kw3rln Posted January 5, 2008

----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]

INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
Eugene Minaev underwater@itdefence.ru
-[ ITDEFENCE.ru Security advisory ]- 2007

----[ NITRO ... ]

This vulnerability was already found before, but there was no available public "fighting" exploit for it. This POC consists of several parts: an active XSS generator, a JS file which will be called when visiting the page with the XSS, a log viewer, and a special component which will take the necessary data from the forum's MySQL tables in case the intercepted session belonged to a person with moderator privileges.

----[ ANALYSIS ... ]

XSS.php is one of the most important parts of the IPB 2.1.7 POC package, as it generates the XSS for future injection on the forum board. As the reference it is necessary to specify the full path to the ya.js file (in which you have already corrected the path beforehand). Most likely it is only necessary to press the button. The injection can be executed only when there is an available session of a user with access to the moderator's panel. It is necessary to cast the "starter" parameter to numeric by means of the "intval" function. In case of successful injection there is an opportunity to enumerate the forum's administrator team:

index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*

----[ RECORD ... ]
{
---IP ADDRESS  sniffed ip address
---REFERER     xssed theme
---COOKIES     xssed cookies of forum member
---USER ID     xssed user id of forum member
---ADMIN NAME  admin username
---ADMIN PASS  admin pass hash
---ADMIN SALT  admin hash salt
}

----[ PATCH ... ]

FILE sources/classes/bbcode/class_bbcode_core.php
FUNCTION regex_check_image
LINE 924
REPLACE
if ( preg_match( "/[?&;]/", $url) )
ON
if ( preg_match( "/[?&;\<\[]/", $url) )

FILE sources/classes/bbcode/class_bbcode_core.php
FUNCTION post_db_parse_bbcode
LINE 486
REPLACE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
ON
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
if ( $row['bbcode_tag'] == 'snapback' )
{
    $match[2][$i] = intval( $match[2][$i] );
}

www.underwater.itdefence.ru/isniff.rar
www.milw0rm.com/sploits/2008-isniff.rar

----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]

# milw0rm.com [2008-01-05]
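The three input checks the advisory's ANALYSIS and PATCH sections describe (casting the moderator prune "starter" parameter with intval, the widened character class in regex_check_image, and the intval coercion of the [snapback] body), reproduced in Python as an added example; this is not the advisory's or IPB's code, and php_intval is an assumed helper that mimics PHP's intval() on strings.

```python
import re

# Character class of the [img] URL check: the original stopped at "?&;",
# the advisory's patch adds "<" and "[" so markup cannot ride in on an image URL.
_UNPATCHED_IMG_RE = re.compile(r"[?&;]")
_PATCHED_IMG_RE = re.compile(r"[?&;<\[]")

# Same pattern as the patched post_db_parse_bbcode(), with the tag fixed to "snapback";
# PHP's "#...#si" flags map to DOTALL + IGNORECASE.
_SNAPBACK_RE = re.compile(r"(\[snapback\])((?!\[/snapback\]).+?)?(\[/snapback\])", re.S | re.I)


def php_intval(value: str) -> int:
    """Assumed helper: PHP intval() on a string keeps leading digits (with sign), else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def image_url_allowed(url: str, patched: bool = True) -> bool:
    """True if the [img] URL passes regex_check_image (patched or original class)."""
    pattern = _PATCHED_IMG_RE if patched else _UNPATCHED_IMG_RE
    return pattern.search(url) is None


def parse_snapback(text: str) -> str:
    """Coerce every [snapback] body to an integer, as the patched parser does."""
    return _SNAPBACK_RE.sub(
        lambda m: f"{m.group(1)}{php_intval(m.group(2) or '')}{m.group(3)}", text
    )


def moderator_starter(param: str) -> int:
    """The advisory's fix for the prune 'starter' parameter: numeric before it reaches SQL."""
    return php_intval(param)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real board.
    print(image_url_allowed("http://example.com/a[1].png", patched=False))  # passed before
    print(image_url_allowed("http://example.com/a[1].png"))                 # rejected now
    print(parse_snapback("[snapback]123abc[/snapback]"))
    print(moderator_starter("1 union select 1/*"))
```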
VoRTeX Posted February 8, 2008 Sorry for replying to this topic, can you help me? If I understand correctly, does this exploit compile in Perl? If so, how do I then use it on a site that runs this version, 2.1.7? Thanks
tw8 Posted February 8, 2008 Where the hell do you see PERL? I for one don't see it anywhere... maybe I wasn't paying attention.
VoRTeX Posted February 8, 2008 That's exactly why I asked, since I'm kind of a n00b when it comes to exploits, that's all. What do I need to do and how do I use it? If you're willing to help me...
amprenta Posted February 8, 2008 What you see above is just an analysis of the exploit and the patching method. You get the exploit from that link with the archive: www.underwater.itdefence.ru/isniff.rar
VoRTeX Posted February 8, 2008 OK, but I'm still asking you something else. How do I use it? The Perl ones I know how, but these?
Deta Posted February 11, 2008 There was a tutorial on how to use this exploit but I don't remember where anymore... from what I saw you also need a shell and some minimal knowledge...
Vhaerun Posted February 11, 2008 Quoting VoRTeX: "OK, but I'm still asking you something else. How do I use it? The Perl ones I know how, but these?" Now you tell me... do users like this deserve to be on the forum? EDIT: and if you write about this, you start flame & shit and they feel offended!
VoRTeX Posted February 11, 2008 It's fine if an admin decides I don't deserve to be on the forum, they can ban me, I have no problem with that. But if I don't know a certain thing, that doesn't mean "I have no business being on this forum".
Vhaerun Posted February 11, 2008 There's no point in saying anything more, it'll just turn into a flame. Spoon-feed him.
hirosima Posted February 11, 2008 You'd be better off looking for an HTML manual, then PHP, and Perl if you're interested. Because nobody will ever give you anything ready-made. And keep in mind that nobody was born knowing a programming language, everyone struggled and learned; I'm at the same learning stage myself, but that doesn't mean it's bad. Good luck
VoRTeX Posted February 12, 2008 Listen, "spoon-feed him", as if I were the only one on this forum who doesn't know how to use this exploit, and I'm on the same principle as hiroshima, nobody is born knowing, but you said it as if it were aimed only at me. I'm done with the OFF-TOPIC. Don't help me anymore. Thanks for everything so far
Vhaerun Posted February 12, 2008 Man, if you don't even know how to use the exploit, then what more do you want? Let's say that by trial and error you launch it and it works. Then what do you do? Come here and say you have 10 minutes to delete your logs and ask for a tutorial?