Waraxe IT Security Portal
Login or Register
October 7, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 80
Members: 0
Total: 80
Full disclosure
Some SIM / USIM card security (and ecosystem) info
SEC Consult SA-20240930-0 :: Local Privilege Escalation via MSI Installer in Nitro PDF Pro (CVE-2024-35288)
Backdoor.Win32.Benju.a / Unauthenticated Remote CommandExecution
Backdoor.Win32.Prorat.jz / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Amatu.a / Remote Arbitrary File Write (RCE)
Backdoor.Win32.Agent.pw / Remote Stack Buffer Overflow (SEH)
Backdoor.Win32.Boiling / Remote Command Execution
Defense in depth -- the Microsoft way (part 88): a SINGLEcommand line shows about 20, 000 instances of CWE-73
SEC Consult SA-20240925-0 :: Uninstall Password Bypass in BlackBerry CylanceOPTICS Windows Installer Package (CVE-2024-35214)
Apple iOS 17.2.1 - Screen Time Passcode Retrieval (MitigationBypass)
CyberDanube Security Research 20240919-0 | Multiple Vulnerabilities in Netman204
Submit Exploit CVE-2024-42831
Stored XSS in "Edit Profile" - htmlyv2.9.9
Stored XSS in "Menu Editor" - htmlyv2.9.9
Backdoor.Win32.BlackAngel .13 / Unauthenticated Remote CommandExecution
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Sql injection -> sql injection
Post new topicReply to topic View previous topic :: View next topic
sql injection
PostPosted: Tue Mar 25, 2008 1:15 am Reply with quote
Nial
Advanced user
Advanced user
Joined: Feb 29, 2008
Posts: 103




Hi, i managed to get the index.php page of a website, and i am searching for possible sql injection exploit in it.

I see some fonctions like function($param1, $param2) or function2($param) with in those a sql statement in which parameters are.
In the file, the functions are never use but it should be by the include(page), in the start, that i am not able to see...
My question is if i can initialise the parameters myself or if i have to find another thing...?

And a noobie question, can i, when my session start on the website, initialise some $_SESSION['blabl'] myself with an html form or it is just inside the website?

Thx ^ ^
View user's profile Send private message
PostPosted: Tue Mar 25, 2008 2:01 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Answer for question 2 is - probably not. In most (updated) php installations you can't directly manipulate $_SESSION[] superglobal array.
As for question 1 - too few information ...
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Tue Mar 25, 2008 3:07 pm Reply with quote
Nial
Advanced user
Advanced user
Joined: Feb 29, 2008
Posts: 103




Can i past the content of the file without the website link in it?
View user's profile Send private message
PostPosted: Tue Mar 25, 2008 4:32 pm Reply with quote
waraxe
Site admin
Site admin
Joined: May 11, 2004
Posts: 2407
Location: Estonia, Tartu




Nial wrote:
Can i past the content of the file without the website link in it?


Yes, as far as it without any private information.
View user's profile Send private message Send e-mail Visit poster's website
PostPosted: Wed Mar 26, 2008 2:56 am Reply with quote
Nial
Advanced user
Advanced user
Joined: Feb 29, 2008
Posts: 103




ok here the code :
Code:

<?php
session_start();
require_once('mysql_connect.php');


include('41.php');


//Inclusion
if (!isset($_GET['f'])) {
$_GET['f']='main';
}

$_GET['f'].='.php';

//Protection de l'inclusion
require('security/allowedPages.php');
if (!in_array($_GET['f'], $allowedPages)) exit();
//if (preg_match('/http|www|ftp|window/', $_GET['f'])) exit();

//Fonctions de Hash
require('security/hash.php');

//XSS Secure
require('security/secureXSS.php');

//login sur cookie
/*
if (!isset($_SESSION['password']) and !empty($_COOKIE['cook_password'])) {
$username = $_COOKIE['cook_username'];
$password = $_COOKIE['cook_password'];

$req = "SELECT * FROM lg_users WHERE username='".$username."' LIMIT 1";
$t = mysql_query($req);
$l = mysql_fetch_object($t);
$login_sql = $l->username;
$password_sql = $l->password;
$bnet = $l->bnet;
$ggc = $l->ggc;
$mail = $l->mail;
$clan = $l->clan;
$crank = $l->crank;
$avatar = $l->avatar;
$access = $l->access;
$activ = $l->active;
$theme = $l->theme;
$joined = $l->joined;
$qauth = $l->qauth;

if ($username == $login_sql and $password == cookieHash($password_sql) and $activ == 1) {

