--- PHP ip2long() function circumvention --------------------------------------


tested on php 5.0.2
           "  4.3.3

--------------------------------------------------------------------------------

after some tests on the miniBB application (http://www.minibb.net/) I found that
the php ip2long() function can be tricked into returning a valid IPv4 Internet
network address instead of "-1" even if the ip address argument is not a valid
one, through the injection of some chars, ex:


<?php
 for ($i=0; $i<=255; $i++)
 {
  echo $i.":".ip2long("1.1.1.1".chr($i)."'or'a'='a'/*")."\r\n";
 }
?>


when chr($i) is chr(0), chr(9), chr(10), chr(11), chr(12), chr(13) or chr(32)
it gives the following (valid) result:

16843009

which is simply the value of 1.1.1.1: the whitespace/NUL character and
everything after it are silently ignored by the parser.


in the minibb case this could result in sql injection, forging a header like this:

X-FORWARDED-FOR: 1.1.1.1[CHR(9)]'[SQL CODE]

or even like this:

X-FORWARDED-FOR: 1[CHR(9)]'[SQL CODE]

(however MiniBB limits the string to 15 chars, so you will have a rather useless
twelve-char sql injection...)
also remember that HTTP headers are not filtered by PHP magic_quotes_gpc, so this
could give an attacker a way to fully compromise an application


code taken from MiniBB 2.0
index.php, lines 248-264

/* Banned IPs/IDs stuff */
$thisIp=getIP();                      // <--- here $thisIp becomes our sql code
$cen=explode('.', $thisIp);

if(isset($cen[0]) and isset($cen[1]) and isset($cen[2])){
$thisIpMask[0]=$cen[0].'.'.$cen[1].'.'.$cen[2].'.+';
$thisIpMask[1]=$cen[0].'.'.$cen[1].'.+';
}
else {
$thisIpMask[0]='0.0.0.+';
$thisIpMask[1]='0.0.0.+';
}

if (db_ipCheck($thisIp,$thisIpMask,$user_id)) { // <--- $thisIp is passed to the db_ipCheck() function
$title=$sitename." :: ".$l_accessDenied;
echo ParseTpl(makeUp('main_access_denied')); exit;
}


bb_functions.php, near lines 123-131

//--------------->
function getIP(){
$ip1=getenv('REMOTE_ADDR');$ip2=getenv('HTTP_X_FORWARDED_FOR');
if ($ip2!='' and ip2long($ip2)!=-1) $finalIP=$ip2; else $finalIP=$ip1; // <--- vulnerable code
$finalIP=substr($finalIP,0,15);
return $finalIP;
}
//--------------->


//--------------->


setup_mysql.php, near lines 99-105:

function db_ipCheck($thisIp,$thisIpMask,$user_id){
$res=mysql_query('select id from '.$GLOBALS['Tb'].' where
banip='."'".$thisIp."'".' or banip='."'".$thisIpMask[0]."'".' or
banip='."'".$thisIpMask[1]."'".' or banip='."'".$user_id."'");   // <--- sql injection
echo mysql_error();
if($res and mysql_num_rows($res)>0) return TRUE; else return FALSE;
}
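The two defensive changes that close this hole, shown together as an added example (this is
not rgod's probe and not MiniBB code): a strict IPv4 check that rejects every whitespace- or
NUL-suffixed string from the chr($i) loop above, and a ban lookup that binds the address as a
parameter instead of concatenating it into the query. The example assumes a current PHP
(7.1 or later, where filter_var() exists and ip2long() returns false on bad input) with the
mysqli extension; the function names, the table-name regex and the "first hop of
X-Forwarded-For" policy are this example's own choices, and the $fake request at the bottom
is constructed input.

```php
<?php
// Added example (not rgod's PoC and not MiniBB code): strict IPv4 validation
// plus a prepared-statement ban lookup.

// Strict IPv4 validation. filter_var() only accepts an exact dotted quad, and
// the long2ip(ip2long()) round trip additionally requires the canonical form
// to be byte-identical to the input, so "1", "1.1.1.1\t", "1.1.1.1 x" and
// "01.1.1.1" are all rejected. Returns the address or null.
function strict_ipv4(string $candidate): ?string
{
    if (filter_var($candidate, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    $n = ip2long($candidate);
    if ($n === false || long2ip($n) !== $candidate) {
        return null;
    }
    return $candidate;
}

// Replacement for MiniBB's getIP(): trust X-Forwarded-For only when its first
// hop is a clean IPv4 literal, otherwise use the socket peer address.
// Note: no trim() on purpose; a padded value is an invalid value, not a
// value to be repaired.
function safe_get_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '') {
        $first = explode(',', $xff, 2)[0];
        $clean = strict_ipv4($first);
        if ($clean !== null) {
            return $clean;
        }
    }
    return strict_ipv4($remote) ?? '0.0.0.0';
}

// Ban lookup with bound parameters: whatever the IP string contains, it can
// only ever be compared against banip, never change the SQL. $table is
// assumed to come from configuration (MiniBB's $GLOBALS['Tb']), not from
// the request; the regex is a defensive guard on that assumption.
function db_ip_check_safe(mysqli $db, string $table, string $ip, array $masks, string $userId): bool
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) {
        throw new InvalidArgumentException('bad table name');
    }
    $m0 = $masks[0] ?? '';
    $m1 = $masks[1] ?? '';
    $stmt = $db->prepare("SELECT id FROM `$table` WHERE banip IN (?, ?, ?, ?) LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ssss', $ip, $m0, $m1, $userId);
    $stmt->execute();
    $stmt->store_result();
    $banned = $stmt->num_rows > 0;
    $stmt->close();
    return $banned;
}

// Re-run the advisory's 256-character probe against the strict validator and
// return the chr() values that were accepted. Expected: none.
function probe_trailing_chars(): array
{
    $accepted = [];
    for ($i = 0; $i <= 255; $i++) {
        if (strict_ipv4("1.1.1.1" . chr($i) . "'or'a'='a'/*") !== null) {
            $accepted[] = $i;
        }
    }
    return $accepted;
}

// Constructed request, same shape as the forged header in the advisory.
$fake = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1\t'or'a'='a'/*",
];
echo safe_get_ip($fake), "\n";                        // 203.0.113.7 (header ignored)
echo count(probe_trailing_chars()), " accepted\n";    // 0 accepted
```

Of the two changes, the prepared statement is the one that matters: it makes the ban check
safe even if some future parser quirk lets an odd string through the validator, whereas
validation alone still leaves the query one missed character away from injection. The
round-trip check is belt and braces on current PHP, where ip2long() is already strict, but it
costs nothing and documents the expectation that the address must be canonical.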


--------------------------------------------------------------------------------

1.05 29/07/2006

rgod

http://retrogod.altervista.org/php_ip2long.htm

--------------------------------------------------------------------------------
