Escolar Documentos
Profissional Documentos
Cultura Documentos
"'
OR '1' = '1' --'sdad"."'";
o SQL query
mysql_query
query:
// Prepare Query to avoid SQL Injection
function prepared_sqlquery($code, $data)
{
$parts = explode('?', $code);
$sql = '';
foreach ( $data as $value ) {
$sql .= array_shift( $parts);
$sql .= '"' .addslashes($value). '"';
}
$sql .= array_shift( $parts );
return $sql;
}
mysqli_multi_query
SQL statements 1 query
.
query .
search_loggedout.php
search_loggedin.php SELECT queries
id ( search_loggedin.php)
SQL
query .
index.php
SELECT queries.
>> opencourses.php
:
>> newprof.php
>> newuser.php
: manual.php queries
: contact.php queries
: about.php select queries
Sfragizontas tis litourgies tou admin apo epitheseis CRSF kaliptoume tin periptosi
enas kakovoulos xristis na perasei kapio script mesw kapias formas se kapia selida
tou admin.Krinoume oti dn ehei noima I prostasia apo XSS sti pleura tou admin
kathws ama o kakovoulos xristis ehei parei idi prosvasi sto logariasmo tou admin
den prokitai na mas kanei peretairw zimia vazontas kapio script.Gia ton logo auton
sfragisame apo XSS mono tis perioxes tou guest kai tou xristi (afou i eggraf ton
ekpaideutwn den einai dinati)
ATTACKS :
CRSF
Admin side:
Cleanup.php
Delcourse.php
Edituser.php
Password.php
Addfaculte.php
Eclassconf.php
Infocours.php
Quotecourse.php
Statuscours.php
Mailtoprof.php
multireguser.php
adminannouncements.php
auth.php
auth_process.php
newuseradmin.php
.
http://localhost/openeclass-2.3/modules/unreguser/unreguser.php?doit=yes
/openeclass-2.3/modules/unreguser/unreguser.php?u=4&doit=yes
XSS
script <script>alert("Hello! I am an alert box!");</script>
Script
SCRIPT STI PERIOXI SIZITISEWN
KAI OPOU ALOU
If the HttpOnly flag (optional) is included in the HTTP response header, the cookie
cannot be accessed through client side script (again if the browser supports this
flag). As a result, even if a cross-site scripting (XSS) flaw exists, and a user
accidentally accesses a link that exploits this flaw, the browser (primarily Internet
Explorer) will not reveal the cookie to a third party.