//IP
$ins = "INSERT INTO lg_user_ip (user, ip) VALUES ('".$login_sql."', '".$_SERVER['REMOTE_ADDR']."')";
@mysql_query($ins);

$_SESSION['password']=$password;
$_SESSION['username']=$username;
$_SESSION['bnet']=$bnet;
$_SESSION['ggc']=$ggc;
$_SESSION['mail']=$mail;
$_SESSION['clan']=$clan;
$_SESSION['crank']=$crank;
$_SESSION['avatar']=$avatar;
$_SESSION['joined']=$joined;
$_SESSION['access']=$access;
$_SESSION['theme']=$theme;
$_SESSION['qauth']=$qauth;

//Admin Ladder
$req = "SELECT * FROM lg_ladderadmins WHERE user = '".$_SESSION['username']."'";
$t = mysql_query($req);
if (mysql_num_rows($t)) {
$_SESSION['ladder_admin'] = 1;
} else {
$_SESSION['ladder_admin'] = 0;
}
}
}
*/

//Vouched ?
function isVouched($player) {
//BanList
$req = "SELECT * FROM lg_laddervip_vouchlist WHERE username = '".$player."'";
$t = mysql_query($req);
if (mysql_num_rows($t) > 0) {
return true;
} else {
return false;
}
}
if (isset($_SESSION['username'])) {
$_SESSION['vouched'] = isVouched($_SESSION['username']);
}

//Tracking
function trackUser($vch) {
$user = (isset($_SESSION['username'])) ? $_SESSION['username'] : $_SERVER['REMOTE_ADDR'];

$time = time();

$req = "SELECT count(*) FROM lg_usersonline WHERE user = '".$user."'";
$t = mysql_query($req);
$l = mysql_fetch_row($t);
if ($l[0] > 0) {
//Déjà listé => mÃj
mysql_query("UPDATE lg_usersonline SET last_visit = '".$time."', page = '".$_GET['f']."' WHERE user = '".$user."'");
} else {
//On ajoute l'utilisateur
$vch = ($vch) ? 1 : 0;
mysql_query("INSERT INTO lg_usersonline (user, last_visit, vip, page) VALUES ('".$user."', '".$time."', '".$vch."', '".$_GET['f']."')");
}

//clean up
mysql_query("DELETE FROM lg_usersonline WHERE last_visit <= ".($time - 600));
}

trackUser($_SESSION['vouched']);

function intab($msg) {
return '<tr><td><center>'.$msg.'</center></td></tr>';
}

function intab2($msg) {
return '<tr><td class=left></td><td><center>'.$msg.'</center></td><td class=right></td></tr>';
}

function getGoldXP() {
$req = "SELECT gold, pts, pts_vip FROM lg_users WHERE username = '".$_SESSION['username']."'";
$t = mysql_query($req);
$l = mysql_fetch_row($t);
return array('gold' => $l[0], 'xp' => $l[1], 'xp_vip' => $l[2]);
}

function addGold($player, $amount, $info) {
mysql_query("UPDATE lg_users SET gold = gold + ".$amount." WHERE username = '".$player."'");
mysql_query("INSERT INTO lg_goldlog (qui, combien, quoi, quand) VALUES ('".$player."', '".$amount."', '".$info."', '".time()."')");
}

function getRank($player) {
$req = "SELECT username FROM lg_users ORDER BY pts DESC";
$t = mysql_query($req);
$k=1;
while ($l = mysql_fetch_row($t) and $l[0] != $player) $k++;
return $k;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>

<head>


<META http-equiv="Content-type" CONTENT="text/html;charset=iso-8859-1">
<META http-equiv="Content-Language" CONTENT="fr">
<!--<link rel="stylesheet" href="1.css" type="text/css">-->
<?php

if (isset($_SESSION['theme'])) {
echo '<link rel="stylesheet" href="'.$_SESSION['theme'].'.css" type="text/css">';
} else {
echo '<link rel="stylesheet" href="1.css" type="text/css">';
}

?>
<link rel="SHORTCUT ICON" href="favicon.ico">
<base target="_parent">
</head>

<body>

<!-- GOOGLE ANALYTICS -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-1045916-1";
urchinTracker();
</script>

<table align="center">
<tr><td width="1000" colspan="3"><?php include("up.php"); ?></td></tr>
<tr>
<td valign="top" width="175"><?php include("left.php"); ?></td>
<td valign="top" width="650"><?php include($_GET['f']); ?></td>
<td valign="top" width="175"><?php include("right.php"); ?></td>
</tr>
</table>
</body>
</html>
View user's profile Send private message
sql injection
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.037 Seconds