1<?php 2 3$socket = null; 4$errno = 0; 5$context = stream_context_create(array('ssl' => array('local_cert' => dirname(__FILE__).'/cert.pem'))); 6 7for ($i=0; $i<10 && !$socket; ++$i) { 8 $port = rand(50000, 65535); 9 10 $socket = @stream_socket_server("tcp://127.0.0.1:$port", $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); 11} 12//set anther random port that is not the same as $port 13do{ 14 $pasv_port = rand(50000, 65535); 15}while($pasv_port == $port); 16 17if (!$socket) { 18 echo "$errstr ($errno)\n"; 19 die("could not start/bind the ftp server\n"); 20} 21 22$pid = pcntl_fork(); 23 24function pasv_listen($action){ 25 global $pasv_port, $tmp_file; 26 $tmp_file = 'nm2.php'; 27 $pid = pcntl_fork(); 28 if($pid === 0){ 29 $soc = stream_socket_server("tcp://127.0.0.1:$pasv_port"); 30 $fs = stream_socket_accept($soc, 3); 31 switch ($action) { 32 case 'fget': 33 case 'get': 34 //listen for 3 seconds 3 seconds 35 fputs($fs, "I am passive.\r\n"); 36 break; 37 case 'put': 38 file_put_contents($tmp_file, stream_get_contents($fs)); 39 break; 40 case 'list': 41 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 .\r\n"); 42 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 ..\r\n"); 43 fputs($fs, "drwxr-x--- 3 owner group 4096 Jul 12 12:16 public_ftp\r\n"); 44 break; 45 case 'list_null': 46 fputs($fs, "\r\n"); 47 break; 48 } 49 fclose($fs); 50 exit; 51 } 52} 53 54if ($pid) { 55 56 function dump_and_exit($buf) 57 { 58 var_dump($buf); 59 fclose($GLOBALS['s']); 60 exit; 61 } 62 63 function anonymous() 64 { 65 return $GLOBALS['user'] === 'anonymous'; 66 } 67 68 /* quick&dirty realpath() like function */ 69 function change_dir($dir) 70 { 71 global $cwd; 72 73 if ($dir[0] == '/') { 74 $cwd = $dir; 75 return; 76 } 77 78 $cwd = "$cwd/$dir"; 79 80 do { 81 $old = $cwd; 82 $cwd = preg_replace('@/?[^/]+/\.\.@', '', $cwd); 83 } while ($old != $cwd); 84 85 $cwd = strtr($cwd, array('//' => '/')); 86 if (!$cwd) $cwd = '/'; 87 } 88 89 $s = stream_socket_accept($socket); 90 91 if (!$s) die("Error accepting a new connection\n"); 92 93 fputs($s, "220----- PHP FTP server 0.3 -----\r\n220 Service ready\r\n"); 94 $buf = fread($s, 2048); 95 96 97 function user_auth($buf) { 98 global $user, $s, $ssl, $bug37799; 99 100 if (!empty($ssl)) { 101 if ($buf !== "AUTH TLS\r\n") { 102 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 103 dump_and_exit($buf); 104 } 105 106 if (empty($bug37799)) { 107 fputs($s, "234 auth type accepted\r\n"); 108 } else { 109 fputs($s, "666 dummy\r\n"); 110 sleep(1); 111 fputs($s, "666 bogus msg\r\n"); 112 exit; 113 } 114 115 if (!stream_socket_enable_crypto($s, true, STREAM_CRYPTO_METHOD_SSLv23_SERVER)) { 116 die("SSLv23 handshake failed.\n"); 117 } 118 119 if (!preg_match('/^PBSZ \d+\r\n$/', $buf = fread($s, 2048))) { 120 fputs($s, "501 bogus data\r\n"); 121 dump_and_exit($buf); 122 } 123 124 fputs($s, "200 OK\r\n"); 125 $buf = fread($s, 2048); 126 127 if ($buf !== "PROT P\r\n") { 128 fputs($s, "504 Wrong protection.\r\n"); 129 dump_and_exit($buf); 130 } 131 132 fputs($s, "200 OK\r\n"); 133 134 $buf = fread($s, 2048); 135 } 136 137 if ($buf == "AUTH TLS\r\n") { 138 fputs($s, "500 not supported.\r\n"); 139 return ; 140 } else if (!preg_match('/^USER (\w+)\r\n$/', $buf, $m)) { 141 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 142 dump_and_exit($buf); 143 } 144 $user = $m[1]; 145 if ($user !