|
Members of Antichat - Level 5
Регистрация: 01.04.2007
Сообщений: 1,268
Провел на форуме:
10046345
Репутация:
4589
|
|
XSS
http://img.snakearena.net/v.php?id='><script>alert()</script>
http://amxbans.snakearena.net/ban_search.php
Есть подозрения на sql-inj:
PHP код:
if ((isset($_POST['nick'])) || (isset($_POST['steamid'])) || (isset($_POST['ip'])) || (isset($_POST['reason'])) || (isset($_POST['date'])) || (isset($_POST['timesbanned'])) || (isset($_POST['admin'])) || (isset($_POST['server']))) {
// Make the array for the active bans list
if (isset($_POST['nick'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE player_nick LIKE '%".$_POST['nick']."%' ORDER BY ban_created DESC") or die(mysql_error());
} else if (isset($_POST['steamid'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE (player_id = '".$_POST['steamid']."' AND ban_type='S' ) OR ( player_ip='".$_POST['ip']."' AND ban_type='SI') ORDER BY ban_created DESC") or die(mysql_error());
} else if (isset($_POST['reason'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE ban_reason LIKE '%".$_POST['reason']."%' ORDER BY ban_created DESC") or die(mysql_error());
} else if (isset($_POST['date'])) {
$date = substr_replace($_POST['date'], '', 2, 1);
$date = substr_replace($date, '', 4, 1);
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE FROM_UNIXTIME(ban_created,'%d%m%Y') LIKE '$date' ORDER BY ban_created DESC") or die(mysql_error());
} else if (isset($_POST['timesbanned'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip, COUNT(*) FROM $config->bans GROUP BY player_id HAVING COUNT(*) >= '".$_POST['timesbanned']."' ORDER BY ban_created DESC") or die (mysql_error());
} else if (isset($_POST['admin'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE admin_id = '".$_POST['admin']."' ORDER BY ban_created DESC") or die(mysql_error());
} else if (isset($_POST['server'])) {
$resource3 = mysql_query("SELECT bid, player_nick, admin_nick, ban_length, ban_reason, ban_created, server_ip FROM $config->bans WHERE server_ip = '".$_POST['server']."' ORDER BY ban_created DESC") or die(mysql_error());
} else {
echo "KOE";
}
При magic_quotes = off так же возможна sql-inj в скриптах, инсклудяших include/accesscontrol.inc.php
PHP код:
if(isset($_POST['uid'])){
$_POST['uid'] = secure($_POST['uid']);
} // функция secure зашищает только от xss
.................
if(isset($_COOKIE["amxbans"])) {
$sql = "SELECT * FROM $config->webadmins WHERE username = '$uid' AND password = '$pwd'";
} else {
$sql = "SELECT * FROM $config->webadmins WHERE username = '$uid' AND password = md5('$pwd')";
}
Последний раз редактировалось BlackSun; 09.02.2009 в 11:31..
|