Hello everyone,
While browsing good old Google looking for information about certain routers that xxxxxxx offers us, I decided to go into the website of one of the routers, and while searching for a specific model I came across the following:
Quote:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/xxxxx/web/search_result.inc on line 19
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/xxxxxx/web/search_result.inc on line 24
Here are the links where you can see the error
Here is the information I obtained:
PHP code:
<?
$htmltitle="Search Result";
$pagename = "search_result.php";
$pagesize = GetString($_POST[pagesize],"10");
$page = GetString($_POST["page"],"1");
$keyword = GetString(TranSQLQuote($_POST[keyword]),"");
$keyword_data = explode("&",$keyword);
$scope = GetString($_POST[scope],"");
require_once("search_model.inc");
if ($sqlstr==""){
Reload("/search.php");
}else{
$sqlstr .= " ORDER BY ModifyDate DESC ";
}
$res = mysql_query($sqlstr);
$rowcount = mysql_num_rows($res);
$pagecount = ceil($rowcount/$pagesize);
if ($page<1) $page = 1;
if ($page>$pagecount) $page = $pagecount;
if ($list_data=mysql_fetch_array($res)){
$start_row = ($page-1) * $pagesize;
mysql_data_seek($res,$start_row);
$row_num = 0;
?>
<form name="QueryForm" action="<?=$pagename?>" method="post" style="margin:0" onsubmit="return sendform();">
<input type="hidden" name="page">
<input type="hidden" name="scope" value="<?=$scope?>" >
<input type="hidden" name="pagesize" value="<?=$pagesize?>" >
<input type="hidden" name="keyword" value="<?=$keyword?>" >
</form>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<h1>Search Result</h1>
Search results: <?=$rowcount?>
<br>
Search within results :
<form name="fm_search" action="<?=$pagename?>" method="post" style="margin:0;" onsubmit="return sendform();">
<input type="hidden" name="scope" value="<?=$scope?>" >
<input type="hidden" name="keyword" class="txtfield" value="<?=$keyword?>">
<input name="keyword_add" class="txtfield">
<input name="Submit" type="submit" class="btn" value="SUBMIT" onclick="if (sendform()) fm_search.submit();">
</form>
<script language=javascript>
function sendform(){
var browser_type = "";
if (window.navigator.userAgent.indexOf("Firefox")>=1){
browser_type = "ff";
}else{
browser_type = "ie";
}
if (browser_type=="ff"){
fm_search = document.forms[1];
}
re = / /gi;
if (fm_search.keyword_add.value.replace(re,"")==""){alert("Please input keyword");fm_search.keyword_add.focus();return false}
fm_search.keyword.value = fm_search.keyword.value+" & "+fm_search.keyword_add.value;
return true;
}
</script>
<hr class="hr1">
<p>Displaying documents <?=$start_row+1?>-<?=$start_row+10?> of total <strong><?=$rowcount?></strong> found. </p>
<table width="100%" border="0" cellpadding="0" cellspacing="0" id="sresult">
<?
while ($list_data=mysql_fetch_array($res)){
$row_num++;
if ($row_num>$rowcount||$row_num>$pagesize) {break;}
$xclass = "lf_td2";
if ($row_num % 2 == 1) $xclass = "lf_td1";
?>
<tr class="<?=$xclass?>">
<td width="25" valign="top"><?=$row_num?>.</td>
<td><?PrintSearchResultItem($list_data[0],$list_data[1],$list_data[4],$list_data[2],$list_data[3],$keyword_data)?></td>
</tr>
<?
}
?>
</table>
<div id="page">
<?PageStatus2("QueryForm",$page,$pagecount,$rowcount);?>
</div>
<p> </p>
</td>
</tr>
</table>
<?
}else{
?>
<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
<h1>Search Result</h1>
Search results: 0
</td>
</tr>
<tr>
<td><font color=red> Your search did not match any documents</font>
</tr>
<tr>
<td>
<table>
<tr>
<td>Suggestions:</td>
<td> </td>
</tr>
<tr>
<td> </td>
<td>
- Make sure all words are spelled correctly.<br>
- Try different keywords.<br>
- Try more general keywords.<br>
- Try fewer keywords.<br>
</td>
</tr>
</table></td>
</tr>
</table>
<?
}
?>
Somewhat more important info.
PHP code:
<?
//#### Corporate ####
$condition="
CONCAT(
PageTitle,' ',
MetaKeyword,' ',
WebSearchKeyword
)
";
$sql_select = "
SELECT ProgramNo,CategoryName,Modifydate,
'corporate' AS scope,
$condition AS condition
FROM CorporateCategory
";
$sql_where = " WHERE
StatusFlag='1' AND (IFNULL(OnlineDate,CURDATE())<=CURDATE() AND IFNULL(OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_corporate = $sql_select.$sql_where;
//echo $sql_corporate;
//exit();
//#### Press Room ####
//---- Press Room Self
$condition = "
CONCAT(
np.Title,' ',
np.SubTitle,' ',
np.Content
)
";
$sql_select = "
SELECT np.sqno,np.Title,np.Modifydate,
'press_room' AS scope,
$condition AS condition
FROM NewsPress np
";
$sql_where = " WHERE
np.StatusFlag='1' AND (IFNULL(np.OnlineDate,CURDATE())<=CURDATE() AND IFNULL(np.OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_press_room1 = $sql_select.$sql_where;
//echo $sql_press_room1;
//exit();
//---- Press Room Related Product
$condition = "
vm.PC4Name
";
$sql_select = "
SELECT np.sqno,np.Title,np.Modifydate,
'press_room' AS scope,
$condition AS condition
FROM NewsPress np
JOIN NewsPressRelatedProduct rp ON np.PressNo=rp.PressNo
JOIN ProductCategory pc ON rp.CategoryGroupNo=pc.CategoryGroupNo
JOIN vw_MODEL_LV4 vm ON pc.indexflag=vm.PC4indexflag
";
$sql_where = " WHERE
np.StatusFlag='1' AND (IFNULL(np.OnlineDate,CURDATE())<=CURDATE() AND IFNULL(np.OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_press_room2 = $sql_select.$sql_where;
//echo $sql_press_room2;
//exit();
//---- Press Room Related Event
$condition = "
ne.Title
";
$sql_select ="
SELECT np.sqno,np.Title,np.Modifydate,
'press_room' AS scope,
$condition AS condition
FROM NewsPress np
JOIN NewsPressRelatedEvent re ON np.PressNo=re.PressNo
JOIN NewsEvent ne ON re.EventNo=ne.EventNo
";
$sql_where = " WHERE
np.StatusFlag='1' AND (IFNULL(np.OnlineDate,CURDATE())<=CURDATE() AND IFNULL(np.OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_press_room3 = $sql_select.$sql_where;
//echo $sql_press_room2;
//exit();
$sql_press_room = $sql_press_room1." UNION ".$sql_press_room2." UNION ".$sql_press_room3;
//echo $sql_press_room;
//exit();
//#### Event ####
$condition = "
CONCAT(
Title,' ',
Place
)
";
$sql_select = "
SELECT ne.sqno,ne.Title,ne.ModifyDate,
'event' AS scope,
$condition AS condition
FROM NewsEvent ne
";
$sql_where = " WHERE
ne.StatusFlag='1' AND (IFNULL(OnlineDate,CURDATE())<=CURDATE() AND IFNULL(OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_event = $sql_select.$sql_where;
//echo $sql_event;
//exit();
//#### Award ####
//---- Award Self
$condition = "
CONCAT(
na.AwardName,' ',
na.Media
)
";
$sql_select = "
SELECT na.sqno,na.AwardName,na.ModifyDate,
'award' AS scope,
$condition AS condition
FROM NewsAward na
JOIN Country c ON na.CountryNo=c.sqno
";
$sql_where = " WHERE
na.StatusFlag='1'
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_award1 = $sql_select.$sql_where;
//echo $sql_award1;
//exit();
//---- Award Related Product
$condition = "
vm.PC4Name
";
$sql_select = "
SELECT na.sqno,na.AwardName,na.ModifyDate,
'award' AS scope,
$condition AS condition
FROM NewsAward na
JOIN NewsAwardRelatedProduct rp ON rp.AwardNo=na.AwardNo
JOIN ProductCategory pc ON rp.CategoryGroupNo=pc.CategoryGroupNo
JOIN vw_MODEL_LV4 vm ON pc.indexflag=vm.PC4indexflag
";
$sql_where = " WHERE
na.StatusFlag='1'
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_award2 = $sql_select.$sql_where;
//echo $sql_award2;
//exit();
$sql_award = $sql_award1." UNION ".$sql_award2;
//echo $sql_award;
//exit();
//#### Product ####
$condition = "
CONCAT(
vm.PC1Name,' ',
pc.CategoryDesc,' ',
pc.KeyMessage,' ',
pc.Positioning
)
";
$sql_select = "
SELECT pc.sqno,vm.PC1Name,pc.ModifyDate,
'product' AS scope,
$condition AS condition
FROM ProductCategory pc
JOIN vw_MODEL_LV1 vm ON pc.indexflag=vm.PC1indexflag
";
$sql_where = "
WHERE pc.StatusFlag='1' AND (IFNULL(OnlineDate,CURDATE())<=CURDATE() AND IFNULL(OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_product1 = $sql_select.$sql_where;
//echo $sql_product1;
//exit();
$condition = "
CONCAT(
vm.PC4Name,' ',
pc.CategoryDesc,' ',
pc.KeyMessage,' ',
pc.Positioning
)
";
$sql_select = "
SELECT DISTINCT CategoryGroupNo,vm.PC4Name,pc.ModifyDate,
'product' AS scope,
$condition AS condition
FROM ProductCategory pc
JOIN vw_MODEL_LV4 vm ON pc.indexflag=vm.PC4indexflag
";
$sql_where = "
WHERE pc.StatusFlag='1' AND (IFNULL(OnlineDate,CURDATE())<=CURDATE() AND IFNULL(OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_product4 = $sql_select.$sql_where;
//echo $sql_product4;
//exit();
$sql_product = $sql_product4." UNION ".$sql_product1;
//echo $sql_product;
//exit();
//#### Solution ####
$condition = "
CONCAT(
sc.CategoryName,' ',
sc.CategoryDesc,' ',
sc.PageTitle,' ',
sc.MetaKeyword,' ',
sc.MetaDesc,' ',
sc.WebSearchKeyword
)
";
$sql_select = "
SELECT sc.ProgramNo,sc.CategoryName,sc.ModifyDate,
'solution' AS scope,
$condition AS condition
FROM SolutionCategory sc
";
$sql_where = " WHERE
sc.StatusFlag='1' AND (IFNULL(OnlineDate,CURDATE())<=CURDATE() AND IFNULL(OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_solution = $sql_select.$sql_where;
//echo $sql_solution;
//exit();
//#### Download Library ####
$condition = "
CONCAT(
External_Model_Name,' ',
mtTitle,' ',
MaterialVersion,' ',
MaterialDesc,' ',
Platform
)
";
$sql_select = "
SELECT sd.sqno AS sqno,CONCAT(sd.External_Model_Name,' ',sd.mtTitle,' ',MaterialVersion),sd.Release_Date AS ModifyDate,
'download' AS scope,
$condition AS condition
FROM SupportDownload sd
";
$sql_where = " WHERE
MaterialFile<>''
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_download = $sql_select.$sql_where;
//echo $sql_download;exit();
//#### Knowledge Base ####
$condition = "
CONCAT(
kb_problem_summary,' ',
kb_problem_text,' ',
kb_solution_text
)
";
$sql_select = "
SELECT kb.kb_id AS sqno,kb_problem_summary,kb_entry_date AS ModifyDate,
'kb' AS scope,
$condition AS condition
FROM knowledgebase kb
JOIN knowledgebase_problem kbp ON kb.kb_id=kbp.kb_id
JOIN knowledgebase_solution kbs ON kb.kb_id=kbs.kb_id
";
$sql_where = " WHERE
kb_level=4 and kb_status_id=6
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_kb = $sql_select.$sql_where;
//echo $sql_kb;
//exit();
//#### Glossary ####
//---- Glossary Self ----
$condition = "
CONCAT(
g.Title,' ',
g.FullName,' ',
g.GlossaryDesc
)
";
$sql_select = "
SELECT g.sqno,g.Title,g.ModifyDate,
'glossary' AS scope,
$condition AS condition
FROM Glossary g
";
$sql_where = " WHERE
g.StatusFlag='1' AND (IFNULL(g.OnlineDate,CURDATE())<=CURDATE() AND IFNULL(g.OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_glossary1 = $sql_select.$sql_where;
//echo $sql_glossary1;
//exit();
//---- Glossary Related Product
$condition = "
vm.PC4Name
";
$sql_select = "
SELECT g.sqno,g.Title,g.ModifyDate,
'glossary' AS scope,
$condition AS condition
FROM Glossary g
JOIN GlossaryRelatedProduct rp ON rp.GlossaryNo=g.GlossaryNo
JOIN ProductCategory pc ON rp.CategoryGroupNo=pc.CategoryGroupNo
JOIN vw_MODEL_LV4 vm ON pc.indexflag=vm.PC4indexflag
";
$sql_where = " WHERE
g.StatusFlag='1' AND (IFNULL(g.OnlineDate,CURDATE())<=CURDATE() AND IFNULL(g.OfflineDate,'2100-01-01')>=CURDATE())
";
foreach ($keyword_data as $keyword_str){
$sql_where .= " AND INSTR(LCASE($condition),LCASE('".trim($keyword_str)."'))>0 ";
}
$sql_glossary2 = $sql_select.$sql_where;
//echo $sql_glossary2;
//exit();
$sql_glossary = $sql_glossary1." UNION ".$sql_glossary2;
//echo $sql_glossary;
//exit();
$sql_seach_view =
$sql_corporate
." UNION ".
$sql_press_room
." UNION ".
$sql_event
." UNION ".
$sql_award
." UNION ".
$sql_product
." UNION ".
$sql_solution
." UNION ".
$sql_solution
." UNION ".
$sql_kb
." UNION ".
$sql_glossary
;
//echo $sql_seach_view;
//exit();
if ($scope=="all"){
$sqlstr =
$sql_corporate
." UNION ".
$sql_press_room
." UNION ".
$sql_event
." UNION ".
$sql_award
." UNION ".
$sql_product
." UNION ".
$sql_solution
." UNION ".
$sql_download
." UNION ".
$sql_kb
." UNION ".
$sql_glossary;
}elseif ($scope=="corporate") {
$sqlstr = $sql_corporate;
}elseif ($scope=="news") {
$sqlstr =
$sql_press_room
." UNION ".
$sql_event
." UNION ".
$sql_award
;
}elseif ($scope=="press_room") {
$sqlstr =
$sql_press_room
;
}elseif ($scope=="event") {
$sqlstr =
$sql_event
;
}elseif ($scope=="award") {
$sqlstr =
$sql_award
;
}elseif ($scope=="product_solution") {
$sqlstr =
$sql_product
." UNION ".
$sql_solution
;
}elseif ($scope=="product") {
$sqlstr =
$sql_product
;
}elseif ($scope=="solution") {
$sqlstr =
$sql_solution
;
}elseif ($scope=="support") {
$sqlstr =
$sql_download
." UNION ".
$sql_kb
." UNION ".
$sql_glossary
;
}elseif ($scope=="download") {
$sqlstr =
$sql_download
;
}elseif ($scope=="kb") {
$sqlstr =
$sql_kb
;
}elseif ($scope=="glossary") {
$sqlstr =
$sql_glossary
;
}
//echo $sqlstr;
//exit();
?>
Code:
Is false - keyword=&scope=all&search=BUSCAR [Cookies] PHPSESSID=1faf9f4f1a016e872415fd2e97ec736b
Edited 14/01/2012
How did I obtain the source code I have just shown you?
It is quite simple; as you can read in the quote I posted, the errors the website displayed include the path to the code files.
Quote:
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/xxxxx/web/search_result.inc on line 19
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/xxxxxx/web/search_result.inc on line 24
As you can see, the path it exposes is
/var/www/xxxxx/web/search_result.inc
As on most of the Linux servers I have worked with that run an Apache web server, the default path where the websites are stored is /var/www; if there are virtual hosts the path would be /var/www/host_virtual1, /var/www/host_virtual2, /var/www/host_virtual3, etc.
In the browser I entered the path, bearing in mind that we are accessing it from the domain's URL, so in this case it would be a relative path
to try my luck, since if the permissions on the files were set properly I would not have access to that file, and to my surprise I was able to see code that I should not see.
I started reading through the PHP code (trying to recall my rather basic PHP knowledge) and went straight to line 19 to see the failure.
Code:
mysql_num_rows($res)
I see the variable $res and try to find out what that variable contains; right on the previous line (18)
Code:
$res = mysql_query($sqlstr)
it runs an SQL query that gives that variable its value, and I assumed the query was stored in the variable $sqlstr, so I kept looking for the contents of that other variable; since that variable is not declared in this file and I did not see it being a parameter passed via $_POST, and on seeing the following line:
Code:
require_once("search_model.inc");
I suspected it was in that file; from the way the file path is exposed I can see that it is in the same folder, so in the URL I changed search_result.inc to search_model.inc, leaving it like this
I entered it in the browser and, to my surprise, got some rather special content that should not be seen by any user at first glance.
Summary: Configuring a server is a harder task than many people think, and leaving the server with the default configuration is not always the safest option, since the design of each website is a world of its own and only the programmer(s) know what to restrict and what not to.
This type of failure in these large companies is caused by the lack of coordination in the IT department and by the heavy workload they are subjected to.
Albert Einstein: We are all ignorant; we just do not all ignore the same things.
PS: One more piece of data I acquired while trying to explain this to you is the version of PHP, Apache, operating system and DB
Quote:
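Added example (my own code, not part of the original post): the two requests described above, first for search_result.inc and then for search_model.inc, leave a clear trace in the Apache access log. This Python script parses a handful of constructed combined-log lines (addresses, timestamps and sizes are made up; the two .inc paths mirror the post) and flags every request for a source-like file, separating a disclosure that actually happened (2xx response) from a probe that the server refused (403/404). The function names and the suffix list are my own choices.

```python
import re

# Constructed Apache combined-log sample. 192.0.2.0/24 and 198.51.100.0/24
# are documentation ranges; nothing here comes from a real server.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Jan/2012:10:01:02 +0100] "POST /search_result.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jan/2012:10:02:15 +0100] "GET /search_result.inc HTTP/1.1" 200 4311 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jan/2012:10:03:40 +0100] "GET /search_model.inc HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2012:10:05:00 +0100] "GET /index.php?page=2 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Jan/2012:10:05:09 +0100] "GET /config.inc.bak HTTP/1.1" 404 210 "-" "curl/7.21"
"""

# ip ident user [timestamp] "METHOD target PROTOCOL" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Extensions that should never be delivered verbatim from a PHP document root
# (assumption: extend to match what your own deployment keeps under the root).
SOURCE_SUFFIXES = (".inc", ".bak", ".old", ".orig", ".phps", ".sql", ".swp", "~")


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]   # drop the query string
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """'served' when a source-like file came back with 2xx (disclosure
    happened), 'probed' when it was requested but refused or missing,
    None when the request is not interesting."""
    if not rec["path"].lower().endswith(SOURCE_SUFFIXES):
        return None
    if 200 <= rec["status"] < 300:
        return "served"
    return "probed"


def find_source_disclosure(log_text):
    """Scan log text and return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                             "status": rec["status"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_source_disclosure(SAMPLE_LOG):
        print(f"{f['verdict']:6} {f['ip']:14} {f['status']} {f['path']}  ({f['ts']})")
```

A "served" hit means the response body was the file's source, so the file must be treated as already disclosed (rotate any credentials it contained); "probed" hits from the same address over a short window are the reconnaissance pattern worth alerting on even when the server held.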
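Added example (my own code, not from the post or from the vendor's site): the audit a server administrator can run on the document root to find exactly the situation described above, files that contain PHP code but carry an extension the PHP handler does not own, so Apache delivers them as plain text. The sample document root is constructed in a temporary directory and imitates the layout in the post (a .php entry point plus .inc helpers under the web root); PHP_HANDLED and the file names are assumptions.

```python
import os
import tempfile

# Extensions the PHP handler is mapped to in a typical mod_php setup
# (assumption: adjust to your own AddHandler / AddType lines).
PHP_HANDLED = (".php", ".php5", ".phtml")


def looks_like_php(path, probe_bytes=65536):
    """True if the first bytes of the file contain a PHP open tag.
    '<?xml' alone is not counted, so XML files do not trigger."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(probe_bytes)
    except OSError:
        return False
    return b"<?php" in head or (b"<?" in head and b"<?xml" not in head)


def find_exposed_source(docroot, handled=PHP_HANDLED):
    """Walk docroot and return the relative paths of files that contain PHP
    code but whose extension is not handled by PHP, i.e. files Apache would
    return verbatim under a default configuration."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            _stem, ext = os.path.splitext(name)
            if ext.lower() in handled:
                continue            # executed by PHP, source is not returned
            if looks_like_php(full):
                exposed.append(os.path.relpath(full, docroot))
    return sorted(exposed)


def build_sample_docroot():
    """Constructed document root; contents are placeholders, not real code."""
    root = tempfile.mkdtemp(prefix="docroot_")
    samples = {
        "search_result.php": "<?php require_once('search_result.inc'); ?>",
        "search_result.inc": "<?\n$res = mysql_query($sqlstr);\n?>",
        "search_model.inc": "<?\n$sql_where = ' WHERE StatusFlag=1 ';\n?>",
        "db.php.bak": "<?php $dbpass = 'PLACEHOLDER'; ?>",
        "style.css": "body { margin: 0 }",
        "sitemap.xml": "<?xml version='1.0'?><urlset/>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_docroot()
    for rel in find_exposed_source(root):
        print("would be served as plain text:", rel)
```

On Apache 2.2 (the version the post reports) the durable fix is to refuse such files outright, for example a `<FilesMatch "\.inc$">` block containing `Order allow,deny` and `Deny from all` (`Require all denied` on 2.4), or better still to keep include files outside the DocumentRoot and reach them through PHP's include_path. The path leak that started the whole thing disappears with `display_errors = Off` in php.ini and `log_errors = On`, so warnings go to the error log instead of the browser.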
Apache/2.2.3 (Ubuntu) PHP/5.2.1
MySql 4.1.0
If I remember correctly, a friend and user of this forum posted a video tutorial (exploits included) about a security flaw found in this version of Apache