-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathbug_d
49 lines (42 loc) · 2.21 KB
/
bug_d
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
affected source code file: /admin/edit_post.php
affected source code:
<?php
include ("includes/headerRefresh.php");
include ("includes/config.php");
include ("functions/functions.php");
require_once ("includes/session.php");
check_login();
?>
<?php get_settings(); ?>
<?php if ((intval($_GET['page']) == 0) || (intval($_GET['post']) == 0)) {
redirect_to("manage_posts.php");
} ?>
<?php include ("header.php") ?>
<?php
$errors = array();
if (isset($_POST['submit'])) {
if ($_POST['title'] == "")
$errors['title'] = "Title of the Post is required !";
if ($_POST['position'] == "")
$errors['position'] = "Position of the Post is required !";
if ($_POST['content'] == "")
$errors['content'] = "Content of the Post is required !";
if (empty($errors)) {
$id = mysql_prep($_GET['post']);
$page_id = mysql_prep($_POST['page_id']);
$title = mysql_prep($_POST['title']);
$active = mysql_prep($_POST['active']);
$position = mysql_prep($_POST['position']);
$content = mysql_prep($_POST['content']);
$query = "UPDATE posts SET page_id = '{$page_id}', title = '{$title}', active = '{$active}', position = '{$position}', content = '{$content}' WHERE id = {$id} ";
.........
?>
affected position:
$query = "UPDATE pages SET title = '{$title}', keywords = '{$keywords}', description = '{$description}', menu_name = '{$menu_name}', position = '{$position}', active = '{$active}', home_page = '{$home_page}', sidebar = '{$sidebar}', sidebar_align = '{$sidebar_align}', contact_form = '{$contact_form}' WHERE id = '{$id}'";
"page" and "post" parameter has not been safely processed. SQL injection can be achieved by constructing SQL injection statements.
affected executable:
Like this: http://xx.xx.com/admin/edit_post.php?page=2&post=2 and 1=1
http://xx.xx.com/admin/edit_post.php?page=2 and 1=1&post=2
http://xx.xx.com/admin/edit_post.php?page=2&post=2 and 1=2
http://xx.xx.com/admin/edit_post.php?page=2 and 1=2&post=2
Then, we can use tools like sqlmap for more information.