== 'user' && $user !== 'anonymous') { 146 fputs($s, "530 Not logged in.\r\n"); 147 fclose($s); 148 exit; 149 } 150 151 if (anonymous()) { 152 fputs($s, "230 Anonymous user logged in\r\n"); 153 154 } else { 155 fputs($s, "331 User name ok, need password\r\n"); 156 157 if (!preg_match('/^PASS (\w+)\r\n$/', $buf = fread($s, 100), $m)) { 158 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 159 dump_and_exit($buf); 160 } 161 162 $pass = $m[1]; 163 if ($pass === 'pass') { 164 fputs($s, "230 User logged in\r\n"); 165 } else { 166 fputs($s, "530 Not logged in.\r\n"); 167 fclose($s); 168 exit; 169 } 170 } 171 } 172 173 user_auth($buf); 174 175 $cwd = '/'; 176 $num_bogus_cmds = 0; 177 178 while($buf = fread($s, 4098)) { 179 if (!empty($bogus)) { 180 fputs($s, "502 Command not implemented (".$num_bogus_cmds++.").\r\n"); 181 182 } else if ($buf === "HELP\r\n") { 183 fputs($s, "214-There is help available for the following commands:\r\n"); 184 fputs($s, " USER\r\n"); 185 fputs($s, " HELP\r\n"); 186 fputs($s, "214 end of list\r\n"); 187 188 } elseif ($buf === "HELP HELP\r\n") { 189 fputs($s, "214 Syntax: HELP [<SP> <string>] <CRLF>\r\n"); 190 191 } elseif ($buf === "PWD\r\n") { 192 fputs($s, "257 \"$cwd\" is current directory.\r\n"); 193 194 } elseif ($buf === "CDUP\r\n") { 195 change_dir('..'); 196 fputs($s, "250 CDUP command successful.\r\n"); 197 198 } elseif ($buf === "SYST\r\n") { 199 if (isset($bug27809)) { 200 fputs($s, "215 OS/400 is the remote operating system. The TCP/IP version is \"V5R2M0\"\r\n"); 201 } elseif (isset($bug79100)) { 202 // do nothing so test hits timeout 203 } elseif (isset($bug80901)) { 204 fputs($s, "\r\n" . str_repeat("*", 4096) . "\r\n"); 205 } else { 206 fputs($s, "215 UNIX Type: L8.\r\n"); 207 } 208 209 } elseif ($buf === "TYPE A\r\n") { 210 $ascii = true; 211 fputs($s, "200 OK\r\n"); 212 213 } elseif ($buf === "AUTH SSL\r\n") { 214 $ascii = true; 215 fputs($s, "500 not supported\r\n"); 216 217 } elseif ($buf === "TYPE I\r\n") { 218 $ascii = false; 219 fputs($s, "200 OK\r\n"); 220 221 } elseif ($buf === "QUIT\r\n") { 222 break; 223 224 } elseif (preg_match("~^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$~", $buf, $m)) { 225 $host = "$m[1].$m[2].$m[3].$m[4]"; 226 $port = ((int)$m[5] << 8) + (int)$m[6]; 227 fputs($s, "200 OK.\r\n"); 228 229 } elseif (preg_match("~^STOR ([\w/.-]+)\r\n$~", $buf, $m)) { 230 fputs($s, "150 File status okay; about to open data connection\r\n"); 231 232 if(empty($pasv)) 233 { 234 if (!$fs = stream_socket_client("tcp://$host:$port")) { 235 fputs($s, "425 Can't open data connection\r\n"); 236 continue; 237 } 238 239 $data = stream_get_contents($fs); 240 $orig = file_get_contents(dirname(__FILE__).'/'.$m[1]); 241 242 243 if (isset($ascii) && !$ascii && $orig === $data) { 244 fputs($s, "226 Closing data Connection.\r\n"); 245 246 } elseif ((!empty($ascii) || isset($bug39583)) && $data === strtr($orig, array("\r\n" => "\n", "\r" => "\n", "\n" => "\r\n"))) { 247 fputs($s, "226 Closing data Connection.\r\n"); 248 249 } else { 250 var_dump($data); 251 var_dump($orig); 252 fputs($s, "552 Requested file action aborted.\r\n"); 253 } 254 fclose($fs); 255 }else{ 256 $data = file_get_contents('nm2.php'); 257 $orig = file_get_contents(dirname(__FILE__).'/'.$m[1]); 258 if ( $orig === $data) { 259 fputs($s, "226 Closing data Connection.