I found a vulnerability in a code on certain forums hosted by http://invisionfree.com and I have a working cookie logger set up. On my own test board, I visited the page that logged cookies as the admin account. I then logged in as the simulated attacker account and after changing my cookie and my useragent to the same as the admin (logged in as the admin in IE, spoofed useragent in Firefox) I was logged in the admin account.

After this I decided it was ready to try in "the wild" so I joined a board I found who was running the code and started stealing cookies. I haven't been able to hijack any of their sessions though, even though they are still logged in. The only possibility I can think of is that their IP is different than mine.. would it check that? If so, how would I go about spoofing an IP?

You won't be able to spoof their IP unless you know their IP and it happens to be a shared host/proxy/AOL or on the same subnet as a machine you own (behind a single switch that you can arp spoof or a single hub that you can sniff), or if you use a ISN guessing attack (but it would be blind - you wouldn't see the replies).

The real question is what do you want to do to them? Logging in as them is probably not what you want to do (it may sound like it, but it's really not). What you really want to do is add posts as them, or change their account information or get them to perform some action that you want. You can do all of that through CSRF and XMLHTTPRequest.

- RSnake
Gotta love it. http://ha.ckers.org

I did just want to log in as them, but I guess you're right, IP spoofing seems to be a nearly impossible option, unless I got lucky. So I guess I'll work on a CSRF using XMLHTTPRequest. So what would be the best CSRF if I wanted to steal an account? One that changed their password and logged who it changed? One that changed their email to mine, requests a lost password, and then changes it back?

Either of those will work. The email one leaves a pretty obvious trace to the admins, but it also makes it much harder for the victim to recover.

- RSnake
Gotta love it. http://ha.ckers.org

For IPB you require the password to change the password and/or the email address.

As for the sploit any chance of pm'ing myself a copy. I have been lucking enough to pwn IPB twice (once with the vbscript in the image and once with the encoding issue in php5) so i would interested to see what you have.

in relation to your issue, what you require is the password. so might i suggest a overwriting the page with a fake login page so you can get the pass in cleartext.

----------
'Just because you got the bacon, lettuce, and tomato don't mean I'm gonna give you my toast.'

The vector I'm using actually isn't a vulnerability in IPB, it's a vulnerability in a Javascript code used on forums from the free forum provider http://invisionfree.com/. It actually took me a while to find a site with the code on it because one of InvisionFree's servers crashed a little while back and most lost the code. But I'm sure there are other codes that would work.

I ended up making a CSRF with the ability to post and PM people. Posting was a bit more complicated because you need an "auth_code", but that's as simple as getting the post page and parsing it for the code. I guess eventually I could make one that overwrites the page with a phishing page, but I want to make sure it's undetectable.