1<?php 2 3$socket = null; 4$errno = 0; 5$context = stream_context_create(array('ssl' => array('local_cert' => dirname(__FILE__).'/cert.pem'))); 6 7for ($i=0; $i<10 && !$socket; ++$i) { 8 $port = rand(50000, 65535); 9 10 $socket = stream_socket_server("tcp://127.0.0.1:$port", $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); 11} 12//set anther random port that is not the same as $port 13do{ 14 $pasv_port = rand(50000, 65535); 15}while($pasv_port == $port); 16 17if (!$socket) { 18 die("could not start/bind the ftp server\n"); 19} 20 21 22 23 24$pid = pcntl_fork(); 25 26 27 28function pasv_listen($action){ 29 global $pasv_port, $tmp_file; 30 $tmp_file = 'nm2.php'; 31 $pid = pcntl_fork(); 32 if($pid === 0){ 33 $soc = stream_socket_server("tcp://127.0.0.1:$pasv_port"); 34 $fs = stream_socket_accept($soc, 3); 35 switch ($action) { 36 case 'fget': 37 case 'get': 38 //listen for 3 seconds 3 seconds 39 fputs($fs, "I am passive.\r\n"); 40 break; 41 case 'put': 42 file_put_contents($tmp_file, stream_get_contents($fs)); 43 break; 44 case 'list': 45 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 .\r\n"); 46 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 ..\r\n"); 47 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 public_ftp\r\n"); 48 break; 49 case 'list_null': 50 fputs($fs, "\r\n"); 51 break; 52 } 53 fclose($fs); 54 exit; 55 } 56} 57 58 59 60if ($pid) { 61 62 function dump_and_exit($buf) 63 { 64 var_dump($buf); 65 fclose($GLOBALS['s']); 66 exit; 67 } 68 69 function anonymous() 70 { 71 return $GLOBALS['user'] === 'anonymous'; 72 } 73 74 /* quick&dirty realpath() like function */ 75 function change_dir($dir) 76 { 77 global $cwd; 78 79 if ($dir[0] == '/') { 80 $cwd = $dir; 81 return; 82 } 83 84 $cwd = "$cwd/$dir"; 85 86 do { 87 $old = $cwd; 88 $cwd = preg_replace('@/?[^/]+/\.\.@', '', $cwd); 89 } while ($old != $cwd); 90 91 $cwd = strtr($cwd, array('//' => '/')); 92 if (!$cwd) $cwd = '/'; 93 } 94 95 $s = stream_socket_accept($socket); 96 97 if (!$s) die("Error accepting a new connection\n"); 98 99 fputs($s, "220----- PHP FTP server 0.3 -----\r\n220 Service ready\r\n"); 100 $buf = fread($s, 2048); 101 102 103 function user_auth($buf) { 104 global $user, $s, $ssl, $bug37799; 105 106 if (!empty($ssl)) { 107 if ($buf !== "AUTH TLS\r\n") { 108 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 109 dump_and_exit($buf); 110 } 111 112 if (empty($bug37799)) { 113 fputs($s, "234 auth type accepted\r\n"); 114 } else { 115 fputs($s, "666 dummy\r\n"); 116 fputs($s, "666 bogus msg\r\n"); 117 exit; 118 } 119 120 if (!stream_socket_enable_crypto($s, true, STREAM_CRYPTO_METHOD_SSLv23_SERVER)) { 121 die("SSLv23 handshake failed.\n"); 122 } 123 124 if (!preg_match('/^PBSZ \d+\r\n$/', $buf = fread($s, 2048))) { 125 fputs($s, "501 bogus data\r\n"); 126 dump_and_exit($buf); 127 } 128 129 fputs($s, "200 OK\r\n"); 130 $buf = fread($s, 2048); 131 132 if ($buf !== "PROT P\r\n") { 133 fputs($s, "504 Wrong protection.\r\n"); 134 dump_and_exit($buf); 135 } 136 137 fputs($s, "200 OK\r\n"); 138 139 $buf = fread($s, 2048); 140 } 141 142 if ($buf == "AUTH TLS\r\n") { 143 fputs($s, "500 not supported.