\r\n"); 260 261 } else { 262 var_dump($data); 263 var_dump($orig); 264 fputs($s, "552 Requested file action aborted.\r\n"); 265 } 266 } 267 268 } elseif (preg_match("~^APPE ([\w/.-]+)\r\n$~", $buf, $m)) { 269 fputs($s, "150 File status okay; about to open data connection\r\n"); 270 271 if(empty($pasv)) 272 { 273 if (!$fs = stream_socket_client("tcp://$host:$port")) { 274 fputs($s, "425 Can't open data connection\r\n"); 275 continue; 276 } 277 278 $data = stream_get_contents($fs); 279 file_put_contents(__DIR__.'/'.$m[1], $data, FILE_APPEND); 280 fputs($s, "226 Closing data Connection.\r\n"); 281 fclose($fs); 282 }else{ 283 $data = stream_get_contents($fs); 284 file_put_contents(__DIR__.'/'.$m[1], $data, FILE_APPEND); 285 fputs($s, "226 Closing data Connection.\r\n"); 286 fclose($fs); 287 } 288 289 }elseif (preg_match("~^CWD ([A-Za-z./]+)\r\n$~", $buf, $m)) { 290 if (isset($bug77680)) { 291 fputs($s, "550 Directory change to $m[1] failed: file does not exist\r\n"); 292 var_dump($buf); 293 } else { 294 change_dir($m[1]); 295 fputs($s, "250 CWD command successful.\r\n"); 296 } 297 298 } elseif (preg_match("~^NLST(?: ([A-Za-z./]+))?\r\n$~", $buf, $m)) { 299 300 if (isset($m[1]) && (($m[1] === 'bogusdir') || ($m[1] === '/bogusdir'))) { 301 fputs($s, "250 $m[1]: No such file or directory\r\n"); 302 continue; 303 } 304 305 // there are some servers that don't open the ftp-data socket if there's nothing to send 306 if (isset($bug39458) && isset($m[1]) && $m[1] === 'emptydir') { 307 fputs($s, "226 Transfer complete.\r\n"); 308 continue; 309 } 310 311 if (empty($pasv)) { 312 fputs($s, "150 File status okay; about to open data connection\r\n"); 313 if (!$fs = stream_socket_client("tcp://$host:$port")) { 314 fputs($s, "425 Can't open data connection\r\n"); 315 continue; 316 } 317 } else { 318 fputs($s, "125 Data connection already open; transfer starting.\r\n"); 319 $fs=$pasvs; 320 } 321 322 323 if ((!empty($ssl)) && (!stream_socket_enable_crypto($pasvs, true, STREAM_CRYPTO_METHOD_SSLv23_SERVER))) { 324 die("SSLv23 handshake failed.\n"); 325 } 326 327 if (empty($m[1]) || $m[1] !== 'emptydir') { 328 fputs($fs, "file1\r\nfile1\r\nfile\nb0rk\r\n"); 329 } 330 331 fputs($s, "226 Closing data Connection.\r\n"); 332 fclose($fs); 333 334 } elseif (preg_match("~^MKD ([A-Za-z./]+)\r\n$~", $buf, $m)) { 335 if (isset($bug7216)) { 336 fputs($s, "257 OK.\r\n"); 337 } else { 338 if (isset($bug77680)) { 339 var_dump($buf); 340 } 341 fputs($s, "257 \"/path/to/ftproot$cwd$m[1]\" created.\r\n"); 342 } 343 344 } elseif (preg_match('/^USER /', $buf)) { 345 user_auth($buf); 346 347 } elseif (preg_match('/^MDTM ([\w\h]+)/', $buf, $matches)) { 348 switch ($matches [1]){ 349 case "A": 350 fputs($s, "213 19980615100045.014\r\n"); 351 break; 352 case "B": 353 fputs($s, "213 19980615100045.014\r\n"); 354 break; 355 case "C": 356 fputs($s, "213 19980705132316\r\n"); 357 break; 358 case "19990929043300 File6": 359 fputs($s, "213 19991005213102\r\n"); 360 break; 361 default : 362 fputs($s, "550 No file named \"{$matches [1]}\"\r\n"); 363 break; 364 } 365 }elseif (preg_match('/^RETR ([\/]*[\w\h]+)/', $buf, $matches)) { 366 if(!empty($pasv)){ 367 ; 368 } 369 else if (!$fs = stream_socket_client("tcp://$host:$port")) { 370 fputs($s, "425 Can't open data connection\r\n"); 371 continue; 372 } 373 374 switch($matches[1]){ 375 376 case "pasv": 377 fputs($s, "150 File status okay; about to open data connection.