Monday, 29 March 2010

"Bambalam!" or "compile PHP for me!"

This simple article will talk about Bambalam. This is not music. Here is the site of the project:
http://www.bambalam.se/bamcompile/


We can see, in big letters, on the page:
Bambalam PHP EXE Compiler/Embedder


Though PHP is meant to be an interpreted scripting language, we can compile it in order to:
- hide the code;
- build Windows applications and spare users from having to install PHP on their computer;
- (in theory) increase execution speed.

Life is beautiful, isn't it?!

As for the "linuxians", don't worry: you can download the Bambalam source code.

Let's fetch the project's archive, extract it into a folder, and see the content:
- readme.txt : don't care;
- project_template.bcp : don't care;
- bamcompile.exe : the executable that takes arguments and generates executables from PHP files;
- examples: a folder full of interesting... examples! :)

To make things easier, let's create a "projects" directory. In this directory, let's create a "hello" folder. Now, in this last folder, let's create a file called "hello.php". Let's write our code:
<?php
echo 'Hello!';
?>


We will now compile it. First of all, you have the choice between the following options:
- using the command line: move to Bambalam's folder, then enter your options manually;
- making a batch file that runs your commands in sequence and keeps a record of them.

For my part, I choose the second option.

On the project's web-site, we are told this:
Usage:
bamcompile [-options] infile.php [outfile.exe]
bamcompile [-options] project_directory mainfile.php [outfile.exe]
bamcompile projectfile.bcp

Options:
-w Hide console window for windowed applications
-c Compress output exe (using UPX)
-d Do not encode PHP files
-e:extension.dll Embed and use PHP extension
-i:icon.ico Add icon to exe


Let's try the first usage line to compile our single PHP file! We will create a batch file called "make.bat" in the working directory and write the following lines:

@echo off
"../../bamcompile.exe" hello.php
rem The next instruction prevents the console from closing by itself
pause


Yes, we have to write "../../" because bamcompile.exe is two levels up in the directory tree. I don't take you for idiots, but it has to become a reflex.

Then we launch make.bat and we don't have the time to say "Leek". (I love leeks).

Bambalam PHP EXE Compiler/Embedder 1.21

Mainfile: hello.php
Outfile: hello.exe

Encoding and embedding hello.php

hello.exe created successfully!
Appuyez sur une touche pour continuer...


Concerning the last line, it is in French because that's the language of my Windows. It means "Press a key to continue". :)

Finally, we have a wonderful executable which has been created in the same directory. If we launch it with a double click, it closes immediately; that's normal.

Let's see what it gives on the command line:
C:\bamcompile1.21\projects\hello>hello.exe

Hello!


Great!

Well, ok, there is an empty line over our "Hello!", but we don't really care.

Now, let's go back to the "projects" folder and create two files in it (the commands further down expect them in an "age" subfolder):
- main.php
<?php
require_once('age.php');
// An age must be given as the first command-line argument
if($_SERVER['argc'] < 2) {
    echo "Usage: ".$_SERVER['argv'][0]." [number]\n";
    exit(-1);
}
// intval() forces an integer, abs() drops the sign
echo ShowFollowingAge(abs(intval($_SERVER['argv'][1])));
?>


To sum up the code: first we include the "age.php" file (which we'll write right after this), then we check that an argument was entered on the command line - it corresponds to the age of some person - and next we call the ShowFollowingAge() function. This function is defined in the "age.php" file. Finally, the intval() function lets us ensure that the argument is an integer value, and abs() that it is positive.

Let's handle the "age.php" file:
<?php
if(!defined("AGE_PHP")) {
    define("AGE_PHP",TRUE);
    function ShowFollowingAge($var) {
        return $var >= 18 ? "You're major" : "You're minor";
    }
}
?>


Briefly, I prevent the file from being included several times (even if it doesn't really matter here) and then I define my function(s). The define is here because if we define a function several times - with the same name - the script doesn't run. Normal.

The function returns a string: "You're major" if the age is greater than or equal to 18, "You're minor" otherwise.

For those who do not understand the ternary expression, it consists of assigning a value to a variable according to a condition. Example:
$variable = condition ? "value if true" : "value if false";


This code is equivalent to the following one:
if(condition)
    $variable = "value if true";
else
    $variable = "value if false";


The last code takes four lines whereas the ternary expression takes just one. That's why I use the latter.

But we shouldn't go away from the main topic!!

Now, we will go back to the bamcompile executable's folder. Then we create a "make_age.bat" file and write into it:
@echo off
bamcompile.exe projects/age main.php projects/age/age.exe
pause


Indeed, on Bambalam's web-site, we are told that we can use:
bamcompile [-options] project_directory mainfile.php [outfile.exe]


By identifying:
project_directory = projects/age ;
mainfile.php = main.php ;
outfile.exe (optional argument) = projects/age/age.exe

Then we launch our batch file and it's the ecstasy (normally)!

Bambalam PHP EXE Compiler/Embedder 1.21

Mainfile: main.php
Outfile: projects/age/age.exe
Project dir: projects/age

Embedding age.exe
Encoding and embedding age.php
Encoding and embedding main.php

projects/age/age.exe created successfully!
Appuyez sur une touche pour continuer...


We execute age.exe with the command line:
C:\bamcompile1.21\projects\age>age.exe 18
You're major
C:\bamcompile1.21\projects\age>age.exe 16
You're minor
C:\bamcompile1.21\projects\age>age.exe aaa
You're minor
C:\bamcompile1.21\projects\age>age.exe -4
You're minor
C:\bamcompile1.21\projects\age>age.exe -18
You're major
C:\bamcompile1.21\projects\age>age.exe 32
You're major


Since the program is of no real interest, this is just a simple example.


I regret to announce that the fairground ride ends here. You could say this article kept me busy in order to present a tool that I love very much; I have sent nice executables to friends thanks to it. Funny.

Take a look in the "examples" folder, it's worth it! There is even a calculator programmed with the winbinder extension (http://www.winbinder.org), which lets us make GUI programs. Anyway, it is worth it for those who write PHP scripts and would like to share them with other people who don't have PHP set up on their computer.

That's all. See you soon.

Geo

phpsploitclass.php

Click here to download the latest version of phpsploitclass

I will begin slowly with an article which studies the phpsploit class, coded by Darkfig. Indeed, he told me that only three people were using this class to develop their web-based exploits, tools, etc. Before, I used to write the entire algorithm by hand to get the web server's response. All of that is over. Though an English description is included in the file (because we have to offer an easy understanding for everyone), I decided to explain some features in French (but here, we only speak English :]), in order to convince readers!

I'll assume you have PHP 5 with a CLI - Command Line Interface - because I run my scripts with this tool. If you have a web server, that is fine, but I mostly find the prompt more convenient.

Let's go. We begin by including the class definition (until there, it's not complicated!) :

<?php
require_once('./phpsploitclass.php');
?>


By exploring the file, we can see this line:
class phpsploit {


So we will write our script like this:

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
?>


I imagine that most of you have already done some object-oriented programming. As a consequence, you will know that our instance owns:
- attributes: kinds of variables internal to the class. These attributes are, in most cases, private: it means that the user cannot modify them directly;
- methods: they are "sub-tools" for manipulating instances. They are commonly public - the user can call them - but some of them are private (the phpsploitclass contains some).

get()



The first method that we should use is the get() method. This method takes one and only one argument: the address of the web page from which we want to get information, that is, the response's headers together with the HTML content. This method returns the entire response from the server (the headers, ended by two carriage return/newline pairs, then the content):

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
echo $object->get("http://geo0w.blogspot.com/");
?>


Let's take a try:


C:\php>php phpsploit1.php
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Last-Modified: Sun, 04 Jan 2009 15:05:21 GMT
Cache-Control: max-age=0 private
ETag: "5b0762bd-de9c-4df7-830f-8fe7e1b4f4ef"
Transfer-Encoding: chunked
Date: Sun, 04 Jan 2009 15:07:09 GMT
X-Content-Type-Options: nosniff
Server: GFE/1.3
Connection: Close

7006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>

[...]


Be careful: it will probably scroll by quickly in the console. You may use the redirection operator ">" to write the script's output into a file and consult it there. For my part, the response has a size of 37 kB and a bit!

Anyway, we have the server response.

Let's code a tool for ourselves: it will let us get the source of any page. The argument, which corresponds to the URI, is given on the command line.

<?php
require_once('./phpsploitclass.php');
if(!empty($_SERVER['argv'][1])) {
    $object = new phpsploit();
    echo $object->get($_SERVER['argv'][1]);
} else {
    echo "Usage: ".$argv[0]." [url]\n";
}
?>


Let's try:

C:\php>php phpsploit2.php http://www.google.fr/
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Date: Sun, 04 Jan 2009 15:20:40 GMT
Expires: -1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=584abc4a64322246:TM=1231082440:LM=1231082440:S=Zvx70flgh8_ZY
o5V; expires=Tue, 04-Jan-2011 15:20:40 GMT; path=/; domain=.google.fr
Server: gws
Transfer-Encoding: chunked
Connection: Close

1785
<html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859
-1"><title>Google</title><style>body,td,a,p,.h{font-family:arial,sans-serif}.h{c
olor:#36c;font-size:20px}.q{color:#00c}.ts td{padding:0}.ts{border-collapse:coll
apse}#gbar{height:22px;padding-left:2px}.gbh,.gbd{border-top:1px solid #c9d7f1;f
ont-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbi,#gbs{backg
[...]


We can now get both the headers and the body of the response from any page, provided it is available. You get the idea.
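The two captures above are raw responses: the lines "7006" and "1785" in front of the HTML are chunk sizes in hexadecimal, because the servers answered with "Transfer-Encoding: chunked". The following added example (not part of the original article and not phpsploit's own code) splits such a raw string into status line, headers and decoded body; parse_raw_response() and the sample response are made up for the illustration.

```php
<?php
// Added example: split a raw HTTP response string (as echoed above) into
// status line, headers and body, decoding a chunked body when needed.
// parse_raw_response() and $sample are names made up for this example.

function parse_raw_response($raw) {
    // Headers end at the first empty line (CRLF CRLF).
    $parts  = explode("\r\n\r\n", $raw, 2);
    $body   = isset($parts[1]) ? $parts[1] : '';
    $lines  = explode("\r\n", $parts[0]);
    $status = array_shift($lines);

    $headers = array();
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) continue;   // skip malformed lines
        list($name, $value) = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value); // last value wins
    }

    // "Transfer-Encoding: chunked": each chunk is "<hex size>CRLF<data>CRLF",
    // and a chunk of size 0 ends the body.
    if (isset($headers['transfer-encoding'])
        && stripos($headers['transfer-encoding'], 'chunked') !== false) {
        $decoded = '';
        $pos = 0;
        while ($pos < strlen($body)
               && ($eol = strpos($body, "\r\n", $pos)) !== false) {
            $size = hexdec(strtok(substr($body, $pos, $eol - $pos), ';'));
            if ($size === 0) break;
            $decoded .= substr($body, $eol + 2, $size);
            $pos = $eol + 2 + $size + 2;               // skip data and its CRLF
        }
        $body = $decoded;
    }
    return array('status' => $status, 'headers' => $headers, 'body' => $body);
}

// Constructed sample response (not captured from a real server).
$sample = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        . "Transfer-Encoding: chunked\r\nConnection: Close\r\n\r\n"
        . "6\r\n<html>\r\n7\r\n</html>\r\n0\r\n\r\n";

$r = parse_raw_response($sample);
echo $r['status'], "\n";                  // status line
echo $r['headers']['content-type'], "\n"; // header names are lower-cased
echo $r['body'], "\n";                    // body without the chunk sizes
```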




post()



Almost the same as the get() method. However, this method takes exactly two arguments:
- the target page of the POST request - so far, nothing different;
- the data to send to the server, encoded like "variable1=value1&variable2=value2"...

An example is better than a long speech. Let's make a PHP script that waits for POST data (you'll have to put this script on your web server).

<?php
if(!empty($_POST)) {
    echo "You have posted :\n";
    readfile("php://input");
} else {
    echo "You don't have posted anything.";
}
?>


We save it as target.php and we suppose that we can access it at http://localhost/target.php. Here is, consequently, an example script to execute in the CLI:

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
echo $object->post("http://localhost/target.php","pseudo=Geo&pass=greatdad");
?>


We try it on the console:

C:\php>php phpsploit3.php
HTTP/1.1 200 OK
Date: Mon, 05 Jan 2009 12:30:21 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 39
Connection: close
Content-Type: text/html

You have posted :
pseudo=Geo&pass=superpapi


Magic! \o/
It goes up a gear.


addcookie(), agent(), addheader()



Three important methods. They let us build our HTTP request.

The addcookie() method takes exactly two arguments, which represent, respectively, the variable and its value. For example:
<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->addcookie('admin',1);

// Now we can send our requests
$response = $obj->get("http://localhost/page.php");
// etc...
?>


Then each time we "visit" a page by using the get() method, the cookie will be inserted into our headers. Of course, you can call the addcookie() method as many times as you want.

The agent() method specifies a value for the "User-Agent" field of your HTTP request. This serves to specify the name of the browser with which you want to get the page. A kind of falsification; indeed, there are sites that behave differently when we use an empty field or a non-existent agent.

The method takes exactly one argument: the "User-Agent" value that you want. Here is an example using this method:
<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->agent("Mozilla Firefox");

// We can send our requests...
$reponse = $obj->get("http://localhost/page.php");
// etc...
?>


The addheader() method lets us add fields to our headers. It takes exactly two arguments which are, respectively, the field name and the field value.

<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->addheader("X-Forwarded-For","127.0.0.1");
$obj->addheader("Referer","http://www.google.fr");

// We can do our queries...
?>


Note: although methods for manipulating cookies and the user-agent are implemented, nothing forbids doing this:

$obj->addheader("User-Agent","Mozilla Firefox");
$obj->addheader("Cookie","PHPSESSID=ANotVeryCorrectPHPSESSID; admin=1; pseudo=Geo");
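
Seen from the server side, the snippets above mean that cookies, the User-Agent, the Referer and X-Forwarded-For are all chosen by the client. The following added example (not from the original article or from phpsploit) contrasts a check that trusts those values with one that does not; the function names, the 'is_admin' session key and the proxy address are assumptions made for the illustration.

```php
<?php
// Added example: every value a client can set with addcookie()/addheader()
// is client-chosen input on the server. Function names, the 'is_admin'
// session key and the proxy list are hypothetical.

// Weak: trusts a cookie and a forwarded-address header sent by the client.
function is_admin_weak($cookies, $server) {
    $local = isset($server['HTTP_X_FORWARDED_FOR'])
          && $server['HTTP_X_FORWARDED_FOR'] === '127.0.0.1';
    return !empty($cookies['admin']) || $local;
}

// Address of the client, honouring X-Forwarded-For only when the TCP peer
// is a reverse proxy we operate ourselves.
function client_ip($server, $trusted_proxies) {
    $peer = $server['REMOTE_ADDR'];
    if (in_array($peer, $trusted_proxies, true)
        && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // The right-most entry is the one appended by our own proxy.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $last = end($hops);
        if (filter_var($last, FILTER_VALIDATE_IP) !== false) return $last;
    }
    return $peer;
}

// Hardened: the role lives in server-side session data set at login.
function is_admin_hardened($session) {
    return isset($session['is_admin']) && $session['is_admin'] === true;
}

// Constructed request, shaped like the one the snippets above would send.
$cookies = array('admin' => '1', 'pseudo' => 'Geo');
$server  = array('REMOTE_ADDR' => '203.0.113.7',
                 'HTTP_X_FORWARDED_FOR' => '127.0.0.1');
$session = array();                       // nobody has logged in
$proxies = array('10.0.0.5');             // hypothetical reverse proxy

var_dump(is_admin_weak($cookies, $server));     // forged values are accepted
var_dump(client_ip($server, $proxies));         // peer is not our proxy
var_dump(is_admin_hardened($session));          // no server-side role set
```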


We realize that the class is complete. And it's not over! If I had to demonstrate it entirely, then I could not finish...

reset()



It is important to talk about this method. It takes either one argument or none. If it doesn't receive any, it resets all headers, cookies and other parameters; otherwise it resets the header value corresponding to the header name passed as argument. The call is easy:

$obj->reset();


Conclusion



As a conclusion, this article aims to raise your awareness. I confess that I went far while briefly presenting several methods of the phpsploit class. There are many others:
- you can get the "Set-Cookie" field's value automatically and use it in your next request via the cookiejar() method;
- you can print separately the headers from the HTML, and vice versa;
- you can upload a file;
- ...

Don't hesitate to read phpsploitclass.php! All of this is explained in English.

Concerning the French version, I have an example which uses the phpsploitclass. You can find it there: http://venom630.free.fr/geo/tutz/securite_informatique/injections_sql_imbriquees/. But I do not have one in English. Sorry guys.

When I wrote this article, I had to review my article. So it might be confusing. Moreover, I'm not English, so I'll bless you if you forgive my many errors. :)

Geo

Beginning

Hi there!

I created this blog in order to translate my own French one, which is available here. So, I will try to make a quality translation of each article that I wrote.

So I'm importing many articles, but not all of them. At least, I don't think so for the moment.

I ask you to forgive me for my various mistakes. :)

Geo