James Bercegay of the GulfTech Security Research Team
Users should upgrade as soon as possible, as this is a fairly dangerous vulnerability.

    $mid = intval($std->my_getcookie('member_id'));
    $DB->query("SELECT * FROM ibf_members WHERE id=$mid AND password='$pid'");

This particular portion of code is from the IPB 1.* series, but the vulnerability seems to exist in all versions of IPB (both the 1.* and 2.* series). As we can see from the above code, the variable $mid is properly forced into an integer datatype and as a result is safe to pass to the query, but what about $pid? In the above code we see that the value of $pid is returned from the my_getcookie() function within the FUNC class. Well, let us have a look at this function to see if $pid is sanitized within the function itself.

In the above code we can see that not only is the data unsanitized, but the way the urldecode() function is used also lets an attacker bypass magic_quotes_gpc. Now, back to the auto_login() function, where we want to concentrate on this bit of code.

This would be a very easy issue to exploit if visible data was returned to the browser, but all we will be able to see is a line in the response header that looks something like this. If we see this then we know the query returned true and produced some results. This is not an easy issue to exploit, but there are a number of ways to successfully take advantage of it. For one, an attacker can select member data into an outfile and use their browser to retrieve that data, or use the MySQL "mid" function to enumerate each character of the hash one by one until the entire hash is discovered! In future versions of MySQL issues like this will be a lot easier to exploit, as we will then be able to "SELECT * FROM `blah` INTO TABLE `foobar`" much like the Oracle database, for example. With functionality like that an attacker can then do things like dump user data into a message to himself. There is working exploit code for this issue available, but we will not be releasing it publicly.

Matthew Mecham addressed these issues in a VERY timely and professional manner and fixes have been available for some time now. All users should upgrade their Invision Power Board installations as soon as possible, as these vulnerabilities make it fairly easy to grab sensitive user data, including password hashes, from the database.
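As an added example (not code from the advisory or from Invision Power Board), the PHP below models the decode-after-escape mistake in my_getcookie() described above, and shows an auto_login() that validates the cookie value and binds it to a prepared statement instead of interpolating it. The cookie name pass_hash, the 32-hex-character hash format and the use of PDO are assumptions.

```php
<?php
// Added example, not code from the advisory or from Invision Power Board.
// Assumptions: the password-hash cookie is named 'pass_hash', stored hashes
// are 32 lowercase hex characters, and the database handle is a PDO object.

// Model of the flawed order of operations the advisory describes:
// magic_quotes_gpc (simulated here with addslashes) escapes quotes in the raw
// cookie, then my_getcookie() urldecode()s the result. A percent-encoded
// quote contains no quote character when the escaping runs, so it is left
// alone and only becomes a real quote after decoding.
function vulnerable_pid(string $raw_cookie): string {
    $escaped = addslashes($raw_cookie);   // what magic_quotes_gpc would have done
    return urldecode($escaped);           // the urldecode() step from my_getcookie()
}

// Hardened replacement: decode, then accept only the one shape a stored hash
// can have. Anything else is rejected before it gets near a query.
function safe_pid(string $raw_cookie): ?string {
    $decoded = urldecode($raw_cookie);
    return preg_match('/^[0-9a-f]{32}$/', $decoded) === 1 ? $decoded : null;
}

// auto_login() rewritten with validation and a bound-parameter query, so the
// cookie value is never interpolated into SQL even if validation were relaxed.
function auto_login_hardened(PDO $db, array $cookies): ?array {
    $mid = intval($cookies['member_id'] ?? 0);
    $pid = safe_pid($cookies['pass_hash'] ?? '');
    if ($mid <= 0 || $pid === null) {
        return null;   // a malformed pass_hash cookie is worth logging here
    }
    $stmt = $db->prepare('SELECT * FROM ibf_members WHERE id = ? AND password = ?');
    $stmt->execute([$mid, $pid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration on constructed cookie values (no database needed).
$encoded_quote = '%27abc';   // constructed: percent-encoded quote, untouched by addslashes
$plain_quote   = "'abc";     // constructed: a raw quote, which addslashes does escape
echo "vulnerable, encoded: ", vulnerable_pid($encoded_quote), "\n";  // bare quote comes out
echo "vulnerable, plain:   ", vulnerable_pid($plain_quote), "\n";    // stays backslash-escaped
echo "hardened, encoded:   ", var_export(safe_pid($encoded_quote), true), "\n";   // rejected
echo "hardened, real hash: ", var_export(safe_pid(md5('example')), true), "\n";   // accepted
```

The contrast between the two vulnerable_pid() calls is the point: escaping that runs before decoding only protects against quotes that are already literal at escaping time.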