Fixing a VULNERABILITY in the code

ludasam

Registered
Hello,
So, could you fix the VULNERABILITIES in these 3 pieces of code? All I know is that it's something to do with the VARIABLES...
Thank you in advance ;)
all_videos.php
Code:
<?php
require "config.php";
$thispage = $PHP_SELF;
$showeachside = 5;
$rowsPerPage = 5;
$pageNum = 1;
if(isset($_GET['page']))
{
$pageNum = $_GET['page'];
}
$offset = ($pageNum - 1) * $rowsPerPage;
$query = "SELECT id, title, code FROM `videos` ORDER BY id LIMIT $offset, $rowsPerPage";
$result = mysql_query($query) or die(mysql_error()."[".$query."]");
while ($row = mysql_fetch_array($result))
{
?>
<table><tbody>
<tr>
<td><a href="../video.php?id=<?php print $row['id']; ?>"><img title="video" alt="video" src="http://i1.ytimg.com/vi/<?php print $row['code']; ?>/default.jpg"></a></td>
<td><font color="red"><?php print $row['title']; ?></font><br><a href="../video.php?id=<?php print $row['id']; ?>">» ГЛЕДАЙ «</a></td>
</tr>
</tbody></table>
<hr>
<?php
}
$query1 = "SELECT COUNT(id) AS numrows FROM `videos`";
$result = mysql_query($query1) or die('Error, query failed');
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$num = $row['numrows'];
$start = ($pageNum -1) * $rowsPerPage;
if(empty($start))$start=0;
$max_pages = ceil($num/$rowsPerPage);
$cur = ceil($start/$rowsPerPage)+1;
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="middle">
<?php
if(($start-$rowsPerPage) >= 0)
{
$next = $cur - 1;
?>
<a class="page" href="<?php print("$thispage?page=1");?>">ПЪРВА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage".($next>0?("?page=").$next:""));?>">НАЗАД</a>
<?php
}
?>
</td>
<td align="center" valign="middle">
<table>
<tr>
<td colspan="3" align="center" valign="middle">
<?php
$eitherside = ($showeachside * $rowsPerPage);
if($start+1 > $eitherside)print (" ... ");
$pg=1;
for($y=0;$y<$num;$y+=$rowsPerPage)
{
$class=(($y==$start)?"active":"")."page";
if(($y > ($start - $eitherside)) && ($y < ($start + $eitherside)))
{
if ($y <> $start) {
?>
 <a class="<?php print($class);?>" href="<?php print("$thispage"."?page=".(($y/$rowsPerPage)+1));?>"><?php print($pg);?></a> 
<?php
} else {
?>
 <a class="<?php print($class);?>"><?php print($pg);?></a> 
<?php
}
}
$pg++;
}
if(($start+$eitherside)<$num)print (" ... ");
?>
</td>
</tr>
</table>
</td>
<td align="center" valign="middle">
<?php
if (($start+$rowsPerPage) < $num)
{
$next = $cur + 1;
?>
<a class="page" href="<?php print("$thispage?page=".$next);?>">СЛЕДВАЩА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage?page=$max_pages");?>">ПОСЛЕДНА СТРАНИЦА</a>
<?php
}
?>
</td>
</tr>
<tr>
<td colspan="3" align="center" valign="middle"> </td>
</tr>
</table>


index.php
Code:
<table width="488px"><tbody>
<tr>
<?php
require 'config.php';
$query = mysql_query("SELECT id, code FROM `videos` ORDER BY `id` DESC LIMIT 4") or die (mysql_error());
while($row = mysql_fetch_array($query))
{
?>
<td><div style="width: 84px; "><div align="center"><a href="../video.php?id=<?php print $row['id']; ?>"><img height="90" width="120" border="0" title="video" alt="video" src="http://i1.ytimg.com/vi/<?php print $row['code']; ?>/default.jpg"></a></div></div></td> 
<?php
}
?>
</tr></tbody></table>
<table width="488px"><tbody>
<tr>
<?php
require 'config.php';
$query = mysql_query("SELECT id, title FROM `videos` ORDER BY `id` DESC LIMIT 4") or die (mysql_error());
while($row = mysql_fetch_array($query))
{
?>
<td><div style="width: 120px;"><div align="center"><font color="red"><?php print $row['title']; ?></font><br><a href="../video.php?id=<?php print $row['id']; ?>">» ГЛЕДАЙ «</a></div></div></td> 
<?php
}
?>
</tr></tbody></table>
<hr>
<center><a href="../all_videos.php">» ВИЖ ВСИЧКИ КЛИПЧЕТА «</a></center>


video.php
Code:
<?php
include("config.php");
$getid = $_GET['id'];
if (!$_POST['videos'])
{
$our = mysql_query("SELECT title, id, code FROM `videos` where id='$getid' ");
while($r=mysql_fetch_array($our)){
?>
<div class="menucenterhead"><?php echo"$r[title]"; ?></div>
<div class="menucentertxt"><center>
<iframe width="480" height="390" src="http://www.youtube.com/embed/<?php echo"$r[code]"; ?>" frameborder="0" allowfullscreen></iframe>
<hr>
<b>ЛИНК НА КЛИПЧЕТО В YouTube:</b> <a href="http://www.youtube.com/watch?v=<?php echo"$r[code]"; ?>">http://www.youtube.com/watch?v=<?php echo"$r[code]"; ?></a><br>
<b>КОД ЗА ИЗКАРВАНЕ НА ТОВА КЛИПЧЕ В САЙТ:</b>
<br><textarea rows="2" name="txt" cols="55" type="text"><iframe width="480" height="390" src="http://www.youtube.com/embed/<?php echo"$r[code]"; ?>" frameborder="0" allowfullscreen></iframe></textarea>
</center></div>
<?php
}
}
?>

So, I've been told that these pieces of code are vulnerable and that I have to put (int), addslashes or htmlspecialchars (I'M NOT SURE WHICH ONE EXACTLY, BUT IT'S ONE OF THEM) in front of ?page=, $_GET or $_POST (I'M NOT SURE IN FRONT OF WHICH ONE EXACTLY, BUT IT'S ONE OF THEM).
Anyway, here is one of the vulnerabilities in all_videos.php: when I enter ../all_videos.php?page=-2 I get this...

PHP:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-15, 5' at line 1[SELECT id, title, code FROM `videos` ORDER BY id LIMIT -15, 5]

So, if you could fix the code for me, I'd be very grateful...
 
Fix your vulnerabilities, hmm... it would be more correct to say fix the holes in your code, but anyway.
Could you say where exactly you suspect there is a hole, whether you've had problems with crackers and so on?
 
all_videos.php
Code:
$pageNum = (int)$_GET['page']; 
if(!isset($pageNum) || !is_numeric($pageNum) || $pageNum < 1) 
{
// Here goes your code for what to do with the smart guys who play around with $_GET, for example:
header('Location: index.php');
exit; // stop here, otherwise the rest of the page still runs with the bad value
}

video.php
Code:
$getid = (int)$_GET['id'];
if(!isset($getid) || !is_numeric($getid) || $getid < 1) 
{
// Here again goes your code for what to do with the smart guys who play around with $_GET, for example:
header('Location: index.php');
exit; // stop here, otherwise the query below still runs with the bad value
}
 
Could you do the whole code for me, because I can't put it together? Thanks in advance.
 
all_videos.php
PHP:
<?php
require "config.php";
$thispage = $PHP_SELF;
$showeachside = 5;
$rowsPerPage = 5;
$pageNum = 1;
if(isset($_GET['page']))
{
$pageNum = (int)$_GET['page'];
}
$offset = ($pageNum - 1) * $rowsPerPage;
$query = "SELECT id, title, code FROM `videos` ORDER BY id LIMIT $offset, $rowsPerPage";
$result = mysql_query($query) or die(mysql_error()."[".$query."]");
while ($row = mysql_fetch_array($result))
{
?>
<table><tbody>
<tr>
<td><a href="../video.php?id=<?php print $row['id']; ?>"><img title="video" alt="video" src="http://i1.ytimg.com/vi/<?php print $row['code']; ?>/default.jpg"></a></td>
<td><font color="red"><?php print $row['title']; ?></font><br><a href="../video.php?id=<?php print $row['id']; ?>">» ГЛЕДАЙ «</a></td>
</tr>
</tbody></table>
<hr>
<?php
}
$query1 = "SELECT COUNT(id) AS numrows FROM `videos`";
$result = mysql_query($query1) or die('Error, query failed');
$row = mysql_fetch_array($result, MYSQL_ASSOC);
$num = $row['numrows'];
$start = ($pageNum -1) * $rowsPerPage;
if(empty($start))$start=0;
$max_pages = ceil($num/$rowsPerPage);
$cur = ceil($start/$rowsPerPage)+1;
?>
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="middle">
<?php
if(($start-$rowsPerPage) >= 0)
{
$next = $cur - 1;
?>
<a class="page" href="<?php print("$thispage?page=1");?>">ПЪРВА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage".($next>0?("?page=").$next:""));?>">НАЗАД</a>
<?php
}
?>
</td>
<td align="center" valign="middle">
<table>
<tr>
<td colspan="3" align="center" valign="middle">
<?php
$eitherside = ($showeachside * $rowsPerPage);
if($start+1 > $eitherside)print (" ... ");
$pg=1;
for($y=0;$y<$num;$y+=$rowsPerPage)
{
$class=(($y==$start)?"active":"")."page";
if(($y > ($start - $eitherside)) && ($y < ($start + $eitherside)))
{
if ($y <> $start) {
?>
 <a class="<?php print($class);?>" href="<?php print("$thispage"."?page=".(($y/$rowsPerPage)+1));?>"><?php print($pg);?></a> 
<?php
} else {
?>
 <a class="<?php print($class);?>"><?php print($pg);?></a> 
<?php
}
}
$pg++;
}
if(($start+$eitherside)<$num)print (" ... ");
?>
</td>
</tr>
</table>
</td>
<td align="center" valign="middle">
<?php
if (($start+$rowsPerPage) < $num)
{
$next = $cur + 1;
?>
<a class="page" href="<?php print("$thispage?page=".$next);?>">СЛЕДВАЩА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage?page=$max_pages");?>">ПОСЛЕДНА СТРАНИЦА</a>
<?php
}
?>
</td>
</tr>
<tr>
<td colspan="3" align="center" valign="middle"> </td>
</tr>
</table>

video.php
PHP:
<?php
include("config.php");
$getid = (int)$_GET['id'];
if (empty($_POST['videos']))
{
$our = mysql_query("SELECT title, id, code FROM `videos` where id='$getid' ");
while($r=mysql_fetch_array($our)){
?>
<div class="menucenterhead"><?php echo"$r[title]"; ?></div>
<div class="menucentertxt"><center>
<iframe width="480" height="390" src="http://www.youtube.com/embed/<?php echo"$r[code]"; ?>" frameborder="0" allowfullscreen></iframe>
<hr>
<b>ЛИНК НА КЛИПЧЕТО В YouTube:</b> <a href="http://www.youtube.com/watch?v=<?php echo"$r[code]"; ?>">http://www.youtube.com/watch?v=<?php echo"$r[code]"; ?></a><br>
<b>КОД ЗА ИЗКАРВАНЕ НА ТОВА КЛИПЧЕ В САЙТ:</b>
<br><textarea rows="2" name="txt" cols="55" type="text"><iframe width="480" height="390" src="http://www.youtube.com/embed/<?php echo"$r[code]"; ?>" frameborder="0" allowfullscreen></iframe></textarea>
</center></div>
<?php
}
}
?>
 
Hello,
So it still gives me the same problem; when I enter http://site.com/all_videos.php?page=-2 I get this...
http://prikachi.com/images/903/5153903x.png
 
PHP:
<?php
require "config.php";
$thispage = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES);
$showeachside = 5; $rowsPerPage = 5; $pageNum = 1;
if(isset($_GET['page'])){ $pageNum = str_replace ("-", "", $_GET['page']); $pageNum = (int)$pageNum; } else { $pageNum = 1; }
if($pageNum == 0) { $pageNum = 1; } else { $pageNum = $pageNum; }
if($pageNum != 1){ $offset = ($pageNum-1)*$rowsPerPage; } else { $offset = 0; }
$query = "SELECT `id`, `title`, `code` FROM `videos` ORDER BY id LIMIT $offset, $rowsPerPage";
$result = mysql_query($query) or die(mysql_error()."[".$query."]");
while ($row = mysql_fetch_array($result)) {
echo "
<table><tbody>
<tr>
<td><a href=\"../video.php?id={$row['id']}\"><img title=\"video\" alt=\"video\" src=\"http://i1.ytimg.com/vi/{$row['code']}/default.jpg\"></a></td>
<td><font color=\"red\">{$row['title']}</font><br /><a href=\"../video.php?id={$row['id']}\">» ГЛЕДАЙ «</a></td>
</tr>
</tbody></table>
<hr>";
}
$query1 = "SELECT COUNT(id) AS numrows FROM `videos`";
$result1 = mysql_query($query1) or die(mysql_error()."[".$query1."]");
$row = mysql_fetch_array($result1, MYSQL_ASSOC);
$num = $row['numrows'];
$start = ($pageNum -1) * $rowsPerPage;
if(empty($start))$start=0;
$max_pages = ceil($num/$rowsPerPage);
$cur = ceil($start/$rowsPerPage)+1;
echo '
<table border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" valign="middle">';
if(($start-$rowsPerPage) >= 0) {
$next = $cur - 1;
?>
<a class="page" href="<?php print("$thispage?page=1");?>">ПЪРВА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage".($next>0?("?page=").$next:""));?>">НАЗАД</a>
<?php
}
echo '
</td>
<td align="center" valign="middle">
<table>
<tr>
<td colspan="3" align="center" valign="middle">';
$eitherside = ($showeachside * $rowsPerPage);
if($start+1 > $eitherside)print (" ... ");
$pg = 1;
for($y=0;$y<$num;$y+=$rowsPerPage) {
$class=(($y==$start)?"active":"")."page";
if(($y > ($start - $eitherside)) && ($y < ($start + $eitherside))) {
if ($y <> $start) {
?>
 <a class="<?php print($class);?>" href="<?php print("$thispage"."?page=".(($y/$rowsPerPage)+1));?>"><?php print($pg);?></a> 
<?php
} else {
?>
 <a class="<?php print($class);?>"><?php print($pg);?></a> 
<?php
}
}
$pg++;
}
if(($start+$eitherside)<$num)print (" ... ");
?>
</td>
</tr>
</table>
</td>
<td align="center" valign="middle">
<?php
if (($start+$rowsPerPage) < $num) {
$next = $cur + 1;
?>
<a class="page" href="<?php print("$thispage?page=".$next);?>">СЛЕДВАЩА СТРАНИЦА</a>
 | 
<a class="page" href="<?php print("$thispage?page=$max_pages");?>">ПОСЛЕДНА СТРАНИЦА</a>
<?php
}
?>
</td>
</tr>
<tr>
<td colspan="3" align="center" valign="middle"> </td>
</tr>
</table>

Regards, Ext :))))
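As an added example that is not part of any post in this thread: the two inputs discussed above, ?page= (where the (int) cast alone still allowed -2 to become LIMIT -15, 5) and ?id= (interpolated into the WHERE clause in video.php), handled so that neither can alter the SQL, with the DB values HTML-escaped on output. It swaps the thread's mysql_query() for PDO prepared statements and assumes config.php creates a PDO connection in $pdo; clean_page() and h() are helper names chosen here.

```php
<?php
// Added example, not the thread's code. Assumes config.php creates a PDO
// connection in $pdo (the thread uses mysql_query(); PDO is a swap-in).
require 'config.php';

// Clamp ?page= to [1, last page]. (int) alone maps "-2" to -2, which the
// thread's all_videos.php turned into "LIMIT -15, 5"; "abc" maps to 0.
function clean_page($raw, $rowsPerPage, $totalRows)
{
    $page    = (int)$raw;
    $maxPage = max(1, (int)ceil($totalRows / $rowsPerPage));
    if ($page < 1) {
        return 1;
    }
    return min($page, $maxPage);
}

// Escape a DB value before it is printed into HTML text or an attribute.
function h($s)
{
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// all_videos.php part: total row count, clamped page, non-negative offset.
$rowsPerPage = 5;
$total   = (int)$pdo->query('SELECT COUNT(id) FROM `videos`')->fetchColumn();
$pageNum = clean_page(isset($_GET['page']) ? $_GET['page'] : 1, $rowsPerPage, $total);
$offset  = ($pageNum - 1) * $rowsPerPage;

// LIMIT operands must be bound as integers, never interpolated as text.
$stmt = $pdo->prepare('SELECT id, title, code FROM `videos` ORDER BY id LIMIT :off, :cnt');
$stmt->bindValue(':off', $offset, PDO::PARAM_INT);
$stmt->bindValue(':cnt', $rowsPerPage, PDO::PARAM_INT);
$stmt->execute();
foreach ($stmt as $row) {
    echo '<a href="../video.php?id=' . (int)$row['id'] . '">' . h($row['title']) . '</a><br>';
}

// video.php part: the id is a bound parameter, so no value of ?id= can
// change the query; the video code is escaped before going into the URL.
$id   = isset($_GET['id']) ? (int)$_GET['id'] : 0;
$stmt = $pdo->prepare('SELECT title, code FROM `videos` WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
if ($r = $stmt->fetch(PDO::FETCH_ASSOC)) {
    echo '<div class="menucenterhead">' . h($r['title']) . '</div>';
    echo '<iframe width="480" height="390" src="http://www.youtube.com/embed/'
       . h($r['code']) . '" frameborder="0" allowfullscreen></iframe>';
}
```

With the offset clamped, a request for page=-2 or page=9999 simply renders the first or last page instead of a MySQL syntax error that echoes the query back to the visitor.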
 