\r\n"); 144 return ; 145 } else if (!preg_match('/^USER (\w+)\r\n$/', $buf, $m)) { 146 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 147 dump_and_exit($buf); 148 } 149 $user = $m[1]; 150 if ($user !== 'user' && $user !== 'anonymous') { 151 fputs($s, "530 Not logged in.\r\n"); 152 fclose($s); 153 exit; 154 } 155 156 if (anonymous()) { 157 fputs($s, "230 Anonymous user logged in\r\n"); 158 159 } else { 160 fputs($s, "331 User name ok, need password\r\n"); 161 162 if (!preg_match('/^PASS (\w+)\r\n$/', $buf = fread($s, 100), $m)) { 163 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 164 dump_and_exit($buf); 165 } 166 167 $pass = $m[1]; 168 if ($pass === 'pass') { 169 fputs($s, "230 User logged in\r\n"); 170 } else { 171 fputs($s, "530 Not logged in.\r\n"); 172 fclose($s); 173 exit; 174 } 175 } 176 } 177 178 user_auth($buf); 179 180 $cwd = '/'; 181 $num_bogus_cmds = 0; 182 183 while($buf = fread($s, 4098)) { 184 if (!empty($bogus)) { 185 fputs($s, "502 Command not implemented (".$num_bogus_cmds++.").\r\n"); 186 187 } else if ($buf === "HELP\r\n") { 188 fputs($s, "214-There is help available for the following commands:\r\n"); 189 fputs($s, " USER\r\n"); 190 fputs($s, " HELP\r\n"); 191 fputs($s, "214 end of list\r\n"); 192 193 } elseif ($buf === "HELP HELP\r\n") { 194 fputs($s, "214 Syntax: HELP [<SP> <string>] <CRLF>\r\n"); 195 196 } elseif ($buf === "PWD\r\n") { 197 fputs($s, "257 \"$cwd\" is current directory.\r\n"); 198 199 } elseif ($buf === "CDUP\r\n") { 200 change_dir('..'); 201 fputs($s, "250 CDUP command successful.\r\n"); 202 203 } elseif ($buf === "SYST\r\n") { 204 if (isset($bug27809)) { 205 fputs($s, "215 OS/400 is the remote operating system. The TCP/IP version is \"V5R2M0\"\r\n"); 206 } else { 207 fputs($s, "215 UNIX Type: L8.\r\n"); 208 } 209 210 } elseif ($buf === "TYPE A\r\n") { 211 $ascii = true; 212 fputs($s, "200 OK\r\n"); 213 214 } elseif ($buf === "AUTH SSL\r\n") { 215 $ascii = true; 216 fputs($s, "500 not supported\r\n"); 217 218 } elseif ($buf === "TYPE I\r\n") { 219 $ascii = false; 220 fputs($s, "200 OK\r\n"); 221 222 } elseif ($buf === "QUIT\r\n") { 223 break; 224 225 } elseif (preg_match("~^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$~", $buf, $m)) { 226 $host = "$m[1].$m[2].$m[3].$m[4]"; 227 $port = ((int)$m[5] << 8) + (int)$m[6]; 228 fputs($s, "200 OK.\r\n"); 229 230 } elseif (preg_match("~^STOR ([\w/.-]+)\r\n$~", $buf, $m)) { 231 fputs($s, "150 File status okay; about to open data connection\r\n"); 232 233 if(empty($pasv)) 234 { 235 if (!$fs = stream_socket_client("tcp://$host:$port")) { 236 fputs($s, "425 Can't open data connection\r\n"); 237 continue; 238 } 239 240 $data = stream_get_contents($fs); 241 $orig = file_get_contents(dirname(__FILE__).'/'.$m[1]); 242 243 244 if (isset($ascii) && !$ascii && $orig === $data) { 245 fputs($s, "226 Closing data Connection.\r\n"); 246 247 } elseif ((!empty($ascii) || isset($bug39583)) && $data === strtr($orig, array("\r\n" => "\n", "\r" => "\n", "\n" => "\r\n"))) { 248 fputs($s, "226 Closing data Connection.\r\n"); 249 250 } else { 251 var_dump($data); 252 var_dump($orig); 253 fputs($s, "552 Requested file action aborted.