fsockopen socket 无服务器限制 支持header、cookie、refer 挂马远程
发布时间:2019-06-27



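/**
 * Strip CR, LF and NUL from a value that is about to be written into a
 * request line or header line, so the value cannot start a new header
 * or a second request (header injection / request splitting).
 *
 * @param mixed $value Raw value (cookie string, user agent, host, path).
 * @return string The value with "\r", "\n" and "\0" removed.
 */
function _http_header_value($value) {
	return str_replace(array("\r", "\n", "\0"), '', (string)$value);
}

/**
 * Make a value safe for use inside a double-quoted parameter of a
 * multipart Content-Disposition header (field name or file name).
 *
 * @param mixed $value Raw field name or file name.
 * @return string Value without CR/LF/NUL and with '"' encoded as %22.
 */
function _http_quoted($value) {
	return str_replace('"', '%22', _http_header_value($value));
}

/**
 * Small HTTP client: sends a GET (or a POST when $post is non-empty) and
 * returns the response body.
 *
 * Plain-http requests go over a raw socket (see fsocketopen()); https
 * requests, and http requests for which no socket could be opened, fall
 * back to PHP's stream wrapper, which requires allow_url_fopen.
 *
 * Review notes for callers:
 *  - $url and $ip decide where the server connects. If either is derived
 *    from user input, check the destination against an allow-list first;
 *    this function connects to internal addresses as readily as external
 *    ones.
 *  - Every path in $files is read from local disk and sent to the remote
 *    host, so $files must never contain caller-untrusted paths.
 *  - With $limit = 0 the whole response is buffered in memory.
 *
 * @param string       $url        Absolute http:// or https:// URL.
 * @param int          $limit      Maximum number of body bytes to return; 0 = no limit.
 * @param string|array $post       POST fields (query string or array); empty = GET.
 * @param string       $cookie     Value of the Cookie header.
 * @param string       $ip         Optional address to connect to instead of the URL host.
 * @param int          $timeout    Connect and read timeout in seconds.
 * @param bool         $block      Whether the stream is put in blocking mode.
 * @param string       $encodetype 'URLENCODE' for a form-urlencoded body, anything else for multipart/form-data.
 * @param int          $position   Number of body characters to skip before reading.
 * @param array        $files      Field name => local file path, multipart only.
 * @return string Response body, or '' on any failure.
 */
function http($url, $limit = 0, $post = '', $cookie = '', $ip = '', $timeout = 15, $block = TRUE, $encodetype  = 'URLENCODE', $position = 0, $files = array()) {
	$return = '';
	$matches = parse_url($url);
	if(!is_array($matches) || empty($matches['scheme']) || empty($matches['host'])) {
		return '';
	}
	$scheme = strtolower($matches['scheme']);
	// The scheme is later handed to fopen(); restricting it to http/https keeps
	// file://, php://, ftp:// and other wrappers out of reach of the URL argument.
	if($scheme != 'http' && $scheme != 'https') {
		return '';
	}
	$host = _http_header_value($matches['host']);
	// A URL without a path ("http://host?x=1") still keeps its query string.
	$path = isset($matches['path']) ? $matches['path'] : '/';
	if(isset($matches['query']) && $matches['query'] !== '') {
		$path .= '?'.$matches['query'];
	}
	$path = _http_header_value($path);
	$port = !empty($matches['port']) ? $matches['port'] : ($scheme == 'http' ? '80' : '443');
	$cookie = _http_header_value($cookie);
	// HTTP_USER_AGENT is client-controlled in a web context and absent on the CLI.
	$useragent = isset($_SERVER['HTTP_USER_AGENT']) ? _http_header_value($_SERVER['HTTP_USER_AGENT']) : '';

	$boundary = '';
	if($encodetype != 'URLENCODE') {
		// random() is not defined in this listing; use it when the host
		// application provides it, otherwise derive a boundary locally.
		$boundary = function_exists('random') ? random(40) : md5(uniqid(mt_rand(), true));
	}

	if($post) {
		if(!is_array($post)) {
			parse_str($post, $parsed);
			$post = $parsed;
		}
		$postnew = array();
		format_postkey($post, $postnew);
		$post = $postnew;
	}

	$data = '';
	if($post) {
		if($encodetype == 'URLENCODE') {
			$data = http_build_query($post);
		} else {
			foreach($post as $k => $v) {
				$data .= "--$boundary\r\n";
				$data .= 'Content-Disposition: form-data; name="'._http_quoted($k).'"';
				if(isset($files[$k])) {
					// Content-Type is a separate part header, not a parameter
					// of Content-Disposition.
					$data .= '; filename="'._http_quoted(basename($files[$k])).'"'."\r\n";
					$data .= 'Content-Type: application/octet-stream';
				}
				$data .= "\r\n\r\n";
				$data .= $v."\r\n";
			}
			foreach($files as $k => $file) {
				if(!isset($post[$k]) && file_exists($file)) {
					$v = @file_get_contents($file);
					if($v !== false) {
						$data .= "--$boundary\r\n";
						$data .= 'Content-Disposition: form-data; name="'._http_quoted($k).'"; filename="'._http_quoted(basename($file)).'"'."\r\n";
						$data .= 'Content-Type: application/octet-stream'."\r\n\r\n";
						$data .= $v."\r\n";
					}
				}
			}
			// The closing delimiter carries a trailing "--".
			$data .= "--$boundary--\r\n";
		}
		$out = "POST $path HTTP/1.0\r\n";
		$header = "Accept: */*\r\n";
		$header .= "Accept-Language: zh-cn\r\n";
		$header .= $encodetype == 'URLENCODE' ? "Content-Type: application/x-www-form-urlencoded\r\n" : "Content-Type: multipart/form-data; boundary=$boundary\r\n";
		$header .= 'Content-Length: '.strlen($data)."\r\n";
		$header .= "User-Agent: $useragent\r\n";
		$header .= "Host: $host:$port\r\n";
		$header .= "Connection: Close\r\n";
		$header .= "Cache-Control: no-cache\r\n";
		$header .= "Cookie: $cookie\r\n\r\n";
		$out .= $header;
		$out .= $data;
	} else {
		$out = "GET $path HTTP/1.0\r\n";
		$header = "Accept: */*\r\n";
		$header .= "Accept-Language: zh-cn\r\n";
		$header .= "User-Agent: $useragent\r\n";
		$header .= "Host: $host:$port\r\n";
		$header .= "Connection: Close\r\n";
		$header .= "Cookie: $cookie\r\n\r\n";
		$out .= $header;
	}

	$target = $ip ? $ip : $host;
	$fpflag = 0;
	$fp = false;
	// The raw socket speaks plaintext only, so it is used for http alone;
	// https goes straight to the stream wrapper below.
	if($scheme == 'http') {
		$fp = @fsocketopen($target, $port, $errno, $errstr, $timeout);
	}
	if(!$fp) {
		$context = stream_context_create(array(
			'http' => array(
				'method' => $post ? 'POST' : 'GET',
				'header' => $header,
				// The wrapper expects the encoded body string, not the field array.
				'content' => $data,
				'timeout' => $timeout,
			),
		));
		$fp = @fopen($scheme.'://'.$target.':'.$port.$path, 'rb', false, $context);
		$fpflag = 1;
	}
	if(!$fp) {
		return '';
	}

	stream_set_blocking($fp, $block);
	stream_set_timeout($fp, $timeout);
	if(!$fpflag) {
		// The wrapper stream has already sent the request; only the raw
		// socket needs it written by hand.
		@fwrite($fp, $out);
	}
	$status = stream_get_meta_data($fp);
	if(!$status['timed_out']) {
		// On the raw socket, discard the response headers up to the blank line.
		while(!feof($fp) && !$fpflag) {
			$line = @fgets($fp);
			if($line && ($line == "\r\n" || $line == "\n")) {
				break;
			}
		}
		if($position) {
			$oldchar = '';
			for($i = 0; $i < $position; $i++) {
				$char = fgetc($fp);
				if($char === false) {
					break;
				}
				// A bare "\n" is counted twice (original behaviour, kept as is).
				if($char == "\n" && $oldchar != "\r") {
					$i++;
				}
				$oldchar = $char;
			}
		}
		$return = $limit ? stream_get_contents($fp, $limit) : stream_get_contents($fp);
	}
	@fclose($fp);
	return $return;
}

/**
 * Flatten a nested array of POST fields into a single level whose keys use
 * bracket notation, e.g. array('a' => array('b' => 1)) becomes 'a[b]' => 1.
 *
 * @param array  $post   Fields to flatten (may contain nested arrays).
 * @param array  $result Receives the flattened fields (by reference).
 * @param string $key    Key prefix used while recursing; leave empty when calling.
 * @return void
 */
function format_postkey($post, &$result, $key = '') {
	if(!is_array($result)) {
		$result = array();
	}
	foreach($post as $k => $v) {
		$_k = $key ? $key.'['.$k.']' : $k;
		if(is_array($v)) {
			format_postkey($v, $result, $_k);
		} else {
			$result[$_k] = $v;
		}
	}
}

/**
 * Open a TCP connection with whichever of fsockopen, pfsockopen or
 * stream_socket_client exists in this PHP build, tried in that order.
 *
 * $errno and $errstr now have defaults so that the optional $port is no
 * longer followed by required parameters; existing calls are unaffected.
 *
 * @param string $hostname Host name or IP address.
 * @param int    $port     TCP port.
 * @param int    $errno    Receives the error number on failure.
 * @param string $errstr   Receives the error message on failure.
 * @param int    $timeout  Connect timeout in seconds.
 * @return resource|false|string Stream on success, false on a failed connect,
 *                               '' when none of the three functions exists.
 */
function fsocketopen($hostname, $port = 80, &$errno = null, &$errstr = null, $timeout = 15) {
	$fp = '';
	if(function_exists('fsockopen')) {
		$fp = @fsockopen($hostname, $port, $errno, $errstr, $timeout);
	} elseif(function_exists('pfsockopen')) {
		$fp = @pfsockopen($hostname, $port, $errno, $errstr, $timeout);
	} elseif(function_exists('stream_socket_client')) {
		$fp = @stream_socket_client($hostname.':'.$port, $errno, $errstr, $timeout);
	}
	return $fp;
}

// http://my.oschina.net/cart/
// Usage example (left as a comment, as in the listing, so that including
// this file performs no request):
// var_dump(http('http://www.baidu.com'));exit();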

如在实战采集、挂马中,fsockopen、pfsockopen、stream_socket_client、curl、fopen 都被运维工程师禁用了,怎么办呢?

嘿嘿,只要他不封80端口,我们还有一招:socket_create。接下来演示如何使用 socket 采集的 demo。

需要打开PHP的sockets扩展

extension=php_sockets.dll

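// http://my.oschina.net/cart/
// Fetch a page over plain HTTP using only the sockets extension.
//
// Operational note: this path needs nothing but ext/sockets and outbound
// TCP/80. A disable_functions list that names fsockopen, curl_exec and the
// like does not cover socket_*; outbound access from PHP is bounded by
// whether ext/sockets is loaded (or its functions listed as well) and by
// egress filtering on the host or network.
$host = 'www.baidu.com';

$socket = socket_create ( AF_INET, SOCK_STREAM, getprotobyname ( 'tcp' ) );
if ($socket === false) {
	die ( 'Socket error : ' . socket_strerror ( socket_last_error () ) );
}
if (! socket_connect ( $socket, gethostbyname ( $host ), 80 )) {
	die ( 'Socket error : ' . socket_strerror ( socket_last_error ( $socket ) ) );
}

$header = "GET / HTTP/1.0\r\n";
$header .= "Host: " . $host . "\r\n";
$header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
$header .= "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72 Safari/537.36\r\n";
// The original sent "Keep-Alive: ..." without a trailing CRLF, which fused it
// with the Connection line. The read loop below runs until the server closes
// the connection, so the request asks for exactly that.
$header .= "Connection: Close\r\n\r\n";

// socket_write() may accept fewer bytes than offered; send the remainder.
$pending = $header;
while ($pending !== '') {
	$sent = socket_write ( $socket, $pending, strlen ( $pending ) );
	if ($sent === false) {
		die ( 'Socket error : ' . socket_strerror ( socket_last_error ( $socket ) ) );
	}
	$pending = (string) substr ( $pending, $sent );
}

$result = '';
// Compare explicitly: a chunk consisting of "0" is falsy and would otherwise
// end the loop early.
while ( ($out = socket_read ( $socket, 1024 )) !== false && $out !== '' ) {
	$result .= $out;
}
socket_close ( $socket );

// Print the body; if no header/body separator was received, print what arrived.
$split = strpos ( $result, "\r\n\r\n" );
var_dump ( $split === false ? $result : substr ( $result, $split + 4 ) );
exit();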

转载于:https://my.oschina.net/cart/blog/190700
