File Store PRO 3.2 Multiple Blind SQL Injection Vulnerabilities
| File Store PRO 3.2 Blind SQL Injection |

|________________________________________|

Download from: /cgi/demo/fs/filestore.zip

- Need admin rights:

/confirm.php:

if(isset($_GET["folder"]) && $_GET["folder"]!="") {
    $folder=$_GET["folder"];
} else {
    exit("Bad Request");
}
if(isset($_GET["id"]) && $_GET["id"]!="") {
    $id=$_GET["id"];
} else {
    exit("Bad Request");
}

// Validate all inputs
// Added by SepedaTua on June 01, 2006 - /
/********************** SepedaTua ****************************/
/* Fields:
   $folder
   $id
*/
$search = array ('@<script[^>]*?>.*?</script>@si', // strip <script> blocks
                 '@<[\/\!]*?[^<>]*?>@si',          // strip HTML tags
                 '@([\r\n])[\s]+@',                // collapse white space
                 '@&(quot|#34);@i',                // decode HTML entities
                 '@&(amp|#38);@i',
                 '@&(lt|#60);@i',
                 '@&(gt|#62);@i',
                 '@&(nbsp|#160);@i',
                 '@&(iexcl|#161);@i',
                 '@&(cent|#162);@i',
                 '@&(pound|#163);@i',
                 '@&(copy|#169);@i',
                 '@&#(\d+);@e');                   // evaluate numeric entity as PHP
$replace = array ('',
                  '',
                  '\1',
                  '"',
                  '&',
                  '<',
                  '>',
                  ' ',
                  chr(161),
                  chr(162),
                  chr(163),
                  chr(169),
                  'chr(\1)');
$ffolder = $folder;
$fid = $id;
// This filter strips markup and decodes entities; it does not escape quotes.
$folder = preg_replace($search, $replace, $folder);
$id = preg_replace($search, $replace, $id);

-----

$SQL="SELECT `".DB_PREFIX."users`.*, `".DB_PREFIX."file_list`.`filename`, `".DB_PREFIX."file_list`.`descript` ";
$SQL.=" FROM `".DB_PREFIX."file_list` LEFT JOIN `".DB_PREFIX."users` ON `".DB_PREFIX."file_list`.`user_id`=`".DB_PREFIX."users`.`id`";
// $id is concatenated straight into the quoted literal below.
$SQL.=" WHERE `".DB_PREFIX."file_list`.`id`='".$id."'";
if(!$mysql->query($SQL))
{
    exit($mysql->error);
}

if($mysql->num
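
The query above places $id between single quotes after a filter that only strips HTML and decodes entities, so quoting is never handled. As an added example (not File Store PRO code and not part of the advisory), here is the same lookup with integer validation and a bound parameter. PDO with an in-memory SQLite database stands in for the application's $mysql wrapper; the unprefixed file_list table, its sample row and the helper names page_filter and find_file are assumptions.

```php
<?php
// Added example: constructed schema and data, hypothetical helper names.

// The page's filter reduced to its tag and whitespace rules. The '@e' rule is
// left out because the /e modifier was removed in PHP 7.
function page_filter(string $v): string {
    $search  = ['@<script[^>]*?>.*?</script>@si', '@<[\/\!]*?[^<>]*?>@si', '@([\r\n])[\s]+@'];
    $replace = ['', '', '\1'];
    return preg_replace($search, $replace, $v);
}

// Hardened lookup: accept only a positive integer id, then bind it as a parameter.
function find_file(PDO $db, string $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject the request instead of trying to "clean" the value
    }
    try {
        $st = $db->prepare('SELECT filename, descript FROM file_list WHERE id = :id');
        $st->bindValue(':id', $id, PDO::PARAM_INT);
        $st->execute();
        $row = $st->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log server-side; never exit() with the DB error text
        return null;
    }
    return $row === false ? null : $row;
}

// Constructed database standing in for the application's MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE file_list (id INTEGER PRIMARY KEY, filename TEXT, descript TEXT)');
$db->exec("INSERT INTO file_list VALUES (1, 'report.pdf', 'constructed row')");

$odd = "1'"; // constructed input that contains a quote character

// Does the page's filter change a value that contains a quote?
var_dump(page_filter($odd) === $odd);
// The hardened lookup refuses the same value and serves a well-formed id.
var_dump(find_file($db, $odd));
var_dump(find_file($db, '1'));
```

The same two changes apply to $folder and to any other request value that reaches a query: validate against the expected type first, then pass it as a bound parameter rather than concatenating it.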
