Waraxe IT Security Portal
Login or Register
July 13, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 106
Members: 0
Total: 106
Full disclosure
CVE-2024-33326
CVE-2024-33327
CVE-2024-33328
CVE-2024-33329
CyberDanube Security Research 20240703-0 | Authenticated Command Injection in Helmholz Industrial Router REX100
SEC Consult SA-20240627-0 :: Local Privilege Escalation via MSI installer in SoftMaker Office / FreeOffice
SEC Consult SA-20240626-0 :: Multiple Vulnerabilities in Siemens Power Automation Products
Novel DoS Vulnerability Affecting WebRTC Media Servers
APPLE-SA-06-25-2024-1 AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8
40 vulnerabilities in Toshiba Multi-Function Printers
17 vulnerabilities in Sharp Multi-Function Printers
SEC Consult SA-20240624-0 :: Multiple Vulnerabilities allowing complete bypass in Faronics WINSelect (Standard + Enterprise)
SEC Consult SA-20240620-0 :: Arbitrary File Upload in edu-sharing (metaVentis GmbH)
Zip Slip meets Artifactory: A Bug Bounty Story
Backdoor.Win32.Plugx / Insecure Permissions
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> Sql Injection in Invision Power Board Goto page 1, 2Next
Post new topicReply to topic View previous topic :: View next topic
Sql Injection in Invision Power Board
PostPosted: Tue Apr 12, 2005 12:52 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Just found this advisory:

http://www.securityfocus.com/archive/1/395515/2005-04-09/2005-04-15/0

Quote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dcrab 's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability
[PATCH INCLUDED]
Date: 09/04/2005

Vendor: Invision Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to a sql injection vulnerability
which is caused by the non validation of input in the $this->first variable


**********************************************************************************************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more
at http://www.digitalparadox.org/services.ah
**********************************************************************************************************

Proof of Concept Exploit:

http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION

**************
Patch info
**************
A patched version of the vulnerable file can be found at, http://www.digitalparadox.org/memberlist.txt

Just replace /uploads/sources/memberlist.php with this, and it will be fixed.

A simple patch can be,

In /uploads/sources/memberlist.php on Line 274 add this code
[CODE BEGINS]

if (!is_numeric($this->first)) {
$this->first = "0";
}

[CODE ENDS]

So it should finally look like,
[CODE BEGINS]

$this->output .= $this->html->Page_header( array( 'SHOW_PAGES' =>
$links) );

//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
$this->first = "0";
}

$DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title,
m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions

[CODE ENDS]


Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilties have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding
these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/.
Lookout for my soon to come out book on Secure coding with
php.


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com

iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj
hAJ8nVzhK+VIlL4iPxDJRh02
=n3TC
-----END PGP SIGNATURE-----


So why not test it in real world - picked up an random site:

Code:

http://****.com/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=f00bar


And we can see nice debug message:

Code:

There appears to be an error with the *** Community Forums database.
You can try to refresh the page by clicking here, if this does not fix the error, you can contact the board administrator by clicking here

Error Returned


mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
FROM ibf_members m
LEFT JOIN ibf_member_extra me ON me.id=m.id
LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
WHERE m.id > 0 AND m.mgroup='1' AND g.g_hide_from_list <> 1
ORDER BY m.name asc
LIMIT f00bar,30

mySQL error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM

We apologise for any inconvenience


So, this Sql Injection is in "LIMIT x,y" section in query, and as i know, it can be useful only in case of mysql version >= 4.1 with subqueries functionality Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Apr 12, 2005 6:34 pm Reply with quote
Alkaen
Regular user
Regular user
Joined: Feb 16, 2005
Posts: 5
Location: Bahrain - Aldair




All steps are okay.. but how i can exploit this sql injection?!

So that's mean what i've to do after appearing of the error message?

Thanx..
View user's profile Send private message Visit poster's website
PostPosted: Wed Apr 13, 2005 4:05 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Does invision use SHA1 ???? I never knew...... and I never used. Ive got a cracked version of vBulletin 3.0 that Ive used but I've never used invision trail or full.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Apr 13, 2005 11:42 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Alkaen wrote:
All steps are okay.. but how i can exploit this sql injection?!

So that's mean what i've to do after appearing of the error message?

Thanx..


Well, it's complicated. There is need for blind sql attack methods and subqueries (i suggest benchmark() function). But as far as i know, most of the mysql databases on internet right now are version < 4.1.x and so they have no subqueries functionality Rolling Eyes
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Apr 13, 2005 11:45 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




Yes I'm still wondering why Fedora Core 3 came with MySql 3 it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Wed Apr 13, 2005 11:48 am Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




shai-tan wrote:
Yes I'm still wondering why Fedora Core 3 came with MySql 3 it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.


