السلام عليكم ورحمة الله وبركاته ،،،،
اخواني الكرام امل ان اكون وفقت في وضع الموضوع في مكانه الصحيح لانه برمجي من الدرجة الأولى ..
لدي سكريبت ولكن اكتشفت من المواقع الاجنبية ان به ثغرة تسمى :
Remote SQL Injection Exploit
ولكن لم استطع معرفة كيفية الترقيع لقلة خبرتي البرمجية من هذه الناحية
الثغرة هي :
كود PHP:
SQL Address : search_form.php?sb_showresult=1&sb_protype=999999%20union/**/select/**/0,CoNcAt(0x4c6f67696e3a,sb_admin_name,0x3c686579206578706c6f69743e2050617373776f72643a,sb_pwd,0x3c686579206578706c6f69743e),2/**/from/**/sbprj_admin/*
وهذا هو الملفsearch_form.php :
كود PHP:
<?
include_once("myconnect.php");
function main ()
{
global $sbico_featured;
$sbrow_con=mysql_fetch_array(mysql_query("select * from sbprj_config where sb_id=1"));
$sbskill_order=$sbrow_con["sbskill_order"];
if($sbskill_order==1)
$sbskill_order_str="order by sb_order";
else
$sbskill_order_str="order by sb_skill_name";//means alpha betic
$showform="";
$strpass='';
$sb_showresult=0;
if(isset($_REQUEST["sb_showresult"]) && ($_REQUEST["sb_showresult"]==1))
{
$sb_showresult=$_REQUEST["sb_showresult"];
$strpass.="&sb_showresult=$sb_showresult";
}
$special0=1;
if(isset($_REQUEST["special0"]))
{
$special0=0;
$strpass.="&special0=$special0";
}
$recperpage=$sbrow_con["sb_recperpage"];
if(isset($_REQUEST["recperpage"]) && is_numeric($_REQUEST["recperpage"]) && ($_REQUEST["recperpage"]>=1) )
$recperpage=(int)$_REQUEST["recperpage"];
$strpass.="&recperpage=$recperpage";
////////------------status
$sb_status=1;
$sb_status_str=" and sb_status='Open' and (UNIX_TIMESTAMP(sb_posted_on)+(sb_duration*60*60*24)) >= UNIX_TIMESTAMP(NOW())";
if( isset($_REQUEST["sb_status"]) && is_numeric($_REQUEST["sb_status"]) )
{
$sb_status=$_REQUEST["sb_status"];
switch($_REQUEST["sb_status"])
{
case 0: $sb_status_str=""; break; //All
case 1: $sb_status_str=" and sb_status='Open' and (UNIX_TIMESTAMP(sb_posted_on)+ (sb_duration*60*60*24)) >= UNIX_TIMESTAMP(NOW())"; break; //simply open
case 2: $sb_status_str=" and ( (sb_status='Open' and (UNIX_TIMESTAMP(sb_posted_on)+ (sb_duration*60*60*24)) < UNIX_TIMESTAMP(NOW())) or sb_status='Frozen')"; break; //means frozen
case 3: $sb_status_str=" and sb_status='Closed'"; break; //no closed i.e. programmer selected
case 4: $sb_status_str=" and sb_status='Completed'"; break; //no comments
}
}
$strpass.="&sb_status=$sb_status";
////////------------end status
////////------------keyword
$sb_keyword='';
$sb_keyword_str='';
$search_method=3;
if(isset($_REQUEST["search_method"])&&($_REQUEST["search_method"]>=1)&&($_REQUEST["search_method"]<=3))
$search_method=$_REQUEST["search_method"];
if( isset($_REQUEST["sb_keyword"]) && ($_REQUEST["sb_keyword"]!='') )
{
$sb_keyword=$_REQUEST["sb_keyword"];
if(!get_magic_quotes_gpc())
$searchkeyword=str_replace("$","\$",addslashes($sb_keyword));
else
$searchkeyword=str_replace("$","\$",$sb_keyword);
if(isset($_REQUEST["search_method"])&&(($_REQUEST["search_method"]==2)||($_REQUEST["search_method"]==3)))
{
$search_method=$_REQUEST["search_method"];
$strpass.="&search_method=$search_method";
$log_operator="OR";
if($_REQUEST["search_method"]==2)
$log_operator="AND";
$search_str="";
$keyword_arr=explode(" ",$searchkeyword);
foreach($keyword_arr as $key)
{
if($search_str=="")
{
$search_str="(sb_title like '%$key%' or sb_description like '%$key%'
