
Pentesting reports

Notes on penetration testing journeys

Tag: php

PHP: permutations

Posted on 2019/01/08 - 2019/01/08 by trouble

The following function generates the permutations of a given list (an array) and lets you choose the length of each permutation through its second argument. This is useful when automatically testing login form bypasses with the strings you can find on this post.

<?php

// Lazily yields every ordering of $r items drawn from $pool, in the same order as
// Python's itertools.permutations (this is a port of that algorithm to a PHP generator).
function permutations($pool, $r = null) {
    $n = count($pool);
    if ($r == null) $r = $n;              // default (and $r = 0): full-length permutations
    if ($r > $n) return;                  // nothing to yield
    $indices = range(0, $n - 1);
    $cycles = range($n, $n - $r + 1, -1); // r counters: n, n-1, ..., n-r+1
    yield array_slice($pool, 0, $r);      // first permutation: the pool in its own order
    if ($n <= 0) return;
    while (true) {
        $exit_early = false;
        for ($i = $r - 1; $i >= 0; $i--) {
            $cycles[$i] -= 1;
            if ($cycles[$i] == 0) {
                // Rotate indices[i..] left by one position and reset this counter.
                $removed = array_splice($indices, $i, 1);
                array_push($indices, $removed[0]);
                $cycles[$i] = $n - $i;
            } else {
                // Swap indices[i] with the j-th element from the end, then emit a row.
                $j = $cycles[$i];
                $i_val = $indices[$i];
                $neg_j_val = $indices[count($indices) - $j];
                $indices[$i] = $neg_j_val;
                $indices[count($indices) - $j] = $i_val;
                $result = [];
                $counter = 0;
                foreach ($indices as $indx) {
                    array_push($result, $pool[$indx]);
                    $counter++;
                    if ($counter == $r) break;
                }
                yield $result;
                $exit_early = true;
                break;
            }
        }
        if (!$exit_early) break;          // every counter exhausted: all rows emitted
    }
}

// Ordered pairs (r = 2) drawn from a pool of five strings.
$result = iterator_to_array(permutations(array("a", "b", "c", "d", "e"), 2));
foreach ($result as $row)
    print implode(" || ", $row) . PHP_EOL;
echo count($result);
?>

The above code will output the following:

a || b
a || c
a || d
a || e
b || a
b || c
b || d
b || e
c || a
c || b
c || d
c || e
d || a
d || b
d || c
d || e
e || a
e || b
e || c
e || d
20
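As an added example (not code from the original post), here is a compact recursive generator that yields the same rows in the same order as the iterative port above, a closed-form count n!/(n-r)! to sanity-check the output, and a helper that consumes the generator lazily. The function names `permutationsRecursive`, `permutationCount` and `takeFirst` and the sample pool are my own choices.

```php
<?php
// Added example, not the original post's code: recursive permutation generator,
// closed-form count, and lazy consumption of the generator.

// Yields every r-length ordering of $pool, one row at a time, in lexicographic
// index order (same order as the iterative generator in the post).
function permutationsRecursive(array $pool, ?int $r = null, array $prefix = []): Generator {
    $n = count($pool);
    $r = $r ?? $n;
    if ($r > $n) {
        return;                        // nothing to yield
    }
    if ($r === 0) {
        yield $prefix;                 // a complete r-length row
        return;
    }
    foreach ($pool as $idx => $item) {
        $rest = $pool;
        unset($rest[$idx]);            // everything except the item just chosen
        yield from permutationsRecursive(array_values($rest), $r - 1, array_merge($prefix, [$item]));
    }
}

// Number of r-permutations of n items: n * (n-1) * ... * (n-r+1).
function permutationCount(int $n, int $r): int {
    if ($r > $n) {
        return 0;
    }
    $count = 1;
    for ($i = 0; $i < $r; $i++) {
        $count *= $n - $i;
    }
    return $count;
}

// Pull only the first $limit rows; the remaining rows are never built, which
// matters once the pool grows past a handful of strings.
function takeFirst(Generator $gen, int $limit): array {
    $rows = [];
    if ($limit <= 0) {
        return $rows;
    }
    foreach ($gen as $row) {
        $rows[] = $row;
        if (count($rows) === $limit) {
            break;
        }
    }
    return $rows;
}

$pool = ["a", "b", "c", "d", "e"];   // constructed sample input

// `yield from` re-uses the inner generators' keys, so pass false to
// iterator_to_array; with preserved keys later rows would overwrite earlier ones.
$rows = iterator_to_array(permutationsRecursive($pool, 2), false);
if (count($rows) !== permutationCount(5, 2)) {
    throw new RuntimeException("expected 20 rows, got " . count($rows));
}
if ($rows[0] !== ["a", "b"] || $rows[19] !== ["e", "d"]) {
    throw new RuntimeException("unexpected row order");
}
echo "5P2 = " . count($rows) . " rows, first " . implode(" || ", $rows[0]) . PHP_EOL;

// 10 items taken 10 at a time is 3,628,800 rows; only three are produced here.
$big = range(1, 10);
foreach (takeFirst(permutationsRecursive($big), 3) as $row) {
    echo implode(" ", $row) . PHP_EOL;
}
echo "10P10 = " . permutationCount(10, 10) . PHP_EOL;
```

The lazy `foreach` is the point of using a generator at all: `iterator_to_array`, as in the post, materialises every row, and for a full-length permutation of a ten-string pool that is several million arrays in memory.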
Posted in Bypass login, PHP snippets | Tagged permutations, php

PHP: upload a file with cURL

Posted on 2019/01/08 - 2019/01/08 by trouble

To upload a file to a server using PHP and cURL you can use the following script. If you need to make a simple POST request, without sending any file, check out my article: “POST request with cURL”.

<?php

// Sends a POST request with cURL and returns curl_getinfo() plus the error
// number, error message and response body.
function postRequest($url, $curl_data) {
    $options = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_ENCODING       => "",
        CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19",
        CURLOPT_AUTOREFERER    => true,
        CURLOPT_CONNECTTIMEOUT => 9,
        CURLOPT_TIMEOUT        => 29,
        CURLOPT_MAXREDIRS      => 3,
        CURLOPT_POST           => 1,
        CURLOPT_POSTFIELDS     => $curl_data, // an array body is sent as multipart/form-data
        CURLOPT_SSL_VERIFYHOST => 0,          // TLS certificate checks are disabled here:
        CURLOPT_SSL_VERIFYPEER => false,      // the script will talk to any certificate
        CURLOPT_VERBOSE        => 1,
        CURLOPT_COOKIE         => "",
        CURLOPT_PROXY          => null
    );

    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);
    $err = curl_errno($ch);
    $errmsg = curl_error($ch);
    $header = curl_getinfo($ch);
    curl_close($ch);

    $header['errno'] = $err;
    $header['errmsg'] = $errmsg;
    $header['content'] = $content;
    return $header;
}

$file_name_with_full_path = realpath("file_to_upload");
if (function_exists('curl_file_create')) // PHP 5.5+
    $cFile = curl_file_create($file_name_with_full_path);
else // older PHP only: the "@/path" convention is no longer honoured from PHP 7.0
    $cFile = '@' . $file_name_with_full_path;
$postData = array("file" => $cFile);

echo print_r(postRequest("http://targeturl.com", $postData), true);

?>
Posted in PHP snippets | Tagged curl, file upload, php, upload

PHP: make post request with cURL

Posted on 2019/01/08 - 2019/01/08 by trouble

I’m using the following simple PHP script to make POST requests. If you need to upload a file instead, check my article: “upload a file with cURL”.

<?php

// Sends a POST request with cURL and returns curl_getinfo() plus the error
// number, error message and response body.
function postRequest($url, $curl_data) {
    $options = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => false,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_ENCODING       => "",
        CURLOPT_USERAGENT      => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.53 Safari/525.19",
        CURLOPT_AUTOREFERER    => true,
        CURLOPT_CONNECTTIMEOUT => 9,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_MAXREDIRS      => 3,
        CURLOPT_POST           => 1,
        CURLOPT_POSTFIELDS     => $curl_data, // a string body is sent as application/x-www-form-urlencoded
        CURLOPT_SSL_VERIFYHOST => 0,          // TLS certificate checks are disabled here:
        CURLOPT_SSL_VERIFYPEER => false,      // the script will talk to any certificate
        CURLOPT_VERBOSE        => 1,
        CURLOPT_PROXY          => null        // if using a proxy, use the syntax "proxyuser:proxypass@proxyurl:proxyport"
    );

    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);
    $err = curl_errno($ch);
    $errmsg = curl_error($ch);
    $header = curl_getinfo($ch);
    curl_close($ch);

    $header['errno'] = $err;
    $header['errmsg'] = $errmsg;
    $header['content'] = $content;
    return $header;
}

echo print_r(postRequest("http://targeturl.com", "fieldA=valueA&fieldB=valueB"), true);

?>
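Both of the cURL snippets on this page (the file upload and the plain POST) switch TLS verification off and follow redirects to any scheme. As an added example, not the original posts' code, here is one helper that serves both cases with verification kept on by default, redirects limited to http(s), and a `CURLFile` instead of the PHP 5 "@/path" convention. The function name `postRequestChecked`, the `example.invalid` URLs and the file name are placeholders of mine.

```php
<?php
// Added example, not the original posts' code: a POST helper covering both a
// form-encoded body and a multipart file upload, with safer cURL defaults.

function postRequestChecked(string $url, $body, array $extraHeaders = [], bool $verifyTls = true): array {
    $ch = curl_init($url);
    $options = [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => false,
        CURLOPT_FOLLOWLOCATION  => true,
        CURLOPT_MAXREDIRS       => 3,
        // Only speak http(s), including after a redirect, so a Location header
        // pointing at file:// or another scheme is refused rather than followed.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 9,
        CURLOPT_TIMEOUT         => 29,
        CURLOPT_POST            => true,
        // A string body goes out as application/x-www-form-urlencoded (unless a
        // Content-Type header overrides it); an array body goes out as
        // multipart/form-data, which is what a CURLFile requires.
        CURLOPT_POSTFIELDS      => $body,
        CURLOPT_HTTPHEADER      => $extraHeaders,
        // Verification stays on unless the caller deliberately turns it off,
        // e.g. when routing its own traffic through an intercepting test proxy.
        CURLOPT_SSL_VERIFYPEER  => $verifyTls,
        CURLOPT_SSL_VERIFYHOST  => $verifyTls ? 2 : 0,
    ];
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);
    $info = curl_getinfo($ch);
    $info['errno']   = curl_errno($ch);
    $info['errmsg']  = curl_error($ch);
    $info['content'] = $content === false ? '' : $content;
    curl_close($ch);
    return $info;
}

// Form-encoded body: http_build_query escapes the values, so a "&" or "="
// inside a value cannot split or inject a field.
$form = postRequestChecked(
    'https://example.invalid/login',                        // placeholder URL
    http_build_query(['fieldA' => 'valueA', 'fieldB' => 'a&b=c'])
);
printf("form: HTTP %d, curl errno %d %s\n", $form['http_code'], $form['errno'], $form['errmsg']);

// JSON body: same helper, explicit Content-Type.
$json = postRequestChecked(
    'https://example.invalid/api',                          // placeholder URL
    json_encode(['fieldA' => 'valueA']),
    ['Content-Type: application/json']
);
printf("json: HTTP %d, curl errno %d %s\n", $json['http_code'], $json['errno'], $json['errmsg']);

// File upload: CURLFile with an explicit MIME type and posted file name.
$path = realpath('file_to_upload');                         // placeholder file name
if ($path !== false) {
    $upload = postRequestChecked(
        'https://example.invalid/upload',                   // placeholder URL
        ['file' => new CURLFile($path, 'application/octet-stream', basename($path))]
    );
    printf("upload: HTTP %d, curl errno %d %s\n", $upload['http_code'], $upload['errno'], $upload['errmsg']);
}
```

Check `errno` before trusting `http_code`: on a connection or certificate failure `curl_exec` returns `false`, `http_code` is 0, and `errmsg` carries the reason. Passing `$verifyTls = false` reproduces the behaviour of the original snippets, which is only appropriate for traffic you own and are intentionally intercepting.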
Posted in PHP snippets | Tagged curl, php, post, post request
