
16.03.2008, 17:05
[Deprived of self-expression
Registered: 16.01.2005
Posts: 1,787
Time on forum: 9751379
Reputation: 3812
It is a variable that was not cleaned in a way, allowing you to inject SQL code into the cookie. Here is an example of a small vulnerable PHP script.
PHP code:
<?php
// Vulnerable example from the post: the cookie value is copied straight into
// the SQL string, so whatever the client puts in the "uid" cookie becomes part
// of the query. Assumes a mysql_connect()/mysql_select_db() call has already
// been made; the deprecated mysql_* functions are the ones the original uses.
$user['id'] = $_COOKIE['uid'];
$query = "SELECT name, password FROM members where uid='" . $user['id'] . "'";
$query = mysql_query($query);
$name = mysql_result($query, 0); // first column (name) of the first row
echo 'Hello ' . $name . '!';
?>
If it is a normal user, it would display a perfectly good name like "Hello Admin!".
You can now use a thing such as the extension for Firefox called Cookie Editor, and modify the cookie; you can also do this with JavaScript.
You then edit the cookie's value. It would have been something like "12", but after editing and adding SQL code to it, it would be something like "-1 UNION ALL SELECT USER(), NULL FROM mysql.user--".
That will change the query, and display the user connected to the database, instead of the name of the user stored in the database.
That will result in the following being echoed: "Hello root@localhost".
(c) h4cky0u
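As an added example, not part of the original post or h4cky0u's script: the same lookup rewritten so the cookie value can no longer change the query. It keeps the post's table and column names (members, uid, name), drops the password column from the SELECT because the page only ever displays the name, and uses PDO with the SQLite driver and constructed sample rows so it runs without a MySQL server; the function name lookupName is my own.

```php
<?php
// Added example (not from the original post): the cookie value is treated as
// untrusted data and never concatenated into SQL.
function lookupName(PDO $db, $cookieUid): ?string
{
    // 1. Validate the shape of the input before it goes anywhere near SQL.
    //    A user id is a short non-negative integer; anything else, such as
    //    "-1 UNION ALL SELECT ...", is rejected outright.
    if (!is_string($cookieUid) || !preg_match('/^\d{1,10}$/', $cookieUid)) {
        return null;
    }

    // 2. Bind the value through a prepared statement. Even a value that passed
    //    step 1 is sent as a parameter, so it cannot alter the query structure.
    $stmt = $db->prepare('SELECT name FROM members WHERE uid = :uid');
    $stmt->bindValue(':uid', (int) $cookieUid, PDO::PARAM_INT);
    $stmt->execute();

    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed sample data in an in-memory SQLite database (assumption: the
// pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (uid INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO members VALUES (12, 'Admin', 'not-a-real-hash')");

// A normal cookie value and the payload quoted in the post. In a real script
// these would come from $_COOKIE['uid'].
$benign  = '12';
$hostile = '-1 UNION ALL SELECT USER(), NULL FROM mysql.user--';

foreach ([$benign, $hostile] as $uid) {
    $name = lookupName($db, $uid);
    // The hostile value fails validation, so no query is built for it and the
    // fallback greeting is shown instead of the database user.
    echo 'Hello ' . ($name ?? 'guest') . "!\n";
}
```

The two layers are deliberate: the regular expression rejects anything that is not a plain id, and the prepared statement guarantees that even an id-shaped value is sent as data. Either one alone stops the payload in the post; together they also cover the case where the validation rule is later loosened.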