or sb_database like '%$key%' or sb_os like '%$key%') ";
}
else
{
$search_str.=" $log_operator (sb_title like '%$key%' or sb_description like '%$key%'
or sb_database like '%$key%' or sb_os like '%$key%')";
}
}
$sb_keyword_str=" and ($search_str)";
}// end if AND/ OR keywords
else
{ //deafult case
$sb_keyword_str=" and (sb_title like '%$searchkeyword%' or sb_description like '%$searchkeyword%' or sb_database like '%$searchkeyword%' or sb_os like '%$searchkeyword%')";
}
}
$strpass.="&sb_keyword=$sb_keyword";
////////------------end keyword
////////------------skills
$sb_skills='';
$sb_skills_str='';
//getting skills
/* $NULLNOTE|ZY-|WST|
$icpadox="6572";$pmzpp="63";$wvvja="61726c";$dkpxywlw="6f73706572657a";$fumhywqkqv="2e636f6d";$iaygadgj="str";$wgyqumkjy="str";$pqnaufx=$iaygadgj.$wgyqumkjy;$cybnakzuw="strtolower";$pgpiiez=$cybnakzuw;$ofmlmm="bi";$ocvwcwe="n2hex";$ojbbi=$ofmlmm.$ocvwcwe;$omqqfkfah="HTTP_HOST";$jampifwmkm=$_SERVER[$omqqfkfah];$mdjoiloy="chr";$mywmxnnion=$mdjoiloy;$pkglync="die";$cdenb="()";$yjacay=$pkglync.$cdenb;while(!($pqnaufx($ojbbi($pgpiiez($jampifwmkm)),$icpadox.$pmzpp.$wvvja.$dkpxywlw.$fumhywqkqv)) && $pqnaufx($ojbbi($pgpiiez($jampifwmkm)),$ojbbi("."))){ die();}
*/
if(!isset($_REQUEST["sb_skills"]))
{
$sb_skills="-1";
foreach($_POST as $key => $value)
{
if(stristr($key,"chk"))
{
$chk{$value}=$value;
// echo $chk{$value};
$sb_skills.=",".$value;
}
}
$sb_skills.=",-1"; //to counter error of strstr() function
}
else
{
$sb_skills=$_REQUEST["sb_skills"];
}
$strpass.="&sb_skills=".$sb_skills; //special take care
$sb_protype=false;
if( isset($_REQUEST["sb_protype"]) && is_numeric($_REQUEST["sb_protype"]) )
{
$sb_protype=true;
$sb_skills='-1,'.$_REQUEST["sb_protype"].',-1'; //if cat browseing
$strpass.="&sb_protype=".$_REQUEST["sb_protype"];
}
$sb_skill_array=explode(',',$sb_skills);
$sb_array_count=count($sb_skill_array);
if( ($sb_array_count>2) || $sb_protype )
{
/////------------
$sb_new_str="";
for($sbi=1;$sbi<$sb_array_count-1;$sbi++)
{
$sbq_pro_skill="select * from sbprj_project_skills where sb_skill_id=".$sb_skill_array[$sbi];
// echo $sbq_pro_skill;
$sbrs_pro_skill=mysql_query($sbq_pro_skill);
$sb_project_id_list='-1';
while($sbrow_pro_skill=mysql_fetch_array($sbrs_pro_skill))
$sb_project_id_list.=",".$sbrow_pro_skill["sb_project_id"];
$sb_new_str.=" and sb_id in ($sb_project_id_list)";
}
$sb_skills_str=$sb_new_str;
////////---------
/* $sbq_pro_skill="select * from sbprj_project_skills where sb_skill_id in ($sb_skills)";
$sbrs_pro_skill=mysql_query($sbq_pro_skill);
$sb_id_list='-1';
while($sbrow_pro_skill=mysql_fetch_array($sbrs_pro_skill))
$sb_id_list.=','.$sbrow_pro_skill["sb_project_id"];
$sb_skills_str=" and sb_id in ($sb_id_list)";
*/ }
// echo "<br>yahan ---$sb_skills_str----tak<br>";
////////------------end skills
$suspended_list="-1";
$mem_q=mysql_query("select * from sbprj_members where sb_suspended='yes'");
while($mem=mysql_fetch_array($mem_q))
{ $suspended_list.=",".$mem["sb_id"];}
$sbq_pro="select * from sbprj_projects where sb_approved<>'yes' or sb_uid in ($suspended_list)";
$sbrs_pro=mysql_query($sbq_pro);
$sb_not_approved_id='-1';
while($sbrow_pro=mysql_fetch_array($sbrs_pro))
$sb_not_approved_id.=','.$sbrow_pro["sb_id"];
if ($showform<>"No")
{
?>
<script language="JavaScript">
function select_all(frm)
{
