Thursday, August 25, 2016

interface/ipsconnect/ipsconnect.php SQL Injection

I saw this web request in the logs and thought it was worth discussing. It appears to be related to an IP.Board 'ipsconnect.php' SQL Injection Vulnerability in the id[] parameter from perhaps 2014/2015 ish. There are public exploits so script kiddies run these kind of queries across the web all the time. The IPS Connect service (interface/ipsconnect/ipsconnect.php) in Invision Power Board (aka IPB or IP.Board) appears impacted.

POST /interface/ipsconnect/ipsconnect.php HTTP/1.1
Connection: keep-alive
Accept: */*
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.6,en;q=0.4
Accept-Charset: utf-8;q=0.7,*;q=0.3
Accept-Encoding: gzip,deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36
id[]=-1) and 1!="'" and updatexml(NULL,concat(0x3a, ( select table_name from information_schema.tables where BINARY LEFT(table_name, 1) = 'nnn' LIMIT 0,1 ) ),NULL)-- -'

If you look at the request above you see it's sending a payload into the id[] parameter which must not be using parameterized queries and must not be sanitizing the values correctly. It looks like the id should be an integer, but in this case it allows strings, big ugly long strings, strings that contain sql code!

updatexml() is a mysql function that essentially does a xml string replaces. But it's interesting why they would be starting with a NULL string and replacing with a NULL string. Why? This is actually called XPath Error Based Injection. If it's a successful attack ,an error actually gets thrown, and the ERROR message itself contains the data exfiltration. In this case they are trying to grab the name of a particular SQL table to see if they've gained access to the database. If successful it'll probably display something like

Output : XPATH syntax error: ':tableNameHere'

To prevent this, make sure your IP Board software is updated/patched, have a WAF or IPS that blocks SQL Injection attacks, and from a coding perspective use parameterized SQL queries so you can't enter strings in for integers, and sanitize data so special characters like this aren't allowed either.

More about neonprimetime

Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java

Top Github Contributions
  1. Qualys Scantronitor 2.0

Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment