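<?php
// Test-harness HTTP helpers for the application under test: issue a request
// through curl, scan the answer for debugging markers (the '<xss>' canary,
// unresolved '@@' template variables, tidy-valid markup) and pull out the
// session id and form tokens needed by follow-up requests.

if (!isset($test_ua))
    $test_ua = "curl";
// Declared here so do_req() never reads an undeclared global; null means
// "send no Referer header".
if (!isset($test_referer))
    $test_referer = null;

/*
 * Performs one HTTP request and dissects the answer.
 * Data is an array of POST fields; $data and $headers are taken by
 * reference because the redirect branch below rewrites them before
 * following a Location header.
 * Returns FALSE when curl fails or too many redirects are chained, else
 * an array with keys 'header', 'body', 'sid', 'tokens' (form token name =>
 * value, plus 'logout') and, when the page shows one, 'totp_secret'.
 * $redirects is internal: the number of Location hops already followed.
 * Exits the process (exit(1)) when the body fails one of the sanity checks.
 */
function do_req($url, &$data, &$headers, $redirects = 0)
{
    global $test_ua, $test_referer;

    if (!is_array($data))
        $data = array();
    // Every request asks the application for its debug output.
    $data['rg_debug'] = 1;

    if (!is_array($headers)) {
        rg_log("Headers is not an array, reset it.");
        $headers = array();
    }

    rg_log_ml("do_req url[$url] data=" . print_r($data, TRUE)
        . "headers=" . print_r($headers, TRUE));

    // NOTE(review): because rg_debug was just added to $data, count($data)
    // is never 0, so the GET branch is currently dead and every request
    // goes out as a POST. Kept so the branch works if that ever changes;
    // the URL is adjusted before curl_init() so the parameter is actually sent.
    $is_post = count($data) > 0;
    if (!$is_post) {
        if (strpos($url, '?') === false)
            $url .= '?rg_debug=1';
        else
            $url .= '&rg_debug=1';
    }

    $c = curl_init($url);
    if ($is_post) {
        curl_setopt($c, CURLOPT_POST, 1);
        curl_setopt($c, CURLOPT_POSTFIELDS, $data);
    }
    curl_setopt($c, CURLOPT_RETURNTRANSFER, TRUE);
    // We cannot use CURLOPT_FOLLOWLOCATION because we would not get a
    // chance to capture the sid cookie set on the intermediate response;
    // redirects are followed by hand at the end of this function.
    curl_setopt($c, CURLOPT_HEADER, 1);
    curl_setopt($c, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($c, CURLOPT_USERAGENT, $test_ua);
    curl_setopt($c, CURLOPT_REFERER, $test_referer);
    curl_setopt($c, CURLOPT_CERTINFO, TRUE);
    curl_setopt($c, CURLOPT_VERBOSE, TRUE);

    // curl's verbose trace is captured in a temp stream so it can be logged.
    $err = @fopen('php://temp', 'w+');
    if ($err !== FALSE)
        curl_setopt($c, CURLOPT_STDERR, $err);
    else
        rg_log('Cannot open stderr redirection!');

    $r = curl_exec($c);

    if ($err !== FALSE) {
        rewind($err);
        $xerr = stream_get_contents($err);
        fclose($err);
        if ($xerr !== FALSE)
            rg_log_ml($xerr);
    }

    if ($r === FALSE) {
        rg_log_ml("Cannot load (url=$url), data: " . print_r($data, TRUE));
        rg_log("curl error: " . curl_error($c));
        curl_close($c);
        return FALSE;
    }

    $header_size = curl_getinfo($c, CURLINFO_HEADER_SIZE);
    curl_close($c);

    $ret = array();
    $ret['header'] = (string) substr($r, 0, $header_size);
    $ret['body'] = (string) substr($r, $header_size);

    // The test data carries a literal '<xss>' canary; if it reaches the
    // body unescaped, the application failed to encode its output.
    if (stristr($ret['body'], '<xss>')) {
        file_put_contents('http_xss.out', $ret['body']);
        rg_log("Found <xss> token! Check http_xss.out. 
Not good!");
        exit(1);
    }

    // Check the markup with tidy; an empty body is fine (e.g. a redirect).
    if (!empty($ret['body'])) {
        // Strip markup we accept but tidy complains about.
        $ret['body'] = str_replace('autocomplete="off"', '', $ret['body']);
        $ret['body'] = str_replace('<xss>', '|xss|', $ret['body']);
        file_put_contents("http.tidy.in", $ret['body']);
        // Fixed command line, nothing from the response is interpolated.
        $cmd = "tidy -errors -utf8 -file http.tidy.out http.tidy.in";
        system($cmd, $ec);
        if ($ec !== 0) {
            echo "tidy ec=$ec\n";
            echo file_get_contents("http.tidy.out");
            exit(1);
        }
    }

    // A '@@word@@' left in the body is a template variable nobody replaced.
    if (strpos($ret['body'], '@@') !== false) {
        $t = explode('@@', $ret['body']);
        $t = explode('@@', $t[1]);
        if (strpos($t[0], ' ') === false) {
            rg_log_ml("We have unresolved variables: [" . $t[0] . "]!");
            exit(1);
        }
    }

    // Session id handed out by the application.
    if (preg_match('/Set-Cookie: sid=([a-zA-Z0-9]*)/', $ret['header'], $matches) === 1)
        $ret['sid'] = $matches[1];
    else
        $ret['sid'] = "";

    // Form tokens are rendered as 'value:name' in debug mode; index them by name.
    $ret['tokens'] = array();
    $x = preg_match_all('/ name="token" value="([a-zA-Z0-9_:]*)"/', $ret['body'], $matches);
    if (($x !== FALSE) && isset($matches[1])) {
        foreach ($matches[1] as $m) {
            $t = explode(':', $m);
            if (!isset($t[1])) {
                rg_log_ml('body: ' . print_r($ret['body'], TRUE));
                rg_log_ml('matches: ' . print_r($matches[1], TRUE));
                rg_log('Invalid debug token: ' . $m);
                exit(1);
            }
            $ret['tokens'][$t[1]] = $t[0];
        }
    }
    rg_log_ml('DEBUG ret[tokens]: ' . print_r($ret['tokens'], TRUE));

    // The logout link carries its own token.
    if (preg_match('/logout\?token=([a-zA-Z0-9:]*)"/', $ret['body'], $matches) === 1) {
        $t = explode(':', $matches[1]);
        $ret['tokens']['logout'] = $t[0];
    } else {
        $ret['tokens']['logout'] = '';
    }

    // TOTP secret shown on the enrolment page, if any.
    $x = preg_match_all('/ class="secret_token">([A-Z0-9]*)</', $ret['body'], $matches);
    if (($x !== FALSE) && isset($matches[1][0])) {
        $ret['totp_secret'] = $matches[1][0];
        rg_log('DEBUG ret[totp_secret]=' . $ret['totp_secret']);
    }

    // Follow a redirect ourselves, carrying the fresh session along.
    if (preg_match('/Location: (.*)\s/', $ret['header'], $matches) === 1) {
        if ($redirects >= 10) {
            rg_log("Too many redirects (last one to " . trim($matches[1]) . ")!");
            return FALSE;
        }
        // Location is expected to be a path on the same host; rebuild an
        // absolute URL from the host part of the request we just made.
        if (strncmp($url, "http://", 7) == 0)
            $url = substr($url, 7);
        $t = explode("/", $url, 2);
        $new = "http://" . $t[0] . trim($matches[1]);
        rg_log("Redirecting to $new...");
        $data = array();
        // Without a new sid the caller's headers (and cookie) are reused.
        if (!empty($ret['sid']))
            $headers = array("Cookie: sid=" . $ret['sid']);
        $f = do_req($new, $data, $headers, $redirects + 1);
        if ($f === FALSE)
            return FALSE;
        // The redirect target may not set a cookie; keep the one we got here.
        if (empty($f['sid']))
            $f['sid'] = $ret['sid'];
        return $f;
    }

    // Keep the last two bodies on disk for post-mortem inspection.
    if (file_exists('http-last.out'))
        rename('http-last.out', 'http-prev.out');
    file_put_contents('http-last.out', $ret['body']);

    return $ret;
}

/*
 * Helper function that will do the login and will return the good sid
 * $rg_ui must provide 'username' and 'pass'.
 * On success returns the do_req() result of the login POST and stores the
 * logged-in session id in $good_sid; returns FALSE on any failure.
 */
function test_login($url, $rg_ui, &$good_sid)
{
    // First we need to load the form so we can get the token
    // We provide an old cookie to test if we generate a new pre-login one
    $data = array();
    $headers = array("Cookie: sid=d978671c2cd12fba05be218bb1653c1ce7bfb947");
    $r = do_req($url . "/op/login", $data, $headers);
    if ($r === FALSE) {
        echo "Cannot load login form.\n";
        return FALSE;
    }

    $good_sid = $r['sid'];
    if (!isset($r['tokens']['login'])) {
        rg_log_ml("No login token in the form: " . print_r($r['tokens'], TRUE));
        return FALSE;
    }
    $good_token = $r['tokens']['login'];
    rg_log("good: sid=$good_sid token=$good_token");

    // The check below relies on pre-login sessions starting with 'X'.
    if (strncmp($good_sid, "X", 1) != 0) {
        rg_log("Seems we did not get a pre-login session!");
        return FALSE;
    }

    // Now, post login form
    rg_log("Do the real login post request");
    $data = array(
        "doit" => 1,
        "token" => $good_token,
        "user" => $rg_ui['username'],
        "pass" => $rg_ui['pass'],
        "lock_ip" => 1,
    );
    $headers = array("Cookie: sid=" . $good_sid);
    $r = do_req($url . "/op/login", $data, $headers);
    if ($r === FALSE) {
        // $data holds the password, so it is deliberately not logged here.
        rg_log("Cannot login: request failed!");
        return FALSE;
    }

    $good_sid = $r['sid'];
    if (strstr($r['body'], "invalid user")) {
        rg_log_ml(print_r($r, TRUE));
        rg_log("Login invalid. Check above!");
        return FALSE;
    }

    return $r;
}

/*
 * Restore password aaaa for user catab
 * Salt and password are fixed constants of the test setup, so interpolating
 * them into the SQL is safe here; if either ever comes from outside, switch
 * to a parameterised query.
 * Exits the process when the update fails.
 */
function test_restore($db)
{
    $salt = 'd0a41957b835fbf7bfe63b750db15108cc048259';
    $pass = rg_user_pass($salt, 'aaaa');
    $sql = "UPDATE users SET salt = '$salt'"
        . ", pass = '$pass'"
        . ", session_time = 3600"
        . " WHERE username = 'catab'";
    $res = rg_sql_query($db, $sql);
    if (!$res) {
        rg_log("Cannot update (" . rg_sql_error() . ")!");
        exit(1);
    }
    rg_sql_free_result($res);
    // Drop the cached user record so the new password is picked up.
    rg_cache_unset('user::4::info', RG_SOCKET_NO_WAIT);
}

/*
 * Set user agent sent by do_req()
 */
function test_set_ua($s)
{
    global $test_ua;
    $test_ua = $s;
}

/*
 * Set referer sent by do_req()
 */
function test_set_referer($s)
{
    global $test_referer;
    $test_referer = $s;
}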