Writing a UDP packet forger in PHP - php

I am working on a UDP spoofer written in PHP and I wanted to know how I can forge those packets. Any help is appreciated. Thank you!

The following function will create a socket in PHP with a port number. Depending on what you are spoofing, you will need to modify the 'message'. The example below is in clear text, but applications often transmit this in the form of binary information, which will need to be reverse engineered to spoof it.
function sendUDP($host, $msg, $timeout = 1) {
    // Ordinary UDP socket: the kernel builds the IP header, so the datagram
    // carries this host's own source address (nothing is forged here)
    $socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    // Give up waiting for a reply after $timeout seconds
    socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $timeout, 'usec' => 0));
    socket_connect($socket, $host, 8000); // Set up to send to port 8000, change to any port
    socket_send($socket, $msg, strlen($msg), 0);
    $buf = "";
    $from = "";
    $port = 0;
    // Read up to 24 bytes of reply, if one arrives before the timeout
    @socket_recvfrom($socket, $buf, 24, 0, $from, $port);
    socket_close($socket);
    return $buf;
}
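The function above sends a normal datagram, so the kernel writes the IP header and the source address is always the sending host's. Forging the source means building the IPv4 and UDP headers yourself, including both checksums, and handing the finished bytes to a raw socket. The following is an added example (not the answer's code) that builds such a datagram and verifies it offline. The addresses, ports and payload are made-up sample values; the raw-socket sender assumes Linux, where IP_HDRINCL has the value 3 (PHP's socket extension does not export that constant), and needs root or CAP_NET_RAW.

```php
<?php
// Added example: build a complete IPv4 + UDP datagram with a chosen source
// address and valid checksums. Only a raw socket with IP_HDRINCL will send
// these bytes unchanged; a SOCK_DGRAM socket cannot.

// RFC 1071 Internet checksum: ones'-complement sum of 16-bit big-endian words.
function inet_checksum(string $data): int
{
    if (strlen($data) % 2 === 1) {
        $data .= "\x00";                       // pad odd-length input
    }
    $sum = 0;
    foreach (unpack('n*', $data) as $word) {
        $sum += $word;
    }
    while ($sum >> 16) {                       // fold carries back into 16 bits
        $sum = ($sum & 0xFFFF) + ($sum >> 16);
    }
    return (~$sum) & 0xFFFF;
}

// 8-byte UDP header + payload. The checksum covers a pseudo-header (RFC 768),
// so it also binds the spoofed source address.
function build_udp(string $src, string $dst, int $sport, int $dport, string $payload): string
{
    $len = 8 + strlen($payload);
    $udp = pack('nnnn', $sport, $dport, $len, 0) . $payload;
    $pseudo = $src . $dst . pack('CCn', 0, 17, $len);   // zero, proto=UDP, UDP length
    $csum = inet_checksum($pseudo . $udp);
    if ($csum === 0) {
        $csum = 0xFFFF;                        // RFC 768: a computed 0 is sent as all ones
    }
    return substr_replace($udp, pack('n', $csum), 6, 2);
}

// 20-byte IPv4 header (no options) in front of the transport segment.
function build_ipv4(string $srcIp, string $dstIp, string $transport, int $id = 0x1234): string
{
    $src = inet_pton($srcIp);
    $dst = inet_pton($dstIp);
    // ver/IHL, TOS, total length, id, DF flag, TTL, proto=UDP, checksum=0
    $hdr = pack('CCnnnCCn', 0x45, 0, 20 + strlen($transport), $id, 0x4000, 64, 17, 0) . $src . $dst;
    $hdr = substr_replace($hdr, pack('n', inet_checksum($hdr)), 10, 2);
    return $hdr . $transport;
}

function build_udp_datagram(string $srcIp, int $sport, string $dstIp, int $dport, string $payload): string
{
    $udp = build_udp(inet_pton($srcIp), inet_pton($dstIp), $sport, $dport, $payload);
    return build_ipv4($srcIp, $dstIp, $udp);
}

// Receiver-side check: a correct checksum verifies to 0 over the bytes that include it.
function verify_udp_datagram(string $pkt): bool
{
    if (strlen($pkt) < 28 || ord($pkt[0]) !== 0x45 || ord($pkt[9]) !== 17) {
        return false;
    }
    $ipOk = inet_checksum(substr($pkt, 0, 20)) === 0;
    $udp = substr($pkt, 20);
    $pseudo = substr($pkt, 12, 8) . pack('CCn', 0, 17, strlen($udp));   // src + dst addresses
    $udpOk = inet_checksum($pseudo . $udp) === 0;
    return $ipOk && $udpOk;
}

// Sending the raw bytes (assumption: Linux, running as root). IP_HDRINCL is not
// exported by PHP's socket extension, so its Linux value 3 is used directly.
function send_raw_ipv4(string $pkt, string $dstIp)
{
    $sock = socket_create(AF_INET, SOCK_RAW, SOL_UDP);
    if ($sock === false || !socket_set_option($sock, IPPROTO_IP, 3, 1)) {
        return false;
    }
    $sent = socket_sendto($sock, $pkt, strlen($pkt), 0, $dstIp, 0);   // port is ignored for raw sockets
    socket_close($sock);
    return $sent;
}

// Offline demo with made-up documentation-range addresses; nothing is sent.
$pkt = build_udp_datagram('192.0.2.1', 40000, '198.51.100.7', 8000, 'hello');
printf("%d bytes, checksums %s\n", strlen($pkt), verify_udp_datagram($pkt) ? 'ok' : 'BAD');
// send_raw_ipv4($pkt, '198.51.100.7');   // only on a host where you are allowed to do this
```

Two things to keep in mind when you put a source address in there that is not yours: most hosting providers and cloud networks drop outbound packets whose source does not belong to the sender (BCP 38 filtering), and any reply goes to the forged address, not to you, so the `socket_recvfrom` in the answer above will never see it.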

Just read this code:
server.php
<?php
//error_reporting( E_ALL );
set_time_limit( 0 );
ob_implicit_flush();
$socket = socket_create( AF_INET, SOCK_DGRAM, SOL_UDP );
if ( $socket === false ) {
    echo "socket_create() failed: reason: " . socket_strerror( socket_last_error() ) . "\n";
    exit( 1 );
}
$ok = socket_bind( $socket, '202.85.218.133', 11109 );
if ( $ok === false ) {
    echo "socket_bind() failed: reason: " . socket_strerror( socket_last_error( $socket ) ) . "\n";
    exit( 1 );
}
while ( true ) {
    $from = "";
    $port = 0;
    $buf = "";
    // Block until one datagram (up to 1024 bytes) arrives, then print it
    socket_recvfrom( $socket, $buf, 1024, 0, $from, $port );
    echo $buf;
    usleep( 1000 );
}
?>
client.php
<?php
$sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
$msg = 'hello';
$len = strlen($msg);
// One datagram to the server's address and port; UDP makes no connection
socket_sendto($sock, $msg, $len, 0, '202.85.218.133', 11109);
socket_close($sock);
?>

Related

How to access to socket object from a different php file

I want to send something to my connected clients from another PHP script. But when I use the function "send", clientlist is null.
Can you help me with this, please?
Socket.php:
$clientlist = array();
function run() {
global $clientlist;
set_time_limit(0);
$address = '127.0.0.1';
$port = 80;
$sock = socket_create(AF_INET, SOCK_STREAM, 0);
socket_bind($sock, 0, $port) or die('Could not bind to address');
socket_listen($sock);
printf("Listening...\r\n");
while (true) {
$client = socket_accept($sock);
$input = socket_read($client, 1024000);
$clientlist[] = $client;
}
}
function send($msg) {
global $clientlist;
printf("Count: " . count($clientlist) . "\r\n");
socket_write($clientlist[0], "Hey");
}
Msg.php:
include("socket.php");
send($_GET['msg']);

Different PHPSESSID in WebSocket handshake

When the WebSocket handshake is done I receive a PHPSESSID different from the one in the browser, why is this?
Client code for connecting:
websocket = new WebSocket("ws://192.168.0.109:9000/php_servers/socketserver1/socketserver.php");
Server code for reading header:
<?php
include "../serverfunctions.php";
include "eventfunctions.php";
$host = '192.168.0.109';
$port = '9000';
$null = NULL;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($socket, 0, $port);
socket_listen($socket);
$clients = array($socket);
while (true)
{
$changed = $clients;
socket_select($changed, $null, $null, 0, 10);
if (in_array($socket, $changed))
{
$socket_new = socket_accept($socket);
$clients[] = $socket_new;
$header = socket_read($socket_new, 1024);

PHP: Socket server interrupted by socket_recv()

I am writing a PHP socket server; displayed here is the error-causing portion. I found out that socket_recv() is causing the problem: it only lets one computer connect. However, if I comment out socket_recv then it works fine. But I have to receive data in the socket server as well. Help me find a solution. Please also point out anything wrong with the code. The jQuery part is working fine, hence I didn't print it here.
<?php
set_time_limit(0);
$host = '172.28.4.5';
$port = 10000;
$null = NULL;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($socket, $host, $port);
socket_listen($socket);
$clients = array($socket);
while(true) {
$new_socket = socket_accept($socket);//Accepting new connection/socket/client if any
$clients[] = $new_socket;//Adding the new client/socket/connection to client array
$header = socket_read($new_socket, 1024);
perform_handshaking($header, $new_socket, $host, $port);
/* If I want to notify if new connection is established**/
socket_getpeername($new_socket, $ip);
$message = "Welcome to WebSocket $ip";
$array = array(
'message' => $message
);
$message = mask(json_encode($array));
write_to_socket($message);
$found = array_search($socket, $clients);
unset($clients["$found"]);
//Going through each client
foreach($clients as $client) {
//Getting messages with loop how many packages for each client has
while(socket_recv($client, $buf, 1024, 0) >= 1) {
$array = json_decode(unmask($buf));
print_r($array);
}
}
}
?>
It seems that the code is wrong:
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
socket_bind($socket, $host, $port);
socket_listen($socket);
//$clients = array($socket); <---- here
while(true) {
It seems that you add the listening socket to the array; you should not receive any data from the listening socket.
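Both this question and the earlier one ("How to access to socket object from a different php file") run into the same two facts: a listening socket is only ever passed to socket_accept(), never to socket_recv(), and a socket belongs to the process that created it, so a second PHP script (Msg.php, or a web request) cannot reach the $clientlist of the running server. The added example below, which is not code from either question, shows the usual shape of a fix: one socket_select() loop owns the listening socket and every client, and a second process injects messages through a Unix-domain control socket that the same loop also watches. The port and the control-socket path are made-up values.

```php
<?php
// Added example: a select()-driven server plus a control socket for other
// processes. Listening socket -> accept only; clients -> read; control -> read.

const LISTEN_PORT  = 8080;                       // assumption
const CONTROL_PATH = '/tmp/chat-control.sock';   // assumption

// Deliver one line to every connected TCP client.
function broadcast(array $clients, string $msg): void
{
    foreach ($clients as $c) {
        @socket_write($c, $msg . "\n");
    }
}

function serve(): void
{
    set_time_limit(0);
    $listen = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
    socket_set_option($listen, SOL_SOCKET, SO_REUSEADDR, 1);
    socket_bind($listen, '127.0.0.1', LISTEN_PORT) or die("bind failed\n");
    socket_listen($listen);

    @unlink(CONTROL_PATH);
    $control = socket_create(AF_UNIX, SOCK_STREAM, 0);
    socket_bind($control, CONTROL_PATH) or die("control bind failed\n");
    socket_listen($control);
    chmod(CONTROL_PATH, 0600);                   // only this user may inject messages

    $clients = [];
    while (true) {
        // Watch both listeners and all clients; select() rewrites $read with the ready ones.
        $read = array_merge([$listen, $control], $clients);
        $w = $e = null;
        if (socket_select($read, $w, $e, null) === false) {
            break;
        }
        foreach ($read as $sock) {
            if ($sock === $listen) {                        // new chat client
                if (($c = socket_accept($listen)) !== false) {
                    $clients[] = $c;
                }
            } elseif ($sock === $control) {                 // message pushed by another process
                $conn = socket_accept($control);
                $msg = rtrim((string) socket_read($conn, 4096), "\r\n");
                socket_close($conn);
                if ($msg !== '') {
                    broadcast($clients, $msg);
                }
            } else {                                        // data or EOF from a client
                $buf = @socket_read($sock, 1024);
                if ($buf === false || $buf === '') {        // client went away
                    socket_close($sock);
                    $clients = array_values(array_filter($clients, fn($c) => $c !== $sock));
                } else {
                    broadcast($clients, rtrim($buf, "\r\n"));
                }
            }
        }
    }
}

// What the "other script" does: hand the message to the running loop.
function push(string $msg): bool
{
    $sock = socket_create(AF_UNIX, SOCK_STREAM, 0);
    if (!@socket_connect($sock, CONTROL_PATH)) {
        return false;                                       // server is not running
    }
    $ok = socket_write($sock, $msg . "\n") !== false;
    socket_close($sock);
    return $ok;
}

// php server.php serve          -> run the loop
// php server.php push "hello"   -> from any other process (e.g. a web request)
if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'serve') {
    serve();
} elseif (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'push') {
    echo push($argv[2] ?? '') ? "sent\n" : "server not running\n";
}
```

The control socket is a file on disk, so file permissions decide who may broadcast; anything reachable from a web request (such as Msg.php passing $_GET['msg'] straight through) should validate and length-limit the message before calling push().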

how to make websocket secure connection in php socket

I am making a chatroom using WebSockets, which is working fine when I use an unencrypted connection, but after I use a certificate it doesn't work anymore.
In JavaScript I was opening the connection to the WebSocket server at serverr.php like this:
var wsUri = "ws://mydomain.com:9002/chat/serverr.php";
websocket1 = new WebSocket(wsUri);
Now I know that I must use wss:// instead of ws:// so now I am using:
var wsUri = "wss://mydomain.com:9002/chat/serverr.php";
websocket1 = new WebSocket(wsUri);
But I get the following error:
WebSocket connection to 'wss://mydomain.com:9002/chat/serverr.php' failed: Error in connection establishment: net::ERR_SSL_PROTOCOL_ERROR
But I don't know how to make a wss:// connection. I tried to modify my code with the following part:
set_time_limit(0);
require_once($_SERVER['DOCUMENT_ROOT']."../../../home/username/public_html/config/config.php");
$host = 'ssl://0.0.0.0'; //host
$port = '9002'; //port
$null = NULL; //null var
// Generate certificate
$privkey = openssl_pkey_new();
$cert = openssl_csr_new($dn, $privkey);
$cert = openssl_csr_sign($cert, null, $privkey, 365);
// Generate PEM file
# Optionally change the passphrase from 'comet' to whatever you want, or leave it empty for no passphrase
$pem_passphrase = 'comet';
$pem = array();
openssl_x509_export($cert, $pem[0]);
openssl_pkey_export($privkey, $pem[1], $pem_passphrase);
$pem = implode($pem);
// Save PEM file
$pemfile = 'server.pem';
file_put_contents($pemfile, $pem);
//Create TCP/IP stream socket
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
//reuseable port
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
socket_set_option($socket, SOL_SOCKET, 'ssl', 'local_cert', $pemfile);
socket_set_option($socket, SOL_SOCKET, 'ssl', 'passphrase', $pem_passphrase);
socket_set_option($socket, SOL_SOCKET, 'ssl', 'allow_self_signed', true);
socket_set_option($socket, SOL_SOCKET, 'ssl', 'verify_peer', false);
//bind socket to specified host
socket_bind($socket, 0, $port);
//the rest of code is still unmodified is like in the page serverr.php
Code in serverr.php
set_time_limit(0);
require_once($_SERVER['DOCUMENT_ROOT']."../../../home/username/public_html/config/config.php");
$host = 'localhost'; //host
$port = '9002'; //port
$null = NULL; //null var
//Create TCP/IP stream socket
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
//reuseable port
socket_set_option($socket, SOL_SOCKET, SO_REUSEADDR, 1);
//bind socket to specified host
socket_bind($socket, 0, $port);
//listen to port
socket_listen($socket);
//create & add listening socket to the list
$clients = array($socket);
//start endless loop, so that our script doesn't stop
while (true) {
//manage multiple connections
$changed = $clients;
//returns the socket resources in $changed array
socket_select($changed, $null, $null, 0, 10);
//check for new socket
if (in_array($socket, $changed)) {
$socket_new = socket_accept($socket); //accept new socket
$clients[] = $socket_new; //add socket to client array
$header = socket_read($socket_new, 1024); //read data sent by the socket
perform_handshaking($header, $socket_new, $host, $port); //perform websocket handshake
//fetch the most recent messages (start)
$cerereinitialachat=mysqli_query($conexiune,"SELECT * FROM `chat_messages` ORDER BY `datesend` DESC LIMIT 17");
$obiectinitialchat=null;
$obiectobjectcount=0;
while ($rezultat=mysqli_fetch_assoc($cerereinitialachat)) {
$row=$rezultat;
$id;
$sender_steamid;
$avatar;
$sender_name;
$message;
$datesend;
$steamprofile;
$color;
foreach($row as $key=>$value){
if($key=="id"){
$id=$value;
}
if($key=="sender_steamid"){
$sender_steamid=$value;
}
if($key=="avatar"){
$avatar=$value;
}
if($key=="sender_name"){
$sender_name=$value;
}
if($key=="message"){
$message=$value;
}
if($key=="datesend"){
$datesend=$value;
}
if($key=="steamprofile"){
$steamprofile=$value;
}
if($key=="color"){
$color=$value;
}
}
$obiectinitialchat[$obiectobjectcount]=new stdClass;
$obiectinitialchat[$obiectobjectcount]->avatar=$avatar;
$obiectinitialchat[$obiectobjectcount]->name=$sender_name;
$obiectinitialchat[$obiectobjectcount]->message=$message;
$obiectinitialchat[$obiectobjectcount]->datesend=$datesend;
$obiectinitialchat[$obiectobjectcount]->steamprofile=$steamprofile;
$obiectinitialchat[$obiectobjectcount]->color=$color;
$obiectobjectcount=$obiectobjectcount+1;
}
//fetch the most recent messages (stop)
$cererenumaruonline=mysqli_query($conexiune,"SELECT * FROM `users` WHERE `online`!='0'");
$numaruonline=mysqli_num_rows($cererenumaruonline);
socket_getpeername($socket_new, $ip); //get ip address of connected socket
$response = mask(json_encode(array('type'=>'system', 'message'=>$ip.' connected', 'uonline'=>$numaruonline, 'lastmessages'=>$obiectinitialchat))); //prepare json data
send_message($response); //notify all users about new connection
//make room for new socket
$found_socket = array_search($socket, $changed);
unset($changed[$found_socket]);
}
//loop through all connected sockets
foreach ($changed as $changed_socket) {
//check for any incomming data
while(socket_recv($changed_socket, $buf, 1024, 0) >= 1){
$received_text = unmask($buf); //unmask data
$tst_msg = json_decode($received_text); //json decode
$user_steamid = esc($conexiune,$tst_msg->steamid); //sender steamid
$user_avatar = esc($conexiune,$tst_msg->avatar); //avatar
$user_name = esc($conexiune,$tst_msg->name); //sender name
$user_message = esc($conexiune,$tst_msg->message); //message text
$user_steamprofile = esc($conexiune,$tst_msg->steamprofile); //steamprofile
$user_message_date = time(); //message text date
$user_message=preg_replace("/\r|\n/", "", $user_message);//strip newlines
if (ctype_space($user_message)) {
//if it is only whitespace
$user_message=preg_replace('/\s+/', "", $user_message);//strip the whitespace
}
$admin;
$color="normal";
$raspuns=mysqli_query($conexiune,"SELECT * FROM `users` WHERE `steamid`='".$user_steamid."'");
while($rezultat=mysqli_fetch_assoc($raspuns)){
$row=$rezultat;
foreach($row as $key=>$value){
if($key=="dirijor"){
$admin=$value;
}
}
}
if($admin=="Yes" || $user_steamid=="76561197997524415"){
$color="red";
}
if($user_steamid!="" && $user_steamid!=null && $user_message!="" && $user_message!=null){
mysqli_query($conexiune,"INSERT INTO `chat_messages` (`sender_steamid`,`avatar`,`sender_name`,`message`,`datesend`,`steamprofile`,`color`) VALUES ('".$user_steamid."','".$user_avatar."','".$user_name."','".$user_message."','".$user_message_date."','".$user_steamprofile."','".$color."')");
//prepare data to be sent to client
$response_text = mask(json_encode(array('type'=>'usermsg', 'avatar'=>$user_avatar, 'name'=>$user_name, 'message'=>$user_message, 'datesend'=>$user_message_date, 'steamprofile'=>$user_steamprofile, 'color'=>$color)));
send_message($response_text); //send data
}
break 2; //exit this loop
}
$buf = #socket_read($changed_socket, 1024, PHP_NORMAL_READ);
if ($buf === false) { // check disconnected client
// remove client for $clients array
$found_socket = array_search($changed_socket, $clients);
socket_getpeername($changed_socket, $ip);
unset($clients[$found_socket]);
$cererenumaruonline2=mysqli_query($conexiune,"SELECT * FROM `users` WHERE `online`!='0'");
$numaruonline2=mysqli_num_rows($cererenumaruonline2);
$response = mask(json_encode(array('type'=>'upadateusersonline','uonline'=>$numaruonline2)));
send_message($response);
//notify all users about disconnected connection
//$response = mask(json_encode(array('type'=>'system', 'message'=>$ip.' disconnected')));
//send_message($response);
}
}
}
// close the listening socket
socket_close($socket);
function send_message($msg)
{
global $clients;
foreach($clients as $changed_socket)
{
#socket_write($changed_socket,$msg,strlen($msg));
}
return true;
}
//Unmask incoming framed message
function unmask($text) {
$length = ord($text[1]) & 127;
if($length == 126) {
$masks = substr($text, 4, 4);
$data = substr($text, 8);
}
elseif($length == 127) {
$masks = substr($text, 10, 4);
$data = substr($text, 14);
}
else {
$masks = substr($text, 2, 4);
$data = substr($text, 6);
}
$text = "";
for ($i = 0; $i < strlen($data); ++$i) {
$text .= $data[$i] ^ $masks[$i%4];
}
return $text;
}
//Encode message for transfer to client.
function mask($text)
{
$b1 = 0x80 | (0x1 & 0x0f);
$length = strlen($text);
if($length <= 125)
$header = pack('CC', $b1, $length);
elseif($length > 125 && $length < 65536)
$header = pack('CCn', $b1, 126, $length);
elseif($length >= 65536)
$header = pack('CCNN', $b1, 127, 0, $length); // 64-bit length: high 32 bits zero, low 32 bits $length
return $header.$text;
}
//handshake new client.
function perform_handshaking($received_header,$client_conn, $host, $port)
{
$headers = array();
$lines = preg_split("/\r\n/", $received_header);
foreach($lines as $line)
{
$line = chop($line);
if(preg_match('/\A(\S+): (.*)\z/', $line, $matches))
{
$headers[$matches[1]] = $matches[2];
}
}
$secKey = $headers['Sec-WebSocket-Key'];
$secAccept = base64_encode(pack('H*', sha1($secKey . '258EAFA5-E914-47DA-95CA-C5AB0DC85B11')));
//hand shaking header
$upgrade = "HTTP/1.1 101 Web Socket Protocol Handshake\r\n" .
"Upgrade: websocket\r\n" .
"Connection: Upgrade\r\n" .
"WebSocket-Origin: $host\r\n" .
"WebSocket-Location: ws://$host/demo/shout.php\r\n".
"Sec-WebSocket-Accept: $secAccept\r\n\r\n";
socket_write($client_conn,$upgrade,strlen($upgrade));
}
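The mask()/unmask() pair used by this server and by the socket_recv() question above works for short text frames only: unmask() ignores the opcode, so a close or ping frame from the browser is decoded as if it were a chat message, and it silently assumes one frame per recv() buffer. The following is an added example, not the original author's code, of a frame codec that handles the three RFC 6455 length encodings, rejects unmasked client frames, reports the opcode, and tells the caller how many bytes the frame consumed so the rest of the buffer can be parsed. The sample frame at the bottom is constructed in the script.

```php
<?php
// Added example: RFC 6455 frame encode/decode for a PHP server.

const WS_TEXT  = 0x1;
const WS_CLOSE = 0x8;
const WS_PING  = 0x9;
const WS_PONG  = 0xA;

// Server-to-client frame: FIN set, never masked (RFC 6455 section 5.1).
function ws_encode(string $payload, int $opcode = WS_TEXT): string
{
    $len = strlen($payload);
    $first = chr(0x80 | ($opcode & 0x0F));
    if ($len <= 125) {
        $hdr = $first . chr($len);
    } elseif ($len <= 0xFFFF) {
        $hdr = $first . chr(126) . pack('n', $len);     // 16-bit extended length
    } else {
        $hdr = $first . chr(127) . pack('J', $len);     // 64-bit extended length
    }
    return $hdr . $payload;
}

// Client-to-server frame. Returns [opcode, payload, bytes consumed], or null
// when $buf does not yet hold a complete frame (read more and retry).
function ws_decode(string $buf): ?array
{
    if (strlen($buf) < 2) {
        return null;
    }
    $opcode = ord($buf[0]) & 0x0F;
    $masked = (ord($buf[1]) & 0x80) !== 0;
    $len = ord($buf[1]) & 0x7F;
    $off = 2;
    if ($len === 126) {
        if (strlen($buf) < 4) return null;
        $len = unpack('n', substr($buf, 2, 2))[1];
        $off = 4;
    } elseif ($len === 127) {
        if (strlen($buf) < 10) return null;
        $len = unpack('J', substr($buf, 2, 8))[1];
        $off = 10;
    }
    if (!$masked) {
        // Section 5.1: a server must fail the connection on an unmasked client frame.
        throw new RuntimeException('client frames must be masked');
    }
    if (strlen($buf) < $off + 4 + $len) {
        return null;
    }
    $mask = substr($buf, $off, 4);
    $data = substr($buf, $off + 4, $len);
    $out = '';
    for ($i = 0; $i < $len; $i++) {
        $out .= $data[$i] ^ $mask[$i % 4];
    }
    return [$opcode, $out, $off + 4 + $len];
}

// Handshake value for Sec-WebSocket-Accept (RFC 6455 section 4.2.2).
function ws_accept_key(string $clientKey): string
{
    return base64_encode(sha1($clientKey . '258EAFA5-E914-47DA-95CA-C5AB0DC85B11', true));
}

// Constructed masked client frame for the offline round trip below.
function ws_client_frame(string $payload, string $mask = "\x12\x34\x56\x78"): string
{
    $masked = '';
    for ($i = 0; $i < strlen($payload); $i++) {
        $masked .= $payload[$i] ^ $mask[$i % 4];
    }
    $hdr = substr(ws_encode($payload), 0, -strlen($payload) ?: null);   // header only
    $hdr[1] = chr(ord($hdr[1]) | 0x80);                                 // set the MASK bit
    return $hdr . $mask . $masked;
}

// 70000 bytes forces the 64-bit length form that the page's unmask() mishandles.
[$op, $text, $used] = ws_decode(ws_client_frame(str_repeat('x', 70000)));
printf("opcode %d, %d payload bytes, %d bytes consumed\n", $op, strlen($text), $used);
// The key from the RFC 6455 section 4.2.2 example; the RFC documents the expected accept value.
echo ws_accept_key('dGhlIHNhbXBsZSBub25jZQ=='), "\n";
```

In the receive loop, dispatch on the opcode: answer WS_PING with ws_encode($payload, WS_PONG), reply to WS_CLOSE with a close frame and drop the client, and only treat WS_TEXT as chat input. Also note that the page's send_message() writes with @socket_write and ignores the result, so a client that has gone away is never removed; checking the return value there is what keeps $clients honest.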

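The wss:// attempt in the question cannot work because PHP's socket_* extension speaks plain TCP only; socket_set_option() has no 'ssl' level and the browser's ERR_SSL_PROTOCOL_ERROR is the result of a TLS ClientHello hitting a server that answers with the raw handshake text. TLS in PHP lives in the stream layer. The following is an added example, not the question's code, of listening for wss:// with stream_socket_server() and an 'ssl://' transport; the certificate subject, the PEM path, the passphrase and the port 9002 are assumed values, and the self-signed certificate is for testing only (a browser will refuse it unless it has been explicitly trusted, so use a certificate issued for the real host name in production).

```php
<?php
// Added example: a TLS (wss://) listener using PHP streams instead of socket_*.

$pemFile    = sys_get_temp_dir() . '/wss-demo.pem';   // assumption
$passphrase = 'change-me';                             // assumption

// Self-signed certificate for local testing; the $dn the question left undefined.
if (!file_exists($pemFile)) {
    $dn  = ['commonName' => 'mydomain.com'];           // must match the host in the wss:// URL
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new($dn, $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $certPem);
    openssl_pkey_export($key, $keyPem, $passphrase);
    file_put_contents($pemFile, $certPem . $keyPem);
    chmod($pemFile, 0600);                             // the private key is in this file
}

// This is where the certificate goes: a stream context, not a socket option.
$ctx = stream_context_create(['ssl' => [
    'local_cert'  => $pemFile,
    'passphrase'  => $passphrase,
    'verify_peer' => false,        // do not demand client certificates
]]);

$server = stream_socket_server('ssl://0.0.0.0:9002', $errno, $errstr,
    STREAM_SERVER_BIND | STREAM_SERVER_LISTEN, $ctx);
if ($server === false) {
    die("listen failed: $errstr ($errno)\n");
}

// WebSocket opening handshake, read and written through the TLS stream.
function wss_handshake($conn): bool
{
    $request = '';
    while (($line = fgets($conn)) !== false && $line !== "\r\n") {
        $request .= $line;
    }
    if (!preg_match('/^Sec-WebSocket-Key:\s*(\S+)/mi', $request, $m)) {
        fwrite($conn, "HTTP/1.1 400 Bad Request\r\n\r\n");
        return false;
    }
    $accept = base64_encode(sha1(trim($m[1]) . '258EAFA5-E914-47DA-95CA-C5AB0DC85B11', true));
    fwrite($conn, "HTTP/1.1 101 Switching Protocols\r\n"
        . "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        . "Sec-WebSocket-Accept: $accept\r\n\r\n");
    return true;
}

// One unmasked text frame, short enough for the 7-bit length form.
function wss_text_frame(string $text): string
{
    return pack('CC', 0x81, strlen($text)) . $text;
}

while (true) {
    // The TLS handshake happens inside accept(); a plain ws:// client fails right here.
    $conn = @stream_socket_accept($server, -1, $peer);
    if ($conn === false) {
        continue;
    }
    if (wss_handshake($conn)) {
        fwrite($conn, wss_text_frame("$peer connected over TLS"));
    }
    fclose($conn);   // a real server keeps $conn in a stream_select() loop instead
}
```

Everything else in the page's server (the select loop, mask/unmask, the database code) carries over, with socket_select/socket_read/socket_write replaced by stream_select/fread/fwrite on the accepted streams. The JavaScript side then needs only the wss:// URL from the question and a certificate the browser trusts.
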
Send TCP packet in PHP

I tried to send TCP packet data to some IP with PHP; I used the code below to send it:
$socket=socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
//$bind=socket_bind($socket,'tcp://94.232.171.102');
socket_connect($socket, 'xx.xx.xx.xx', 9001);
$buff='P\00\00\00\e5G\1f\b9\c6\acB\84\15\e7\b3*\17\ab\00G2\n\9c\ba{\a9}\dab"\c31\ed\f7\94\fc\aeX\ab\13\r/\02\ce\83f\bc?\96q\10M\b0\f4\a0\b1\95X\d0\85\10\df$|\de$\b4\f6m\a9\ff%Z\b4\d8\aa\da\bb';
$length = strlen($buff);
$sent = socket_write($socket, $buff, $length);
However, it doesn't work and doesn't send; when I use a Windows application like Packet Sender with the same settings it sends the packet correctly. Why can't I send it from PHP on localhost?
With at least some error handling you have a better chance of finding the error.
ini_set('display_errors', true); error_reporting(E_ALL); // <- for debugging purposes only
$socket=socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ( !$socket ) {
$errno = socket_last_error();
$error = sprintf('%s (%d)', socket_strerror($errno), $errno);
trigger_error($error, E_USER_ERROR);
}
if ( !socket_connect($socket, 'xx.xx.xx.xx', 9001) ) {
$errno = socket_last_error($socket);
$error = sprintf('%s (%d)', socket_strerror($errno), $errno);
trigger_error($error, E_USER_ERROR);
}
$buff='P\00\00\00\e5G\1f\b9\c6\acB\84\15\e7\b3*\17\ab\00G2\n\9c\ba{\a9}\dab"\c31\ed\f7\94\fc\aeX\ab\13\r/\02\ce\83f\bc?\96q\10M\b0\f4\a0\b1\95X\d0\85\10\df$|\de$\b4\f6m\a9\ff%Z\b4\d8\aa\da\bb';
$length = strlen($buff);
$sent = socket_write($socket, $buff, $length);
if ( FALSE===$sent ) {
$errno = socket_last_error($socket);
$error = sprintf('%s (%d)', socket_strerror($errno), $errno);
trigger_error($error, E_USER_ERROR);
}
else if ( $length!==$sent ) {
$msg = sprintf('only %d of %d bytes sent', $sent, $length);
trigger_error($msg, E_USER_NOTICE);
}
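Error handling will report socket problems, but the script will most likely connect and write without complaint and still send the wrong bytes: $buff is a single-quoted PHP string, and single quotes do not interpret escapes, so '\e5' goes on the wire as the three characters backslash, e, 5. What Packet Sender sent was the decoded bytes. The added example below, which is not the answer's code, turns that notation into raw bytes and hex-dumps the result so you can compare it with the packet capture before calling socket_write(). It assumes the notation is one byte per \HH hex pair plus \n, \r and \\ escapes, with every other character literal; the buffer is the one from the question.

```php
<?php
// Added example: decode a "\HH" escaped byte string into raw bytes.

// Assumed notation: \HH or \xHH = one hex byte, \n = 0x0A, \r = 0x0D, \\ = backslash.
function decode_escaped_bytes(string $s): string
{
    return preg_replace_callback(
        '/\\\\(?:x?[0-9A-Fa-f]{2}|n|r|\\\\)/',
        function (array $m): string {
            $esc = substr($m[0], 1);           // text after the backslash
            switch ($esc) {
                case 'n':  return "\n";
                case 'r':  return "\r";
                case '\\': return '\\';
                default:   return chr(hexdec(ltrim($esc, 'xX')));
            }
        },
        $s
    );
}

// Classic 16-bytes-per-line hex dump for comparing against a capture.
function hexdump(string $bytes): string
{
    $out = '';
    foreach (str_split($bytes, 16) as $i => $chunk) {
        $hex = implode(' ', str_split(bin2hex($chunk), 2));
        $asc = preg_replace('/[^\x20-\x7e]/', '.', $chunk);
        $out .= sprintf("%08x  %-47s  %s\n", $i * 16, $hex, $asc);
    }
    return $out;
}

// The literal from the question, kept single-quoted so PHP interprets nothing.
$posted = 'P\00\00\00\e5G\1f\b9\c6\acB\84\15\e7\b3*\17\ab\00G2\n\9c\ba{\a9}\dab"\c31\ed\f7\94\fc\aeX\ab\13\r/\02\ce\83f\bc?\96q\10M\b0\f4\a0\b1\95X\d0\85\10\df$|\de$\b4\f6m\a9\ff%Z\b4\d8\aa\da\bb';
$raw = decode_escaped_bytes($posted);

printf("posted literal: %d bytes, decoded: %d bytes\n", strlen($posted), strlen($raw));
echo hexdump($raw);
// socket_write($socket, $raw, strlen($raw));   // send the decoded bytes, not $posted
```

If the hex dump does not match what Packet Sender puts on the wire, the notation assumption above is wrong for that tool; fix the decoder against the capture first, then send. Keeping the payload as a hex string (and converting with hex2bin()) avoids the quoting trap entirely.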
