zerofox-oss / phishpond

Because phishtank was taken.. explore phishing kits in a contained environment!
BSD 3-Clause Clear License

HTTP calls via file_get_contents() not captured #7

Closed sysgoblin closed 3 years ago

sysgoblin commented 4 years ago

Found this issue during investigation of a kit and noticed it making telegram calls without it being intercepted by mitmproxy.

PoC:

```php
<?php
// Same request made two ways: once through the stream wrapper, once through curl.
function telegram($msg) {
    $url='https://api.telegram.org/';
    $options=array(
        'http'=>array(
            'method'=>'POST',
            'header'=>"Content-Type:application/x-www-form-urlencoded\r\n",
            'content'=>$msg
        )
    );

    // Explicit context: no 'proxy' key, so the request goes out directly
    $context=stream_context_create($options);

    $result=file_get_contents($url,false,$context);

    return $result;
}

function telegram_curl($msg) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL,"https://api.telegram.org/");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "message=$msg");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $server_output = curl_exec($ch);
    curl_close ($ch);
    return $server_output;
}

$message1 = "stream!";
$message2 = "curl!";

telegram($message1);
telegram_curl($message2);
?>
```

Running the above will show only the calls being made via curl being intercepted by mitmproxy.

file_get_contents does not respect the proxy config unless it is declared within the options array; there are likely other functions which will have the same behaviour.
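The following is an added example, not code from the issue or from the phishpond project, showing one way a sandbox can force stream-wrapper HTTP calls through mitmproxy even when a kit builds its own context (as the `telegram()` function above does). It replaces PHP's built-in `http` and `https` wrappers with a class that logs each request, merges the kit's context options with the proxy settings, and then hands the request back to the built-in wrapper. The file name `sandbox_prepend.php`, the proxy address `tcp://127.0.0.1:8080` and the CA path `/opt/sandbox/mitmproxy-ca-cert.pem` are assumptions; it is meant to be loaded for every script via the `auto_prepend_file` php.ini directive.

```php
<?php
// sandbox_prepend.php (assumed name): loaded via auto_prepend_file so it runs
// before any kit code. Redirects every http:// and https:// stream-wrapper
// request through the interception proxy, regardless of the context the
// kit passes to file_get_contents()/fopen().
final class SandboxHttpWrapper
{
    const PROXY  = 'tcp://127.0.0.1:8080';                 // assumed mitmproxy listener
    const CAFILE = '/opt/sandbox/mitmproxy-ca-cert.pem';   // assumed mitmproxy CA (so TLS verifies)

    /** @var resource|null PHP fills this with the caller's context, if any */
    public $context;

    /** @var resource underlying stream opened through the built-in wrapper */
    private $inner;

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        // Start from whatever options the kit supplied (method, headers, body)
        // and add the proxy settings on top, so the POST body survives.
        $opts = is_resource($this->context) ? stream_context_get_options($this->context) : array();
        $opts['http']['proxy']           = self::PROXY;
        $opts['http']['request_fulluri'] = true;   // send absolute URI, as HTTP proxies expect
        $opts['ssl']['cafile']           = self::CAFILE;

        $method = isset($opts['http']['method']) ? $opts['http']['method'] : 'GET';
        $body   = isset($opts['http']['content']) ? $opts['http']['content'] : '';
        error_log(sprintf('[sandbox] stream %s %s (%d bytes body)', $method, $path, strlen($body)));

        // Temporarily put the built-in wrapper back to perform the real request
        // (it tunnels https through the proxy with CONNECT), then re-install ours.
        $scheme = parse_url($path, PHP_URL_SCHEME);
        stream_wrapper_restore($scheme);
        $this->inner = @fopen($path, $mode, false, stream_context_create($opts));
        stream_wrapper_unregister($scheme);
        stream_wrapper_register($scheme, self::class);

        if ($this->inner === false) {
            error_log(sprintf('[sandbox] request to %s failed', $path));
            return false;
        }
        return true;
    }

    public function stream_read($count) { return fread($this->inner, $count); }
    public function stream_eof()        { return feof($this->inner); }
    public function stream_stat()       { return fstat($this->inner); }
    public function stream_close()      { fclose($this->inner); }
}

// Swap the built-in wrappers for the logging one for the rest of this process.
foreach (array('http', 'https') as $scheme) {
    stream_wrapper_unregister($scheme);
    stream_wrapper_register($scheme, SandboxHttpWrapper::class);
}
```

Per-process proxy settings (`http_proxy` in the environment, or `stream_context_set_default()`) only reach stream-wrapper calls that pass no context of their own, which is exactly why the `telegram()` function in the PoC slips past them; a custom wrapper receives the kit's context in `$this->context` and can augment it. Kits that talk to the network through other means (raw `fsockopen()`, `mail()`, shell-outs) still bypass this, so the reliable backstop for a contained environment remains network-level redirection of the container's traffic into the proxy's transparent mode, with the PHP-level wrapper adding per-request logging on top.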