\r\n"); 378 //the data connection is handled in another forked process 379 // called from outside this while loop 380 fputs($s, "226 Closing data Connection.\r\n"); 381 break; 382 case "a story": 383 fputs($s, "150 File status okay; about to open data connection.\r\n"); 384 fputs($fs, "For sale: baby shoes, never worn.\r\n"); 385 fputs($s, "226 Closing data Connection.\r\n"); 386 break; 387 case "binary data": 388 fputs($s, "150 File status okay; about to open data connection.\r\n"); 389 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 390 fputs($fs, $transfer_type."Foo\0Bar\r\n"); 391 fputs($s, "226 Closing data Connection.\r\n"); 392 break; 393 case "fget": 394 fputs($s, "150 File status okay; about to open data connection.\r\n"); 395 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 396 fputs($fs, $transfer_type."FooBar\r\n"); 397 fputs($s, "226 Closing data Connection.\r\n"); 398 break; 399 case "fgetresume": 400 fputs($s, "150 File status okay; about to open data connection.\r\n"); 401 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 402 fputs($fs, "Bar\r\n"); 403 fputs($s, "226 Closing data Connection.\r\n"); 404 break; 405 case "fget_large": 406 fputs($s, "150 File status okay; about to open data connection.\r\n"); 407 $transfer_type = $ascii? 'ASCII' : 'BINARY' ; 408 if ($GLOBALS['rest_pos'] == '5368709119') { 409 fputs($fs, "X"); 410 } else { 411 fputs($fs, "Y"); 412 } 413 fputs($s, "226 Closing data Connection.\r\n"); 414 break; 415 case "mediumfile": 416 fputs($s, "150 File status okay; about to open data connection.\r\n"); 417 for($i = 0; $i < 150; $i++){ 418 fputs($fs, "This is line $i of the test data.\n"); 419 } 420 fputs($s, "226 Closing data Connection.\r\n"); 421 break; 422 case "/bug73457": 423 fputs($s, "150 File status okay; about to open data connection.\r\n"); 424 break; 425 426 default: 427 fputs($s, "550 {$matches[1]}: No such file or directory \r\n"); 428 break; 429 } 430 if(isset($fs)) 431 fclose($fs); 432 433 434 }elseif (preg_match('/^PASV/', $buf, $matches)) { 435 $pasv=true; 436 $host = "127.0.0.1"; 437 $i=0; 438 439 if (empty($bug73457)) { 440 do { 441 if (!empty($ssl)) { 442 $soc = @stream_socket_server("tcp://127.0.0.1:$pasv_port", $errno, $errstr, STREAM_SERVER_BIND|STREAM_SERVER_LISTEN, $context); 443 } else { 444 $soc = @stream_socket_server("tcp://127.0.0.1:$pasv_port"); 445 } 446 /* Could bind port, Try another port */ 447 if (!$soc) { 448 $pasv_port = rand(50000, 65535); 449 } 450 $i++; 451 } while ($i<10 && !$soc); 452 453 if (!$soc) { 454 echo "$errstr ($errno)\n"; 455 die("could not bind passive port\n"); 456 } 457 } else { 458 $pasv_port=1234; 459 } 460 461 $p2 = $pasv_port % ((int) 1 << 8); 462 $p1 = ($pasv_port-$p2)/((int) 1 << 8); 463 fputs($s, "227 Entering Passive Mode. (127,0,0,1,{$p1},{$p2})\r\n"); 464 465 if (empty($bug73457)) { 466 $pasvs = stream_socket_accept($soc,10); 467 } 468 469 } elseif (preg_match('/^EPSV/', $buf, $matches)) { 470 fputs($s, "550 Extended passsive mode not supported.