PHP内网探测脚本(内网代理访问+内网端口扫描)

前些天看到wooyun社区有人发的jsp内网探测脚本，可以内网代理访问和内网端口扫描。但是却没找到php的既能代理内网，又能扫描内网端口的的脚本。所以我写了这个集合版本的php内网探测脚本。

一、代码

<?php set_time_limit(0);//设置程序执行时间ob_implicit_flush(True);ob_end_flush();$url = isset($_REQUEST['url'])?$_REQUEST['url']:null; /*端口扫描代码*/function check_port($ip,$port,$timeout=0.1) { $conn = @fsockopen($ip, $port, $errno, $errstr, $timeout); if ($conn) { fclose($conn); return true; }} function scanip($ip,$timeout,$portarr){foreach($portarr as $port){if(check_port($ip,$port,$timeout=0.1)==True){echo 'Port: '.$port.' is open<br/>';@ob_flush();@flush(); } }}echo '<html><form action="" method="post"><input type="text" name="startip" value="Start IP" /><input type="text" name="endip" value="End IP" /><input type="text" name="port" value="80,8080,8888,1433,3306" />Timeout<input type="text" name="timeout" value="10" /><br/><button type="submit" name="submit">Scan</button></form></html>';if(isset($_POST['startip'])&&isset($_POST['endip'])&&isset($_POST['port'])&&isset($_POST['timeout'])){	$startip=$_POST['startip'];$endip=$_POST['endip'];$timeout=$_POST['timeout'];$port=$_POST['port'];$portarr=explode(',',$port);$siparr=explode('.',$startip);$eiparr=explode('.',$endip);$ciparr=$siparr;if(count($ciparr)!=4||$siparr[0]!=$eiparr[0]||$siparr[1]!=$eiparr[1]){exit('IP error: Wrong IP address or Trying to scan class A address');}if($startip==$endip){echo 'Scanning IP '.$startip.'<br/>';@ob_flush();@flush();scanip($startip,$timeout,$portarr);@ob_flush();@flush();exit();} if($eiparr[3]!=255){$eiparr[3]+=1;}while($ciparr!=$eiparr){$ip=$ciparr[0].'.'.$ciparr[1].'.'.$ciparr[2].'.'.$ciparr[3];echo '<br/>Scanning IP '.$ip.'<br/>';@ob_flush();@flush();scanip($ip,$timeout,$portarr);$ciparr[3]+=1; if($ciparr[3]>255){$ciparr[2]+=1;$ciparr[3]=0;}if($ciparr[2]>255){$ciparr[1]+=1;$ciparr[2]=0;}}}/*内网代理代码*/function getHtmlContext($url){     $ch = curl_init();     curl_setopt($ch, CURLOPT_URL, $url);     curl_setopt($ch, CURLOPT_HEADER, TRUE);    //表示需要response header     curl_setopt($ch, CURLOPT_NOBODY, FALSE); //表示需要response body     curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);     curl_setopt($ch, CURLOPT_TIMEOUT, 120);     $result = curl_exec($ch);   global $header;   if($result){        $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);        $header = explode("\r\n",substr($result, 0, $headerSize));        $body = substr($result, $headerSize);   }     if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '200') {         return $body;     }     if (curl_getinfo($ch, CURLINFO_HTTP_CODE) == '302') {     $location = getHeader("Location");     if(strpos(getHeader("Location"),'http://') == false){       $location = getHost($url).$location;     }         return getHtmlContext($location);     }     return NULL; } function getHost($url){     preg_match("/^(http:\/\/)?([^\/]+)/i",$url, $matches);     return $matches[0]; } function getCss($host,$html){     preg_match_all("/<link[\s\S]*?href=['\"](.*?[.]css.*?)[\"'][\s\S]*?>/i",$html, $matches);     foreach($matches[1] as $v){     $cssurl = $v;         if(strpos($v,'http://') == false){       $cssurl = $host."/".$v;     }     $csshtml = "<style>".file_get_contents($cssurl)."</style>";     $html .= $csshtml;   }   return $html; } if($url != null){     $host = getHost($url);     echo getCss($host,getHtmlContext($url)); }?>

其中的代理访问这部分的源码，借鉴了前人的源代码。附上地址：http://zone.wooyun.org/content/22879。对作者表示感谢

用法：

1、端口扫描部分：

填好起始ip、结束ip、自定义端口、超时等，点击扫描即可，十分方便

2、内网代理部分：

直接在文件后面加url参数，注意这里要带着http协议，不然可能css加载不完