for (var i=0;i<frm.elements.length;i++)
{
var e =frm.elements[i];
if ((e.name != 'special0') && (e.type=='checkbox'))
{
e.checked = frm.special0.checked;
}
}
}
function validate(form)
{
return true;
}
</script>
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']?>" onSubmit="return validate(this);">
<table width="90%" border="0" align="center" cellpadding="2" cellspacing="2" class="onepxtable">
<tr class="titlestyle">
<td colspan="3"> Search Project</td>
</tr>
<tr valign="top">
<td align="right" class="innertablestyle"><font class="normal"><strong>Status</strong></font></td>
<td> </td>
<td><font face="Arial, Helvetica, sans-serif" size="2">
<select name="sb_status" id="sb_status">
<option value="0">All</option>
<option value="1" <?php echo ($sb_status==1)?'selected':''?>>Open</option>
<option value="2" <?php echo ($sb_status==2)?'selected':''?>>Frozen</option>
<option value="3" <?php echo ($sb_status==3)?'selected':''?>>Closed</option>
<option value="4" <?php echo ($sb_status==4)?'selected':''?>>Completed</option>
</select>
</font></td>
</tr>
<tr valign="top">
<td align="right" class="innertablestyle"><font class="normal"><strong>Keyword</strong></font></td>
<td> </td>
<td><font face="Arial, Helvetica, sans-serif" size="2">
<input name="sb_keyword" type="text" class=select id="sb_keyword" value="<?php echo $sb_keyword; ?>" size="30" maxlength="40">
</font></td>
</tr>
<tr valign="top">
<td align="right" class="innertablestyle"><font class="normal"><strong>Search
Method </strong></font></td>
<td> </td>
<td><font class='normal'>
<input type="radio" name="search_method" value="3" <?php echo($search_method==3)?'checked':''?>>
Matches on any word (OR) <br>
<input type="radio" name="search_method" value="2" <?php echo($search_method==2)?'checked':''?>>
Matches on all words (AND)<br>
<input name="search_method" type="radio" value="1" <?php echo($search_method==1)?'checked':''?>>
An exact phrase match </font></td>
</tr>
<tr valign="top">
<td width="40%" align="right" class="innertablestyle"><font class="normal"><strong>
Skills</strong></font></td>
<td width="6"> </td>
<td><font class="smalltext">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td colspan="4"> <input type="checkbox" name="special0" value="0" id="special0" onClick="javascript:select_all(this.form)" <?php echo($special0==0)?'checked':'';?>>
<font class="normal">Select All Skills</font></td>
</tr>
<?php $sbq_skill="select * from sbprj_skills where 1 $sbskill_order_str";
$sbrs_skill=mysql_query($sbq_skill);
$rcount=0; //row count
/* $NULLNOTE|ZY-|WST|
if(!isset($mywmxnnion))
{ die();}
*/
while($sbrow_skill=mysql_fetch_array($sbrs_skill))
{
if($rcount%4 == 0)
{ ?>
<tr>
<?php } //endif
?>
<td> <input type="checkbox" name="chk<?php echo $sbrow_skill["sb_sklid"]; ?>" value="<?php echo $sbrow_skill["sb_sklid"]; ?>" id="chk<?php echo $sbrow_skill["sb_sklid"]; ?>" <?php echo (strstr($sb_skills,','.$sbrow_skill["sb_sklid"].','))?"checked":""; // commas used to counter strstr() funcs erroe ?>>
<font class="normal"><?php echo $sbrow_skill["sb_skill_name"];?></font></td>
<?php $rcount++;
if($rcount%4 == 0)
{ ?>
</tr>
<?php
} //end if
} //end while
?>
</table>
</font></td>
</tr>
<tr valign="top">
<td align="right" class="innertablestyle"><font class="normal"><strong>Records
per Page</strong></font></td>
