ComSec
Moved from the Exploit section... it's turned into a small project I can develop further...


http://www.securitytracker.com/alerts/2005/May/1013894.html


http://www.invisiongallery.com

About: Invision Gallery is a fully featured, powerful gallery system that is easy and fun to use! It plugs right into your existing Invision Power Board to create a seamless browsing experience for the users of your forum. We've taken many of the most popular feature requests from our customers and integrated them into this product.

Target URL: http://xxxxxxxx.com/v2/?act=module&module=gallery

a couple of issues apply:

by adding script injection inputs like so

http://xxxxxxxxx.com/v2/index.php?act=modu...ne_key=30&cat=1

will cause an injection error message

QUOTE
mySQL query error: SELECT i.file_type, i.masked_file_name, i.caption, i.id, i.directory, m.name, m.id AS mid
                FROM ibf_gallery_images i, ibf_members m
                WHERE album_id=0 AND m.id=i.member_id
                ORDER BY date DESC
                LIMIT '><script>alert(document.cookie)</script>, 1


with the above info you can then navigate the table... using the SELECT FROM WHERE ORDER LIMIT.... to add advanced sql injection methods

also cookie and session can be obtained with :

http://xxxxxxxxxxx.com/v2/index.php?act=mo...</script>

due to NO previous response to other issues

http://www.securitytracker.com/id?1013863

Vendor NOT informed

screenshots:
Axl
nice find m8

but you are wrong....
there is no way to make a working sql injection exploit out of that bug
the input you are changing is in the "limit" field.
you can't use union within "limit"
so the bug is useless
but the xss works =]
gj !!
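
Added example, not part of the thread and not Invision Gallery's own code: the two defects discussed above (a request value reaching the LIMIT clause unvalidated, and the SQL error page echoing it without HTML encoding) can both be closed at the application layer. The parameter name `offset`, the function names, the page size and the upper bound are hypothetical.

```php
<?php
// Added illustration; not Invision Gallery source. All names are hypothetical.

const PER_PAGE   = 30;      // assumed page size
const MAX_OFFSET = 100000;  // assumed upper bound for paging

/**
 * Accept the paging offset only if it is a plain non-negative integer.
 * Anything else (quotes, markup, SQL keywords) falls back to 0.
 */
function clean_offset($raw): int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return 0;
    }
    return min((int) $raw, MAX_OFFSET);
}

/** Build the gallery listing query with integer-only LIMIT operands. */
function build_listing_query(int $albumId, int $offset): string
{
    return sprintf(
        'SELECT i.file_type, i.masked_file_name, i.caption, i.id, i.directory, m.name, m.id AS mid
         FROM ibf_gallery_images i, ibf_members m
         WHERE album_id=%d AND m.id=i.member_id
         ORDER BY date DESC
         LIMIT %d, %d',
        $albumId, $offset, PER_PAGE
    );
}

/** Keep the failing query in the server log; show the visitor a fixed, encoded message. */
function render_db_error(string $failedQuery): string
{
    error_log('SQL error in gallery listing: ' . $failedQuery);
    return '<p>' . htmlspecialchars('A database error occurred.', ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample input: the value shown in the error message quoted in this thread.
$raw = "'><script>alert(document.cookie)</script>";
echo build_listing_query(0, clean_offset($raw)), "\n";  // markup is rejected, offset becomes 0
echo build_listing_query(0, clean_offset('60')), "\n";  // a numeric offset passes through
```

With the offset forced to an integer the query no longer fails on that input, so the error page is never reached; `render_db_error` covers any other failure without reflecting request data into the HTML.
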
SkullSplitter
hmm i am looking for the nice tool in the thumbnails

i cant find it with the search feature ....

can anyone help (*look2comsec*) ?

Cheers

SkullSplitter
ComSec
thanks Axl, I forgot about the Union and Limit from a PM we had with each other last year.... well at least it's something to go on .... am in the middle of making a tool to find various methods and including encoded strings... hence the XSS activity

here is the program so far... might interest you and one or two others mate

if you fancy trying it out..Axl...then PM me.... am looking for further ways and methods to include in the program.

cheers
[R]
can I buy this tool?
ComSec
thanks all for the PMs, will sort something... here are a couple more screenshots of further progress

image 1.... is the start up position...

you will note 2 new buttons to open and close a section of the form expanding it for the Encoding section...see image 2....

also an XSS is included... using a hex input... see url

added an XP button theme... also .... should be ready for a few to try late tomorrow

also added a Search and Replace... within the url saves a lot of cutting and paste... see start image.... with demo of replacing searchphp.... within the url with the script input XSS above it....
ComSec
this is getting close to the final tool

screenshots:

added XSS load , save

added clear old string on input... ie XSS will auto clear old input box

added about form

new screenshots : Expanded Form & Start Form
whisker
That is quite impressive... how did you code it? I have just been learning coding for about a week (python, perl). Could I please try that program, comsec?

I'd like to try it on my Invision board installed on my VMware



Cheers
ComSec
it's here whisker, on my other website

http://www.codelinx.net/tool.html