Invision Power Board Multiple SQL Injection Vulnerabilities

Vulnerability ID: 1110563
Vulnerability type: SQL injection
Published: 2006-07-05
Updated: 2006-07-25
CVE ID: CVE-2006-3543
CNNVD-ID: CNNVD-200607-164
Platform: PHP
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/28167
https://cxsecurity.com/issue/WLB-2006070005
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-164
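|Vulnerability details
**DISPUTED** Invision Power Board (IPB) 1.x and 2.x contain multiple SQL injection vulnerabilities. Remote attackers can execute arbitrary SQL commands via the (1) idcat and (2) code parameters in the ketqua action in index.php; the id parameter in the (3) Attach and (4) ref actions in index.php; the CODE parameter in the (5) Profile, (6) Login, and (7) Help actions in index.php; and (8) the member_id parameter in coins_list.php. Note: the developer has disputed this issue, stating that the "CODE attribute is never present in an SQL query" and that "'ketqua' [action] and file 'coin_list.php' are not standard IPB 2.x features". It is unclear whether these vectors are associated with an independent module or a modification of IPB.
|Exploit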
source: http://www.securityfocus.com/bid/18836/info

Invision Power Board is prone to multiple SQL-injection vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied data before using it in an SQL query. 

A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database implementation.

http://www.example.com/index.php?act=ketqua&code=showcat&idcat=[SQL] 
http://www.example.com/index.php?act=Attach&type=post&id=[SQL] 
http://www.example.com/index.php?act=Profile&CODE=[SQL] 
http://www.example.com/index.php?act=ketqua&code=[SQL] 
http://www.example.com/coins_list.php?member_id=[SQL] 
http://www.example.com/index.php?act=Login&CODE=[SQL] 
http://www.example.com/index.php?act=Help&CODE=[SQL] 
http://www.example.com/index.php?act=ref&id=[SQL]
|References

Source: BID
Name: 18836
Link: http://www.securityfocus.com/bid/18836
Source: BUGTRAQ
Name: 20060710 Re: Invision Power Board "v1.X & 2.X" SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/439602/100/0/threaded
Source: BUGTRAQ
Name: 20060704 Invision Power Board "v1.X & 2.X" SQL Injection
Link: http://www.securityfocus.com/archive/1/archive/1/439145/100/0/threaded
Source: OSVDB
Name: 30084
Link: http://www.osvdb.org/30084
Source: SREASON
Name: 1231
Link: http://securityreason.com/securityalert/1231