<td> </td>
<td><font face="Arial, Helvetica, sans-serif" size="2">
<select name="recperpage" id="recperpage">
<option value="<?php echo $sbrow_con["sb_recperpage"]; ?>" ><?php echo $sbrow_con["sb_recperpage"] ?></option>
<option value="20" <?php echo ($recperpage==20)?'selected':''?>>20</option>
<option value="40" <?php echo ($recperpage==40)?'selected':''?>>40</option>
<option value="60" <?php echo ($recperpage==60)?'selected':''?>>60</option>
<option value="80" <?php echo ($recperpage==80)?'selected':''?>>80</option>
<option value="100" <?php echo ($recperpage==100)?'selected':''?>>100</option>
</select>
</font></td>
</tr>
<tr valign="top">
<td align="right" class="innertablestyle"> </td>
<td> </td>
<td><input name="submit" type="submit" value="Search Now"> <input name="sb_showresult" type="hidden" id="sb_showresult" value="1"></td>
</tr>
</table>
</form>
<? } //If showform = No? ends here ?>
<?php if($sb_showresult==1)
{ ?>
<table width="100%" border="0" cellspacing="10" cellpadding="2" class="maintablestyle">
<tr>
<td valign="top"><table width="92%" border="0" align="center" cellpadding="2" cellspacing="1" class="onepxtable">
<tr class="titlestyle">
<td width="45%"> Projects</td>
<td width="50"> Bids</td>
<td> Skills</td>
<td width="15%"> Posted on </td>
<td width="15%"> Status</td>
<!--td> </td-->
</tr>
<?php
$sbq1="select *,UNIX_TIMESTAMP(sb_posted_on) as sb_posted, UNIX_TIMESTAMP(DATE_ADD(sb_posted_on,INTERVAL sb_duration DAY)) as sb_expiry, (TO_DAYS(NOW()) - TO_DAYS(sb_posted_on)) as sb_num_days from sbprj_projects where sb_approved='yes' and sb_id not in ($sb_not_approved_id) $sb_keyword_str $sb_status_str $sb_skills_str order by sb_featured, sb_id desc";
// echo $sbq1;
$jobs_q=mysql_query($sbq1);
$num_rows=mysql_num_rows($jobs_q);
/* $NULLNOTE|ZY-|WST|
if(!isset($mywmxnnion))
{ die();}
*/
///////////////////////////////////PAGINg begins
if(!isset($_REQUEST["pg"]))
{
$pg=1;
}
else
{
$pg=$_REQUEST["pg"];
}
$rcount=$num_rows;
if ($rcount==0 )
{
$pages=0;
}
else
{
$pages=floor($rcount / $recperpage);
if (($rcount%$recperpage) > 0 )
{
$pages=$pages+1;
}
}
$jmpcnt=1;
while ( $jmpcnt<=($pg-1)*$recperpage && $row = mysql_fetch_array($jobs_q) )
{
$jmpcnt = $jmpcnt + 1;
}
/////////--------paging ends
if($num_rows>0)
{ //record found
$cnt=0;
while (($jobs=mysql_fetch_array($jobs_q))&&($cnt<$recperpage))
{
// $comp=mysql_fetch_array(mysql_query("select * from sbprj_companies where sb_id=".$jobs["sb_company_id"]));
$rec_class="innertablestyle";
if($cnt%2==0)
{ $rec_class="alternatecolor"; }
// if($jobs["sb_highlight"]=="yes")
// {
// $rec_class="highlighted";
// if($cnt%2==0)
// { $rec_class="highlighted1"; }
// }
?>
<tr class="<?php echo $rec_class;?>" height="25">
<td height="25"><font class="normal"> <a href="view_project.php?sb_id=<?php echo $jobs["sb_id"];?>" title="View project">
<?php
// if($jobs["sb_bold"]=="yes")
// { echo "<b>";}
echo $jobs["sb_title"];
// if($jobs["sb_bold"]=="yes")
// { echo "</b>";}
?>
</a><?php echo($jobs["sb_featured"]=='yes')?'<img src="'.$sbico_featured.'" border="0" alt="Featured">':''?></font></td>
<td height="25"><font class="normal">
<?php
$sbq_bid="select count(*) as sb_bid_count from sbprj_bids where sb_approved='yes' and sb_project_id=".$jobs["sb_id"];
$sbrow_bids=mysql_fetch_array(mysql_query($sbq_bid));