Yeah, this is frustrating,. when you have found some nice sql injection hole in some prominent website and then will see - b00m - no UNION possibilities Very Happy
Wtf? It's 21. century, webmasters and admins!!! Cmn, we want union tricks to be working!! We want subqueries to be working!! And in future, we want multiple queries in mysql/php platform too (like now in mssql/oracle) Very Happy
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Apr 13, 2005 11:51 am Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




They take the things you love and dont bother to give a few things to replace.

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Fri Apr 15, 2005 1:10 pm Reply with quote
Ratinho
Beginner
Beginner
Joined: Mar 20, 2005
Posts: 2




thank you very much...
View user's profile Send private message Send e-mail ICQ Number
Hey..
PostPosted: Mon Apr 25, 2005 2:40 pm Reply with quote
Dcrab
Valuable expert
Valuable expert
Joined: Apr 25, 2005
Posts: 7




Hey,
Waraxe: you hit the money with that post about frustration lol.. after all that auditing when you come to know its not exploitable.. lol thats frustrating, you probably know what i mean heh btw if you msn catch me at dcrab[at]hackerscenter[dotdotodotdotodotspamdotdotdot]com itll be nice to talk to you.
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Mon Apr 25, 2005 4:46 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Hi, Dcrab! Nice to see ya! So much advisories from you ... its amazing Smile
If this will continue, then i don't have soon any targets to analyze Wink
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 25, 2005 6:32 pm Reply with quote
Dcrab
Valuable expert
Valuable expert
Joined: Apr 25, 2005
Posts: 7




haha i know what you mean.. i have already run out of ideas :p do you msn..?
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
Re: Sql Injection in Invision Power Board
PostPosted: Mon Apr 25, 2005 10:21 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




waraxe wrote:

So, this Sql Injection is in "LIMIT x,y" section in query, and as i know, it can be useful only in case of mysql version >= 4.1 with subqueries functionality Rolling Eyes


hym.. lock.. if you have right in mysql... (INTO) that LIMIT 0,10 INTO OUTFILE '/path/file.php'/*

if you can to m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions insert php code (example <? exec('cat /etc/passwd'); ?>)...

can you include file.
View user's profile Send private message Visit poster's website
Re: Sql Injection in Invision Power Board
PostPosted: Mon Apr 25, 2005 10:29 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




cXIb8O3 wrote:
waraxe wrote:

So, this Sql Injection is in "LIMIT x,y" section in query, and as i know, it can be useful only in case of mysql version >= 4.1 with subqueries functionality Rolling Eyes


hym.. lock.. if you have right in mysql... (INTO) that LIMIT 0,10 INTO OUTFILE '/path/file.php'/*

if you can to m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions insert php code (example <? exec('cat /etc/passwd'); ?>)...

can you include file.


From mysql manual:

http://dev.mysql.com/doc/mysql/en/select.html

Code:

13.1.7. SELECT Syntax
13.1.7.1. JOIN Syntax
13.1.7.2. UNION Syntax
SELECT
[ALL | DISTINCT | DISTINCTROW ]
[HIGH_PRIORITY]
[STRAIGHT_JOIN]
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
select_expr, ...
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name']
[FROM table_references
[WHERE where_definition]
[GROUP BY {col_name | expr | position}
[ASC | DESC], ... [WITH ROLLUP]]
[HAVING where_definition]
[ORDER BY {col_name | expr | position}
[ASC | DESC] , ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]
[FOR UPDATE | LOCK IN SHARE MODE]]


As i can understand, after "LIMIT x,y" there can be only subqueries useful maybe...
But this is right - if we have sql injection with INSERT INTO possibility and current mysql user has file operation permissions, then we can try to write out file with php/perl/whatever code inside, and therefore such sql injection can be possibly turned out to possible shell level access.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Mon Apr 25, 2005 10:33 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Dcrab wrote:
haha i know what you mean.. i have already run out of ideas :p do you msn..?


I prefer quiet peaceful life, so no msn/ym/icq/irc/skype/cellphone Smile
But in very rare cases i use yahoo messenger. You can email me, i am checking my mailbox many times a day.
View user's profile Send private message Send e-mail Visit poster's website
Re: Sql Injection in Invision Power Board
PostPosted: Mon Apr 25, 2005 10:48 pm Reply with quote
cXIb8O3
Active user
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg




waraxe wrote:

mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
FROM ibf_members m
LEFT JOIN ibf_member_extra me ON me.id=m.id
LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
WHERE m.id > 0 AND m.mgroup='1' AND g.g_hide_from_list <> 1
ORDER BY m.name asc
LIMIT f00bar,30

mySQL error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM


in this query... we can't use UNION because is there ORDER BY. ; ] but after LIMIT you can use UNION
View user's profile Send private message Visit poster's website
Sql Injection in Invision Power Board
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 2
Goto page 1, 2Next
Post new topicReply to topic


Powered by phpBB 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.096 Seconds