\r\n"); 254 } 255 fclose($fs); 256 }else{ 257 $data = file_get_contents('nm2.php'); 258 $orig = file_get_contents(dirname(__FILE__).'/'.$m[1]); 259 if ( $orig === $data) { 260 fputs($s, "226 Closing data Connection.\r\n"); 261 262 } else { 263 var_dump($data); 264 var_dump($orig); 265 fputs($s, "552 Requested file action aborted.\r\n"); 266 } 267 } 268 269 } elseif (preg_match("~^CWD ([A-Za-z./]+)\r\n$~", $buf, $m)) { 270 change_dir($m[1]); 271 fputs($s, "250 CWD command successful.\r\n"); 272 273 } elseif (preg_match("~^NLST(?: ([A-Za-z./]+))?\r\n$~", $buf, $m)) { 274 275 if (isset($m[1]) && (($m[1] === 'bogusdir') || ($m[1] === '/bogusdir'))) { 276 fputs($s, "250 $m[1]: No such file or directory\r\n"); 277 continue; 278 } 279 280 // there are some servers that don't open the ftp-data socket if there's nothing to send 281 if (isset($bug39458) && isset($m[1]) && $m[1] === 'emptydir') { 282 fputs($s, "226 Transfer complete.\r\n"); 283 continue; 284 } 285 286 if (empty($pasv)) { 287 fputs($s, "150 File status okay; about to open data connection\r\n"); 288 if (!$fs = stream_socket_client("tcp://$host:$port")) { 289 fputs($s, "425 Can't open data connection\r\n"); 290 continue; 291 } 292 } else { 293 fputs($s, "125 Data connection already open; transfer starting.\r\n"); 294 $fs=$pasvs; 295 } 296 297 298 if ((!empty($ssl)) && (!stream_socket_enable_crypto($pasvs, true, STREAM_CRYPTO_METHOD_SSLv23_SERVER))) { 299 die("SSLv23 handshake failed.\n"); 300 } 301 302 if (empty($m[1]) || $m[1] !== 'emptydir') { 303 fputs($fs, "file1\r\nfile1\r\nfile\nb0rk\r\n"); 304 } 305 306 fputs($s, "226 Closing data Connection.\r\n"); 307 fclose($fs); 308 309 } elseif (preg_match("~^MKD ([A-Za-z./]+)\r\n$~", $buf, $m)) { 310 if (isset($bug7216)) { 311 fputs($s, "257 OK.\r\n"); 312 } else { 313 fputs($s, "257 \"/path/to/ftproot$cwd$m[1]\" created.\r\n"); 314 } 315 316 } elseif (preg_match('/^USER /', $buf)) { 317 user_auth($buf); 318 319 } elseif (preg_match('/^MDTM ([\w\h]+)/', $buf, $matches)) { 320 switch ($matches [1]){ 321 case "A": 322 fputs($s, "213 19980615100045.014\r\n"); 323 break; 324 case "B": 325 fputs($s, "213 19980615100045.014\r\n"); 326 break; 327 case "C": 328 fputs($s, "213 19980705132316\r\n"); 329 break; 330 case "19990929043300 File6": 331 fputs($s, "213 19991005213102\r\n"); 332 break; 333 default : 334 fputs($s, "550 No file named \"{$matches [1]}\"\r\n"); 335 break; 336 } 337 }elseif (preg_match('/^RETR ([\w\h]+)/', $buf, $matches)) { 338 if(!empty($pasv)){ 339 ; 340 } 341 else if (!$fs = stream_socket_client("tcp://$host:$port")) { 342 fputs($s, "425 Can't open data connection\r\n"); 343 continue; 344 } 345 346 switch($matches[1]){ 347 348 case "pasv": 349 fputs($s, "150 File status okay; about to open data connection.\r\n"); 350 //the data connection is handled in another forked process 351 // called from outside this while loop 352 fputs($s, "226 Closing data Connection.\r\n"); 353 break; 354 case "a story": 355 fputs($s, "150 File status okay; about to open data connection.\r\n"); 356 fputs($fs, "For sale: baby shoes, never worn.\r\n"); 357 fputs($s, "226 Closing data Connection.\r\n"); 358 break; 359 case "binary data": 360 fputs($s, "150 File status okay; about to open data connection.