Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: PHP :: b06-3922.htm

PHP ip2long() function circumvention



PHP ip2long() function circumvention
PHP ip2long() function circumvention



--- PHP ip2long() function circumvention --------------------------------------=0D
=0D
tested on php 5.0.2=0D
	   "  4.3.3=0D
--------------------------------------------------------------------------------=0D
after some test on miniBB application (http://www.minibb.net/) I obtained that=0D 
the php ip2long() function can be tricked to return a valid IPv4 Internet=0D
network address instead of "-1" even if the ip address argument is not a valid=0D
one, through the injection of some chars, ex:=0D
=0D
=0D
=0D
when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)=0D
=0D
it gives the following (valid) result:=0D
=0D
16843009=0D
=0D
in minibb case this could result in sql injection, forging an header like this:=0D
=0D
X-FOWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]=0D
=0D
or even like this:=0D
=0D
X-FOWARDED-FOR: 1[CHR(9)]'[SQL CODE]=0D
=0D
(however Minibb limit the string to 15 chars so you will have an unuseful twelve=0D
chars sql injection...)=0D
also remeber that HTTP headers is not filtered by PHP magic_quotes_gpc, so this=0D
could give an attacker the way to fully compromise an application=0D
=0D
code taken from MiniBB 2.0=0D
index.php, 248-264=0D
/* Banned IPs/IDs stuff */=0D
$thisIp=getIP();                      <--------------------- here $thisIp becomes our sql code=0D
$cen=explode('.', $thisIp);=0D
=0D
if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){=0D
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';=0D
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';=0D
}=0D
else {=0D
$thisIpMask[0]='0.0.0.+';=0D
$thisIpMask[1]='0.0.0.+';=0D
}=0D
=0D
if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { //<-----------  $thisIp is passed to the db_ipCheck() function=0D
$title=$sitename." :: ".$l_accessDenied;=0D
echo ParseTpl(makeUp('main_access_denied')); exit;=0D
}=0D
=0D
bb_functions.php, near lines 123-131=0D
//--------------->=0D
function getIP(){=0D
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');=0D
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; //<-- vulnerable code=0D
$finalIP=substr($finalIP,0,15);=0D
return $finalIP;=0D
}=0D
=0D
//--------------->=0D
=0D
setup_mysql.php, near lines 99-105:=0D
=0D
function db_ipCheck($thisIp,$thisIpMask,$user_id){=0D
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where=0D
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or //<--- sql injection=0D
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");=0D
echo mysql_error();=0D
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;=0D
}=0D
=0D
--------------------------------------------------------------------------------=0D
1.05 29/07/2006=0D
rgod=0D
http://retrogod.altervista.org/php_ip2long.htm=0D 
--------------------------------------------------------------------------------=0D
=0D
=0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH