Тема: Ваши вопросы по уязвимостям.
Показать сообщение отдельно

  #7  
Старый 04.03.2013, 09:40
blesse
Участник форума
Регистрация: 18.01.2012
Сообщений: 162
Провел на форуме:
29647

Репутация: 1
По умолчанию
Возможно сформировать запрос так чтоб скрипт выдал

Код:
query = "SELECT * FROM `$table_name` WHERE ck_comment_id = $k_id";
?

PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]require_once([/COLOR][COLOR="#DD0000"]'../../../wp-config.php'[/COLOR][COLOR="#007700"]);

require_once([/COLOR][COLOR="#DD0000"]'../../../wp-includes/functions.php'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]// CSRF attack protection. Check the Referal field to be the same

// domain of the script

[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strip_tags[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]));

[/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strip_tags[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'action'[/COLOR][COLOR="#007700"]]));

[/COLOR][COLOR="#0000BB"]$k_path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strip_tags[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]]));

[/COLOR][COLOR="#0000BB"]$k_imgIndex[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strip_tags[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'imgIndex'[/COLOR][COLOR="#007700"]]));

[/COLOR][COLOR="#FF8000"]// prevent SQL injection

[/COLOR][COLOR="#007700"]if (![/COLOR][COLOR="#0000BB"]is_numeric[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#007700"])) die([/COLOR][COLOR="#DD0000"]'error|Query error'[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$table_name[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'comment_rating'[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$comment_table_name[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$wpdb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'comments'[/COLOR][COLOR="#007700"];

if([/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$k_path[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]//Check to see if the comment id exists and grab the rating

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM `[/COLOR][COLOR="#0000BB"]$table_name[/COLOR][COLOR="#DD0000"]` WHERE ck_comment_id =[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

if(![/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]) { die([/COLOR][COLOR="#DD0000"]'error|mysql: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]()); }

if([/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]))

 {

[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#FF8000"]// used as a counter to off set duplicated votes

[/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]mysql_fetch_assoc[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]))

 {

[/COLOR][COLOR="#FF8000"]// Handle proxy with original IP address

[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_X_FORWARDED_FOR"[/COLOR][COLOR="#007700"]) ?[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP_X_FORWARDED_FOR"[/COLOR][COLOR="#007700"]) :[/COLOR][COLOR="#0000BB"]getenv[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"REMOTE_ADDR"[/COLOR][COLOR="#007700"]);

 if([/COLOR][COLOR="#0000BB"]strstr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_ips'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#FF8000"]// die('error|You have already voted on this item!');

 // Just don't count duplicated votes

[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$ck_ips[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_ips'[/COLOR][COLOR="#007700"]];

 }

 else {

[/COLOR][COLOR="#0000BB"]$ck_ips[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_ips'[/COLOR][COLOR="#007700"]] .[/COLOR][COLOR="#DD0000"]','[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$ip[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#FF8000"]// IPs are separated by ','

[/COLOR][COLOR="#007700"]}

 }

[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_rating_up'[/COLOR][COLOR="#007700"]] -[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_rating_down'[/COLOR][COLOR="#007700"]];

 if([/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'add'[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_rating_up'[/COLOR][COLOR="#007700"]] +[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$direction[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'up'[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"];

 }

 elseif([/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'subtract'[/COLOR][COLOR="#007700"])

 {

[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'ck_rating_down'[/COLOR][COLOR="#007700"]] +[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$direction[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'down'[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]+[/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"];

 } else {

 die([/COLOR][COLOR="#DD0000"]'error|Try again later'[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#FF8000"]//No action given.

[/COLOR][COLOR="#007700"]}

if (![/COLOR][COLOR="#0000BB"]$duplicated[/COLOR][COLOR="#007700"])

 {

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"UPDATE `[/COLOR][COLOR="#0000BB"]$table_name[/COLOR][COLOR="#DD0000"]` SET ck_rating_[/COLOR][COLOR="#0000BB"]$direction[/COLOR][COLOR="#DD0000"]= '[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#DD0000"]', ck_ips = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$ck_ips[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"' WHERE ck_comment_id =[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

 if(![/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"])

 {

[/COLOR][COLOR="#FF8000"]// die('error|query '.$query);

[/COLOR][COLOR="#007700"]die([/COLOR][COLOR="#DD0000"]'error|Query error'[/COLOR][COLOR="#007700"]);

 }

[/COLOR][COLOR="#FF8000"]// Now duplicated votes will not

[/COLOR][COLOR="#007700"]if(![/COLOR][COLOR="#0000BB"]mysql_affected_rows[/COLOR][COLOR="#007700"]())

 {

 die([/COLOR][COLOR="#DD0000"]'error|affected '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#007700"]);

 }

[/COLOR][COLOR="#0000BB"]$karma_modified[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

 if ([/COLOR][COLOR="#0000BB"]get_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ckrating_karma_type'[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#DD0000"]'likes'[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'add'[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$karma_modified[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$karma[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#007700"];

 }

 if ([/COLOR][COLOR="#0000BB"]get_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ckrating_karma_type'[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#DD0000"]'dislikes'[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$k_action[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'subtract'[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$karma_modified[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$karma[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#007700"];

 }

 if ([/COLOR][COLOR="#0000BB"]get_option[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'ckrating_karma_type'[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#DD0000"]'both'[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$karma_modified[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$karma[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"];

 }

if ([/COLOR][COLOR="#0000BB"]$karma_modified[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"UPDATE `[/COLOR][COLOR="#0000BB"]$comment_table_name[/COLOR][COLOR="#DD0000"]` SET comment_karma = '[/COLOR][COLOR="#0000BB"]$karma[/COLOR][COLOR="#DD0000"]' WHERE comment_ID =[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]);

 if(![/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]) die([/COLOR][COLOR="#DD0000"]'error|Comment Query error'[/COLOR][COLOR="#007700"]);

 }

[/COLOR][COLOR="#FF8000"]// Invalidate the W3 cache by triggering the global wordpress action hook for an edited comment

[/COLOR][COLOR="#0000BB"]do_action[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"edit_comment"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#007700"]);

 }

 } else {

 die([/COLOR][COLOR="#DD0000"]'error|Comment doesnt exist'[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#FF8000"]//Comment id not found in db, something wrong ?

[/COLOR][COLOR="#007700"]}

} else {

 die([/COLOR][COLOR="#DD0000"]'error|Fatal: html format error'[/COLOR][COLOR="#007700"]);

}

[/COLOR][COLOR="#FF8000"]// Add the + sign,

[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]) {[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"+[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]; }

[/COLOR][COLOR="#FF8000"]//This sends the data back to the js to process and show on the page

// The dummy field will separate out any potential garbage that

// WP-superCache may attached to the end of the return.

[/COLOR][COLOR="#007700"]echo([/COLOR][COLOR="#DD0000"]"done|[/COLOR][COLOR="#0000BB"]$k_id[/COLOR][COLOR="#DD0000"]|[/COLOR][COLOR="#0000BB"]$rating[/COLOR][COLOR="#DD0000"]|[/COLOR][COLOR="#0000BB"]$k_path[/COLOR][COLOR="#DD0000"]|[/COLOR][COLOR="#0000BB"]$direction[/COLOR][COLOR="#DD0000"]|[/COLOR][COLOR="#0000BB"]$total[/COLOR][COLOR="#DD0000"]|[/COLOR][COLOR="#0000BB"]$k_imgIndex[/COLOR][COLOR="#DD0000"]|dummy"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]?>[/COLOR][/COLOR] 
 
Ответить с цитированием