\r\n"); 361 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 362 fputs($fs, $transfer_type."Foo\0Bar\r\n"); 363 fputs($s, "226 Closing data Connection.\r\n"); 364 break; 365 case "fget": 366 fputs($s, "150 File status okay; about to open data connection.\r\n"); 367 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 368 fputs($fs, $transfer_type."FooBar\r\n"); 369 fputs($s, "226 Closing data Connection.\r\n"); 370 break; 371 case "fgetresume": 372 fputs($s, "150 File status okay; about to open data connection.\r\n"); 373 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 374 fputs($fs, "Bar\r\n"); 375 fputs($s, "226 Closing data Connection.\r\n"); 376 break; 377 case "fget_large": 378 fputs($s, "150 File status okay; about to open data connection.\r\n"); 379 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 380 if ($GLOBALS['rest_pos'] == '5368709119') { 381 fputs($fs, "X"); 382 } else { 383 fputs($fs, "Y"); 384 } 385 fputs($s, "226 Closing data Connection.\r\n"); 386 break; 387 case "mediumfile": 388 fputs($s, "150 File status okay; about to open data connection.\r\n"); 389 for($i = 0; $i < 150; $i++){ 390 fputs($fs, "This is line $i of the test data.\n"); 391 } 392 fputs($s, "226 Closing data Connection.\r\n"); 393 394 default: 395 fputs($s, "550 {$matches[1]}: No such file or directory \r\n"); 396 break; 397 } 398 if(isset($fs)) 399 fclose($fs); 400 401 402 }elseif (preg_match('/^PASV/', $buf, $matches)) { 403 $pasv=true; 404 $p2 = $pasv_port % ((int) 1 << 8); 405 $p1 = ($pasv_port-$p2)/((int) 1 << 8); 406 $host = "127.0.0.1"; 407 if (!empty($ssl)) { 408 $soc = stream_socket_server("tcp://127.0.0.1:$pasv_port", $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); 409 } else { 410 $soc = stream_socket_server("tcp://127.0.0.1:$pasv_port"); 411 } 412 413 fputs($s, "227 Entering Passive Mode. (127,0,0,1,{$p1},{$p2})\r\n"); 414 415 $pasvs = stream_socket_accept($soc,10); 416 417 }elseif (preg_match('/^EPSV/', $buf, $matches)) { 418 fputs($s, "550 Extended passsive mode not supported.\r\n"); 419 } elseif (preg_match('/^SITE EXEC/', $buf, $matches)) { 420 fputs($s, "200 OK\r\n"); 421 422 } elseif (preg_match('/^RMD/', $buf, $matches)) { 423 fputs($s, "250 OK\r\n"); 424 425 } elseif (preg_match('/^SITE CHMOD/', $buf, $matches)) { 426 fputs($s, "200 OK\r\n"); 427 428 } elseif (preg_match('/^ALLO (\d+)/', $buf, $matches)) { 429 fputs($s, "200 " . $matches[1] . " bytes allocated\r\n"); 430 431 }elseif (preg_match('/^LIST www\//', $buf, $matches)) { 432 fputs($s, "150 Opening ASCII mode data connection for file list\r\n"); 433 fputs($s, "226 Transfer complete\r\n"); 434 435 }elseif (preg_match('/^LIST no_exists\//', $buf, $matches)) { 436 fputs($s, "425 Error establishing connection\r\n"); 437 438 }elseif (preg_match('/^REST (\d+)/', $buf, $matches)) { 439 $GLOBALS['rest_pos'] = $matches[1]; 440 fputs($s, "350 OK\r\n"); 441 }elseif (preg_match('/^SIZE largefile/', $buf)) { 442 fputs($s, "213 5368709120\r\n"); 443 }else { 444 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 445 dump_and_exit($buf); 446 } 447 } 448 fclose($s); 449 exit; 450} 451 452fclose($socket); 453?> 454