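<?php

/*
 * HTTP helpers for the test suite.
 *
 * Requests go through curl. Every non-empty response body is validated
 * with the external `tidy` program and scanned for the '@@' and '<xss>'
 * markers; a hit terminates the test run. rg_log(), rg_log_ml(),
 * rg_user_pass(), rg_sql_query(), rg_sql_error(), rg_sql_free_result()
 * and rg_cache_unset() are provided elsewhere in the project.
 */

// User agent sent with every request; override with test_set_ua().
if (!isset($test_ua)) {
    $test_ua = "curl";
}

// Referer sent with every request; empty means "send no Referer header".
// Override with test_set_referer().
if (!isset($test_referer)) {
    $test_referer = "";
}

/*
 * Return the first capture group of $pattern in $subject, or "" when the
 * pattern does not match or the PCRE engine reports an error.
 */
function do_req_extract($pattern, $subject)
{
    $matches = array();
    if (preg_match($pattern, $subject, $matches) !== 1) {
        return "";
    }
    return isset($matches[1]) ? $matches[1] : "";
}

/*
 * Validate a response body.
 *
 * A non-empty body must pass `tidy`; any body must not contain the '@@'
 * marker (presumably an unexpanded placeholder - confirm against the
 * templates) nor the '<xss>' marker the tests plant to detect unescaped
 * output. Any failure ends the process with exit status 1, after writing
 * the offending body to http.tidy.out / http_xss.out for inspection.
 */
function do_req_check_body($body)
{
    // Empty bodies are allowed: redirect responses usually carry none.
    if (!empty($body)) {
        file_put_contents("http.tidy.in", $body);
        $cmd = "tidy -errors -utf8 -file http.tidy.out http.tidy.in";
        system($cmd, $ec);
        if ($ec !== 0) {
            echo "tidy ec=$ec\n";
            echo file_get_contents("http.tidy.out");
            exit(1);
        }
    }

    if (strpos($body, '@@') !== false) {
        rg_log_ml("Bad @@! body=" . print_r($body, TRUE));
        exit(1);
    }

    if (strpos($body, '<xss>') !== false) {
        file_put_contents('http_xss.out', $body);
        rg_log("Found <xss> token! Check http_xss.out. \nNot good!");
        exit(1);
    }
}

/*
 * Issue an HTTP request and return the parsed response.
 *
 * $url      - absolute URL ("http://host/path").
 * $data     - array of POST fields; anything else is reset to an empty
 *             array, and an empty array makes the request a GET. Passed
 *             by reference because following a redirect clears it.
 * $headers  - list of raw request header lines ("Name: value"); a
 *             non-array is reset to an empty array. Also by reference:
 *             following a redirect replaces it with the session cookie
 *             when the redirecting response set one.
 * $redirect - recursion depth, used internally to cap redirect chains.
 *
 * Returns FALSE on a transport error (including a redirect chain that
 * fails or exceeds 10 hops), otherwise an array with keys 'header',
 * 'body', 'sid', 'token' and 'logout_token'; the last three are "" when
 * not found. A Location header is followed by hand so the Set-Cookie sid
 * of the intermediate response is not lost: the final response inherits
 * the redirecting response's sid when it did not set one itself.
 *
 * Exits the process when the body fails the checks in do_req_check_body().
 */
function do_req($url, &$data, &$headers, $redirect = 0)
{
    global $test_ua, $test_referer;

    if (!is_array($data)) {
        $data = array();
    }
    if (!is_array($headers)) {
        rg_log("Headers is not an array, reset it.");
        $headers = array();
    }

    // NOTE: this logs the full POST body, including any credentials the
    // test sends (see test_login); keep the log out of shared locations.
    rg_log_ml("do_req url[$url] data=" . print_r($data, TRUE)
        . "headers=" . print_r($headers, TRUE));

    $c = curl_init($url);
    if (count($data) > 0) {
        curl_setopt($c, CURLOPT_POST, 1);
        curl_setopt($c, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($c, CURLOPT_RETURNTRANSFER, TRUE);
    // Redirects are followed manually below so the Set-Cookie of the
    // intermediate response can be captured; CURLOPT_FOLLOWLOCATION
    // would hide it.
    curl_setopt($c, CURLOPT_HEADER, 1);
    curl_setopt($c, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($c, CURLOPT_USERAGENT, $test_ua);
    // Only send a Referer when one was configured; an unset or empty
    // value would otherwise yield an empty "Referer:" header.
    if ($test_referer !== null && $test_referer !== '') {
        curl_setopt($c, CURLOPT_REFERER, $test_referer);
    }

    $r = curl_exec($c);
    if ($r === FALSE) {
        rg_log_ml("Cannot load (url=$url), data: " . print_r($data, TRUE));
        rg_log("curl error: " . curl_error($c));
        curl_close($c);
        return FALSE;
    }

    $header_size = curl_getinfo($c, CURLINFO_HEADER_SIZE);
    curl_close($c);

    $ret = array();
    $ret['header'] = substr($r, 0, $header_size);
    $ret['body'] = substr($r, $header_size);

    do_req_check_body($ret['body']);

    $ret['sid'] = do_req_extract('/Set-Cookie: sid=([a-zA-Z0-9]*)/', $ret['header']);
    $ret['token'] = do_req_extract('/ name="token" value="([a-zA-Z0-9]*)"/', $ret['body']);
    $ret['logout_token'] = do_req_extract('/logout\?token=([a-zA-Z0-9]*)"/', $ret['body']);

    $matches = array();
    if (preg_match('/Location: (.*)\s/', $ret['header'], $matches) !== 1) {
        return $ret;
    }

    // Follow the redirect by hand. Bound the chain so a server that
    // redirects in a loop cannot recurse until the stack is exhausted.
    if ($redirect >= 10) {
        rg_log("Too many redirects (url=$url)");
        return FALSE;
    }

    // An absolute Location is used as-is; a path-only Location is resolved
    // against the scheme and host[:port] of the current URL.
    $location = trim($matches[1]);
    $scheme = "http://";
    foreach (array("http://", "https://") as $prefix) {
        if (strncmp($url, $prefix, strlen($prefix)) === 0) {
            $scheme = $prefix;
            $url = substr($url, strlen($prefix));
            break;
        }
    }
    rg_log("redirect to url=$url");
    if (preg_match('#^https?://#i', $location) === 1) {
        $new = $location;
    } else {
        $t = explode("/", $url, 2);
        $new = $scheme . $t[0] . $location;
    }

    // The redirected request is always a GET, carrying the freshly
    // issued session cookie when there is one.
    $data = array();
    if (!empty($ret['sid'])) {
        $headers = array("Cookie: sid=" . $ret['sid']);
    }
    $f = do_req($new, $data, $headers, $redirect + 1);
    if ($f === FALSE) {
        return FALSE;
    }
    if (empty($f['sid'])) {
        $f['sid'] = $ret['sid'];
    }
    return $f;
}

/*
 * Log in as $rg_ui['username'] / $rg_ui['pass'] at $url . "/op/login".
 *
 * Returns the final do_req() response array, or FALSE when the form
 * cannot be loaded, no pre-login session is issued, the login request
 * fails, or the server answers "invalid user or pass".
 *
 * $good_sid receives the sid of the last successful response: the
 * pre-login one after the form is fetched, then the post-login one.
 * The form is first requested with a stale cookie to verify that the
 * server replaces it with a fresh pre-login session, recognised by a
 * leading "X".
 */
function test_login($url, $rg_ui, &$good_sid)
{
    // Load the form to obtain the CSRF token, presenting an old cookie
    // that the server is expected to replace.
    $data = array();
    $headers = array("Cookie: sid=d978671c2cd12fba05be218bb1653c1ce7bfb947");
    $r = do_req($url . "/op/login", $data, $headers);
    if ($r === FALSE) {
        echo "Cannot load login form.\n";
        return FALSE;
    }

    $good_sid = $r['sid'];
    $good_token = $r['token'];
    rg_log("good: sid=$good_sid token=$good_token");
    if (strncmp($good_sid, "X", 1) !== 0) {
        rg_log("Seems we did not get a pre-login session!");
        return FALSE;
    }

    rg_log("Do the real login post request");
    $data = array(
        "doit" => 1,
        "token" => $good_token,
        "user" => $rg_ui['username'],
        "pass" => $rg_ui['pass'],
        "lock_ip" => 1,
    );
    $headers = array("Cookie: sid=" . $good_sid);
    $r = do_req($url . "/op/login", $data, $headers);
    if ($r === FALSE) {
        // do_req already logged the curl error; the credentials are
        // deliberately not repeated here.
        rg_log("Cannot login: request to " . $url . "/op/login failed");
        return FALSE;
    }

    $good_sid = $r['sid'];
    if (strpos($r['body'], "invalid user or pass") !== false) {
        rg_log_ml(print_r($r, TRUE));
        rg_log("Login invalid. Check above!");
        return FALSE;
    }

    return $r;
}

/*
 * Restore the password 'aaaa' (with a fixed salt) and a 3600s session
 * time for user 'catab', then drop the cached record "user::4"
 * (NOTE(review): assumes catab's user id is 4 - confirm against the DB).
 *
 * The SQL is built by interpolation; that is acceptable only because the
 * salt and password are constants defined here, not external input.
 * Exits the process if the update fails.
 */
function test_restore($db)
{
    $salt = 'd0a41957b835fbf7bfe63b750db15108cc048259';
    // rg_user_pass() presumably derives the stored hash from salt and
    // clear-text password - confirm its output is safe to interpolate.
    $pass = rg_user_pass($salt, 'aaaa');

    $sql = "UPDATE users SET salt = '$salt'"
        . ", pass = '$pass'"
        . ", session_time = 3600"
        . " WHERE username = 'catab'";
    $res = rg_sql_query($db, $sql);
    if ($res === FALSE) {
        rg_log("Cannot update (" . rg_sql_error() . ")!");
        exit(1);
    }
    rg_sql_free_result($res);

    rg_cache_unset("user::4");
}

/*
 * Set the user agent used by do_req().
 */
function test_set_ua($s)
{
    global $test_ua;
    $test_ua = $s;
}

/*
 * Set the Referer used by do_req(); an empty value sends none.
 */
function test_set_referer($s)
{
    global $test_referer;
    $test_referer = $s;
}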