|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
sql injection |
|
Posted: Tue Mar 25, 2008 1:15 am |
|
|
Nial |
Advanced user |
|
|
Joined: Feb 29, 2008 |
Posts: 103 |
|
|
|
|
|
|
|
Hi, i managed to get the index.php page of a website, and i am searching for possible sql injection exploit in it.
I see some fonctions like function($param1, $param2) or function2($param) with in those a sql statement in which parameters are.
In the file, the functions are never use but it should be by the include(page), in the start, that i am not able to see...
My question is if i can initialise the parameters myself or if i have to find another thing...?
And a noobie question, can i, when my session start on the website, initialise some $_SESSION['blabl'] myself with an html form or it is just inside the website?
Thx ^ ^ |
|
|
|
|
|
|
|
|
Posted: Tue Mar 25, 2008 2:01 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Answer for question 2 is - probably not. In most (updated) php installations you can't directly manipulate $_SESSION[] superglobal array.
As for question 1 - too few information ... |
|
|
|
|
Posted: Tue Mar 25, 2008 3:07 pm |
|
|
Nial |
Advanced user |
|
|
Joined: Feb 29, 2008 |
Posts: 103 |
|
|
|
|
|
|
|
Can i past the content of the file without the website link in it? |
|
|
|
|
Posted: Tue Mar 25, 2008 4:32 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
Nial wrote: | Can i past the content of the file without the website link in it? |
Yes, as far as it without any private information. |
|
|
|
|
|
|
|
|
Posted: Wed Mar 26, 2008 2:56 am |
|
|
Nial |
Advanced user |
|
|
Joined: Feb 29, 2008 |
Posts: 103 |
|
|
|
|
|
|
|
ok here the code :
Code: |
<?php
session_start();
require_once('mysql_connect.php');
include('41.php');
//Inclusion
if (!isset($_GET['f'])) {
$_GET['f']='main';
}
$_GET['f'].='.php';
//Protection de l'inclusion
require('security/allowedPages.php');
if (!in_array($_GET['f'], $allowedPages)) exit();
//if (preg_match('/http|www|ftp|window/', $_GET['f'])) exit();
//Fonctions de Hash
require('security/hash.php');
//XSS Secure
require('security/secureXSS.php');
//login sur cookie
/*
if (!isset($_SESSION['password']) and !empty($_COOKIE['cook_password'])) {
$username = $_COOKIE['cook_username'];
$password = $_COOKIE['cook_password'];
$req = "SELECT * FROM lg_users WHERE username='".$username."' LIMIT 1";
$t = mysql_query($req);
$l = mysql_fetch_object($t);
$login_sql = $l->username;
$password_sql = $l->password;
$bnet = $l->bnet;
$ggc = $l->ggc;
$mail = $l->mail;
$clan = $l->clan;
$crank = $l->crank;
$avatar = $l->avatar;
$access = $l->access;
$activ = $l->active;
$theme = $l->theme;
$joined = $l->joined;
$qauth = $l->qauth;
if ($username == $login_sql and $password == cookieHash($password_sql) and $activ == 1) {
//IP
$ins = "INSERT INTO lg_user_ip (user, ip) VALUES ('".$login_sql."', '".$_SERVER['REMOTE_ADDR']."')";
@mysql_query($ins);
$_SESSION['password']=$password;
$_SESSION['username']=$username;
$_SESSION['bnet']=$bnet;
$_SESSION['ggc']=$ggc;
$_SESSION['mail']=$mail;
$_SESSION['clan']=$clan;
$_SESSION['crank']=$crank;
$_SESSION['avatar']=$avatar;
$_SESSION['joined']=$joined;
$_SESSION['access']=$access;
$_SESSION['theme']=$theme;
$_SESSION['qauth']=$qauth;
//Admin Ladder
$req = "SELECT * FROM lg_ladderadmins WHERE user = '".$_SESSION['username']."'";
$t = mysql_query($req);
if (mysql_num_rows($t)) {
$_SESSION['ladder_admin'] = 1;
} else {
$_SESSION['ladder_admin'] = 0;
}
}
}
*/
//Vouched ?
function isVouched($player) {
//BanList
$req = "SELECT * FROM lg_laddervip_vouchlist WHERE username = '".$player."'";
$t = mysql_query($req);
if (mysql_num_rows($t) > 0) {
return true;
} else {
return false;
}
}
if (isset($_SESSION['username'])) {
$_SESSION['vouched'] = isVouched($_SESSION['username']);
}
//Tracking
function trackUser($vch) {
$user = (isset($_SESSION['username'])) ? $_SESSION['username'] : $_SERVER['REMOTE_ADDR'];
$time = time();
$req = "SELECT count(*) FROM lg_usersonline WHERE user = '".$user."'";
$t = mysql_query($req);
$l = mysql_fetch_row($t);
if ($l[0] > 0) {
//Déjà listé => mÃj
mysql_query("UPDATE lg_usersonline SET last_visit = '".$time."', page = '".$_GET['f']."' WHERE user = '".$user."'");
} else {
//On ajoute l'utilisateur
$vch = ($vch) ? 1 : 0;
mysql_query("INSERT INTO lg_usersonline (user, last_visit, vip, page) VALUES ('".$user."', '".$time."', '".$vch."', '".$_GET['f']."')");
}
//clean up
mysql_query("DELETE FROM lg_usersonline WHERE last_visit <= ".($time - 600));
}
trackUser($_SESSION['vouched']);
function intab($msg) {
return '<tr><td><center>'.$msg.'</center></td></tr>';
}
function intab2($msg) {
return '<tr><td class=left></td><td><center>'.$msg.'</center></td><td class=right></td></tr>';
}
function getGoldXP() {
$req = "SELECT gold, pts, pts_vip FROM lg_users WHERE username = '".$_SESSION['username']."'";
$t = mysql_query($req);
$l = mysql_fetch_row($t);
return array('gold' => $l[0], 'xp' => $l[1], 'xp_vip' => $l[2]);
}
function addGold($player, $amount, $info) {
mysql_query("UPDATE lg_users SET gold = gold + ".$amount." WHERE username = '".$player."'");
mysql_query("INSERT INTO lg_goldlog (qui, combien, quoi, quand) VALUES ('".$player."', '".$amount."', '".$info."', '".time()."')");
}
function getRank($player) {
$req = "SELECT username FROM lg_users ORDER BY pts DESC";
$t = mysql_query($req);
$k=1;
while ($l = mysql_fetch_row($t) and $l[0] != $player) $k++;
return $k;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<META http-equiv="Content-type" CONTENT="text/html;charset=iso-8859-1">
<META http-equiv="Content-Language" CONTENT="fr">
<!--<link rel="stylesheet" href="1.css" type="text/css">-->
<?php
if (isset($_SESSION['theme'])) {
echo '<link rel="stylesheet" href="'.$_SESSION['theme'].'.css" type="text/css">';
} else {
echo '<link rel="stylesheet" href="1.css" type="text/css">';
}
?>
<link rel="SHORTCUT ICON" href="favicon.ico">
<base target="_parent">
</head>
<body>
<!-- GOOGLE ANALYTICS -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-1045916-1";
urchinTracker();
</script>
<table align="center">
<tr><td width="1000" colspan="3"><?php include("up.php"); ?></td></tr>
<tr>
<td valign="top" width="175"><?php include("left.php"); ?></td>
<td valign="top" width="650"><?php include($_GET['f']); ?></td>
<td valign="top" width="175"><?php include("right.php"); ?></td>
</tr>
</table>
</body>
</html>
|
|
|
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|