I. Background information
First, I want to introduce some background on this web application, along with a basic overview of the vulnerability:
The IPB forum, whose full name is Invision Power Board (abbreviated IPB or IP.Board), is the world's most famous forum application, built on a PHP+MySQL architecture. The 1.x versions were free; starting with 2.x it became a paid product. Many large organizations are among its users, such as NASA and the semiconductor company AMD.
The interface/ipsconnect/ipconnect.php page in this system does not properly handle the id parameter, so the site raises a SQL error. The vulnerability causes the error information to be written to /cache/sql_error_latest.cgi. By interacting with this file repeatedly, an attacker can obtain sensitive information. PoC code for this vulnerability has already appeared online; it is written in Python, and the link is: http://seclists.org/fulldisclosure/2014/Nov/20
To use this code, you may need to modify the target IP address in its source.
IP.Board version 3.4.5 can be found on domestic sites, and this version meets the conditions for the vulnerability. I set up an IP.Board test environment on WAMP. During installation I set the user name to navyofficer, the password to navyofficer, and the email address to firstname.lastname@example.org; this is the only user in the system.
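The behaviour described above (a request to the interface page, then a read of the SQL error cache, repeated many times) leaves a recognizable pattern in web server access logs. The following detection sketch is an added example, not code from the original article or the PoC; it assumes Apache "combined" log lines, and the function name, threshold and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Paths as given in the article; the Apache "combined" log layout is an assumption.
INTERFACE_PATH = "/interface/ipsconnect/ipconnect.php"
ERROR_CACHE_PATH = "/cache/sql_error_latest.cgi"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

def find_error_cache_probing(lines, min_pairs=2):
    """Flag clients that repeatedly hit the interface page and then read the
    SQL error cache. Returns {ip: {"pairs": n, "cache_served": k}}."""
    awaiting_read = defaultdict(bool)   # client has touched the interface page
    stats = defaultdict(lambda: {"pairs": 0, "cache_served": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                    # skip lines in another format
        ip = m["ip"]
        # endswith() also covers a forum installed in a subdirectory
        path = urlsplit(m["url"]).path.lower()
        if path.endswith(INTERFACE_PATH):
            awaiting_read[ip] = True
        elif path.endswith(ERROR_CACHE_PATH):
            if m["status"] == "200":
                stats[ip]["cache_served"] += 1   # file is readable over the web
            if awaiting_read[ip]:
                stats[ip]["pairs"] += 1          # interface hit followed by cache read
                awaiting_read[ip] = False
    return {ip: s for ip, s in stats.items() if s["pairs"] >= min_pairs}

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = []
for sec in (1, 3, 5):
    SAMPLE_LOG += [
        f'203.0.113.5 - - [10/Nov/2014:10:00:0{sec} +0000] "POST /interface/ipsconnect/ipconnect.php HTTP/1.1" 200 512',
        f'203.0.113.5 - - [10/Nov/2014:10:00:0{sec + 1} +0000] "GET /cache/sql_error_latest.cgi HTTP/1.1" 200 1843',
    ]
SAMPLE_LOG += [
    '198.51.100.7 - - [10/Nov/2014:10:01:00 +0000] "GET /index.php?showtopic=12 HTTP/1.1" 200 9000',
    '198.51.100.7 - - [10/Nov/2014:10:01:05 +0000] "GET /cache/sql_error_latest.cgi HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, s in find_error_cache_probing(SAMPLE_LOG).items():
        print(ip, s)
```

A non-zero cache_served count means the web server is handing the error cache to remote clients; denying web access to that file closes the read channel regardless of whether the application itself is patched.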
II. The specific attack process
1. Obtaining the number of system users
The attacker sends the following