пруф http://svn.cacti.net/viewvc/cacti/tags/0.8.7h/auth_login.php?revision=6814&vi
http://svn.cacti.net/viewvc/cacti/tags/0.8.7h/auth_login.php?r1=6257&r2=6807&
- $user = db_fetch_row("SELECT * FROM user_auth WHERE username = '" . $username . "' AND realm = 2");
+ $user = db_fetch_row("SELECT * FROM user_auth WHERE username = " . $cnn_id->qstr($username) . " AND realm = 2");
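Review bot: The new line quotes the username through the driver (`$cnn_id->qstr($username)`), which is the right primitive; the `sanitize_search_string($username)` call that runs before it is a search-term cleaner, not an SQL escaper, and should not be counted as the defence for this query. That call also rewrites the credential itself - characters such as `+`, `#`, `;` and `=` become spaces and `'` is deleted - so a user whose name contains one of them presumably cannot be matched by this lookup at all; that is worth stating at the call site, e.g. `/* username is normalised by sanitize_search_string() above; SQL quoting is done by qstr() */`. The enclosing function starts and ends outside the quoted lines.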
странно, но перед этим делается
$username = sanitize_search_string($username);
которая в свою очередь
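/* sanitize_search_string - cleans up a search string submitted by the user to be passed
   to the database. NOTE: some of the code for this function came from the phpBB project.
   Line breaks, word-adjacent HTML entities and URLs are replaced by a space, quote-like
   characters are deleted and other punctuation is spaced out. This is NOT an SQL escaping
   routine: the result still has to be quoted by the database layer (e.g. the driver's
   qstr()) before it is placed in a query.
   @arg $string - the original raw search string
   @returns - the sanitized search string (preg_replace() may yield null on a PCRE error) */
function sanitize_search_string($string) {
    /* Each character in $drop_char_match is replaced by the entry at the same index of
       $drop_char_replace: backtick and single quote are deleted (so "it's" becomes "its"),
       everything else becomes a space.
       NOTE(review): the fifth entry was garbled in the copy this listing was taken from;
       the upstream function drops a backtick at this position - confirm against the
       original source. */
    static $drop_char_match   = array('^', '$', '<', '>', '`', '\'', '"', '|', ',', '?', '~', '+', '[', ']', '{', '}', '#', ';', '!', '=', '*');
    static $drop_char_replace = array(' ', ' ', ' ', ' ', '', '', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ', ' ');

    /* Replace line endings by a space */
    $string = preg_replace('/[\n\r]/is', ' ', $string);

    /* HTML entities (e.g. an ampersand entity); note the \b anchors mean only entities
       directly adjacent to word characters on both sides are matched */
    $string = preg_replace('/\b&[a-z]+;\b/', ' ', $string);

    /* Remove URL's (scheme and host are matched lower-case only - no /i modifier) */
    $string = preg_replace('/\b[a-z0-9]+:\/\/[a-z0-9\.\-]+(\/[a-z0-9\?\.%_\-\+=&\/]+)?/', ' ', $string);

    /* Filter out strange characters like ^, $, &, change "it's" to "its".
       Array-form str_replace() applies each search/replace pair in order on the running
       result, exactly like an index loop over the two arrays. */
    $string = str_replace($drop_char_match, $drop_char_replace, $string);

    return $string;
}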
теперь пусть кто-нибудь сможет объяснить как сделать инъекцию