\r\n"); 471 } elseif (preg_match('/^SITE EXEC/', $buf, $matches)) { 472 fputs($s, "200 OK\r\n"); 473 474 } elseif (preg_match('/^RMD/', $buf, $matches)) { 475 fputs($s, "250 OK\r\n"); 476 477 } elseif (preg_match('/^SITE CHMOD/', $buf, $matches)) { 478 fputs($s, "200 OK\r\n"); 479 480 } elseif (preg_match('/^DELE ([\w\h]+)/', $buf, $matches)) { 481 if (isset($matches[1]) && in_array($matches[1], ['file1', "file\nb0rk"])){ 482 fputs($s, "250 Delete successful\r\n"); 483 } else { 484 fputs($s, "550 No such file or directory\r\n"); 485 } 486 } elseif (preg_match('/^ALLO (\d+)/', $buf, $matches)) { 487 fputs($s, "200 " . $matches[1] . " bytes allocated\r\n"); 488 489 }elseif (preg_match('/^LIST www\//', $buf, $matches)) { 490 fputs($s, "226 Transfer complete\r\n"); 491 492 }elseif (preg_match('/^LIST no_exists\//', $buf, $matches)) { 493 fputs($s, "425 Error establishing connection\r\n"); 494 495 }elseif (preg_match('/^REST (\d+)/', $buf, $matches)) { 496 $GLOBALS['rest_pos'] = $matches[1]; 497 fputs($s, "350 OK\r\n"); 498 }elseif (preg_match('/^SIZE largefile/', $buf)) { 499 fputs($s, "213 5368709120\r\n"); 500 }elseif (preg_match('/^RNFR existing_file/', $buf, $matches)) { 501 fputs($s, "350 File or directory exists, ready for destination name\r\n"); 502 }elseif (preg_match('/^RNFR nonexisting_file/', $buf, $matches)) { 503 fputs($s, "550 No such file or directory\r\n"); 504 }elseif (preg_match('/^RNTO nonexisting_file/', $buf, $matches)) { 505 fputs($s, "250 Rename successful\r\n"); 506 }elseif (preg_match('/^MLSD no_exists\//', $buf, $matches)) { 507 fputs($s, "425 Error establishing connection\r\n"); 508 }elseif (preg_match("~^MLSD(?: ([A-Za-z./]+))?\r\n$~", $buf, $m)) { 509 510 if(isset($m[1]) && (($m[1] === 'bogusdir') || ($m[1] === '/bogusdir'))) { 511 fputs($s, "250 $m[1]: No such file or directory\r\n"); 512 continue; 513 } 514 515 // there are some servers that don't open the ftp-data socket if there's nothing to send 516 if(isset($bug39458) && isset($m[1]) && $m[1] === 'emptydir') { 517 fputs($s, "226 Transfer complete.\r\n"); 518 continue; 519 } 520 521 if(empty($pasv)) { 522 fputs($s, "150 File status okay; about to open data connection\r\n"); 523 if(!$fs = stream_socket_client("tcp://$host:$port")) { 524 fputs($s, "425 Can't open data connection\r\n"); 525 continue; 526 } 527 } else { 528 fputs($s, "125 Data connection already open; transfer starting.\r\n"); 529 $fs = $pasvs; 530 } 531 532 if((!empty($ssl)) && (!stream_socket_enable_crypto($pasvs, TRUE, STREAM_CRYPTO_METHOD_SSLv23_SERVER))) { 533 die("SSLv23 handshake failed.\n"); 534 } 535 536 if(empty($m[1]) || $m[1] !== 'emptydir') { 537 fputs($fs, "modify=20170127230002;perm=flcdmpe;type=cdir;unique=811U4340002;UNIX.group=33;UNIX.mode=0755;UNIX.owner=33; .\r\n"); 538 fputs($fs, "modify=20170127230002;perm=flcdmpe;type=pdir;unique=811U4340002;UNIX.group=33;UNIX.mode=0755;UNIX.owner=33; ..\r\n"); 539 fputs($fs, "modify=20170126121225;perm=adfrw;size=4729;type=file;unique=811U4340CB9;UNIX.group=33;UNIX.mode=0644;UNIX.owner=33; foobar\r\n"); 540 fputs($fs, "fact=val=ue;empty=; path;name\r\n"); 541 fputs($fs, "no_space\r\n"); 542 fputs($fs, "no_semi pathname\r\n"); 543 fputs($fs, "no_eq; pathname\r\n"); 544 } 545 546 fputs($s, "226 Closing data Connection.\r\n"); 547 fclose($fs); 548 }elseif (preg_match('/^SIZE \/bug73457/', $buf)) { 549 fputs($s, "213 10\r\n"); 550 }elseif (preg_match("/^SITE/", $buf)) { 551 fputs($s, "500 Syntax error, command unrecognized.\r\n"); 552 }else { 553 dump_and_exit($buf); 554 } 555 } 556 fclose($s); 557 exit; 558} 559 560fclose($socket); 561?> 562
