Hey Guy's,
I got a really nice cms but it has exploit people keep hacking me.
Would someone make this cms exploit free?
It is based on HomePremiumCms
Cms Download; https://mega.co.nz/#!rJlySRgB!cbMqnH...5xH3DU7SrYU6dE
db; https://mega.co.nz/#!eY0jlSDb!ctJ0gn...Vk7YHv6sa5-U0g
Screens;
Me.php
Me.php (2)
Articles.php
Vip Badges shop
I hope someone can find the exploit and will remove them.
Thanks,
FlyHotel
Hey, because I'm the original maker of this cms I can help you as the best :).
First. I wouldn't recommend you this cms because even I hate it. But I'm not you.
You can go to the global.php and add this code somewhere at the bottom:
This code is checking if there is an escapestring around every $_POST.PHP Code:foreach($_POST as $var => $value){
if($_POST[$var] = $core->EscapeString($value)){
$_POST[$var] = $value;
}elseif($_POST[$var] = $value){
$_POST[$var] = $core->EscapeString($value);
}
}
If there is an escapestring around it, it does nothing.
If there isn't an escapestring around it, it's adding this.
You can do the same with $_GET. Add the same code and replace every $_POST in this code to $_GET.
(I made this code quickly as example)
But this is only fixing the mysql_real_escape_sting() problem.
Thank you,Originally Posted by PremiumEye
I hope this would help, it's a very nice cms but some guys keep hacking me. They can rank their self and delete things from the database.
And i still want to use this cms because i like it ;p
Learn to code, problem solved.
I'm still learning ;)Learn to code, problem solved.
Does this include exploit(s) And if so can someone share the code so it can be removed.
Securing code against SQL injection should be one of the first things you should learn. Try youtube phpAcademy, they have some incredibly good tutorials.
I can't find any exploits..
Could you upload it without SWFs and c_images? I'll look for exploits for you :)
That shouldn't be that hard or a php starter? The most popular of them all is the SQL Injection. (XSS)
Just look everywhere if there's a mysql_real_escape_string() around it. Not that hard?
With my little code you don't have to look everywhere. The code is doing it or you.
Thank you :D The cms is uploading without SWFs and c_images, i will post the download link here when its done.
EDIT:
Upload is done without SWFs and c_images. Downloadlink; https://mega.co.nz/#!OY4DnLYa!TbydMR...6UPIARzUmI_a64
I hope you can find the exploits for me, really thank you that you do this for me.
Last edited by FlyHotel; 05-02-13 at 08:17 AM.
SQL and XSS are two different things. Using Mysql real escape string doesn't fully protect you against code injection either. You also need to remove all html tags using strip-tags.
You mean these html tags? </html>
Mysql string; $dpoints1 = mysql_real_escape_string(substr(floor($_POST['dpoints']),0,30)); ?
What can i do with that?
XSS isn't an SQL injection
It means
Code:cross site scripting
I could fuck your site up using JavaScript if you don't clear HTML tags, if you don't know what HTML tags are I suggest you start learning.
Reply With Quote