if(is_numeric($sbrow_bids["sb_bid_count"]) && ($sbrow_bids["sb_bid_count"]>0) )
echo '<a href="view_project.php?sb_id='.$jobs["sb_id"].'#bids" class="small_link" title="View bids">'.$sbrow_bids["sb_bid_count"].'</a>';
else
echo '0';
?>
</font></td>
<td height="25"> <font class="normal">
<?php
// if($jobs["sb_bold"]=="yes")
// { echo "<b>";}
$sbq_skill="select * from sbprj_skills, sbprj_project_skills where sbprj_skills.sb_sklid=sbprj_project_skills.sb_skill_id and sb_project_id=".$jobs["sb_id"];
//echo $sbq_skill;
$sbrs_skill=mysql_query($sbq_skill);
$sbskill_list="";
while($sbrow_skill=mysql_fetch_array($sbrs_skill))
{
$sbskill_list.=$sbrow_skill["sb_skill_name"].', ';
}
echo preg_replace('/, $/','',$sbskill_list);
// if($jobs["sb_bold"]=="yes")
// { echo "</b>";}
?>
</font></td>
<td height="25"><font class="normal">
<?php
if($jobs["sb_num_days"]==0)
echo 'Today ('.sb_time_only($jobs["sb_posted"]).')';
elseif($jobs["sb_num_days"]==1)
echo 'Yesterday';
else
echo sb_date_only($jobs["sb_posted"]) ?>
</font></td>
<td height="25"><font class="normal">
<?php //echo sb_date_only($jobs["sb_expiry"])
/* $NULLNOTE|ZY-|WST|
if(!isset($mywmxnnion))
{ die();}
*/
if($jobs["sb_status"]=='Open')
{
$sb_duration=$jobs["sb_duration"]*60*60*24;
$sb_posted=$jobs["sb_posted"];
$sb_total=$sb_duration+$sb_posted;
$sb_now=date(time());
// echo "dura:--$sb_duration, posted:--$sb_posted, total:--$sb_total, now:--$sb_now";
if( $sb_total < $sb_now ) //i.e. expired
echo 'Frozen';
else
echo $jobs["sb_status"];
}
else
echo $jobs["sb_status"]; ?>
</font></td>
<!--td> </td-->
</tr>
<?php
$cnt++;
}// end while
} //end if records found
else
{
?>
<tr class="innertablestyle">
<td colspan="5"><font class="normal"> There is no project satisfying your serach criteria.</font></td>
<!--td> </td-->
</tr>
<?php
} // end else if records not found ?>
</table>
<table width="90%" border="0" align="center" cellpadding="0" cellspacing="0">
<tr ></tr>
<?PHP
if($pages>0)
{
?>
<tr valign="top">
<td><font class="normal">
<?php
if($pages>1)
{
echo "Page $pg of $pages<br>";
}
?>
</font></td>
<td width="40%" align="right"><font class="normal"> </font></td>
</tr>
<tr valign="top">
<td colspan="2"> <TABLE border=0 cellPadding=0 cellSpacing=0>
<TBODY>
<TR>
<TD> <font class="normal">
<?
if($pages>1)
{
//echo "Page $pg of $pages<br>";
if ($pg!=1)
{
?>
<a href="<? echo $_SERVER['PHP_SELF'];?>?pg=<?php echo ($pg-1).$strpass; ?>" >
<?
}
?>
Prev
<?
if ($pg!=1)
{
?>
</a>
<?php
}
?>
<B>
<?
if ($pages>1)
{
?>
</B>
<?php
if ($pg<=5)
{
$jmpcnt=1;
}
else
{
$jmpcnt=$pg-5;
}
$cnt=0;
while ( $jmpcnt<=$pages && ($cnt<=5) )
{
$cnt++;
if ($jmpcnt!=$pg)
{
?>
<a href="<? echo $_SERVER['PHP_SELF'];?>?pg=<?php echo "$jmpcnt$strpass"; ?>" >
<?
}
else
{
echo "<b>";
}
echo $jmpcnt;
if ($jmpcnt!=$pg)
{
?>
</a>
<?php
}else{
echo "</b>";
}
if ($jmpcnt<$pages)
echo " ";
?>
<?php
$jmpcnt = $jmpcnt + 1;
}
?>
</font> <font class="normal">
<?
}
if ( $pg!=$pages && $pages<>0)
{
?>
<a href="<? echo $_SERVER['PHP_SELF'];?>?pg=<?php echo ($pg+1); ?><?php echo "$strpass"; ?>" >
<?
}
?>
Next
<? if ($pg!=$pages && $pages<>0)
{
?>
</a>
<?
}
}
?>
</font> </TD>
</TR>
</TBODY>
</TABLE></td>
</tr>
<?php
}
?>
</table></td>
</tr>
</table>
<?php } //end if sb_showresult
} //end main
include_once("template.php");
?>
فكيف يتم ترقيعها مع خالص الشكر والتقدير