Monday, 29 March 2010

phpsploitclass.php

Click here to download the latest version of phpsploitclass

I will begin slowly with an article that studies the phpsploit class, coded by Darkfig. Indeed, he told me that only three people were using this class to develop their web-based exploits, tools, etc. Before, I used to write the whole algorithm by hand to get the web server's response. All of that is over. Though an English description is included in the file itself (because we have to make it easy for everyone to understand), I decided to explain some features in French (but here, we only speak English :]), in order to convince readers!

I'll assume you have PHP 5 with a CLI (Command Line Interface), because I run my scripts with this tool. If you have a web server, that is fine too, but I mostly find the prompt more convenient.

Let's go. We begin by including the class definition (so far, nothing complicated!):

<?php
require_once('./phpsploitclass.php');
?>


By exploring the file, we can see this line:
class phpsploit {


So our script will look like this:

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
?>


I imagine that most of you have already done object-oriented programming. So you will know that our instance has:
- attributes: a kind of variable internal to the class. In most cases these attributes are private: the user cannot modify them directly;
- methods: "sub-tools" for manipulating instances. They are commonly public (the user can call them), but some are private (the phpsploit class contains a few).

get()



The first method we should use is get(). It takes exactly one argument: the address of the web page from which we want to get information, meaning the response headers together with the HTML content. It returns the entire raw response from the server (the headers, then the blank line (CRLF CRLF) that separates them from the body, then the body):

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
echo $object->get("http://geo0w.blogspot.com/");
?>


Let's take a try:


C:\php>php phpsploit1.php
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Last-Modified: Sun, 04 Jan 2009 15:05:21 GMT
Cache-Control: max-age=0 private
ETag: "5b0762bd-de9c-4df7-830f-8fe7e1b4f4ef"
Transfer-Encoding: chunked
Date: Sun, 04 Jan 2009 15:07:09 GMT
X-Content-Type-Options: nosniff
Server: GFE/1.3
Connection: Close

7006
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html dir='ltr' xmlns='http://www.w3.org/1999/xhtml' xmlns:b='http://www.google.com/2005/gml/b' xmlns:data='http://www.google.com/2005/gml/data' xmlns:expr='http://www.google.com/2005/gml/expr'>
<head>

[...]


Be careful: it will probably scroll past quickly in the console. You can use the shell redirection operator ">" to write the script's output to a file and read it there. In my case, the response is 37 kB of junk! Note also that get() hands you the bytes exactly as the server sent them: the "7006" line after the headers above is the hexadecimal size of the first chunk announced by "Transfer-Encoding: chunked", not part of the HTML, so a tool that parses the body has to strip those chunk-size lines itself.

Anyway, we have the server response.

Let's code a tool for ourselves: it will let us get the source of any page. The argument, which is the URL, is given on the command line.

<?php
require_once('./phpsploitclass.php');
// $_SERVER['argv'] holds the command-line arguments when PHP runs from the CLI
if(!empty($_SERVER['argv'][1])) {
    $object = new phpsploit();
    echo $object->get($_SERVER['argv'][1]);
} else {
    echo "Usage: ".$_SERVER['argv'][0]." [url]\n";
}
?>


Let's try:

C:\php>php phpsploit2.php http://www.google.fr/
HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Date: Sun, 04 Jan 2009 15:20:40 GMT
Expires: -1
Content-Type: text/html; charset=ISO-8859-1
Set-Cookie: PREF=ID=584abc4a64322246:TM=1231082440:LM=1231082440:S=Zvx70flgh8_ZY
o5V; expires=Tue, 04-Jan-2011 15:20:40 GMT; path=/; domain=.google.fr
Server: gws
Transfer-Encoding: chunked
Connection: Close

1785
<html><head><meta http-equiv="content-type" content="text/html; charset=ISO-8859
-1"><title>Google</title><style>body,td,a,p,.h{font-family:arial,sans-serif}.h{c
olor:#36c;font-size:20px}.q{color:#00c}.ts td{padding:0}.ts{border-collapse:coll
apse}#gbar{height:22px;padding-left:2px}.gbh,.gbd{border-top:1px solid #c9d7f1;f
ont-size:1px}.gbh{height:0;position:absolute;top:24px;width:100%}#gbi,#gbs{backg
[...]


We can now get both the headers and the body of the response from any page, provided it is reachable. You see what I mean.
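Since get() returns the raw bytes, the first thing a tool built on it needs is a way to take them apart. The following helper is an added example, not code from phpsploitclass or from the original article: it splits the raw response into the status code, the headers (keeping repeated ones such as several Set-Cookie lines) and the body, and decodes the chunk-size lines when the server used Transfer-Encoding: chunked, as in the two captures above. It runs offline on a constructed sample response; to use it on a live page, pass it the string returned by $object->get().

```php
<?php
// Added example (not part of phpsploitclass): dissect the raw response string
// that get()/post() return.

// Remove the hexadecimal chunk-size lines of a "Transfer-Encoding: chunked" body.
function decode_chunked($body)
{
    $decoded = '';
    $offset  = 0;
    $len     = strlen($body);
    while ($offset < $len) {
        // chunk-size line: hex size, optional ";extension", then CRLF
        $eol = strpos($body, "\r\n", $offset);
        if ($eol === false) {
            break;                                  // truncated response
        }
        $parts = explode(';', substr($body, $offset, $eol - $offset), 2);
        $size  = hexdec(trim($parts[0]));
        if ($size <= 0) {
            break;                                  // "0" = last chunk
        }
        $offset   = $eol + 2;
        $decoded .= substr($body, $offset, $size);
        $offset  += $size + 2;                      // skip data + its CRLF
    }
    return $decoded;
}

// Returns array('status' => int, 'headers' => array, 'body' => string), or null
// when the string does not look like an HTTP response.
function parse_response($raw)
{
    // headers end at the first blank line; tolerate bare LF as well as CRLF
    if (preg_match('/\r?\n\r?\n/', $raw, $m, PREG_OFFSET_CAPTURE) !== 1) {
        return null;
    }
    $headerBlock = substr($raw, 0, $m[0][1]);
    $body        = substr($raw, $m[0][1] + strlen($m[0][0]));

    $lines      = preg_split('/\r?\n/', $headerBlock);
    $statusLine = array_shift($lines);
    if (!preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $statusLine, $sm)) {
        return null;
    }
    $headers = array();
    foreach ($lines as $line) {
        $pos = strpos($line, ':');
        if ($pos === false) {
            continue;
        }
        $name  = strtolower(trim(substr($line, 0, $pos)));
        $value = trim(substr($line, $pos + 1));
        $headers[$name][] = $value;                 // a header may repeat
    }
    if (isset($headers['transfer-encoding'])
        && stripos(implode(',', $headers['transfer-encoding']), 'chunked') !== false) {
        $body = decode_chunked($body);
    }
    return array('status' => (int) $sm[1], 'headers' => $headers, 'body' => $body);
}

// Constructed sample, modelled on the chunked answers shown above (not a capture).
$sample = "HTTP/1.1 200 OK\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\n"
        . "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
        . "Set-Cookie: admin=0; path=/\r\n"
        . "Transfer-Encoding: chunked\r\n"
        . "Connection: close\r\n"
        . "\r\n"
        . "6\r\n<html>\r\n"
        . "c\r\n<p>hello</p>\r\n"
        . "7\r\n</html>\r\n"
        . "0\r\n\r\n";

$r = parse_response($sample);
echo "status : " . $r['status'] . "\n";
echo "cookies: " . implode(' | ', $r['headers']['set-cookie']) . "\n";
echo "body   : " . $r['body'] . "\n";   // <html><p>hello</p></html>, no chunk sizes
// On a live target: $r = parse_response($object->get('http://localhost/page.php'));
```

The decoder stops at the "0" chunk and ignores any trailers after it, which is enough for the HTML bodies this class is used on; a response cut off by the server before the final chunk simply yields the bytes received so far.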




post()



Almost identical to the get() method. However, this method takes exactly two arguments:
- the target page of the POST request (nothing different so far);
- the data to send to the server, encoded like "variable1=value1&variable2=value2" (the usual application/x-www-form-urlencoded format, so a value containing "&", "=" or a space should be passed through urlencode() first, otherwise the server will read it as extra parameters).

An example is better than a long speech. Let's write a PHP script that waits for POST data (you'll have to put this script on your web server).

<?php
if(!empty($_POST)) {
    echo "You have posted :\n";
    readfile("php://input");   // echo the raw request body back
} else {
    echo "You haven't posted anything.";
}
?>


We save it as target.php and assume we can reach it at http://localhost/target.php. Here, then, is an example script to run from the CLI:

<?php
require_once('./phpsploitclass.php');
$object = new phpsploit();
echo $object->post("http://localhost/target.php","pseudo=Geo&pass=superpapi");
?>


We try it in the console:

C:\php>php phpsploit3.php
HTTP/1.1 200 OK
Date: Mon, 05 Jan 2009 12:30:21 GMT
Server: Apache/2.2.6 (Win32) PHP/5.2.5
X-Powered-By: PHP/5.2.5
Content-Length: 39
Connection: close
Content-Type: text/html

You have posted :
pseudo=Geo&pass=superpapi


Magic! \o/
Now we shift up a gear.


addcookie(), agent(), addheader()



Three important methods. They let us build our HTTP request.

The addcookie() method takes exactly two arguments, which are, respectively, the cookie name and its value. For example:
<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->addcookie('admin',1);

// Now we can send our requests
$response = $obj->get("http://localhost/page.php");
// etc...
?>


Then each time we "visit" the page with get(), the cookie will be inserted into our headers. Of course you can call addcookie() as many times as you need.

The agent() method sets the value of the "User-Agent" field of your HTTP request. It lets you choose the browser name under which you fetch the page. A kind of spoofing; indeed, some sites behave differently when the field is empty or the agent is unknown.

The method takes exactly one argument: the "User-Agent" value you want. Here is an example using this method:
<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->agent("Mozilla Firefox");

// We can send our requests...
$response = $obj->get("http://localhost/page.php");
// etc...
?>


The addheader() method lets us add fields to our headers. It takes exactly two arguments, which are, respectively, the field name and the field value.

<?php
require_once('./phpsploitclass.php');
$obj = new phpsploit();
$obj->addheader("X-Forwarded-For","127.0.0.1");
$obj->addheader("Referer","http://www.google.fr");

// We can do our queries...
?>


The X-Forwarded-For line above is the classic way of checking whether an application trusts client-supplied IP headers for access control or logging: a proxy is supposed to set it, but nothing stops a client from sending it. Note: although dedicated methods exist for cookies and the User-Agent, nothing forbids doing this instead:

$obj->addheader("User-Agent","Mozilla Firefox");
$obj->addheader("Cookie","PHPSESSID=ANotVeryCorrectPHPSESSID; admin=1; pseudo=Geo");


We can see that the class is complete. And that's not all! If I had to demonstrate it entirely, I could never finish...
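The post() and addcookie() methods above are what you combine to drive an application through a login. The script below is an added example, not code from phpsploitclass or from the original article: it posts credentials (encoding the values with http_build_query so a password containing "&" or "=" stays one parameter), pulls the name=value pairs out of the Set-Cookie headers of the answer, feeds them back with addcookie(), and then fetches a page that requires the session. It assumes phpsploitclass.php is in the current directory; the URLs and the form field names are hypothetical.

```php
<?php
// Added example, not part of phpsploitclass or of the original article.
// Assumptions: phpsploitclass.php is in the current directory, and the target
// application (hypothetical URLs below) sets a session cookie on a successful
// login and serves admin.php only to an authenticated session.
require_once('./phpsploitclass.php');

// Build a properly encoded POST body: '&', '=' and spaces inside a value must
// not go out raw or the server will read them as extra parameters.
function form_body(array $fields)
{
    return http_build_query($fields);     // pseudo=Geo&pass=a%26b%3Dc
}

// Pull every "name=value" out of the Set-Cookie headers of a raw response.
function response_cookies($raw)
{
    $head = strstr($raw, "\r\n\r\n", true);   // headers only, never the body
    if ($head === false) {
        $head = $raw;
    }
    $cookies = array();
    if (preg_match_all('/^Set-Cookie:\s*([^=]+)=([^;\r\n]*)/mi', $head, $m, PREG_SET_ORDER)) {
        foreach ($m as $c) {
            $cookies[trim($c[1])] = $c[2];
        }
    }
    return $cookies;
}

// Three-digit code from the status line, or 0 if the response is malformed.
function status_code($raw)
{
    return preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $raw, $m) ? (int) $m[1] : 0;
}

$obj = new phpsploit();
$obj->agent('Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6');

// 1. log in (the password deliberately contains '&' and '=' to show the encoding)
$login = $obj->post('http://localhost/login.php',
                    form_body(array('pseudo' => 'Geo', 'pass' => 'a&b=c')));
printf("login: HTTP %d\n", status_code($login));

// 2. carry the cookies the server handed us into the next requests
$cookies = response_cookies($login);
if (empty($cookies)) {
    die("no Set-Cookie in the login response: wrong credentials or wrong URL?\n");
}
foreach ($cookies as $name => $value) {
    $obj->addcookie($name, $value);
}

// 3. fetch a page that requires the session
$admin = $obj->get('http://localhost/admin.php');
printf("admin: HTTP %d, %d bytes\n", status_code($admin), strlen($admin));
```

This is the manual version of what the class's cookiejar() method does for you; doing it by hand once makes it clear which cookie actually carries the session, which matters when you later want to forge or replay it.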

reset()



It is important to mention this method. It takes either one argument or none. With no argument, it resets all headers, cookies and other parameters; otherwise it resets the header whose name is passed as the argument. The call is easy:

$obj->reset();
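reset() is what makes the class usable for differential testing: send the same request several times, each with one extra client-controlled header, and see whether the page changes. The script below is an added example, not code from phpsploitclass or from the original article. It assumes phpsploitclass.php is in the current directory and that the URL is hypothetical; it first checks that the page is stable between two plain fetches (a page with a timestamp or a one-time token would differ on every request and make the comparison meaningless), then tries X-Forwarded-For, a Referer and a cookie in turn, calling reset() between variants so they never accumulate.

```php
<?php
// Added example, not part of phpsploitclass or of the original article.
// Assumption: phpsploitclass.php is in the current directory; the URL and the
// header values are hypothetical.
require_once('./phpsploitclass.php');

// Body of a raw response (everything after the first blank line).
function body_of($raw)
{
    $pos = strpos($raw, "\r\n\r\n");
    return $pos === false ? $raw : substr($raw, $pos + 4);
}

// For each variant (label => array of header name => value) report whether
// the body differs from the plain request. Returns null if the page is not
// stable enough to compare.
function differential_headers($obj, $url, array $variants)
{
    $obj->reset();                                    // clean slate
    $first  = md5(body_of($obj->get($url)));
    $second = md5(body_of($obj->get($url)));
    if ($first !== $second) {
        return null;                                  // timestamps, tokens...
    }

    $results = array();
    foreach ($variants as $label => $headers) {
        $obj->reset();                                // drop the previous variant
        foreach ($headers as $name => $value) {
            if (strcasecmp($name, 'Cookie') === 0) {
                list($cn, $cv) = explode('=', $value, 2);
                $obj->addcookie($cn, $cv);            // the class builds the Cookie line
            } else {
                $obj->addheader($name, $value);
            }
        }
        $results[$label] = (md5(body_of($obj->get($url))) !== $first);
    }
    return $results;
}

$variants = array(
    'xff-localhost' => array('X-Forwarded-For' => '127.0.0.1'),
    'referer-self'  => array('Referer' => 'http://localhost/admin.php'),
    'cookie-admin'  => array('Cookie' => 'admin=1'),
);

$obj = new phpsploit();
$report = differential_headers($obj, 'http://localhost/page.php', $variants);
if ($report === null) {
    die("page changes between identical requests; compare the bodies by hand\n");
}
foreach ($report as $label => $changed) {
    printf("%-15s %s\n", $label, $changed ? 'response differs from baseline' : 'no change');
}
```

A "differs" line is only a lead: diff the two bodies to see whether the change is an access-control decision (an admin menu appearing, an IP filter passed) or just the header being echoed back.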


Conclusion



As a conclusion, this article aims to raise your awareness. I confess that I went a bit far while presenting only briefly several methods of the phpsploit class. There are many others:
- you can grab the "Set-Cookie" field's value automatically and reuse it in your next request via the cookiejar() method;
- you can print the headers separately from the HTML, and vice versa;
- you can upload a file;
- ...

Don't hesitate to read phpsploitclass.php! Everything is explained there in English.

As for the French version, I have an example that uses phpsploitclass. You can find it here: http://venom630.free.fr/geo/tutz/securite_informatique/injections_sql_imbriquees/. But I don't have one in English. Sorry guys.

When I wrote this article, I had to rework my original one, so it may be confusing. Moreover, I'm not a native English speaker, so I'll bless you if you forgive my many errors. :)

Geo
